Advanced Wired Network Security Using Aruba ClearPass Policy Manager
Herman Robers, EMEA Security CSE
June 2019
The Status Quo
(Diagram: one static VLAN and policy per device class, assigned per port)
• VLAN 200: QoS Policy ‘A’
• VLAN 100: ACL ‘headless’
• VLAN 300: ACL ‘desktop’
• VLAN 400: ACL ‘guest’
2@ArubaEMEA | #ATM19EMEA
Wired “Security” Complexity
(Diagram: core network with per-VLAN policy)
• Add Guest VLAN
• Set Guest VLAN Policy
• Repeat for Desktop VLAN
• Repeat for Voice VLAN
• Repeat for Headless VLAN
• Extend to rest of network
Manual moves/adds/changes cause operational burden.
Port policy/VLAN is not tied to the “identity” of the device/user plugging into it.
Policy is applied at the firewall based on the VLAN the packet was received on, not the “identity” of the user/device.
Lack of visibility/control creates a ”Hacker’s Paradise” for malware to develop undetected.
The Security Dilemma
(Diagram: a scale balancing Risk against Cost)
Today’s Threats and Regulations Tilt The Scale
• IoT dramatically increases number of devices/vulnerabilities that can be exploited
• GDPR, PCI, and other regulations will cause significant financial impact
• Average dwell time of an APT is >100 days!
• Average mitigation time is >30 days!
Dissecting the Challenge
(Diagram: access network, core network and firewall)
Step 0: What is on my network?
Step 1: Apply “best fit” dynamic control at the Edge
Step 2: Orchestrate Security and Experience
Step 3: Analyze Behaviors and React to Threats
Visibility, Orchestration and Automation
Aruba 360 Secure Fabric:
• Experience at the Edge
• Aruba Secure Infrastructure: Secure Boot | Encryption | Dynamic Segmentation
• ClearPass | IntroSpect: Discovery, Authorization, and Integrated Attack Detection and Response
• Aruba 360 Security Exchange: Other Infrastructure, Security Analytics
ClearPass Secure Network Access Control
• Visibility: Device Discovery and Profiling; Custom Fingerprinting
• Authentication and Authorization: Precision Access Privileges; Identity and context-based rules
• Enforcement: One Role, One Network; AAA and non-AAA options
• Attack Response: Event-triggered actions
Step 0: Visibility
Passive
• DHCP Fingerprinting
• HTTP User-Agent
• TCP Fingerprinting
• ARP
• Cisco Device Sensor
• Netflow/IPFIX
• Aruba AMON
Active
• WMI
• NMAP
• SSH
• ARP
• MAC/IF Table
• CDP/LLDP Table
• OnGuard
Exchange
• MDM/EMM
• CMDB
• Endpoint/EDR
ML/AI
• IntroSpect
• Device Insight*
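DHCP fingerprinting is the first passive technique listed above. As an added example (not ClearPass or Aruba code), here is a parser for the DHCP option area that matches the Option 55 parameter request list and Option 60 vendor class against a small fingerprint table; the table entries and the sample packet are constructed for illustration.

```python
# Added example (not ClearPass code): passive DHCP fingerprinting of the
# kind a profiler does with DHCP Option 55/60. Fingerprint table entries
# and the sample packet are constructed for illustration.
from typing import Dict, List, Optional, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the option area

def parse_dhcp_options(options: bytes) -> Dict[int, bytes]:
    """Parse the TLV option area that follows the DHCP magic cookie."""
    if not options.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    i, out = len(MAGIC_COOKIE), {}
    while i < len(options):
        code = options[i]
        if code == 255:            # End option
            break
        if code == 0:              # Pad option has no length byte
            i += 1
            continue
        length = options[i + 1]
        out[code] = options[i + 2:i + 2 + length]
        i += 2 + length
    return out

# Constructed fingerprint table: Option 55 parameter request list and an
# optional Option 60 vendor class identifier -> device family.
FINGERPRINTS: List[Tuple[Tuple[int, ...], Optional[bytes], str]] = [
    ((1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252),
     b"MSFT 5.0", "Windows workstation"),
    ((1, 3, 6, 12, 15, 28, 42), b"udhcp 1.30.1", "Linux/embedded (busybox)"),
]

def fingerprint(options: Dict[int, bytes]) -> str:
    """Return the device family for the parsed options, or 'unknown'.

    A host controls its own DHCP requests, so the result is a hint only;
    the slides pair profiling with MAC/802.1X auth and an asset DB.
    """
    prl = tuple(options.get(55, b""))
    vendor = options.get(60)
    for sig_prl, sig_vendor, name in FINGERPRINTS:
        if prl == sig_prl and (sig_vendor is None or sig_vendor == vendor):
            return name
    return "unknown"

# Constructed option area of a DHCP Discover from a Windows host
SAMPLE_WINDOWS = (MAGIC_COOKIE
                  + b"\x35\x01\x01"            # Option 53: DHCPDISCOVER
                  + b"\x3c\x08MSFT 5.0"        # Option 60: vendor class
                  + b"\x37\x0e" + bytes([1, 3, 6, 15, 31, 33, 43, 44, 46,
                                         47, 119, 121, 249, 252])  # Option 55
                  + b"\xff")                   # End option
```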
TRADITIONAL PROFILING TECHNIQUES LACK DEVICE CONTEXT
Generic “Windows” or “Linux” device, identified from static attributes:
• NMAP
• SNMP
• WMI
CLEARPASS DEVICE INSIGHT: FROM GENERIC TO GRANULAR DEVICE VIEW
Deep packet inspection (DPI) refines the view from a generic “Windows device” label to: AXIS device → AXIS security camera → AXIS Q35 network camera.
Static + behavioral attributes:
• Applications
• Web sites
• Ports
• Protocols
Combined with crowd-sourcing and machine learning.
STEP 1: AUTHORIZE AND ENFORCE: “NO INVISIBLE NETWORK CONNECTIONS”
(Diagram: authentication server ↔ AP / Controller / Switch over RADIUS/SNMP)
• Use best authentication possible
• Step-up authentication if available
Balancing Security with Configuration & Management
Varying Levels of Control
Basic Port Control
• AuthN/AuthZ: SNMP
• Enforcement: Port Based VLAN, via SNMP/CLI
Basic Session Control
• AuthN/AuthZ: MAC Authentication, Allow all
• Enforcement: Session Based ACL, Role, VLAN, via RADIUS
Full Visibility and Control
• AuthN/AuthZ: Multi Auth: 802.1X / MAC / WebAuth
• Enforcement: Session Based ACL, Role, VLAN, via RADIUS
Before (per-port VLANs):
• VLAN 100: QoS Policy ‘A’
• VLAN 200: ACL ‘headless’
• VLAN 300: ACL ‘desktop’
• VLAN 400: ACL ‘guest’
After (role assigned per session, according to how the endpoint is identified):
• user-role 'PRINTER': Mac auth, profiling, asset DB
• ACL 'CORP', vlan 'SECURE': 802.1X, profiling, endpoint DB, OnGuard
• user-role 'GUEST': Web Auth, Self Registration, Mac Auth
• user-role 'VOIP': Mac auth, profiling, asset DB
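The role table above is the outcome of a policy that combines the authentication method with profiling, asset and posture context. The following is an added example, not ClearPass code or its rule syntax: a first-match policy with constructed rule conditions and role names modelled on that table, which falls back to a quarantine role for anything it cannot place.

```python
# Added example (not ClearPass code): first-match enforcement policy
# modelled on the role table above. Rule conditions, role and VLAN names
# are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass(frozen=True)
class Request:
    auth_method: str          # "802.1X", "MAC" or "WEBAUTH"
    profile: str              # profiler category, e.g. "Printer", "VoIP Phone"
    in_asset_db: bool         # MAC address is a known corporate asset
    posture: Optional[str]    # OnGuard result: "HEALTHY", "UNHEALTHY" or None
    registered_guest: bool    # completed guest self-registration

@dataclass(frozen=True)
class Enforcement:
    user_role: str
    vlan: Optional[str] = None
    acl: Optional[str] = None

QUARANTINE = Enforcement("QUARANTINE")

# Ordered rules; the first whose condition holds wins. The default is the
# quarantine role, so an unknown device on a colorless port gets limited
# access instead of the VLAN of whatever was plugged in before it.
# MAC-authenticated devices must also match their asset-DB record and
# profiled category, so a spoofed printer MAC on a laptop is not enough.
RULES: List[Tuple[Callable[[Request], bool], Enforcement]] = [
    (lambda r: r.auth_method == "802.1X" and r.posture == "HEALTHY",
     Enforcement("EMPLOYEE", vlan="SECURE", acl="CORP")),
    (lambda r: r.auth_method == "802.1X",
     Enforcement("REMEDIATION")),            # authenticated but not healthy
    (lambda r: r.auth_method == "MAC" and r.in_asset_db and r.profile == "Printer",
     Enforcement("PRINTER")),
    (lambda r: r.auth_method == "MAC" and r.in_asset_db and r.profile == "VoIP Phone",
     Enforcement("VOIP")),
    (lambda r: r.auth_method == "WEBAUTH" and r.registered_guest,
     Enforcement("GUEST")),
]

def decide(req: Request) -> Enforcement:
    """Evaluate the rules in order and return the enforcement to apply."""
    for condition, enforcement in RULES:
        if condition(req):
            return enforcement
    return QUARANTINE
```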
The Colorless Port
Dynamic Segmentation – No More VLANs!
(Diagram: core network; the same port serving a new device, an AP, a VoIP device, or a quarantined device)
Step 2: Experience/Security Orchestration
Aruba ClearPass with Exchange Ecosystem (via REST API, Syslog):
• Internet of Things (IoT)
• BYOD and corporate owned
• Security monitoring and threat prevention
• Device management and multi-factor authentication
• Helpdesk and voice/SMS service in the cloud
• Multi-vendor switching
• Multi-vendor WLANs
360 SECURE FABRIC ECOSYSTEM: Bi-Directional Data Exchange
• ClearPass Device Insight: ENHANCED DISCOVERY / PROFILING
• ClearPass Policy Manager: SEGMENTATION / ENFORCEMENT
• Exchanging data with: Internet of Things (IoT), multi-vendor switching, multi-vendor WLANs, BYOD and corporate owned, 3rd party security and networking vendors
CPPM Integration Ensures Secure Access
Security Orchestration in Action
Context sources: AD/LDAP (who); EMM/MDM/CDI (who, when, where, what). Example context for one session:
• Who: Bob
• Group: Faculty
• Device: Personal iPad
• MDM: Airwatch
• Location: Room 104
• Time: 9am, Monday
• Compliance: Healthy
• Mac Address: X
• IP Address: Y
ClearPass (Adaptive Trust Identity, Service Chaining) then acts on that context:
• Logon to Applications (SSO)
• Update Firewall
• Update Web Proxy / Filter
• Update EMM/MDM
• Airgroup Permissions
• Update Enforcement Device (LAN/WAN/VPN)
Enhanced Experiences
User: “I can’t connect, now what?” → SMS/Voice with Instructions; Self-Service Pages for Onboarding/Registration/Remediation
Helpdesk: “I need information to help Bob!” → Create HelpDesk ticket with required context
• Ensure user is aware of issues and support
• Provide self-service options to remediate issue
• Ensure help-desk is prepared to quickly resolve issue if needed
User: “That was easy, back to work!”
ClearPass Adaptive Response
ClearPass Secure Access Control and 360 Security Exchange Partners exchange user/device context and actionable alerts:
1. Discover and Authorize
2. Monitor and Alert
3. Decide and Act
Actions: Real-time Quarantine • Re-authentication • Bandwidth Control • Blacklist
Step 3: Analyze Behaviors and React to Threats
IntroSpect Use Case Example: Ransomware
Infect:
• IOC-STIX Ransomware Tracker
• Suspicious email attachment
• Suspicious email domain
Command and Control:
• DNS DGA
• DNS tunneling
• New country access
Lateral Spread:
• Host scan
• Port scan
• Abnormal host access
• Excessive host activity
• Failed auths
• New logons
Encrypt:
• Unusual file activity
• Telltale encryption writes
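Three of the signals listed above (port scan, failed auths, DNS DGA) evaluated over constructed log records and rolled into a per-host score, as an added example of the kind of correlation the stages imply; this is not IntroSpect's analytics, and the thresholds, weights and records are constructed for illustration.

```python
# Added example (not IntroSpect code): per-host detection of three
# ransomware-chain signals over constructed records, combined into a
# score so that several stages seen on one host rank higher.
import math
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed records: (source host, event type, detail)
EVENTS: List[Tuple[str, str, str]] = [
    ("ws-17", "conn", "10.0.5.9:445"), ("ws-17", "conn", "10.0.5.9:3389"),
    ("ws-17", "conn", "10.0.5.9:22"), ("ws-17", "conn", "10.0.5.9:135"),
    ("ws-17", "conn", "10.0.5.9:139"), ("ws-17", "conn", "10.0.5.9:5985"),
    ("ws-17", "auth_fail", "fileserver01"), ("ws-17", "auth_fail", "fileserver01"),
    ("ws-17", "auth_fail", "fileserver01"), ("ws-17", "auth_fail", "fileserver01"),
    ("ws-17", "dns", "qzk3v9x1pl7bn2.com"), ("ws-17", "dns", "pf8t2r0hmz4q.net"),
    ("ws-04", "conn", "10.0.5.9:445"), ("ws-04", "dns", "intranet.example.com"),
]

def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def looks_dga(fqdn: str) -> bool:
    """Crude DGA heuristic: long, high-entropy second-level label."""
    parts = fqdn.split(".")
    label = parts[-2] if len(parts) >= 2 else fqdn
    return len(label) >= 12 and shannon_entropy(label) > 3.4

def host_signals(events: List[Tuple[str, str, str]]) -> Dict[str, Dict[str, int]]:
    """Per host: which of the three signals fired (1) or not (0)."""
    ports = defaultdict(set)      # host -> distinct destination ports
    fails: Counter = Counter()    # host -> failed authentications
    dga: Counter = Counter()      # host -> DGA-looking lookups
    for host, kind, detail in events:
        if kind == "conn":
            ports[host].add(detail.rsplit(":", 1)[1])
        elif kind == "auth_fail":
            fails[host] += 1
        elif kind == "dns" and looks_dga(detail):
            dga[host] += 1
    hosts = {h for h, _, _ in events}
    return {h: {"port_scan": int(len(ports[h]) >= 5),      # constructed thresholds
                "failed_auths": int(fails[h] >= 3),
                "dns_dga": int(dga[h] >= 1)} for h in hosts}

def risk_score(signals: Dict[str, int]) -> int:
    """Weighted sum of fired signals; weights are constructed."""
    weights = {"port_scan": 30, "failed_auths": 20, "dns_dga": 40}
    return sum(weights[k] * v for k, v in signals.items())
```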
IntroSpect Advanced Analytics and Forensics
Supervised and unsupervised machine learning over packets, flows, logs and alerts.
CLEARPASS + INTROSPECT = INTEGRATED PROTECTION
ClearPass Secure Access Control and IntroSpect UEBA (Entity360 Profile with Risk Scoring) share user/device context and actionable alerts:
1. Discover and Authorize
2. Monitor and Alert
3. Decide and Act
ClearPass Adaptive Response: Real-time Quarantine • Re-authentication • Bandwidth Control • Blacklist
Customer Examples
– Customer Example #1:
– Realized ROI in 7 months on ONE specific use case
– Corporate employees were frequently rearranging their desks, plugging their docking stations and phones into different ports.
– Each time they did this, the helpdesk would have to open a ticket and reconfigure. The cost of this alone paid for their investment.
– Customer Example #2:
– Each time a switch or port had to be reconfigured, this customer had to pay their provider a fee of $100.
– This will eliminate a 7 figure operational cost each year by utilizing the colorless / intelligent ports in ClearPass.
Benefits of a Modern Wired Security Implementation
– Stronger security/compliance posture
– Lower risk to organization
– Improved operations efficiency
– Symbiotic Network and Security Ecosystem
– Networking: fewer helpdesk calls, fewer requests from security, fewer changes
– Security: enable security to take action on its own
– Improved end user experience
UNIQUELY POSITIONED TO DELIVER ADVANCED SECURITY: Analytics, Control, Connectivity, Visibility
Expand your solution value with Dynamic Segmentation
This is one of Aruba’s core technical differentiators: ClearPass for Policy Definition, Controller/Gateway for Policy Enforcement, across wired and wireless.
See a Demo in the Innovation Zone!
Dynamic Segmentation
✓ Wired and Wireless Access
✓ Layer 7 Stateful Firewall (DPI)
✓ Intelligent Role-based awareness
✓ Customizable Device Profiling
✓ Centralized Policy Enforcement
Thank You