Mobility, control, Cloud Security: the new frontier of Enterprise LANs
Gianluca Silvestri - System Engineer Exclusive Networks
The Challenge
The Evolving Landscape
Shadow IT
Users are more mobile
Typically organisations are reactive – it’s time to embrace and be pro-active
Does anyone in this room work anywhere else outside of this office?
How many devices have we got in this room?
Are they enterprise owned or personal?
How many of you have corporate applications installed on your personal device?
How many of you have personal applications on your enterprise owned device?
Do you have any corporate data stored locally on any of your devices?
Does your business have a mobility strategy?
It’s real, it’s in this room!
The Challenge: The 5 Core Pillars of Enterprise Mobility
The Answer
The time is now
©2016 Aerohive Networks Confidential
Great Wi-Fi
Smarter Investment: Reduce the cost of design, deployment, and operations
Connected Experience
Connected Experience
Scalable: Grow from 1 to 100,000’s of APs with a single architecture
Secure: Provide access to only those that should have it
Simple: Reduce the complexity of network management
Streamlined Operation: Simplicity, but not too simple
User, Device, App, Location
Granular Visibility
Intuitive yet Powerful Configuration
Progressive Disclosure
Completeness of Capabilities
Full Feature Solution
Effortless Scale: From one to hundreds of thousands
Connect
Provision
Grow
Maintain
Reduced Support Burden: Make your team instant Wi-Fi Gurus
Simplified Troubleshooting
Quickly identify and resolve network issues
• Network Health Assessment
• Automatic data collection
• Real-time and historical investigative tools
Devices and Data Sources
Open Platform for Customized Apps and Insights
Data Store
Processing
Micro Services
API
Big Data Big Ideas
Aerohive Cloud Services
IT Value
Open Applications Ecosystem
Business Insight
© 2015 Infoblox Inc. All Rights Reserved.
Traditional Network Architecture
[Diagram: Internet / Intranet; DMZ apps & end-points behind a firewall; Microsoft DNS and DHCP in Denver; BIND DNS for Europe, Americas and APJ; each server marked Vulnerable (Malware)]
Security Vulnerabilities
• Hacks of DNS server
• External attacks (DNS DDoS)
• Malware inside network
Management Silos
• Multiple points of management
• Multiple data silos
Single Points of Failure
[Diagram: Microsoft DNS and DHCP in London and Tokyo; Apps & End Points; Virtualization & Private Clouds]
Where Infoblox Helps
[Diagram: Internet / Intranet; DMZ apps & end-points; Apps & End Points; Virtualization & Private Clouds; IPAM with Internal DNS & DHCP in Tokyo and Denver; External DNS]
(1) Secure: Secure Platform
Protection from external attacks
Block Malware call-backs
Data Exfiltration protection
(2) Control
Highly efficient, centralized control
ONE authoritative IPAM data source
(3) Automate
DDI + Automation for Virtualization & Hybrid Clouds
Customers Need Commercial Grade IPAM… NOT THIS!
Infoblox IPAM in “IP Mapping” Mode
© 2016 Netskope. All Rights Reserved.
Challenge: No Visibility or Control in Unsanctioned Apps
‣ Unsanctioned apps fly under the radar
‣ Ecosystems connect these apps to sanctioned ones
‣ No visibility or control = increased risk of data leakage, non-compliance, and threat propagation
[Diagram: PROBLEM – Unsanctioned vs. Sanctioned apps]
Requirement: Deep Visibility and Control Across All Apps
‣ Gain visibility and control across all cloud apps, covering users on any device, including native/sync
‣ Protect sensitive data with advanced, enterprise DLP
‣ Defend against and remediate threats propagating in cloud apps
[Diagram: SOLUTION – Unsanctioned vs. Sanctioned apps]
Allow is the new block
Control technologies compared: NGFW | FW/IPS | Web Proxy | Netskope
• Stateful packet inspection
• Deep packet inspection
• Port/protocol-agnostic inspection
• App signatures
• URL filtering, Web AV, Web DLP
• Cloud risk assessment, identify 1000s of cloud apps, activity control, anomaly detection, cloud usage forensics, Data Loss Prevention, encryption
CONTROL axis (increasing depth): L4 Ports/Protocol → L7-HTTP → App → Activity → Identity → Data
UTM: “All-in-one” services
• Allow, don’t block
• Control apps, activity, data
• Reduce security risk
• Ensure compliance
• Safe cloud enablement
Comparison of visibility capabilities
Web session start (what is visible on the wire):
• Login as: mary@acme
• User-agent: Browser/OS
• From: IP address
• To: IP address (www.box.com)
• URL Category: File Sharing/Storage
• HTTP GET/POST/DELETE/CONNECT
• HTTP headers
• GET and POST body
Web session end

Perimeter security (summary only):
• URL: Box
• Category: File Sharing
• Using: Macbook, Safari 6.0
• From: IP address
• To: IP address

Netskope:
• Identity: Login as: mary@acme; Box ID: mary@gmail; Using: Macbook/Safari; From: Mtn View, CA; Destination: Box site located in Germany; To user: sharing a doc with “John@Newco”
• App: Box; Category: Cloud Storage; App Instance: Corporate; CCL: High; Risk: High
• Activity: Login, Upload, Download, Share, Logout, Invite, Edit, View…
• Data: PII/PCI/PHI data; other sensitive classifications
• Summary: App: Box; Instance: Corporate; Using: Macbook, Safari 6.0; From: Mountain View, CA; Activities: Create Folder, Move Files (4), Share Folder w/ John@NewCo; Anomalies: Downloaded a PII doc from SFDC and uploaded to Box
The Industry’s Only All-Mode Deployment Architecture
Use Cases
Deployment modes: Inline (Forward Proxy, Reverse Proxy), TAP, API Connector, LOG (Offline)
Traffic Steering Options: Explicit Proxy/PAC File, Proxy Chaining, DNS, Agent/Mobile Profile
‣ Discover apps
‣ Assess risk
‣ See basic activities
‣ Enforce policies in real-time for any app, including ones accessed remotely, on mobile, and/or via native or sync client
‣ Discover apps
‣ Assess risk
‣ See deep activities
‣ Detect DLP violations
‣ eDiscover DLP violations in content at rest
‣ Govern activities and data for content at rest
‣ Enforce policies in real-time
‣ Enforce mobile policies
‣ Sanctioned apps only
LAB Scenario
DNS, DHCP, IPAM
Network Automation
DNS Security
DNS Forward
Netskope Secure Forwarder
Analysis
Access
LIVE DEMO
THANK YOU!