Mobility, Control, Cloud Security: the New Frontier of Enterprise LANs. Gianluca Silvestri - System Engineer, Exclusive Networks


Post on 28-Sep-2020



The Challenge


The Evolving Landscape

Shadow IT

Users are more mobile

Typically organisations are reactive – it’s time to embrace and be pro-active


Does anyone in this room work anywhere else outside of this office?

How many devices have we got in this room?

Are they enterprise owned or personal?

How many of you have corporate applications installed on your personal device?

How many of you have personal applications on your enterprise owned device?

Do you have any corporate data stored locally on any of your devices?

Does your business have a mobility strategy?

It’s real, it’s in this room!


The Challenge: The 5 Core Pillars of Enterprise Mobility


The Answer


The time is now

©2016 Aerohive Networks Confidential

Great Wi-Fi


Smarter Investment: Reduce the cost of design, deployment, and operations

Connected Experience

Scalable: Grow from 1 to 100,000’s of APs with a single architecture

Secure: Provide access to only those that should have it

Simple: Reduce the complexity of network management


Streamlined Operation: Simplicity, but not too simple

User, Device, App, Location

Granular Visibility

Intuitive yet Powerful Configuration

Progressive Disclosure

Completeness of Capabilities

Full Feature Solution


Effortless Scale: From one to hundreds of thousands

Connect

Provision

Grow

Maintain


Reduced Support Burden: Make your team instant Wi-Fi Gurus

Simplified Troubleshooting

Quickly identify and resolve network issues

• Network Health Assessment
• Automatic data collection
• Real-time and historical investigative tools


Open Platform for Customized Apps and Insights

Diagram labels: Devices and Data Sources; Data Store; Processing; Micro Services; API; Big Data Big Ideas; Aerohive Cloud Services; IT Value; Open Applications Ecosystem; Business Insight

© 2013 Infoblox Inc. All Rights Reserved. © 2015 Infoblox Inc. All Rights Reserved.

Traditional Network Architecture

Diagram labels: Internet; Intranet; DMZ; Apps & End-Points; Firewall; Microsoft DNS and Microsoft DHCP (Denver, London, Tokyo); BIND DNS (Europe, Americas, APJ); Virtualization & Private Clouds. Components are marked "Vulnerable", one of them "Vulnerable (Malware)".

Security Vulnerabilities

• Hacks of DNS server
• External attacks (DNS DDoS)
• Malware inside network

Management Silos

• Multiple points of management
• Multiple data silos

Single Points of Failure


Where Infoblox Helps

Diagram labels: Internet; Intranet; DMZ; Apps & End-Points; Virtualization & Private Clouds; IPAM; Internal DNS & DHCP (Tokyo, Denver); External DNS

(1) Secure

• Secure Platform
• Protection from external attacks
• Block Malware call-backs
• Data Exfiltration protection

(2) Control

• Highly efficient, centralized control
• ONE authoritative IPAM data source

(3) Automate

• DDI + Automation for Virtualization & Hybrid Clouds


Customers Need Commercial Grade IPAM… NOT THIS!


Infoblox IPAM in “IP Mapping” Mode


© 2016 Netskope. All Rights Reserved.

Challenge: No Visibility or Control in Unsanctioned Apps

‣ Unsanctioned apps fly under the radar
‣ Ecosystems connect these apps to sanctioned ones
‣ No visibility or control = increased risk of data leakage, non-compliance, and threat propagation

Diagram labels: Sanctioned; Unsanctioned; PROBLEM


Requirement: Deep Visibility and Control Across All Apps

‣ Gain visibility and control across all cloud apps, covering users on any device, including native/sync
‣ Protect sensitive data with advanced, enterprise DLP
‣ Defend against and remediate against threats propagating in cloud apps

Diagram labels: Sanctioned; Unsanctioned; SOLUTION


Allow is the new block (allow is new block green light slide)


FW/IPS: Stateful Packet inspection; Deep Packet inspection
NGFW: Port/Protocol Agnostic inspection; App signatures
Web Proxy: URL filtering; Web AV; Web DLP
UTM: “All-in-one” services
Netskope: Cloud risk assessment; Identify 1000s of cloud apps; Activity control; Anomaly detection; Cloud usage forensics; Data Loss Prevention; Encryption

CONTROL (diagram axis): Data; Identity; Activity; App; L7-HTTP; L4-Ports/Protocol

• Allow, don’t block
• Control apps, activity, data
• Reduce security risk
• Ensure compliance
• Safe cloud enablement


Comparison of visibility capabilities

Columns: Identity; App; Activity; Data; Summary (timeline markers: Web session start; Web session end)

Perimeter security

Identity: Login as: mary@acme; User-agent: Browser/OS; From: IP address; To: IP address
App: www.box.com; URL Category: File Sharing/Storage
Activity: HTTP GET/POST/DELETE/CONNECT
Data: HTTP headers; GET and POST Body
Summary: URL: Box; Category: File Sharing; Using: Macbook, Safari 6.0; From: IP address; To: IP address

Netskope

Identity: Login as: mary@acme; Box ID: mary@gmail; Using: Macbook/Safari; From: Mtn View, CA; Destination: Box site located in Germany; To user: sharing a doc with “John@Newco”
App: App: Box; Category: Cloud Storage; App Instance: Corporate; CCL: High; Risk: High
Activity: Login; Upload; Download; Share; Logout; Invite; Edit; View…
Data: PII/PCI/PHI data; Other sensitive classifications
Summary: App: Box; Instance: Corporate; Using: Macbook, Safari 6.0; From: Mountain View, CA; Activities: Create Folder, Move Files (4), Share Folder w/ John@NewCo; Anomalies: Downloaded a PII doc from SFDC and uploaded to box


The Industry’s Only All-Mode Deployment Architecture

Diagram labels: Forward Proxy; Reverse Proxy; Inline; TAP; API Connector; LOG; Offline

Traffic Steering Options: Explicit Proxy/PAC File; Proxy Chaining; DNS; Agent/Mobile Profile

Use Cases

‣ Discover apps
‣ Assess risk
‣ See basic activities

‣ Enforce policies in real-time for any app, including ones accessed remotely, on mobile, and/or via native or sync client

‣ Discover apps
‣ Assess risk
‣ See deep activities
‣ Detect DLP violations

‣ eDiscover DLP violations in content at rest
‣ Govern activities and data for content at rest

‣ Enforce policies in real-time
‣ Enforce mobile policies
‣ Sanctioned apps only


LAB Scenario

Diagram labels: DNS DHCP IPAM; NETWORK AUTOMATION; DNS SECURITY; DNS Forward; Netskope Secure Forwarder; Analysis; Access


LIVE DEMO


THANK YOU!