Network Access and the Acronym Soup – NAC, MDM, SBC & SSO

©2013 Avaya Inc. All rights reserved February 26-28, 2013 | Orlando, FL

Upload: jenski

Post on 25-Feb-2016

DESCRIPTION

Network Access and the Acronym Soup – NAC, MDM, SBC & SSO. Shmulik Nehama, Identity Engines Portfolio Leader, Avaya. Agenda: The Acronym Soup, Network Access Control, Mobile Device Management, Session Border Control, Single Sign On, Resources.

TRANSCRIPT

Shmulik Nehama, Identity Engines Portfolio Leader, Avaya

@shmulik247 #AvayaATF

Network Access and the Acronym Soup – NAC, MDM, SBC & SSO

Agenda

• The Acronym Soup
• Network Access Control
• Mobile Device Management
• Session Border Control
• Single Sign On
• Resources

Disclaimer: Some of the material provided in this presentation is forward-looking and may be subject to change without advance notice!

The Acronym Soup

• NAC (Network Access Control). Avaya solution: Avaya Identity Engines
  • Authenticates & authorizes network access of users and any network attached device (IP phones, medical devices, user devices, printers etc.).
  • Dynamically provisions the network to contain the access of users and the network attached devices
• SSO (Single Sign On). Avaya solution: Avaya Identity Engines
  • Single Sign On (SSO) is an area of access control that enables users to log in once and/or with the same enterprise credentials and gain access to applications without being prompted to log in again at each of them and/or without the need to maintain different sets of credentials.
• MDM (Mobile Device Management). Avaya solution: DevConnect (MobileIron)
  • MDM manages mobile devices in the context of which applications should / should not be on user handheld devices, password management, patch and software management.
  • MDM manages mobile device data and apps but does NOT control / provision the network for access
• SBC (Session Border Control). Avaya solution: Avaya Session Border Controller
  • Provides network security for SIP-based applications without the need for a VPN client on the accessing device.
  • Controls access of UC applications (NOT network access of users / devices)

The Acronym Soup

• NAC (Network Access Control). Avaya solution: Avaya Identity Engines
  • Authenticates & authorizes network access of users and any network attached device (IP phones, medical devices, user devices, printers etc.).
  • Dynamically provisions the network to contain the access of users and the network attached devices
• SSO (Single Sign On). Avaya solution: Avaya Identity Engines
  • Single Sign On (SSO) is an area of access control that enables users to log in once and/or with the same enterprise credentials and gain access to applications without being prompted to log in again at each of them and/or without the need to maintain different sets of credentials.
• MDM (Mobile Device Management). Avaya solution: DevConnect (MobileIron)
  • MDM manages mobile devices in the context of which applications should / should not be on user handheld devices, password management, wipe out and software.
  • MDM manages mobile device data and apps but does NOT control / provision the network for access
• SBC (Session Border Control). Avaya solution: Avaya Session Border Controller
  • Provides network security for SIP-based applications without the need for a VPN client on the accessing device.
  • Controls access of UC applications (NOT network access of users / devices)

Agenda

• The Acronym Soup
• Network Access Control
• Mobile Device Management
• Session Border Control
• Single Sign On
• Resources

What is it?

Network Access Control uses policies to control and provision access to a network, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do.

Role-based access is where access to the network is given according to the profile of the person and the results of a posture / health check.

e.g. in an enterprise, the HR dept could access only HR dept files, and only if both the role and the endpoint check (anti-virus being up to date) are met.

Enterprise Network w/ Multiple Policy Enforcement Locations

• Multiple repositories of identity information
• Multiple locations of enforcement points
• Challenges in providing access to
  • Guest Access
  • Contractors Access
• Challenges in implementing consistent access behavior across the network
• Challenges with mergers and acquisitions

[Figure: Enterprise Network with Multiple Constituents and Policy-Enforcement Locations]

Enterprise Network w/ Centralized Identity and Policy Services

[Figure: Identity and Policy Service in the Enterprise Network]

• Network Access Control is centralization of both identity and policy information in a single location
  • Simplification
  • Consistency
• Facilitate self-service Guest Access
  • IT Hands-off
• Contractor Access

Why is it important?

• Granular Control
  • Network operators define policies, such as roles of users and the allowed network areas to access, and enforce them in switches, WLAN Controllers etc.
• Enhanced Security
  • Ability to prevent access from end-stations that do not meet security posture requirements
• Regulatory Compliance
  • Enforce access policies based on authenticated user identities

1. Define roles

2. Define network access level

Network Access Features

[Figure: devices attached to the Enterprise Network: IP Phone, Visitor or Business Partner, Personal Machine, Corporate Desktop, Network Printer, Network Device, Wireless Access Point, Surveillance Camera, Fax Machine, Medical Device, Local Server/App, Guests & Guest Devices]

• It is not only about users and their devices but also about any network attached device

• Each access port is not assigned until a user/device attempts access.

• Once authenticated & authorized, user/device is granted appropriate access level.

Typical Network Access Architecture

[Figure: Identity Engines architecture. Layers: Network Abstraction Layer, Directory Abstraction Layer. Components: Reporting & Analytics, Posture Assessment, Guest Access Mgmt, Access Portal, CASE Wizard. Roles: Policy Enforcement Point, Policy Decision Point, Policy Information Point]

Network Access Features

Basic Features
• Authentication & Authorization
• Guest Access Management
• Posture Compliance
• Compliance checking for un-managed devices e.g. BYOD
• Reporting and Analytics
• Directory Federation

Advanced Features
• Unified Solution for wired and wireless network access
• IT Hands-Off self-service Guest access management
• Device Finger-printing
• BYOD On-boarding
• High Availability

SPB Network Access Automation

[Figure: network diagram labelled Campus, Branch and Data Center, with UC Zone, Corporate Zone, Guest Zone and Contractor Zone]

• User connects to edge switch
• User placed on a VLAN
• VLAN mapped to an ISID
• Done!

Multi-Host Multi-Authentication

• MHMA is a network switch capability where Identity Engines separately authenticates and authorizes multiple clients connected to a switch port

• Each client must complete EAP authentication before the port allows traffic from the user's MAC address; only traffic from authorized hosts is allowed

• Enables directing multiple hosts on a single port to different VLANs. Used for separating voice and data traffic on the same port
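
As an added illustration (not Avaya's code and not part of the original slides), the sketch below models the MHMA behaviour described above together with the role-plus-posture decision from the earlier "What is it?" slide: each MAC address on a port is authorized separately and mapped to its own VLAN. The role names, VLAN IDs, MAC addresses and the rule that only the employee role needs a posture result are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed policy tables: role names and VLAN IDs are assumptions.
ROLE_VLAN = {"employee": 10, "ip-phone": 20, "guest": 30}
# Assumption: only user endpoints report a posture / health check result.
POSTURE_REQUIRED = {"employee"}


@dataclass(frozen=True)
class AuthResult:
    """What the policy decision point learned about one client."""
    mac: str
    eap_ok: bool                        # client completed EAP authentication
    role: Optional[str]                 # role resolved from the identity store
    posture_ok: Optional[bool] = None   # None = no posture result reported


def decide_vlan(result: AuthResult) -> Optional[int]:
    """Return the VLAN for this client, or None to keep it off the network."""
    if not result.eap_ok or result.role not in ROLE_VLAN:
        return None   # failed authentication or unknown role: no default access
    if result.role in POSTURE_REQUIRED and result.posture_ok is not True:
        return None   # a failed or missing posture result fails closed
    return ROLE_VLAN[result.role]


@dataclass
class MhmaPort:
    """One switch port that tracks authorization per source MAC address."""
    name: str
    authorized: Dict[str, int] = field(default_factory=dict)  # MAC -> VLAN

    def authenticate(self, result: AuthResult) -> bool:
        mac = result.mac.lower()
        vlan = decide_vlan(result)
        if vlan is None:
            # A failed re-authentication also revokes an earlier grant.
            self.authorized.pop(mac, None)
            return False
        self.authorized[mac] = vlan
        return True

    def forward(self, src_mac: str) -> Optional[int]:
        """VLAN a frame from src_mac is placed on, or None if it is dropped."""
        return self.authorized.get(src_mac.lower())


def demo() -> Dict[str, Optional[int]]:
    """Constructed scenario: a phone, a PC behind it and two rejected hosts."""
    port = MhmaPort("1/12")
    phone, pc = "00:11:22:33:44:01", "00:11:22:33:44:02"
    stale_pc, unknown = "00:11:22:33:44:03", "00:11:22:33:44:04"
    port.authenticate(AuthResult(phone, True, "ip-phone"))
    port.authenticate(AuthResult(pc, True, "employee", posture_ok=True))
    port.authenticate(AuthResult(stale_pc, True, "employee", posture_ok=False))
    # "unknown" never authenticates, so its frames are dropped.
    return {m: port.forward(m) for m in (phone, pc, stale_pc, unknown)}


if __name__ == "__main__":
    for mac, vlan in demo().items():
        print(mac, "->", "dropped" if vlan is None else f"VLAN {vlan}")
```

The phone and the PC share one port but land on different VLANs, while the host with out-of-date posture and the host that never authenticated get no traffic through.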

Agenda

• The Acronym Soup
• Network Access Control
• Mobile Device Management
• Session Border Control
• Single Sign On
• Resources

What is it?

• Mobile Device Management (MDM) secures, monitors, manages and supports mobile devices deployed across mobile operators, service providers and enterprises.

• MDM functionality typically includes over-the-air distribution of applications, data and configuration settings for all types of mobile devices
  • Smart-phones, tablets, mobile printers, mobile POS devices, etc.

Why is it important?

• Reduce support costs and business risks
  • Control and protect the data and configuration settings for all mobile devices in the network
• Manage devices
  • IT can use MDM to manage the devices over the air with minimal intervention in employee schedules
• Visibility
  • With mobile devices becoming present “everywhere” and applications flooding the market, mobile monitoring is growing in importance.

Support Saying YES to BYOD

…Anyone here still using a flip phone?

Time Magazine cover Aug 18 1997. Bill Gates invests $150M to save Apple.

• Android apps: 700 000
• iPhone/iPad apps: 700 000
• Tablets in 2012: 119 000 000
• Smartphones in 2011: 491 000 000
• Smartphones in 2012: 686 000 000
• Social Media Users: 1 200 000 000

Tablet market $45B by 2014 – Yankee 2011

50% Enterprise users interested in or using consumer applications – Yankee 2011

Smartphone app revenue to triple by 2014 – Yankee 2011

Typical MDM Solution

• Server & Client Components
  • Server component sends out management commands to devices
  • Client component runs on device to receive and implement commands
• Must have an agent installed and maintained
  • Constant 24x7 race after device and OS updates
• Deployment -- On-premise and Cloud based solutions

MDM Capabilities

Basic Features
• Inventory Management & Real Time Reporting
• Setting Passcode Policies
• Remote Lock and Full Wipe
• Remote Selective Wipe
• Configuration of Email, Wi-Fi, VPN, Certs.
• Email Access Controls
• Jail-broken / Rooted Device Detection

Advanced Features
• Enterprise App Catalog
• App Blacklisting / Whitelisting
• Secure Document Sharing
• Geo Location
• Event-based Security and Compliance Rules Engine
• Roaming Usage
• Dual Persona separate Personal vs. Corporate content
• Monitor access to App Store
• Data encryption

MDM Market Landscape

• 100+ vendors who claim some level of MDM functionality

• 20 vendors in Gartner MDM MQ

• None of the Networking vendors provide true MDM capabilities
  • Requires keeping up with the intense pace of mobile device market updates and innovation

MDM Capabilities and the Use Cases

• Cross platform device support
• Configuration management
• Device monitoring
• License control
• Software distribution
• Inventory & asset control

MDM requirements vary depending on use case

MDM Capabilities and the Use Cases

MDM requirements vary depending on use case

[Figure: MDM requirements by use case. Labels: organizations w/ very large number of mobile users; small number of mobile users; non-regulated organizations (e.g. retail); strongly regulated (e.g. finance, defense). Capability groups: data encryption, dual persona, selective wipe; detect OS & version, installed apps, roaming usage, content, device wipe]

Avaya’s MDM strategy

• Today
  • Avaya Flare and one-XC Applications interoperability tested with MobileIron
• Tomorrow
  • Identity Engines MDM integration with top vendors
  • Ignition Server will query mobile device attributes from the MDM and make attributes part of the Access Policy

[Figure: Avaya Flare & one-XC Applications on user devices]

Avaya’s MDM strategy

[Figure: MDM and Identity Engines Access Policy]

Agenda

• The Acronym Soup
• Network Access Control
• Mobile Device Management
• Session Border Control
• Single Sign On
• Resources

What is it?

• A device or application that governs the manner in which calls, also called sessions, are initiated, conducted and terminated in a VoIP network.
  • An SBC can facilitate VoIP sessions between phone sets or proprietary networks that use different signaling protocols.
• An SBC can include call filtering, bandwidth use management, firewalls and anti-malware programs to minimize abuse and enhance security

Why is it important?

• Denial of Service
  • Call/registration overload
  • Malformed messages (fuzzing)
• Configuration errors
  • Misconfigured devices
  • Operator and application errors
• Theft of service
  • Unauthorized users
  • Unauthorized media types
• Viruses and SPIT
  • Viruses via SIP messages
  • Malware via IM sessions
  • SPIT – unwanted traffic

[Figures: Enterprise Adoption of Collaboration Tools; Mobile Collaboration Security Threats. Source: Nemertes Research]

UC Security – Should You Care?

• Credit card privacy rules: other compliance laws require security architecture specific to VoIP and other UC.
• In 2010: 50% increase in VoIP hacking at new levels
• Up to 25% of attacks: VoIP scanning - botnets, Cloud used for VoIP fraud. Huge bills
• Reduce deployments by 1/3: VoIP / UC security reduces VoIP / UC deployment time by one third
• Toll fraud: yearly enterprise losses in billions; inadequate securing of SIP trunks, UC and VoIP applications

Collection of Analysts (Yankee survey & Aberdeen)

OSI Model - 7 Layers of Attacks

• Typical firewall protection
  • Layer 3-4 protection
  • Emerging layer 7 FWs
• Email spam filters layer 7 application specific email firewall
• SIP, VoIP, UC layer 4 to layer 7 application
• SIP Trunking - a trunk side application
• SIP Line (phone) side (internal and external) access another application

OSI Model

Data Unit | Layer | Function
Host Layers
Data | 7. Application | Network process to application
Data | 6. Presentation | Data representation, encryption and decryption, convert machine dependent data to machine independent data
Data | 5. Session | Inter-host communication
Segments | 4. Transport | End-to-end connections and reliability, flow control
Media Layers
Packet/Datagram | 3. Network | Path determination and logical addressing
Frame | 2. Data Link | Physical addressing
Bit | 1. Physical | Media, signal and binary transmission

Wikipedia on 22Jul2011: http://en.wikipedia.org/wiki/OSI_Model

Avaya SBCE provides a VoIP/UC trunk/line side layer 4-7 application protection

Think of OSI model as a 7 foot high jump

Agenda

Complements Existing Security Architecture

[Figure: Firewall, Avaya SBCE, Firewall. The SBCE is labelled Application Level Security Proxy (Policy Application, Threat Protection, Privacy, Access Control)]

Session Border Control Use Cases

[Figure: use-case diagrams labelled SIP Trunking and Remote Worker, each showing Avaya SBC for Enterprise; one diagram is labelled CS1000]

SBC Use Cases – SIP Trunking

Use Case: SIP Trunking to Carrier
• Carrier offering SIP trunks as lower-cost alternative to TDM
• Carrier SIP trunks to the Avaya SBC
• Avaya SBC located in the DMZ behind the Enterprise firewall
• Services security and demarcation device between the IP-PBX and the Carrier
  − NAT traversal
  − Securely anchors signaling and media, and can
  − Normalize SIP protocol

[Figure: Enterprise IP PBX, Firewall, Avaya SBCE in the DMZ, Firewall, Internet, SIP Trunks, Carrier]

Secure Remote Worker with BYOD

• Personal PC, Mac or iPad devices
• Avaya Flare®, Avaya one-X® SIP client app
• App secured into the organization, not the device
• One number UC anywhere

[Figure: Untrusted Network (Internet, Wireless, etc.), Avaya SBCE, and Avaya Aura® components: Presence Server, System Manager, Communication Manager, Avaya Aura Conferencing, Aura Messaging, Session Manager]

Secure Remote Worker with BYOD

Use Case: Remote Worker
• Extend UC to SIP users remote to the Enterprise
• Solution not requiring VPN for UC/CC SIP endpoints
• Remote Workers are external to the Enterprise firewall
• Avaya Session Border Controller for Enterprise
  − Authenticate SIP-based users/clients to Aura Realm
  − Securely proxy registrations and client device provisioning
  − Securely manage communications without requiring a VPN

[Figure: Enterprise IP PBX, Firewall, Avaya SBCE in the DMZ, Firewall, Internet, Remote Workers]

Agenda

• The Acronym Soup
• Network Access Control
• Mobile Device Management
• Session Border Control
• Single Sign On
• Resources

What is it?

Single Sign On (SSO) is a property of access control that enables users to log in with one set of enterprise credentials and gain access to systems without being prompted for different credentials or to log in again.

Maintaining one set of credentials and reducing multiple logins.

Why is it important?

• Reduces password fatigue from different user name and password combinations

• Reduces time spent re-entering passwords for the same identity

• Reduces IT costs due to lower number of IT help desk calls about passwords

Single-Sign-On

[Figure: Single-Sign-On scope. Enterprise Identity Realm (Local Single-Sign-On): ERP, HRM, CRM, Intranet Applications, Enterprise Directory Infrastructure. Web Single-Sign-On: 3rd Party Web Sites, Salesforce, Social Media]

Single-Sign-On

[Figure: Enterprise Identity Realm (Enterprise Directory Infrastructure) and Aura Applications Identity Realm (SM, AAC, CM, PS)]

Current Situation
• The enterprise and Aura realms are separate: each app has its own notion of user identity and credentials and manages them separately.
• Integration with enterprise AAA is difficult, inconsistent and brittle

Single-Sign-On

[Figure: Enterprise Identity Realm (Enterprise Directory Infrastructure) and Aura Applications (SM, AAC, CM, PS)]

Customers Want
• Users to authenticate to enterprise AAA service
• Minimize the number of user identities and credentials
• Minimize and standard approach to authentication & credential mgmt
• Consistent user experience

Stepping Identity Engines Up into the Applications Access

• Incorporating SAML as an authentication protocol
  • Web Clients
  • Thick Clients
• Introducing the concept of Identity Provider for Applications
• Introducing the concept of Service Providers
• Focus on Aura UC Applications
  • Flare
  • One-X Communicator
  • Avaya Aura Conferencing

Agenda

• Network Access
• Mobile Device Management
• Network Access Control
• SIP Security
• Single Sign On
• Resources

• NAC: Network Access Control
• SBC: Session Border Controller
• MDM: Mobile Device Management
• SSO: Single Sign On

“Avaya is the company that is stepping in with a true, holistic BYOD proposal that covers all the pieces.”

Zeus Kerravala, ZK Research

Resources

• Identity Engines Product Management
  • Shmulik Nehama
  • [email protected]
• Session Border Controller Product Management
  • Jack Rynes
  • [email protected]
• Secure BYOD YouTube Video
  • http://www.youtube.com/watch?v=0ZrMOqzGMpE

Thank you!

@shmulik247 #AvayaATF