THE EXPERIENCE EDGE People Move. Networks Must Follow
Kim Filtenborg & Allan Højberg
From static to dynamic……
voice, video and data run on one device
THE PERFECT STORM IS COMING:
MOBILE, IoT and CLOUD
Challenges and wishes for the network today
Mobility
IoT handling
Increase security around the individual user/device
Uniform role-based policy across LAN/WLAN for users and devices
Better and easier segmentation
Zero touch deployment
From static setup – to dynamic setup
Eliminating the blind spots!
Secure the Edge: Secure the Experience
ClearPass
CONTROL
• Reduce risk and workload through automation
• All devices are approved or authorized - NO UNKNOWN DEVICES
RESPONSE
• Adaptive response exchange with a third-party, best-of-breed security solution
VISIBILITY
• Overview of what is connected in your wired and wireless multivendor environment
Device Visibility: ClearPass Policy Manager
An easy start to regaining control
• Visibility of what’s on the network – up to approx. 5K devices
• Includes install guide and specific report generation
• Visibility of what’s changing on the network
• TACACS to secure and monitor network config changes + reporting
• RADIUS and/or Guest services for up to 100 concurrent users
TRADITIONAL PROFILING TECHNIQUES LACK DEVICE CONTEXT
STATIC ATTRIBUTES
NMAP | SNMP | WMI
GENERIC “WINDOWS” OR “LINUX” DEVICE
ELIMINATES BLIND SPOTS
CLEARPASS DEVICE INSIGHT
Delivers automated, ML powered device classification to enhance
policy-based access control
MACHINE LEARNING-BASED CLUSTERING USING DPI
MAC / Vendor info
Port/Protocol
Static Attributes (DHCP, User agent, SNMP info)
Destination IP
Communication Frequency
Application Communications
CLEARPASS DEVICE INSIGHT: FROM GENERIC TO GRANULAR DEVICE VIEW
STATIC ATTRIBUTES
NMAP | SNMP | WMI
WINDOWS DEVICE
AXIS DEVICE
AXIS SECURITY CAMERA
AXIS Q35 NETWORK CAMERA
DEEP PACKET INSPECTION (DPI)
STATIC + BEHAVIORAL ATTRIBUTES
APPLICATIONS
WEB SITES
PORTS
PROTOCOLS
CROWD-SOURCING
MACHINE LEARNING
ARCHITECTURE OVERVIEW
Combination of on-premises data collector (appliance or virtual) and
cloud-based analyzer
Through Deep Packet Inspection (DPI), device attributes are
extracted and metadata is sent to the cloud for analysis
[Diagram: Campus and Branch sites with Device Insight Virtual Collector, Device Insight Hardware Collector, Gateway and Switch; Device Insight Analyzer on the cloud platform]
CLOUD-ENABLED COMMUNITY CROWDSOURCING
Aruba receives the signature
Signature is made available for use by all customers
Customer labels a device using clusters or rules
Signature is tested and validated
DEVICE CLASSIFICATION
Discovered Devices
Classify known devices with established patterns
Classification based on static, flow and behavior based attributes
Static Rules
Device Identified and Labeled
ML-based Classification
ClearPass Device Insight – Accurate Classification
Static Attributes: Operating System, Hardware Vendor
Active and Passive techniques such as MAC OUI, NMAP, etc.
Dynamic Attributes: Understanding Behavioral Attributes
Deep Packet Inspection (DPI) and Machine Learning to leverage communication patterns, applications, etc.
Comparative Attributes: Finding Commonality
Continuous monitoring of device traffic and crowdsourced intelligence to refine and update device fingerprints
ML-ENABLED DETERMINE THE UNKNOWN DEVICES
ClearPass Device Insight – Generic to Granular
ClearPass Policy Manager: AUTOMATED SEGMENTATION AND ENFORCEMENT
ClearPass Device Insight: ENHANCED DISCOVERY / PROFILING
Bi-Directional Data Exchange
CLEARPASS POLICY MANAGER AUTOMATES SECURE ACCESS
Aruba Security Exchange: INTELLIGENCE SHARING AND AUTOMATION WITH OVER 140 PARTNERS
Bi-Directional Data Exchange
ClearPass Device Insight – Enhancing Policy
Creating Access Policy Control
ClearPass Policy Manager Integrations
Logging
UEBA
Network
Social Media
Deception
PMS / IoT
Messaging
EMM / MDM
AuthN / MFA
Services
Endpoint
Firewall
Open, Multi-Vendor Security Framework
Building blocks for Dynamic User Roles
ClearPass: End to End profiling and control
Internet of Things (IoT)
BYOD and corporate owned
REST API, Syslog
Security monitoring and threat prevention
Device management and multi-factor authentication
Helpdesk and voice/SMS service in the cloud
Multi-vendor switching
Multi-vendor WLANs
Aruba ClearPass with Exchange Ecosystem
Role Based Policies for LAN/WLAN & Security
Users, Devices, App finger-printing
User roles
• Policies across LAN/WLAN
• One place where policies are managed
• Security enforced at the edge with different roles
Security Policies
• Secure and flexible way to enforce around the user/device
• DPI, FW rules, QoS
• Firewall out at the edge
Aruba Mobility Controller
Core switch
ArubaOS-Switch
Tunnels
Aruba AP
BYOD
Laptop
Building blocks for Dynamic Segmentation
ARUBA Controller/Gateway
WIRED ACCESS
ARUBA Switch
ARUBA AP
Benefits of Dynamic Segmentation?
Open ecosystem – third-party integration
Gartner Leader – 5/6 + integration with leaders
TCO – you own what you buy, and it is based on standard components + LTW
Layer 7 solution – application aware
No limits on the number of devices in the same management platform
BEST-IN-CLASS ECOSYSTEM
WIRED ACCESS
SECURE INFRASTRUCTURE
SOFTWARE PLATFORM
VIA CLIENT
Technology Partners
360 Security Ecosystem
Alliances
Airheads and Developers
WIRED CORE/AGG
REMOTE ACCESS
Wi-Fi | BLE | TAGS
MANAGEMENT SECURITY LOCATION
ClearPass IntroSpect Meridian Cape Networks NetInsight
ANALYTICS AND ASSURANCE
Aruba AirWave
EDGE COMPUTE
WAN
Open and Designed for Flexibility
Aruba Central
THE EXPERIENCE EDGE
Gartner recommendation:
“Aruba’s wired and wireless LAN solutions are suitable for
consideration globally for all access layer opportunities.”
Leader, Magic Quadrant for Wired and WLAN Access Infrastructure. Gartner, August 2018
Unified Wired and Wireless LAN: Aruba 4.13 | Cisco 4.10 | Extreme Networks 4.02 | Huawei 3.80 | New H3C 3.73
WLAN Only Refresh/New Build: Aruba 4.13 | Mist Systems 4.03 | Cisco 3.96 | Extreme Networks 3.95 | Aerohive 3.84
Performance Stringent Applications: Aruba 4.10 | Cisco 4.09 | Extreme Networks 3.92 | Huawei 3.81 | Aerohive 3.76
Multivendor Network Environment: Aruba 3.82 | Extreme Networks 3.76 | New H3C 3.57 | Huawei 3.51 | Cisco 3.48
Remote Branch Office With Corporate HQ: Aruba 4.13 | Cisco 4.12 | Extreme Networks 3.97 | Huawei 3.80 | Aerohive 3.76
Wired Only Refresh/New Build: Cisco 4.11 | Extreme Networks 4.05 | Aruba 4.03 | Huawei 3.83 | New H3C 3.81
MARKET LEADERS
13 YEARS RUNNING
Simple, efficient and secure network
Thank you for your attention!