Extreme Networks Identity Manager
User, Device, Location, and Presence
Timo Lonka, Country Manager
© 2011 Extreme Networks, Inc. All rights reserved.

User and Traffic Profiles Have Changed
• More users with different roles... Who are you? (Employee vs. Contractor vs. Guest)
• More devices with unique requirements... What are you? (Managed or unmanaged device)
• More applications generating demanding traffic... Is it a threat or is it okay?
• More resources with different security demands... Are you supposed to be here?
• Increased risk of data in motion
• Pressure of internal/external regulatory compliance …

Day-to-Day Pain Points
• 80% of IT resources are spent being reactive to network and help desk calls
• Too many help desk calls related to network configuration
• More calls means more support personnel
• Network adds, moves and changes are labor intensive and costly – may require reconfiguration at times
• Need for troubleshooting is high as it relates to user issues
• Need to reduce network down time as it relates to configuration
• Need a dynamic way of dealing with application performance
  • E.g. bandwidth allocation to higher bandwidth applications
• Network configuration is manual and laborious
• Compliance becomes complicated
  • E.g. keeping non-accounting people out of the accounts servers etc.
Extreme Networks enables IT organizations to… Proactively Manage Business Operations
Enabling the Move from a Static Network to a Dynamic Network (Identity-Aware)

  Static                                          Dynamic
  Limited visibility of User, Device,             Awareness of User, Device,
  Location, and Presence                          Location, and Presence
  Network provisioning and monitoring based on:   Network provisioning and monitoring based on:
  • IP Address                                    • User Identity, Device Identity
  • TCP/UDP Port Information                      • Virtual Machine Identity
  • Static ACLs                                   • Role-based Access, Dynamic ACLs
  Manual Configuration                            Automated Configuration
  Reactive Management                             Proactive Management

Traditional IdAM
Identity and Access Management (IdAM) provisioning at the application (i.e. resource) level
User Community -> Network Infrastructure -> Protected Application / Data Center
• Intellectual property data (IP Manager: John)
• Customer data (Sales: Alice)
• Financial resource systems (Finance: Bob)

Extreme Networks Identity Manager
Identity and Access Management (IdAM) provisioning at the network and application level with Extreme Networks
User Community -> Protected Network Infrastructure -> Protected Application / Data Center
• Intellectual property data (IP Manager: John)
• Customer data (Sales: Alice)
• Financial resource systems (Finance: Bob)
Increased Network Availability
• Eliminate “noise” traffic and malicious activity within the infrastructure
• Network and data access provisioned based on roles and identity
• Audit network activity per user
Identity and Network Authentication
Network authentication methods today…
• Netlogin 802.1X Login ID
• Netlogin Web-based ID
• Netlogin MAC-radius
What’s Needed: Non-Intrusive, Transparent Authentication
• Windows Domain Login
• Kerberos Snooping
Tying authentication and identity to roles and dynamic policies. Tracking of endpoints based on:
• User
• Device
• LLDP-based device identification (e.g. VoIP Phone, Printers, etc…)
• Computer Name
• Location, location, location!

Transparent Authentication with Kerberos
User and Device Awareness through Transparent Authentication
» No software agents required – utilize existing authentication methods
» Do not need to retrain users on logging on to the network

  Username    IP          MAC             Computer Name  VLAN  Location (Switch Port #)
  John_Smith  10.1.1.101  00:00:00:00:01  Laptop_1011    1     24

Login flow (components shown: host, Extreme switch, Active Directory Server, RADIUS Server, LDAP Server, Mail Servers, CRM Database, Internet, Intranet):
1. User logs into the Active Directory domain with username and password
2. Extreme “snoops” the Kerberos login by capturing the username
3. Active Directory validates and approves user credentials and responds to host (Success)
4. Extreme grants network access based on AD server response

Awareness Enables … Role-based Access
Role Derivation
» Users are assigned to a “role” based on their attributes (e.g. job function, location, etc…)
» Users then inherit network policies within the roles to control access to network resources regardless of location

  Role             Internet  Intranet  Mail  CRM/Database  VLAN
  Unauthenticated  Yes       No        No    No            Default
  Contractor       Yes       Yes       No    No            Default
  Employee         Yes       Yes       Yes   Yes           Default

Role lookup (LDAP query: “Who is John? Who is Alice?”): an attribute match such as Company == IBM and Department == Employee is a Match Detected and places the user in that role; no authentication match places the user in the Unauthenticated role.
  User: John   Role: Employee         Resource Access = Permit All
  User: Alice  Role: Contractor       Resource Access = Deny Mail and CRM
  User: Bob    Role: Unauthenticated  Resource Access = Internet Only
Resources shown: Internet, Intranet, Mail Servers, Data Center; the lookup goes to the Active Directory Server, RADIUS Server and LDAP Server (LDAP Response).

Awareness Enables … Role-based Access (wired or wireless)
Same role derivation and access table as the previous slide. Match Group = Query Employee -> User: John, Role: Employee, Resource Access = Permit All.
» Role-based access regardless of location, wired (Summit switch), or wireless (Summit WM3000)! Not dependent on VLANs!
For Internal Use Only. Extreme Networks Confidential and Proprietary. Not to be distributed outside of Extreme Networks, Inc.

Child and Parent Role Relationship
User gets placed into a defined role, which will then “dynamically” inherit a set of policies configured for each specific role.
Roles shown: Faculty Role (contains Policy 1, 2, 3), English Role, Student Role, Visitor Role, Engineering Role, Mathematics Role; the remaining roles each contain one of the policy sets Policy 4, 5; Policy 6, 7; Policy 8, 9, 10; Policy 11, 12, 13; Policy 14, 15.
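Step 2 of the login flow above, "Extreme snoops the Kerberos login by capturing the username", amounts to reading the client principal (cname) and realm out of the Kerberos AS-REQ that the host sends to the domain controller on port 88. The following Python is an added example, not Extreme Networks code: it builds a constructed AS-REQ with a minimal DER encoder and then extracts the principal with a small DER walker that knows only the tags an AS-REQ uses (RFC 4120, KDC-REQ). The user name, realm, nonce and option bits are constructed sample values.

```python
"""Extract the client principal from a Kerberos AS-REQ, as a switch doing
"Kerberos snooping" would, to learn who logged on without any host agent.

Added example, not Extreme Networks code. Only single-byte DER tags and
ASCII GeneralStrings are handled, which is all an AS-REQ needs.
"""

# --- tiny DER encoder, used only to build the constructed sample -------------

def _length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body

def der_int(v: int) -> bytes:
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))

def der_gstr(s: str) -> bytes:           # GeneralString, tag 0x1B
    return tlv(0x1B, s.encode("ascii"))

def ctx(n: int, body: bytes) -> bytes:   # [n] EXPLICIT context tag (constructed)
    return tlv(0xA0 | n, body)

def seq(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))

def principal(name_type: int, *parts: str) -> bytes:
    """PrincipalName ::= SEQUENCE { name-type [0] INTEGER, name-string [1] SEQUENCE OF GeneralString }"""
    return seq(ctx(0, der_int(name_type)), ctx(1, seq(*(der_gstr(p) for p in parts))))

def build_as_req(user: str, realm: str) -> bytes:
    """Constructed AS-REQ (APPLICATION 10) carrying the given cname and realm."""
    body = seq(
        ctx(0, tlv(0x03, b"\x00\x40\x80\x00\x00")),  # kdc-options BIT STRING (sample flags)
        ctx(1, principal(1, user)),                   # cname, NT-PRINCIPAL
        ctx(2, der_gstr(realm)),                      # realm
        ctx(3, principal(2, "krbtgt", realm)),        # sname, NT-SRV-INST
        ctx(5, tlv(0x18, b"20370913024805Z")),        # till, GeneralizedTime
        ctx(7, der_int(0x1A2B3C4D)),                  # nonce (sample value)
        ctx(8, seq(der_int(18))),                     # etype: aes256-cts-hmac-sha1-96
    )
    return tlv(0x6A, seq(ctx(1, der_int(5)), ctx(2, der_int(10)), ctx(4, body)))

# --- decoder: the part a snooping switch actually needs ----------------------

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                                   # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln

def children(buf: bytes):
    """Iterate over the TLVs directly inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        yield tag, val

def field(buf: bytes, n: int) -> bytes:
    """Content of context tag [n] inside a SEQUENCE body (KeyError if absent)."""
    for tag, val in children(buf):
        if tag == 0xA0 | n:
            return val
    raise KeyError(n)

def parse_principal(buf: bytes):
    """PrincipalName TLV -> (name-type, [name parts])."""
    _, body, _ = read_tlv(buf)                      # unwrap the SEQUENCE
    _, ntype, _ = read_tlv(field(body, 0))          # [0] INTEGER name-type
    _, parts, _ = read_tlv(field(body, 1))          # [1] SEQUENCE OF GeneralString
    return int.from_bytes(ntype, "big"), [v.decode("ascii") for _, v in children(parts)]

def snoop_as_req(pkt: bytes):
    """Return (username, realm) from an AS-REQ, or None if pkt is not an AS-REQ."""
    tag, msg, _ = read_tlv(pkt)
    if tag != 0x6A:                                 # APPLICATION 10 = AS-REQ
        return None
    _, fields, _ = read_tlv(msg)                    # KDC-REQ SEQUENCE
    _, msg_type, _ = read_tlv(field(fields, 2))     # [2] msg-type must be 10
    if int.from_bytes(msg_type, "big") != 10:
        return None
    _, body, _ = read_tlv(field(fields, 4))         # [4] KDC-REQ-BODY
    _, parts = parse_principal(field(body, 1))      # [1] cname
    _, realm, _ = read_tlv(field(body, 2))          # [2] realm
    return "/".join(parts), realm.decode("ascii")

SAMPLE_AS_REQ = build_as_req("john.smith", "CORP.EXAMPLE")   # constructed sample

if __name__ == "__main__":
    print(snoop_as_req(SAMPLE_AS_REQ))   # ('john.smith', 'CORP.EXAMPLE')
```

Two practical notes. Over TCP the KDC-REQ is preceded by a 4-byte length prefix that must be stripped first; over UDP the datagram payload starts at the APPLICATION tag. More importantly, the cname in an AS-REQ is just a claim by the sender, which is why step 4 of the slide grants access only on the AD server's success response: a snooping implementation has to pair the request with the matching AS-REP (same nonce, same cname) before it binds the user name to the port.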
Provisioning: Utilizing Existing Data Stores…
“if” user matches a defined attribute value … “then” place user into a defined ROLE
Wired, LDAP Attributes: Employee/User ID, Title, Department, Company, City, State, Country
Wireless, RADIUS Attributes (Calling Station):
• Location: The zone the client is located in
• ESSID: The ESSID the client is associated with
• Group: The Group assigned by AAA
• MAC: The MAC address of the device
• Authentication: Authentication used
• Encryption: Encryption used
• ….

Provisioning: Location-based Access Control
• Locate users/devices and enforce policies based on their current location
• Define/configure multiple GeoFencing zones
  • Site dimensions, zones and Access Point locations
• Physical security without impacting mobility
Example site (Warehouse Area, Office Area, Conference Room, Outdoors):
  Employee Indoor:           Group: Corp    State: Compliant  Auth: Any  Encp: Any  Location: Indoor    Policy: Intranet Access
  Visitor - Conference Room: Group: Public  Device: Any  State: Compliant  Auth: Any  Encp: Any  Location: Indoor   Policy: Internet Only
  Visitor Outdoors:          Group: Public  Device: Any  State: Compliant  Auth: Any  Encp: Any  Location: Outdoor  Policy: Remote Access
  Employee Outdoor:          Group: Corp    State: Compliant  Auth: Any  Encp: Any  Location: Outdoors  Policy: Access Denied
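The three provisioning slides above describe one mechanism: attribute rules ("if the user matches a defined attribute value, then place the user into a defined role"), a parent/child role tree in which a child inherits the parent's policies, and a location zone that can change the outcome. The Python below is an added example, not Extreme Networks code; it implements that mechanism end to end and reproduces the access table (Unauthenticated / Contractor / Employee) and the Employee Outdoor "Access Denied" zone from the slides. The attribute names, rule order, role tree and sample users are constructed for illustration.

```python
"""Role derivation with policy inheritance and a location override.

Added example, not Extreme Networks code. Attribute names (Company, Department,
Title, Group, Location), the rules and the sample users are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RESOURCES = ("Internet", "Intranet", "Mail", "CRM/Database")

@dataclass
class Role:
    name: str
    parent: Optional[str] = None
    policies: Dict[str, bool] = field(default_factory=dict)   # resource -> permitted?

# Role tree. A child inherits every policy of its parent and may override
# individual entries; the root carries the least-privileged defaults, so a
# user that matches nothing can never end up with more than Internet access.
ROLES: Dict[str, Role] = {
    "Unauthenticated": Role("Unauthenticated", None,
        {"Internet": True, "Intranet": False, "Mail": False, "CRM/Database": False}),
    "Contractor": Role("Contractor", "Unauthenticated", {"Intranet": True}),
    "Employee": Role("Employee", "Contractor", {"Mail": True, "CRM/Database": True}),
    # Location-derived child role: an employee seen in the outdoor zone is denied.
    "Employee-Outdoor": Role("Employee-Outdoor", "Employee", {res: False for res in RESOURCES}),
}

def effective_policies(role_name: str) -> Dict[str, bool]:
    """Merge policies root-first along the parent chain so the child's overrides win."""
    chain: List[Role] = []
    role: Optional[Role] = ROLES[role_name]
    while role is not None:
        chain.append(role)
        role = ROLES[role.parent] if role.parent else None
    merged: Dict[str, bool] = {}
    for r in reversed(chain):
        merged.update(r.policies)
    return merged

# "if" the user matches a defined attribute value ... "then" place the user in a ROLE.
# Conditions inside a rule are ANDed; rules are tried in order and the first match
# wins, so the more restrictive location rule is listed before the generic one.
RULES: List[Tuple[Dict[str, str], str]] = [
    ({"Group": "Corp", "Location": "Outdoor"}, "Employee-Outdoor"),   # RADIUS zone attributes
    ({"Company": "IBM", "Department": "Employee"}, "Employee"),       # LDAP attributes
    ({"Company": "IBM", "Title": "Contractor"}, "Contractor"),
]

def matches(conditions: Dict[str, str], attrs: Dict[str, str]) -> bool:
    """'Any' matches any present value; a missing attribute never matches."""
    return all(
        (want == "Any" and key in attrs) or attrs.get(key) == want
        for key, want in conditions.items()
    )

def derive_role(attrs: Dict[str, str]) -> str:
    """First matching rule wins; no directory match leaves the user Unauthenticated."""
    for conditions, role in RULES:
        if matches(conditions, attrs):
            return role
    return "Unauthenticated"

def access_decision(attrs: Dict[str, str]) -> Tuple[str, Dict[str, bool]]:
    """(role, {resource: permitted}) for a user described by its attributes."""
    role = derive_role(attrs)
    policies = effective_policies(role)
    return role, {res: policies.get(res, False) for res in RESOURCES}

# Constructed sample users, with attributes as an LDAP/RADIUS lookup would return them.
USERS = {
    "John_Smith":  {"Company": "IBM", "Department": "Employee", "Group": "Corp", "Location": "Indoor"},
    "Alice_Jones": {"Company": "IBM", "Title": "Contractor", "Group": "Public", "Location": "Indoor"},
    "Bob":         {},   # no authentication match
    "John_Smith (outdoor zone)": {"Company": "IBM", "Department": "Employee",
                                  "Group": "Corp", "Location": "Outdoor"},
}

if __name__ == "__main__":
    for user, attrs in USERS.items():
        role, perms = access_decision(attrs)
        permitted = [res for res, ok in perms.items() if ok] or ["nothing"]
        print(f"{user:26} role={role:17} permit={', '.join(permitted)}")
```

Two design points worth keeping when building rules of this kind: a missing attribute must never satisfy a condition (an unauthenticated host has no LDAP attributes at all, and must fall to the root role), and location or zone overrides belong in child roles underneath the identity role, so that a zone can only remove access the identity already granted rather than add to it.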
Identity Manager: Addressing Needs Today
Needs: Onboarding Users Securely; Onboarding IT Assets Securely; Rich Visibility of User/Device Identity, and their Location; Provisioning of users and devices with Roles, based on their profiles
Availability by solution (Extreme Switching Solution, Wired Ethernet / Extreme Wireless Solution, Wireless Ethernet):
  Onboarding Users: 802.1X, Web Portal                      ✔ Available today   ✔ Available today
  Onboarding Users: Windows Active Directory                ✔ Available today   ✭ Summer 2012 (802.1X and WPA PSK more common authentication on Wireless)
  Onboarding IT Assets: LLDP Attributes                     ✔ Available today   N/A (Critical IT Assets are Wired Connections)
  Onboarding IT Assets: MAC OUI                             ✔ Available today   N/A
  Role-based Provisioning: LDAP Profile of Users and Devices  ✔ Available today   ✔ Available today

Onboarding Users and their BYOD
• ExtremeXOS switches and Summit WM will have the ability to provide OS fingerprinting of the connected device
  • Wired or Wireless!
  • Utilize DHCP Fingerprinting and/or HTTP User Agent
• Allows for enhancements to Role-based Policies that now include Device/OS type as an attribute. For example:
  If User Identity or User Attribute equals   …and if Device Class Type equals   …then place User and Device in Role
  Department = Sales                          iPhone                             Mobile Sales Role
  Department = Sales                          Windows PC                         Corporate Sales Role
  Location = Student Dorm                     Game Console                       Game Console Role
  …and dynamically apply the following policies:
  Mobile Sales Role:     • Permit Sales Server • Deny Finance Servers
  Corporate Sales Role:  • Permit Sales Server • Permit Finance Server
  Game Console Role:     • Deny Corporate Resources • Rate limit traffic 10%

Network Visibility of Users and Devices
Turning bits and bytes of information into “rich content” (users, devices, and their location) and achieving automatic provisioning with Role-based Policies
  Username          IP          MAC                Computer Name  Role        VLAN  Switch Port #  Switch Location
  John_Smith        10.1.1.101  00:00:00:00:00:01  John’s_Laptop  Employee    1     24             Wiring closet, building 2
  Alice_Jones       10.1.1.200  00:00:00:00:00:02  Science_PC     Contractor  1     1              3rd floor, building 3
  Cisco VoIP Phone  10.1.2.100  00:00:00:00:00:03  n/a            Voice       10    2              3rd floor, building 4
  Dell iSCSI_Array  10.3.1.111  00:00:22:00:00:10  n/a            Storage     20    8              Data Center
  <unknown>         10.1.1.50   00:00:00:00:00:50  n/a            Guest       1     1              Media building

Centralized Reporting is Critical
• Top 10 Dashboard
• Detail User Views

Identity and Role-based Solutions: Open Standards Architecture
• Extreme Switching Infrastructure
• ExtremeXOS Software Modules: Identity, Role-based Mgmt, Embedded Security (e.g. DoS, IP Spoof, ARP, etc..)
• Ridgeline: Reporting, Network and Services Mgr, Partner Device Mgmt
• 3rd party interface (XML, SNMP, etc…): Application Monitoring, RADIUS, AD/LDAP, DLP, VPN, IPS, UTM, SIEM, Wireless Convergence, Firewall
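The BYOD slide above relies on DHCP fingerprinting: the parameter request list (option 55) and vendor class identifier (option 60) a client puts in its DHCPDISCOVER are characteristic of its operating system, so a switch that sees the Discover can attach a device class to the MAC address before any user logs in, and that class then becomes one more attribute in the role rules. The following Python is an added example, not Extreme Networks code. It parses the BOOTP header and DHCP options of a Discover, looks the option 55 list up in a fingerprint table, and combines the result with a user attribute to pick one of the three roles on the slide. The fingerprint table and the three sample frames are constructed for illustration and are not a real OS fingerprint database.

```python
"""DHCP fingerprinting for device-class derivation.

Added example, not Extreme Networks code. FINGERPRINTS holds constructed,
illustrative parameter-request lists; a deployment would use a maintained
fingerprint database instead.
"""
import struct
from typing import Dict, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"

# Constructed fingerprint table: exact option-55 list -> device class (illustrative only).
FINGERPRINTS: Dict[Tuple[int, ...], str] = {
    (1, 3, 6, 15, 119, 252): "iPhone",
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252): "Windows PC",
    (1, 3, 6, 12, 15, 28, 42): "Game Console",
}

def parse_dhcp_options(pkt: bytes) -> Dict[int, bytes]:
    """Return {option_code: raw_value} from a BOOTP/DHCP packet; ValueError if malformed."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, pos = {}, 240
    while pos < len(pkt):
        code = pkt[pos]
        if code == 0:                      # pad
            pos += 1
            continue
        if code == 255:                    # end
            break
        if pos + 1 >= len(pkt):
            raise ValueError("truncated option header")
        length = pkt[pos + 1]
        value = pkt[pos + 2:pos + 2 + length]
        if len(value) != length:           # never trust the length byte blindly
            raise ValueError("truncated option value")
        opts[code] = value
        pos += 2 + length
    return opts

def device_identity(pkt: bytes) -> Dict[str, str]:
    """The identity-table columns a switch can fill in from a single Discover."""
    hlen = pkt[2]
    opts = parse_dhcp_options(pkt)
    return {
        "mac": ":".join(f"{b:02x}" for b in pkt[28:28 + hlen]),          # chaddr
        "hostname": opts.get(12, b"").decode("ascii", "replace") or "n/a",
        "vendor_class": opts.get(60, b"").decode("ascii", "replace"),
        "device_class": FINGERPRINTS.get(tuple(opts.get(55, b"")), "Unknown"),
    }

def device_role(user_attrs: Dict[str, str], device_class: str) -> str:
    """The slide's example: user attribute AND device class -> role."""
    if user_attrs.get("Department") == "Sales" and device_class == "iPhone":
        return "Mobile Sales Role"
    if user_attrs.get("Department") == "Sales" and device_class == "Windows PC":
        return "Corporate Sales Role"
    if user_attrs.get("Location") == "Student Dorm" and device_class == "Game Console":
        return "Game Console Role"
    return "Unauthenticated"

def build_discover(mac: bytes, hostname: str, prl: Tuple[int, ...], vendor: str = "") -> bytes:
    """Construct a minimal DHCPDISCOVER carrying the given fingerprint fields."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, 0x3903F326, 0, 0x8000,      # BOOTREQUEST, Ethernet, sample xid
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([53, 1, 1])                                   # DHCP message type: Discover
    if hostname:
        options += bytes([12, len(hostname)]) + hostname.encode()  # host name
    options += bytes([55, len(prl)]) + bytes(prl)                  # parameter request list
    if vendor:
        options += bytes([60, len(vendor)]) + vendor.encode()      # vendor class identifier
    return header + MAGIC_COOKIE + options + b"\xff"

# Constructed sample frames, one per device class on the slide.
SAMPLES = {
    "iphone":  build_discover(b"\x00\x00\x00\x00\x00\x01", "Johns-iPhone", (1, 3, 6, 15, 119, 252)),
    "windows": build_discover(b"\x00\x00\x00\x00\x00\x02", "SALES-PC-07",
                              (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252), "MSFT 5.0"),
    "console": build_discover(b"\x00\x00\x00\x00\x00\x03", "", (1, 3, 6, 12, 15, 28, 42)),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        ident = device_identity(frame)
        print(name, ident, device_role({"Department": "Sales"}, ident["device_class"]))
```

Because option 55 and option 60 are chosen by the client, a device class derived this way is a hint, not an authenticated fact: it is safe to use it to narrow a role (a Sales user on an unrecognised device gets the more restricted role, as the last return in device_role does) but not to grant access the user's own identity would not have earned.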
Extreme Networks Product Portfolio
Switching (10/100M, 1G, 10G, 40G; 1/10/40G and 10/40/100G; Fixed and Modular; SummitStack™): Summit X150, Summit X250e, Summit X350, Summit X440, Summit X450a, Summit X450e, Summit X460, Summit X480, Summit X650, Summit X670, VIM3-40G4X, BlackDiamond® 8800 with C-Series Modules, BlackDiamond 8800 with 8500-Series Modules, BlackDiamond 8800 with 8900-Series Modules, 8900-40G6X-Xm, BlackDiamond X Series, E4G 200/400 (only the 400 model stacks), ReachNXT™, EAS
Wireless: Summit® WM3000 Series, Controller w/ AP, Single-Radio AP, Adaptive AP, Wallplate AP, Motorola ADSP
Network Management: Ridgeline™

Summit® X440 Products: The Intelligent Edge
• Summit® X440-8t
• Summit X440-8p
• Summit X440-24t
• Summit X440-24p
• Summit X440-48t
• Summit X440-48p
• Summit X440-24t-10G
• Summit X440-24p-10G
• Summit X440-48t-10G
• Summit X440-48p-10G
• Summit X440-L2-24t*
• Summit X440-L2-48t*
*Future availability

In Summary: A more intelligent switch fabric
Today’s Network: Layer 1: Physical, Layer 2: Data Link, Layer 3: Network, Layer 4: Transport
Extreme Networks adds Layer 7: Application awareness: User, Device, Location, and Presence; Application Awareness (Virtualization, VM mobility), User Awareness, Device Awareness, etc…

Extreme Networks
Thank You