Extreme Networks Identity Manager
User, Device, Location, and Presence
Timo Lonka, Country Manager
© 2011 Extreme Networks, Inc. All rights reserved.
User and Traffic Profiles Have Changed
More users with different
roles...
Who are you?
More devices with unique
requirements...
What are you?
More applications generating
demanding traffic...
Is it a threat or is it okay?
Employee vs. Contractor vs. Guest
Managed or unmanaged device
More resources with different
security demands...
Page 2
Increased risk of data in motion
Are you supposed to be here?
Pressure of internal/external
regulatory compliance …
© 2011 Extreme Networks, Inc. All rights reserved.
Day-to-Day Pain Points
• 80% of IT resources are spent being reactive to network
and help desk calls
• Too many help desk calls related to network configuration
• More calls means more support personnel
• Network adds moves and changes are labor intensive and costly
– may require reconfiguration at times
• Need for troubleshooting is high as it relates to user issues
• Need to reduce network down time as it relates to configuration
• Need a dynamic way of dealing with application performance
• E.g. bandwidth allocation to higher bandwidth applications
• Network configuration is manual and laborious
• Compliance becomes complicated
• E.g. keeping non-accounting people out of the accounts servers etc.
3
© 2011 Extreme Networks, Inc. All rights reserved.
Extreme Networks enables IT organizations to…
Proactively Manage Business Operations
Static
Dynamic
Limited visibility of User, Device,
Location, and Presence
Awareness of User, Device,
Location, and Presence
Network provisioning and
monitoring based on:
Network provisioning and
monitoring based on:
• IP Address
• User Identity, Device Identity
• TCP/UDP Port Information
• Virtual Machine Identity
• Static ACLs
• Role-based Access, Dynamic ACLs
Manual Configuration
Automated Configuration
Reactive
Management
Proactive
Management
Enabling the Move from a Static Network to a Dynamic Network (Identity-Aware)
4
© 2011 Extreme Networks, Inc. All rights reserved.
Traditional IdAM
Identity and Access Management (IdAM) provisioning at the
application (i.e. resource) level
Intellectual
property
data
IP Manager: John
Customer
data
Sales: Alice
Financial
resource
systems
Finance: Bob
User Community
Network Infrastructure
© 2011 Extreme Networks, Inc. All rights reserved.
Protected
Application
Application
/ Data
/ Data
Center
Center
Page 5
Extreme Networks Identity Manager
Identity and Access Management (IdAM) provisioning at the
network and application level with Extreme Networks
Intellectual
property
data
IP Manager: John
 Increased Network Availability
• Eliminate “noise” traffic and malicious
activity within the infrastructure
 Network and data access provisioned
based on roles and identity
Customer
data
Sales: Alice
 Audit network activity per user
Financial
resource
systems
Finance: Bob
User Community
Protected
Network
Network
Infrastructure
Infrastructure
© 2011 Extreme Networks, Inc. All rights reserved.
Protected Application / Data Center
Page 6
Identity and Network Authentication
Network authentication methods today…
• Netlogin 802.1X Login ID
• Netlogin Web-based ID
• Netlogin MAC-radius
What’s Needed:

Non-Intrusive, Transparent Authentication
• Windows Domain Login
• Kerberos Snooping


Tying authentication and identity to roles and dynamic policies
Tracking of endpoints based on:
• User
• Device
• LLDP-based device identification (e.g. VoIP Phone, Printers, etc…)
• Computer Name
• Location, location, location!
© 2011 Extreme Networks, Inc. All rights reserved.
Page 7
Transparent Authentication with Kerberos
Username
IP
MAC
Computer
Name
VLAN
Location
Switch Port #
John_Smith
10.1.1.101
00:00:00:00:01
Laptop_1011
1
24
User and Device Awareness through Transparent Authentication
» No software agents required – utilize existing authentication methods
» Do not need to retrain users on logging on to the network
Internet
Intranet
1
User logs into the Active
Directory domain with
username and password
Mail
Servers
Active Directory Server
RADIUS Server
2
Extreme “snoops” the
Kerberos login by capturing
the username
3
Active Directory validates and
approves user credentials and
responds to host
Page 8
Success
LDAP Server
CRM
Database
4
Extreme grants network access based
on AD server response
© 2011 Extreme Networks, Inc. All rights reserved.
Awareness Enables … Role-based Access
Role Derivation
» Users are assigned to a “role” based on their attributes
(e.g. job function, location, etc…)
» Users then inherit network policies within the roles to
control access to network resources regardless location
Role
Internet
Intranet
Mail
CRM/Database
VLAN
Unauthenticated
Yes
No
No
No
Default
Contractor
Yes
Yes
No
No
Default
Employee
Yes
Yes
Yes
Yes
Default
Internet
User: John
Role: Employee
Resource Access = Permit All
No Authentication
Match =
Match
Detected
Company
Department
Who
is ==
Unauthenticated
IBM
Employee
John?
Role
Alice?
Intranet
Mail
Servers
User: Alice
Role: Contractor
Resource Access = Deny Mail and CRM
Active Directory Server
RADIUS Server
LDAP
Response
LDAP Server
Data
Center
User: Bob
Role: Unauthenticated
Resource Access = Internet Only
Page 9
© 2011 Extreme Networks, Inc. All rights reserved.
Awareness Enables … Role-based Access
Role Derivation
» Users are assigned to a “role” based on their attributes
(e.g. job function, location, etc…)
» Users then inherit network policies within the roles to
control access to network resources regardless location
Role
Internet
Intranet
Mail
CRM/Database
VLAN
Unauthenticated
Yes
No
No
No
Default
Contractor
Yes
Yes
No
No
Default
Employee
Yes
Yes
Yes
Yes
Default
Match
Group =
Query
Employee
User: John
Role: Employee
Resource Access = Permit All
Internet
Summit WM3000
Intranet
Mail
Servers
Role-based access regardless
of location, wired, or wireless!
Not dependent on VLANs!
Page
10
Active Directory Server
RADIUS Server
Response
LDAP Server
© 2011
Extreme
Networks,
Inc. All
rights reserved.
For Internal Use
Only.
Extreme
Networks
Confidential
and Proprietary.
Not to be distributed outside of Extreme Networks, Inc.
Data
Center
Child and Parent Role Relationship
User gets placed into a defined role, which will then “dynamically” inherit a
set of policies configured for each specific role
Faculty Role
Contains Policy 1, 2, 3
English Role
Student Role
Visitor Role
Contains Policy 4, 5
Engineering
Role
Contains Policy 6, 7
Mathematics
Role
Contains Policy 8, 9, 10
Contains Policy 11, 12, 13
Contains Policy 14, 15
© 2011
Extreme
Networks,
Inc. All
rights reserved.
For Internal Use
Only.
Extreme
Networks
Confidential
and Proprietary.
Not to be distributed outside of Extreme Networks, Inc.
Page 11
Provisioning: Utilizing Existing Data Stores…
“if ” user matches a defined attribute value …
Wireless
Wired
LDAP Attributes
Employee/User ID
Title
Department
Company
City
State
Country
RADIUS
Attributes
Calling Station
•
Location: The zone the client is located
•
ESSID: The ESSID the client is associated
•
Group: The Group assigned by AAA
•
MAC: The MAC address of the device
•
Authentication: Authentication used
•
Encryption: Encryption used
…. “then” place user into a defined ROLE
© 2011 Extreme Networks, Inc. All rights reserved.
Page 12
Provisioning: Location-based Access Control
• Locate users/devices and
enforce policies based on it’s
current location
• Define/configure multiple
GeoFencing zones
• Site dimensions, zones and Access
Point locations
Employee Indoor
Group: Corp
State: Compliant
Auth: Any
Encp: Any
Location: Indoor
Policy: Intranet Access
Warehouse Area
Office Area
• Physical security without
impacting mobility
Visitor - Conference
Room
Conference
Room
Group: Public
Device: Any
State: Compliant
Auth: Any
Encp: Any
Location: Indoor
Policy: Internet Only
Visitor Outdoors
Employee
Outdoor
Group: Public
Group: Corp
Device: Any
State: Compliant
State: Compliant
Auth: Any
Auth: Any
Encp: Any
Encp: Any
Location: Outdoor
Location: Outdoors
Policy: Remote Access
Policy: Access Denied
© 2011 Extreme Networks, Inc. All rights reserved.
Page 13
Identity Manager: Addressing Needs Today
 Onboarding Users Securely
 Onboarding IT Assets Securely
 Rich Visibility of User/Device Identity, and their Location
 Provisioning of users and devices with Roles, based on
their profiles
Onboarding Users
802.1X, Web
Portal
Extreme
Switching
Solution
Extreme
Wireless
Solution
14
✔
Available today
✔
Available today
Onboarding
Users
Windows Active
Directory
Onboarding IT
Assets
LLDP Attributes,
Role-based
Provisioning
LDAP Profile of
Users and
Devices
✔
✔
Available today
Available today
✔
✭
Available today
Summer 2012
MAC OUI
✔
✔ Wired Ethernet
Available today
Available today
N/A
N/A
802.1X and WPA PSK
more common
authentication on
Wireless.
Critical IT Assets are
Wired Connections
Wireless Ethernet
© 2011 Extreme Networks, Inc. All rights reserved.
Onboarding Users and their BYOD
• ExtremeXOS switches and Summit WM will have the ability to provide
OS fingerprinting of the connected device
• Wired or Wireless!
• Utilize DHCP Fingerprinting and/or HTTP User Agent
• Allows for enhancements to Role-based Policies that now include
Device/OS type as an attribute. For example:
…then place User and
Device in Role:
If User Identity, or
User Attribute
Equals
Department = Sales
Location = Student
Dorm
Mobile Sales Role
…and if Device
Class Type Equals
Corporate Sales Role
Game Console Role
iPhone
Windows PC
Game Console
15
© 2011 Extreme Networks, Inc. All rights reserved.
…and dynamically
apply the following
policies
• Permit Sales Server
• Deny Finance Servers
• Permit Sales Server
• Permit Finance Server
• Deny Corporate
Resources
• Rate limit traffic 10%
Network Visibility of Users and Devices
001010100010101101010
User and
Device
Identity
010101010101010010010
Username
Device Identity
IP
MAC
Computer
Name
Role
VLAN
Location
Switch Port
#
Location
Switch Location
John_Smith
10.1.1.101
00:00:00:00:00:01
John’s_Laptop
Employee
1
24
Wiring closet, building 2
Alice_Jones
10.1.1.200
00:00:00:00:00:02
Science_PC
Contractor
1
1
3rd floor, building 3
Cisco VoIP
Phone
10.1.2.100
00:00:00:00:00:03
n/a
Voice
10
2
3rd floor, building 4
Dell iSCSI_Array
10.3.1.111
00:00:22:00:00:10
n/a
Storage
20
8
Data Center
<unknown>
10.1.1.50
00:00:00:00:00:50
n/a
Guest
1
1
Media building
Turning bits and bytes of information into “rich content” (users,
devices, and their location) and achieving automatic provisioning
with Role-based Policies
© 2011 Extreme Networks, Inc. All rights reserved.
Page 16
Centralized Reporting is Critical
Top 10 Dashboard
Detail User Views
© 2011 Extreme Networks, Inc. All rights reserved.
Page 17
Application
Monitoring
RADIUS
AD/LDAP
DLP
3rd party interface
(XML, SNMP,
etc…)
VPN
IPS
Extreme XOS Software Modules
UTM
SIEM
Wireless
Convergence
Firewall
Identity and
Role-based
Solutions
Role-based
Mgmt
Ridgeline
Identity
Reporting
Embedded
Security
(e.g. DoS,
IP Spoof,
ARP, etc..)
Partner
Device
Mgmt
Network and Services Mgr
Open Standards Architecture
Extreme Switching Infrastructure
© 2011 Extreme Networks, Inc. All rights reserved.
Page 18
Extreme Networks Product Portfolio
Summit X480
BlackDiamond® 8800
with 8900-Series
Modules
Network
Management
E4G 200/400
Only 400 model stacks
BlackDiamond X
Series
Summit X670
8900-40G6X-Xm
Ridgeline™
Summit X460
Summit X650
Motorola ADSP
Summit X450a
Wireless
Single-Radio AP
Adaptive AP
Wallplate AP
Controller w/ AP
VIM3-40G4X
Summit X450e
Summit X250e
Summit X440
Summit X150
Summit X350
BlackDiamond 8800
with 8500-Series
Modules
Summit®
WM3000Series
EAS
BlackDiamond 8800
with C-Series
Modules
ReachNXT™
10/100M
1G
10G
Fixed
19
40G
SummitStack™
© 2011 Extreme Networks, Inc. All rights reserved.
1/10/40G
10/40/100G
Modular
Summit® X440 Products
The Intelligent Edge
• Summit® X440-8t
• Summit X440-8p
• Summit X440-24t
• Summit X440-24p
• Summit X440-48t
• Summit X440-48p
• Summit X440-24t-10G
• Summit X440-24p-10G
• Summit X440-48t-10G
• Summit X440-48p-10G
• Summit X440-L2-24t*
• Summit X440-L2-48t*
*Future availability
20
© 2011 Extreme Networks, Inc. All rights reserved.
In Summary:
A more intelligent switch fabric: Extreme Networks
• User, Device, Location, and Presence
Layer 7: Application
Application Awareness
(Virtualization, VM
mobility), User Awareness,
Device Awareness, etc…
Layer 4: Transport
Layer 3: Network
Layer 2: Data Link
Layer 1: Physical
Today’s Network
Page
21
© 2011 Extreme Networks, Inc. All rights reserved.
Extreme Networks
Thank You
© 2011 Extreme Networks, Inc. All rights reserved.