©2013 Avaya Inc. All rights reserved
February 26-28, 2013 | Orlando, FL
Network Access
and the Acronym Soup –
NAC, MDM, SBC & SSO
Shmulik Nehama,
Identity Engines Portfolio Leader
Avaya
@shmulik247
#AvayaATF
©2013 Avaya Inc. All rights reserved
February 26-28, 2013 | Orlando, FL
Agenda
•
•
•
•
•
•
The Acronym Soup
Network Access Control
Mobile Device Management
Session Border Control
Single Sign On
Resources
©2013 Avaya Inc. All rights reserved
3
February 26-28, 2013 | Orlando, FL
The Acronym Soup
NAC
MDM
SBC
SSO
Network Access
Control
Mobile Device
Management
Session Border
Control
Single Sign On
Authenticates &
authorizes network
access of users and any
network attached device
(IP phones, medical
devices, user devices,
printers etc.).
MDM manages mobile
devices in the context of
which applications
should / should not be
on user handheld
devices, password
management, patch and
software management.
Provides network
security for SIP-based
applications without the
need for a VPN client on
the accessing device.
Single Sign On (SSO) is an
area of access control
that enables users to
login once and/or with
same enterprise
credentials and gain
access to applications
without being prompted
to login again at each of
them and/or without the
need to maintain
different set of
credentials.
Dynamically provisions
the network to contain
the access of users and
the network attached
devices
MDM manages mobile
device data and apps but
NOT control / provisions
the network for access
Controls access of UC
applications (NOT
network access of users /
devices)
Avaya Solution
Avaya Solution
Avaya Solution
Avaya Solution
Avaya Identity Engines
DevConnect
(MobileIron)
Avaya Session
Border Controller
Avaya Identity Engines
©2013 Avaya Inc. All rights reserved
4
February 26-28, 2013 | Orlando, FL
The Acronym Soup
NAC
MDM
SBC
SSO
Network Access
Control
Mobile Device
Management
Session Border
Control
Single Sign On
Authenticates &
authorizes network
access of users and any
network attached device
(IP phones, medical
devices, user devices,
printers etc.).
MDM manages mobile
devices in the context of
which applications
should / should not be
on user handheld
devices, password
management, patch and
software management.
Provides network
security for SIP-based
applications without the
need for a VPN client on
the accessing device.
Single Sign On (SSO) is an
area of access control
that enables users to
login once and/or with
same enterprise
credentials and gain
access to applications
without being prompted
to login again at each of
them and/or without the
need to maintain
different set of
credentials.
Dynamically provisions
the network to contain
the access of users and
the network attached
devices
MDM manages mobile
device data and apps but
NOT control / provisions
the network for access
Controls access of UC
applications (NOT
network access of users /
devices)
Avaya Solution
Avaya Solution
Avaya Solution
Avaya Solution
Avaya Identity Engines
DevConnect
(MobileIron)
Avaya Session
Border Controller
Avaya Identity Engines
©2013 Avaya Inc. All rights reserved
5
February 26-28, 2013 | Orlando, FL
Agenda
•
•
•
•
•
•
The Acronym Soup
Network Access Control
Mobile Device Management
Session Border Control
Single Sign On
Resources
©2013 Avaya Inc. All rights reserved
6
February 26-28, 2013 | Orlando, FL
What is it?
• Network Access with policies, controls
and provisions access to a network
– Including pre-admission endpoint security
policy checks and post-admission controls
over where users and devices can go on a
network and what they can do
• Role-based Access is where access to
the network is given according to profile
of the person and the results of a
posture / health check.
– e.g. in an enterprise, the HR dept could
access only HR dept files if both the role &
endpoint meets anti-virus being up-to-date.
©2013 Avaya Inc. All rights reserved
7
February 26-28, 2013 | Orlando, FL
Enterprise Network w/Multiple Policy
Enforcement Locations
• Multiple repositories of
identity information
• Multiple locations of
enforcement points
• Challenges with in providing
access to
• Guest Access
• Contractors Access
• Challenges in implementing
consistent access behavior
across the network
• Challenges with mergers
and acquisitions
©2013 Avaya Inc. All rights reserved
Enterprise Network with Multiple Constituents
and Policy-Enforcement Locations
8
February 26-28, 2013 | Orlando, FL
Enterprise Network w/Centralized
Identity and Policy Services
• It is principally the variety of
enforcement devices that
was not foreseen
• Centralization of both
identity and policy
information in a single
location
• Simplification
• Consistency
• Self-service Guest Access
with IT Hands-off
• Contractor Access
Identity and Policy Service in the
Enterprise Network
©2013 Avaya Inc. All rights reserved
9
February 26-28, 2013 | Orlando, FL
Why is it important?
1. Define roles
• Granular Control
• Network operators define
policies, such as roles of users
and the allowed network areas
to access and enforce them
based in switches, WLAN
Controllers etc.
• Enhanced Security
2. Define network access level
• Ability to prevent access from
end-stations that do not meet
security posture requirements
• Regulatory Compliance
• Enforce access policies based
on authenticated user identities
©2013 Avaya Inc. All rights reserved
10
February 26-28, 2013 | Orlando, FL
Network Access Features
Enterprise
Network
IP Phone
Visitor or
Business
Partner
Personal
Machine
Corporate
Desktop
Network
Printer
Network
Device
Wireless
Access Point
Surveillance
Camera
Fax
Machine
Medical
Device
Local
Server/App
Guests & Guest Devices
• It is not only about users and their devices but also about any
network attached device
• Each access port is not assigned until a user/device attempts
access.
• Once authenticated & authorized, user/device is granted
appropriate access level.
©2013 Avaya Inc. All rights reserved
11
February 26-28, 2013 | Orlando, FL
Typical Network Access Architecture
©2013 Avaya Inc. All rights reserved
Guest Access Mgmt
Posture Assessment
Reporting & Analytics
Access Portal
CASE Wizard
Identity Engines
12
Policy
Information Point
DIRECTORY ABSTRACTION LAYER
Policy
Decision Point
NETWORK ABSTRACTION LAYER
Policy
Enforcement Point
February 26-28, 2013 | Orlando, FL
Network Access Features
Basic Features
Advanced Features




 Unified Solution for wired and
wireless network access
 IT Hands-Off self-service
Guest access management
 Device Finger-printing
 BYOD On-boarding
 High Availability
Authentication & Authorization
Guest Access Management
Posture Compliance
Compliance checking for unmanaged devices e.g. BYOD
 Reporting and Analytics
 Directory Federation
©2013 Avaya Inc. All rights reserved
13
February 26-28, 2013 | Orlando, FL
SPB Network Access Automation
CAMPUS
BRANCH
UC Zone
Corporate Zone
Guest Zone
Contractor Zone
DATA CENTER
• User connects to
an edge switch
• User is placed on
a VLAN
• VLAN is mapped
to an SPB ISID
• Done!
©2013 Avaya Inc. All rights reserved
DATA CENTER
CAMPUS
BRANCH
14
February 26-28, 2013 | Orlando, FL
Multi-Host Multi-Authentication
• MHMA is a network switch capability where Identity Engines
separately authenticates and authorizes multiple clients connected to
a switch port
• Each client must complete
EAP authentication before
the port allows traffic from
the users MAC address,
only traffic from authorized
hosts is allowed
• Enables to direct multiple hosts on a single port to different VLAN’s.
Used for separating voice and data traffic on the same port
©2013 Avaya Inc. All rights reserved
15
February 26-28, 2013 | Orlando, FL
Agenda
•
•
•
•
•
•
The Acronym Soup
Network Access Control
Mobile Device Management
Session Border Control
Single Sign On
Resources
©2013 Avaya Inc. All rights reserved
16
February 26-28, 2013 | Orlando, FL
What is it?
• Mobile Device Management (MDM)
secures, monitors, manages and
supports mobile devices deployed
across mobile operators, service
providers and enterprises.
• MDM functionality typically includes
over-the-air distribution of applications,
data and configuration settings for all
types of mobile devices
• Smart-phones, tablets, mobile printers,
mobile POS devices, etc
©2013 Avaya Inc. All rights reserved
17
February 26-28, 2013 | Orlando, FL
Why is it important?
• Reduce support costs and business
risks
• Control and protect the data and
configuration settings for all mobile
devices in the network
Say YES to BYOD
• Manage devices
• IT can use MDM to manage the devices
over the air with minimal intervention in
employee schedules
• Visibility
• With mobile devices becoming
ubiquitous and applications flooding the
market, mobile monitoring is growing in
importance.
©2013 Avaya Inc. All rights reserved
18
February 26-28, 2013 | Orlando, FL
Typical MDM Solution
• Server & Client Components
• Server component
sends out management
commands to devices
• Client component runs
on device to receive and
implement commands
• Must have an agent
installed and maintained
• Constant 24x7 race after
device and OS updates
• On-premise and Cloud
(SaaS) based solutions
©2013 Avaya Inc. All rights reserved
19
February 26-28, 2013 | Orlando, FL
MDM Capabilities
Basic Features
Advanced Features
 Inventory Management &
Real Time Reporting
 Setting Passcode Policies
 Remote Lock and Full Wipe
 Remote Selective Wipe
 OTA Configuration (Email,
Wi-Fi, VPN, Certs)
 Email Access Controls
 Jail-broken / Rooted Device
Detection










©2013 Avaya Inc. All rights reserved
20
Enterprise App Catalog
App Blacklisting / Whitelisting
Secure Document Sharing
Certificate Management
Geo Location
Event-based Security and
Compliance Rules Engine
Roaming Usage
Dual Persona  separate
Personal vs. Corporate
content
Monitor access to App Store
Data encryption
February 26-28, 2013 | Orlando, FL
MDM Capabilities and the Use Cases
• Cross platform device support
• Configuration management
• Device monitoring
• License control
• Software distribution
• Inventory & asset control
MDM requirements vary depending on use case
©2013 Avaya Inc. All rights reserved
21
February 26-28, 2013 | Orlando, FL
MDM Capabilities and the Use Cases
strongly
regulated e.g.
Finance, defense
non-regulated
organizations
(e.g. retail)
small number
of mobile
users
organizations w/
very large number
of mobile users
MDM requirements vary depending on use case
©2013 Avaya Inc. All rights reserved
22
February 26-28, 2013 | Orlando, FL
MDM Capabilities and the Use Cases
data encryption, dual
persona, selective wipe
strongly
regulated e.g.
Finance, defense
non-regulated
organizations
(e.g. retail)
small number
of mobile
users
organizations w/
very large number
of mobile users
detect OS & version, installed apps,
roaming usage, content, device wipe
MDM requirements vary depending on use case
©2013 Avaya Inc. All rights reserved
23
February 26-28, 2013 | Orlando, FL
MDM Market Landscape
• 100+ vendors who claim
some level of MDM
functionality
• 20 vendors in Gartner
MDM MQ
• Non of the NAC vendors
provide true MDM
capabilities
• Requires to keep-up with
intense pace of mobile
device market updates
and innovation
©2013 Avaya Inc. All rights reserved
24
February 26-28, 2013 | Orlando, FL
Avaya’s MDM strategy
Avaya Flare & one-XC Applications on user devices
• Today
 Avaya Flare and one-XC
Applications interoperability
tested with MobileIron
• Tomorrow
 Identity Engines MDM
integration with top vendors
• Ignition Server will query
mobile device attributes from
the MDM and make attributes
part of the Access Policy
©2013 Avaya Inc. All rights reserved
25
February 26-28, 2013 | Orlando, FL
Avaya’s MDM strategy
MDM
©2013 Avaya Inc. All rights reserved
26
February 26-28, 2013 | Orlando, FL
Avaya’s MDM strategy
Identity Engines
Access Policy
MDM
©2013 Avaya Inc. All rights reserved
27
February 26-28, 2013 | Orlando, FL
Agenda
•
•
•
•
•
•
The Acronym Soup
Network Access Control
Mobile Device Management
Session Border Control
Single Sign On
Resources
©2013 Avaya Inc. All rights reserved
28
February 26-28, 2013 | Orlando, FL
What is it?
• A device or application that governs
the manner in which calls, also
called sessions, are initiated,
conducted and terminated in a VoIP
network.
• An SBC can facilitate VoIP sessions
between phone sets or proprietary
networks that use different signaling
protocols.
• An SBC can include call filtering,
bandwidth use management, firewalls
and anti-malware programs to minimize
abuse and enhance security
©2013 Avaya Inc. All rights reserved
29
February 26-28, 2013 | Orlando, FL
Why is it important?
Mobile Collaboration Security Threats
• Denial of Service
• Call/registration overload
• Malformed messages (fuzzing)
Enterprise Adoption
of Collaboration Tools
• Configuration errors
• Misconfigured devices
• Operator and application errors
• Theft of service
• Unauthorized users
• Unauthorized media types
• Viruses and SPIT
• Viruses via SIP messages
• Malware via IM sessions
• SPIT – unwanted traffic
Source: Nemertes Research
©2013 Avaya Inc. All rights reserved
30
February 26-28, 2013 | Orlando, FL
UC Security – Should You Care?
Credit card privacy rules: other compliance laws require security architecture
specific to VoIP and other UC.1
Increase
VoIP hacking at new
levels2
Up to
of attacks
VoIP scanning –
botnets, Cloud used
for VoIP fraud3
Reduce Deployments by
VoIP / UC security
reduces VoIP / UC
deployment time
by one third4
Yankee survey
Toll fraud: yearly enterprise losses in Billions
inadequate securing of SIP trunks, UC and VoIP applications5
©2013 Avaya Inc. All rights reserved
31
February 26-28, 2013 | Orlando, FL
OSI Model - 7 Layers of Attacks
OSI Model
Think of OSI model as a 7 foot
high jump
Data Unit
• Typical firewall protection
• Layer 3-4 protection
• Email spam filters layer 7 application
specific email firewall
• SIP, VoIP, UC layer 4 to layer 7
application
• SIP Trunking - a trunk side
application
• SIP Line (phone) side (internal
and external) access another
application
Layer
Function
7. Application
Network process to
application
6. Presentation
Data representation,
encryption and
decryption, convert
machine dependent
data to machine
independent data
5. Session
Inter-host
communication
Segments
4. Transport
End-to-end
connections
and reliability,
flow control
Packet/Datagram
3. Network
Path determination
and logical
addressing
Frame
2. Data Link
Physical addressing
Bit
1. Physical
Media, signal and
binary transmission
Data
Host
Layers
Media
Layers
Wikipedia on 22Jul2011: http://en.wikipedia.org/wiki/OSI_Model
Avaya SBCE provides a VoIP/UC trunk/line side layer 4-7 application protection
©2013 Avaya Inc. All rights reserved
32
February 26-28, 2013 | Orlando, FL
Agenda
Application Level
Security Proxy
Firewall
(Policy Application,
Threat Protection Privacy,
Access Control)
Firewall
Avaya
SBCE
Complements Existing
Security Architecture
©2013 Avaya Inc. All rights reserved
33
February 26-28, 2013 | Orlando, FL
Session Border Control Use Cases
Use Cases
SIP Trunking
Remote Worker
CS1000
Avaya SBC
for Enterprise
SIP Trunking
SIP Trunking
©2013 Avaya Inc. All rights reserved
SIP Trunking
Avaya SBC
for Enterprise
Avaya SBC
for Enterprise
SIP Trunking
34
Avaya SBC
for Enterprise
February 26-28, 2013 | Orlando, FL
SBC Use Cases – SIP Trunking
Use Case: SIP Trunking to Carrier
Carrier offering SIP trunks as lower-cost alternative to TDM
Enterprise
Internet
DMZ
SIP Trunks
Avaya
SBCE
Firewall
Firewall
IP PBX
Carrier
Carrier SIP trunks to the Avaya SBC
Avaya SBC located in the DMZ behind the Enterprise firewall
Services  security and demarcation device between the IP-PBX and the Carrier
− NAT traversal
− Securely anchors signaling and media, and can
− Normalize SIP protocol
©2013 Avaya Inc. All rights reserved
35
February 26-28, 2013 | Orlando, FL
Secure Remote Worker with BYOD
Avaya Aura
Conferencing
Aura
Messaging
Session Manager
Avaya
Presence
Server
System
Manager
Communication
Manager
Avaya
SBCE
Aura®
Personal PC, Mac or iPad devices
Avaya Flare®, Avaya one-X® SIP client app
App secured into the organization,
not the device
One number UC anywhere
©2013 Avaya Inc. All rights reserved
Untrusted Network
(Internet, Wireless, etc.)
36
February 26-28, 2013 | Orlando, FL
Secure Remote Worker with BYOD
Use Case: Remote Worker
Extend UC to SIP users remote to the Enterprise
Solution not requiring VPN for UC/CC SIP endpoints
Enterprise
Avaya
SBCE
Firewall
Firewall
IP PBX
Internet
DMZ
Remote Workers
Remote Worker are external to the Enterprise firewall
Avaya Session Border Controller for Enterprise
− Authenticate SIP-based users/clients to Aura Realm
− Securely proxy registrations and client device provisioning
− Securely manage communications without requiring a VPN
©2013 Avaya Inc. All rights reserved
37
February 26-28, 2013 | Orlando, FL
Agenda
•
•
•
•
•
•
The Acronym Soup
Network Access Control
Mobile Device Management
Session Border Control
Single Sign On
Resources
©2013 Avaya Inc. All rights reserved
38
February 26-28, 2013 | Orlando, FL
What is it?
• Single Sign On (SSO) is a property of
access control that enables users to
login with one set of enterprise
credentials and gain access to
systems without being prompted for
different credentials or login again.
• Maintaining one set of credentials and
reducing multiple logins.
©2013 Avaya Inc. All rights reserved
39
February 26-28, 2013 | Orlando, FL
Why is it important?
• Reduces password fatigue
from different user name
and password
combinations
• Reduces time spent reentering passwords for the
same identity
• Reduces IT costs due to
lower number of IT help
desk calls about
passwords
©2013 Avaya Inc. All rights reserved
40
February 26-28, 2013 | Orlando, FL
Single-Sign-On
Enterprise
Identity Realm
•3rd Party
Web Sites
•Salesforce
•Social
Media
•Social
Media
Web
Single-Sign-On
©2013 Avaya Inc. All rights reserved
•Enterprise
Directory
Infrastructure
41
•ERP
•HRM
Local
Single-Sign-On
•CRM
•Intranet
Applications
February 26-28, 2013 | Orlando, FL
Single-Sign-On
Current Situation
Enterprise
Identity Realm
 The enterprise and Aura realms are
separate where each app has its
own notion of user identity,
credentials and manages them
separately.
 Integration with enterprise AAA is
difficult, inconsistent and brittle
•Enterprise
Directory
Infrastructure
Aura Applications
Identity Realm
•SM
•AAC
©2013 Avaya Inc. All rights reserved
42
•CM
•PS
February 26-28, 2013 | Orlando, FL
Single-Sign-On
Customers Want
Enterprise
Identity Realm
 Users to authenticate to enterprise
AAA service
 Minimize the number of user
identities and credentials
 Minimize and standard approach to
authentication & credential mgmt
 Consistent user experience
•Enterprise
Directory
Infrastructure
Aura Applications
•SM
•AAC
©2013 Avaya Inc. All rights reserved
43
•CM
•PS
February 26-28, 2013 | Orlando, FL
Stepping Identity Engines Up
into the Applications Access
• Incorporating SAML as an
authentication protocol
•
•
Web Clients
Think Clients
• Introducing the concept of
Identity Provider for
Applications
• Introducing the concept of
Service Providers
• Focus on Aura UC
Applications
•
•
•
Flare
One-X Communicator
Avaya Aura Conferencing
©2013 Avaya Inc. All rights reserved
44
February 26-28, 2013 | Orlando, FL
Single-Sign-On
Policy Decision
VPN
Firewall
HTTP, SIP
SessionM
anager
App
Services
Voice/
Video
SAML Assertions
802.1X
Application SSO
Wired
Secure Enterprise Network
RADIUS
Identity Routing
LDAP
Access Portal
Identity Engines
Unified
Identity Provider
Federated Identity Layer
Wireless
Management and Session Provisioning
Users
Devices
Applications
Core
RADIUS
Access
Kerberos
Active Directory
Novell/Oracle
Directory
Presence
Multi-factor
Authentication
©2013 Avaya Inc. All rights reserved
45
February 26-28, 2013 | Orlando, FL
Single-Sign-On for one-X Comm.
Public Network
IDE Proxy
DMZ
Intranet Zone
1
Active Directory
4
4
Auth Req + Challenge
Credentials + AuthReq
5
SMGR
3
H.323
(incl. Adopter EMs)
Authorized + AuthResp
Get Credentials
6
7
Avaya One-X
Identity Engines
IDP
SSO/RBAC
4
Realm
Mapping
Data
IDE
4
Session
Database
Kerberos
2
Provisioning /
Management
HTTP, PAOS Get Credentials
OpenA/M
4
LDAP Sync / Flow-through Provisioning
Database &
Directory
Policy Decision
Mgmt
LDAP
CM Sync
CM
Novell/Oracle
Directory
IAM
LDAP Sync
©2013 Avaya Inc. All rights reserved
46
February 26-28, 2013 | Orlando, FL
Single-Sign-On for Flare
Public Network
IDE Proxy
DMZ
Intranet Zone
1
Active Directory
4
4
Auth Req + Challenge
Credentials + AuthReq
5
SMGR
3
SIP
(incl. Adopter EMs)
Authorized + AuthResp
Get Credentials
6
8
7
Identity Engines
IDP
SSO/RBAC
4
Realm
Mapping
Data
IDE
4
Session
Database
Kerberos
2
Provisioning /
Management
HTTP, PAOS Get Credentials
OpenA/M
4
LDAP Sync / Flow-through Provisioning
Database &
Directory
Policy Decision
Mgmt
LDAP
DRS
SM/PPM
Novell/Oracle
Directory
AAC
OPI
IAM
LDAP Sync
©2013 Avaya Inc. All rights reserved
47
February 26-28, 2013 | Orlando, FL
Agenda
•
•
•
•
•
Network Access
Mobile Device Management
Network Access Control
SIP Security
Single Sign On
• Resources
©2013 Avaya Inc. All rights reserved
48
February 26-28, 2013 | Orlando, FL
NAC
Network Access
Control
SBC
Session Border
Controller
MDM
Mobile Device
Management
SSO
Single Sign On
“Avaya is the company that is stepping in with
a true, holistic BYOD proposal that covers all
the pieces.”
Zeus Kerravala, ZK Research
©2013 Avaya Inc. All rights reserved
49
February 26-28, 2013 | Orlando, FL
Resources
• Identity Engines Product Management
• Shmulik Nehama
• snehama@avaya.com
• Session Border Controller Product Management
• Jack Rynes
• jrynes@avaya.com
• Secure BYOD YouTube Video
•
http://www.youtube.com/watch?v=0ZrMOqzGMpE
©2013 Avaya Inc. All rights reserved
50
February 26-28, 2013 | Orlando, FL
Thank you!
@shmulik247
#AvayaATF
©2013 Avaya Inc. All rights reserved
51
February 26-28, 2013 | Orlando, FL