Access Management with Aruba ClearPass
Austin Hawthorne, December 12th, 2014
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
#AirheadsConf
Agenda
• Defining Adaptive Policies
• Context Collection
• Leveraging Context in NAC Policies
• Enhancing User Experience, Operations, and Security with Context
Why Adaptive Policies?
THEN: Predictable Desk Access
NOW: Access from Anywhere
Deciphering Context for Policy Decisions
Jailbroken phone?
BYOD?
Guest?
Office?
Device type?
Firewall enabled?
Employee?
Skim milk?
Policies must adapt to conditions
Common Security Questions
• Is this a corporate device or a personal device connecting to my wireless network with my employee’s account information?
• Is this a printer or a computer connecting to my wired network without 802.1X?
• How do I keep corporate devices off the Guest SSID?
• I trust my corporate assets, but how do I check the compliance of contractor computers when they connect, and restrict contractors from using mobile devices?
Adaptive Trust: Context Collection
The Heart of an Adaptive Trust Decision
Usable Context:
• User & role
• Ownership - IT or BYOD
• Device & type
• Device assessment
• Location - Secure or open access
• Auth type - credentials or certificate
• Session rules
• Access type
• Time-of-day / Day-of-week
• App traffic & behavior
Sources of Usable Context
Device Profiling:
• Samsung SM-G900
• Android
• “Jons-Galaxy”
EMM/MDM:
• Personal owned
• Registered
• OS up-to-date
• Hansen, Jon [Sales]
• MDM enabled = true
• In-compliance = true
Identity Stores:
• Hansen, Jon [Sales]
• Title – COO
• Dept – Executive office
• City – London
Enforcement Points:
• Location – Bldg 10
• Floor – 3
• Bandwidth – 10Mbps
Adaptive Trust Identity (the combined view):
• Hansen, Jon [Sales]
• COO, Executive Office
• London
• Personal Owned
• Samsung SM-G900
• Android 4.4, Knox
• MDM enabled = true
• In-compliance = true
• At Bldg 10, floor 3
• 21:22 GMT, 21/12/14
Context Sources
• External:
  • Network Devices
  • Radius/TACACS
  • AD/LDAP
  • SAML/OAUTH2/Okta
  • Radius
  • Kerberos
  • Token Servers
  • SQL Databases
  • MDM Systems
  • Aruba Activate
  • HTTP
• Internal:
  • Endpoint DB
  • Profiling information from: DHCP, HTTP, SNMP, IOS Device Sensor, ActiveSync, OnGuard, Onboard
  • Insight DB
  • Session/State Information
  • Guest User/Device DB
  • Date/Time
  • Local User DB
Context Examples
Adaptive Trust: Leverage Context in Policy Decisions
Adaptive Policy Driven by Context
Corporate Tablet
• Authentication: EAP-TLS
• SSID: CORP-SECURE
• Access: Internet and Corporate Apps
BYOD Tablet
• Authentication: EAP-TLS
• SSID: CORP-SECURE
• Access: Internet Only
ClearPass Policy Model – AuthN vs AuthZ
ClearPass Policy Manager processing pipeline: Service Matching, then Authentication, Authorization, Role Mapping and Enforcement
Context sources consulted: AD/LDAP, Guest, Insight, Endpoint, Onboard, SQL, MDM, HTTP
Incoming request (Radius):
• Username = Bob
• Mac Address = XYZ
• SSID = Secure
• Location = Building 1
Added Context (from authorization sources):
• MDM Enrolled = True
• Device Type = iPad
• Owner = Bob
• Required Apps = True
• Active Sessions = 2
• AD Group = Exec
• Corp Asset = True
Response (Radius): Accept, Reject, or Attributes
Role-Mapping
• Role-Mapping is used to filter collected contextual data into “tags” (roles) that can be used for enforcement conditions.
• “Select All” vs “Select First” condition matching
• Careful of the “AND” / “OR” conditions
• Available Options:
  • Radius/TACACS Attributes
  • Authentication Attributes
  • Authorization Attributes (from any source)
  • Certificate Attributes
  • Endpoint Attributes
  • Date/Time Attributes
Sample Role Mapping (screenshot): rules built on Device Context, Auth Context, User Context, Cert Context, MDM Context, and Onboard Context
Enforcement Policies
• Condition based rules to determine which enforcement profile(s) to use.
• Can signal multiple actions, more on that later.
• Leverages “Roles” assigned during Role-Mapping.
• Leverages “Posture” token assigned during posture check.
• Typically a top down, “First Match” rule matching algorithm.
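As an added illustration (not ClearPass code or the deck's own material), a minimal Python model of the Role-Mapping and Enforcement Policy slides: role rules evaluated in “Select All” or “Select First” mode, then a top-down first-match enforcement policy that can signal several profiles at once. The context keys, role names and profile names are constructed; the values are those of the AuthN vs AuthZ slide.

```python
# Added illustration, not ClearPass code. Context keys, role names and
# profile names are constructed; the values mirror the AuthN vs AuthZ slide.
from typing import Callable, Dict, List, Set, Tuple
Context = Dict[str, str]

# Role-mapping rules (condition, role), evaluated top down. "Select All"
# collects every matching role; "Select First" stops at the first hit.
ROLE_MAPPING: List[Tuple[Callable[[Context], bool], str]] = [
    (lambda c: c.get("Endpoint:Corp-Asset") == "True", "Corporate-Device"),
    # AND: both MDM facts must hold; mixing AND/OR here is a common mistake
    (lambda c: c.get("MDM:Enrolled") == "True"
               and c.get("MDM:Required-Apps") == "True", "MDM-Compliant"),
    (lambda c: c.get("Authorization:AD:Group") == "Exec", "Executive"),
    (lambda c: c.get("Endpoint:Corp-Asset") != "True", "BYOD"),
]

# Enforcement policy rows (condition on roles and posture token, profiles).
# First match wins, so specific rows go before general ones and the
# catch-all row last; a row can signal several enforcement profiles.
ENFORCEMENT_POLICY: List[Tuple[Callable[[Set[str], str], bool], List[str]]] = [
    (lambda r, p: {"Corporate-Device", "Executive"} <= r and p == "HEALTHY",
     ["Exec-Full-Access", "PAN-HIP-Update"]),
    (lambda r, p: "Corporate-Device" in r and p == "HEALTHY",
     ["Corp-Full-Access"]),
    (lambda r, p: p != "HEALTHY", ["Quarantine-VLAN", "Notify-User"]),
    (lambda r, p: "BYOD" in r, ["Internet-Only"]),
    (lambda r, p: True, ["Deny-Access"]),
]

def map_roles(ctx: Context, select_all: bool = True) -> Set[str]:
    """Return the roles (tags) derived from the collected context."""
    roles: Set[str] = set()
    for condition, role in ROLE_MAPPING:
        if condition(ctx):
            roles.add(role)
            if not select_all:      # "Select First" mode
                break
    return roles

def enforce(roles: Set[str], posture: str) -> List[str]:
    """Return the enforcement profiles of the first matching policy row."""
    for condition, profiles in ENFORCEMENT_POLICY:
        if condition(roles, posture):
            return profiles
    return ["Deny-Access"]

# Bob's iPad as shown on the AuthN vs AuthZ slide (constructed keys).
BOB: Context = {"Authentication:Username": "Bob", "Endpoint:Device-Type": "iPad",
                "Endpoint:Corp-Asset": "True", "MDM:Enrolled": "True",
                "MDM:Required-Apps": "True", "Authorization:AD:Group": "Exec"}
```

Swapping the Quarantine row below the BYOD row would let an unhealthy BYOD device reach Internet-Only, which is the ordering caveat behind “First Match”.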
Sample Enforcement Policy (screenshots): one Enforcement Policy using Roles for User and Device, and one using Roles and Posture
Enforcement Profiles
• Profiles are essentially the enforcement “actions” you want to signal based on the set conditions.
• Multiple Types of Enforcement Profiles:
  • Radius
  • Radius CoA
  • SNMP
  • CLI
  • HTTP
  • Entity Update
  • OnGuard Agent
  • TACACS
Adaptive Trust: Security, Operational, and User Experience Advantages
Security Disconnect
Session context:
• Who: Bob
• Group: Faculty
• Device: Personal iPad
• Location: Room 104
• Time: 9am, Monday
• Compliance: Healthy
Network systems: VPN, AAA/NAC, DHCP/DNS, AD/LDAP, Network Applications, Ticketing System, Proxy/Filter, Network Mgmt, FW
Diagram: AAA/NAC returns “Accept, Policy = Faculty-BYOD”; every other system is marked “?”, since the decision and its context are not shared with them.
User and Operational Disconnect
Network systems: VPN, AAA/NAC, DHCP/DNS, AD/LDAP, Network Applications, Ticketing System, Proxy/Filter, Network Mgmt, FW (the diagram marks failures with “X” and unknowns with “?”)
• User can’t connect to the network
• User application access is slow or disconnects
• Where does the problem exist?
• When do you know about the problem?
• Where do you start?
Perimeter Defense
Perimeter Defense: IDS/IPS, Firewalls
Mobility Defense: Firewalls, IDS/IPS/AV Enforcement Points, EMM/MDM, Physical, Web gateways, A/V
Time for a New Perimeter Defense Model
Policy needed for a central point of control
Access Policy Management
Security and Usability Coordination
Network systems: VPN, ClearPass, DHCP/DNS, AD/LDAP, Network Applications, Ticketing System, Proxy/Filter, Network Mgmt, FW
Session context known to ClearPass:
• Who: Bob
• Group: Faculty
• Device: Personal iPad
• Location: Room 104
• Time: 9am, Monday
• Compliance: Healthy
• Mac Address: X
• IP Address: Y
• Airgroup Permissions
What if when the user connects:
- Update the FW
- Update the IPAM
- Update the Proxy
- Logon the application
- Update the WLAN
User Self Service
Network systems: VPN, ClearPass, DHCP/DNS, AD/LDAP, Network Applications, Ticketing System, Proxy/Filter, Network Mgmt, FW
Self Service:
- BYOD Portal
- Device/Guest Registration
- Device Access Management
- Auto-Remediation
- Notification Pages
Operational Integration
Network systems: VPN, ClearPass, DHCP/DNS, AD/LDAP, Network Applications, Ticketing System, Proxy/Filter, Network Mgmt, FW
- Auto Open Help Desk Ticket
- Notify User
- Integration into Network Management
Integration Options
• “Built In” Integration
  • MDM Actions
  • Palo Alto HIP Updates
  • Syslog
  • Splunk App
  • CEF/LEEF Support (Future)
  • Radius Proxy (future)
  • Inbound API
  • Web Pages: OnGuard DA, OnBoard, Device/User Registration, Notification/Warning
• “Build your own” Integration
  • ClearPass Exchange
  • REST/XML Based API
ClearPass Exchange
Mitigating Risks using 3rd Party Integration
Third-party Systems: Payment Management, Patient Check-in, Helpdesk Tickets, EMM Solutions, SIEM Systems
Integration channels: RESTful APIs, Syslog Messages, Adaptive Trust Identity
Jailbreak example:
1. Jail-broken device detected
2. ClearPass denies access to device
3. Helpdesk ticket auto generated; message to device auto generated
Enforcement Example
• Radius Action to force notification page
• Send user SMS notification
• Update Palo Alto Firewall
• Open Help Desk Ticket
• Sound the alarm!
• Send Email to security team
Dynamic Content based on Context
• Device, User, and Posture context can be pulled into actions and web pages.
• Leverages “NameSpace” variables in enforcement actions and web login pages.
NameSpaces in ClearPass
• Almost all of the “context” that is collected by ClearPass can be called up and used via dynamic “namespace” variables.
• For example:
  • %{Endpoint:Model}
  • %{Radius:Aruba:Aruba-Location-Id}
  • %{Authentication:Full-Username}
• These can be used in role mapping, enforcement profiles and policies, auth source filters/queries, etc., in place of static values.
• When used, the variable is replaced dynamically with the information pertaining to that device or user.
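An added example (not ClearPass's implementation) of resolving the namespace variables listed above against collected context: unknown variables resolve to an empty string unless strict mode flags them, and values rendered into a web page are HTML-escaped. The context values are constructed sample data.

```python
# Added illustration, not ClearPass code: resolve %{Namespace:Attribute}
# variables against collected context. The three attribute names are the
# ones on the slide; the context values are constructed sample data.
import html
import re
from typing import Dict

CONTEXT: Dict[str, str] = {
    "Endpoint:Model": "Samsung SM-G900",
    "Radius:Aruba:Aruba-Location-Id": "Bldg 10",
    "Authentication:Full-Username": "jhansen@example.com",
}

# Variable names may contain letters, digits, '_', ':' and '-'.
VARIABLE = re.compile(r"%\{([A-Za-z0-9_:-]+)\}")

def resolve(template: str, ctx: Dict[str, str],
            strict: bool = False, for_html: bool = False) -> str:
    """Substitute every %{...} in template.

    Unknown variables become "" (strict=False) or raise KeyError
    (strict=True), so a typo in a profile is caught when testing the
    policy rather than silently emitting an empty RADIUS attribute.
    With for_html=True the value is escaped, because a web login or
    notification page must not render user-supplied context (a username
    is chosen by the user) as markup."""
    def substitute(match) -> str:
        key = match.group(1)
        if key not in ctx:
            if strict:
                raise KeyError(key)
            return ""
        value = ctx[key]
        return html.escape(value) if for_html else value
    return VARIABLE.sub(substitute, template)

# A notification page using the slide's three variables.
NOTIFY_PAGE = ("Hello %{Authentication:Full-Username}, your %{Endpoint:Model} "
               "at %{Radius:Aruba:Aruba-Location-Id} requires remediation.")
```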
Conclusion
NameSpaces in ClearPass
• Context is the foundation of ClearPass
• More contextual sources than any other vendor!
• Ability to share context with more vendors than our competitors!
• Context provides for greater security, visibility, and flexibility to support the ever-changing #GenMobile environment.
• Please check out the “Secure Air” booth during your break for a demonstration of these principles in action!
Thank You