advanced wired network security using aruba clearpass ... · basic port control •authn/authz: ......

Advanced Wired Network Security Using Aruba ClearPass Policy Manager Herman Robers, EMEA Security CSE June 2019


Post on 26-Jul-2020


Advanced Wired Network Security Using Aruba ClearPass Policy Manager

Herman Robers, EMEA Security CSE

June 2019


The Status Quo

VLAN 200, QoS Policy ‘A’

VLAN 100, ACL ‘headless’

VLAN 300, ACL ‘desktop’

VLAN 400, ACL ‘guest’

2@ArubaEMEA | #ATM19EMEA


Wired “Security” Complexity

CORE NETWORK

• Add Guest VLAN
• Set Guest VLAN Policy
• Repeat for Desktop VLAN
• Repeat for Voice VLAN
• Repeat for Headless VLAN
• Extend to rest of network

Manual Moves/Add/Changes cause operational burden

Port Policy/VLAN not tied to “identity” of device/user plugging into it.

Policy applied at Firewall based on VLAN packet received on, not “identity” of user/device

Lack of visibility/control creates a “Hacker’s Paradise” for Malware to develop undetected.


The Security Dilemma

Risk Cost


Today’s Threats and Regulations Tilt The Scale

• IoT dramatically increases number of devices/vulnerabilities that can be exploited

• GDPR, PCI, and other regulations will cause significant financial impact

• Average dwell time of an APT is >100 days!

• Average mitigation time is >30 days!


Dissecting the Challenge

ACCESS NETWORK

CORE NETWORK

Step 0: What is on my network?

Step 1: Apply “best fit” dynamic control at the Edge

Step 2: Orchestrate Security and Experience

Step 3: Analyze Behaviors and React to Threats

Firewall

X


Visibility, Orchestration and Automation

Aruba 360 Secure Fabric

Experience at the Edge

Aruba Secure Infrastructure: Secure Boot | Encryption | Dynamic Segmentation

ClearPass | IntroSpect: Discovery, Authorization, and Integrated Attack Detection and Response

Aruba 360 Security Exchange

Other Infrastructure

Security Analytics


ClearPass Secure Network Access Control

• Attack Response: Event-triggered actions
• One Role, One Network: AAA and non-AAA options
• Precision Access Privileges: Identity and context-based rules
• Device Discovery and Profiling: Custom Fingerprinting

Visibility | Authorization | Enforcement | Authentication


Step 0: Visibility

Passive

• DHCP Fingerprinting

• HTTP User-Agent

• TCP Fingerprinting

• ARP

• Cisco Device Sensor

• Netflow/IPFIX

• Aruba AMON

Active

• WMI

• NMAP

• SSH

• ARP

• MAC/IF Table

• CDP/LLDP Table

• OnGuard

Exchange

• MDM/EMM

• CMDB

• Endpoint/EDR

ML/AI

• IntroSpect

• Device Insight*


TRADITIONAL PROFILING TECHNIQUES LACK DEVICE CONTEXT

GENERIC “WINDOWS” OR “LINUX” DEVICE

STATIC ATTRIBUTES

• NMAP

• SNMP

• WMI


DEEP PACKET INSPECTION (DPI)

CLEARPASS DEVICE INSIGHT: FROM GENERIC TO GRANULAR DEVICE VIEW

WINDOWS DEVICE

AXIS DEVICE

AXIS SECURITY CAMERA

AXIS Q35 NETWORK CAMERA

STATIC + BEHAVIORAL ATTRIBUTES

• APPLICATIONS
• WEB SITES
• PORTS
• PROTOCOLS

CROWDSOURCING

MACHINE LEARNING


STEP 1: AUTHORIZE AND ENFORCE

“NO INVISIBLE NETWORK CONNECTIONS”

RADIUS/SNMP

Authentication Server

AP / Controller / Switch

Use best authentication possible

Step-up authentication if available


Balancing Security with Configuration & Management


Varying Levels of Control

Basic Port Control

• AuthN/AuthZ:
  • SNMP
• Enforcement:
  • Port Based VLAN
  • SNMP/CLI

Basic Session Control

• AuthN/AuthZ:
  • MAC Authentication
  • Allow all
• Enforcement:
  • Session Based ACL, Role, VLAN
  • RADIUS

Full Visibility and Control

• AuthN/AuthZ:
  • Multi Auth: 802.1X / MAC / WebAuth
• Enforcement:
  • Session Based ACL, Role, VLAN
  • RADIUS

VLAN 100, QoS Policy ‘A’

VLAN 200, ACL ‘headless’

VLAN 300, ACL ‘desktop’

VLAN 400, ACL ‘guest’

user-role 'PRINTER'

ACL 'CORP', vlan 'SECURE'

user-role 'GUEST'

user-role 'VOIP'

Mac auth, profiling, asset DB

Mac auth, profiling, asset DB

802.1X, profiling, endpoint DB, OnGuard

Web Auth, Self Registration, Mac Auth


The Colorless Port

user-role 'PRINTER'

ACL 'CORP', vlan 'SECURE'

user-role 'GUEST'

user-role 'VOIP'

Mac auth, profiling, asset DB

Mac auth, profiling, asset DB

802.1X, profiling, endpoint DB, OnGuard

Web Auth, Self Registration, Mac Auth


Dynamic Segmentation – No More VLANs!

CORE NETWORK

NEW DEVICE

AP VOIP DEVICE QUARANTINE


Step 2: Experience/Security Orchestration

Internet of Things (IoT)

BYOD and corporate owned

REST API, Syslog

Security monitoring and threat prevention

Device management and multi-factor authentication

Helpdesk and voice/SMS service in the cloud

Multi-vendor switching

Multi-vendor WLANs

Aruba ClearPass with Exchange Ecosystem


CPPM Integration Ensures Secure Access

Internet of Things (IoT)

Multi-vendor switching

Multi-vendor WLANs

BYOD and corporate owned

3rd Party Security and Networking Vendors

ClearPass Device Insight: ENHANCED DISCOVERY / PROFILING

360 SECURE FABRIC ECOSYSTEM

Bi-Directional Data Exchange

ClearPass Policy Manager: SEGMENTATION / ENFORCEMENT


Security Orchestration in Action

Logon to Applications (SSO)

Update Firewall

Update Web Proxy / Filter

Update EMM/MDM

WHO

AD/LDAP

EMM/MDM/CDI

WHO | WHEN | WHERE | WHAT

Who: Bob

Group: Faculty

Device: Personal iPad

MDM: Airwatch

Location: Room 104

Time: 9am, Monday

Compliance: Healthy

Mac Address: X

IP Address: Y

Airgroup Permissions

Update Enforcement Device (LAN/WAN/VPN)

Adaptive Trust Identity

ClearPass

Service Chaining


Enhanced Experiences

I can’t connect, now what?

SMS/Voice with Instructions

Self-Service Pages for Onboarding/Registration/Remediation

I need information to help Bob!

Create HelpDesk ticket with required context

• Ensure user is aware of issues and support
• Provide self-service options to remediate issue
• Ensure help-desk is prepared to quickly resolve issue if needed

That was easy, back to work!


Step 3: Analyzing Behaviors and React to Threats

• Real-time Quarantine
• Re-authentication
• Bandwidth Control
• Blacklist

User/Device Context

Actionable Alerts

ClearPass Secure Access Control

1. Discover and Authorize

2. Monitor and Alert

3. Decide and Act

ClearPass Adaptive Response

360 Security Exchange Partners


IntroSpect Use Case Example: Ransomware

Infect | Command and Control | Lateral Spread | Encrypt

• IOC-STIX Ransomware Tracker
• Suspicious email Attachment
• Suspicious email domain
• Host scan
• Port scan
• Abnormal host access
• Excessive host activity
• Failed auths
• New logons
• DNS DGA
• DNS tunneling
• New country access
• Unusual file activity
• Telltale encryption writes


IntroSpect Advanced Analytics and Forensics

SUPERVISED

UNSUPERVISED

MACHINE LEARNING

Packets

Flows

Logs

Alerts


CLEARPASS + INTROSPECT = INTEGRATED PROTECTION

• Real-time Quarantine
• Re-authentication
• Bandwidth Control
• Blacklist

User/Device Context

Actionable Alerts

ClearPass Secure Access Control

Entity360 Profile with Risk Scoring

1. Discover and Authorize

2. Monitor and Alert

3. Decide and Act

IntroSpect UEBA

ClearPass Adaptive Response


Customer Examples

– Customer Example #1:

– Realized ROI in 7 months on ONE specific use case

– Corporate employees were frequently rearranging their desks, plugging their docking stations and phones into different ports.

– Each time they did this, the helpdesk would have to open a ticket and reconfigure. The cost of this alone paid for their investment.

– Customer Example #2:

– Each time a switch or port had to be reconfigured, this customer had to pay their provider a fee of $100.

– This will eliminate a 7 figure operational cost each year by utilizing the colorless / intelligent ports in ClearPass.


Benefits of a Modern Wired Security Implementation

– Stronger security/compliance posture

– Lower risk to organization

– Improved operations efficiency

– Symbiotic Network and Security Ecosystem

– Networking: Fewer helpdesk calls, fewer requests from security, fewer changes

– Security: Enable security to take action on its own

– Improved end user experience


UNIQUELY POSITIONED TO DELIVER ADVANCED SECURITY

ANALYTICS

CONTROL

CONNECTIVITY

VISIBILITY


Expand your solution value with Dynamic Segmentation

This is one of Aruba’s core technical differentiators

Wired

Wireless

ClearPass for Policy Definition

Controller/Gateway for Policy Enforcement

See a Demo in the Innovation Zone!

Dynamic Segmentation

✓ Wired and Wireless Access

✓ Layer 7 Stateful Firewall (DPI)

✓ Intelligent Role-based awareness

✓ Customizable Device Profiling

✓ Centralized Policy Enforcement


Thank You
