Building a BYOD network - Airheads
TRANSCRIPT
CONFIDENTIAL © Copyright 2011. Aruba Networks, Inc. All rights reserved
Building a BYOD network
Carlos Gómez Gallego
Director Product Management [email protected]
January 2012
What is BYOD?
• The buzz is uncontrollable: any device, any user, any time
• What have we learnt from the originators of BYOD?
– Education has been doing BYOD for years
– Lots of diverse devices to manage = lots of helpdesk calls
– Securing the network and the application is key
– Expand cloud applications or leverage VDI
– End users demand simplicity
• So, from a security perspective: is the BYOD craze just masking weaknesses in your existing network?
BYOD Provisioning Use Cases
1. Guest Access with Sponsor Approval – Self registration with SMS delivery → Guest Role
2. Corporate Issued Laptop – Machine + User Authentication → Employee Role
3. Executive BYOD iPad – Unique device credential, 802.1X authentication → BYOD Exec
4. Employee/Student BYOD Windows Laptop – Unique device credential, 802.1X authentication → BYOD LAZ
5. Executive/Student BYOD MacBook – Unique device credential, 802.1X authentication → BYOD Exec
6. Employee/Student BYOD Android Smartphone – Unique device credential, 802.1X authentication → BYOD LAZ
Network Policy Examples
Access types: Wireless, Wired, VPN, Remote Office, Outdoor
Context-based policies: user, device, location and application aware
• BYOD Policy: allow personal devices into a limited access zone (LAZ)
• Executive Class Policy: deliver executive traffic with higher priority
• Multimedia Policy: optimize delivery of Lync traffic over the air
• Unauthorized Use Policy: disable rogue AP, blacklist user
• Device Revocation Policy: disable device access, not user access, if stolen/lost
• Device Quarantine Policy: quarantine unhealthy devices for remediation
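The provisioning use cases and the policies above boil down to one decision: given what the AAA server knows about the user, the device credential and the authentication method, which role does the session get? The following is an added example, not Aruba or ClearPass code, of a small role-derivation engine that encodes the six use cases and the Device Revocation Policy (a stolen iPad's per-device certificate is revoked while the user's account, and the user's other devices, keep working). The attribute names, the certificate OU values "Corporate Devices" and "BYOD Devices", the "Executives" group and the "Machine Only" role are assumptions for illustration; the requests at the bottom are constructed sample input.

```python
# Added example (not Aruba/ClearPass code): role derivation for 802.1X and guest
# access with per-device credential revocation. OU values, group names and the
# "Machine Only" role are assumptions for illustration.
from dataclasses import dataclass, field
from typing import Optional, Set

DENY = "deny"


@dataclass
class AccessRequest:
    """Constructed view of a RADIUS Access-Request plus the lookups the AAA server did."""
    username: Optional[str] = None
    user_groups: Set[str] = field(default_factory=set)   # from directory lookup
    auth_method: str = ""                 # "eap-tls", "peap-mschapv2", "guest-portal"
    client_cert_serial: Optional[str] = None   # serial of the per-device certificate
    cert_subject: str = ""                # e.g. "CN=ipad-4711,OU=BYOD Devices,O=Example"
    device_type: str = ""                 # from device profiling (informational here)
    machine_authenticated: bool = False   # a prior machine auth was seen for this endpoint
    guest_sponsor_approved: bool = False


def parse_subject(subject: str) -> dict:
    """Parse 'CN=x,OU=y,O=z' into a dict; tolerant of spaces around commas."""
    parts = {}
    for rdn in subject.split(","):
        if "=" in rdn:
            key, value = rdn.split("=", 1)
            parts[key.strip().upper()] = value.strip()
    return parts


class RoleEngine:
    def __init__(self, revoked_serials=()):
        # Revocation is keyed on the device certificate, never on the user account.
        self.revoked = {s.lower() for s in revoked_serials}

    def revoke_device(self, serial: str) -> None:
        """Device Revocation Policy: lost/stolen device -> revoke its credential only."""
        self.revoked.add(serial.lower())

    def derive(self, req: AccessRequest) -> str:
        # Use case 1: guest self-registration is only usable after sponsor approval.
        if req.auth_method == "guest-portal":
            return "Guest" if req.guest_sponsor_approved else DENY

        # Everything else must be 802.1X.
        if req.auth_method not in ("eap-tls", "peap-mschapv2"):
            return DENY

        # A revoked per-device certificate is refused even though the user is valid.
        if req.client_cert_serial and req.client_cert_serial.lower() in self.revoked:
            return DENY

        # Use case 2: corporate laptop needs machine AND user authentication.
        if req.machine_authenticated:
            return "Employee" if req.username else "Machine Only"  # assumed pre-logon role

        # Use cases 3-6: BYOD devices carry a unique device credential (EAP-TLS);
        # the role then follows the user's group membership.
        ou = parse_subject(req.cert_subject).get("OU", "")
        if req.auth_method == "eap-tls" and ou == "BYOD Devices":
            return "BYOD Exec" if "Executives" in req.user_groups else "BYOD LAZ"

        # PEAP without machine auth, or an unknown certificate: no corporate access.
        return DENY


if __name__ == "__main__":
    engine = RoleEngine()
    ipad = AccessRequest(username="ceo", user_groups={"Executives"}, auth_method="eap-tls",
                         client_cert_serial="0A1B2C", device_type="iPad",
                         cert_subject="CN=ipad-4711,OU=BYOD Devices,O=Example")
    print("before revocation:", engine.derive(ipad))
    engine.revoke_device("0A1B2C")
    print("after revocation: ", engine.derive(ipad))
```

The point to notice is where the revocation check sits: before any user-based rule, so a stolen device is blocked regardless of who logs into it, while the same user presenting a different device certificate still gets the BYOD Exec role.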
The right way, not just for BYOD
Onboard Device
• Enrolment workflow • Authorize user to provision device • Device credential push • Link user to device
AAA
• Supplicant config • Push trusted cert • Enable posture • Set auth type
Device Access Controls
• Revoke device access • Device profiling • Role derivation • Corp vs employee liable
Visibility & Reporting
• Complete view of device and network • Command and control • Inventory • Diagnostics
Apple ‘over the air’ Profile Delivery
• Phase 1: Authentication – ensures the enrollment request comes from an authorized user; captures device information for the enrollment process
• Phase 2: Certificate enrollment (X.509 and SCEP) – the device obtains a signed X.509 certificate
• Phase 3: Device configuration and encrypted profiles – delivery of the iOS configuration profile
• After enrollment: the device installs the profile
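What phase 3 actually delivers is a property-list configuration profile whose payloads tie the phases together: a SCEP payload telling the device where and how to enroll for its X.509 certificate (phase 2), a trusted-CA payload, and a Wi-Fi payload that uses the resulting identity for EAP-TLS against the 802.1X network. The following is an added example, not Apple's, Aruba's or any MDM vendor's code, that builds such a profile with the standard library and checks the security-relevant settings a practitioner would verify before pushing it. The organisation, SCEP URL, SSID, RADIUS server name, the "BYOD Devices" OU and the CA bytes are constructed placeholders. Signing the profile and wrapping it in CMS encryption for the device's new certificate (the "encrypted profiles" part of phase 3) is outside this example.

```python
# Added example (not Apple/Aruba code): build and sanity-check the iOS
# configuration profile delivered in phase 3. All hostnames, names and the
# CA bytes are constructed placeholders. Signing/encryption is not covered.
import plistlib
import uuid

REQUIRED_KEYS = ("PayloadType", "PayloadVersion", "PayloadIdentifier", "PayloadUUID")


def _payload(ptype, ident, display, **content):
    """The common keys every Apple payload dictionary carries, plus payload-specific ones."""
    return {"PayloadType": ptype, "PayloadVersion": 1, "PayloadIdentifier": ident,
            "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadDisplayName": display, **content}


def build_byod_profile(org, scep_url, challenge, device_cn, ssid, radius_name, ca_der):
    # Trust anchor the supplicant uses to validate the RADIUS server's certificate.
    ca = _payload("com.apple.security.root", f"{org}.ca", "RADIUS CA", PayloadContent=ca_der)

    # Phase 2 parameters: where to enroll, what subject to request, one-time challenge.
    scep = _payload("com.apple.security.scep", f"{org}.scep", "Device certificate",
                    PayloadContent={
                        "URL": scep_url,
                        "Name": "BYOD-CA",
                        "Subject": [[["CN", device_cn]], [["OU", "BYOD Devices"]], [["O", org]]],
                        "Challenge": challenge,
                        "Keysize": 2048,
                        "Key Type": "RSA",
                        "Key Usage": 5,   # digital signature (1) + key encipherment (4)
                    })

    # Wi-Fi payload: EAP-TLS only, identity = the SCEP-issued cert, server identity pinned.
    wifi = _payload("com.apple.wifi.managed", f"{org}.wifi", f"Wi-Fi {ssid}",
                    SSID_STR=ssid, HIDDEN_NETWORK=False, AutoJoin=True, EncryptionType="WPA2",
                    PayloadCertificateUUID=scep["PayloadUUID"],
                    EAPClientConfiguration={
                        "AcceptEAPTypes": [13],                     # 13 = EAP-TLS
                        "TLSTrustedServerNames": [radius_name],
                        "PayloadCertificateAnchorUUID": [ca["PayloadUUID"]],
                    })

    return {"PayloadType": "Configuration", "PayloadVersion": 1,
            "PayloadIdentifier": f"{org}.byod", "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadDisplayName": f"{org} BYOD", "PayloadOrganization": org,
            "PayloadRemovalDisallowed": False, "PayloadContent": [ca, scep, wifi]}


def validate_profile(profile):
    """Return a list of problems; an empty list means the profile passes the checks."""
    problems = []
    payloads = profile.get("PayloadContent", [])
    uuids = [p.get("PayloadUUID") for p in payloads]
    if len(set(uuids)) != len(uuids):
        problems.append("duplicate PayloadUUID")
    for p in payloads:
        problems += [f"{p.get('PayloadType', '?')} missing {k}" for k in REQUIRED_KEYS if k not in p]
        if p.get("PayloadType") == "com.apple.wifi.managed":
            eap = p.get("EAPClientConfiguration", {})
            if eap.get("AcceptEAPTypes") != [13]:
                problems.append("Wi-Fi payload should allow EAP-TLS (13) only")
            if p.get("PayloadCertificateUUID") not in uuids:
                problems.append("Wi-Fi payload references an unknown identity certificate")
            if not eap.get("TLSTrustedServerNames") or not eap.get("PayloadCertificateAnchorUUID"):
                problems.append("Wi-Fi payload does not pin the RADIUS server identity")
        if p.get("PayloadType") == "com.apple.security.scep":
            c = p.get("PayloadContent", {})
            if c.get("Keysize", 0) < 2048 or not c.get("Challenge"):
                problems.append("SCEP payload needs a 2048-bit key and a one-time challenge")
    return problems


def to_plist(profile):
    """Serialise to the XML plist the device expects (before signing/encryption)."""
    return plistlib.dumps(profile)


def payload_of(profile, ptype):
    return next(p for p in profile["PayloadContent"] if p["PayloadType"] == ptype)


if __name__ == "__main__":
    prof = build_byod_profile("Example", "https://scep.example.com/scep", "one-time-challenge",
                              "ipad-4711", "Example-BYOD", "radius.example.com", b"\x30\x03\x02\x01\x01")
    print(validate_profile(prof) or "profile OK")
    print(to_plist(prof).decode()[:200])
```

The checks in validate_profile are the ones that matter for an 802.1X rollout: a Wi-Fi payload that also accepts PEAP or TTLS invites credential phishing by a rogue AP, and a payload without trusted server names and a CA anchor lets the supplicant hand its certificate to any RADIUS server answering on that SSID.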
iOS User Scenario
Challenges with MDM for BYOD
• Diversity
– Multiple manufacturers, multiple operating systems, multiple ecosystems
– New devices and software revisions every day
• Feature parity across BYOD devices
– How do I enforce common policies across mobile and traditional laptop devices?
– Do I have remote wipe for a BYOD Windows laptop?
• Integration with infrastructure: another piece of the puzzle
Secure the Network or the Device
• Network approach:
– Enrollment workflow, simple, intuitive
– Per-device credential that can be revoked
– Strong application and firewall security, web-based apps
– VDI from Citrix or other
• Device approach:
– Enrollment workflow, simple, intuitive
– Install persistent software client
– Issue per-device credential
– Manage mobile with a point solution but full control
A Mobility-Centric Access Network
Mobility Access Network Architecture
Policy Definition and Control
• AAA services • Policy management • NAC • BYOD • Guest
Policy Enforcement (NAS policy)
• Security policies • L4-7 application delivery policies • WLAN, wired, remote • Role-based access
Visibility and Management (monitoring)
• Network management • Security management • Device management • Application visibility • Location services
Thank You