tw2392 suhay imc getting started with byod_final
© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
IMC BYOD Workshop: Getting Started (TW2392)
Bob Suhay & Juliano Forti / June 5, 2012
Balancing Security and Ease of Use
[Chart: a Security axis (Protected to Vulnerable) plotted against an Ease of Use axis (Easy to Deploy to Complex), with 802.1x + Fingerprinting and MAC Authentication / Fingerprinting placed along the Enterprise-to-SMB range]
Features and Technologies
Network Access Control Requirements
Identity and Access Management: Real-time, Device and OS Agnostic (802.1X, Fingerprinting, Portal, Client, Digital Certificates)
Policy Enforcement: Who, What, When, Where (VLAN, ACL, URL Filtering, Location, Time-of-day)
Health and Compliance: Patch Management, Application Control (WSUS / Live Application Policy Enforcement)
Quarantine: Real-time Detection, Location and Isolation (HP TippingPoint IPS Integration)
Active vs. Passive: Access Control vs. Access Detection
Guest and Employee Access Control Requirements
Requirement                    Guests (BYOD)   Employees (Company Asset)   Employees (BYOD)
MAC Authentication             4               3                           3
Portal Authentication          4               0                           3
Device Fingerprinting          4               0                           3
Policy Enforcement (4 "W's")   4               4                           4
802.1x Authentication          0               4                           3
Digital Certificates           0               4                           3
Client Posture                 0               4                           3
User Behavior Analysis         2               4                           4
Device Fingerprinting Solutions
Device Fingerprinting with Active Solutions
SuperScan: Run TCP port scanner
MetaSploit: Analyze Vulnerability and Ports
NMAP: Use Port scanning, Probes
HP iNode: HP Portal, 802.1X and VPN Client
Device Fingerprinting with Passive Solutions
DHCP Options: Analyze DHCP Request Options
HTTP User Agent: View HTTP User-Agent Details
MAC OUI: Use MAC Prefix to Determine Vendor
Fingerprinting via MAC OUI (Vendor ID)
• MAC OUI: 00-30-6E-xx-xx-xx
• Assigned by IEEE to Specific Vendors
• Usually only identifies Device Vendor, not device type
• Easy to change with Locally Administered Addresses
• Example: HP MAC Prefixes
  00-30-6E… 00-80-A0… 08-00-09… 08-2E-5F… 80-C1-6E… A0-B3-CC… AC-16-2D… E4-11-5B… E8-39-35… EC-9A-74…
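An OUI lookup that also checks the flag bits which decide whether the prefix means anything, written as an added example for this slide (not part of the workshop material). The vendor table is constructed from the HP prefixes listed above; a real deployment would load the full IEEE registry.

```python
import re

# Constructed lookup table: the ten HP prefixes from the slide, mapped to one vendor name.
HP_PREFIXES = ["00-30-6E", "00-80-A0", "08-00-09", "08-2E-5F", "80-C1-6E",
               "A0-B3-CC", "AC-16-2D", "E4-11-5B", "E8-39-35", "EC-9A-74"]
OUI_TABLE = {p.replace("-", ""): "Hewlett-Packard" for p in HP_PREFIXES}


def normalize_mac(mac):
    """Accept 00:30:6e:..., 00-30-6E-... or 00306e... and return 12 upper-case hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return digits


def classify_mac(mac):
    """Vendor lookup by OUI, qualified by the two flag bits of the first octet.

    A locally administered address (U/L bit set) was chosen by software, so its
    'OUI' identifies nobody; that is the 'easy to change' caveat on the slide.
    """
    digits = normalize_mac(mac)
    first_octet = int(digits[:2], 16)
    locally_administered = bool(first_octet & 0x02)  # U/L bit
    multicast = bool(first_octet & 0x01)             # I/G bit: not a station address
    oui = digits[:6]
    vendor = OUI_TABLE.get(oui)
    if locally_administered or multicast:
        confidence = "none"          # prefix carries no vendor meaning at all
        vendor = None
    elif vendor is None:
        confidence = "unknown"       # universally administered, but not in our table
    else:
        confidence = "vendor-only"   # tells us the vendor, never the device type
    return {"oui": oui, "vendor": vendor, "locally_administered": locally_administered,
            "multicast": multicast, "confidence": confidence}
```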
Fingerprinting via DHCP Request Monitoring
• Device Classification Based on DHCP Request Options / Fields
• Can Change by Software Version / Vendor Implementation

[os 907]
description=HP ProCurve 3500yl
fingerprints=<<EOT
1,3,4,23,67,66,43
EOT

[os 1102]
description=Apple iPod, iPhone or iPad
fingerprints=<<EOT
1,3,6,15,119,78,79,95,252
1,3,6,15,119,252
1,3,6,15,119,252,46,208,92
1,3,6,15,119,252,67,52,13
EOT

[os 1103]
description=HTC Android
fingerprints=<<EOT
1,121,33,3,28,51,58,59
EOT
Fingerprinting via DHCP Request Monitoring (cont.)
• Not 100% Reliable
• Many Overlapping Device Signatures

[os 1111]
description=Generic Android
# 1,121,33,3,6,28,51,58,59 disambiguated from HTC
# - confirmed as HTC ADP1 with 1.5
# - confirmed as Samsung Galaxy S running Android 2.2
# - also seen on two other MAC vendor (Samsung, Motorola) unconfirmed device,
# 1,3,6,28,33,51,58,59,121 disambiguated from HTC: seen on three other MAC Vendor (Sony-Ericsson, Maruta, Samsung, Motorola)
# 1,121,33,3,6,15,28,51,58,59,119 disambiguated from HTC by community member.
# - seen as Samsung (Galaxy S and Nexus S) running Android 2.2 and 2.3.6
# 1,121,33,3,6,12,15,28,51,58,59,119 disambiguated from Pantech Android: seen on a Samsung MAC Vendor
fingerprints=<<EOT
1,121,33,3,6,28,51,58,59
1,3,6,28,33,51,58,59,121
1,121,33,3,6,15,28,51,58,59,119
1,121,33,3,6,12,15,28,51,58,59,119
EOT
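A parser for the heredoc fingerprint format shown on the two DHCP slides, plus a classifier that turns a DHCP option 55 parameter request list into the "best guess" the slides talk about. This is an added example, not IMC or Fingerbank code; the database excerpt is constructed from the entries quoted above.

```python
# Constructed excerpt in the same format as the fingerprint entries on the slides.
FINGERPRINT_DB = """\
[os 907]
description=HP ProCurve 3500yl
fingerprints=<<EOT
1,3,4,23,67,66,43
EOT
[os 1103]
description=HTC Android
fingerprints=<<EOT
1,121,33,3,28,51,58,59
EOT
[os 1111]
description=Generic Android
# 1,121,33,3,6,28,51,58,59 disambiguated from HTC
fingerprints=<<EOT
1,121,33,3,6,28,51,58,59
1,3,6,28,33,51,58,59,121
EOT
"""


def parse_fingerprint_db(text):
    """Map each option-55 list (as a tuple, order preserved) to the descriptions claiming it.
    Values are lists so that overlapping signatures from several [os] entries survive."""
    db, description, in_heredoc = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if in_heredoc:
            if line == "EOT":
                in_heredoc = False
            elif line:
                db.setdefault(tuple(int(o) for o in line.split(",")), []).append(description)
        elif line.startswith("description="):
            description = line.partition("=")[2]
        elif line == "fingerprints=<<EOT":
            in_heredoc = True
        # [os N] headers, # comments and blank lines carry nothing the matcher needs
    return db


def classify_dhcp(db, param_request_list):
    """Exact (ordered) match first; otherwise an order-insensitive match, which is only a
    best guess because vendor stacks reorder options between firmware versions."""
    exact = db.get(tuple(param_request_list), [])
    if exact:
        return {"match": "exact", "candidates": sorted(set(exact))}
    wanted = set(param_request_list)
    loose = sorted({d for fp, descs in db.items() if set(fp) == wanted for d in descs})
    return {"match": "best-guess" if loose else "none", "candidates": loose}


DHCP_DB = parse_fingerprint_db(FINGERPRINT_DB)
```

Several descriptions in `candidates` is the "overlapping device signatures" case; policy should then fall back to the least-trusted role rather than pick one.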
Fingerprinting via HTTP User-Agent Analysis
• Attempts to determine device type based on HTTP User-Agent Details
• Example – Same Device – Two Different Browsers
  Your User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
  Your IP Address: 166.249.193.65
  Your User Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
  Your IP Address: 166.249.193.65
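The "same device, two browsers" point above, worked as an added example (not from the workshop): platform tokens and browser tokens are separated, so the two strings from the slide classify as one device. The NT-version-to-name table is a well-known mapping added here for readability.

```python
import re

# The two User-Agent strings quoted on the slide: one Windows host, two browsers.
UA_FIREFOX = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2"
UA_MSIE = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"

# NT kernel version to product name (standard mapping; only the versions needed here).
WINDOWS_NT_NAMES = {"5.1": "Windows XP", "6.0": "Windows Vista", "6.1": "Windows 7", "6.2": "Windows 8"}


def fingerprint_user_agent(ua):
    """Split a User-Agent into a device part (OS, 64-bit hint) and a browser part.
    Only the platform tokens feed device classification; the browser is reported
    separately so two browsers on one host do not look like two devices.
    The string is client-supplied, so the result is a passive best guess only."""
    nt = re.search(r"Windows NT (\d+\.\d+)", ua)
    os_name = WINDOWS_NT_NAMES.get(nt.group(1), "Windows NT " + nt.group(1)) if nt else "unknown"
    wow64 = "WOW64" in ua  # 32-bit browser on 64-bit Windows
    msie = re.search(r"MSIE (\d+\.\d+)", ua)
    firefox = re.search(r"Firefox/(\d+(?:\.\d+)*)", ua)
    if msie:                      # IE must be checked first: its UA never says Firefox
        browser = "Internet Explorer " + msie.group(1)
    elif firefox:
        browser = "Firefox " + firefox.group(1)
    else:
        browser = "unknown"
    return {"os": os_name, "wow64": wow64, "browser": browser}


def same_device(ua_a, ua_b):
    """True when the platform tokens agree, whichever browser sent each request."""
    a, b = fingerprint_user_agent(ua_a), fingerprint_user_agent(ua_b)
    return a["os"] == b["os"] and a["wow64"] == b["wow64"]
```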
Results of Passive and Active Fingerprinting
Passive Fingerprinting (MAC, DHCP, HTTP) produces a “Best Guess”
• Useful to Classify Unsecured Devices for Policy Enforcement
• Guests & Employee BYOD
Active Fingerprinting with a Resident or Dissolvable Client produces “No false positive”
• Provides Visibility to “full” OS & Device Details
• Allows for Device Posture Checking
• Can provide “Control” of End Device: USB Management, Proxy Control, Many others
HP Identity-Aware Solution Positioning
[Chart: the same Security (Protected to Vulnerable) and Ease of Use axes as before, with HP IMC and HP IMC SNAC placed along the Enterprise-to-SMB range]
HP Identity-Aware Solution Comparison
Capability                     IMC SNAC   IMC UAM + EAD
MAC Authentication             4          4
Portal Authentication          4          4
Device Fingerprinting          1          4
Policy Enforcement (4 "W's")   4          4
802.1x Authentication          0          4
Digital Certificates           2          4
Client Posture Check           0          4
User Behavior Analysis         4          4
HP Wired and Wireless Support  4          4
HP Identity-Aware Solution for BYOD
HP Identity-Aware Solution – BYOD Architecture: One Network, One Policy, Any Device with Single Pane-of-Glass Management
[Diagram: Authentication (Device Agnostic, Network Agnostic, User Security Check, Time Aware, Location Aware); Authorization; Audit (Traffic Monitoring, User Behavior); User Self-Service; Monitoring and Provisioning; Policy enforcement based on level of trust; Traffic and User Behavior Analysis; User registration and Device profiling; Onboarding for Employee and Guest]
HP Identity-Aware Solution – BYOD: Combined Infrastructure and Access Management for BYOD, Wired and Wireless
• Seamless Wired and Wireless management
• BYOD user and device management
• Security policy provisioning and enforcement
• Network traffic monitoring
• User behavior analysis by user and device type
• Posture check and agent control
HP Identity-Aware – BYOD Diagram
[Diagram: IMC with UAM (Mandatory), EAD, UBA/NTA and WSM; Access Switch (Agnostic); WLAN Controller and AP; Employee, Guest and BYOD endpoints; DHCP Server with DHCP IMC Plugin; Core Switch (Comware)]
HP IMC BYOD
HP IMC BYOD Demonstration
Thank you