“There is nothing more important
than our customers”
Identity Management and Network Access Control
An open communication solution for location and identity assurance (OCS LIA), formerly known as SALERNO
Markus Nispel
VP Solutions Architecture
markus.nispel@enterasys.com
Inderpreet Singh
Director, Solution Architecture
inderpreet.singh@siemens-enterprise.com
© 2008 Enterasys Networks, Inc. All rights reserved.
Why should you care?
• OCS LIA is the first technical integration that provides a true unique selling proposition when combining an Enterasys (NAC) solution with a SIEMENS Enterprise Communications UC solution
- even though it uses standard protocols and APIs, no one else in the market is able to provide a similar solution
- a unique value in projects and RFPs
- and still open to other vendors' infrastructure, as Enterasys NAC supports this inherently
• It provides tangible value to the customer: a lower TCO (through lower OPEX) and higher security, along with visibility into the IT infrastructure
• The solution is not limited to VoIP. A professional-services-based integration into any asset/inventory database at the customer site is always possible; the result is IT workflow integration, reduced operational costs and a loyal customer
What does it do for you?
• Automatic inventory and location service: reduces the risk of operating non-compliant end devices with an invalid configuration or software release
• Automatic adaptation and location-based configuration of end devices and use of special functions (e.g. configuration of a speed-dial button)
• IP phone monitoring: detects non-compliant and compromised end devices
• Automatic authentication and authorization: ensures secure, reliable and high-quality operation of real-time applications through automatically assigned QoS parameters and security profiles (ACL and VLAN)
• Finally, the use of this solution provides the following value add:
- Reduces administrative effort and costs
- Increases protection and reliability of real-time applications
- Minimizes the risk of attacks and the probability of outages
- Increases compliance with the enterprise's security policies
• http://www.enterasys.com/company/literature/auto-voip-deploy.pdf
What is NAC?
• A user-focused technology that:
- Authorizes a user or device (PC, phone, printer) and
- Permits access to resources based on identity authentication of the user (and/or device) as well as on the security posture of the device, along with location and time
- The parameters are set in the so-called Pre-Connect Assessment (aka Health Check), i.e. before connecting to the infrastructure
- However, during normal operation, regular checks should be conducted as part of the Post-Connect Assessment
What do you need to deploy OCS LIA?
• Enterasys Network Access Control (NAC) version 3.1.2 or above
- at least implemented in discovery mode (with MAC authentication enabled on the access switches and access points; 802.1X can be used too) using a default authorization for all endpoints
- along with professional services from Enterasys to implement the solution and the OCS LIA middleware
• Siemens HiPath Deployment Service (DLS) V2R4
- supporting OpenStage and Optipoint VoIP endpoints in both SIP and HFA mode
- additional location service licenses for each device that should be supported for this feature
- along with professional services from SEN to properly set up the DLS (also for web services usage) and optionally configure the infrastructure policies
Enterasys NAC - in Any Environment
• Hybrid deployment
- Best of both models for mixed environments
- Single, integrated solution – seamless management from a single system
[Diagram: core / distribution / edge view of an enterprise network showing the NAC Manager, NAC Controller and NAC Gateway together with Enterasys policy-capable switches, RFC 3580-capable switches and RFC 3580-capable wireless access points, plus non-intelligent edge switches, non-intelligent wireless, VPN and a shared-access LAN]
Enterasys NAC - Components
Authorization
• Enterasys Matrix™ and SecureStack™ switches, HiPath WLAN, RoamAbout
• and/or
• Third-party switch or WLAN access point (RFC 3580-compliant)
• and/or
• NAC Controller (includes all Gateway functions and the Assessment Service)
Detection, Authentication, Remediation, Assessment
• Enterasys NAC Gateway
- (Proxy) RADIUS
- Remediation and Registration
- Optional Assessment Service integrated
• Assessment Service
- optional
- Nessus, Retina Eye, Enterasys
- Interface to integrate other servers
Management
• Enterasys NAC Manager
- Software plugin to NetSight Console
- Centralized administration of NAC Gateways and Controllers
NAC Gateway – with "any" access device
• Policy Mapping table in NAC 3.2 - creates independence from device type and topology
- More flexible VLAN-name-based approaches
- Globally configured
- Location based = switch IP and switch port (and APs, SSIDs etc.)
• Will also support authorization methods like Cisco ACL, Login-LAT-Group or a combination of these, along with fully customizable RADIUS attributes to map a policy to the appropriate authorization alternative
Open Communication Solution for Location and Identity Assurance: Enterasys NAC / Siemens HiPath DLS
[Diagram: on the wired LAN, the Siemens HiPath DLS (on the HiPath/OpenScape platform) and the Enterasys NAC Appliance / NAC Manager exchange data through event-based synchronization of their databases via API: IP phone, phone number, switch, switch port, building, room. A database with the physical infrastructure / cabling (wall socket, building, room) is attached on the DLS side.]
Phone number | Phone IP Address | Phone MAC Address | Switch name | Switch IP Address | Switch port | Building | Room | Wall jack | Phone Software
12345        | 10.1.1.10        | xx-xy-yy-yz-zz-az | Access 1    | 10.9.9.8          | fe.0.15     | B. A     | 130  | 3         | 4.2.4
34567        | 10.1.1.18        | aa-bb-cc-dd-ee-ff | Access 2    | 10.9.9.9          | fe.1.8      | B. B     | 241  | 1         | 4.2.4
56789        | 10.1.1.25        | ab-cd-ef-gh-ij-kl | Access 3    | 10.9.9.10         | fe.2.21     | B. A     | 412  | 2         | 4.2.2
(Building, room and wall jack come from the cabling database, integrated via professional services.)
OCS LIA Integrator/Middleware – SOA based
"Agile enterprises use service-oriented architectures (SOAs) and extend SOA with events where appropriate. Service and event architectures make enterprise computing more effective and flexible than traditional, monolithic "stovepipe" systems. Success requires a knowledge of common deployment patterns and fundamental success factors."
Source: Gartner, 4 April 2007, Applied SOA: Transforming Fundamental Principles Into Best Practices
OCS LIA Integrator/Middleware – SOA and Web Services
• WSDL (Web Services Description Language) is the proposed standard used for the service interface definition in most new development tools
• XML (eXtensible Markup Language) is used to transport the messages in a machine-to-machine communication scenario over IP-based networks
• OCS LIA is based on these widely accepted and deployed standards
OCS LIA Integrator/Middleware – General Features
• Synchronize end-system data from the NetSight (NAC) database to HiPath DLS
• Synchronize VoIP phone number, type and SW version to the NetSight end-system database
• Detect HiPath DLS restarts (for full re-sync)
• Detect new phones on the DLS side (for individual sync)
• Periodic cache cleanup to eliminate old, outdated cache entries
• Retry mechanism in case of unreachable external systems
• Detection of IP mismatch due to VLAN configuration with delayed DLS update (to prevent DLS jobs being sent to the old device IP)
• Flexible logging configuration
• Very flexible component configuration
• Support of multiple switches
• Support of multiple DLS servers
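The behaviour behind several of these features is easy to get wrong in a middleware that merges two databases, so here is an added example (not the OCS LIA product code) of a small integrator cache: it merges the NAC and DLS views of a phone, detects an IP mismatch after a VLAN move and defers DLS jobs until the DLS has learned the new address, detects a DLS restart, expires stale cache entries, and retries calls to an unreachable external system. The record fields, method names and the boot-id notion of restart detection are assumptions made for this illustration.

```python
"""Added example, not OCS LIA code: integrator cache between a NAC end-system database
and a phone deployment service (DLS). Field and method names are assumptions."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class PhoneRecord:
    mac: str
    nac_ip: str = ""          # IP address the NAC end-system database currently sees
    dls_ip: str = ""          # IP address the DLS last reported for this phone
    switch_ip: str = ""
    switch_port: str = ""
    phone_number: str = ""
    sw_version: str = ""
    last_seen: float = 0.0    # last refresh from either side, for cache cleanup


class IntegratorCache:
    def __init__(self, ttl_seconds: float, clock: Callable[[], float] = time.time):
        self.ttl = ttl_seconds
        self.clock = clock                              # injectable for deterministic tests
        self.records: Dict[str, PhoneRecord] = {}       # keyed by phone MAC
        self.deferred: Dict[str, List[dict]] = {}       # jobs waiting for the DLS to learn the new IP
        self.sent: List[dict] = []                      # stand-in for jobs handed to the DLS API
        self.dls_boot_id: Optional[str] = None

    def _record(self, mac: str) -> PhoneRecord:
        rec = self.records.get(mac)
        if rec is None:
            rec = self.records[mac] = PhoneRecord(mac)
        rec.last_seen = self.clock()
        return rec

    def update_from_nac(self, mac: str, ip: str, switch_ip: str, switch_port: str) -> str:
        """End-system event from the NAC side. Returns 'new', 'ip_changed', 'moved' or 'unchanged'."""
        known = mac in self.records
        rec = self._record(mac)
        if not known:
            result = "new"
        elif rec.nac_ip != ip:
            result = "ip_changed"   # e.g. phone re-addressed after NAC placed it in the voice VLAN
        elif (rec.switch_ip, rec.switch_port) != (switch_ip, switch_port):
            result = "moved"
        else:
            result = "unchanged"
        rec.nac_ip, rec.switch_ip, rec.switch_port = ip, switch_ip, switch_port
        return result

    def update_from_dls(self, mac: str, dls_ip: str, phone_number: str, sw_version: str) -> List[dict]:
        """Phone data from the DLS (a new phone creates the record). Returns jobs released from deferral."""
        rec = self._record(mac)
        rec.dls_ip, rec.phone_number, rec.sw_version = dls_ip, phone_number, sw_version
        released: List[dict] = []
        if rec.dls_ip == rec.nac_ip:          # DLS has caught up with the NAC view
            released = self.deferred.pop(mac, [])
            self.sent.extend(released)
        return released

    def submit_dls_job(self, mac: str, job: dict) -> str:
        """Send a DLS job now, or defer it while the DLS still holds a stale IP for the phone."""
        rec = self.records.get(mac)
        if rec is None:
            return "unknown"
        if rec.dls_ip != rec.nac_ip:          # IP mismatch: a job sent now would go to the old address
            self.deferred.setdefault(mac, []).append(job)
            return "deferred"
        self.sent.append(job)
        return "sent"

    def check_dls_restart(self, boot_id: str) -> bool:
        """True when the DLS reports a different boot id than before, i.e. a full re-sync is due."""
        restarted = self.dls_boot_id is not None and boot_id != self.dls_boot_id
        self.dls_boot_id = boot_id
        return restarted

    def cleanup(self) -> List[str]:
        """Drop records not refreshed within the TTL; returns the removed MACs."""
        now = self.clock()
        stale = [m for m, r in self.records.items() if now - r.last_seen > self.ttl]
        for mac in stale:
            del self.records[mac]
            self.deferred.pop(mac, None)
        return stale


def send_with_retry(send: Callable[[dict], bool], job: dict, attempts: int = 3) -> int:
    """Call send(job) until it succeeds; returns the successful attempt number, 0 if all failed."""
    for attempt in range(1, attempts + 1):
        if send(job):
            return attempt
    return 0
```

The deferral check is the part worth copying: the integrator compares the address each side believes the phone has and only releases configuration jobs once the two agree, which is exactly the window the "IP mismatch" feature closes.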
Open Communication Solution for Location and Identity Assurance: IP Infrastructure Cache
All device-relevant data from NetSight, HiPath DLS servers and switches are collected and cached within the Integrator using an internal cache. The IP Infrastructure data record used here contains the following information:
[Figure: fields of the IP Infrastructure data record]
Open Communication Solution for Location and Identity Assurance: data exchange
• The exchanged data is presented as additional end-system data in the NAC Manager, but also on the HiPath DLS
[Screenshots: Enterasys NMS NAC Manager end-system view showing the device phone number (e.g. 43254) and the device type and SW version (e.g. OpenStage 80:V1 R4.14.0); DLS IP Infrastructure view]
Open Communication Solution for Location and Identity Assurance: location-based configuration
[Screenshot: Siemens OpenStage VoIP phone]
The value of using Enterasys switch hardware
Multi-user authentication AND policy
[Diagram: one Enterasys switch port (Port X) with three end systems behind it – Anita (SMAC = Anita) logging in via 802.1X, Bob (SMAC = Bob) via PWA (web) and an IP phone (SMAC = Phone) via MAC authentication. The multi-user authentication and policy logic (MUA&P Logic) on the DFE forwards the 802.1X, PWA and MAC credentials to the RADIUS authority, which returns a Filter-ID per user that becomes a dynamic admin rule on the port: policy sales for Anita, policy credit for Bob, policy phone for the phone.]
• Inherent advantage: from 2 (3) up to 2048 devices per port and system
• Supported by the B/C/G/D and N/NGN/S Series (partially dependent on licenses)
• Different authentication methods, in any combination per port/user (which combinations are possible depends on the product)
- 802.1X, PWA (web), MAC authentication, RADIUS, Kerberos, default role ...
• Single physical interface but multiple roles (and VLANs)
Enterasys Switch
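To make the two mechanisms described on the policy-mapping slide above and on this slide concrete, here is an added example (not Enterasys or Siemens code) in Python: several devices authenticate independently on one switch port with different methods, a location-aware mapping table resolves each one to a policy name, and that name is rendered as either a Filter-Id for a policy-capable switch or RFC 3580 VLAN tunnel attributes for a third-party access device. The mapping-table contents, policy and VLAN names, group names and the exact Filter-Id string format are assumptions made for this illustration.

```python
"""Added example, not vendor code: multi-user authentication on one port with a
location-aware policy mapping table. Table entries, names and the Filter-Id
string format are assumptions."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, Optional


@dataclass
class Session:
    mac: str
    method: str                  # "802.1X", "PWA" (web) or "MAC"
    identity: str
    policy: str
    attributes: Dict[str, str]   # RADIUS attributes returned to the access device


# Constructed policy mapping table. Each entry may constrain the location (switch IP,
# port pattern), the authentication method and the user's group; the first entry whose
# constraints all match wins, so the most specific locations go first.
MAPPING_TABLE = [
    {"switch_ip": "10.9.9.8", "port": "fe.2.*", "policy": "Guest"},   # lobby ports: always Guest
    {"method": "MAC", "policy": "Phone"},                              # MAC-authenticated phones
    {"method": "802.1X", "group": "sales", "policy": "Sales"},
    {"method": "PWA", "group": "credit", "policy": "Credit"},
]
DEFAULT_POLICY = "Default"

# Policy name -> VLAN name, for access devices that only understand RFC 3580 attributes
VLAN_FOR_POLICY = {"Phone": "VOICE", "Sales": "SALES", "Credit": "CREDIT",
                   "Guest": "GUEST", "Default": "QUARANTINE"}


def lookup_policy(switch_ip: str, port: str, method: str, group: Optional[str] = None) -> str:
    """First-match lookup of the policy name for a device authenticated at a location."""
    context = {"switch_ip": switch_ip, "port": port, "method": method, "group": group or ""}
    for entry in MAPPING_TABLE:
        constraints = {k: v for k, v in entry.items() if k != "policy"}
        if all(fnmatchcase(context[k], v) for k, v in constraints.items()):
            return entry["policy"]
    return DEFAULT_POLICY


def render_authorization(policy: str, switch_kind: str) -> Dict[str, str]:
    """Translate a policy name into the RADIUS attributes this kind of access device understands."""
    if switch_kind == "enterasys-policy":
        # Policy-capable switch: the role is named in Filter-Id (string format assumed here)
        return {"Filter-Id": f"Enterasys:version=1:policy={policy}"}
    if switch_kind == "rfc3580":
        # Third-party switch or AP: RFC 3580 tunnel attributes carrying the VLAN name
        return {"Tunnel-Type": "13",             # VLAN
                "Tunnel-Medium-Type": "6",       # IEEE-802
                "Tunnel-Private-Group-ID": VLAN_FOR_POLICY[policy]}
    raise ValueError(f"unknown access device kind: {switch_kind}")


class Port:
    """One physical port holding up to max_devices independently authenticated sessions."""

    def __init__(self, switch_ip: str, port: str, switch_kind: str, max_devices: int = 2048):
        self.switch_ip, self.port, self.switch_kind = switch_ip, port, switch_kind
        self.max_devices = max_devices
        self.sessions: Dict[str, Session] = {}   # keyed by source MAC

    def authenticate(self, mac: str, method: str, identity: str,
                     credentials_ok: bool, group: Optional[str] = None) -> Optional[Session]:
        """Admit one device; returns its session, or None if rejected or the port is full."""
        if not credentials_ok:
            return None
        if mac not in self.sessions and len(self.sessions) >= self.max_devices:
            return None
        policy = lookup_policy(self.switch_ip, self.port, method, group)
        session = Session(mac, method, identity, policy,
                          render_authorization(policy, self.switch_kind))
        self.sessions[mac] = session
        return session


if __name__ == "__main__":
    port = Port("10.9.9.8", "fe.0.15", "enterasys-policy")
    for mac, method, who, group in [("00-11-22-33-44-01", "802.1X", "anita", "sales"),
                                    ("00-11-22-33-44-02", "PWA", "bob", "credit"),
                                    ("00-11-22-33-44-03", "MAC", "phone", None)]:
        s = port.authenticate(mac, method, who, True, group)
        print(f"{who:6} via {method:6} -> {s.policy:6} {s.attributes}")
```

Each session is keyed by source MAC, which is what lets one port carry a PC, a phone and a web-authenticated guest with three different roles; the location entry at the top of the table shows why ordering matters, since a lobby port hands out Guest even to a user whose 802.1X group would otherwise earn Sales.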
The value of using Enterasys switch hardware
Authorization/Policy – roles & rules
[Diagram: Roles, Services, Rules
Roles: Network Administrator, VOIP, Office, Non-Office
Services: Administrative Protocols, Acceptable Use, Legacy Protocols, SIP Only, Deny Faculty Server Farm
Rules: DenyRIP, DenyOSPF, DenyApple, DenyIPX, DenyDHCPReply, DenyIPRange, AllowARP, AllowDNS, AllowRTP 128 kbit/s, AllowSNMP, AllowSIP 2 Mbit/s, DenySNMP, DenyTelnet, DenyTFTP, DropApple, DropIPX, DropDecNet]
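The role / service / rule hierarchy on this slide is a small policy engine, so here is an added example (not Enterasys code) that builds it from the rule names shown and evaluates sample frames against each role. The packet model, port numbers, the CIDR behind DenyIPRange, the membership of each service, the "Management Access" service and the rate-limit values are assumptions made for this illustration.

```python
"""Added example, not Enterasys policy-engine code: role -> services -> rules evaluation.
Packet fields, ports, service membership and rate limits are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    ethertype: str          # "IPv4", "ARP", "AppleTalk", "IPX", "DECnet"
    protocol: str = ""      # "TCP", "UDP", "OSPF" for IPv4 frames
    dst_port: int = 0
    src_port: int = 0
    dst_ip: str = ""


@dataclass
class Rule:
    action: str             # "allow", "deny" (ACL reject) or "drop" (silent discard)
    match: Dict[str, object]
    rate_limit_kbps: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        for key, want in self.match.items():
            have = getattr(pkt, key)
            if isinstance(want, range):              # port range
                if have not in want:
                    return False
            elif key == "dst_ip":                    # CIDR match
                if not have or ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                    return False
            elif have != want:
                return False
        return True


@dataclass(frozen=True)
class Verdict:
    action: str
    rule: Optional[str]     # deciding rule name, None when the role default applied
    rate_limit_kbps: Optional[int] = None


RULES: Dict[str, Rule] = {
    "DenyRIP":           Rule("deny", {"protocol": "UDP", "dst_port": 520}),
    "DenyOSPF":          Rule("deny", {"protocol": "OSPF"}),
    "DenyDHCPReply":     Rule("deny", {"protocol": "UDP", "src_port": 67}),  # blocks rogue DHCP servers
    "DenyTelnet":        Rule("deny", {"protocol": "TCP", "dst_port": 23}),
    "DenyTFTP":          Rule("deny", {"protocol": "UDP", "dst_port": 69}),
    "DenySNMP":          Rule("deny", {"protocol": "UDP", "dst_port": 161}),
    "AllowSNMP":         Rule("allow", {"protocol": "UDP", "dst_port": 161}),
    "AllowARP":          Rule("allow", {"ethertype": "ARP"}),
    "AllowDNS":          Rule("allow", {"protocol": "UDP", "dst_port": 53}),
    "AllowSIP2Mbit/s":   Rule("allow", {"protocol": "UDP", "dst_port": 5060}, rate_limit_kbps=2000),
    "AllowRTP128kbit/s": Rule("allow", {"protocol": "UDP", "dst_port": range(16384, 32768)},
                              rate_limit_kbps=128),
    "DenyIPRange":       Rule("deny", {"dst_ip": "10.50.0.0/16"}),            # constructed server-farm range
    "DropApple":         Rule("drop", {"ethertype": "AppleTalk"}),
    "DropIPX":           Rule("drop", {"ethertype": "IPX"}),
    "DropDecNet":        Rule("drop", {"ethertype": "DECnet"}),
}

# Service -> ordered rule names (membership assumed for this example)
SERVICES: Dict[str, List[str]] = {
    "Administrative Protocols": ["DenyRIP", "DenyOSPF", "DenyDHCPReply", "DenyTelnet", "DenyTFTP", "DenySNMP"],
    "Legacy Protocols": ["DropApple", "DropIPX", "DropDecNet"],
    "Acceptable Use": ["AllowARP", "AllowDNS"],
    "SIP Only": ["AllowARP", "AllowDNS", "AllowSIP2Mbit/s", "AllowRTP128kbit/s"],
    "Deny Faculty Server Farm": ["DenyIPRange"],
    "Management Access": ["AllowSNMP"],          # constructed service, not on the slide
}

# Role -> (ordered services, default action when nothing matches)
ROLES = {
    "Network Administrator": (["Management Access", "Acceptable Use"], "allow"),
    "VOIP": (["SIP Only", "Administrative Protocols", "Legacy Protocols"], "deny"),
    "Office": (["Acceptable Use", "Administrative Protocols", "Legacy Protocols"], "allow"),
    "Non-Office": (["Acceptable Use", "Deny Faculty Server Farm",
                    "Administrative Protocols", "Legacy Protocols"], "allow"),
}


def evaluate(role: str, pkt: Packet) -> Verdict:
    """The first matching rule across the role's services decides; otherwise the role default."""
    services, default = ROLES[role]
    for service in services:
        for name in SERVICES[service]:
            rule = RULES[name]
            if rule.matches(pkt):
                return Verdict(rule.action, name, rule.rate_limit_kbps)
    return Verdict(default, None)
```

The VOIP role shows the "SIP Only" idea: its default is deny, so a phone port passes ARP, DNS, rate-limited SIP and RTP and nothing else, while the Office role keeps a permissive default and relies on the deny rules to strip routing protocols, rogue DHCP replies and clear-text management from user ports.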
NAC – other application scenarios
Corporate & Regulatory Compliance
- Can I enforce these regulations prior to granting network access?
- Do I have reporting and auditing tools to verify compliance?
Network Usage
- Who is using the network infrastructure?
- Are these users authorized?
- Does access correspond to organizational role?
Workstation Security
- Does the system have up-to-date OS patches?
- Does every system conform to corporate security standards?
Guest Users
- Does a guest system contain threats?
- Can I limit access for guest users?
Non-Workstation End Systems
- Is this device what it claims to be?
- Can I assess its security posture?
- Can I locate rogue access points, hijacked print servers etc.?
IAM - principles
• Network technology, distributed computing and the Internet have made it possible to dramatically extend application and information access to users well beyond the typical organizational boundaries. The related security risks, management issues and compliance requirements must be addressed:
o Who is accessing my applications or data?
o What are they authorized to do?
o Should they have those authorizations?
• The tools that allow these questions to be answered and maintain control over users and their access make up an identity and access management (IAM) solution
NAC & IAM integration - Why
• NAC is a very useful tool in reducing and controlling the risks to your network infrastructure. However, although it relies on user authentication, on its own this is really no more than a means to identify a device.
• The problems of providing each individual user with only the access they are authorised for, and no more, remain. The solution is to tie the authentication process to a robust identity management (IDM) solution, applying network controls to an individual or a well-defined group. This process is sometimes referred to as Identity Driven Networking (IDN).
NAC & IAM – Positioning
[Diagram: components and interfaces – Enterasys NAC Gateway and Enterasys NAC Controller acting as PEP and PDP (Policy Enforcement Point, Policy Decision Point); Directory (LDAP, Kerberos); MS-NPS RADIUS (EAP-PEAP [TNCCS-SOH], PAP, CHAP, EAP-MD5); SIEM (XML API, IF-MAP); endpoint authentication via 802.1X, MAC and web (1X, MAC, WEB); health check via the MS agent and the Enterasys agent; location, asset management, policy provisioning and assignment]
NAC & IAM integration - Advantages
• Users are managed centrally in the IDM system for all connected applications (including the network).
• The process of managing joiners, movers and leavers can be automated and linked to other key processes (e.g. HR).
• Users are automatically added or deleted when they join and leave the organisation. This not only eases the administrative burden for IT support, but also enhances security because users have their access revoked or suspended the moment they leave.
NAC & IAM - Status
• Integration of Enterasys NAC and the SEN TISA – Totally Integrated Security Architecture
- proof of concept shown at the Open Minds event in April 2009
- plans to show at Interop 2009
- joint whitepaper available on BeFirst
• Currently based on NAC 3.2 with LDAP integration (role/policy assignment based on LDAP attributes) and Kerberos-based authentication
- official integration and documentation underway
- possible web- and 802.1X-based integration
First Win – Higher Education Vertical
European School of Management and Technology (ESMT), Berlin, Germany
Business Drivers
- Segregated data and telecom networks
- IP phone inventory and config management was cumbersome
- No single view of IP comms infrastructure and devices for admin and management
ESMT Solution
- Enterasys NMS and NAC solution
- HiPath DLS
- Full policy-enabled networking infrastructure with N-Series switches
- Voice/Telephony HiPath 3000
Case Results…
- Low cost, low effort to integrate ETS and SEN components (within one week)
- Total view (location, state, posture) of IP devices throughout the network under one management domain
- Rules-based policy enforcement, error flagging and notification in real time
"The open architecture and integration of SEN and Enterasys' systems required minimal effort from our team. Their professional services experts succeeded in implementing an overarching management system in just one week, saving us a huge amount of work while at the same time making communication more secure."
Thomas Giese, IT Network Services for ESMT.
More questions
• Just contact
Markus Nispel
VP Solutions Architecture
Enterasys Networks
Solmsstrasse 83
60486 Frankfurt
Phone: +49 69 47860 253
Fax: +49 69 47860 364
Cell: +49 172 8638003
Email: markus.nispel@enterasys.com
www: http://www.enterasys.com
Inderpreet Singh
Director, Solutions Architecture
Converged Networks and Security
Siemens Enterprise Communications
271 Mill Road
Chelmsford, MA 01824
USA
Phone: +1 978 367 7604
Cell: +1 978 764 6855
Email: inderpreet.singh@siemens-enterprise.c
Please contact us if you have additional input on potential joint solutions of Enterasys and SEN
“There is nothing more important
than our customers”
Thank You
More Related Content

PDF
Air defense wireless_vulnerability_assessement_module_spec_sheet
PDF
Simplifying the secure data center
PPTX
Ise 1 2-bdm-v4
PDF
Revolutionizing I4.0 Security and IT/OT Harmonization
PDF
Demystifying TrustSec, Identity, NAC and ISE
PDF
Текториал по тематике информационной безопасности
PDF
Nice solutions guide_v1.0
PPT
Cross selling 5
Air defense wireless_vulnerability_assessement_module_spec_sheet
Simplifying the secure data center
Ise 1 2-bdm-v4
Revolutionizing I4.0 Security and IT/OT Harmonization
Demystifying TrustSec, Identity, NAC and ISE
Текториал по тематике информационной безопасности
Nice solutions guide_v1.0
Cross selling 5

What's hot (20)

PDF
Enterprise Architecture, Deployment and Positioning
PDF
F5 Scale n and BIG-IP v11 3 for Scalar Partner Event June 4 2013 Toronto
PPTX
NSA Capstone Presentation
PPTX
F5 iHealth Presentation 10 22-10
PPTX
CompTIA Security Plus Overview
PDF
Document case study-Systweak - Go4Hosting
PPTX
Is the Network Tap Mightier Than the Sword
PDF
Cisco Spark Hybrid Services & Cloud Collaboration
PDF
[Cisco Connect 2018 - Vietnam] Rajinder singh cisco sd-wan-next generation ...
PDF
G3sixty Overview
PPTX
Benefits of disaggregation and open source networking in data centers
PPTX
Technology Overview - Symantec IT Management Suite (ITMS)
PDF
VMworld 2013: VMware Compliance Reference Architecture Framework Overview
PPTX
Wi-Fi Security Fundamentals
PPTX
Aruba ClearPass Exchange Deep Dive
PDF
S series presentation
PDF
Meraki powered services bell
PDF
Secure collab on prem hikmat
PPTX
Cisco Identity Services Engine (ISE)
PPTX
TechWiseTV Workshop: SD-WAN Security
Enterprise Architecture, Deployment and Positioning
F5 Scale n and BIG-IP v11 3 for Scalar Partner Event June 4 2013 Toronto
NSA Capstone Presentation
F5 iHealth Presentation 10 22-10
CompTIA Security Plus Overview
Document case study-Systweak - Go4Hosting
Is the Network Tap Mightier Than the Sword
Cisco Spark Hybrid Services & Cloud Collaboration
[Cisco Connect 2018 - Vietnam] Rajinder singh cisco sd-wan-next generation ...
G3sixty Overview
Benefits of disaggregation and open source networking in data centers
Technology Overview - Symantec IT Management Suite (ITMS)
VMworld 2013: VMware Compliance Reference Architecture Framework Overview
Wi-Fi Security Fundamentals
Aruba ClearPass Exchange Deep Dive
S series presentation
Meraki powered services bell
Secure collab on prem hikmat
Cisco Identity Services Engine (ISE)
TechWiseTV Workshop: SD-WAN Security
Ad

Viewers also liked (20)

PPTX
Introduction to InTouch Machine Edition (ITME)
PDF
I know what your packet did last hop using packet histories to troubleshoot...
PDF
Каталог Adder
PDF
Tn548 installing microsoft sql server 2012 for wonderware products
PDF
Extreme_Networks_Loyola_High_School
PPTX
Enterasys Networks Corporate Presentation
PPTX
Zero Day Response: Strategies for Cyber Security Defense
PDF
Dcs capabilities
PDF
SOFTWARE DEFINED NETWORKING: FROM CAMPUS TO CARRIER, TO CLOUD
PPTX
Upcoming Event: Wonderware Next Generation Conference
PDF
Best practices in dcs migration webcast
PDF
Web Based Reporting
PDF
Technical Note - ITME: Running StADOSvr.exe as a Service
PPT
Extreme networks-pbt2034
PPTX
Vala Afshar - The Power of Collaboration
PPTX
Enterasys Networks for Retail Industry presentation
PDF
Wonderware InTouch
PDF
White paper - Actionable Alarming - Wonderware-Schneider Electric
PPT
SEN Company Overview
Introduction to InTouch Machine Edition (ITME)
I know what your packet did last hop using packet histories to troubleshoot...
Каталог Adder
Tn548 installing microsoft sql server 2012 for wonderware products
Extreme_Networks_Loyola_High_School
Enterasys Networks Corporate Presentation
Zero Day Response: Strategies for Cyber Security Defense
Dcs capabilities
SOFTWARE DEFINED NETWORKING: FROM CAMPUS TO CARRIER, TO CLOUD
Upcoming Event: Wonderware Next Generation Conference
Best practices in dcs migration webcast
Web Based Reporting
Technical Note - ITME: Running StADOSvr.exe as a Service
Extreme networks-pbt2034
Vala Afshar - The Power of Collaboration
Enterasys Networks for Retail Industry presentation
Wonderware InTouch
White paper - Actionable Alarming - Wonderware-Schneider Electric
SEN Company Overview
Ad

Similar to OCS LIA (20)

PDF
Sled local gov pov october 2016 v2
PPT
Chapter 6 overview
DOC
Deploying cisco asa firewall features
PDF
Chapter 6-Securing the Local Area Network.pdf
PPT
Seguridad de las redes informaticas wireless
PDF
Microsoft Unified Communications - Network Considerations for Microsoft ODS D...
PPT
Cisco Sona
DOC
Jon_Johnson Resume (30 Sep 15)
PPTX
Cisco prime-nms-overview-hi-techdays deep dive
PPTX
Cisco prime-nms-overview-hi-techdays deep dive
PPTX
CCSA Treinamento_CheckPoint.pptx
PDF
Illustrated Accomplishments 1999 - present 080814
PDF
CCNP Security-Firewall
PDF
IGSS Corporate Briefing
PDF
Cisco Connect Halifax 2018 Accelerating the secure digital business through...
PPT
Uac sales pres_20_apr09-2
PDF
MT17_Building Integrated and Secure Networks with limited IT Support
DOCX
nana.owusu resume 3
PPTX
Network Security Offering by GSS America
PPTX
Network security offering
Sled local gov pov october 2016 v2
Chapter 6 overview
Deploying cisco asa firewall features
Chapter 6-Securing the Local Area Network.pdf
Seguridad de las redes informaticas wireless
Microsoft Unified Communications - Network Considerations for Microsoft ODS D...
Cisco Sona
Jon_Johnson Resume (30 Sep 15)
Cisco prime-nms-overview-hi-techdays deep dive
Cisco prime-nms-overview-hi-techdays deep dive
CCSA Treinamento_CheckPoint.pptx
Illustrated Accomplishments 1999 - present 080814
CCNP Security-Firewall
IGSS Corporate Briefing
Cisco Connect Halifax 2018 Accelerating the secure digital business through...
Uac sales pres_20_apr09-2
MT17_Building Integrated and Secure Networks with limited IT Support
nana.owusu resume 3
Network Security Offering by GSS America
Network security offering

Recently uploaded (20)

PDF
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
PDF
Assigned Numbers - 2025 - Bluetooth® Document
PDF
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
PDF
A comparative study of natural language inference in Swahili using monolingua...
PDF
A novel scalable deep ensemble learning framework for big data classification...
PPTX
O2C Customer Invoices to Receipt V15A.pptx
PDF
Hybrid model detection and classification of lung cancer
PDF
NewMind AI Weekly Chronicles – August ’25 Week III
PDF
Getting Started with Data Integration: FME Form 101
PPTX
Modernising the Digital Integration Hub
PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
PDF
Getting started with AI Agents and Multi-Agent Systems
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
PPTX
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
PDF
Developing a website for English-speaking practice to English as a foreign la...
PDF
DP Operators-handbook-extract for the Mautical Institute
PPTX
Tartificialntelligence_presentation.pptx
PPTX
TLE Review Electricity (Electricity).pptx
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
Assigned Numbers - 2025 - Bluetooth® Document
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
A comparative study of natural language inference in Swahili using monolingua...
A novel scalable deep ensemble learning framework for big data classification...
O2C Customer Invoices to Receipt V15A.pptx
Hybrid model detection and classification of lung cancer
NewMind AI Weekly Chronicles – August ’25 Week III
Getting Started with Data Integration: FME Form 101
Modernising the Digital Integration Hub
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
Getting started with AI Agents and Multi-Agent Systems
Group 1 Presentation -Planning and Decision Making .pptx
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Univ-Connecticut-ChatGPT-Presentaion.pdf
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
Developing a website for English-speaking practice to English as a foreign la...
DP Operators-handbook-extract for the Mautical Institute
Tartificialntelligence_presentation.pptx
TLE Review Electricity (Electricity).pptx

OCS LIA

  • 1. “There is nothing more important than our customers” Identity Management and Network Access Control An open communication solution for location and identity assurance OCS LIA formerly known as SALERNO Markus Nispel VP Solutions Architecture markus.nispel@enterasys.com Inderpreet Singh Director, Solution Architecture inderpreet.singh@siemens-enterprise.com
  • 2. © 2008 Enterasys Networks, Inc. All rights reserved. Why should you care ? • OCS LIA is the first technical integration that provides a true unique selling proposition when combining a Enterasys (NAC) solution with a SIEMENS Enterprise Communications UC solution ­ even using standard protocols and API´s noone in the market is able to provide a similar solution ­ a unique value in projects and RFP´s ­ and still open to other vendor´s infrastructure as Enterasys NAC does support this inherently • It provides a tangible value to the customer that results in a lower TCO (through lower OPEX) and a higher security along with visibility into the IT infrastructure • The solution is not limited to VOIP only. A professional services based integration into any asset/inventory database at the customer site is always possible: the result is IT workflow integration, reduced operational costs and a loyal customer
  • 3. © 2008 Enterasys Networks, Inc. All rights reserved. What does it for you ? • Automatic inventory and location service reduces risk of operation of non­compliant end­devices with invalid configuration or software release. • Automatic adaptation and location-based configuration of end­ devices and usage of special functionalities (e.g. configuration of speed dial button) • IP phone monitoring Detecting non­compliant and compromised end­devices • Automatic authentication and authorization Warranty of secure, reliable and high­quality operation of real­time applications through automatically assigned QoS-parameter and security profiles (ACL and VLAN) • Finally the use of this solution provides the following value add: • Reduces administrative effort and costs • Increases protection and reliability of real­time applications • Minimizes the risk of attacks and the probability of outage • Increases compliance to enterprise’s security policies • http://www.enterasys.com/company/literature/auto-voip-deploy.pdf
  • 4. © 2008 Enterasys Networks, Inc. All rights reserved. 4 What is NAC ? • A User focused technology that: ­ Authorizes a user or device (PC, Phone, Printer) and ­ Permits access to resources based on identity authentication of the user (and/or device) as well as based on the security posture of the device along with location and time ­ The parameters are set in the so called Pre-Connect Assessment (aka Health Check), i.e. before connecting to the infrastructure ­ However, during normal operation, regular checks should be conducted as part of the Post-Connect Assessment
  • 5. © 2008 Enterasys Networks, Inc. All rights reserved. What do you need to deploy OCS LIA ? • Enterasys Network Access Control NAC Version 3.1.2 or above ­ at least implemented in discovery mode (with MAC authentication (802.1x can be used too) enabled on the access sitches and access points) using a default autorization for all endpoints ­ along with professional services from Enterasys to implement the solution and the OCS LIA middleware • Siemens HiPath Deployment Service DLS V2R4 ­ supporting OpenStage and Optipoint VOIP endpoints in both SIP and HFA mode ­ Additional location service licenses for each device that should be supported for this feature ­ Along with professional services from SEN to properly setup up the DLS (also for web services usage) and optionally configure the infrastructure policies 5
  • 6. © 2008 Enterasys Networks, Inc. All rights reserved. Enterasys NAC - in Any Environment •Hybrid deployment ­ Best of both models for mixed environments ­ Single, integrated solution – seamless management from single system . Enterprise Network Enterasys Policy capable switch RFC3580 capable switch RFC3580 capable Wireless Access PointNAC Gateway Core EdgeDistribution Non-intelligent Wireless VPN Non-intelligent edge switches Shared Access LAN NAC Controller NAC Manager
  • 7. © 2008 Enterasys Networks, Inc. All rights reserved. 7 • Enterasys Matrix™ and SecureStack™ Switches, HiPath WLAN, Roamabout • and/or • Third Party Switch or WLAN Access Point (RFC 3580-compliant) • and/or • NAC Controller (includes all Gateways functions and Assessment Service) • Enterasys NAC Manager ­ Software plugin to NetSight Console ­ Centralized administration of NAC Gateways and Controllers Management Enterasys NAC - Components Detection, Authentication, Remediation, Assessment • Enterasys NAC Gateway ­ (Proxy) RADIUS ­ Remediation and Registration ­ Optional Assessment Service integrated • Assessment Service ­ optional ­ Nessus, Retina Eye, Enterasys ­ Interface to integrate other servers Authorization
  • 8. © 2008 Enterasys Networks, Inc. All rights reserved. NAC Gateway – with „any“ access device • Policy Mapping table in NAC 3.2 - create independency of device type and topology - More flexible VLAN name based approaches - Globally configured - Location based = Switch IP and Switch Port (and AP´s, SSID´s etc. ..) • Will also support authorization methods like Cisco ACL, Login-LAT Group or a combination of these along with fully customizeable radius attributes to map Policy to an appropriate authorization alternative
  • 9. © 2008 Enterasys Networks, Inc. All rights reserved. wired LAN Siemens HiPath DLS Event-based synchronization of data-bases via API: IP phone, phone number, switch, switch-port, building, room NAC Manager HiPath/OpenSc ape Platform Enterasys NAC Appliance Database with physical infrastructure / cabling - wall-socket - Building - Room Open Communication Solution for Location and Identity Assurance: Enterasys NAC / Siemens HiPath DLS 12345 10.1.1.10 xx-xy-yy-yz-zz-az Access 1 10.9.9.8 fe.0.15 B. A 130 3 4.2.4 34567 10.1.1.18 aa-bb-cc-dd-ee-ff Access 2 10.9.9.9 fe.1.8 B. B 241 1 4.2.4 56789 10.1.1.25 ab-cd-ef-gh-ij-kl Access 3 10.9.9.10 fe.2.21 B. A 412 2 4.2.2 Phone number Phone IP Address Phone MAC Address Switch- name Switch IP Address Switch- port Building Room Wall jacket Phone Software pro services
  • 10. © 2008 Enterasys Networks, Inc. All rights reserved. 10 Agile enterprises use service- oriented architectures (SOAs) and extend SOA with events where appropriate. Service and event architectures make enterprise computing more effective and flexible than traditional, monolithic "stovepipe" systems. Success requires a knowledge of common deployment patterns and fundamental success factors. Source: Gartner, 4. April 2007 Applied SOA: Transforming Fundamental Principles Into Best Practices OCS LIA Integrator/Middleware – SOA based
  • 11. © 2008 Enterasys Networks, Inc. All rights reserved. 11 •WSDL (Web Services Description Language) is the proposed standard that is used for the service interface definition in most new development tools •XML (eXtended Markup Language) is used to transport the messages in a machine to machine communication scenario over IP based networks •OCS LIA is based on these widely accepted and deployed standards OCS LIA Integrator/Middleware – SOA and Web Services
  • 12. © 2008 Enterasys Networks, Inc. All rights reserved. OCS LIA Integrator/Middleware – General Features • Synchronize endsystem data from NetSight (NAC) database to HiPath DLS • Synchronize VoIP phone number, type and SW version to NetSight endsystem database • Detect HiPath DLS restarts (for full re-sync) • Detect new phones on DLS side (for individual sync) • Periodic cache cleanup to eliminate old outdated cache entries • Retry mechanism in case of unreachable external systems • Detection of IP mismatch due to VLAN configuration with delayed DLS update (to prevent DLS jobs sent to old device IP) • Flexible logging configuration • Very flexible component configuration • Support of multiple switches • Support of multiple DLS servers
  • 13. © 2008 Enterasys Networks, Inc. All rights reserved. Open Communication Solution for Location and Identity Assurance: IP Infrastructure Cache. All device-relevant data from NetSight, the HiPath DLS servers and the switches are collected and cached within the Integrator using an internal cache. The IP Infrastructure data record used here contains the following information:
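To make the cache behaviour of slides 12 and 13 concrete, here is an added example in Python; it is not the Enterasys/Siemens integrator code. It merges NAC endsystem events, DLS phone records and a cabling lookup into one record per MAC (the layout of the slide 9 table), defers a DLS job when NAC and DLS disagree on the phone IP, retries a call to an unreachable system, rebuilds everything after a DLS restart and expires stale entries. The record layouts, field names, the TTL and the sample data (in the shape of slide 9) are constructed assumptions.

```python
"""Toy model of the OCS LIA integrator's IP-infrastructure cache.

Added example, not the Enterasys/Siemens integrator. Record layouts, field
names, the TTL and the sample data are constructed assumptions.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class CacheEntry:
    mac: str
    phone_ip: Optional[str] = None      # from the NetSight/NAC endsystem database
    switch_name: Optional[str] = None
    switch_ip: Optional[str] = None
    switch_port: Optional[str] = None
    building: Optional[str] = None      # from the cabling database, via (switch IP, port)
    room: Optional[str] = None
    wall_jack: Optional[str] = None
    phone_number: Optional[str] = None  # from the HiPath DLS
    phone_type: Optional[str] = None
    sw_version: Optional[str] = None
    dls_ip: Optional[str] = None        # address the DLS currently holds for the phone
    last_seen: float = 0.0


def norm_mac(mac: str) -> str:
    """Key every source on one MAC spelling; NAC and DLS may format it differently."""
    return mac.lower().replace("-", ":")


class InfraCache:
    def __init__(self, ttl_seconds: float, now: Callable[[], float] = time.time):
        self.ttl, self.now = ttl_seconds, now
        self.entries: Dict[str, CacheEntry] = {}

    def _touch(self, mac: str) -> CacheEntry:
        key = norm_mac(mac)
        entry = self.entries.setdefault(key, CacheEntry(mac=key))
        entry.last_seen = self.now()
        return entry

    def ingest_netsight(self, rec: dict, cabling: dict) -> CacheEntry:
        """Apply a NAC endsystem event and resolve the location via the cabling DB."""
        e = self._touch(rec["mac"])
        e.phone_ip, e.switch_name = rec["ip"], rec["switch_name"]
        e.switch_ip, e.switch_port = rec["switch_ip"], rec["port"]
        location = cabling.get((e.switch_ip, e.switch_port))
        if location:
            e.building, e.room, e.wall_jack = location
        return e

    def ingest_dls(self, rec: dict) -> CacheEntry:
        """Apply a phone record reported by the DLS (new phone or periodic sync)."""
        e = self._touch(rec["mac"])
        e.phone_number, e.phone_type = rec["e164"], rec["type"]
        e.sw_version, e.dls_ip = rec["sw"], rec["ip"]
        return e

    def dls_update_action(self, mac: str) -> str:
        """'send' if a DLS job may go out now; 'defer' when NAC and DLS disagree on the
        phone IP (e.g. after a VLAN change), so the job is not sent to the old address."""
        e = self.entries[norm_mac(mac)]
        if e.phone_ip and e.dls_ip and e.phone_ip != e.dls_ip:
            return "defer"
        return "send"

    def cleanup(self) -> List[str]:
        """Periodic cache cleanup: drop entries not refreshed within the TTL."""
        cutoff = self.now() - self.ttl
        stale = [k for k, e in self.entries.items() if e.last_seen < cutoff]
        for k in stale:
            del self.entries[k]
        return stale

    def full_resync(self, netsight: List[dict], dls: List[dict], cabling: dict) -> int:
        """Rebuild every entry from both sources, e.g. after a DLS restart was detected."""
        self.entries.clear()
        for rec in netsight:
            self.ingest_netsight(rec, cabling)
        for rec in dls:
            self.ingest_dls(rec)
        return len(self.entries)


def push_with_retry(send: Callable[[dict], None], payload: dict, attempts: int = 3) -> int:
    """Retry a call to an external system that may be unreachable; returns the
    attempt number that succeeded and re-raises after the last failure."""
    for i in range(1, attempts + 1):
        try:
            send(payload)
            return i
        except ConnectionError:
            if i == attempts:
                raise
    raise ValueError("attempts must be >= 1")


# Constructed sample data in the shape of the slide 9 table.
CABLING = {("10.9.9.8", "fe.0.15"): ("B. A", "130", "3"),
           ("10.9.9.9", "fe.1.8"): ("B. B", "241", "1")}
NETSIGHT_EVENTS = [
    {"mac": "00-11-22-33-44-55", "ip": "10.1.1.10", "switch_name": "Access 1", "switch_ip": "10.9.9.8", "port": "fe.0.15"},
    {"mac": "aa-bb-cc-dd-ee-ff", "ip": "10.1.1.18", "switch_name": "Access 2", "switch_ip": "10.9.9.9", "port": "fe.1.8"},
]
DLS_RECORDS = [
    {"mac": "00:11:22:33:44:55", "e164": "12345", "type": "OpenStage 80", "sw": "4.2.4", "ip": "10.1.1.10"},
    # the DLS still holds the address this phone had before its VLAN move (constructed)
    {"mac": "AA:BB:CC:DD:EE:FF", "e164": "34567", "type": "OpenStage 80", "sw": "4.2.4", "ip": "10.1.1.99"},
]
```

A typical run is `cache = InfraCache(600); cache.full_resync(NETSIGHT_EVENTS, DLS_RECORDS, CABLING)` followed by `cache.dls_update_action(mac)` before each DLS job; the second sample phone yields `defer` until the DLS reports the new address.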
  • 14. © 2008 Enterasys Networks, Inc. All rights reserved. Open Communication Solution for Location and Identity Assurance: data exchange. The exchanged data is presented as additional endsystem data in the NAC Manager (Enterasys NMS NAC Manager: Endsystem View) and also on the HiPath DLS (DLS IP Infrastructure): device phone number (e.g. 43254), device type and SW version (e.g. OpenStage 80:V1 R4.14.0)
  • 15. © 2008 Enterasys Networks, Inc. All rights reserved. Open Communication Solution for Location and Identity Assurance: location based configuration (Siemens OpenStage VOIP Phone)
  • 16. © 2008 Enterasys Networks, Inc. All rights reserved. The value of using Enterasys switch hardware: Multi-user authentication AND policy. Diagram (Enterasys Switch, Port X, MUA&P logic on the DFE): 802.1X login with 802.1X credentials (SMAC = Anita) → RADIUS authority → Filter ID → policy sales; PWA login with PWA credentials (SMAC = Bob) → Filter ID → policy credit; MAC traffic with MAC credentials (SMAC = Phone MAC) → Filter ID → policy phone; each result is applied as a dynamic admin rule for that source MAC on the port.
    • Inherent advantage: from 2 (3) up to 2048 devices per port and system
    • Supported by B/C/G/D and N/NGN/S Series (partially dependent on licenses)
    • Different authentication methods, in any combination per port/user (depends on the product): 802.1X, PWA (Web), MAC authentication, RADIUS, Kerberos, Default role ...
    • Single physical interface but multiple roles (and VLANs)
  • 17. © 2008 Enterasys Networks, Inc. All rights reserved. The value of using Enterasys switch hardware: Authorization/Policy – roles & rules. Diagram of Roles, Services, Rules: roles Network Administrator, VOIP, Office, Non-Office, Faculty, Server Farm; services Administrative Protocols, Acceptable Use, Legacy Protocols, SIP Only; rules DenyRIP, DenyOSPF, DenyApple, DenyIPX, DenyDHCPReply, DenyIPRange, AllowARP,DNS, AllowRTP128kbit/s, AllowSNMP, AllowSIP2Mbit/s, DenySNMP, DenyTelnet, DenyTFTP, DropApple, DropIPX, DropDecNet, Deny.
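The two slides above (multi-user authentication per port, and roles built from services built from rules) can be modelled together. The following is an added Python example, not Enterasys firmware or NetSight code: a RADIUS Filter-ID is mapped to a policy name, several stations on one port each get their own role, and a frame is evaluated first-match through the role's services. The services, their rules and the role-to-service mapping are a constructed approximation of the names on slide 17 (protocol numbers, ports and rate values are assumptions), and the Filter-ID syntax `Enterasys:version=1:policy=<name>` is assumed here rather than taken from the slides.

```python
"""Toy model of multi-user authentication and role/service/rule policy on one
Enterasys switch port. Added example, not Enterasys code; the rule set, the
role mapping and the Filter-ID syntax are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                              # "allow", "deny" or "drop"
    match: Tuple[Tuple[str, object], ...]    # classification fields that must all match
    rate_kbit: Optional[int] = None          # rate limit attached to an allow rule


@dataclass(frozen=True)
class Role:
    name: str
    services: Tuple[Tuple[str, Tuple[Rule, ...]], ...]   # (service name, rules), in order
    default_action: str = "deny"             # the trailing "Deny" on slide 17


def R(name: str, action: str, rate: Optional[int] = None, **fields) -> Rule:
    return Rule(name, action, tuple(sorted(fields.items())), rate)


# Constructed services using the rule names of slide 17 (port/protocol values assumed).
ADMIN_PROTOCOLS = ("Administrative Protocols", (
    R("DenyRIP", "deny", proto="udp", dport=520),
    R("DenyOSPF", "deny", proto="ospf"),
    R("DenyDHCPReply", "deny", proto="udp", sport=67),
    R("DenySNMP", "deny", proto="udp", dport=161),
    R("DenyTelnet", "deny", proto="tcp", dport=23),
    R("DenyTFTP", "deny", proto="udp", dport=69),
))
LEGACY_PROTOCOLS = ("Legacy Protocols", (
    R("DropApple", "drop", ethertype=0x809B),
    R("DropIPX", "drop", ethertype=0x8137),
    R("DropDecNet", "drop", ethertype=0x6003),
))
SIP_ONLY = ("SIP Only", (
    R("AllowARP,DNS", "allow", ethertype=0x0806),
    R("AllowARP,DNS", "allow", proto="udp", dport=53),
    R("AllowSIP2Mbit/s", "allow", rate=2000, proto="udp", dport=5060),
    R("AllowRTP128kbit/s", "allow", rate=128, proto="udp", app="rtp"),
))

# Policy names as they appear in the slide 16 Filter-ID examples (mapping assumed).
ROLES: Dict[str, Role] = {
    "sales":  Role("sales",  (ADMIN_PROTOCOLS, LEGACY_PROTOCOLS), default_action="allow"),
    "credit": Role("credit", (ADMIN_PROTOCOLS, LEGACY_PROTOCOLS), default_action="allow"),
    "phone":  Role("phone",  (SIP_ONLY,), default_action="deny"),
}


def policy_from_filter_id(filter_id: str) -> Optional[str]:
    """Extract the policy name from a RADIUS Filter-ID (syntax assumed)."""
    parts = filter_id.split(":")
    if len(parts) < 3 or parts[0] != "Enterasys":
        return None
    for part in parts[1:]:
        key, _, value = part.partition("=")
        if key == "policy" and value:
            return value
    return None


def evaluate(role: Role, frame: dict) -> Tuple[str, str, Optional[int]]:
    """First matching rule across the role's services wins; otherwise the role default."""
    for _service, rules in role.services:
        for rule in rules:
            if all(frame.get(k) == v for k, v in rule.match):
                return rule.action, rule.name, rule.rate_kbit
    return role.default_action, "default", None


class MultiUserPort:
    """One physical port, several authenticated stations, each with its own role."""

    def __init__(self, max_users: int = 2048):
        self.max_users = max_users
        self.sessions: Dict[str, Tuple[str, Role]] = {}   # SMAC -> (auth method, role)

    def authenticate(self, smac: str, method: str, filter_id: str) -> Optional[str]:
        """Bind the station's MAC to the policy named by the RADIUS Filter-ID."""
        smac = smac.lower()
        policy = policy_from_filter_id(filter_id)
        if policy not in ROLES:
            return None                                  # unknown policy: no session
        if smac not in self.sessions and len(self.sessions) >= self.max_users:
            raise ValueError("port user limit reached")
        self.sessions[smac] = (method, ROLES[policy])
        return policy

    def decide(self, smac: str, frame: dict) -> Tuple[str, str, Optional[int]]:
        """Apply the role bound to the frame's source MAC; unknown stations are denied."""
        session = self.sessions.get(smac.lower())
        if session is None:
            return "deny", "unauthenticated", None
        return evaluate(session[1], frame)
```

With three stations bound on one port (an 802.1X user with policy sales, a PWA user with policy credit and a MAC-authenticated phone with policy phone), a SIP frame from the phone's MAC is allowed with its 2 Mbit/s limit, HTTP from the same MAC falls to the phone role's deny default, and Telnet from the sales user's MAC hits DenyTelnet, all on the same physical interface.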
  • 18. © 2008 Enterasys Networks, Inc. All rights reserved. NAC – other application scenarios
    • Corporate & Regulatory Compliance: Can I enforce these regulations prior to granting network access? Do I have reporting and auditing tools to verify compliance?
    • Network Usage: Who is using the network infrastructure? Are these users authorized? Does access correspond to organizational role?
    • Workstation Security: Does the system have up-to-date OS patches? Does every system conform to corporate security standards?
    • Guest Users: Does a guest system contain threats? Can I limit access for guest users?
    • Non-Workstation End Systems: Is this device what it claims to be? Can I assess its security posture? Can I locate rogue access points, hijacked print servers etc.?
  • 19. © 2008 Enterasys Networks, Inc. All rights reserved. IAM - principles
    • Network technology, distributed computing and the Internet have made it possible to dramatically extend application and information access to users well beyond the typical organizational boundaries. The related security risks, management issues and compliance requirements must be addressed.
      o Who is accessing my applications or data?
      o What are they authorized to do?
      o Should they have those authorizations?
    • The tools that make it possible to answer these questions and maintain control over users and their access make up an identity and access management (IAM) solution.
  • 20. © 2008 Enterasys Networks, Inc. All rights reserved. NAC & IAM integration - Why
    • NAC is a very useful tool for reducing and controlling the risks to your network infrastructure. However, although it relies on user authentication, on its own this is really no more than a means to identify a device.
    • The problem of providing each individual user with only the access they are authorised for, and no more, remains. The solution is to tie the authentication process to a robust identity management (IDM) solution, applying network controls to an individual or a well-defined group. This process is sometimes referred to as Identity Driven Networking (IDN).
  • 21. © 2008 Enterasys Networks, Inc. All rights reserved. NAC & IAM – Positioning. Diagram: Enterasys NAC Gateway and Enterasys NAC Controller as PEP and PDP (Policy Enforcement Point, Policy Decision Point) with policy provisioning and assignment; Directory; MS-NPS RADIUS; SIEM; 802.1X; MS Agent and Enterasys Agent; authentication via 1X, MAC, WEB; LDAP; EAP-PEAP [TNCCS-SOH]; PAP, CHAP, EAP-MD5; health check; XML API; IF-MAP; Kerberos; Location; Asset Management.
  • 22. © 2008 Enterasys Networks, Inc. All rights reserved. NAC & IAM integration - Advantages • Users are managed centrally in the IDM system for all connected applications (including the network). • The process of managing joiners, movers and leavers can be automated and linked to other key processes (e.g. HR). • Users are automatically added or deleted when they join and leave the organisation. This not only eases the administrative burden for IT support, but also enhances security because users have their access revoked or suspended the moment they leave.
  • 23. © 2008 Enterasys Networks, Inc. All rights reserved. NAC & IAM - Status
    • Integration of Enterasys NAC and the SEN TISA – Totally Integrated Security Architecture
      - proof of concept shown at the Open Minds event in April 2009
      - plans to show at Interop 2009
      - joint whitepaper available on BeFirst
    • Currently based on NAC 3.2 with LDAP integration (role/policy assignment based on LDAP attributes) and Kerberos-based authentication
      - official integration and documentation underway
      - possible Web- and 802.1X-based integration
  • 24. © 2008 Enterasys Networks, Inc. All rights reserved. First Win – Higher Education Vertical: European School of Management and Technology (ESMT), Berlin, Germany
    Business Drivers
      • Segregated data and telecom networks
      • IP phone inventory and config management was cumbersome
      • No single view of IP comms infrastructure and devices for admin and management
    ESMT Solution
      • Enterasys NMS and NAC solution
      • HiPath DLS
      • Full policy-enabled networking infrastructure with N-Series switches
      • Voice/Telephony HiPath 3000
    Case Results
      • Low cost, low effort to integrate ETS and SEN components (within one week)
      • Total view (location, state, posture) of IP devices throughout the network under one management domain
      • Rules-based policy enforcement, error flagging and notification in real time
    “The open architecture and integration of SEN and Enterasys’ systems required minimal effort from our team. Their professional services experts succeeded in implementing an overarching management system in just one week, saving us a huge amount of work while at the same time making communication more secure.” Thomas Giese, IT Network Services for ESMT.
  • 25. © 2008 Enterasys Networks, Inc. All rights reserved. More questions • Just contact
    Markus Nispel, VP Solutions Architecture, Enterasys Networks, Solmsstrasse 83, 60486 Frankfurt. Phone: +49 69 47860 253, Fax: +49 69 47860 364, Cell: +49 172 8638003, Email: markus.nispel@enterasys.com, www: http://www.enterasys.com
    Inderpreet Singh, Director, Solutions Architecture, Converged Networks and Security, Siemens Enterprise Communications, 271 Mill Road, Chelmsford, MA 01824 USA. Phone: +1 978 367 7604, Cell: +1 978 764 6855, Email: inderpreet.singh@siemens-enterprise.c
    Please contact us if you have additional input on potential joint solutions of Enterasys and SEN
  • 26. “There is nothing more important than our customers” Thank You

Editor's Notes

  • #3: Enterasys was originally founded as Cabletron Systems in March of 1983. Today Enterasys has thousands of active customers in more than 70 countries around the world – including over 20% of the Fortune Global 500. The company holds hundreds of patents and has invested over US$1 Billion in research and development. The joint venture with SIEMENS is unique in our ability to deliver secure, anywhere, anytime access to information by reading, listening or watching from desktop, laptop, handset, Blackberry, iPhone and Windows Mobile endpoints across wired and wireless infrastructures. The joint venture is a global provider of voice, data and services to deliver unified communications that are open, mobile and secure. We’re the perfect sized company in that we are big enough to meet your needs now and in the future, yet small enough to have a personal relationship with you. We encourage direct access to our talented developers and experienced executives. How we measure our success is through your satisfaction. By delivering on our promises on-time and on-budget, we earn the right to your business by putting the words “There is nothing more important than our customers” into action every day.