Is your network secure enough for a mobile enterprise?
Agenda
14:00 Welcome
The dangers and risks in a networked world (Max Klaus, deputy head of MELANI)
14:45 Mobile-First: Aruba's secure network architecture for GenMobile (Jörg Hofmann, HPE Aruba)
15:30 Short break
15:45 Aruba ClearPass: the solution for secure network access (Manuel Bitzi, SOFTEC)
16:30 Aruba ClearPass live (Manuel Bitzi, SOFTEC)
17:00 Apéro and networking
Informatiksteuerungsorgan des Bundes (ISB, Federal IT Steering Unit)
Nachrichtendienst des Bundes (NDB, Federal Intelligence Service)
Melde- und Analysestelle Informationssicherung (MELANI, Reporting and Analysis Centre for Information Assurance)
The dangers and risks in a networked world
Max Klaus, deputy head of MELANI
Contents
• The Reporting and Analysis Centre for Information Assurance (MELANI)
• Current threat situation
Federal Council mandate: PPP
Protecting critical infrastructures in Switzerland is only possible in close cooperation with industry: Public Private Partnership
Source: http://venturesafrica.com/wp-content/uploads/2014/06/ppp_2q2012.jpg
Framework conditions for MELANI
• No mandatory reporting of cyber incidents
• Subsidiarity
• No authority to issue directives outside the federal administration
MELANI
EFD / ISB: management and strategy
GovCERT.ch: technical analyses
VBS / NDB (OIC MELANI): intelligence analyses
Closed customer group: chemicals and pharma, energy, finance, healthcare, industry, media, defence, telecommunications, transport and logistics, insurance, public administration
Public part: SMEs and citizens, www.melani.admin.ch
International relations:
- Interpol, Europol
- Software and antivirus vendors: Microsoft, Google, Avira, F-Secure, ...
- EGC (European Government CERTs)
- Other governments: CPNI, BSI, A-SIT
- Academia and research: universities, universities of applied sciences
- FIRST (Forum of Incident Response and Security Teams)
- Swiss Cyber Experts
Tasks of MELANI
• Monitoring and presenting the national situation
• Prevention / alerting
Tasks of MELANI
• Closed customer group (critical infrastructure operators)
  • Prevention based on information from sources that are not publicly accessible
  • Support in resolving cyber incidents
• Open customer group (SMEs, NPOs, private individuals)
  • Awareness raising
  • Prevention
Public products of MELANI (1/4)
Public products of MELANI (2/4)
Public products of MELANI (3/4)
Public products of MELANI (4/4)
Phishing DB
Contents
• The Reporting and Analysis Centre for Information Assurance (MELANI)
• Current threat situation
Change in the threat situation
19th century (derstandard.at)
10 years ago (augsburgerallgemeine.de)
Today (jdpower.com)
• More modern means
• A networked population
• Too little security awareness
Tomorrow (infosecisland.com)
At the root of (almost) all evil: social engineering
"Social engineering is the art of getting a person to take an action that may be in their interest or may do them harm." Source: www.social-engineer.org
Public WLAN and guest access
Botnets
(Image: webreaders.de/wp-content/uploads/2008/01/botnetz.jpg)
Botnets as THE means to an end
• Botnets underlie practically all criminal activity on the internet
Diagram: web provider, bots, control server, botnet operator, DDoS, spam, malware
This is how cheaply botnets can be rented (source: SWITCH-CERT)
Product                    Price
Simple Windows bot         10 cents per bot and day
Bot with good bandwidth    $1 per bot and day
Custom build               $40 per bot
Denial of Service
Protonmail: bots, control server, Armada Collective
Protonmail
Black Monday 2016
Mirai botnet by «New World Hackers»
• Attack wave of 21.10.2016 (approx. 50'000 to 100'000 bots)
• Source code leaked: copycats
• Competition with «Bashlight»: mutual hijacking of bots
DDoS recommendations
Prevention
• Identify business-critical systems
• Define protective measures with your provider
Response
• «Sit it out»
• Never pay a ransom
• Report to MELANI/KOBIK; if necessary, file a complaint against unknown persons with the cantonal police (KaPo)
CEO fraud
Fraud recommendations
• Issue clear instructions regarding payments
• Do not pass on internal information
• When in doubt, check with the executive management
• Be cautious even with emails from supposedly known persons
• Inform MELANI/KOBIK; if necessary, file a criminal complaint against unknown persons with the cantonal police (KaPo)
Espionage
Espionage attack on the federal administration
Espionage: an example from Switzerland
Espionage recommendations
• Classify documents
• Enforce the rules for the various classification levels
• Monitor the network for suspicious traffic
• Inform MELANI/KOBIK; if necessary, file a criminal complaint against unknown persons with the cantonal police (KaPo)
Extortion
(Image: http://www.trustedwatch.de)
Ransomware «Locky» (1/2)
Ransomware «Locky» (2/2)
Ransomware recommendations
• Back up data regularly
• Disconnect the backup media from the PC and the network after the backup
• Spot-check the quality of the backups
• Never pay a ransom
• Inform MELANI/KOBIK; if necessary, file a criminal complaint against unknown persons with the cantonal police (KaPo)
Max Klaus, deputy head of the Reporting and Analysis Centre for Information Assurance MELANI
Schwarztorstrasse 59
3003 Bern
Thank you for your attention
Mobile-First: Aruba's secure network architecture for GenMobile (Jörg Hofmann, HPE Aruba)
MOBILE-FIRST
Secure network architecture for GenMobile
People move, networks must follow
WHO ARE WE
Source: Gartner, Magic Quadrant for the Wired and Wireless LAN Access Infrastructure, September 2015, Tim Zimmerman, Bill Menezes, Andrew Lerner, ID Number G00277052. This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from HP. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
"Clients globally should consider Aruba for all wired and wireless access layer opportunities"
Gartner MQ for Wired and Wireless LAN Access Infrastructure, August 2016
Founded 2002, IPO 2007
HPE's IT Edge portfolio since June 2015
$2.4B+ annual revenue run rate
"Biggest Small Company"
High-touch business model
"Customer First, Customer Last"
Home of 45K+ Mobility Engineers
Airheads Community
ENABLING GREAT DIGITAL EXPERIENCES FOR GENMOBILE
70% SAY A MOBILE DEVICE MAKES THEM MORE PRODUCTIVE AT WORK
By 2018, 60% of users in mature markets will own and use more than 3 personal devices
50% of enterprises will allow employees to supply their own devices by 2017
Forrester: CIOs Must Empower the Digital Workplace
Forrester: The State of Enterprise Worker Mobility
Gartner: The Role of the Desktop in Our Multi-Device World
BY 2020, 50% OF THE GLOBAL WORKFORCE WILL BE MILLENNIALS
Millennials believe their personal technology is more effective at work
63% of millennials work for a company that offers a flexible work environment
Trends 2016, Code Conference: Mary Meeker Annual Presentation
Gartner: Millennial Digital Workers Really Are Different From Their Elders
LESS THAN 50% OF EMPLOYEES ARE SATISFIED WITH THE TECH THEY HAVE AT WORK
Employees want an environment where they can access and use the technology they need to do their best work
Enterprises need to think about how untethered employees can move easily and seamlessly from personal workspace to huddle area to open areas
Trends 2016, Code Conference: Mary Meeker Annual Presentation
Gartner: Millennial Digital Workers Really Are Different From Their Elders
80%+ OF NEW IOT PROJECTS TO BE DEPLOYED WITH WIRELESS NETWORK ARCHITECTURE
Installed base of IoT endpoints will grow from 12.1B in '15 to 30B+ in '20
WLAN will become the IoT connectivity method of choice for many organizations, and choosing the wrong wireless tech can hinder the value of IoT
IDC: Planscape: Optimizing the WLAN for IoT
IDC: Worldwide Internet of Things Forecast Update, 2016-2020
THE PERFECT STORM: MOBILE, IoT AND CLOUD
"OLD STYLE" IT INFRASTRUCTURE: Gen Y
"NEW STYLE" IT INFRASTRUCTURE: GenMobile
OUR APPROACH
Legacy: separate architectures, port/VLAN aware, proprietary systems
Mobile First: single set of infrastructure, insightful and context-rich, developer ready
REQUIREMENTS FOR IT ORGANIZATIONS
• Scale network ops across wireless and wired infrastructure
• Enable a high-quality experience on mobile UC
• Stay compliant while embracing BYOD and IoT
• Deliver apps to remote locations in a heartbeat
• Improve workplace productivity and influence revenue growth
EASY TO CONSUME, DEVELOPER-READY INFRASTRUCTURE
INNOVATION AT THE SPEED OF THE ECOSYSTEM, NOT A SINGLE VENDOR
Aruba infrastructure: Wi-Fi, BLE, wired, WAN
Aruba Mobile First Platform: micro-location services, cloud networking, location analytics, policy management, network management, network controls
IT services
Business and user-facing applications
EMPLOYEE EXPERIENCE
09:00 Enroll mobile device
11:00 Privileged access with multi-factor authentication
13:00 Book meeting room
OPERATIONAL EXPERIENCE
09:30 Understand app usage (Aruba AppRF)
15:30 Monitor health of the smart building
IT EXPERIENCE
11:00 Predict, don't just troubleshoot (Aruba Clarity)
13:30 Understand, don't just monitor
ONCE BYOD AND IoT ARE ON YOUR NETWORK ... SECURING THE PERIMETER IS NO LONGER ENOUGH
STAY COMPLIANT WHILE EMBRACING BYOD AND IOT
• Auto-classify unknown devices on any network with Aruba ClearPass
• Automate onboarding of each device to the network and enforce policy
• Detect & eliminate threats with ClearPass Exchange partners
SOFTWARE CONTROLS FOR NETWORK ACCESS SECURITY
Aruba ClearPass with Exchange Ecosystem (REST API):
• Internet of Things (IoT)
• BYOD and corporate-owned devices
• Security monitoring and threat prevention
• Device management and multi-factor authentication
• Helpdesk and voice/SMS service in the cloud
• Multi-vendor switching
• Multi-vendor WLANs
SOFTWARE CONTROLS FOR "COLORLESS" PORTS
• Device and user identity stores
• Ports assigned to new VLANs through ClearPass based on device type
• IoT devices on the wired network connecting to any port
• Prevention against malware and insider threats
• Secure per-device tunneling to the Aruba Mobility Controller
• Aruba switches
LEADING SWISS BRANDS TRUST US
Break
Aruba ClearPass: the solution for secure network access (Manuel Bitzi, SOFTEC AG)
Evolution of Access Management and Control
YESTERDAY: desktops & wired
• Basic AAA with user/port control
• Windows vulnerabilities
• Perimeter security via platform silos
• High-touch IT model
TODAY: mobile devices, BYOD & wireless
• Multi-factor policy control with visibility
• Multiple attack vectors
• Cooperative trust via context sharing
• Self-service, automated processes
Time For A New Mobility Defense Model
Static perimeter defense: IDS/IPS, firewalls, antivirus, web gateways, physical components
Adaptive trust defense: perimeter defense, plus security and policy for each user or group
What are the main reasons for a NAC?
• Authentication / access protection
• Automatic configuration
• Workflows
• Visibility / traceability
Top IT NAC Business Drivers
Authentication and Authorization
• Provide secure wired and wireless access
• Enhance mobile and cloud app access
• Use of certificates
NAC Services Deployment
• Offer differentiated access (IT-owned, BYOD, IoT)
• Deliver managed and reliable guest access
• Provide consistent privileges regardless of location
Architecture and Coverage
• Leverage 3rd-party security solutions
• IT-controlled access
Deployment Services
• Automate workflows
• Simplicity
• Possible user intervention
ClearPass Policy Manager and NAC Solution
Built-in: policy engine, RADIUS / CoA / TACACS+, profiling, accounting and reports, identity store
Expandable applications: Onboard, Guest, OnGuard (BYOD onboarding, simple guest access, health assessments), remote location
What's Inside
VISIBILITY: device profiling, troubleshooting, per-session tracking
WORKFLOW: onboarding and self-registration, guest management, MDM/EMM integration
RULES: context-based, device posture checks, built-in certificate authority
Authentication based on Device Context
Device profiling:
• Samsung SM-G900
• Android
• "Jons-Galaxy"
EMM / MDM / OnGuard:
• Personally owned
• Registered
• OS up to date
• Hansen, Jon [Sales]
• MDM enabled = true
• In compliance = true
Identity stores / network devices:
• Hansen, Jon [Sales]
• Title: COO
• Dept: Executive office
• City: London
• Location: Bldg 10
• Floor: 3
• Bandwidth: 10 Mbps
Value of a Policy Engine: Remove SSID Overload
OLD WAY: separate access & traffic by SSIDs
NEW WAY: simplify, separate traffic dynamically by context
ClearPass Exchange: End-to-End Control, Information and Visibility
Multi-vendor infrastructure
Device management and multi-factor authentication
Helpdesk and voice/SMS service in the cloud
Combine identity information
Standard protocols for custom extensions: REST API, SQL, XML/HTTP, LDAP, RADIUS, TACACS+
Traffic control & threat prevention
ClearPass Exchange Example: Extensions for Intel Security (McAfee ePO)
Corporate-owned and IoT devices; BYOD and corporate-owned devices; multi-vendor switching; multi-vendor WLAN; McAfee ePO
1. Devices establish connections
2. Devices are profiled
3. ClearPass checks McAfee ePO for endpoint status
4. ClearPass enforces access privileges
ClearPass Exchange Example: Bi-directional Exchange, Firewall/IPS Event
(Firewall, IPS, SIEM, etc.)
1. User connects and uploads a threat
2. Detects and blocks the event
3. Sends the event to ClearPass
4. Informs the infrastructure
5. Isolates the user
6. Notifies the user, opens a service ticket, notifies third-party devices
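The bi-directional exchange above, written out as an added example (this is not ClearPass or any vendor's code): a firewall/IPS/SIEM event arrives as a constructed JSON line, the handler maps the offending IP to the endpoint's active session, and for events above an assumed severity threshold it emits the actions the slide lists: a change-of-authorization into an isolation role for the infrastructure, a user notification, a service ticket and a notification to a third-party system. Repeated events for an already isolated endpoint are only logged, so the handler is safe to feed from a noisy source. The event field names, severities, role names and the NAS identifiers are assumptions made for this example.

```python
"""Event-driven isolation handler (added example, not vendor code)."""
import json
from dataclasses import dataclass, replace
from typing import Dict, List

ISOLATE_AT_SEVERITY = 7   # assumed threshold: lower-severity events are logged only


@dataclass
class Session:
    """One authenticated endpoint as known from per-session tracking."""
    ip: str
    mac: str
    user: str
    nas: str               # switch or controller that holds the session (assumed name)
    role: str = "employee"


@dataclass
class Action:
    kind: str              # "coa", "notify-user", "ticket", "notify-partner" or "log"
    target: str
    detail: str


class ExchangeHandler:
    def __init__(self, sessions: List[Session]):
        self.by_ip: Dict[str, Session] = {s.ip: s for s in sessions}
        self.isolated = set()   # MACs already isolated: makes repeated events idempotent

    def handle(self, raw_event: str) -> List[Action]:
        ev = json.loads(raw_event)
        src_ip = ev.get("src_ip", "?")
        signature = ev.get("signature", "?")
        session = self.by_ip.get(src_ip)
        if session is None:
            # No session for that IP: nothing to isolate, keep the event for the analyst.
            return [Action("log", src_ip, f"no active session for {signature}")]
        if int(ev.get("severity", 0)) < ISOLATE_AT_SEVERITY:
            return [Action("log", session.mac, f"below threshold: {signature}")]
        if session.mac in self.isolated:
            return [Action("log", session.mac, "already isolated")]
        # Steps 4 and 5 on the slide: tell the infrastructure, which isolates the endpoint.
        session.role = "isolation"
        self.isolated.add(session.mac)
        actions = [Action("coa", session.nas, f"reauthenticate {session.mac} into role isolation")]
        # Step 6: notify the user, open a ticket, notify a third-party system.
        actions.append(Action("notify-user", session.user, f"device {session.mac} isolated: {signature}"))
        actions.append(Action("ticket", "helpdesk", f"{ev.get('source', '?')} reported {signature} for {session.user}"))
        actions.append(Action("notify-partner", "mdm", f"mark {session.mac} non-compliant"))
        return actions


# Constructed session table and constructed events (the IPs, MACs and signatures are made up).
SESSIONS = [
    Session(ip="10.1.20.15", mac="aa:bb:cc:00:11:22", user="jhansen", nas="switch-b10-f3"),
    Session(ip="10.1.20.16", mac="aa:bb:cc:00:11:33", user="mmeier", nas="wlc-hq-1"),
]
EVENTS = [
    '{"source":"fw-edge-1","src_ip":"10.1.20.15","signature":"Trojan.Upload.Generic","severity":9}',
    '{"source":"fw-edge-1","src_ip":"10.1.20.15","signature":"Trojan.Upload.Generic","severity":9}',
    '{"source":"ips-core","src_ip":"10.1.20.16","signature":"Policy.P2P.Client","severity":3}',
    '{"source":"ips-core","src_ip":"10.9.9.9","signature":"Scan.Portsweep","severity":8}',
]


def run(events=EVENTS, sessions=SESSIONS):
    """Feeds the events through a fresh handler; returns (handler, actions per event)."""
    handler = ExchangeHandler([replace(s) for s in sessions])   # work on copies
    return handler, [handler.handle(e) for e in events]


if __name__ == "__main__":
    _, results = run()
    for event, actions in zip(EVENTS, results):
        print(event)
        for a in actions:
            print(f"  {a.kind:14} -> {a.target}: {a.detail}")
```

The threshold and the idempotency set are the two pieces a practitioner usually has to add on top of the vendor integration: without the first, an informational IPS signature takes a user off the network; without the second, every retransmitted event generates another ticket.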
ClearPass Profiler Engine
• ClearPass collects as much information as possible to determine a device type
• Category, family, product name
• The fingerprint database is updated regularly
• Create your own fingerprints
• Store credentials for SNMP, SSH, etc.
• Profiling at authentication time or on demand
• Detection of IoT devices
Collectors: DHCP, SNMP, SSH, TCP/WMI, CDP/LLDP, OnGuard, NMAP, MAC OUI, HTTP
ClearPass Profiler Engine: Profiling on authentication, discover IoT
Before: lighting sensor = unknown, temperature sensor = unknown; unknown devices are sent to quarantine for profiling
After: IoT devices discovered, appropriate policy assigned
ClearPass Profiler Engine: Custom Fingerprint Rules
OLD WAY: wait for new fingerprints to be made and/or manually override devices
NEW WAY: create your own fingerprints
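The three profiler slides (collectors, unknown-to-quarantine, custom fingerprints) as one added example; this is not ClearPass's profiler, and the OUIs, vendor names, sensors and fingerprint rules are all constructed. The profiler merges what the collectors saw (MAC OUI, DHCP options 55 and 60, HTTP user agent, SNMP sysDescr, open ports) into one observation, matches it against built-in fingerprints with custom fingerprints taking precedence, and maps the resulting category to an enforcement role, with anything still unknown landing in a quarantine role for further profiling.

```python
"""Multi-source device profiler with custom fingerprints (added example)."""
import re
from dataclasses import dataclass
from typing import Tuple

# Constructed OUI table (first three MAC octets -> vendor); not a real registry.
OUI_VENDORS = {
    "00:1a:2b": "ExampleLighting",
    "00:1a:2c": "ExampleSensorCo",
    "00:1a:2d": "ExamplePCVendor",
}
UNKNOWN = ("Unknown", "Unknown", "Unknown")


def vendor_of(mac: str) -> str:
    return OUI_VENDORS.get(mac.lower()[:8], "")


@dataclass(frozen=True)
class Observation:
    """What the collectors saw for one endpoint; an empty field means that collector saw nothing."""
    mac: str
    dhcp_params: Tuple[int, ...] = ()     # DHCP option 55 parameter request list
    dhcp_vendor_class: str = ""           # DHCP option 60
    http_user_agent: str = ""             # HTTP collector
    snmp_sysdescr: str = ""               # SNMP sysDescr
    open_ports: frozenset = frozenset()   # port-scan collector


@dataclass(frozen=True)
class Fingerprint:
    """A rule: every attribute that is set must match; a rule with nothing set never matches."""
    category: str
    family: str
    product: str
    oui_vendor: str = ""
    dhcp_params_prefix: Tuple[int, ...] = ()
    vendor_class_re: str = ""
    user_agent_re: str = ""
    sysdescr_re: str = ""
    ports: frozenset = frozenset()

    def matches(self, obs: Observation) -> bool:
        checks = []
        if self.oui_vendor:
            checks.append(vendor_of(obs.mac) == self.oui_vendor)
        if self.dhcp_params_prefix:
            n = len(self.dhcp_params_prefix)
            checks.append(obs.dhcp_params[:n] == self.dhcp_params_prefix)
        if self.vendor_class_re:
            checks.append(re.search(self.vendor_class_re, obs.dhcp_vendor_class) is not None)
        if self.user_agent_re:
            checks.append(re.search(self.user_agent_re, obs.http_user_agent) is not None)
        if self.sysdescr_re:
            checks.append(re.search(self.sysdescr_re, obs.snmp_sysdescr) is not None)
        if self.ports:
            checks.append(self.ports <= obs.open_ports)
        return bool(checks) and all(checks)


# Built-in fingerprints (constructed); the Windows entry uses the DHCP parameter
# request list commonly reported for Windows clients.
BUILTIN_FINGERPRINTS = [
    Fingerprint("Computer", "Windows", "Windows 10",
                dhcp_params_prefix=(1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252)),
    Fingerprint("Printer", "ExamplePrinter", "ExamplePrinter Office",
                sysdescr_re=r"ExamplePrinter", ports=frozenset({9100})),
]


def profile(obs: Observation, custom=()) -> Tuple[str, str, str]:
    """Category/family/product; custom fingerprints are consulted first so they override built-ins."""
    for fp in list(custom) + BUILTIN_FINGERPRINTS:
        if fp.matches(obs):
            return (fp.category, fp.family, fp.product)
    return UNKNOWN


def enforcement_role(category: str) -> str:
    """Role assigned at authentication time; unknown devices go to quarantine for profiling."""
    roles = {"IoT": "iot-restricted", "Computer": "corp-access", "Printer": "printer-vlan"}
    return roles.get(category, "quarantine-profiling")


# Constructed observations: the two sensors from the slide plus one laptop.
LIGHTING_SENSOR = Observation(mac="00:1a:2b:10:20:30",
                              dhcp_vendor_class="ExampleLighting-LED-Node/2.1",
                              open_ports=frozenset({80, 1883}))
TEMPERATURE_SENSOR = Observation(mac="00:1a:2c:aa:bb:cc",
                                 http_user_agent="ExampleSensorCo TempNode/1.0")
LAPTOP = Observation(mac="00:1a:2d:01:02:03",
                     dhcp_params=(1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252))

# Custom fingerprints an administrator writes after looking at the quarantined devices.
CUSTOM_FINGERPRINTS = [
    Fingerprint("IoT", "Lighting", "ExampleLighting LED Node",
                oui_vendor="ExampleLighting", vendor_class_re=r"LED-Node"),
    Fingerprint("IoT", "Sensor", "ExampleSensorCo TempNode",
                oui_vendor="ExampleSensorCo", user_agent_re=r"TempNode"),
]


def before_and_after(obs: Observation) -> Tuple[str, str]:
    """Role without custom fingerprints versus role with them (the slide's before/after)."""
    return (enforcement_role(profile(obs)[0]),
            enforcement_role(profile(obs, CUSTOM_FINGERPRINTS)[0]))


if __name__ == "__main__":
    for name, obs in (("lighting", LIGHTING_SENSOR), ("temperature", TEMPERATURE_SENSOR), ("laptop", LAPTOP)):
        print(name, before_and_after(obs))
```

Two details matter in practice: a fingerprint with no predicates is refused rather than allowed to match everything, and custom rules are ordered before the built-in database so that an operator's override wins without editing the database itself.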
ClearPass Universal Profiler: Standalone Profiling Engine
• Standalone profiling engine
• Wired and wireless networks
• Easily distributed for coverage and scalability
• New device visibility dashboard
• Reports
• Gain visibility of your network
• GA February 2017
ClearPass Universal Profiler
DEMO: Profiling
ClearPass Modules / Workflows: OnGuard Client Health Check
• Automated health check before access
• Wired/wireless: ensures posture compliance for laptops and computers
• Security: forces use of antivirus/anti-spyware, firewalls, disk encryption, ...
• Remediation: manual or automatic
• Visibility: identifies poor behavior
• User notification: tells the user about failed checks
• Type: service or dissolvable web checker
DEMO: OnGuard
ClearPass Modules / Workflows: Secure Guest Login
• Flexible guest logins for any visitor
• Customizable splash pages
• Self-service workflows
• SMS authentication
• Sponsoring
• Social login
• Vouchers
• Predefined user/password
• MAC caching for repeat visitors
• Suitable for mobile devices
ClearPass Modules / Workflows: Secure Guest Login, Look and Feel
ClearPass Modules / Workflows: OnBoard Employee Device
• BYOD: employees log in with personal devices
• User- and IT-friendly: one-time user registration, no IT intervention
• Security: IT-managed 802.1X and certificates
• Context: data added to the profile for adaptive policy and troubleshooting
• Self-managed: users can manage, delete and block their own devices
ClearPass Modules / Workflows: Certificate Distribution for BYOD
Enterprise PKI and CA (Active Directory, Registration Authority, Validation Authority, Certificate Authority): IT-managed devices receive a domain, key & certificate
Built-in ClearPass CA: personal devices receive a domain, user, device, key & unique certificate
ClearPass Modules / Workflows: Multi-Factor Authentication
• Additional authentication for Guest and Onboard workflows
• Multiple providers supported:
  • SMS verification code
  • RSA Security
  • Duo
  • Zoom Facial Network
  • Kasada
  • More to come
DEMO: OnBoard BYOD
Possible access concept: wireless
User groups: guests, BYOD, Corp-PC, others (IoT)
SSIDs: "open" (captive portal), "secure" (Dot1x), "IoT" (PSK / MAC / profiling)
Networks: Internet only, Corp LAN, Internet
Possible access concept: wired
User groups: guests, Corp-PC, others
Authentication: captive portal, Dot1x (certificate), MAC auth, profiling
Networks: Internet only, Corp LAN, Internet
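The "authentication based on device context", "remove SSID overload" and access-concept slides describe one decision: from who (identity store), what (device profile, ownership, MDM state, OnGuard posture) and how (authentication method) the policy engine picks an enforcement role, and the SSID itself no longer decides anything. The added example below (not ClearPass code) implements that as an ordered rule set; the role names, VLAN ids, attribute names and the sample requests are assumptions, and "Jon Hansen's Galaxy" is taken from the slide.

```python
"""Context-based access policy engine (added example, not vendor code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Role:
    name: str
    vlan: int                # assumed VLAN id for the role
    networks: frozenset      # what the role may reach


# Constructed role table: one role per outcome on the access-concept slides.
ROLES = {
    "guest":       Role("guest",       100, frozenset({"internet"})),
    "byod":        Role("byod",        110, frozenset({"internet", "corp-lan"})),
    "corp-pc":     Role("corp-pc",     120, frozenset({"internet", "corp-lan"})),
    "iot":         Role("iot",         130, frozenset({"iot-segment"})),
    "onboarding":  Role("onboarding",  140, frozenset({"onboard-portal"})),
    "remediation": Role("remediation", 150, frozenset({"remediation-server"})),
    "quarantine":  Role("quarantine",  199, frozenset()),
}


@dataclass(frozen=True)
class Request:
    """Context assembled for one access request (all field names are assumed)."""
    medium: str                        # "wireless" or "wired"
    ssid: str = ""                     # carried for accounting only; never used to decide
    auth_method: str = ""              # captive-portal, dot1x-cert, dot1x-password, psk, mac-auth
    user: str = ""
    department: str = ""
    device_category: str = "Unknown"   # from the profiler: Computer, SmartDevice, IoT, Unknown
    ownership: str = "unknown"         # "corporate" or "personal"
    registered: bool = False           # Onboard registration completed
    mdm_enabled: bool = False
    in_compliance: bool = False        # MDM/EMM compliance flag
    posture_healthy: Optional[bool] = None   # OnGuard result; None means no agent ran


def decide(req: Request) -> Role:
    """First matching rule wins, like an ordered enforcement policy."""
    if req.auth_method == "captive-portal":
        return ROLES["guest"]                       # guests only ever get Internet
    if req.auth_method in ("dot1x-cert", "dot1x-password"):
        if req.posture_healthy is False:
            return ROLES["remediation"]             # OnGuard failed a check: remediate first
        if req.ownership == "corporate" and req.auth_method == "dot1x-cert":
            return ROLES["corp-pc"]                 # IT-managed device with its certificate
        if req.ownership == "personal":
            if req.registered and req.mdm_enabled and req.in_compliance:
                return ROLES["byod"]                # same SSID as corp-pc, split by context
            return ROLES["onboarding"]              # personal device not yet onboarded
        return ROLES["quarantine"]                  # corporate asset without its certificate
    if req.auth_method in ("psk", "mac-auth"):
        if req.device_category == "IoT":
            return ROLES["iot"]
        return ROLES["quarantine"]                  # unknown device: profile before granting anything
    return ROLES["quarantine"]


def can_reach(req: Request, network: str) -> bool:
    return network in decide(req).networks


# Constructed requests: the "Jons-Galaxy" slide and the access-concept slides.
JONS_GALAXY = Request(medium="wireless", ssid="secure", auth_method="dot1x-cert",
                      user="Hansen, Jon", department="Sales", device_category="SmartDevice",
                      ownership="personal", registered=True, mdm_enabled=True, in_compliance=True)
CORP_LAPTOP = Request(medium="wireless", ssid="secure", auth_method="dot1x-cert",
                      user="Hansen, Jon", device_category="Computer", ownership="corporate",
                      posture_healthy=True)
SICK_LAPTOP = Request(medium="wired", auth_method="dot1x-cert", device_category="Computer",
                      ownership="corporate", posture_healthy=False)
VISITOR = Request(medium="wireless", ssid="open", auth_method="captive-portal")
TEMP_SENSOR = Request(medium="wired", auth_method="mac-auth", device_category="IoT")
MYSTERY_BOX = Request(medium="wired", auth_method="mac-auth")
NEW_PHONE = Request(medium="wireless", ssid="secure", auth_method="dot1x-password",
                    device_category="SmartDevice", ownership="personal")

if __name__ == "__main__":
    for name, req in (("Jon's Galaxy", JONS_GALAXY), ("corp laptop", CORP_LAPTOP),
                      ("failed posture", SICK_LAPTOP), ("visitor", VISITOR),
                      ("temp sensor", TEMP_SENSOR), ("mystery box", MYSTERY_BOX),
                      ("new phone", NEW_PHONE)):
        role = decide(req)
        print(f"{name:15} -> {role.name:12} VLAN {role.vlan} {sorted(role.networks)}")
```

Note that the corporate laptop and Jon's personal phone authenticate on the same "secure" SSID and end up in different roles purely through context, which is the point of the SSID-overload slide, and that the posture rule sits above the ownership rules so a compliant-looking corporate device with a failed OnGuard check is still sent to remediation.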
How to approach a NAC project: best practices and lessons learned
• Know the devices on your network
  • What is there, where is it, what is new?
  • Inventory, profiling
• Define use cases
  • Which stakeholder groups are there?
  • Procedures, processes, access
  • Simple and few: keep it simple
• Plan enough time for a proof of concept
  • Feed the PoC findings back in and adjust
• Implement step by step
  • Not everything at once
  • But ultimately comprehensive
Thank you for your attention
Manuel Bitzi, Project Manager Network Engineering
manuelbitzisoftecch
Apéro and networking
Thank you for your visit
SOFTEC AG, Industriestrasse 51, CH-6312 Steinhausen
kurtchristensoftecch, +41 41 747 07 60
Agenda
1400 Uhr Begruumlssung
Die Gefahren und Risiken in einer vernetzten Welt(Max Klaus stv Leiter MELANI)
1445 Uhr Mobile-First Arubalsquos sichere Netzwerkarchitektur fuumlr die GenMobile(Joumlrg Hofmann HPE Aruba)
1530 Uhr Kurze Pause
1545 Uhr Aruba ClearPass ndash Die Loumlsung fuumlr einen sicheren Netzwerkzugang
(Manuel Bitzi SOFTEC)
1630 Uhr Aruba ClearPass ndash Live
(Manuel Bitzi SOFTEC)
1700 Uhr Apeacutero und Networking
2
Informatiksteuerungsorgan des Bundes ISB
Nachrichtendienst des Bundes NDB
Melde- und Analysestelle Informationssicherung MELANI
Die Gefahren und Risiken in einer vernetzten Welt
Max Klaus stv Leiter MELANI
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Inhalt
bull Die Melde- und Analysestelle Informationssicherung MELANI
bull Aktuelle Bedrohungslage
Titel Datum AutorIn 4
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
BR-Auftrag PPP
Schutz kritischer Infrastrukturen in der
Schweiz nur in enger Zusammenarbeit
mit der Wirtschaft moumlglich Public
Private Partnership
Quelle httpventuresafricacomwp-contentuploads201406ppp_2q2012jpg
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
bull Keine Meldepflicht fuumlr Cybervorfaumllle
bull Subsidiaritaumlt
bull Keine Weisungsbefugnis ausserhalb
der Bundesverwaltung
Rahmenbedingungen fuumlr MELANI
Informatiksteuerungsorgan des Bundes ISB
Nachrichtendienst des Bundes NDB
Melde- und Analysestelle Informationssicherung MELANI
MELANI
EFD ISBLeitung und Strategie
GovCERTchTechnische Analysen
VBS NDBOIC MELANINachrichtendienstlicheAnalysen
Geschlossener Kundenkreis
bull Chemie und Pharmabull Energiebull Finanzbull Gesundheitswesenbull Industriebull Medienbull Ruumlstungbull Telekommunikationbull TransportLogistikbull Versicherungenbull Verwaltung
Oumlffentlicher TeilKMU und Buumlrgerwwwmelaniadminch
Internationale Beziehungen
- Interpol- Europol
Software undAntivirenhersteller-Microsoft- Google-Avira- F-Securehellip
EGCEuropean Gov CERTs
Andere Regierungen- CPNI- BSI- A-SIT-
Wissenschaft undForschung-Universitaumlten- Fachhochschulen
FIRSTForum of Incident Responseand Security Teams
Swiss Cyber Experts
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Aufgaben von MELANI
bull Beobachtung und Darstellung der nationalen Lage
bull PraumlventionAlarmierung
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Aufgaben von MELANI
bull Geschlossener Kundenkreis (KI-Betreiber)
bull Praumlvention dank Informationen aus oumlffentlich nicht zugaumlnglichen
Quellen
bull Unterstuumltzung bei der Behebung von Cyber-Vorfaumlllen
bull Offener Kundenkreis (KUM NPO Privatpersonen)
bull Sensibilisierung
bull Praumlvention
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Oumlffentliche Produkte von MELANI (14)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Oumlffentliche Produkte von MELANI (24)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Oumlffentliche Produkte von MELANI (34)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Oumlffentliche Produkte von MELANI (44)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Phishing DB
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Inhalt
bull Die Melde- und Analysestelle Informationssicherung MELANI
bull Aktuelle Bedrohungslage
Titel Datum AutorIn 15
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Veraumlnderung der Bedrohungslage
19 Jahrhundert
derstandardat
Vor 10 Jahren
augsburgerallgemeinede
heute
jdpowercom
bull Modernere Mittel
bull Vernetzte Bevoumllkerung
bull Zu geringes Sicherheitsbewusstsein
morgen
infosecislandcom
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Am Anfang (fast) allen UumlbelsSocial Engineering
ldquoSocial Engineering ist die Kunst eine Person zu einer Tat zu bewegen die in ihrem Interesse sein
kann oder die ihr Schaden zufuumlgen kannrdquo Quelle wwwsocial-engineerorg
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Oumlffentliche WLAN und Gastzugaumlnge
Titel Datum AutorIn 18
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Botnetze
webreadersdewp-contentuploads200801botnetzjpg
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Botnetze als DAS Mittel zumZweck
bull Botnetze liegen praktisch allen kriminellen Aktivitaumlten im
Bereich des Internets zu Grunde
wwwanbieter
Bots
Kontrollserver
Botnetzbetreiber
DDoS
Spam
Malware
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Produkt Preis
Einfacher Windows Bot 10 Cents BotampTag
Bot mit guter Bandbreite 1$ BotampTag
Spezialanfertigung 40$ Bot
Quelle SWITCH-CERT
So billig sind Botnetze zu mieten
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Denial of Service
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Protonmail
Bots
Kontrollserver Armada Collective
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Protonmail
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Der schwarze Montag 2016
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Mirai Botnet by laquoNew World Hackersraquobull Angriffswelle vom 21102016 (ca
50rsquo000 ndash 100rsquo000 Bots)
bull Source Code geleakt
Trittbrettfahrer
bull Konkurrenz zu laquoBashlightraquo
gegenseitiges Kapern
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
DDos Empfehlungen
Praumlvention
bull Businesskritische Systeme identifizieren
bull Schutzmassnahmen mit Provider definieren
Reaktion
bull laquoAussitzenraquo
bull Keinesfalls Loumlsegeld bezahlen
bull Meldung an MELANIKOBIK allenfalls Anzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
CEO Fraud
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
CEO Fraud
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Betrug Empfehlungen
bull Klare Weisungen bezuumlglich Zahlungen erteilen
bull Keine internen Informationen weitergeben
bull Im Zweifelsfall bei der GL nachfragen
bull Vorsicht auch bei Mails von vermeintlich bekannten Personen
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionageangriff auf BV
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage Beispiel aus der Schweiz
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage Empfehlungen
bull Klassifizierung von Dokumenten
bull Regeln fuumlr die verschiedenen Klassfizierungen durchsetzen
bull Netzwerkmonitoring betr verdaumlchtigem Datenverkehr
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Erpressung
httpwwwtrustedwatchde
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner laquoLockyraquo (12)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner laquoLockyraquo (22)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner Empfehlungen
bull Regelmaumlssige Datensicherung
bull Datentraumlger nach Backup vom PC Netz trennen
bull Qualitaumlt der Backups sporadisch uumlberpruumlfen
bull Keinesfalls Loumlsegeld bezahlen
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Max KlausStv Leiter Melde- und Analysestelle
Informationssicherung MELANI
Schwarztorstrasse 59
3003 Bern
Herzlichen Dank fuumlr Ihre Aufmerksamkeit
Mobile-First Arubalsquos sichere Netzwerkarchitektur fuumlr die GenMobileJoumlrg Hofmann HPE Aruba
MOBILE-FIRST
Sichere Netzwerkarchitektur
fuumlr die GenMobile
People Move
Networks Must Follow
WHO ARE WE
Source Gartner Magic Quadrant for the Wired and Wireless LAN Access Infrastructure September 2015 Tim Zimmerman Bill Menezes Andrew Lerner ID Number
G00277052 This Magic Quadrant graphic was published by Gartner Inc as part of a larger research note and should be evaluated in the context of the entire report
The Gartner report is available upon request from HP The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period It depicts
Gartners analysis of how certain vendors measure against criteria for that marketplace as defined by Gartner Gartner does not endorse any vendor product or
service depicted in the Magic Quadrant and does not advise technology users to select only those vendors placed in the Leaders quadrant The Magic Quadrant is
intended solely as a research tool and is not meant to be a specific guide to action Gartner disclaims all warranties express or implied with respect to this research
including any warranties of merchantability or fitness for a particular purpose
ldquoClients globally should consider
Aruba for all wired and wireless
access layer opportunitiesrdquo
Gartner MQ for Wired and Wireless LAN
Access Infrastructure August 2016
Founded 2002 IPO 2007
HPErsquos IT Edge portfolio since June 2015
$24B+ annual revenue run rate
ldquoBiggest Small Companyrdquo
High touch business model
ldquoCustomer First Customer Lastrdquo
Home of 45K+ Mobility Engineers
Airheads Community
ENABLING GREAT
DIGITAL EXPERIENCES FOR GENMOBILE
70 SAY A MOBILE DEVICE MAKES THEM MORE
PRODUCTIVE AT WORK
By 2018 60 of users in mature markets will own and use more
than 3 personal devices
50 of enterprises will allow employees to supply their own
devices by 2017
Forrester ndash CIOs Must Empower the Digital Workplace
Forrester ndash The State of Enterprise Worker Mobility
Gartner ndash The Role of the Desktop in Our Multi-Device World
BY 2020 50 OF THE GLOBAL WORKFORCE WILL BE MILLENNIALS
Millennials believe their personal technology is more
effective at work
63 of millennials work for a company that offers a flexible
work environment
Trends 2016 ndash Code Conference Mary Meeker Annual Presentation
Gartner ndash Millennial Digital Workers Really Are Different From Their Elders
LESS THAN 50 OF EMPLOYEES ARE
SATISFIED WITH TECH THEY HAVE AT WORK
Employees want an environment where they can access and use the technology hey need to do
their best work
Enterprises need to think how untethered employees can move
easily and seamlessly from personal workspace to huddle
area to open areas
Trends 2016 ndash Code Conference Mary Meeker Annual Presentation
Gartner ndash Millennial Digital Workers Really Are Different From Their Elders
80+ NEW IOT PROJECTS TO BE DEPLOYED WITH WIRELESS NETWORK ARCHITECTURE
Installed base of IoTendpoints will grow from
121B in lsquo15 to 30B+ in lsquo20
WLAN will become IoTconnectivity method of choice for many organizations and choosing
the wrong wireless tech can hinder the value of IoT
IDC ndash Planscape Optimizing the WLAN for IoT
IDC ndash Worldwide Internet of Things Forecast Update 2016-2020
THE PERFECT STORM
MOBILE, IoT and CLOUD
“OLD STYLE” IT INFRASTRUCTURE
Gen Y
“NEW STYLE” IT INFRASTRUCTURE
GenMobile
OUR APPROACH
Legacy: Separate architectures
Port/VLAN aware
Proprietary systems
Mobile First: Single set of infrastructure
Insightful, context-rich
Developer ready
REQUIREMENTS
FOR IT ORGANIZATIONS
Scale network ops
across wireless and
wired infrastructure
Enable high
quality experience
on mobile UC
Stay compliant
while embracing
BYOD and IoT
Deliver apps to
remote locations
in a heartbeat
Improve workplace
productivity and
influence revenue
growth
EASY TO CONSUME, DEVELOPER READY INFRASTRUCTURE
INNOVATION AT THE SPEED OF THE ECOSYSTEM – NOT A SINGLE VENDOR
Aruba infrastructure
Wi-Fi, BLE, Wired, WAN
Aruba Mobile First Platform
Micro-location
services
Cloud
networking
Location
analytics
Policy
management
Network
management
Network
controls
IT services
Business and user facing applications
EMPLOYEE
EXPERIENCE
09:00
ENROLL
MOBILE DEVICE
11:00
PRIVILEGED ACCESS
WITH MULTI-FACTOR
AUTHENTICATION
13:00
BOOK
MEETING ROOM
OPERATIONAL
EXPERIENCE
09:30
UNDERSTAND
APP USAGE
Aruba AppRF
15:30
MONITOR HEALTH
OF THE SMART
BUILDING
IT EXPERIENCE
11:00
PREDICT,
DON'T JUST
TROUBLESHOOT
Aruba Clarity
13:30
UNDERSTAND,
DON'T JUST
MONITOR
ONCE BYOD AND IoT
ARE ON YOUR
NETWORK …
SECURING THE
PERIMETER IS NO
LONGER ENOUGH
STAY COMPLIANT
WHILE EMBRACING BYOD AND IOT
Auto-classify unknown devices
on any network with Aruba ClearPass
Automate onboarding of each device
to the network and enforce policy
Detect & eliminate threats
with ClearPass Exchange partners
SOFTWARE CONTROLS FOR
NETWORK ACCESS SECURITY
Internet of
Things (IoT)
BYOD and
corporate owned
REST
API
Security monitoring
and threat prevention
Device management and
multi-factor authentication
Helpdesk and voice/SMS
service in the cloud
Multi-vendor
switching
Multi-vendor
WLANs
Aruba ClearPass with
Exchange Ecosystem
SOFTWARE CONTROLS FOR “COLORLESS” PORTS
Device and
user identity
stores
Ports assigned to new
VLANs through ClearPass
based on device type
IoT devices on the
wired network
connecting to any port
Prevention against malware
and insider threats
Secure per device
tunneling to Aruba
Mobility Controller
Aruba
switches
LEADING
SWISS
BRANDS
TRUST
US
Break
Aruba ClearPass – The solution for secure network access (Manuel Bitzi, SOFTEC AG)
Evolution of Access Management and Control
Desktops & Wired
Basic AAA with User/Port
Control
Windows Vulnerabilities
Perimeter security via
platform silos
High touch IT model
Mobile Devices, BYOD &
Wireless
Multi-factor policy control with
visibility
Multiple Attack Vectors
Cooperative trust via
context sharing
Self Service automated
process
YESTERDAY TODAY
Time For A New Mobility Defense Model
Static Perimeter Defense
IDS/IPS
Firewalls
Adaptive Trust Defense
Perimeter
Defense
Physical
Components
AntiVirus
Security and Policy
for each user or
group
Web
gateways
What are the main reasons for a NAC?
Authentication / access protection
Automatic configuration
Workflows
Visibility / traceability
Top IT NAC Business Drivers
Authentication and Authorization
NAC Services Deployment
Architecture and Coverage
• Provide secure wired and wireless access
• Enhance mobile and cloud app access
• Use of certificates
Deployment Services
• Offer differentiated access (IT-owned, BYOD, IoT)
• Deliver managed and reliable guest access
• Provide consistent privileges regardless of location
• Leverage 3rd-party security solutions
• IT-controlled access
• Automate workflows
• Simplicity
• Possible user intervention
ClearPass Policy Manager and NAC Solution
Onboard, Guest
Built-in:
• Policy Engine
• RADIUS/CoA/TACACS
• Profiling
• Accounting/reports
• Identity store
Expandable Applications
Remote Location
• BYOD onboarding
• Simple guest access
• Health assessments
OnGuard
What's Inside
VISIBILITY
Device Profiling
Troubleshooting
Per Session Tracking
WORKFLOW
Onboarding and
Self-Registration
Guest Management
MDM/EMM Integration
RULES
Context based
Device
Posture Checks
Built-in Certificate
Authority
Authentication based on Device Context
Device
Profiling
• Samsung SM-G900
• Android
• “Jons-Galaxy”
EMM/MDM/OnGuard
• Personal owned
• Registered
• OS up-to-date
• Hansen, Jon [Sales]
• MDM enabled = true
• In-compliance = true
Identity
Stores
Network Devices
• Hansen, Jon [Sales]
• Title – COO
• Dept – Executive office
• City – London
• Location – Bldg 10
• Floor – 3
• Bandwidth – 10Mbps
Value of a Policy Engine: Remove SSID Overload
NEW WAY: Simplify, separate traffic dynamically
by context
OLD WAY: Separate access &
traffic by SSIDs
ClearPass Exchange: End-to-End Control, Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voice/SMS service in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST API / SQL
XML / HTTP, LDAP
RADIUS / TACACS
Traffic control & threat prevention
ClearPass Exchange Example: Extensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
1 Devices establish connections
2 Devices profiled
3 ClearPass checks McAfee ePO for endpoint status
4 ClearPass enforces access privileges
ClearPass Exchange Example: Bi-directional Exchange – Firewall/IPS Event
Firewall / IPS / SIEM / etc. …
1 User connects and uploads threat
2 Firewall/IPS detects and blocks event
3 Sends event to ClearPass
4 ClearPass informs infrastructure
5 Isolates user
6 Notifies user, opens service ticket, notifies third-party devices
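Steps 3 to 6 of the exchange above are, on the wire, a RADIUS Change-of-Authorization: the NAC receives the third party's event and pushes a new authorization to the switch or controller that holds the session. The following is an added example, not ClearPass code and not any vendor's event format: it builds and verifies a CoA-Request with a Message-Authenticator as RFC 5176 and RFC 2869 specify, and wraps it in a small handler that turns an IPS event into a quarantine action plus a ticket record. The event dictionary, the shared secret and the `quarantine` Filter-Id value are constructed assumptions.

```python
import hashlib
import hmac
import struct

# RADIUS packet code and attribute types (RFC 2865, RFC 2869, RFC 5176).
COA_REQUEST = 43
ATTR_USER_NAME = 1
ATTR_FILTER_ID = 11
ATTR_CALLING_STATION_ID = 31
ATTR_MESSAGE_AUTHENTICATOR = 80


def attr(attr_type, value):
    """Encode one RADIUS attribute as Type (1 byte), Length (1 byte), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_coa_request(secret, identifier, attrs):
    """CoA-Request with Message-Authenticator.
    Message-Authenticator = HMAC-MD5(secret, packet) computed with the Request
    Authenticator field and the attribute's own value zeroed; afterwards the
    Request Authenticator = MD5(Code+ID+Length+16 zero octets+attributes+secret)."""
    body = b"".join(attrs) + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    msg_auth = hmac.new(secret, header + bytes(16) + body, hashlib.md5).digest()
    body = body[:-16] + msg_auth  # the last 16 bytes are the MA value
    req_auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + req_auth + body


def verify_coa_request(packet, secret):
    """What the NAS (switch/controller) does on receipt: check both integrity fields."""
    if len(packet) < 20:
        return False
    header, req_auth, body = packet[:4], packet[4:20], packet[20:]
    code, _ident, length = struct.unpack("!BBH", header)
    if code != COA_REQUEST or length != len(packet):
        return False
    pos, ma_pos = 0, None
    while pos + 2 <= len(body):  # walk the TLVs to locate Message-Authenticator
        a_type, a_len = body[pos], body[pos + 1]
        if a_len < 2 or pos + a_len > len(body):
            return False
        if a_type == ATTR_MESSAGE_AUTHENTICATOR and a_len == 18:
            ma_pos = pos + 2
        pos += a_len
    if ma_pos is None or pos != len(body):
        return False
    zeroed = body[:ma_pos] + bytes(16) + body[ma_pos + 16:]
    expect_ma = hmac.new(secret, header + bytes(16) + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expect_ma, body[ma_pos:ma_pos + 16]):
        return False
    expect_ra = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(expect_ra, req_auth)


def handle_security_event(event, secret, identifier=1):
    """Steps 3-6: a third-party event arrives, the NAC decides, tells the
    network to isolate the endpoint and opens a ticket. Low severities are ignored."""
    if event.get("severity") not in ("high", "critical"):
        return None, None
    attrs = [
        attr(ATTR_USER_NAME, event["user"].encode()),
        attr(ATTR_CALLING_STATION_ID, event["mac"].encode()),
        attr(ATTR_FILTER_ID, b"quarantine"),  # hypothetical role name on the NAS
    ]
    packet = build_coa_request(secret, identifier, attrs)
    ticket = {
        "user": event["user"], "mac": event["mac"], "action": "quarantine",
        "reason": event["signature"], "notify": ["user", "helpdesk", event["source"]],
    }
    return packet, ticket


# Constructed sample: what an IPS/SIEM might hand to the NAC (not a real product format).
SECRET = b"example-shared-secret"
SAMPLE_EVENT = {"source": "ips", "severity": "high", "user": "jon.hansen",
                "mac": "aa-bb-cc-01-02-03", "signature": "malware upload (constructed)"}
```

The verifier walks the attribute list rather than trusting a fixed offset, so a NAS built this way rejects truncated or tampered packets as well as those signed with the wrong secret; in production the packet also has to come from an address the NAS has been configured to accept CoA from.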
ClearPass Profiler Engine
• ClearPass collects as much information as possible to determine a device type
• Category, Family, Product Name
• The fingerprint database is updated regularly
• Create your own fingerprints
• Store credentials for SNMP, SSH etc.
• Profiling at authentication or on demand
• Detection of IoT devices
Collection sources: DHCP, SNMP, SSH, TCP/WMI, CDP/LLDP, OnGuard, NMAP, MAC OUI, HTTP
ClearPass Profiler Engine: Profiling on authentication, discover IoT
Before: unknown → send to quarantine/profiling
After: Lighting Sensor, Temperature Sensor → assign new policy
Discover IoT, assign appropriate policy
ClearPass Profiler Engine: Custom Fingerprint Rules
NEW WAY: Create your own
fingerprints
OLD WAY: Wait for new fingerprints to be made and/or manually override
devices
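The profiler slides above describe a scoring process: several collectors (DHCP, MAC OUI, HTTP and so on) contribute attributes, a fingerprint database maps them to category/family/product, an unknown device lands in a quarantine/profiling segment, and an administrator can add a custom fingerprint when the vendor database does not know a device yet. The block below is an added illustration of that logic, not ClearPass's profiler or its database; every fingerprint, OUI, DHCP option list and device attribute in it is constructed sample data, and the weights are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fingerprint:
    """One fingerprint database entry: what a device type looks like on the wire."""
    category: str
    family: str
    product: str
    oui: tuple = ()             # MAC OUI prefixes (first three octets)
    dhcp_option55: tuple = ()   # DHCP parameter request list, order matters
    dhcp_vendor: str = ""       # DHCP option 60 vendor class, exact match
    http_ua: str = ""           # substring expected in the HTTP User-Agent
    custom: bool = False        # True for rules an administrator added


# Evidence weights (assumed): DHCP option 55 ordering is very specific, a bare OUI is weak.
WEIGHTS = {"dhcp_option55": 4, "dhcp_vendor": 3, "http_ua": 3, "oui": 1}
MIN_SCORE = 4   # anything below this stays "unknown"


def score(fp, attrs):
    """Sum the weights of every collected attribute that matches this fingerprint."""
    total = 0
    mac = attrs.get("mac", "").upper()
    if fp.oui and any(mac.startswith(p) for p in fp.oui):
        total += WEIGHTS["oui"]
    if fp.dhcp_option55 and tuple(attrs.get("dhcp_option55", ())) == fp.dhcp_option55:
        total += WEIGHTS["dhcp_option55"]
    if fp.dhcp_vendor and attrs.get("dhcp_vendor") == fp.dhcp_vendor:
        total += WEIGHTS["dhcp_vendor"]
    if fp.http_ua and fp.http_ua in attrs.get("http_ua", ""):
        total += WEIGHTS["http_ua"]
    return total


def profile(attrs, db):
    """Return category/family/product of the best-scoring fingerprint, or 'unknown'."""
    best_score, best = max(((score(fp, attrs), fp) for fp in db), key=lambda t: t[0])
    if best_score < MIN_SCORE:
        return {"category": "unknown", "family": "unknown", "product": "unknown", "score": best_score}
    return {"category": best.category, "family": best.family, "product": best.product, "score": best_score}


def access_decision(result):
    """The profiling outcome drives enforcement: unknown devices go to quarantine/profiling."""
    if result["category"] == "unknown":
        return "quarantine-profiling"
    return "policy:" + result["category"].lower()


# Constructed sample fingerprints; values are illustrative, not vendor data.
VENDOR_DB = [
    Fingerprint("SmartDevice", "Android", "Android phone", oui=("AA:BB:CC",),
                dhcp_option55=(1, 3, 6, 15, 26, 28, 51, 58, 59, 43), dhcp_vendor="android-dhcp-9"),
    Fingerprint("Computer", "Windows", "Windows workstation",
                dhcp_option55=(1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252), dhcp_vendor="MSFT 5.0"),
]
# A custom rule an administrator writes for a sensor the vendor database does not know yet.
CUSTOM_SENSOR_RULE = Fingerprint("IoT", "Sensor", "Temperature sensor", oui=("DE:AD:BE",),
                                 http_ua="SensorOS/", custom=True)

# Constructed attribute sets, as the DHCP, MAC OUI and HTTP collectors would deliver them.
PHONE = {"mac": "aa:bb:cc:01:02:03", "dhcp_option55": (1, 3, 6, 15, 26, 28, 51, 58, 59, 43),
         "dhcp_vendor": "android-dhcp-9"}
SENSOR = {"mac": "de:ad:be:00:00:01", "http_ua": "SensorOS/1.2 (temp)"}
```

Run `profile(SENSOR, VENDOR_DB)` and the sensor is unknown and quarantined; append `CUSTOM_SENSOR_RULE` to the database and the same attributes resolve to the temperature sensor and its IoT policy, which is the "new way" the slide contrasts with waiting for a vendor fingerprint update.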
ClearPass Universal Profiler: Standalone Profiling Engine
• Standalone profiling engine
• Wired and wireless networks
• Easily distributed for coverage and scalability
• New device visibility dashboard
• Reports
• Gain visibility of your network
• GA February 2017
ClearPass Universal Profiler
DEMO: Profiling
ClearPass Modules & Workflows: OnGuard Client Health Check
• Automated health check before access
• Wired/Wireless: Ensures posture compliance for laptops/computers
• Security: Forces use of anti-virus/anti-spyware, firewalls, disk encryption …
• Remediation: Manual or auto
• Visibility: Identifies poor behavior
• User Notification: Tells the user about failed checks
• Type: Service or dissolvable Web Checker
DEMO: OnGuard
ClearPass Modules & Workflows: Secure Guest Login
• Flexible guest logins for any visitor
• Customizable splash pages
• Self-service workflows
• SMS authentication
• Sponsoring
• Social login
• Vouchers
• Predefined user/password
• MAC caching for repeat visitors
• Suitable for mobile devices
ClearPass Modules & Workflows: Secure Guest Login Look and Feel
ClearPass Modules & Workflows: OnBoard Employee Device
• BYOD: Employees log in with personal devices
• User and IT friendly: One-time user registration, no IT intervention
• Security: IT-managed 802.1X and certificates
• Context: Data added to the profile for adaptive policy and troubleshooting
• Self-managed: Users can manage, delete and block their own devices
ClearPass Modules & Workflows: Certificate Distribution for BYOD
Enterprise PKI and CA (AD / RA / VA / CA): Active Directory, Registration Authority, Validation Authority, Certificate Authority
IT-Managed Devices:
• Domain
• User
• Device
• Key & Unique Certificate
Built-in ClearPass CA: Certificate Authority (CA)
Personal Devices:
• Domain
• Key & Certificate
ClearPass Modules & Workflows: Multi-Factor Authentication
• Additional authentication for Guest and Onboard workflows
• Multiple providers supported:
• SMS verification code
• RSA Security
• Duo
• Zoom Facial Network
• Kasada
• More to come
DEMO: OnBoard BYOD
Possible access concept: Wireless
Guests: SSID “open”
Captive-Portal
BYOD
SSID “secure”
Dot1x
SSID “IoT”
PSK / MAC / Profiling
Internet only
Corp LAN
Internet
Corp-PC
others
Possible access concept: Wired
Guests: Captive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
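The "Authentication based on Device Context" slide, the "Value of a Policy Engine" slide and the two access-concept slides above all describe the same mechanism: one rule set that reads profiling, posture, identity and authentication method, and returns a role and VLAN, so that corporate PCs and BYOD share one "secure" SSID, a wired port needs no colour, and a user gets the same privileges regardless of location. The following added example models that engine; it is not ClearPass policy syntax, and the context fields, rule order, role names and VLAN numbers are assumptions chosen to mirror the slides.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Context:
    """Everything the engine knows about one access request (constructed schema)."""
    medium: str                   # "wireless" or "wired"
    auth: str                     # "eap-tls", "captive-portal", "mac-auth", "psk"
    ssid: Optional[str] = None    # None on a wired ("colorless") port
    category: str = "unknown"     # result of device profiling
    ownership: str = "unknown"    # "corporate", "personal" or "unknown"
    compliant: bool = False       # EMM/MDM or OnGuard posture result
    user: Optional[str] = None
    groups: tuple = ()            # groups from the identity store


@dataclass(frozen=True)
class Enforcement:
    role: str
    vlan: int
    bandwidth_mbps: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    when: Callable[[Context], bool]
    then: Enforcement


# First match wins, so the most specific conditions come first. No rule looks at
# SSID or medium: the same decision applies over Wi-Fi and on any wired port.
RULES = [
    Rule("unknown device", lambda c: c.category == "unknown" and c.auth in ("mac-auth", "psk"),
         Enforcement("quarantine-profiling", 999)),
    Rule("corporate PC, machine certificate", lambda c: c.auth == "eap-tls" and c.ownership == "corporate",
         Enforcement("corp-lan", 10)),
    Rule("BYOD, compliant", lambda c: c.auth == "eap-tls" and c.ownership == "personal" and c.compliant,
         Enforcement("byod-internal", 20, bandwidth_mbps=10)),
    Rule("BYOD, not compliant", lambda c: c.auth == "eap-tls" and c.ownership == "personal",
         Enforcement("remediation", 30)),
    Rule("profiled IoT device", lambda c: c.category == "IoT" and c.auth in ("mac-auth", "psk"),
         Enforcement("iot-only", 40)),
    Rule("guest via captive portal", lambda c: c.auth == "captive-portal",
         Enforcement("internet-only", 50)),
]
DEFAULT_DENY = Enforcement("deny", 0)


def decide(ctx, rules=RULES):
    """Return (rule name, enforcement) of the first matching rule; unmatched requests are denied."""
    for rule in rules:
        if rule.when(ctx):
            return rule.name, rule.then
    return "default deny", DEFAULT_DENY


# Constructed sample requests. The corporate laptop appears twice: over Wi-Fi and on a wired port.
CORP_LAPTOP_WIFI = Context("wireless", "eap-tls", ssid="secure", category="Computer",
                           ownership="corporate", user="jon.hansen", groups=("Sales",))
CORP_LAPTOP_WIRED = Context("wired", "eap-tls", category="Computer",
                            ownership="corporate", user="jon.hansen", groups=("Sales",))
BYOD_PHONE_OK = Context("wireless", "eap-tls", ssid="secure", category="SmartDevice",
                        ownership="personal", compliant=True, user="jon.hansen")
BYOD_PHONE_STALE = Context("wireless", "eap-tls", ssid="secure", category="SmartDevice",
                           ownership="personal", compliant=False, user="jon.hansen")
TEMP_SENSOR = Context("wired", "mac-auth", category="IoT")
UNKNOWN_BOX = Context("wired", "mac-auth")
GUEST = Context("wireless", "captive-portal", ssid="open")
```

Note that the three EAP-TLS devices all sit on SSID "secure" and still end up in three different VLANs; that is the "new way" of the policy-engine slide, where context rather than SSID count separates traffic, and a non-compliant personal device drops to remediation without any change to the SSID it joined.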
How to approach a NAC project: Best practice and experiences
• Know the devices in the network
• What is there? Where are they? New ones?
• Inventory, profiling
• Define use cases
• Which stakeholder groups are there?
• Procedures, processes, access
• Simple and few: Keep it simple
• Plan enough time for a proof of concept
• Incorporate the experience from the PoC and adjust
• Implement step by step
• Not everything at once
• But ultimately comprehensive
Thank you for your attention
Manuel Bitzi, Project Manager Network Engineering
manuel.bitzi@softec.ch
Apéro and networking
Thank you for your visit
SOFTEC AG, Industriestrasse 51, CH-6312 Steinhausen
kurt.christen@softec.ch, +41 41 747 07 60
Informatiksteuerungsorgan des Bundes ISB (Federal IT Steering Unit)
Nachrichtendienst des Bundes NDB (Federal Intelligence Service)
Melde- und Analysestelle Informationssicherung MELANI (Reporting and Analysis Centre for Information Assurance)
Threats and risks in a networked world
Max Klaus, Deputy Head of MELANI
Contents
• The Reporting and Analysis Centre for Information Assurance MELANI
• Current threat situation
Federal Council mandate: PPP
Protecting critical infrastructures in
Switzerland is only possible in close cooperation
with the private sector: Public
Private Partnership
Source: http://venturesafrica.com/wp-content/uploads/2014/06/ppp_2q2012.jpg
Framework conditions for MELANI
• No obligation to report cyber incidents
• Subsidiarity
• No authority to issue directives outside
the federal administration
MELANI
EFD / ISB: Management and strategy
GovCERT.ch: Technical analyses
VBS / NDB / OIC MELANI: Intelligence analyses
Closed constituency
• Chemicals and pharma
• Energy
• Finance
• Healthcare
• Industry
• Media
• Defence
• Telecommunications
• Transport/Logistics
• Insurance
• Administration
Public part: SMEs and citizens, www.melani.admin.ch
International relations
- Interpol
- Europol
Software and antivirus vendors
- Microsoft
- Google
- Avira
- F-Secure
- …
EGC: European Gov CERTs
Other governments
- CPNI
- BSI
- A-SIT
Academia and research
- Universities
- Universities of applied sciences
FIRST: Forum of Incident Response and Security Teams
Swiss Cyber Experts
Tasks of MELANI
• Observing and presenting the national situation
• Prevention / alerting
Tasks of MELANI
• Closed constituency (critical infrastructure operators)
• Prevention thanks to information from non-public
sources
• Support in remediating cyber incidents
• Open constituency (SMEs, NPOs, private individuals)
• Awareness-raising
• Prevention
Public products of MELANI (1/4)
Public products of MELANI (2/4)
Public products of MELANI (3/4)
Public products of MELANI (4/4)
Phishing DB
Contents
• The Reporting and Analysis Centre for Information Assurance MELANI
• Current threat situation
Changes in the threat situation
19th century
derstandard.at
10 years ago
augsburgerallgemeine.de
today
jdpower.com
• More modern means
• A networked population
• Too little security awareness
tomorrow
infosecisland.com
At the root of (almost) all evil: social engineering
“Social engineering is the art of getting a person to take an action that may be in their interest
or that may cause them harm.” Source: www.social-engineer.org
Public WLAN and guest access
Botnets
webreaders.de/wp-content/uploads/2008/01/botnetz.jpg
Botnets as THE means to an end
• Botnets underlie practically all criminal activity
on the internet
Web provider
Bots
Control server
Botnet operator
DDoS
Spam
Malware
How cheaply botnets can be rented
Product | Price
Simple Windows bot | 10 cents per bot and day
Bot with good bandwidth | $1 per bot and day
Custom build | $40 per bot
Source: SWITCH-CERT
Denial of Service
Protonmail
Bots
Control server: Armada Collective
Protonmail
Black Monday 2016
Mirai botnet by «New World Hackers»
• Wave of attacks on 21.10.2016 (approx.
50'000 – 100'000 bots)
• Source code leaked:
copycats
• Competition with «Bashlight»:
mutual hijacking
DDoS recommendations
Prevention
• Identify business-critical systems
• Define protective measures with the provider
Response
• «Sit it out»
• Never pay a ransom
• Report to MELANI/KOBIK; if necessary, file a complaint against persons unknown with the cantonal police (KaPo)
CEO Fraud
CEO Fraud
Fraud recommendations
• Issue clear instructions regarding payments
• Do not pass on internal information
• When in doubt, check with executive management (GL)
• Be careful also with emails from supposedly known persons
• Inform MELANI/KOBIK; if necessary, file a criminal complaint against persons unknown with the cantonal police (KaPo)
Espionage
Espionage attack on the federal administration (BV)
Espionage: example from Switzerland
Espionage recommendations
• Classification of documents
• Enforce the rules for the different classifications
• Network monitoring for suspicious traffic
• Inform MELANI/KOBIK; if necessary, file a criminal complaint against persons unknown with the cantonal police (KaPo)
Extortion
http://www.trustedwatch.de
Encryption trojan «Locky» (1/2)
Encryption trojan «Locky» (2/2)
Encryption trojan recommendations
• Regular data backups
• Disconnect the backup medium from the PC/network after the backup
• Spot-check the quality of backups
• Never pay a ransom
• Inform MELANI/KOBIK; if necessary, file a criminal complaint against persons unknown with the cantonal police (KaPo)
Max Klaus, Deputy Head of the Reporting and Analysis Centre
for Information Assurance MELANI
Schwarztorstrasse 59
3003 Bern
Thank you for your attention
Mobile-First Arubalsquos sichere Netzwerkarchitektur fuumlr die GenMobileJoumlrg Hofmann HPE Aruba
MOBILE-FIRST
Sichere Netzwerkarchitektur
fuumlr die GenMobile
People Move
Networks Must Follow
WHO ARE WE
Source Gartner Magic Quadrant for the Wired and Wireless LAN Access Infrastructure September 2015 Tim Zimmerman Bill Menezes Andrew Lerner ID Number
G00277052 This Magic Quadrant graphic was published by Gartner Inc as part of a larger research note and should be evaluated in the context of the entire report
The Gartner report is available upon request from HP The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period It depicts
Gartners analysis of how certain vendors measure against criteria for that marketplace as defined by Gartner Gartner does not endorse any vendor product or
service depicted in the Magic Quadrant and does not advise technology users to select only those vendors placed in the Leaders quadrant The Magic Quadrant is
intended solely as a research tool and is not meant to be a specific guide to action Gartner disclaims all warranties express or implied with respect to this research
including any warranties of merchantability or fitness for a particular purpose
ldquoClients globally should consider
Aruba for all wired and wireless
access layer opportunitiesrdquo
Gartner MQ for Wired and Wireless LAN
Access Infrastructure August 2016
Founded 2002 IPO 2007
HPErsquos IT Edge portfolio since June 2015
$24B+ annual revenue run rate
ldquoBiggest Small Companyrdquo
High touch business model
ldquoCustomer First Customer Lastrdquo
Home of 45K+ Mobility Engineers
Airheads Community
ENABLING GREAT
DIGITAL EXPERIENCES FOR GENMOBILE
70 SAY A MOBILE DEVICE MAKES THEM MORE
PRODUCTIVE AT WORK
By 2018 60 of users in mature markets will own and use more
than 3 personal devices
50 of enterprises will allow employees to supply their own
devices by 2017
Forrester ndash CIOs Must Empower the Digital Workplace
Forrester ndash The State of Enterprise Worker Mobility
Gartner ndash The Role of the Desktop in Our Multi-Device World
BY 2020 50 OF THE GLOBAL WORKFORCE WILL BE MILLENNIALS
Millennials believe their personal technology is more
effective at work
63 of millennials work for a company that offers a flexible
work environment
Trends 2016 ndash Code Conference Mary Meeker Annual Presentation
Gartner ndash Millennial Digital Workers Really Are Different From Their Elders
LESS THAN 50 OF EMPLOYEES ARE
SATISFIED WITH TECH THEY HAVE AT WORK
Employees want an environment where they can access and use the technology hey need to do
their best work
Enterprises need to think how untethered employees can move
easily and seamlessly from personal workspace to huddle
area to open areas
Trends 2016 ndash Code Conference Mary Meeker Annual Presentation
Gartner ndash Millennial Digital Workers Really Are Different From Their Elders
80+ NEW IOT PROJECTS TO BE DEPLOYED WITH WIRELESS NETWORK ARCHITECTURE
Installed base of IoTendpoints will grow from
121B in lsquo15 to 30B+ in lsquo20
WLAN will become IoTconnectivity method of choice for many organizations and choosing
the wrong wireless tech can hinder the value of IoT
IDC ndash Planscape Optimizing the WLAN for IoT
IDC ndash Worldwide Internet of Things Forecast Update 2016-2020
THE PERFECT STORM
MOBILE IoT and CLOUD
ldquoOLD STYLErdquo IT INFRASTRUCTURE
Gen Y
ldquoNEW STYLErdquo IT INFRASTRUCTURE
GenMobile
OUR APPROACH
LegacySeparate architectures
Port VLAN aware
Proprietary systems
Mobile FirstSingle set of infrastructure
Insightful context-rich
Developer ready
REQUIREMENTS
FOR IT ORGANIZATIONS
Scale network ops
across wireless and
wired infrastructure
Enable high
quality experience
on mobile UC
Stay compliant
while embracing
BYOD and IoT
Deliver apps to
remote locations
in a heartbeat
Improve workplace
productivity and
influence revenue
growth
EASY TO CONSUME DEVELOPER READY INFRASTRUCTURE
INNOVATION AT THE SPEED OF THE ECOSYSTEM ndash NOT A SINGLE VENDOR
Aruba infrastructure
Wi-Fi BLE Wired WAN
Aruba Mobile First Platform
x
Micro-location
services
Cloud
networking
Location
analytics
Policy
management
Network
managementNetwork
controls
IT services
Business and user facing applications
EMPLOYEE
EXPERIENCE
0900
ENROLL
MOBILE DEVICE
1100
PRIVILEGED ACCESS
WITH MULTI-FACTOR
AUTHENTICATION
1300
BOOK
MEETING ROOM
OPERATIONAL
EXPERIENCE
0930
UNDERSTAND
APP USAGE
Aruba AppRF
1530
MONITOR HEALTH
OF THE SMART
BUILDING
IT EXPERIENCE
1100
PREDICT
DONrsquoT JUST
TROUBLESHOOT
Aruba Clarity
1330
UNDERSTAND
DONrsquoT JUST
MONITOR
ONCE BYOD AND IoT
ARE ON YOUR
NETWORK hellip
SECURING THE
PERIMETER IS NO
LONGER ENOUGH
STAY COMPLIANT
WHILE EMBRACING BYOD AND IOT
Auto-classify unknown devices
on any network with Aruba ClearPass
Automate onboarding of each device
to the network and enforce policy
Detect amp eliminate threats
with ClearPass Exchange partners
SOFTWARE CONTROLS FOR
NETWORK ACCESS SECURITY
Internet of
Things (IoT)
BYOD and
corporate owned
REST
API
Security monitoring
and threat prevention
Device management and
multi-factor authentication
Helpdesk and voiceSMS
service in the cloud
Multi-vendor
switching
Multi-vendor
WLANs
Aruba ClearPass with
Exchange Ecosystem
SOFTWARE CONTROLS FOR ldquoCOLORLESSrdquo PORTS
Device and
user identity
stores
Ports assigned to new
VLANs through ClearPass
based on device type
IoT devices on the
wired network
connecting to any portPrevention against malware
and insider threats
Secure per device
tunneling to Aruba
Mobility Controller
Aruba
switches
LEADING
SWISS
BRANDS
TRUST
US
Pause
Aruba ClearPass ndash Die Loumlsung fuumlr einen sicheren NetzwerkzugangManuel Bitzi SOFTEC AG
Evolution of Access Management and Control
Desktops amp Wired
Basic AAA with UserPort
Control
Windows Vulnerabilities
Perimeter security via
platform silos
High touch IT model
Mobile Devices BYOD amp
Wireless
Multi-factor policy control with
visibility
Multiple Attack Vectors
Cooperative trust via
context sharing
Self Service automated
process
YESTERDAY TODAY
Time For A New Mobility Defense Model
Static Perimeter Defense
IDSIPS
Firewalls
Adaptive Trust Defense
Perimeter
Defense
Physical
Components
AntiVirus
Security and Policy
for each user or
group
Web
gateways
Was sind die Hauptgruumlnde fuumlr ein NAC
AuthentifizierungZugriffsschutz
Automatische Konfiguration
Workflows
VisibilitaumltNachvollziehbarkeit
Top IT NAC Business Drivers
Authentication and Authorization
NAC Services Deployment
Architecture and Coverage
bull Provide secure wired
and wireless access
bull Enhance mobile and
cloud app access
bull Use of certificates
Deployment Services
bull Offer differentiated
access (IT-owned
BYOD IoT)
bull Deliver managed
and reliable guest
access
bull Provide consistent
privileges regardless
of location
bull Leverage 3rd-party
security solutions
bull IT-controlled access
bull Automate workflows
bull Simplicity
bull Possible User-
intervention
ClearPass Policy Manager and NAC Solution
Onboard Guest
Built-inbull Policy Enginebull RADIUSCoATACACSbull Profilingbull Accountingreportsbull Identity store
Expandable Applications
Remote Location
bull BYOD onboardingbull Simple guest accessbull Health assessments
OnGuard
Whatrsquos Inside
VISIBILITY
Device Profiling
Troubleshooting
Per Session Tracking
WORKFLOW
Onboarding and
Self-Registration
Guest Management
MDMEMM Integration
RULES
Context based
Device
Posture Checks
Built-in Certificate
Authority
Authentication based on Device Context
Device
Profiling
bull Samsung SM-G900
bull Android
bull ldquoJons-Galaxyrdquo
EMMMDMOnGuard
bull Personal owned
bull Registered
bull OS up-to-date
bull Hansen Jon [Sales]
bull MDM enabled = true
bull In-compliance = true
Identity
Stores
Network Devices
bull Hansen Jon [Sales]
bull Title ndash COO
bull Dept ndash Executive office
bull City ndash London
bull Location ndash Bldg 10
bull Floor ndash 3
bull Bandwidth ndash 10Mbps
Value of a Policy EngineRemove SSID Overload
NEW WAY Simplify separate traffic dynamically
by context
OLD WAY Separate access amp
traffic by SSIDs
ClearPass ExchangeEnd-to-End Control Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voiceSMSservice in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST APISQL
XMLHTTP LDAP
RADIUSTACACS
Traffic control ampthreat prevention
ClearPass Exchange ExampleExtensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
Devices profiled2 ClearPass checks McAfee ePO for endpoint status
3
ClearPass enforcesaccess privileges4
Devices establish connections1
ClearPass Exchange ExampleBi-directional Exchange ndash FirewallIPS Event
FirewallIPSSIEMetchellip
user connects and uploads threat
sends event to ClearPass
informs infrastructure
1 2
4
detects and blocks event
3isolates user5
notifies user opens service ticket notify third-party devices6
ClearPass Profiler Engine
bull ClearPass sammelt so viele Informationen wie moumlglich um einen Geraumltetyp zu bestimmen
bull Category Family Product Name
bull Fingerprint-Datenbank wird regelmaumlssig aktualisiert
bull Eigene Fingerprints erstellen
bull Credentials fuumlr SMNP SSH etc hinterlegen
bull Profiling bei Authentifizierung oder nach Bedarf
bull Erkennen von IoT Devices
DHCP
SNMP
SSH
TCPWMI
CDP LLDP
OnGuard
NMAP
Mac OUI
HTTP
ClearPass Profiler EngineProfiling on authentication discover IoT
AfterBefore
Lighting Sensorunknown
unknown Temperature Sensor
send to
quarantineprofiling assign
new policy
discover IoT assign appropriated policy
ClearPass Profiler EngineCustom Fingerprints Rules
NEW WAY Create your own
Fingerprints
OLD WAY Wait for new Fingerprints to be made andor manually override
devices 11
ClearPass Universal ProfilerStandalone Profiling Engine
bull Standalone profiling engine
bull Wired and wireless networks
bull Easily distributed for coverage
and scalability
bull New device visibility dashboard
bull Reports
bull Gain Visibility of your Network
bull GA February 2017
ClearPass Universal Profiler
DEMO Profiling
Clearpass Modules WorkflowsOnGuard Client Health Check
bull Automated Healthcheck before Access
bull WiredWireless Ensures posture compliance for laptopscomputers
bull Security Forces use of Anti-VirusAnti-Spyware firewalls disk encryptionhellip
bull Remediation Manual or auto
bull Visibility Identifies poor behavior
bull User Notification Tells User about failed checks
bull Type Service or dissolvable Web Checker
DEMO OnGuard
Clearpass Modules WorkflowsSecure Guest Login
bull Flexible Guest Logins for Any Visitor
bull Customizable Splash Pages
bull Self-Service Workflows
bull SMS Authentication
bull Sponsoring
bull Social Login
bull Vouchers
bull Predefined UserPassword
bull MAC Caching for repeat visitors
bull Suitable for Mobile Devices
Clearpass Modules WorkflowsSecure Guest Login Look and Feel
Clearpass Modules WorkflowsOnBoard Employee Device
bull BYOD Employees Login with Personal Devices
bull User and IT friendly One time user registration no IT intervention
bull Security IT managed 8021X and Certificates
bull Context Data added to profile for adaptive policy and troubleshooting
bull Selfmanaged User can manage delete and block devices by their own
Clearpass Modules WorkflowsCertificate Distribution for BYOD
bull Domain
bull Key amp
Certificate
Enterprise PKI and CA Built-in ClearPass CA
Certificate
Authority
Validation
Authority
Registration
Authority
Active
Directory
IT-Managed
Devices
bull Domain
bull User
bull Device
bull Key amp Unique
Certificate
Personal
Devices
CA
Certificate
Authority
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Inhalt
bull Die Melde- und Analysestelle Informationssicherung MELANI
bull Aktuelle Bedrohungslage
Titel Datum AutorIn 4
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
BR-Auftrag PPP
Schutz kritischer Infrastrukturen in der
Schweiz nur in enger Zusammenarbeit
mit der Wirtschaft moumlglich Public
Private Partnership
Quelle httpventuresafricacomwp-contentuploads201406ppp_2q2012jpg
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
bull Keine Meldepflicht fuumlr Cybervorfaumllle
bull Subsidiaritaumlt
bull Keine Weisungsbefugnis ausserhalb
der Bundesverwaltung
Rahmenbedingungen fuumlr MELANI
Informatiksteuerungsorgan des Bundes ISB
Nachrichtendienst des Bundes NDB
Melde- und Analysestelle Informationssicherung MELANI
MELANI
EFD ISBLeitung und Strategie
GovCERTchTechnische Analysen
VBS NDBOIC MELANINachrichtendienstlicheAnalysen
Geschlossener Kundenkreis
bull Chemie und Pharmabull Energiebull Finanzbull Gesundheitswesenbull Industriebull Medienbull Ruumlstungbull Telekommunikationbull TransportLogistikbull Versicherungenbull Verwaltung
Oumlffentlicher TeilKMU und Buumlrgerwwwmelaniadminch
International relations
• Interpol, Europol
• Software and antivirus vendors: Microsoft, Google, Avira, F-Secure, ...
• EGC (European Government CERTs)
• Other governments: CPNI, BSI, A-SIT, ...
• Academia and research: universities, universities of applied sciences
• FIRST (Forum of Incident Response and Security Teams)
• Swiss Cyber Experts
Tasks of MELANI
• Monitoring and reporting on the national situation
• Prevention and alerting
Closed customer base (critical infrastructure operators)
• Prevention based on information from non-public sources
• Support in remediating cyber incidents
Open customer base (SMEs, NPOs, private individuals)
• Awareness raising
• Prevention
Public MELANI products (slides 1 to 4: screenshots)
Phishing DB
Contents
• The Reporting and Analysis Centre for Information Assurance MELANI
• Current threat landscape
Changes in the threat landscape
19th century (image: derstandard.at)
10 years ago (image: augsburgerallgemeine.de)
Today (image: jdpower.com)
• More modern means
• A networked population
• Too little security awareness
Tomorrow (image: infosecisland.com)
At the root of (almost) all evil: social engineering
"Social engineering is the art of getting a person to take an action that may be in their interest or may cause them harm." Source: www.social-engineer.org
Public WLANs and guest access
Botnets
(image: webreaders.de, botnetz.jpg)
Botnets as THE means to an end
• Botnets underlie practically all criminal activity on the Internet
(diagram: botnet operator, control server, bots; used for DDoS, spam and malware against the web provider)
How cheaply botnets can be rented (source: SWITCH-CERT)
Product                   Price
Simple Windows bot        10 cents per bot and day
Bot with good bandwidth   1 $ per bot and day
Custom build              40 $ per bot
Denial of Service
Protonmail
(diagram: bots, control server, Armada Collective)
Black Monday 2016
Mirai botnet by «New World Hackers»
• Attack wave of 21 October 2016 (approx. 50,000 to 100,000 bots)
• Source code leaked, so copycats followed
• Competition with «Bashlight»: the two botnets hijack each other's devices
DDoS: recommendations
Prevention
• Identify business-critical systems
• Define protective measures with your provider
Reaction
• «Sit it out»
• Never pay a ransom
• Report to MELANI/KOBIK; if appropriate, file a complaint against persons unknown with the cantonal police (KaPo)
CEO fraud
(two example slides)
Fraud: recommendations
• Issue clear instructions on payments
• Do not pass on internal information
• When in doubt, check with executive management
• Be careful even with e-mails from supposedly known persons
• Inform MELANI/KOBIK; if appropriate, file a criminal complaint against persons unknown with the cantonal police
Espionage
Espionage attack on the federal administration
Espionage: an example from Switzerland
Espionage: recommendations
• Classify documents
• Enforce the rules for each classification level
• Monitor the network for suspicious traffic
• Inform MELANI/KOBIK; if appropriate, file a criminal complaint against persons unknown with the cantonal police
Extortion
(image: trustedwatch.de)
Crypto-ransomware «Locky» (1/2)
Crypto-ransomware «Locky» (2/2)
Ransomware: recommendations
• Back up data regularly
• Disconnect the backup media from the PC and the network after the backup
• Check the quality of the backups from time to time
• Never pay a ransom
• Inform MELANI/KOBIK; if appropriate, file a criminal complaint against persons unknown with the cantonal police
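The two backup bullets above (disconnect the media, check the quality of the backups) are easy to state and rarely done. The following is an added example, not from the presentation: it writes a SHA-256 manifest at backup time and later verifies the backup tree against it, so that a crypto-trojan that rewrote files on a still-connected drive is detected before the copy is relied on. All file names, contents and paths are constructed for the example.

```python
"""Added example (not from the presentation): verify that a backup copy still
matches what was backed up, using a SHA-256 manifest written at backup time.

A crypto-ransomware such as Locky rewrites file contents in place; a manifest
kept separately from the media lets you spot that before you restore from it.
The sample files and the simulated infection below are constructed."""
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 20


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (path relative to root) to its hash."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_backup(root, manifest):
    """Compare a backup tree against its manifest.

    Returns (ok, report). 'modified' (same name, different hash) is the
    ransomware signature; 'unexpected' catches dropped ransom notes;
    'missing' catches deleted or renamed files."""
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    unexpected = sorted(p for p in current if p not in manifest)
    report = {"modified": modified, "missing": missing, "unexpected": unexpected}
    return not (modified or missing or unexpected), report


def demo():
    """Constructed scenario: back up two files, then simulate an encrypted drive."""
    with tempfile.TemporaryDirectory() as backup:
        os.makedirs(os.path.join(backup, "docs"))
        with open(os.path.join(backup, "docs", "offer.docx"), "wb") as f:
            f.write(b"quarterly offer, original content")
        with open(os.path.join(backup, "README.txt"), "wb") as f:
            f.write(b"readme")
        # Store the manifest away from the backup media (e.g. printed, or on
        # a second offline medium); here it is just serialised to a string.
        manifest_json = json.dumps(build_manifest(backup), sort_keys=True)
        ok_before, _ = verify_backup(backup, json.loads(manifest_json))

        # What a crypto-trojan does to a backup drive that stayed connected:
        # file contents rewritten in place, plus a ransom note.
        with open(os.path.join(backup, "docs", "offer.docx"), "wb") as f:
            f.write(b"\x00encrypted garbage")
        with open(os.path.join(backup, "_HELP_instructions.txt"), "wb") as f:
            f.write(b"pay")
        ok_after, report = verify_backup(backup, json.loads(manifest_json))
        return ok_before, ok_after, report


if __name__ == "__main__":
    print(demo())
```

Run the verification from a clean machine against the disconnected media, not from the host that was backed up: if that host is compromised, both the manifest and the check can be tampered with.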
Max Klaus, Deputy Head of the Reporting and Analysis Centre for Information Assurance MELANI
Schwarztorstrasse 59, 3003 Bern
Thank you for your attention
Mobile-First: Aruba's secure network architecture for the GenMobile (Jörg Hofmann, HPE Aruba)
MOBILE-FIRST
Secure network architecture for the GenMobile
People move. Networks must follow.
WHO ARE WE
Source: Gartner Magic Quadrant for the Wired and Wireless LAN Access Infrastructure, September 2015, Tim Zimmerman, Bill Menezes, Andrew Lerner, ID Number G00277052. This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from HP. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
"Clients globally should consider Aruba for all wired and wireless access layer opportunities." (Gartner MQ for Wired and Wireless LAN Access Infrastructure, August 2016)
• Founded 2002, IPO 2007
• Part of HPE's IT Edge portfolio since June 2015
• $2.4B+ annual revenue run rate
• "Biggest Small Company"
• High-touch business model: "Customer First, Customer Last"
• Home of 45K+ mobility engineers: the Airheads Community
ENABLING GREAT DIGITAL EXPERIENCES FOR GENMOBILE
70% say a mobile device makes them more productive at work
• By 2018, 60% of users in mature markets will own and use more than 3 personal devices
• 50% of enterprises will allow employees to supply their own devices by 2017
(Forrester: CIOs Must Empower the Digital Workplace; Forrester: The State of Enterprise Worker Mobility; Gartner: The Role of the Desktop in Our Multi-Device World)
BY 2020, 50% OF THE GLOBAL WORKFORCE WILL BE MILLENNIALS
• Millennials believe their personal technology is more effective at work
• 63% of millennials work for a company that offers a flexible work environment
(Trends 2016, Code Conference, Mary Meeker annual presentation; Gartner: Millennial Digital Workers Really Are Different From Their Elders)
LESS THAN 50% OF EMPLOYEES ARE SATISFIED WITH THE TECH THEY HAVE AT WORK
• Employees want an environment where they can access and use the technology they need to do their best work
• Enterprises need to think about how untethered employees can move easily and seamlessly from personal workspace to huddle area to open areas
(Trends 2016, Code Conference, Mary Meeker annual presentation; Gartner: Millennial Digital Workers Really Are Different From Their Elders)
80%+ OF NEW IOT PROJECTS TO BE DEPLOYED WITH A WIRELESS NETWORK ARCHITECTURE
• The installed base of IoT endpoints will grow from 12.1B in '15 to 30B+ in '20
• WLAN will become the IoT connectivity method of choice for many organizations, and choosing the wrong wireless tech can hinder the value of IoT
(IDC: Planscape, Optimizing the WLAN for IoT; IDC: Worldwide Internet of Things Forecast Update 2016-2020)
THE PERFECT STORM: MOBILE, IoT AND CLOUD
"Old style" IT infrastructure: Gen Y
"New style" IT infrastructure: GenMobile
OUR APPROACH
Legacy: separate architectures, port/VLAN aware, proprietary systems
Mobile First: a single set of infrastructure, insightful and context-rich, developer ready
REQUIREMENTS FOR IT ORGANIZATIONS
• Scale network ops across wireless and wired infrastructure
• Enable a high-quality experience on mobile UC
• Stay compliant while embracing BYOD and IoT
• Deliver apps to remote locations in a heartbeat
• Improve workplace productivity and influence revenue growth
EASY TO CONSUME, DEVELOPER READY INFRASTRUCTURE
Innovation at the speed of the ecosystem, not a single vendor
(diagram: Aruba infrastructure (Wi-Fi, BLE, wired, WAN) → Aruba Mobile First Platform (micro-location services, cloud networking, location analytics, policy management, network management, network controls, IT services) → business and user-facing applications)
(diagram: a working day on the Mobile First Platform)
Employee experience: 09:00 enroll mobile device; 11:00 privileged access with multi-factor authentication; 13:00 book meeting room
Operational experience: 09:30 understand app usage (Aruba AppRF); 15:30 monitor the health of the smart building
IT experience: 11:00 predict, don't just troubleshoot (Aruba Clarity); 13:30 understand, don't just monitor
ONCE BYOD AND IoT ARE ON YOUR NETWORK ... SECURING THE PERIMETER IS NO LONGER ENOUGH
STAY COMPLIANT WHILE EMBRACING BYOD AND IOT
• Auto-classify unknown devices on any network with Aruba ClearPass
• Automate onboarding of each device to the network and enforce policy
• Detect and eliminate threats with ClearPass Exchange partners
SOFTWARE CONTROLS FOR NETWORK ACCESS SECURITY
(diagram: Aruba ClearPass with the Exchange ecosystem in the centre; endpoints: Internet of Things (IoT), BYOD and corporate-owned; access layer: multi-vendor switching, multi-vendor WLANs; integrations over a REST API: security monitoring and threat prevention, device management and multi-factor authentication, helpdesk and voice/SMS service in the cloud)
SOFTWARE CONTROLS FOR "COLORLESS" PORTS
• Ports are assigned to new VLANs through ClearPass based on device type, drawing on device and user identity stores
• IoT devices on the wired network can connect to any port
• Prevention against malware and insider threats
• Secure per-device tunneling from Aruba switches to the Aruba Mobility Controller
LEADING SWISS BRANDS TRUST US
Break
Aruba ClearPass: the solution for secure network access (Manuel Bitzi, SOFTEC AG)
Evolution of access management and control
Yesterday: desktops and wired
• Basic AAA with user/port control
• Windows vulnerabilities
• Perimeter security via platform silos
• High-touch IT model
Today: mobile devices, BYOD and wireless
• Multi-factor policy control with visibility
• Multiple attack vectors
• Cooperative trust via context sharing
• Self-service, automated processes
Time for a new mobility defense model
Static perimeter defense: IDS/IPS, firewalls, antivirus, web gateways; a perimeter built from physical components
Adaptive trust defense: security and policy for each user or group
What are the main reasons for a NAC?
• Authentication and access protection
• Automatic configuration
• Workflows
• Visibility and traceability
Top IT NAC business drivers (authentication and authorization; NAC services deployment; architecture and coverage; deployment services)
• Provide secure wired and wireless access
• Enhance mobile and cloud app access
• Use of certificates
• Offer differentiated access (IT-owned, BYOD, IoT)
• Deliver managed and reliable guest access
• Provide consistent privileges regardless of location
• Leverage 3rd-party security solutions
• IT-controlled access
• Automate workflows
• Simplicity
• Possible user intervention
ClearPass Policy Manager and NAC solution
Built in: policy engine, RADIUS/CoA/TACACS+, profiling, accounting and reports, identity store
Expandable applications: Onboard (BYOD onboarding), Guest (simple guest access), OnGuard (health assessments); remote location
What's inside
Visibility: device profiling, troubleshooting, per-session tracking
Workflow: onboarding and self-registration, guest management, MDM/EMM integration
Rules: context based, device posture checks, built-in certificate authority
Authentication based on device context
Device profiling: Samsung SM-G900, Android, "Jons-Galaxy"
EMM/MDM/OnGuard: personally owned, registered, OS up to date, Hansen Jon [Sales], MDM enabled = true, in compliance = true
Identity stores: Hansen Jon [Sales], Title: COO, Dept: Executive office, City: London
Network devices: Location: Bldg 10, Floor: 3, Bandwidth: 10 Mbps
Value of a policy engine: remove SSID overload
Old way: separate access and traffic by SSIDs
New way: simplify; separate traffic dynamically by context
ClearPass Exchange: end-to-end control, information and visibility
Multi-vendor infrastructure; device management and multi-factor authentication; helpdesk and voice/SMS service in the cloud; traffic control and threat prevention
• Combine identity information
• Standard protocols for custom extensions: REST API, SQL, XML/HTTP, LDAP, RADIUS/TACACS+
ClearPass Exchange example: extensions for Intel Security (McAfee ePO)
(diagram: corporate-owned and IoT devices, BYOD and corporate-owned devices, multi-vendor switching and WLAN, McAfee ePO)
1. Devices establish connections
2. Devices are profiled
3. ClearPass checks McAfee ePO for the endpoint status
4. ClearPass enforces access privileges
ClearPass Exchange example: bi-directional exchange, firewall/IPS event
(diagram: firewall, IPS, SIEM, etc.)
1. User connects and uploads a threat
2. Firewall/IPS detects and blocks the event
3. Firewall/IPS sends the event to ClearPass
4. ClearPass informs the infrastructure
5. Infrastructure isolates the user
6. ClearPass notifies the user, opens a service ticket and notifies third-party devices
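Steps 4 and 5 above hide the mechanism that actually isolates the user: the policy server tells the switch or WLAN controller to drop the session with a RADIUS Disconnect-Request (RFC 5176 Change of Authorization). The following is an added example, not ClearPass code and not from the presentation: it turns a constructed IPS/SIEM event into such a packet, computes the Request Authenticator as RFC 5176 specifies, and shows the check the receiving NAS performs. The event format, MAC address, NAS address and shared secret are constructed for the example.

```python
"""Added example (not from the presentation, not ClearPass code): build and
verify the RADIUS Disconnect-Request (RFC 5176 CoA) that isolates a user
after a firewall/IPS event. Packet layout per RFC 2865/5176; event, MAC,
NAS address and shared secret are constructed for the example."""
import hashlib
import json
import struct

DISCONNECT_REQUEST = 40          # RFC 5176 packet code
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31     # the client MAC as the NAS reported it


def _attr(attr_type, value):
    """RADIUS attribute TLV: type (1), length incl. header (1), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_disconnect_request(secret, identifier, user_name, calling_station_id, nas_ip):
    """RFC 5176 s.3: Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    attrs = (
        _attr(ATTR_USER_NAME, user_name.encode())
        + _attr(ATTR_CALLING_STATION_ID, calling_station_id.encode())
        + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    )
    length = 20 + len(attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, length)
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs


def verify_request_authenticator(packet, secret):
    """What the NAS does on receipt: recompute the authenticator and compare.
    A wrong shared secret (or a tampered packet) must be silently discarded."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return expected == packet[4:20]


def parse_attributes(packet):
    """Return {attribute type: raw value} for a RADIUS packet."""
    attrs, pos = {}, 20
    while pos < len(packet):
        t, l = struct.unpack("!BB", packet[pos:pos + 2])
        if l < 2 or pos + l > len(packet):
            raise ValueError("malformed attribute")
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    return attrs


def coa_for_event(event, secret, identifier=1):
    """Step 3 -> step 5 of the diagram: map the event to the session it names
    and produce the Disconnect-Request for the NAS holding that session."""
    return build_disconnect_request(
        secret, identifier,
        user_name=event["user"],
        calling_station_id=event["client_mac"],
        nas_ip=event["nas_ip"],
    )


# Constructed IPS/SIEM event as it might arrive at the policy server (step 3).
SAMPLE_EVENT = json.loads(
    '{"user": "jhansen", "client_mac": "00-11-22-33-44-55", '
    '"nas_ip": "10.0.0.2", "signature": "malware-upload"}'
)
SHARED_SECRET = b"example-secret"  # constructed; load from a secret store in real code

if __name__ == "__main__":
    pkt = coa_for_event(SAMPLE_EVENT, SHARED_SECRET)
    print(pkt.hex())
    print("authenticator ok:", verify_request_authenticator(pkt, SHARED_SECRET))
```

The packet would be sent over UDP to port 3799 of the NAS; the NAS answers with Disconnect-ACK (code 41) or Disconnect-NAK (code 42). The authenticator is the only integrity protection RFC 5176 gives you, so the CoA path belongs on a management network and the shared secret must be long and random: anyone who can spoof a valid Disconnect-Request can knock users off the network.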
ClearPass Profiler Engine
• ClearPass collects as much information as possible to determine a device type
• Category, family, product name
• The fingerprint database is updated regularly
• Create your own fingerprints
• Store credentials for SNMP, SSH, etc.
• Profiling at authentication time or on demand
• Detection of IoT devices
Collectors: DHCP, SNMP, SSH, TCP/WMI, CDP/LLDP, OnGuard, NMAP, MAC OUI, HTTP
ClearPass Profiler Engine: profiling on authentication, discover IoT
Before: device unknown → send to quarantine → profiling
After: lighting sensor and temperature sensor identified → assign new policy
Discover IoT, assign the appropriate policy
ClearPass Profiler Engine: custom fingerprint rules
Old way: wait for new fingerprints to be made and/or manually override devices 1:1
New way: create your own fingerprints
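The three profiler slides above describe one mechanism: collect evidence (MAC OUI, DHCP options, HTTP User-Agent), match it against a fingerprint table, and send anything unmatched to quarantine until it is classified, with custom fingerprints as the escape hatch for devices the database does not know. The following is an added example, not ClearPass code and not from the presentation, that implements that flow on a small scale. The fingerprint table, OUI, DHCP values and sample endpoints are constructed for the example (the Windows option-55 list is a typical one, not an authoritative signature).

```python
"""Added example (not from the presentation, not ClearPass code): a small
profiler that classifies endpoints from MAC OUI, DHCP option 60/55 and HTTP
User-Agent evidence, quarantines unknown devices, and lets an operator add a
custom fingerprint. All fingerprints and endpoints are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Endpoint:
    mac: str
    dhcp_vendor_class: Optional[str] = None   # DHCP option 60 (vendor class)
    dhcp_param_list: Optional[str] = None     # DHCP option 55, comma separated
    http_user_agent: Optional[str] = None     # seen by a captive portal / proxy


def oui(mac: str) -> str:
    """First three octets, normalised to AA-BB-CC."""
    return mac.upper().replace(":", "-")[:8]


# Built-in fingerprint table (constructed). "name" is (category, family,
# product) as on the slide; the other keys are the evidence a rule requires.
BUILTIN_FINGERPRINTS = [
    {"name": ("Computer", "Windows", "Windows 10"),
     "dhcp_param_list": "1,3,6,15,31,33,43,44,46,47,121,249,252"},
    {"name": ("SmartDevice", "Phone", "Android"),
     "http_user_agent_contains": "Android"},
]

# Enforcement by category; unknown devices never leave quarantine.
POLICY_BY_CATEGORY = {
    "Computer": "corp-lan",
    "SmartDevice": "byod-internet-only",
    "IoT": "iot-vlan",
}
QUARANTINE = "quarantine"


def matches(rule, ep: Endpoint) -> int:
    """A rule matches only if every piece of evidence it names is present on
    the endpoint and agrees. Returns the number of matched fields (0 = miss)."""
    hits = 0
    if "oui" in rule:
        if oui(ep.mac) != rule["oui"]:
            return 0
        hits += 1
    if "dhcp_vendor_class" in rule:
        if ep.dhcp_vendor_class != rule["dhcp_vendor_class"]:
            return 0
        hits += 1
    if "dhcp_param_list" in rule:
        if ep.dhcp_param_list != rule["dhcp_param_list"]:
            return 0
        hits += 1
    if "http_user_agent_contains" in rule:
        ua = ep.http_user_agent or ""
        if rule["http_user_agent_contains"] not in ua:
            return 0
        hits += 1
    return hits


def profile(ep: Endpoint, fingerprints):
    """Most specific match wins (most evidence agreed); None if nothing matches."""
    best, best_hits = None, 0
    for rule in fingerprints:
        h = matches(rule, ep)
        if h > best_hits:
            best, best_hits = rule["name"], h
    return best


def assign_policy(ep: Endpoint, fingerprints):
    """Profiling on authentication: unknown -> quarantine, known -> category policy."""
    name = profile(ep, fingerprints)
    if name is None:
        return ("unknown", QUARANTINE)
    return (name, POLICY_BY_CATEGORY.get(name[0], QUARANTINE))


def add_custom_fingerprint(fingerprints, name, **evidence):
    """The 'new way' on the slide: add your own rule instead of waiting for a
    database update. Custom rules are consulted first."""
    return [{"name": name, **evidence}] + list(fingerprints)


# Constructed endpoint: a temperature sensor that only ever speaks DHCP.
SENSOR = Endpoint(mac="aa:bb:cc:01:02:03", dhcp_vendor_class="tempsense/1.0")

if __name__ == "__main__":
    print(assign_policy(SENSOR, BUILTIN_FINGERPRINTS))   # quarantined: unknown
    fps = add_custom_fingerprint(BUILTIN_FINGERPRINTS, ("IoT", "Sensor", "Temperature Sensor"),
                                 oui="AA-BB-CC", dhcp_vendor_class="tempsense/1.0")
    print(assign_policy(SENSOR, fps))                    # now lands in the IoT VLAN
```

Two design points carry over to any real profiler. First, evidence that the device itself supplies (User-Agent, DHCP vendor class) is spoofable, so a fingerprint built only from such fields grants at most a low-privilege role; tie higher-privilege roles to 802.1X credentials rather than to profiling. Second, a device that matches nothing must stay in quarantine rather than fall through to a default role.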
ClearPass Universal Profiler: standalone profiling engine
• Standalone profiling engine
• Wired and wireless networks
• Easily distributed for coverage and scalability
• New device visibility dashboard
• Reports
• Gain visibility of your network
• GA February 2017
DEMO: Profiling
ClearPass modules and workflows: OnGuard client health check
• Automated health check before access
• Wired/wireless: ensures posture compliance for laptops and computers
• Security: forces use of antivirus/anti-spyware, firewalls, disk encryption, ...
• Remediation: manual or automatic
• Visibility: identifies poor behaviour
• User notification: tells the user about failed checks
• Type: persistent service or dissolvable web checker
DEMO: OnGuard
ClearPass modules and workflows: secure guest login
• Flexible guest logins for any visitor
• Customizable splash pages
• Self-service workflows
• SMS authentication
• Sponsoring
• Social login
• Vouchers
• Predefined user/password
• MAC caching for repeat visitors
• Suitable for mobile devices
ClearPass modules and workflows: secure guest login, look and feel
ClearPass modules and workflows: Onboard employee device
• BYOD: employees log in with personal devices
• User and IT friendly: one-time user registration, no IT intervention
• Security: IT-managed 802.1X and certificates
• Context: data added to the profile for adaptive policy and troubleshooting
• Self-managed: users can manage, delete and block their own devices
ClearPass modules and workflows: certificate distribution for BYOD
(diagram) Enterprise PKI and CA for IT-managed devices: Active Directory, Registration Authority, Validation Authority, Certificate Authority; the device is joined to the domain and receives its key and certificate.
(diagram) Built-in ClearPass CA for personal devices: AD, RA, VA and CA roles inside ClearPass; each device is bound to domain, user and device identity and receives a key and a unique certificate.
ClearPass modules and workflows: multi-factor authentication
• Additional authentication for Guest and Onboard workflows
• Multiple providers supported: SMS verification code, RSA Security, Duo, Zoom Facial Network, Kasada, more to come
DEMO: Onboard BYOD
Possible access concept: wireless
(diagram) Guests: SSID "open" with captive portal → Internet only. BYOD and corporate PCs: SSID "secure" with 802.1X → corporate PC: Corp LAN; others: Internet. IoT: SSID "IoT" with PSK, MAC authentication and profiling.
Possible access concept: wired
(diagram) Guests: captive portal → Internet only. 802.1X: corporate PC with certificate → Corp LAN; others → Internet. Remaining devices: MAC authentication with profiling.
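The two access-concept diagrams, together with the earlier "Authentication based on device context" and "Remove SSID overload" slides, describe one policy engine: the role a session gets is decided from context (how it authenticated, what profiling and MDM/OnGuard say about the device, who the user is), and the same decision is reached whether the device arrived over an SSID or a wired port. The following is an added example, not ClearPass code and not from the presentation, of such a first-match rule set. Role names, VLAN numbers, the ordering of the rules and the sample sessions are constructed for the example; the mapping of BYOD to "Internet only" is this example's reading of the diagrams.

```python
"""Added example (not from the presentation, not ClearPass code): a first-match
policy engine that derives the network role from session context rather than
from the SSID or port used. Roles, VLAN ids and sample sessions are constructed."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Session:
    medium: str                  # "wireless" or "wired"; deliberately not used by any rule
    auth_method: str             # "eap-tls", "eap-peap", "mac-auth", "psk", "captive-portal"
    category: str = "unknown"    # from profiling: "Computer", "SmartDevice", "IoT", "unknown"
    ownership: str = "unknown"   # "corporate", "personal", "unknown"
    mdm_enrolled: bool = False   # EMM/MDM registration (Onboard workflow)
    in_compliance: bool = False  # MDM compliance or OnGuard health check result
    department: Optional[str] = None


@dataclass(frozen=True)
class Decision:
    role: str
    vlan: int
    reason: str


Rule = Tuple[str, Callable[[Session], bool], Decision]

# Ordered from most to least specific; the first predicate that holds wins.
RULES: List[Rule] = [
    ("guest",
     lambda s: s.auth_method == "captive-portal",
     Decision("guest", 900, "captive-portal guest -> Internet only")),
    ("corp-pc",
     lambda s: s.auth_method == "eap-tls" and s.ownership == "corporate" and s.in_compliance,
     Decision("employee", 100, "IT-managed device, certificate, healthy posture -> Corp LAN")),
    ("corp-pc-unhealthy",
     lambda s: s.auth_method == "eap-tls" and s.ownership == "corporate",
     Decision("remediation", 901, "posture check failed -> remediation network only")),
    ("byod",
     lambda s: s.auth_method in ("eap-tls", "eap-peap") and s.ownership == "personal"
               and s.mdm_enrolled and s.in_compliance,
     Decision("byod", 200, "onboarded personal device, MDM compliant -> Internet")),
    ("iot",
     lambda s: s.auth_method in ("mac-auth", "psk") and s.category == "IoT",
     Decision("iot", 300, "profiled IoT device -> IoT VLAN")),
]

# No rule matched: never a permissive default.
DEFAULT = Decision("quarantine", 999, "no rule matched -> quarantine and profile")


def decide(session: Session, rules: List[Rule] = RULES) -> Decision:
    """Evaluate the ordered rule list; first match wins."""
    for _name, predicate, decision in rules:
        if predicate(session):
            return decision
    return DEFAULT


def explain(session: Session, rules: List[Rule] = RULES) -> List[str]:
    """Trace which rules were tried, for troubleshooting a surprising decision."""
    trace = []
    for name, predicate, decision in rules:
        hit = predicate(session)
        trace.append(f"{name}: {'MATCH' if hit else 'no'}")
        if hit:
            trace.append(f"-> role={decision.role} vlan={decision.vlan}")
            return trace
    trace.append(f"-> role={DEFAULT.role} vlan={DEFAULT.vlan}")
    return trace


if __name__ == "__main__":
    # Constructed: the same managed laptop over Wi-Fi and over a wired port.
    laptop_wifi = Session("wireless", "eap-tls", "Computer", "corporate", True, True, "Sales")
    laptop_wired = Session("wired", "eap-tls", "Computer", "corporate", True, True, "Sales")
    print(decide(laptop_wifi).role, decide(laptop_wired).role)      # employee employee
    print("\n".join(explain(Session("wired", "mac-auth", "unknown"))))
```

The point of the `medium` field being ignored is the "remove SSID overload" argument: one secure SSID (or one colorless port profile) can carry guests, BYOD, corporate and IoT traffic, because separation is done by the returned role and VLAN, not by which network the device joined. Note the ordering trap in rules 2 and 3: if "corp-pc-unhealthy" came first, a healthy corporate device would never reach Corp LAN, which is why a trace function like `explain` belongs next to the engine.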
How to approach a NAC project: best practice and experience
• Know the devices in your network: what is there, where is it, what is new? Inventory and profiling
• Define use cases: which stakeholder groups exist? Processes, workflows, access rights
• Simple and few: keep it simple
• Plan enough time for a proof of concept; feed the PoC experience back and adjust
• Implement step by step: not everything at once, but in the end across the whole network
Thank you for your attention
Manuel Bitzi, Project Manager Network Engineering, SOFTEC AG
Apéro and networking
Thank you for your visit
SOFTEC AG, Industriestrasse 51, CH-6312 Steinhausen, +41 41 747 07 60
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
BR-Auftrag PPP
Schutz kritischer Infrastrukturen in der
Schweiz nur in enger Zusammenarbeit
mit der Wirtschaft moumlglich Public
Private Partnership
Quelle httpventuresafricacomwp-contentuploads201406ppp_2q2012jpg
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
bull Keine Meldepflicht fuumlr Cybervorfaumllle
bull Subsidiaritaumlt
bull Keine Weisungsbefugnis ausserhalb
der Bundesverwaltung
Rahmenbedingungen fuumlr MELANI
Informatiksteuerungsorgan des Bundes ISB
Nachrichtendienst des Bundes NDB
Melde- und Analysestelle Informationssicherung MELANI
MELANI
EFD ISBLeitung und Strategie
GovCERTchTechnische Analysen
VBS NDBOIC MELANINachrichtendienstlicheAnalysen
Geschlossener Kundenkreis
bull Chemie und Pharmabull Energiebull Finanzbull Gesundheitswesenbull Industriebull Medienbull Ruumlstungbull Telekommunikationbull TransportLogistikbull Versicherungenbull Verwaltung
Oumlffentlicher TeilKMU und Buumlrgerwwwmelaniadminch
Internationale Beziehungen
- Interpol- Europol
Software undAntivirenhersteller-Microsoft- Google-Avira- F-Securehellip
EGCEuropean Gov CERTs
Andere Regierungen- CPNI- BSI- A-SIT-
Wissenschaft undForschung-Universitaumlten- Fachhochschulen
FIRSTForum of Incident Responseand Security Teams
Swiss Cyber Experts
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Aufgaben von MELANI
bull Beobachtung und Darstellung der nationalen Lage
bull PraumlventionAlarmierung
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Aufgaben von MELANI
bull Geschlossener Kundenkreis (KI-Betreiber)
bull Praumlvention dank Informationen aus oumlffentlich nicht zugaumlnglichen
Quellen
bull Unterstuumltzung bei der Behebung von Cyber-Vorfaumlllen
bull Offener Kundenkreis (KUM NPO Privatpersonen)
bull Sensibilisierung
bull Praumlvention
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Oumlffentliche Produkte von MELANI (14)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Oumlffentliche Produkte von MELANI (24)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Oumlffentliche Produkte von MELANI (34)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Oumlffentliche Produkte von MELANI (44)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Phishing DB
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Inhalt
bull Die Melde- und Analysestelle Informationssicherung MELANI
bull Aktuelle Bedrohungslage
Titel Datum AutorIn 15
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Veraumlnderung der Bedrohungslage
19 Jahrhundert
derstandardat
Vor 10 Jahren
augsburgerallgemeinede
heute
jdpowercom
bull Modernere Mittel
bull Vernetzte Bevoumllkerung
bull Zu geringes Sicherheitsbewusstsein
morgen
infosecislandcom
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Am Anfang (fast) allen UumlbelsSocial Engineering
ldquoSocial Engineering ist die Kunst eine Person zu einer Tat zu bewegen die in ihrem Interesse sein
kann oder die ihr Schaden zufuumlgen kannrdquo Quelle wwwsocial-engineerorg
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Oumlffentliche WLAN und Gastzugaumlnge
Titel Datum AutorIn 18
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Botnetze
webreadersdewp-contentuploads200801botnetzjpg
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Botnetze als DAS Mittel zumZweck
bull Botnetze liegen praktisch allen kriminellen Aktivitaumlten im
Bereich des Internets zu Grunde
wwwanbieter
Bots
Kontrollserver
Botnetzbetreiber
DDoS
Spam
Malware
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Produkt Preis
Einfacher Windows Bot 10 Cents BotampTag
Bot mit guter Bandbreite 1$ BotampTag
Spezialanfertigung 40$ Bot
Quelle SWITCH-CERT
So billig sind Botnetze zu mieten
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Denial of Service
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Protonmail
Bots
Kontrollserver Armada Collective
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Protonmail
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Der schwarze Montag 2016
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Mirai Botnet by laquoNew World Hackersraquobull Angriffswelle vom 21102016 (ca
50rsquo000 ndash 100rsquo000 Bots)
bull Source Code geleakt
Trittbrettfahrer
bull Konkurrenz zu laquoBashlightraquo
gegenseitiges Kapern
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
DDos Empfehlungen
Praumlvention
bull Businesskritische Systeme identifizieren
bull Schutzmassnahmen mit Provider definieren
Reaktion
bull laquoAussitzenraquo
bull Keinesfalls Loumlsegeld bezahlen
bull Meldung an MELANIKOBIK allenfalls Anzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
CEO Fraud
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
CEO Fraud
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Betrug Empfehlungen
bull Klare Weisungen bezuumlglich Zahlungen erteilen
bull Keine internen Informationen weitergeben
bull Im Zweifelsfall bei der GL nachfragen
bull Vorsicht auch bei Mails von vermeintlich bekannten Personen
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionageangriff auf BV
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage Beispiel aus der Schweiz
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage Empfehlungen
bull Klassifizierung von Dokumenten
bull Regeln fuumlr die verschiedenen Klassfizierungen durchsetzen
bull Netzwerkmonitoring betr verdaumlchtigem Datenverkehr
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Erpressung
httpwwwtrustedwatchde
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner laquoLockyraquo (12)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner laquoLockyraquo (22)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner Empfehlungen
bull Regelmaumlssige Datensicherung
bull Datentraumlger nach Backup vom PC Netz trennen
bull Qualitaumlt der Backups sporadisch uumlberpruumlfen
bull Keinesfalls Loumlsegeld bezahlen
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Max KlausStv Leiter Melde- und Analysestelle
Informationssicherung MELANI
Schwarztorstrasse 59
3003 Bern
Herzlichen Dank fuumlr Ihre Aufmerksamkeit
Mobile-First Arubalsquos sichere Netzwerkarchitektur fuumlr die GenMobileJoumlrg Hofmann HPE Aruba
MOBILE-FIRST
Sichere Netzwerkarchitektur
fuumlr die GenMobile
People Move
Networks Must Follow
WHO ARE WE
Source Gartner Magic Quadrant for the Wired and Wireless LAN Access Infrastructure September 2015 Tim Zimmerman Bill Menezes Andrew Lerner ID Number
G00277052 This Magic Quadrant graphic was published by Gartner Inc as part of a larger research note and should be evaluated in the context of the entire report
The Gartner report is available upon request from HP The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period It depicts
Gartners analysis of how certain vendors measure against criteria for that marketplace as defined by Gartner Gartner does not endorse any vendor product or
service depicted in the Magic Quadrant and does not advise technology users to select only those vendors placed in the Leaders quadrant The Magic Quadrant is
intended solely as a research tool and is not meant to be a specific guide to action Gartner disclaims all warranties express or implied with respect to this research
including any warranties of merchantability or fitness for a particular purpose
ldquoClients globally should consider
Aruba for all wired and wireless
access layer opportunitiesrdquo
Gartner MQ for Wired and Wireless LAN
Access Infrastructure August 2016
Founded 2002 IPO 2007
HPErsquos IT Edge portfolio since June 2015
$24B+ annual revenue run rate
ldquoBiggest Small Companyrdquo
High touch business model
ldquoCustomer First Customer Lastrdquo
Home of 45K+ Mobility Engineers
Airheads Community
ENABLING GREAT
DIGITAL EXPERIENCES FOR GENMOBILE
70 SAY A MOBILE DEVICE MAKES THEM MORE
PRODUCTIVE AT WORK
By 2018 60 of users in mature markets will own and use more
than 3 personal devices
50 of enterprises will allow employees to supply their own
devices by 2017
Forrester ndash CIOs Must Empower the Digital Workplace
Forrester ndash The State of Enterprise Worker Mobility
Gartner ndash The Role of the Desktop in Our Multi-Device World
BY 2020 50 OF THE GLOBAL WORKFORCE WILL BE MILLENNIALS
Millennials believe their personal technology is more
effective at work
63 of millennials work for a company that offers a flexible
work environment
Trends 2016 ndash Code Conference Mary Meeker Annual Presentation
Gartner ndash Millennial Digital Workers Really Are Different From Their Elders
LESS THAN 50 OF EMPLOYEES ARE
SATISFIED WITH TECH THEY HAVE AT WORK
Employees want an environment where they can access and use the technology hey need to do
their best work
Enterprises need to think how untethered employees can move
easily and seamlessly from personal workspace to huddle
area to open areas
Trends 2016 ndash Code Conference Mary Meeker Annual Presentation
Gartner ndash Millennial Digital Workers Really Are Different From Their Elders
80+ NEW IOT PROJECTS TO BE DEPLOYED WITH WIRELESS NETWORK ARCHITECTURE
Installed base of IoTendpoints will grow from
121B in lsquo15 to 30B+ in lsquo20
WLAN will become IoTconnectivity method of choice for many organizations and choosing
the wrong wireless tech can hinder the value of IoT
IDC ndash Planscape Optimizing the WLAN for IoT
IDC ndash Worldwide Internet of Things Forecast Update 2016-2020
THE PERFECT STORM
MOBILE IoT and CLOUD
ldquoOLD STYLErdquo IT INFRASTRUCTURE
Gen Y
ldquoNEW STYLErdquo IT INFRASTRUCTURE
GenMobile
OUR APPROACH
LegacySeparate architectures
Port VLAN aware
Proprietary systems
Mobile FirstSingle set of infrastructure
Insightful context-rich
Developer ready
REQUIREMENTS
FOR IT ORGANIZATIONS
Scale network ops
across wireless and
wired infrastructure
Enable high
quality experience
on mobile UC
Stay compliant
while embracing
BYOD and IoT
Deliver apps to
remote locations
in a heartbeat
Improve workplace
productivity and
influence revenue
growth
EASY TO CONSUME DEVELOPER READY INFRASTRUCTURE
INNOVATION AT THE SPEED OF THE ECOSYSTEM ndash NOT A SINGLE VENDOR
Aruba infrastructure
Wi-Fi BLE Wired WAN
Aruba Mobile First Platform
x
Micro-location
services
Cloud
networking
Location
analytics
Policy
management
Network
managementNetwork
controls
IT services
Business and user facing applications
EMPLOYEE
EXPERIENCE
0900
ENROLL
MOBILE DEVICE
1100
PRIVILEGED ACCESS
WITH MULTI-FACTOR
AUTHENTICATION
1300
BOOK
MEETING ROOM
OPERATIONAL
EXPERIENCE
0930
UNDERSTAND
APP USAGE
Aruba AppRF
1530
MONITOR HEALTH
OF THE SMART
BUILDING
IT EXPERIENCE
1100
PREDICT
DONrsquoT JUST
TROUBLESHOOT
Aruba Clarity
1330
UNDERSTAND
DONrsquoT JUST
MONITOR
ONCE BYOD AND IoT
ARE ON YOUR
NETWORK hellip
SECURING THE
PERIMETER IS NO
LONGER ENOUGH
STAY COMPLIANT
WHILE EMBRACING BYOD AND IOT
Auto-classify unknown devices
on any network with Aruba ClearPass
Automate onboarding of each device
to the network and enforce policy
Detect amp eliminate threats
with ClearPass Exchange partners
SOFTWARE CONTROLS FOR
NETWORK ACCESS SECURITY
Internet of
Things (IoT)
BYOD and
corporate owned
REST
API
Security monitoring
and threat prevention
Device management and
multi-factor authentication
Helpdesk and voiceSMS
service in the cloud
Multi-vendor
switching
Multi-vendor
WLANs
Aruba ClearPass with
Exchange Ecosystem
SOFTWARE CONTROLS FOR ldquoCOLORLESSrdquo PORTS
Device and
user identity
stores
Ports assigned to new
VLANs through ClearPass
based on device type
IoT devices on the
wired network
connecting to any portPrevention against malware
and insider threats
Secure per device
tunneling to Aruba
Mobility Controller
Aruba
switches
LEADING
SWISS
BRANDS
TRUST
US
Pause
Aruba ClearPass ndash Die Loumlsung fuumlr einen sicheren NetzwerkzugangManuel Bitzi SOFTEC AG
Evolution of Access Management and Control
Desktops amp Wired
Basic AAA with UserPort
Control
Windows Vulnerabilities
Perimeter security via
platform silos
High touch IT model
Mobile Devices BYOD amp
Wireless
Multi-factor policy control with
visibility
Multiple Attack Vectors
Cooperative trust via
context sharing
Self Service automated
process
YESTERDAY TODAY
Time For A New Mobility Defense Model
Static Perimeter Defense
IDSIPS
Firewalls
Adaptive Trust Defense
Perimeter
Defense
Physical
Components
AntiVirus
Security and Policy
for each user or
group
Web
gateways
Was sind die Hauptgruumlnde fuumlr ein NAC
AuthentifizierungZugriffsschutz
Automatische Konfiguration
Workflows
VisibilitaumltNachvollziehbarkeit
Top IT NAC Business Drivers
Authentication and Authorization
NAC Services Deployment
Architecture and Coverage
bull Provide secure wired
and wireless access
bull Enhance mobile and
cloud app access
bull Use of certificates
Deployment Services
bull Offer differentiated
access (IT-owned
BYOD IoT)
bull Deliver managed
and reliable guest
access
bull Provide consistent
privileges regardless
of location
bull Leverage 3rd-party
security solutions
bull IT-controlled access
bull Automate workflows
bull Simplicity
bull Possible User-
intervention
ClearPass Policy Manager and NAC Solution
Onboard Guest
Built-inbull Policy Enginebull RADIUSCoATACACSbull Profilingbull Accountingreportsbull Identity store
Expandable Applications
Remote Location
bull BYOD onboardingbull Simple guest accessbull Health assessments
OnGuard
Whatrsquos Inside
VISIBILITY
Device Profiling
Troubleshooting
Per Session Tracking
WORKFLOW
Onboarding and
Self-Registration
Guest Management
MDMEMM Integration
RULES
Context based
Device
Posture Checks
Built-in Certificate
Authority
Authentication Based on Device Context
Device profiling:
• Samsung SM-G900
• Android
• "Jons-Galaxy"
EMM/MDM/OnGuard:
• Personally owned
• Registered
• OS up to date
• Hansen, Jon [Sales]
• MDM enabled = true
• In compliance = true
Identity stores:
• Hansen, Jon [Sales]
• Title – COO
• Dept – Executive office
• City – London
Network devices:
• Location – Bldg 10
• Floor – 3
• Bandwidth – 10 Mbps
Value of a Policy Engine: Remove SSID Overload
• Old way: separate access & traffic by SSIDs
• New way: simplify; separate traffic dynamically by context
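To make the "one SSID, many outcomes" idea concrete, here is an added example (my own code, not ClearPass or anything from the talk) of a context-based policy engine in Python. An ordered rule set evaluates the session context shown on the slides (authentication method, ownership, MDM enrolment and compliance, posture, profiled device category) and returns the role, VLAN and rate limit to enforce, with a fail-closed quarantine default. All attribute names, role names, VLAN IDs and the sample sessions are assumptions constructed for illustration.

```python
"""Context-based access policy engine (added example; not ClearPass code).

One SSID, many outcomes: an ordered rule set maps the context of a session
(who, what device, how it authenticated, posture, where) to an enforcement
profile. Attribute names, roles and VLAN numbers are assumptions.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Tuple

Context = Dict[str, Any]


@dataclass(frozen=True)
class Enforcement:
    role: str
    vlan: int
    bandwidth_kbps: Optional[int] = None  # None = no rate limit


@dataclass
class Rule:
    name: str
    match: Callable[[Context], bool]
    result: Enforcement


# Fail-closed default: a session that no rule claims gets a role that only
# reaches the captive portal / remediation server.
QUARANTINE = Enforcement(role="quarantine", vlan=999, bandwidth_kbps=512)

RULES: List[Rule] = [
    # Corporate laptop: machine certificate (EAP-TLS) and healthy posture.
    Rule("corp-managed",
         lambda c: c.get("auth_method") == "EAP-TLS"
         and c.get("ownership") == "corporate"
         and c.get("posture_compliant") is True,
         Enforcement(role="employee", vlan=10)),
    # BYOD: user authenticated, device enrolled in MDM and reported compliant.
    Rule("byod-compliant",
         lambda c: c.get("auth_method") in ("EAP-TLS", "EAP-PEAP")
         and c.get("ownership") == "personal"
         and c.get("mdm_enrolled") is True
         and c.get("mdm_compliant") is True,
         Enforcement(role="byod", vlan=20, bandwidth_kbps=10_000)),
    # Same user and SSID, but MDM now says non-compliant: remediation only.
    Rule("byod-noncompliant",
         lambda c: c.get("ownership") == "personal"
         and c.get("mdm_compliant") is False,
         QUARANTINE),
    # Profiled IoT sensor on MAC authentication: no user, restricted segment.
    Rule("iot-sensor",
         lambda c: c.get("auth_method") == "MAC"
         and c.get("device_category") == "IoT",
         Enforcement(role="iot", vlan=30, bandwidth_kbps=1_000)),
]


def decide(context: Context, rules: List[Rule] = RULES) -> Tuple[str, Enforcement]:
    """First matching rule wins; anything else is quarantined."""
    for rule in rules:
        if rule.match(context):
            return rule.name, rule.result
    return "default-quarantine", QUARANTINE


# Constructed sessions, all arriving on the same SSID "secure".
SESSIONS: Dict[str, Context] = {
    "jon-laptop": {"user": "jon.hansen", "dept": "Sales", "ownership": "corporate",
                   "auth_method": "EAP-TLS", "posture_compliant": True},
    "jon-laptop-no-av": {"user": "jon.hansen", "dept": "Sales", "ownership": "corporate",
                         "auth_method": "EAP-TLS", "posture_compliant": False},
    "jons-galaxy": {"user": "jon.hansen", "ownership": "personal", "auth_method": "EAP-PEAP",
                    "device_category": "Smartphone", "mdm_enrolled": True, "mdm_compliant": True},
    "jons-galaxy-jailbroken": {"user": "jon.hansen", "ownership": "personal",
                               "auth_method": "EAP-PEAP", "mdm_enrolled": True,
                               "mdm_compliant": False},
    "temp-sensor-0042": {"auth_method": "MAC", "device_category": "IoT"},
    "unknown-mac-device": {"auth_method": "MAC", "device_category": None},
}

if __name__ == "__main__":
    for name, ctx in SESSIONS.items():
        rule, enf = decide(ctx)
        print(f"{name:24} {rule:20} role={enf.role:10} vlan={enf.vlan}")
```

The same user lands in three different VLANs depending on which device he brings and what MDM or OnGuard report about it, which is exactly what the SSID-per-audience design cannot express. Note the order of the rules: the "non-compliant" rule comes after the "compliant" one, and the default is quarantine rather than "allow", so a missing or unexpected attribute can only ever reduce access.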
ClearPass Exchange: End-to-End Control, Information and Visibility
• Multi-vendor infrastructure
• Device management and multi-factor authentication
• Helpdesk and voice/SMS service in the cloud
• Traffic control & threat prevention
• Combine identity information
• Standard protocols for custom extensions: REST API, SQL, XML/HTTP, LDAP, RADIUS/TACACS+
ClearPass Exchange Example: Extensions for Intel Security – McAfee ePO
Endpoints (corporate-owned, BYOD and IoT) on multi-vendor switching and WLAN:
1. Devices establish connections
2. Devices are profiled
3. ClearPass checks McAfee ePO for endpoint status
4. ClearPass enforces access privileges
ClearPass Exchange Example: Bi-directional Exchange – Firewall/IPS Event
1. User connects and uploads a threat
2. Firewall / IPS / SIEM etc. detects and blocks the event
3. Sends the event to ClearPass
4. ClearPass informs the infrastructure
5. Isolates the user
6. Notifies the user, opens a service ticket, notifies third-party devices
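The six-step flow above can be followed in code. The following added example (my own, not ClearPass or any vendor's implementation) correlates a constructed firewall/IPS event with the active RADIUS session for the offending IP address and builds the RFC 5176 CoA-Request that would move that session into a quarantine role on the access device. The session table, the event and the shared secret are constructed; the vendor ID 14823 and Aruba-User-Role = 1 follow the public Aruba RADIUS dictionary and should be checked against the NAS actually in use.

```python
"""Firewall/IPS event to RADIUS CoA quarantine (added example; not ClearPass code).

A threat event from a firewall/IPS/SIEM is correlated with the active RADIUS
session for that IP, and a CoA-Request (RFC 5176) is built that moves the
session into a quarantine role on the NAS. Sessions, event and secret are
constructed. Vendor ID 14823 / Aruba-User-Role = 1 follow the public Aruba
RADIUS dictionary; verify them against the NAS you actually use.
"""
import hashlib
import json
import struct
from datetime import datetime
from typing import Optional

COA_REQUEST = 43                 # RFC 5176 packet code
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44
ATTR_VENDOR_SPECIFIC = 26
ARUBA_VENDOR_ID = 14823          # assumption: public Aruba dictionary
ARUBA_USER_ROLE = 1              # assumption: Aruba-User-Role VSA number

# Constructed active-session table, as the NAC would hold it from RADIUS accounting.
SESSIONS = [
    {"ip": "10.20.5.17", "mac": "a4:5e:60:11:22:33", "user": "jon.hansen",
     "nas_ip": "10.0.0.2", "session_id": "0A0000021A3F", "started": "2017-03-01T08:55:00+00:00"},
    {"ip": "10.20.5.99", "mac": "00:1b:44:aa:bb:cc", "user": "printer-lobby",
     "nas_ip": "10.0.0.3", "session_id": "0A00000305C1", "started": "2017-03-01T07:02:00+00:00"},
]

# Constructed IPS event, as a firewall/SIEM would post it to the NAC.
IPS_EVENT = json.dumps({"timestamp": "2017-03-01T09:12:41+00:00", "src_ip": "10.20.5.17",
                        "signature": "Trojan.Locky.Downloader", "severity": "high",
                        "action": "blocked"})


def find_session(ip: str, when: str, sessions=SESSIONS) -> Optional[dict]:
    """Tie the event IP to a session that was already up at event time.
    DHCP leases get reused, so an IP alone is ambiguous; requiring the session
    to predate the event avoids quarantining whoever got the address next."""
    t = datetime.fromisoformat(when)
    for s in sessions:
        if s["ip"] == ip and datetime.fromisoformat(s["started"]) <= t:
            return s
    return None


def avp(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def aruba_user_role(role: str) -> bytes:
    """Vendor-Specific attribute (RFC 2865 section 5.26) carrying Aruba-User-Role."""
    inner = struct.pack("!BB", ARUBA_USER_ROLE, len(role) + 2) + role.encode()
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", ARUBA_VENDOR_ID) + inner)


def build_coa(session: dict, role: str, secret: bytes, identifier: int = 1) -> bytes:
    """CoA-Request that re-assigns the role of one identified session."""
    attrs = (avp(ATTR_USER_NAME, session["user"].encode())
             + avp(ATTR_CALLING_STATION_ID, session["mac"].encode())
             + avp(ATTR_ACCT_SESSION_ID, session["session_id"].encode())
             + avp(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in session["nas_ip"].split(".")))
             + aruba_user_role(role))
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    # RFC 5176 section 2.3: Request Authenticator =
    #   MD5(Code + Identifier + Length + 16 zero bytes + Attributes + Shared Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_request_authenticator(packet: bytes, secret: bytes) -> bool:
    """What the NAS does on receipt: recompute with its own copy of the secret."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + bytes(16) + attrs + secret).digest() == auth


def handle_event(event_json: str, secret: bytes) -> dict:
    """Decide and prepare the action; never quarantine on an unmatched IP."""
    ev = json.loads(event_json)
    s = find_session(ev["src_ip"], ev["timestamp"])
    if s is None:
        return {"action": "investigate", "reason": f"no active session for {ev['src_ip']}"}
    if ev["severity"] not in ("high", "critical"):
        return {"action": "log", "user": s["user"]}
    return {"action": "quarantine", "user": s["user"], "nas_ip": s["nas_ip"],
            "coa_packet": build_coa(s, "quarantine", secret),
            "ticket": f"{s['user']} ({s['mac']}) isolated after {ev['signature']} at {ev['timestamp']}"}


if __name__ == "__main__":
    result = handle_event(IPS_EVENT, b"constructed-shared-secret")
    print(result["action"], "->", result.get("ticket"))
    print("CoA-Request to", result["nas_ip"], ":", result["coa_packet"].hex())
```

Two details matter in practice. First, the correlation step is where such integrations go wrong: behind NAT, or after a DHCP lease has changed hands, the source IP in the IPS alert may no longer be the endpoint that uploaded the threat, so the code refuses to act when it cannot tie the IP to a session that was already up at event time. Second, the CoA-Request is only integrity-protected by the shared secret over MD5; it should travel over a management network, and the NAS must be configured to accept CoA only from the NAC's address.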
ClearPass Profiler Engine
• ClearPass collects as much information as possible to determine a device type
• Category, family, product name
• The fingerprint database is updated regularly
• Create your own fingerprints
• Store credentials for SNMP, SSH etc.
• Profiling at authentication or on demand
• Detection of IoT devices
Collectors: DHCP, SNMP, SSH, TCP/WMI, CDP/LLDP, OnGuard, NMAP, MAC OUI, HTTP
ClearPass Profiler Engine: Profiling on Authentication, Discover IoT
• Before: unknown device → send to quarantine / profiling
• After: Lighting Sensor, Temperature Sensor → assign new policy
• Discover IoT, assign the appropriate policy
ClearPass Profiler Engine: Custom Fingerprints / Rules
• Old way: wait for new fingerprints to be made and/or manually override devices 1:1
• New way: create your own fingerprints
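Added example (my own code, not ClearPass): a small profiler that scores an endpoint's observations (MAC OUI, DHCP option 55 parameter list, DHCP option 60 vendor class, hostname, HTTP User-Agent) against a fingerprint database, returns Category / Family / Product, maps the result to an enforcement policy with unknown devices going to quarantine-profiling, and shows the "new way" from the slide above: an administrator adds a custom fingerprint for a sensor the vendor database does not know. All OUIs, DHCP values and fingerprints are constructed for illustration and are not real vendor data.

```python
"""Device profiling from passive collectors (added example; not ClearPass code).

Combine what the network reveals about an endpoint and match it against a
fingerprint database to get Category / Family / Product. Unknown devices
get a quarantine-profiling policy; an admin can add a custom fingerprint.
All OUIs, DHCP option values and fingerprints here are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Observation:
    mac: str                                   # colon-separated, any case
    dhcp_params: Tuple[int, ...] = ()          # DHCP option 55 parameter request list
    dhcp_vendor_class: str = ""                # DHCP option 60
    hostname: str = ""
    user_agent: str = ""                       # from HTTP collector / captive portal


@dataclass
class Fingerprint:
    category: str
    family: str
    product: str
    oui: Optional[str] = None                  # first 3 octets, e.g. "a4:5e:60"
    dhcp_params: Optional[Tuple[int, ...]] = None
    vendor_class_contains: Optional[str] = None
    user_agent_contains: Optional[str] = None
    hostname_prefix: Optional[str] = None

    def score(self, o: Observation) -> int:
        """Weighted evidence. Any stated attribute that does not match
        disqualifies the fingerprint; more specific evidence scores higher."""
        checks = [
            # OUI alone is weak evidence: it is spoofable and phones randomise it.
            (self.oui, o.mac.lower()[:8] == (self.oui or "").lower(), 1),
            (self.dhcp_params, o.dhcp_params == self.dhcp_params, 3),
            (self.vendor_class_contains, (self.vendor_class_contains or "") in o.dhcp_vendor_class, 2),
            (self.user_agent_contains, (self.user_agent_contains or "") in o.user_agent, 2),
            (self.hostname_prefix, o.hostname.lower().startswith((self.hostname_prefix or "").lower()), 1),
        ]
        total = 0
        for stated, matched, weight in checks:
            if stated is None:
                continue
            if not matched:
                return 0
            total += weight
        return total


# Constructed "vendor-supplied" fingerprint database.
FINGERPRINTS: List[Fingerprint] = [
    Fingerprint("Smartphone", "Android", "Samsung Galaxy S5", oui="a4:5e:60",
                dhcp_params=(1, 3, 6, 15, 26, 28, 51, 58, 59, 43), user_agent_contains="SM-G900"),
    Fingerprint("Smartphone", "Android", "Samsung (generic)", oui="a4:5e:60"),
    Fingerprint("Computer", "Windows", "Windows 10",
                dhcp_params=(1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252),
                vendor_class_contains="MSFT 5.0"),
    Fingerprint("Printer", "HP", "HP LaserJet", hostname_prefix="NPI", vendor_class_contains="Hewlett"),
]

MIN_SCORE = 3   # an OUI-only match (score 1) is not enough to classify


def profile(o: Observation, db: List[Fingerprint]) -> Optional[Fingerprint]:
    best = max(db, key=lambda f: f.score(o), default=None)
    return best if best is not None and best.score(o) >= MIN_SCORE else None


def policy_for(fp: Optional[Fingerprint]) -> str:
    """Policy the enforcement side applies after profiling (names are assumptions)."""
    if fp is None:
        return "quarantine-profiling"          # restricted VLAN; keep collecting
    return {"IoT": "iot-restricted", "Printer": "printers", "Smartphone": "byod",
            "Computer": "employee"}.get(fp.category, "quarantine-profiling")


def add_custom_fingerprint(db: List[Fingerprint], **kw) -> List[Fingerprint]:
    """Admin-defined rule: the 'new way', no waiting for the vendor database."""
    return db + [Fingerprint(**kw)]


if __name__ == "__main__":
    phone = Observation("A4:5E:60:12:34:56", (1, 3, 6, 15, 26, 28, 51, 58, 59, 43),
                        "android-dhcp-6.0", "Jons-Galaxy", "Mozilla/5.0 (Linux; Android 6.0.1; SM-G900F)")
    sensor = Observation("70:b3:d5:aa:00:01", (1, 3, 6), "ACME-TempSense/1.2", "tsense-0042")
    for o in (phone, sensor):
        fp = profile(o, FINGERPRINTS)
        print(o.hostname, "->", fp.product if fp else "unknown", "/", policy_for(fp))
    custom = add_custom_fingerprint(FINGERPRINTS, category="IoT", family="Sensor",
                                    product="ACME TempSense", oui="70:b3:d5",
                                    vendor_class_contains="ACME-TempSense")
    fp = profile(sensor, custom)
    print(sensor.hostname, "->", fp.product, "/", policy_for(fp))
```

The scoring threshold is the security-relevant knob: a MAC prefix is enough to label a device for inventory, but not enough to grant it a more permissive policy, because every attribute a passive profiler sees is set by the endpoint itself. Profiling differentiates devices that cannot authenticate; it does not authenticate them, which is why the wired and wireless access concepts later in this talk pair MAC authentication and profiling with a restricted segment.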
ClearPass Universal Profiler: Standalone Profiling Engine
• Standalone profiling engine
• Wired and wireless networks
• Easily distributed for coverage and scalability
• New device visibility dashboard
• Reports
• Gain visibility of your network
• GA February 2017
DEMO: Profiling
ClearPass Modules / Workflows: OnGuard Client Health Check
• Automated health check before access
• Wired/wireless: ensures posture compliance for laptops/computers
• Security: forces use of anti-virus/anti-spyware, firewalls, disk encryption …
• Remediation: manual or automatic
• Visibility: identifies poor behavior
• User notification: tells the user about failed checks
• Type: persistent service or dissolvable web checker
DEMO: OnGuard
ClearPass Modules / Workflows: Secure Guest Login
• Flexible guest logins for any visitor
• Customizable splash pages
• Self-service workflows
• SMS authentication
• Sponsoring
• Social login
• Vouchers
• Predefined user/password
• MAC caching for repeat visitors
• Suitable for mobile devices
ClearPass Modules / Workflows: Secure Guest Login – Look and Feel (screenshots)
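Two of the guest mechanisms listed above, vouchers and MAC caching, as an added example (my own code, not ClearPass Guest): a sponsor creates a random, time-limited, single-use voucher; a successful captive-portal login caches the guest's MAC address for a short time so the device skips the portal on its next visit; and an unknown or expired entry sends the device back to the portal. TTLs, the voucher format and all names are assumptions.

```python
"""Guest vouchers and MAC caching with expiry (added example; not ClearPass Guest).

A sponsor creates a random, time-limited, single-use voucher. After the guest
redeems it on the captive portal, the device MAC is cached so it skips the
portal on return. The cache TTL is short on purpose: a MAC is trivially
spoofed and modern phones randomise it per SSID, so MAC caching is a
convenience for an Internet-only guest VLAN, not an authentication.
TTLs, names and the voucher format are assumptions.
"""
import secrets
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

VOUCHER_TTL = timedelta(hours=8)
MAC_CACHE_TTL = timedelta(hours=24)
# No 0/O or 1/I: guests type these by hand on a phone keyboard.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def normalise_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-..., aabb.ccdd.eeff; return lower-case colon form."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


class FakeClock:
    """Deterministic clock for the demo and tests; production passes the real one."""
    def __init__(self, start: str = "2017-03-01T09:00:00+00:00"):
        self.now = datetime.fromisoformat(start)

    def advance_hours(self, hours: float) -> None:
        self.now += timedelta(hours=hours)

    def __call__(self) -> datetime:
        return self.now


class GuestStore:
    def __init__(self, now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._now = now
        self.vouchers: Dict[str, dict] = {}
        self.mac_cache: Dict[str, dict] = {}

    def create_voucher(self, sponsor: str, visitor: str) -> str:
        """Sponsor workflow: 12 symbols from a 32-symbol alphabet = 60 bits from the OS CSPRNG."""
        code = "-".join("".join(secrets.choice(ALPHABET) for _ in range(4)) for _ in range(3))
        self.vouchers[code] = {"sponsor": sponsor, "visitor": visitor,
                               "expires": self._now() + VOUCHER_TTL, "used": False}
        return code

    def redeem(self, code: str, mac: str) -> bool:
        """Captive-portal login with a voucher; on success the MAC is cached."""
        voucher = self.vouchers.get(code.strip().upper())
        if voucher is None or voucher["used"] or self._now() > voucher["expires"]:
            return False
        voucher["used"] = True                       # single use
        self.mac_cache[normalise_mac(mac)] = {"visitor": voucher["visitor"],
                                              "sponsor": voucher["sponsor"],
                                              "expires": self._now() + MAC_CACHE_TTL}
        return True

    def mac_known(self, mac: str) -> Optional[str]:
        """MAC-auth path on reconnect: visitor name if cached and fresh, else None
        (None means: send the device to the portal again)."""
        key = normalise_mac(mac)
        entry = self.mac_cache.get(key)
        if entry is None:
            return None
        if self._now() > entry["expires"]:
            del self.mac_cache[key]
            return None
        return entry["visitor"]


if __name__ == "__main__":
    clock = FakeClock()
    store = GuestStore(now=clock)
    code = store.create_voucher("jon.hansen", "visitor@example.org")
    print("voucher:", code, "redeem:", store.redeem(code, "AA-BB-CC-DD-EE-01"))
    print("reconnect same day:", store.mac_known("aa:bb:cc:dd:ee:01"))
    clock.advance_hours(25)
    print("reconnect next day:", store.mac_known("aa:bb:cc:dd:ee:01"))
```

Because the cache entry keeps the sponsor and visitor, every MAC-authenticated guest session stays attributable to a person, which is the "traceability" driver from the beginning of the talk; the short TTL bounds how long a copied MAC address buys an attacker on the guest VLAN.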
ClearPass Modules / Workflows: Onboard Employee Device
• BYOD: employees log in with personal devices
• User- and IT-friendly: one-time user registration, no IT intervention
• Security: IT-managed 802.1X and certificates
• Context: data added to the profile for adaptive policy and troubleshooting
• Self-managed: users can manage, delete and block their devices on their own
ClearPass Modules / Workflows: Certificate Distribution for BYOD
• Enterprise PKI and CA (Active Directory, Registration Authority, Validation Authority, Certificate Authority) → IT-managed devices: domain, key & certificate
• Built-in ClearPass CA → personal devices: domain, user, device, key & unique certificate
ClearPass Modules / Workflows: Multi-Factor Authentication
• Additional authentication for Guest and Onboard workflows
• Multiple methods supported: SMS verification code, RSA Security, Duo, Zoom Facial Network, Kasada, more to come
DEMO: Onboard BYOD
Possible Access Concept: Wireless
• Guests: SSID "open" with captive portal → Internet only
• BYOD and Corp-PC: SSID "secure" with 802.1X → Corp LAN for Corp-PC, Internet for others
• IoT: SSID "IoT" with PSK, MAC authentication and profiling
Possible Access Concept: Wired
• Guests: captive portal → Internet only
• 802.1X with certificate (Corp-PC) → Corp LAN
• MAC authentication and profiling (others) → Internet
How to Approach a NAC Project: Best Practice and Experience
• Know the devices on the network: what is there, where is it, what is new? Inventory, profiling
• Define use cases: which stakeholder groups exist? Procedures, processes, access
• Simple and few: keep it simple
• Plan enough time for a proof of concept; feed the PoC experience back and adjust
• Implement step by step: not everything at once, but ultimately with full coverage
Thank you for your attention
Manuel Bitzi, Project Manager Network Engineering
manuelbitzisoftecch
Apéro and networking
Thank you for your visit
SOFTEC AG, Industriestrasse 51, CH-6312 Steinhausen
kurtchristensoftecch, +41 41 747 07 60
International relations
• Interpol, Europol
• Software and anti-virus vendors: Microsoft, Google, Avira, F-Secure …
• EGC (European Government CERTs)
• Other governments: CPNI, BSI, A-SIT
• Academia and research: universities, universities of applied sciences
• FIRST (Forum of Incident Response and Security Teams)
• Swiss Cyber Experts
Tasks of MELANI
• Monitoring and presenting the national situation
• Prevention / alerting
Tasks of MELANI
• Closed constituency (critical infrastructure operators): prevention based on information from non-public sources; support in resolving cyber incidents
• Open constituency (SMEs, NPOs, private individuals): awareness-raising; prevention
Public products of MELANI (1/4 to 4/4: screenshots)
Phishing DB
Contents
• The Reporting and Analysis Centre for Information Assurance MELANI
• Current threat situation
Changes in the threat landscape
• 19th century (image: derstandard.at)
• 10 years ago (image: augsburger-allgemeine.de)
• Today (image: jdpower.com): more modern means; networked population; too little security awareness
• Tomorrow (image: infosecisland.com)
At the root of (almost) all evil: social engineering
"Social engineering is the art of getting a person to take an action that may be in their interest or may cause them harm." Source: www.social-engineer.org
Public WLAN and guest access
Botnets (image: webreaders.de/wp-content/uploads/2008/01/botnetz.jpg)
Botnets as THE means to an end
• Botnets underlie practically all criminal activity on the Internet
Diagram: botnet operator → control server → bots → DDoS, spam, malware (via web provider)
This is how cheaply botnets can be rented (source: SWITCH-CERT)
Product                    Price
Simple Windows bot         10 cents per bot and day
Bot with good bandwidth    $1 per bot and day
Custom build               $40 per bot
Denial of Service
Protonmail: bots, control server, Armada Collective
Protonmail
Black Monday 2016
Mirai botnet by "New World Hackers"
• Attack wave of 21 October 2016 (approx. 50,000–100,000 bots)
• Source code leaked → copycats
• Competition with "Bashlight" → mutual hijacking
DDoS recommendations
Prevention:
• Identify business-critical systems
• Define protective measures with your provider
Reaction:
• "Sit it out"
• Never pay a ransom
• Report to MELANI / KOBIK; if appropriate, file a complaint against persons unknown with the cantonal police (KaPo)
CEO Fraud
Fraud recommendations
• Issue clear instructions regarding payments
• Do not pass on internal information
• If in doubt, check with management
• Be careful even with e-mails from supposedly known persons
• Inform MELANI / KOBIK; if appropriate, file a criminal complaint against persons unknown with the cantonal police (KaPo)
Espionage
Espionage attack on the Federal Administration
Espionage: example from Switzerland
Espionage recommendations
• Classification of documents
• Enforce the rules for the different classifications
• Network monitoring for suspicious traffic
• Inform MELANI / KOBIK; if appropriate, file a criminal complaint against persons unknown with the cantonal police (KaPo)
Extortion (image: http://www.trustedwatch.de)
Encryption trojan "Locky" (1/2, 2/2)
Encryption trojan recommendations
• Regular backups
• Disconnect the backup media from the PC / network after the backup
• Check the quality of the backups from time to time
• Never pay a ransom
• Inform MELANI / KOBIK; if appropriate, file a criminal complaint against persons unknown with the cantonal police (KaPo)
Max Klaus, Deputy Head, Reporting and Analysis Centre for Information Assurance MELANI
Schwarztorstrasse 59, 3003 Bern
Thank you for your attention
Mobile-First: Aruba's secure network architecture for GenMobile (Jörg Hofmann, HPE Aruba)
MOBILE-FIRST: Secure network architecture for GenMobile
People move. Networks must follow.
WHO ARE WE
Source: Gartner, Magic Quadrant for the Wired and Wireless LAN Access Infrastructure, September 2015, Tim Zimmerman, Bill Menezes, Andrew Lerner, ID Number G00277052. This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from HP. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
"Clients globally should consider Aruba for all wired and wireless access layer opportunities" – Gartner MQ for Wired and Wireless LAN Access Infrastructure, August 2016
• Founded 2002, IPO 2007
• HPE's IT Edge portfolio since June 2015
• $2.4B+ annual revenue run rate
• "Biggest Small Company"
• High-touch business model: "Customer First, Customer Last"
• Home of 45K+ mobility engineers: Airheads Community
ENABLING GREAT DIGITAL EXPERIENCES FOR GENMOBILE
• 70% say a mobile device makes them more productive at work
• By 2018, 60% of users in mature markets will own and use more than 3 personal devices
• 50% of enterprises will allow employees to supply their own devices by 2017
(Forrester – CIOs Must Empower the Digital Workplace; Forrester – The State of Enterprise Worker Mobility; Gartner – The Role of the Desktop in Our Multi-Device World)
BY 2020, 50% OF THE GLOBAL WORKFORCE WILL BE MILLENNIALS
• Millennials believe their personal technology is more effective at work
• 63% of millennials work for a company that offers a flexible work environment
(Trends 2016 – Code Conference, Mary Meeker Annual Presentation; Gartner – Millennial Digital Workers Really Are Different From Their Elders)
LESS THAN 50% OF EMPLOYEES ARE SATISFIED WITH THE TECH THEY HAVE AT WORK
• Employees want an environment where they can access and use the technology they need to do their best work
• Enterprises need to think about how untethered employees can move easily and seamlessly from personal workspace to huddle area to open areas
(Trends 2016 – Code Conference, Mary Meeker Annual Presentation; Gartner – Millennial Digital Workers Really Are Different From Their Elders)
80+ NEW IOT PROJECTS TO BE DEPLOYED WITH WIRELESS NETWORK ARCHITECTURE
• Installed base of IoT endpoints will grow from 12.1B in 2015 to 30B+ in 2020
• WLAN will become the IoT connectivity method of choice for many organizations, and choosing the wrong wireless tech can hinder the value of IoT
(IDC – Planscape: Optimizing the WLAN for IoT; IDC – Worldwide Internet of Things Forecast Update 2016–2020)
THE PERFECT STORM: MOBILE, IoT and CLOUD
"Old style" IT infrastructure (Gen Y) vs. "new style" IT infrastructure (GenMobile)
OUR APPROACH
• Legacy: separate architectures; port/VLAN aware; proprietary systems
• Mobile First: single set of infrastructure; insightful, context-rich; developer ready
REQUIREMENTS FOR IT ORGANIZATIONS
• Scale network ops across wireless and wired infrastructure
• Enable a high-quality experience on mobile UC
• Stay compliant while embracing BYOD and IoT
• Deliver apps to remote locations in a heartbeat
• Improve workplace productivity and influence revenue growth
EASY TO CONSUME, DEVELOPER-READY INFRASTRUCTURE: INNOVATION AT THE SPEED OF THE ECOSYSTEM – NOT A SINGLE VENDOR
• Aruba infrastructure: Wi-Fi, BLE, wired, WAN
• Aruba Mobile First Platform: micro-location services; cloud networking; location analytics; policy management; network management; network controls
• IT services; business and user-facing applications
EMPLOYEE EXPERIENCE: 09:00 enroll mobile device; 11:00 privileged access with multi-factor authentication; 13:00 book meeting room
OPERATIONAL EXPERIENCE: 09:30 understand app usage (Aruba AppRF); 15:30 monitor health of the smart building
IT EXPERIENCE: 11:00 predict, don't just troubleshoot (Aruba Clarity); 13:30 understand, don't just monitor
ONCE BYOD AND IoT ARE ON YOUR NETWORK … SECURING THE PERIMETER IS NO LONGER ENOUGH
STAY COMPLIANT WHILE EMBRACING BYOD AND IoT
• Auto-classify unknown devices on any network with Aruba ClearPass
• Automate onboarding of each device to the network and enforce policy
• Detect & eliminate threats with ClearPass Exchange partners
SOFTWARE CONTROLS FOR NETWORK ACCESS SECURITY
Aruba ClearPass with Exchange Ecosystem (REST API): Internet of Things (IoT); BYOD and corporate-owned devices; security monitoring and threat prevention; device management and multi-factor authentication; helpdesk and voice/SMS service in the cloud; multi-vendor switching; multi-vendor WLANs
SOFTWARE CONTROLS FOR "COLORLESS" PORTS
• Device and user identity stores
• Ports assigned to new VLANs through ClearPass based on device type
• IoT devices on the wired network connecting to any port
• Prevention against malware and insider threats
• Secure per-device tunneling from Aruba switches to the Aruba Mobility Controller
LEADING SWISS BRANDS TRUST US
Break
Aruba ClearPass ndash Die Loumlsung fuumlr einen sicheren NetzwerkzugangManuel Bitzi SOFTEC AG
Evolution of Access Management and Control
Desktops amp Wired
Basic AAA with UserPort
Control
Windows Vulnerabilities
Perimeter security via
platform silos
High touch IT model
Mobile Devices BYOD amp
Wireless
Multi-factor policy control with
visibility
Multiple Attack Vectors
Cooperative trust via
context sharing
Self Service automated
process
YESTERDAY TODAY
Time For A New Mobility Defense Model
Static Perimeter Defense
IDSIPS
Firewalls
Adaptive Trust Defense
Perimeter
Defense
Physical
Components
AntiVirus
Security and Policy
for each user or
group
Web
gateways
Was sind die Hauptgruumlnde fuumlr ein NAC
AuthentifizierungZugriffsschutz
Automatische Konfiguration
Workflows
VisibilitaumltNachvollziehbarkeit
Top IT NAC Business Drivers
Authentication and Authorization
NAC Services Deployment
Architecture and Coverage
bull Provide secure wired
and wireless access
bull Enhance mobile and
cloud app access
bull Use of certificates
Deployment Services
bull Offer differentiated
access (IT-owned
BYOD IoT)
bull Deliver managed
and reliable guest
access
bull Provide consistent
privileges regardless
of location
bull Leverage 3rd-party
security solutions
bull IT-controlled access
bull Automate workflows
bull Simplicity
bull Possible User-
intervention
ClearPass Policy Manager and NAC Solution
Onboard Guest
Built-inbull Policy Enginebull RADIUSCoATACACSbull Profilingbull Accountingreportsbull Identity store
Expandable Applications
Remote Location
bull BYOD onboardingbull Simple guest accessbull Health assessments
OnGuard
Whatrsquos Inside
VISIBILITY
Device Profiling
Troubleshooting
Per Session Tracking
WORKFLOW
Onboarding and
Self-Registration
Guest Management
MDMEMM Integration
RULES
Context based
Device
Posture Checks
Built-in Certificate
Authority
Authentication based on Device Context
Device
Profiling
bull Samsung SM-G900
bull Android
bull ldquoJons-Galaxyrdquo
EMMMDMOnGuard
bull Personal owned
bull Registered
bull OS up-to-date
bull Hansen Jon [Sales]
bull MDM enabled = true
bull In-compliance = true
Identity
Stores
Network Devices
bull Hansen Jon [Sales]
bull Title ndash COO
bull Dept ndash Executive office
bull City ndash London
bull Location ndash Bldg 10
bull Floor ndash 3
bull Bandwidth ndash 10Mbps
Value of a Policy EngineRemove SSID Overload
NEW WAY Simplify separate traffic dynamically
by context
OLD WAY Separate access amp
traffic by SSIDs
ClearPass ExchangeEnd-to-End Control Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voiceSMSservice in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST APISQL
XMLHTTP LDAP
RADIUSTACACS
Traffic control ampthreat prevention
ClearPass Exchange ExampleExtensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
Devices profiled2 ClearPass checks McAfee ePO for endpoint status
3
ClearPass enforcesaccess privileges4
Devices establish connections1
ClearPass Exchange ExampleBi-directional Exchange ndash FirewallIPS Event
FirewallIPSSIEMetchellip
user connects and uploads threat
sends event to ClearPass
informs infrastructure
1 2
4
detects and blocks event
3isolates user5
notifies user opens service ticket notify third-party devices6
ClearPass Profiler Engine
bull ClearPass sammelt so viele Informationen wie moumlglich um einen Geraumltetyp zu bestimmen
bull Category Family Product Name
bull Fingerprint-Datenbank wird regelmaumlssig aktualisiert
bull Eigene Fingerprints erstellen
bull Credentials fuumlr SMNP SSH etc hinterlegen
bull Profiling bei Authentifizierung oder nach Bedarf
bull Erkennen von IoT Devices
DHCP
SNMP
SSH
TCPWMI
CDP LLDP
OnGuard
NMAP
Mac OUI
HTTP
ClearPass Profiler EngineProfiling on authentication discover IoT
AfterBefore
Lighting Sensorunknown
unknown Temperature Sensor
send to
quarantineprofiling assign
new policy
discover IoT assign appropriated policy
ClearPass Profiler EngineCustom Fingerprints Rules
NEW WAY Create your own
Fingerprints
OLD WAY Wait for new Fingerprints to be made andor manually override
devices 11
ClearPass Universal ProfilerStandalone Profiling Engine
bull Standalone profiling engine
bull Wired and wireless networks
bull Easily distributed for coverage
and scalability
bull New device visibility dashboard
bull Reports
bull Gain Visibility of your Network
bull GA February 2017
ClearPass Universal Profiler
DEMO Profiling
Clearpass Modules WorkflowsOnGuard Client Health Check
bull Automated Healthcheck before Access
bull WiredWireless Ensures posture compliance for laptopscomputers
bull Security Forces use of Anti-VirusAnti-Spyware firewalls disk encryptionhellip
bull Remediation Manual or auto
bull Visibility Identifies poor behavior
bull User Notification Tells User about failed checks
bull Type Service or dissolvable Web Checker
DEMO OnGuard
Clearpass Modules WorkflowsSecure Guest Login
bull Flexible Guest Logins for Any Visitor
bull Customizable Splash Pages
bull Self-Service Workflows
bull SMS Authentication
bull Sponsoring
bull Social Login
bull Vouchers
bull Predefined UserPassword
bull MAC Caching for repeat visitors
bull Suitable for Mobile Devices
Clearpass Modules WorkflowsSecure Guest Login Look and Feel
Clearpass Modules WorkflowsOnBoard Employee Device
bull BYOD Employees Login with Personal Devices
bull User and IT friendly One time user registration no IT intervention
bull Security IT managed 8021X and Certificates
bull Context Data added to profile for adaptive policy and troubleshooting
bull Selfmanaged User can manage delete and block devices by their own
Clearpass Modules WorkflowsCertificate Distribution for BYOD
bull Domain
bull Key amp
Certificate
Enterprise PKI and CA Built-in ClearPass CA
Certificate
Authority
Validation
Authority
Registration
Authority
Active
Directory
IT-Managed
Devices
bull Domain
bull User
bull Device
bull Key amp Unique
Certificate
Personal
Devices
CA
Certificate
Authority
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
Informatiksteuerungsorgan des Bundes ISB
Nachrichtendienst des Bundes NDB
Melde- und Analysestelle Informationssicherung MELANI
MELANI
EFD ISBLeitung und Strategie
GovCERTchTechnische Analysen
VBS NDBOIC MELANINachrichtendienstlicheAnalysen
Geschlossener Kundenkreis
bull Chemie und Pharmabull Energiebull Finanzbull Gesundheitswesenbull Industriebull Medienbull Ruumlstungbull Telekommunikationbull TransportLogistikbull Versicherungenbull Verwaltung
Oumlffentlicher TeilKMU und Buumlrgerwwwmelaniadminch
Internationale Beziehungen
- Interpol- Europol
Software undAntivirenhersteller-Microsoft- Google-Avira- F-Securehellip
EGCEuropean Gov CERTs
Andere Regierungen- CPNI- BSI- A-SIT-
Wissenschaft undForschung-Universitaumlten- Fachhochschulen
FIRSTForum of Incident Responseand Security Teams
Swiss Cyber Experts
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Aufgaben von MELANI
bull Beobachtung und Darstellung der nationalen Lage
bull PraumlventionAlarmierung
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Aufgaben von MELANI
bull Geschlossener Kundenkreis (KI-Betreiber)
bull Praumlvention dank Informationen aus oumlffentlich nicht zugaumlnglichen
Quellen
bull Unterstuumltzung bei der Behebung von Cyber-Vorfaumlllen
bull Offener Kundenkreis (KUM NPO Privatpersonen)
bull Sensibilisierung
bull Praumlvention
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Oumlffentliche Produkte von MELANI (14)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Oumlffentliche Produkte von MELANI (24)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Oumlffentliche Produkte von MELANI (34)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Oumlffentliche Produkte von MELANI (44)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Phishing DB
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Inhalt
bull Die Melde- und Analysestelle Informationssicherung MELANI
bull Aktuelle Bedrohungslage
Titel Datum AutorIn 15
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Veraumlnderung der Bedrohungslage
19 Jahrhundert
derstandardat
Vor 10 Jahren
augsburgerallgemeinede
heute
jdpowercom
bull Modernere Mittel
bull Vernetzte Bevoumllkerung
bull Zu geringes Sicherheitsbewusstsein
morgen
infosecislandcom
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Am Anfang (fast) allen UumlbelsSocial Engineering
ldquoSocial Engineering ist die Kunst eine Person zu einer Tat zu bewegen die in ihrem Interesse sein
kann oder die ihr Schaden zufuumlgen kannrdquo Quelle wwwsocial-engineerorg
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Oumlffentliche WLAN und Gastzugaumlnge
Titel Datum AutorIn 18
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Botnetze
webreadersdewp-contentuploads200801botnetzjpg
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Botnetze als DAS Mittel zumZweck
bull Botnetze liegen praktisch allen kriminellen Aktivitaumlten im
Bereich des Internets zu Grunde
wwwanbieter
Bots
Kontrollserver
Botnetzbetreiber
DDoS
Spam
Malware
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Produkt Preis
Einfacher Windows Bot 10 Cents BotampTag
Bot mit guter Bandbreite 1$ BotampTag
Spezialanfertigung 40$ Bot
Quelle SWITCH-CERT
So billig sind Botnetze zu mieten
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Denial of Service
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Protonmail
Bots
Kontrollserver Armada Collective
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Protonmail
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Der schwarze Montag 2016
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Mirai Botnet by laquoNew World Hackersraquobull Angriffswelle vom 21102016 (ca
50rsquo000 ndash 100rsquo000 Bots)
bull Source Code geleakt
Trittbrettfahrer
bull Konkurrenz zu laquoBashlightraquo
gegenseitiges Kapern
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
DDos Empfehlungen
Praumlvention
bull Businesskritische Systeme identifizieren
bull Schutzmassnahmen mit Provider definieren
Reaktion
bull laquoAussitzenraquo
bull Keinesfalls Loumlsegeld bezahlen
bull Meldung an MELANIKOBIK allenfalls Anzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
CEO Fraud
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
CEO Fraud
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Betrug Empfehlungen
bull Klare Weisungen bezuumlglich Zahlungen erteilen
bull Keine internen Informationen weitergeben
bull Im Zweifelsfall bei der GL nachfragen
bull Vorsicht auch bei Mails von vermeintlich bekannten Personen
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionageangriff auf BV
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage Beispiel aus der Schweiz
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage Empfehlungen
bull Klassifizierung von Dokumenten
bull Regeln fuumlr die verschiedenen Klassfizierungen durchsetzen
bull Netzwerkmonitoring betr verdaumlchtigem Datenverkehr
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Erpressung
httpwwwtrustedwatchde
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner laquoLockyraquo (12)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner laquoLockyraquo (22)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner Empfehlungen
bull Regelmaumlssige Datensicherung
bull Datentraumlger nach Backup vom PC Netz trennen
bull Qualitaumlt der Backups sporadisch uumlberpruumlfen
bull Keinesfalls Loumlsegeld bezahlen
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Max KlausStv Leiter Melde- und Analysestelle
Informationssicherung MELANI
Schwarztorstrasse 59
3003 Bern
Herzlichen Dank fuumlr Ihre Aufmerksamkeit
Mobile-First: Aruba's secure network architecture for GenMobile (Jörg Hofmann, HPE Aruba)
MOBILE-FIRST
Secure network architecture for GenMobile
People Move, Networks Must Follow
WHO ARE WE
Source: Gartner, Magic Quadrant for the Wired and Wireless LAN Access Infrastructure, September 2015, Tim Zimmerman, Bill Menezes, Andrew Lerner, ID Number G00277052. This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from HP. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant and does not advise technology users to select only those vendors placed in the Leaders quadrant. The Magic Quadrant is intended solely as a research tool and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
"Clients globally should consider Aruba for all wired and wireless access layer opportunities"
Gartner MQ for Wired and Wireless LAN Access Infrastructure, August 2016
Founded 2002, IPO 2007
HPE's IT Edge portfolio since June 2015
$2.4B+ annual revenue run rate
"Biggest Small Company"
High touch business model
"Customer First, Customer Last"
Home of 45K+ Mobility Engineers
Airheads Community
ENABLING GREAT DIGITAL EXPERIENCES FOR GENMOBILE
70% SAY A MOBILE DEVICE MAKES THEM MORE PRODUCTIVE AT WORK
By 2018, 60% of users in mature markets will own and use more than 3 personal devices
50% of enterprises will allow employees to supply their own devices by 2017
Forrester – CIOs Must Empower the Digital Workplace
Forrester – The State of Enterprise Worker Mobility
Gartner – The Role of the Desktop in Our Multi-Device World
BY 2020, 50% OF THE GLOBAL WORKFORCE WILL BE MILLENNIALS
Millennials believe their personal technology is more effective at work
63% of millennials work for a company that offers a flexible work environment
Trends 2016 – Code Conference, Mary Meeker Annual Presentation
Gartner – Millennial Digital Workers Really Are Different From Their Elders
LESS THAN 50% OF EMPLOYEES ARE SATISFIED WITH THE TECH THEY HAVE AT WORK
Employees want an environment where they can access and use the technology they need to do their best work
Enterprises need to think about how untethered employees can move easily and seamlessly from personal workspace to huddle area to open areas
Trends 2016 – Code Conference, Mary Meeker Annual Presentation
Gartner – Millennial Digital Workers Really Are Different From Their Elders
80%+ OF NEW IOT PROJECTS TO BE DEPLOYED WITH WIRELESS NETWORK ARCHITECTURE
Installed base of IoT endpoints will grow from 12.1B in '15 to 30B+ in '20
WLAN will become the IoT connectivity method of choice for many organizations, and choosing the wrong wireless tech can hinder the value of IoT
IDC – Planscape: Optimizing the WLAN for IoT
IDC – Worldwide Internet of Things Forecast Update, 2016-2020
THE PERFECT STORM: MOBILE, IoT AND CLOUD
"OLD STYLE" IT INFRASTRUCTURE: Gen Y
"NEW STYLE" IT INFRASTRUCTURE: GenMobile
OUR APPROACH
Legacy: separate architectures; port/VLAN aware; proprietary systems
Mobile First: single set of infrastructure; insightful, context-rich; developer ready
REQUIREMENTS FOR IT ORGANIZATIONS
Scale network ops across wireless and wired infrastructure
Enable high quality experience on mobile UC
Stay compliant while embracing BYOD and IoT
Deliver apps to remote locations in a heartbeat
Improve workplace productivity and influence revenue growth
EASY TO CONSUME, DEVELOPER READY INFRASTRUCTURE
INNOVATION AT THE SPEED OF THE ECOSYSTEM – NOT A SINGLE VENDOR
Aruba infrastructure: Wi-Fi, BLE, Wired, WAN
Aruba Mobile First Platform: micro-location services, cloud networking, location analytics, policy management, network management, network controls
IT services
Business and user facing applications
EMPLOYEE EXPERIENCE
09:00 Enroll mobile device
11:00 Privileged access with multi-factor authentication
13:00 Book meeting room
OPERATIONAL EXPERIENCE
09:30 Understand app usage (Aruba AppRF)
15:30 Monitor health of the smart building
IT EXPERIENCE
11:00 Predict, don't just troubleshoot (Aruba Clarity)
13:30 Understand, don't just monitor
ONCE BYOD AND IoT ARE ON YOUR NETWORK … SECURING THE PERIMETER IS NO LONGER ENOUGH
STAY COMPLIANT WHILE EMBRACING BYOD AND IOT
Auto-classify unknown devices on any network with Aruba ClearPass
Automate onboarding of each device to the network and enforce policy
Detect & eliminate threats with ClearPass Exchange partners
SOFTWARE CONTROLS FOR NETWORK ACCESS SECURITY
Aruba ClearPass with Exchange Ecosystem: Internet of Things (IoT); BYOD and corporate owned; REST API; security monitoring and threat prevention; device management and multi-factor authentication; helpdesk and voice/SMS service in the cloud; multi-vendor switching; multi-vendor WLANs
SOFTWARE CONTROLS FOR "COLORLESS" PORTS
Device and user identity stores
Ports assigned to new VLANs through ClearPass based on device type
IoT devices on the wired network connecting to any port
Prevention against malware and insider threats
Secure per-device tunneling to Aruba Mobility Controller
Aruba switches
LEADING SWISS BRANDS TRUST US
Pause
Aruba ClearPass – the solution for secure network access (Manuel Bitzi, SOFTEC AG)
Evolution of Access Management and Control
YESTERDAY: desktops & wired
Basic AAA with user/port control
Windows vulnerabilities
Perimeter security via platform silos
High touch IT model
TODAY: mobile devices, BYOD & wireless
Multi-factor policy control with visibility
Multiple attack vectors
Cooperative trust via context sharing
Self-service, automated process
Time For A New Mobility Defense Model
Static Perimeter Defense: IDS/IPS, firewalls, perimeter defense, physical components, antivirus, web gateways
Adaptive Trust Defense: security and policy for each user or group
What are the main reasons for a NAC?
Authentication / access protection
Automatic configuration
Workflows
Visibility / traceability
Top IT NAC Business Drivers
Authentication and Authorization
• Provide secure wired and wireless access
• Enhance mobile and cloud app access
• Use of certificates
NAC Services Deployment / Deployment Services
• Offer differentiated access (IT-owned, BYOD, IoT)
• Deliver managed and reliable guest access
• Provide consistent privileges regardless of location
• Leverage 3rd-party security solutions
Architecture and Coverage
• IT-controlled access
• Automate workflows
• Simplicity
• Possible user intervention
ClearPass Policy Manager and NAC Solution
Built-in:
• Policy engine
• RADIUS / CoA / TACACS
• Profiling
• Accounting / reports
• Identity store
Expandable applications (Onboard, Guest, OnGuard):
• BYOD onboarding
• Simple guest access
• Health assessments
Remote location
What's Inside
VISIBILITY: device profiling, troubleshooting, per-session tracking
WORKFLOW: onboarding and self-registration, guest management, MDM/EMM integration
RULES: context based, device posture checks, built-in certificate authority
Authentication based on Device Context
Device profiling:
• Samsung SM-G900
• Android
• "Jons-Galaxy"
EMM / MDM / OnGuard:
• Personally owned
• Registered
• OS up-to-date
• Hansen, Jon [Sales]
• MDM enabled = true
• In-compliance = true
Identity stores / network devices:
• Hansen, Jon [Sales]
• Title – COO
• Dept – Executive office
• City – London
• Location – Bldg 10
• Floor – 3
• Bandwidth – 10 Mbps
Value of a Policy Engine: remove SSID overload
OLD WAY: separate access & traffic by SSIDs
NEW WAY: simplify; separate traffic dynamically by context
ClearPass Exchange: end-to-end control, information and visibility
Multi-vendor infrastructure
Device management and multi-factor authentication
Helpdesk and voice/SMS service in the cloud
Combine identity information
Standard protocols for custom extensions: REST API, SQL, XML/HTTP, LDAP, RADIUS/TACACS
Traffic control & threat prevention
ClearPass Exchange example: extensions for Intel Security – McAfee ePO
Corporate owned and IoT; BYOD and corporate owned; multi-vendor switching; multi-vendor WLAN; McAfee ePO
1. Devices establish connections
2. Devices profiled
3. ClearPass checks McAfee ePO for endpoint status
4. ClearPass enforces access privileges
ClearPass Exchange example: bi-directional exchange – firewall/IPS event
Firewall / IPS / SIEM etc. …
1. User connects and uploads a threat
2. Detects and blocks the event
3. Sends the event to ClearPass
4. Isolates the user
5. Informs the infrastructure
6. Notifies the user, opens a service ticket, notifies third-party devices
ClearPass Profiler Engine
• ClearPass collects as much information as possible to determine the device type
• Category, family, product name
• The fingerprint database is updated regularly
• Create your own fingerprints
• Store credentials for SNMP, SSH etc.
• Profiling at authentication or on demand
• Detection of IoT devices
Sources: DHCP, SNMP, SSH, TCP/WMI, CDP/LLDP, OnGuard, NMAP, MAC OUI, HTTP
ClearPass Profiler Engine: profiling on authentication, discover IoT
Before: unknown, unknown → send to quarantine, profiling
After: Lighting Sensor, Temperature Sensor → assign new policy
Discover IoT, assign the appropriate policy
ClearPass Profiler Engine: custom fingerprint rules
OLD WAY: wait for new fingerprints to be made and/or manually override devices 1:1
NEW WAY: create your own fingerprints
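The profiler behaviour described on the slides above (collect attributes from several sources, match them against fingerprint rules, quarantine what is still unknown, recognise it once an operator adds a custom fingerprint), as an added Python example that is not ClearPass code; the collectors, rule contents, OUIs, DHCP vendor classes and policy names are constructed sample data.

```python
"""Device profiling with built-in and custom fingerprint rules.

Added example, not ClearPass code. Models the slide's flow: collectors
(here DHCP, MAC OUI and HTTP User-Agent, all constructed) gather
attributes, fingerprint rules map them to Category / Family / Product,
and a device that cannot be classified is quarantined until profiled.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass(frozen=True)
class Fingerprint:
    category: str
    family: str
    product: str


@dataclass
class Rule:
    """Every listed attribute must contain its substring (case-insensitive).
    Custom rules are evaluated before the built-in database."""
    match: dict                # attribute name -> required substring
    result: Fingerprint
    custom: bool = False


@dataclass
class Device:
    mac: str
    attributes: dict = field(default_factory=dict)   # filled by the collectors


# Constructed stand-in for the vendor's fingerprint database.
BUILTIN_RULES = [
    Rule({"dhcp_vendor_class": "android", "http_user_agent": "SM-G900"},
         Fingerprint("SmartDevice", "Android", "Samsung SM-G900")),
    Rule({"mac_oui": "00:50:56"},
         Fingerprint("Computer", "VMware", "VMware virtual machine")),
]


# Constructed collectors standing in for the DHCP, MAC OUI and HTTP sources.
def dhcp_source(dev: Device) -> dict:
    seen = {"a4:5e:60:11:22:33": "android-dhcp-7.0",
            "00:50:56:aa:bb:cc": "MSFT 5.0",
            "b8:27:eb:01:02:03": "iot-lighting/1.2"}
    vc = seen.get(dev.mac)
    return {"dhcp_vendor_class": vc} if vc else {}


def oui_source(dev: Device) -> dict:
    return {"mac_oui": dev.mac[:8]}          # first three octets


def http_source(dev: Device) -> dict:
    seen = {"a4:5e:60:11:22:33": "Mozilla/5.0 (Linux; Android 6.0; SM-G900F)"}
    ua = seen.get(dev.mac)
    return {"http_user_agent": ua} if ua else {}


def collect_attributes(dev: Device, sources: list[Callable[[Device], dict]]) -> Device:
    """Run each collector and merge everything it learned about the device."""
    for source in sources:
        dev.attributes.update(source(dev))
    return dev


def profile(dev: Device, custom_rules: list[Rule]) -> Optional[Fingerprint]:
    """First matching fingerprint wins; custom rules take precedence."""
    for rule in list(custom_rules) + BUILTIN_RULES:
        if all(needle.lower() in str(dev.attributes.get(key, "")).lower()
               for key, needle in rule.match.items()):
            return rule.result
    return None


def policy_for(fp: Optional[Fingerprint]) -> str:
    """Profiling on authentication: an unknown device is quarantined first."""
    if fp is None:
        return "quarantine-and-profile"
    if fp.category == "IoT":
        return "iot-restricted"
    return "standard-access"


def classify(mac: str, custom_rules=()) -> tuple[Optional[Fingerprint], str]:
    dev = collect_attributes(Device(mac), [dhcp_source, oui_source, http_source])
    fp = profile(dev, list(custom_rules))
    return fp, policy_for(fp)


if __name__ == "__main__":
    # Before: the lighting sensor is unknown and lands in quarantine.
    print(classify("b8:27:eb:01:02:03"))
    # After: a custom fingerprint makes the same device an IoT device.
    lighting = Rule({"dhcp_vendor_class": "iot-lighting"},
                    Fingerprint("IoT", "Building Automation", "Lighting Sensor"),
                    custom=True)
    print(classify("b8:27:eb:01:02:03", [lighting]))
```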
ClearPass Universal Profiler: standalone profiling engine
• Standalone profiling engine
• Wired and wireless networks
• Easily distributed for coverage and scalability
• New device visibility dashboard
• Reports
• Gain visibility of your network
• GA February 2017
ClearPass Universal Profiler
DEMO: Profiling
ClearPass modules / workflows: OnGuard client health check
• Automated health check before access
• Wired/wireless: ensures posture compliance for laptops/computers
• Security: forces use of anti-virus/anti-spyware, firewalls, disk encryption …
• Remediation: manual or automatic
• Visibility: identifies poor behavior
• User notification: tells the user about failed checks
• Type: service or dissolvable web checker
DEMO: OnGuard
ClearPass modules / workflows: secure guest login
• Flexible guest logins for any visitor
• Customizable splash pages
• Self-service workflows
• SMS authentication
• Sponsoring
• Social login
• Vouchers
• Predefined user/password
• MAC caching for repeat visitors
• Suitable for mobile devices
ClearPass modules / workflows: secure guest login look and feel
ClearPass modules / workflows: OnBoard employee device
• BYOD: employees log in with personal devices
• User and IT friendly: one-time user registration, no IT intervention
• Security: IT-managed 802.1X and certificates
• Context: data added to the profile for adaptive policy and troubleshooting
• Self-managed: users can manage, delete and block their devices on their own
ClearPass modules / workflows: certificate distribution for BYOD
Enterprise PKI and CA (AD / RA / VA / CA): Certificate Authority, Validation Authority, Registration Authority, Active Directory
IT-managed devices: domain, key & certificate
Built-in ClearPass CA: Certificate Authority (CA)
Personal devices: domain, user, device, key & unique certificate
ClearPass modules / workflows: multi-factor authentication
• Additional authentication for Guest and Onboard workflows
• Multiple methods supported:
  • SMS verification code
  • RSA Security
  • Duo
  • Zoom Facial Network
  • Kasada
  • More to come
DEMO: OnBoard BYOD
Possible access concept: wireless
Guests: SSID "open", captive portal
BYOD: SSID "secure", dot1x
IoT: SSID "IoT", PSK / MAC / profiling
Access zones: Internet only, Corp LAN, Internet
Device classes: Corp-PC, others
Possible access concept: wired
Guests: captive portal
Dot1x
MAC auth
Profiling
Access zones: Internet only, Corp LAN, Internet
Device classes: Corp-PC (cert), others
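The context-based decision behind the "authentication based on device context", "value of a policy engine" and "possible access concept" slides, including the isolation triggered by a firewall/IPS event in the bi-directional exchange, as an added Python example that is not ClearPass code; the role names, the reading of the slide's access zones (guests to Internet only, corporate PCs with certificates to the Corp LAN, compliant BYOD to the Corp LAN, other BYOD to Internet only, profiled IoT to a restricted role, unprofiled devices to quarantine) and all session data are assumptions.

```python
"""One SSID or port, many access roles: decide by context, not by SSID.

Added example, not ClearPass code. The decision combines how the endpoint
authenticated, what profiling and MDM/OnGuard report about it, who the
user is, and whether a security partner has flagged the session. Role
names and the zone mapping are constructed assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass

ROLE_QUARANTINE = "quarantine"
ROLE_INTERNET = "internet-only"
ROLE_CORP = "corp-lan"
ROLE_IOT = "iot-restricted"


@dataclass
class Session:
    mac: str
    auth_method: str                  # "captive-portal" | "eap-tls" | "eap-peap" | "mac-auth"
    device_category: str = "unknown"  # from profiling: "Computer", "SmartDevice", "IoT", ...
    corporate_owned: bool = False     # from identity store / inventory
    mdm_compliant: bool | None = None  # None: no MDM/OnGuard data for this device
    user_groups: tuple[str, ...] = ()
    threat_flagged: bool = False      # set by a firewall/IPS event via the exchange


@dataclass
class Decision:
    role: str
    reason: str


def decide(s: Session) -> Decision:
    """Ordered rules; the first match wins, most restrictive conditions first."""
    if s.threat_flagged:
        return Decision(ROLE_QUARANTINE, "security partner reported a threat for this endpoint")
    if s.device_category == "unknown":
        return Decision(ROLE_QUARANTINE, "device not yet profiled")
    if s.auth_method == "captive-portal":
        return Decision(ROLE_INTERNET, "guest login")
    if s.auth_method == "eap-tls" and s.corporate_owned and s.mdm_compliant is not False:
        return Decision(ROLE_CORP, "corporate PC with certificate")
    if s.auth_method in ("eap-tls", "eap-peap") and "employees" in s.user_groups:
        if s.mdm_compliant is True:
            return Decision(ROLE_CORP, "registered BYOD device in compliance")
        return Decision(ROLE_INTERNET, "BYOD device without proof of compliance")
    if s.auth_method == "mac-auth" and s.device_category == "IoT":
        return Decision(ROLE_IOT, "profiled IoT device on MAC authentication")
    return Decision(ROLE_INTERNET, "no specific rule matched: Internet only")


class PolicyEngine:
    """Remembers sessions so that a later event can change a running session."""

    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}
        self.roles: dict[str, str] = {}

    def authenticate(self, s: Session) -> Decision:
        d = decide(s)
        self.sessions[s.mac] = s
        self.roles[s.mac] = d.role
        return d

    def threat_event(self, mac: str) -> Decision | None:
        """Bi-directional exchange: the firewall/IPS event isolates the endpoint
        (in a real deployment this is where a RADIUS CoA would be sent)."""
        s = self.sessions.get(mac)
        if s is None:
            return None
        s.threat_flagged = True
        return self.authenticate(s)


if __name__ == "__main__":
    engine = PolicyEngine()
    print(engine.authenticate(Session("g1", "captive-portal", "SmartDevice")))
    print(engine.authenticate(Session("c1", "eap-tls", "Computer", corporate_owned=True)))
    print(engine.authenticate(Session("b1", "eap-peap", "SmartDevice",
                                      user_groups=("employees",), mdm_compliant=False)))
    print(engine.authenticate(Session("i1", "mac-auth", "IoT")))
    print(engine.threat_event("c1"))   # corporate PC is moved to quarantine
```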
How to approach a NAC project: best practice and experience
• Know the devices on your network
  • What is there? Where is it? What is new?
  • Inventory, profiling
• Define use cases
  • Which stakeholder groups are there?
  • Processes, workflows, access
  • Simple and few: keep it simple
• Plan enough time for a proof of concept
  • Feed the experience from the PoC back in and adjust
• Implement step by step
  • Not everything at once
  • But ultimately network-wide
Thank you for your attention
Manuel Bitzi, Project Manager Network Engineering
manuel.bitzi@softec.ch
Apéro and networking
Thank you for your visit
SOFTEC AG, Industriestrasse 51, CH-6312 Steinhausen
kurt.christen@softec.ch, +41 41 747 07 60
Tasks of MELANI
• Observe and present the national situation
• Prevention / alerting
Tasks of MELANI
• Closed constituency (operators of critical infrastructure)
  • Prevention thanks to information from sources that are not publicly accessible
  • Support in handling cyber incidents
• Open constituency (SMEs, NPOs, private individuals)
  • Awareness raising
  • Prevention
Public products of MELANI (1/4)
Public products of MELANI (2/4)
Public products of MELANI (3/4)
Public products of MELANI (4/4)
Phishing DB
Contents
• The Reporting and Analysis Centre for Information Assurance MELANI
• Current threat situation
Changes in the threat situation
19th century (source: derstandard.at)
10 years ago (source: augsburgerallgemeine.de)
Today (source: jdpower.com)
• More modern means
• A networked population
• Insufficient security awareness
Tomorrow (source: infosecisland.com)
At the root of (almost) all evil: social engineering
"Social engineering is the art of moving a person to an action that may be in their interest or that may cause them harm." Source: www.social-engineer.org
Public WLAN and guest access
Botnets
(source: webreaders.de/wp-content/uploads/2008/01/botnetz.jpg)
Botnets as THE means to an end
• Botnets underlie practically all criminal activity on the Internet
Bots, control server, botnet operator, www provider; DDoS, spam, malware
How cheaply botnets can be rented
Product | Price
Simple Windows bot | 10 cents per bot and day
Bot with good bandwidth | $1 per bot and day
Custom build | $40 per bot
Source: SWITCH-CERT
Denial of Service
Protonmail
Bots, control server, Armada Collective
Protonmail
Black Monday 2016
Mirai botnet by «New World Hackers»
• Attack wave of 21.10.2016 (approx. 50'000 – 100'000 bots)
• Source code leaked: copycats
• Competition with «Bashlight»: mutual hijacking
DDoS: recommendations
Prevention
• Identify business-critical systems
• Define protective measures with your provider
Response
• «Sit it out»
• Never pay the ransom
• Report to MELANI / KOBIK; if appropriate, file a complaint against unknown persons with the cantonal police (KaPo)
CEO Fraud
CEO Fraud
Fraud: recommendations
• Issue clear instructions regarding payments
• Do not pass on internal information
• When in doubt, check with management (GL)
• Be careful also with e-mails from supposedly known persons
• Inform MELANI / KOBIK; if appropriate, file a criminal complaint against unknown persons with the cantonal police (KaPo)
Espionage
Espionage attack on the Federal Administration (BV)
Espionage: example from Switzerland
Spionage Empfehlungen
bull Klassifizierung von Dokumenten
bull Regeln fuumlr die verschiedenen Klassfizierungen durchsetzen
bull Netzwerkmonitoring betr verdaumlchtigem Datenverkehr
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Erpressung
httpwwwtrustedwatchde
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner laquoLockyraquo (12)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner laquoLockyraquo (22)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner Empfehlungen
bull Regelmaumlssige Datensicherung
bull Datentraumlger nach Backup vom PC Netz trennen
bull Qualitaumlt der Backups sporadisch uumlberpruumlfen
bull Keinesfalls Loumlsegeld bezahlen
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Max KlausStv Leiter Melde- und Analysestelle
Informationssicherung MELANI
Schwarztorstrasse 59
3003 Bern
Herzlichen Dank fuumlr Ihre Aufmerksamkeit
Mobile-First Arubalsquos sichere Netzwerkarchitektur fuumlr die GenMobileJoumlrg Hofmann HPE Aruba
MOBILE-FIRST
Sichere Netzwerkarchitektur
fuumlr die GenMobile
People Move
Networks Must Follow
WHO ARE WE
Source Gartner Magic Quadrant for the Wired and Wireless LAN Access Infrastructure September 2015 Tim Zimmerman Bill Menezes Andrew Lerner ID Number
G00277052 This Magic Quadrant graphic was published by Gartner Inc as part of a larger research note and should be evaluated in the context of the entire report
The Gartner report is available upon request from HP The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period It depicts
Gartners analysis of how certain vendors measure against criteria for that marketplace as defined by Gartner Gartner does not endorse any vendor product or
service depicted in the Magic Quadrant and does not advise technology users to select only those vendors placed in the Leaders quadrant The Magic Quadrant is
intended solely as a research tool and is not meant to be a specific guide to action Gartner disclaims all warranties express or implied with respect to this research
including any warranties of merchantability or fitness for a particular purpose
ldquoClients globally should consider
Aruba for all wired and wireless
access layer opportunitiesrdquo
Gartner MQ for Wired and Wireless LAN
Access Infrastructure August 2016
Founded 2002 IPO 2007
HPErsquos IT Edge portfolio since June 2015
$24B+ annual revenue run rate
ldquoBiggest Small Companyrdquo
High touch business model
ldquoCustomer First Customer Lastrdquo
Home of 45K+ Mobility Engineers
Airheads Community
ENABLING GREAT
DIGITAL EXPERIENCES FOR GENMOBILE
70 SAY A MOBILE DEVICE MAKES THEM MORE
PRODUCTIVE AT WORK
By 2018 60 of users in mature markets will own and use more
than 3 personal devices
50 of enterprises will allow employees to supply their own
devices by 2017
Forrester ndash CIOs Must Empower the Digital Workplace
Forrester ndash The State of Enterprise Worker Mobility
Gartner ndash The Role of the Desktop in Our Multi-Device World
BY 2020 50 OF THE GLOBAL WORKFORCE WILL BE MILLENNIALS
Millennials believe their personal technology is more
effective at work
63 of millennials work for a company that offers a flexible
work environment
Trends 2016 ndash Code Conference Mary Meeker Annual Presentation
Gartner ndash Millennial Digital Workers Really Are Different From Their Elders
LESS THAN 50 OF EMPLOYEES ARE
SATISFIED WITH TECH THEY HAVE AT WORK
Employees want an environment where they can access and use the technology hey need to do
their best work
Enterprises need to think how untethered employees can move
easily and seamlessly from personal workspace to huddle
area to open areas
Trends 2016 ndash Code Conference Mary Meeker Annual Presentation
Gartner ndash Millennial Digital Workers Really Are Different From Their Elders
80+ NEW IOT PROJECTS TO BE DEPLOYED WITH WIRELESS NETWORK ARCHITECTURE
Installed base of IoTendpoints will grow from
121B in lsquo15 to 30B+ in lsquo20
WLAN will become IoTconnectivity method of choice for many organizations and choosing
the wrong wireless tech can hinder the value of IoT
IDC ndash Planscape Optimizing the WLAN for IoT
IDC ndash Worldwide Internet of Things Forecast Update 2016-2020
THE PERFECT STORM
MOBILE IoT and CLOUD
ldquoOLD STYLErdquo IT INFRASTRUCTURE
Gen Y
ldquoNEW STYLErdquo IT INFRASTRUCTURE
GenMobile
OUR APPROACH
LegacySeparate architectures
Port VLAN aware
Proprietary systems
Mobile FirstSingle set of infrastructure
Insightful context-rich
Developer ready
REQUIREMENTS
FOR IT ORGANIZATIONS
Scale network ops
across wireless and
wired infrastructure
Enable high
quality experience
on mobile UC
Stay compliant
while embracing
BYOD and IoT
Deliver apps to
remote locations
in a heartbeat
Improve workplace
productivity and
influence revenue
growth
EASY TO CONSUME DEVELOPER READY INFRASTRUCTURE
INNOVATION AT THE SPEED OF THE ECOSYSTEM ndash NOT A SINGLE VENDOR
Aruba infrastructure
Wi-Fi BLE Wired WAN
Aruba Mobile First Platform
x
Micro-location
services
Cloud
networking
Location
analytics
Policy
management
Network
managementNetwork
controls
IT services
Business and user facing applications
EMPLOYEE
EXPERIENCE
0900
ENROLL
MOBILE DEVICE
1100
PRIVILEGED ACCESS
WITH MULTI-FACTOR
AUTHENTICATION
1300
BOOK
MEETING ROOM
OPERATIONAL
EXPERIENCE
0930
UNDERSTAND
APP USAGE
Aruba AppRF
1530
MONITOR HEALTH
OF THE SMART
BUILDING
IT EXPERIENCE
1100
PREDICT
DONrsquoT JUST
TROUBLESHOOT
Aruba Clarity
1330
UNDERSTAND
DONrsquoT JUST
MONITOR
ONCE BYOD AND IoT
ARE ON YOUR
NETWORK hellip
SECURING THE
PERIMETER IS NO
LONGER ENOUGH
STAY COMPLIANT
WHILE EMBRACING BYOD AND IOT
Auto-classify unknown devices
on any network with Aruba ClearPass
Automate onboarding of each device
to the network and enforce policy
Detect amp eliminate threats
with ClearPass Exchange partners
SOFTWARE CONTROLS FOR
NETWORK ACCESS SECURITY
Internet of
Things (IoT)
BYOD and
corporate owned
REST
API
Security monitoring
and threat prevention
Device management and
multi-factor authentication
Helpdesk and voiceSMS
service in the cloud
Multi-vendor
switching
Multi-vendor
WLANs
Aruba ClearPass with
Exchange Ecosystem
SOFTWARE CONTROLS FOR ldquoCOLORLESSrdquo PORTS
Device and
user identity
stores
Ports assigned to new
VLANs through ClearPass
based on device type
IoT devices on the
wired network
connecting to any portPrevention against malware
and insider threats
Secure per device
tunneling to Aruba
Mobility Controller
Aruba
switches
LEADING
SWISS
BRANDS
TRUST
US
Pause
Aruba ClearPass ndash Die Loumlsung fuumlr einen sicheren NetzwerkzugangManuel Bitzi SOFTEC AG
Evolution of Access Management and Control
Desktops amp Wired
Basic AAA with UserPort
Control
Windows Vulnerabilities
Perimeter security via
platform silos
High touch IT model
Mobile Devices BYOD amp
Wireless
Multi-factor policy control with
visibility
Multiple Attack Vectors
Cooperative trust via
context sharing
Self Service automated
process
YESTERDAY TODAY
Time For A New Mobility Defense Model
Static Perimeter Defense
IDSIPS
Firewalls
Adaptive Trust Defense
Perimeter
Defense
Physical
Components
AntiVirus
Security and Policy
for each user or
group
Web
gateways
Was sind die Hauptgruumlnde fuumlr ein NAC
AuthentifizierungZugriffsschutz
Automatische Konfiguration
Workflows
VisibilitaumltNachvollziehbarkeit
Top IT NAC Business Drivers
Authentication and Authorization
NAC Services Deployment
Architecture and Coverage
bull Provide secure wired
and wireless access
bull Enhance mobile and
cloud app access
bull Use of certificates
Deployment Services
bull Offer differentiated
access (IT-owned
BYOD IoT)
bull Deliver managed
and reliable guest
access
bull Provide consistent
privileges regardless
of location
bull Leverage 3rd-party
security solutions
bull IT-controlled access
bull Automate workflows
bull Simplicity
bull Possible User-
intervention
ClearPass Policy Manager and NAC Solution
Onboard Guest
Built-inbull Policy Enginebull RADIUSCoATACACSbull Profilingbull Accountingreportsbull Identity store
Expandable Applications
Remote Location
bull BYOD onboardingbull Simple guest accessbull Health assessments
OnGuard
Whatrsquos Inside
VISIBILITY
Device Profiling
Troubleshooting
Per Session Tracking
WORKFLOW
Onboarding and
Self-Registration
Guest Management
MDMEMM Integration
RULES
Context based
Device
Posture Checks
Built-in Certificate
Authority
Authentication based on Device Context
Device
Profiling
bull Samsung SM-G900
bull Android
bull ldquoJons-Galaxyrdquo
EMMMDMOnGuard
bull Personal owned
bull Registered
bull OS up-to-date
bull Hansen Jon [Sales]
bull MDM enabled = true
bull In-compliance = true
Identity
Stores
Network Devices
bull Hansen Jon [Sales]
bull Title ndash COO
bull Dept ndash Executive office
bull City ndash London
bull Location ndash Bldg 10
bull Floor ndash 3
bull Bandwidth ndash 10Mbps
Value of a Policy EngineRemove SSID Overload
NEW WAY Simplify separate traffic dynamically
by context
OLD WAY Separate access amp
traffic by SSIDs
ClearPass ExchangeEnd-to-End Control Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voiceSMSservice in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST APISQL
XMLHTTP LDAP
RADIUSTACACS
Traffic control ampthreat prevention
ClearPass Exchange ExampleExtensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
Devices profiled2 ClearPass checks McAfee ePO for endpoint status
3
ClearPass enforcesaccess privileges4
Devices establish connections1
ClearPass Exchange ExampleBi-directional Exchange ndash FirewallIPS Event
FirewallIPSSIEMetchellip
user connects and uploads threat
sends event to ClearPass
informs infrastructure
1 2
4
detects and blocks event
3isolates user5
notifies user opens service ticket notify third-party devices6
ClearPass Profiler Engine
bull ClearPass sammelt so viele Informationen wie moumlglich um einen Geraumltetyp zu bestimmen
bull Category Family Product Name
bull Fingerprint-Datenbank wird regelmaumlssig aktualisiert
bull Eigene Fingerprints erstellen
bull Credentials fuumlr SMNP SSH etc hinterlegen
bull Profiling bei Authentifizierung oder nach Bedarf
bull Erkennen von IoT Devices
DHCP
SNMP
SSH
TCPWMI
CDP LLDP
OnGuard
NMAP
Mac OUI
HTTP
ClearPass Profiler EngineProfiling on authentication discover IoT
AfterBefore
Lighting Sensorunknown
unknown Temperature Sensor
send to
quarantineprofiling assign
new policy
discover IoT assign appropriated policy
ClearPass Profiler EngineCustom Fingerprints Rules
NEW WAY Create your own
Fingerprints
OLD WAY Wait for new Fingerprints to be made andor manually override
devices 11
ClearPass Universal ProfilerStandalone Profiling Engine
bull Standalone profiling engine
bull Wired and wireless networks
bull Easily distributed for coverage
and scalability
bull New device visibility dashboard
bull Reports
bull Gain Visibility of your Network
bull GA February 2017
ClearPass Universal Profiler
DEMO Profiling
Clearpass Modules WorkflowsOnGuard Client Health Check
bull Automated Healthcheck before Access
bull WiredWireless Ensures posture compliance for laptopscomputers
bull Security Forces use of Anti-VirusAnti-Spyware firewalls disk encryptionhellip
bull Remediation Manual or auto
bull Visibility Identifies poor behavior
bull User Notification Tells User about failed checks
bull Type Service or dissolvable Web Checker
DEMO OnGuard
Clearpass Modules WorkflowsSecure Guest Login
bull Flexible Guest Logins for Any Visitor
bull Customizable Splash Pages
bull Self-Service Workflows
bull SMS Authentication
bull Sponsoring
bull Social Login
bull Vouchers
bull Predefined UserPassword
bull MAC Caching for repeat visitors
bull Suitable for Mobile Devices
Clearpass Modules WorkflowsSecure Guest Login Look and Feel
Clearpass Modules WorkflowsOnBoard Employee Device
bull BYOD Employees Login with Personal Devices
bull User and IT friendly One time user registration no IT intervention
bull Security IT managed 8021X and Certificates
bull Context Data added to profile for adaptive policy and troubleshooting
bull Selfmanaged User can manage delete and block devices by their own
Clearpass Modules WorkflowsCertificate Distribution for BYOD
bull Domain
bull Key amp
Certificate
Enterprise PKI and CA Built-in ClearPass CA
Certificate
Authority
Validation
Authority
Registration
Authority
Active
Directory
IT-Managed
Devices
bull Domain
bull User
bull Device
bull Key amp Unique
Certificate
Personal
Devices
CA
Certificate
Authority
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Aufgaben von MELANI
bull Geschlossener Kundenkreis (KI-Betreiber)
bull Praumlvention dank Informationen aus oumlffentlich nicht zugaumlnglichen
Quellen
bull Unterstuumltzung bei der Behebung von Cyber-Vorfaumlllen
bull Offener Kundenkreis (KUM NPO Privatpersonen)
bull Sensibilisierung
bull Praumlvention
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Oumlffentliche Produkte von MELANI (14)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Oumlffentliche Produkte von MELANI (24)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Oumlffentliche Produkte von MELANI (34)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Oumlffentliche Produkte von MELANI (44)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Phishing DB
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Inhalt
bull Die Melde- und Analysestelle Informationssicherung MELANI
bull Aktuelle Bedrohungslage
Titel Datum AutorIn 15
Changes in the threat situation
19th century (image: derstandard.at)
10 years ago (image: augsburger-allgemeine.de)
Today (image: jdpower.com)
• More modern means
• A networked population
• Too little security awareness
Tomorrow (image: infosecisland.com)
At the root of (almost) all evil: social engineering
"Social engineering is the art of getting a person to take an action that may be in their interest or may cause them harm." Source: www.social-engineer.org
Public WLAN and guest access
Botnets
Botnets as THE means to an end
• Botnets underlie practically all criminal activity on the Internet
(diagram: botnet operator, control server, bots, web provider; used for DDoS, spam and malware distribution)
This is how cheaply botnets can be rented (source: SWITCH-CERT)
Product                  | Price
Simple Windows bot       | 10 cents per bot and day
Bot with good bandwidth  | $1 per bot and day
Custom-built             | $40 per bot
Denial of Service
Protonmail
(diagram: Armada Collective, control server, bots)
Black Monday 2016
Mirai botnet by «New World Hackers»
• Attack wave of 21 October 2016 (approx. 50,000 to 100,000 bots)
• Source code leaked: copycats
• Rivalry with «Bashlight»: the botnets hijack each other's bots
DDoS recommendations
Prevention
• Identify business-critical systems
• Define protective measures together with your provider
Response
• «Sit it out»
• Never pay a ransom
• Report to MELANI/KOBIK; if appropriate, file a complaint against persons unknown with the cantonal police (KaPo)
CEO fraud
Fraud recommendations
• Issue clear instructions regarding payments
• Do not pass on internal information
• When in doubt, check with executive management
• Be careful even with e-mails from supposedly known persons
• Inform MELANI/KOBIK; if appropriate, file a criminal complaint against persons unknown with the cantonal police (KaPo)
Espionage
Espionage attack on the Federal Administration
Espionage: an example from Switzerland
Spionage Empfehlungen
bull Klassifizierung von Dokumenten
bull Regeln fuumlr die verschiedenen Klassfizierungen durchsetzen
bull Netzwerkmonitoring betr verdaumlchtigem Datenverkehr
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
Extortion (image: http://www.trustedwatch.de)
Encryption trojan «Locky» (1/2)
Encryption trojan «Locky» (2/2)
Verschluumlsselungstrojaner Empfehlungen
bull Regelmaumlssige Datensicherung
bull Datentraumlger nach Backup vom PC Netz trennen
bull Qualitaumlt der Backups sporadisch uumlberpruumlfen
bull Keinesfalls Loumlsegeld bezahlen
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
Max Klaus, Deputy Head of the Reporting and Analysis Centre for Information Assurance MELANI
Schwarztorstrasse 59, 3003 Bern
Thank you for your attention
Mobile-First: Aruba's secure network architecture for the GenMobile (Jörg Hofmann, HPE Aruba)
MOBILE-FIRST
Secure network architecture for the GenMobile
People move, networks must follow
WHO ARE WE
Source: Gartner, Magic Quadrant for the Wired and Wireless LAN Access Infrastructure, September 2015, Tim Zimmerman, Bill Menezes, Andrew Lerner, ID Number G00277052. This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from HP. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
"Clients globally should consider Aruba for all wired and wireless access layer opportunities." (Gartner MQ for Wired and Wireless LAN Access Infrastructure, August 2016)
• Founded 2002, IPO 2007
• HPE's IT Edge portfolio since June 2015
• $2.4B+ annual revenue run rate
• "Biggest Small Company"
• High-touch business model: "Customer First, Customer Last"
• Home of 45K+ mobility engineers: Airheads Community
ENABLING GREAT DIGITAL EXPERIENCES FOR GENMOBILE
70% say a mobile device makes them more productive at work
• By 2018, 60% of users in mature markets will own and use more than 3 personal devices
• 50% of enterprises will allow employees to supply their own devices by 2017
Sources: Forrester, "CIOs Must Empower the Digital Workplace"; Forrester, "The State of Enterprise Worker Mobility"; Gartner, "The Role of the Desktop in Our Multi-Device World"
By 2020, 50% of the global workforce will be millennials
• Millennials believe their personal technology is more effective at work
• 63% of millennials work for a company that offers a flexible work environment
Sources: "Trends 2016", Code Conference, Mary Meeker annual presentation; Gartner, "Millennial Digital Workers Really Are Different From Their Elders"
Less than 50% of employees are satisfied with the tech they have at work
• Employees want an environment where they can access and use the technology they need to do their best work
• Enterprises need to think about how untethered employees can move easily and seamlessly from personal workspace to huddle area to open areas
Sources: "Trends 2016", Code Conference, Mary Meeker annual presentation; Gartner, "Millennial Digital Workers Really Are Different From Their Elders"
80%+ of new IoT projects to be deployed with a wireless network architecture
• The installed base of IoT endpoints will grow from 12.1B in '15 to 30B+ in '20
• WLAN will become the IoT connectivity method of choice for many organizations, and choosing the wrong wireless tech can hinder the value of IoT
Sources: IDC, "Planscape: Optimizing the WLAN for IoT"; IDC, "Worldwide Internet of Things Forecast Update 2016-2020"
THE PERFECT STORM: MOBILE, IoT AND CLOUD
"Old style" IT infrastructure: Gen Y
"New style" IT infrastructure: GenMobile
OUR APPROACH
Legacy: separate architectures; port/VLAN aware; proprietary systems
Mobile First: single set of infrastructure; insightful, context-rich; developer ready
REQUIREMENTS FOR IT ORGANIZATIONS
• Scale network ops across wireless and wired infrastructure
• Enable a high-quality experience on mobile UC
• Stay compliant while embracing BYOD and IoT
• Deliver apps to remote locations in a heartbeat
• Improve workplace productivity and influence revenue growth
EASY TO CONSUME, DEVELOPER READY INFRASTRUCTURE
Innovation at the speed of the ecosystem, not a single vendor
Aruba infrastructure: Wi-Fi, BLE, wired, WAN
Aruba Mobile First Platform: micro-location services, cloud networking, location analytics, policy management, network management, network controls
IT services
Business and user facing applications
EMPLOYEE EXPERIENCE
09:00 enroll mobile device
11:00 privileged access with multi-factor authentication
13:00 book meeting room
OPERATIONAL EXPERIENCE
09:30 understand app usage (Aruba AppRF)
15:30 monitor health of the smart building
IT EXPERIENCE
11:00 predict, don't just troubleshoot (Aruba Clarity)
13:30 understand, don't just monitor
ONCE BYOD AND IoT ARE ON YOUR NETWORK … SECURING THE PERIMETER IS NO LONGER ENOUGH
STAY COMPLIANT WHILE EMBRACING BYOD AND IoT
• Auto-classify unknown devices on any network with Aruba ClearPass
• Automate onboarding of each device to the network and enforce policy
• Detect & eliminate threats with ClearPass Exchange partners
SOFTWARE CONTROLS FOR NETWORK ACCESS SECURITY
Aruba ClearPass with Exchange Ecosystem (diagram):
• Endpoints: Internet of Things (IoT); BYOD and corporate owned
• Access layer: multi-vendor switching; multi-vendor WLANs
• Via REST API: security monitoring and threat prevention; device management and multi-factor authentication; helpdesk and voice/SMS service in the cloud
SOFTWARE CONTROLS FOR "COLORLESS" PORTS (diagram)
• IoT devices on the wired network connecting to any port of the Aruba switches
• Ports assigned to new VLANs through ClearPass based on device type, using the device and user identity stores
• Secure per-device tunneling to the Aruba Mobility Controller
• Prevention against malware and insider threats
LEADING SWISS BRANDS TRUST US
Break
Aruba ClearPass: the solution for secure network access (Manuel Bitzi, SOFTEC AG)
Evolution of Access Management and Control
YESTERDAY                              | TODAY
Desktops & wired                       | Mobile devices, BYOD & wireless
Basic AAA with user/port control       | Multi-factor policy control with visibility
Windows vulnerabilities                | Multiple attack vectors
Perimeter security via platform silos  | Cooperative trust via context sharing
High-touch IT model                    | Self-service, automated process
Time For A New Mobility Defense Model
Static perimeter defense: IDS/IPS, firewalls, physical components, antivirus, web gateways
Adaptive trust defense: perimeter defense plus security and policy for each user or group
What are the main reasons for a NAC?
• Authentication / access protection
• Automatic configuration
• Workflows
• Visibility / traceability
Top IT NAC Business Drivers
Authentication and Authorization
• Provide secure wired and wireless access
• Enhance mobile and cloud app access
• Use of certificates
NAC Services Deployment
• Offer differentiated access (IT-owned, BYOD, IoT)
• Deliver managed and reliable guest access
• Provide consistent privileges regardless of location
Architecture and Coverage
• Leverage 3rd-party security solutions
• IT-controlled access
• Automate workflows
• Simplicity
• Possible user intervention
ClearPass Policy Manager and NAC Solution (diagram)
Built-in: policy engine; RADIUS, CoA, TACACS+; profiling; accounting/reports; identity store
Expandable applications: Onboard (BYOD onboarding), Guest (simple guest access), OnGuard (health assessments)
Remote location
What's Inside
VISIBILITY: device profiling; troubleshooting; per-session tracking
WORKFLOW: onboarding and self-registration; guest management; MDM/EMM integration
RULES: context based; device posture checks; built-in certificate authority
Authentication based on Device Context
Device profiling: Samsung SM-G900; Android; "Jons-Galaxy"
EMM/MDM/OnGuard: personal owned; registered; OS up-to-date; MDM enabled = true; in-compliance = true
Identity stores: Hansen, Jon [Sales]; Title: COO; Dept: Executive office; City: London
Network devices: Location: Bldg 10; Floor: 3; Bandwidth: 10 Mbps
Value of a Policy Engine: Remove SSID Overload
OLD WAY: separate access & traffic by SSIDs
NEW WAY: simplify; separate traffic dynamically by context
ClearPass Exchange: End-to-End Control, Information and Visibility
Multi-vendor infrastructure; device management and multi-factor authentication; helpdesk and voice/SMS service in the cloud; traffic control & threat prevention
Combine identity information
Standard protocols for custom extensions: REST API, SQL, XML/HTTP, LDAP, RADIUS, TACACS+
ClearPass Exchange Example: Extensions for Intel Security - McAfee ePO
(diagram: corporate owned and IoT; BYOD and corporate owned; multi-vendor switching; multi-vendor WLAN; McAfee ePO)
1. Devices establish connections
2. Devices are profiled
3. ClearPass checks McAfee ePO for the endpoint status
4. ClearPass enforces access privileges
ClearPass Exchange Example: Bi-directional Exchange - Firewall/IPS Event
(diagram: firewall / IPS / SIEM etc.)
1. User connects and uploads a threat
2. Firewall/IPS detects and blocks the event
3. Sends the event to ClearPass
4. ClearPass informs the infrastructure
5. Isolates the user
6. Notifies the user, opens a service ticket, notifies third-party devices
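Steps 4 and 5 of the exchange above run over RADIUS: the partner system posts its event to ClearPass (the REST side), and the policy server then sends an RFC 5176 Change-of-Authorization (CoA) request to the switch or controller that holds the session. What follows is an added example written for this page, not code from the talk, ClearPass or Aruba: it builds the CoA-Request on the policy-server side and verifies and applies it on the NAS side. Packet codes and the Error-Cause value are from RFC 5176; the Aruba vendor ID 14823 and the Aruba-User-Role sub-attribute number 1 are from the public Aruba RADIUS dictionary; the shared secret, user name, MAC address, role names and session table are constructed.

```python
# RFC 5176 Change-of-Authorization (CoA): the message behind steps 4 and 5 of
# the bi-directional exchange above, where the policy server tells the NAS
# (switch or WLAN controller) to move a session into a quarantine role.
# Added example written for this page, not ClearPass or Aruba code. Packet
# codes and the Error-Cause value are RFC 5176; the Aruba vendor ID and the
# Aruba-User-Role sub-attribute number are from the public Aruba dictionary;
# secret, user, MAC, role names and the session table are constructed.
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45            # RFC 5176 packet codes
ATTR_USER_NAME, ATTR_VENDOR_SPECIFIC = 1, 26         # RFC 2865 attribute types
ATTR_CALLING_STATION_ID, ATTR_ERROR_CAUSE = 31, 101
ERR_SESSION_CONTEXT_NOT_FOUND = 503                  # RFC 5176 Error-Cause value
ARUBA_VENDOR_ID, ARUBA_USER_ROLE = 14823, 1          # VSA Aruba-User-Role


def attr(attr_type, value):
    """Encode one Type-Length-Value attribute; Length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vsa(vendor_id, vendor_type, value):
    """Encode a Vendor-Specific attribute wrapping one vendor sub-attribute."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def parse_attrs(payload):
    """Decode a TLV run into [(type, value), ...]; malformed lengths raise."""
    attrs, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", payload[pos:pos + 2])
        if length < 2 or pos + length > len(payload):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, payload[pos + 2:pos + length]))
        pos += length
    return attrs


def build_request(code, identifier, attrs, secret):
    """Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs


def build_response(code, request, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuthenticator+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_request(packet, secret):
    """NAS side: reject a packet whose Length field or authenticator is wrong."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def verify_response(response, request, secret):
    """Policy-server side: check the ACK/NAK came from the NAS holding the secret."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def quarantine_request(identifier, username, mac, role, secret):
    """CoA-Request moving the session identified by User-Name and
    Calling-Station-Id into `role` (here: a quarantine role)."""
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_CALLING_STATION_ID, mac.encode())
             + vsa(ARUBA_VENDOR_ID, ARUBA_USER_ROLE, role.encode()))
    return build_request(COA_REQUEST, identifier, attrs, secret)


def apply_coa(packet, secret, sessions):
    """NAS side: authenticate the request, change the matching session's role and
    return the CoA-ACK or CoA-NAK to send back (None = silently discard, RFC 5176)."""
    if not verify_request(packet, secret):
        return None
    fields = dict(parse_attrs(packet[20:]))
    mac = fields.get(ATTR_CALLING_STATION_ID, b"").decode()
    session = sessions.get(mac)
    if session is None or session["user"].encode() != fields.get(ATTR_USER_NAME):
        cause = attr(ATTR_ERROR_CAUSE, struct.pack("!I", ERR_SESSION_CONTEXT_NOT_FOUND))
        return build_response(COA_NAK, packet, cause, secret)
    vendor = fields.get(ATTR_VENDOR_SPECIFIC, b"")
    if len(vendor) >= 6:
        vendor_id, sub_type, sub_len = struct.unpack("!IBB", vendor[:6])
        if vendor_id == ARUBA_VENDOR_ID and sub_type == ARUBA_USER_ROLE:
            session["role"] = vendor[6:sub_len + 4].decode()
    return build_response(COA_ACK, packet, b"", secret)


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"            # constructed sample value
    nas_sessions = {"00-11-22-33-44-55": {"user": "jhansen", "role": "employee"}}
    pkt = quarantine_request(7, "jhansen", "00-11-22-33-44-55", "quarantine", SECRET)
    reply = apply_coa(pkt, SECRET, nas_sessions)
    print(reply[0] == COA_ACK, verify_response(reply, pkt, SECRET), nas_sessions)
```

Two checks in the NAS half are worth keeping in any real implementation: a request whose authenticator does not verify is dropped silently, so a host that can reach UDP/3799 (the port RFC 5176 assigns) but does not hold the secret cannot disconnect or re-role sessions, and a request for a session the NAS does not have is answered with a CoA-NAK carrying Error-Cause 503 rather than applied to a guess. MD5 authenticators and a static shared secret are the protocol's limits, so keep CoA traffic on the management network and use RadSec or IPsec where the NAS supports it.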
ClearPass Profiler Engine
• ClearPass collects as much information as possible to determine the device type
• Category, Family, Product Name
• The fingerprint database is updated regularly
• Create your own fingerprints
• Store credentials for SNMP, SSH etc.
• Profiling at authentication or on demand
• Detection of IoT devices
Collection methods: DHCP, SNMP, SSH, TCP/WMI, CDP/LLDP, OnGuard, NMAP, MAC OUI, HTTP
ClearPass Profiler Engine: Profiling on authentication, discover IoT
Before: unknown devices are sent to quarantine and profiled
After: the Lighting Sensor and the Temperature Sensor are discovered as IoT and assigned a new, appropriate policy
ClearPass Profiler Engine: Custom Fingerprints / Rules
OLD WAY: wait for new fingerprints to be made and/or manually override devices
NEW WAY: create your own fingerprints
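An added example, not code from ClearPass or this talk, of what the profiler slides describe: collected evidence (DHCP options, MAC OUI, HTTP User-Agent) is matched against a fingerprint database, custom fingerprints take precedence over the shipped ones, a device classifies into Category / Family / Product, and whatever stays unknown lands in a quarantine role until it has been profiled. Everything specific is constructed: the fingerprint entries stand in for the vendor database, the OUIs, DHCP option-55 lists, vendor classes and sample endpoints are invented, and the role names are placeholders.

```python
# Endpoint profiling as the Profiler Engine slides describe it: combine DHCP,
# MAC-OUI and HTTP evidence, match it against a fingerprint database (the
# shipped one plus your own rules), classify into Category / Family / Product
# and send anything still unknown to a quarantine role until it is profiled.
# Added example written for this page, not ClearPass code. The fingerprints,
# OUIs, DHCP option lists and sample endpoints below are constructed.
from dataclasses import dataclass


@dataclass
class Fingerprint:
    category: str
    family: str
    product: str
    oui: tuple = ()          # MAC OUI prefixes ("8C:77:12", ...), any may match
    dhcp55: tuple = ()       # DHCP option 55 parameter request list, exact order
    vendor_class: str = ""   # substring expected in DHCP option 60
    user_agent: str = ""     # substring expected in the HTTP User-Agent


# Illustrative stand-in for the vendor-supplied fingerprint database.
BUILTIN_DB = [
    Fingerprint("SmartDevice", "Android", "Samsung Android", oui=("8C:77:12",),
                dhcp55=(1, 3, 6, 15, 26, 28, 51, 58, 59, 43), user_agent="Android"),
    Fingerprint("Computer", "Windows", "Windows 10",
                dhcp55=(1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252),
                vendor_class="MSFT 5.0"),
    Fingerprint("Printer", "HP", "HP LaserJet", oui=("3C:D9:2B",),
                vendor_class="Hewlett-Packard JetDirect"),
]

# A custom fingerprint written for a lighting sensor the shipped database
# does not know ("NEW WAY: create your own fingerprints"). Constructed.
CUSTOM_DB = [
    Fingerprint("IoT", "Lighting", "LumiSense LS100 Lighting Sensor",
                oui=("02:1B:4F",), vendor_class="lumiSense"),
]

ROLE_BY_CATEGORY = {"Computer": "corp-lan", "SmartDevice": "byod",
                    "Printer": "printer-vlan", "IoT": "iot-restricted"}


def _oui(mac):
    return mac.upper().replace("-", ":")[:8]


def match_score(fp, evidence):
    """Count the fingerprint's criteria the evidence satisfies; -1 as soon as one
    fails. Every stated criterion must hold, so a spoofed OUI alone is not enough."""
    checks = (
        (fp.oui, _oui(evidence.get("mac", "")) in fp.oui),
        (fp.dhcp55, tuple(evidence.get("dhcp55", ())) == fp.dhcp55),
        (fp.vendor_class, fp.vendor_class in evidence.get("vendor_class", "")),
        (fp.user_agent, fp.user_agent in evidence.get("user_agent", "")),
    )
    score = 0
    for criterion, satisfied in checks:
        if criterion:
            if not satisfied:
                return -1
            score += 1
    return score


def profile(evidence, custom_db=()):
    """Return (category, family, product). Custom fingerprints take precedence;
    within one database the most specific match (most criteria) wins."""
    for db in (custom_db, BUILTIN_DB):
        best = max(db, key=lambda fp: match_score(fp, evidence), default=None)
        if best is not None and match_score(best, evidence) > 0:
            return best.category, best.family, best.product
    return "Unknown", "Unknown", "Unknown"


def enforce(evidence, custom_db=()):
    """Profiling on authentication: a known category maps to its role; an unknown
    device gets the quarantine role and is queued for active (SNMP/NMAP) profiling."""
    category, family, product = profile(evidence, custom_db)
    if category == "Unknown":
        return {"mac": evidence["mac"], "role": "quarantine", "reprofile": True,
                "profile": "Unknown"}
    return {"mac": evidence["mac"], "role": ROLE_BY_CATEGORY.get(category, "quarantine"),
            "reprofile": False, "profile": "%s / %s / %s" % (category, family, product)}


# Constructed evidence for two endpoints: a Galaxy phone and an unknown sensor.
SAMPLE_ENDPOINTS = [
    {"mac": "8C:77:12:AA:BB:01", "dhcp55": [1, 3, 6, 15, 26, 28, 51, 58, 59, 43],
     "user_agent": "Mozilla/5.0 (Linux; Android 6.0.1; SM-G900F)"},
    {"mac": "02:1B:4F:00:00:07", "dhcp55": [1, 3, 6, 12, 15, 28, 42],
     "vendor_class": "lumiSense-LS100"},
]

if __name__ == "__main__":
    for ev in SAMPLE_ENDPOINTS:
        print(enforce(ev), "->", enforce(ev, CUSTOM_DB))
```

The point of requiring every criterion of a fingerprint to hold shows in the spoofing case: an endpoint that borrows a Samsung OUI but sends a different DHCP parameter request list is not classified as a phone and stays in quarantine. Profiling remains evidence, not authentication, which is why the access concept later in this talk gives MAC-authenticated, profiled devices a restricted role only.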
ClearPass Universal Profiler: Standalone Profiling Engine
• Standalone profiling engine
• Wired and wireless networks
• Easily distributed for coverage and scalability
• New device visibility dashboard
• Reports
• Gain visibility of your network
• GA February 2017
DEMO: Profiling
ClearPass Modules / Workflows: OnGuard Client Health Check
• Automated health check before access
• Wired/wireless: ensures posture compliance for laptops/computers
• Security: forces the use of anti-virus/anti-spyware, firewalls, disk encryption …
• Remediation: manual or automatic
• Visibility: identifies poor behavior
• User notification: tells the user about failed checks
• Type: service or dissolvable web checker
DEMO: OnGuard
ClearPass Modules / Workflows: Secure Guest Login
• Flexible guest logins for any visitor
• Customizable splash pages
• Self-service workflows
• SMS authentication
• Sponsoring
• Social login
• Vouchers
• Predefined user/password
• MAC caching for repeat visitors
• Suitable for mobile devices
ClearPass Modules / Workflows: Secure Guest Login Look and Feel
ClearPass Modules / Workflows: OnBoard Employee Device
• BYOD: employees log in with personal devices
• User and IT friendly: one-time user registration, no IT intervention
• Security: IT-managed 802.1X and certificates
• Context: data added to the profile for adaptive policy and troubleshooting
• Self-managed: users can manage, delete and block their devices by themselves
ClearPass Modules / Workflows: Certificate Distribution for BYOD (diagram)
Enterprise PKI and CA (AD/RA/VA/CA: Active Directory, Registration Authority, Validation Authority, Certificate Authority) → IT-managed devices receive: domain; key & certificate
Built-in ClearPass CA (Certificate Authority) → personal devices receive: domain; user; device; key & unique certificate
ClearPass Modules / Workflows: Multi-Factor Authentication
• Additional authentication for Guest and Onboard workflows
• Multiple options supported: SMS verification code; RSA Security; Duo; Zoom Facial Network; Kasada; more to come
DEMO: OnBoard BYOD
Possible access concept: wireless (diagram)
• Guests: SSID "open", captive portal; Internet only
• BYOD and Corp-PC: SSID "secure", 802.1X (dot1x); Corp LAN for Corp-PCs, Internet for other devices
• IoT: SSID "IoT", PSK, MAC authentication and profiling
Possible access concept: wired (diagram)
• Guests: captive portal; Internet only
• 802.1X (dot1x) with certificate: Corp-PC; Corp LAN
• MAC authentication and profiling: other devices; Internet
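An added example, not code from ClearPass or this talk, that turns the slides "Authentication based on Device Context", "Remove SSID Overload", the Aruba "colorless ports" slide and the two access concepts above into one rule set: the authentication method plus device and user context decide the role and VLAN, and the decision is handed back to the switch or controller as RADIUS attributes. Role names, VLAN numbers, the two CA names and the sample sessions are constructed; Tunnel-Type 13 (VLAN), Tunnel-Medium-Type 6 (IEEE 802) and Tunnel-Private-Group-ID are the RFC 3580 attributes used for dynamic VLAN assignment, and Aruba-User-Role is the Aruba vendor-specific attribute.

```python
# Context-based enforcement as the "Authentication based on Device Context",
# "Remove SSID Overload" and "colorless ports" slides and the two access
# concepts above describe it: one secure SSID or any wired port, and the role
# plus VLAN are derived from the authentication method and the device and user
# context. Added example written for this page, not ClearPass code. Role
# names, VLAN IDs, CA names and the sample sessions are constructed; the
# Tunnel-* attribute values are the RFC 3580 ones used for dynamic VLANs.
from dataclasses import dataclass


@dataclass
class Context:
    auth: str                         # "eap-tls", "eap-peap", "mac-auth", "captive-portal"
    user: str = ""
    groups: tuple = ()                # identity store (AD/LDAP) group membership
    ownership: str = "unknown"        # "corporate" | "personal", from Onboard/MDM data
    device_category: str = "Unknown"  # profiler result
    mdm_compliant: bool = False       # EMM/MDM "In-compliance"
    posture: str = "unknown"          # OnGuard: "healthy" | "unhealthy" | "unknown"
    cert_issuer: str = ""             # issuer of the presented client certificate


TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6               # RFC 3580 values
CORP_CA, ONBOARD_CA = "Corp Issuing CA", "ClearPass Onboard CA"  # constructed names


def enforcement(role, vlan):
    """Enforcement profile: RFC 3580 VLAN attributes plus the Aruba role VSA."""
    return {"Tunnel-Type": TUNNEL_TYPE_VLAN, "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
            "Tunnel-Private-Group-ID": str(vlan), "Aruba-User-Role": role}


def is_corp_pc(c):
    # Ownership is proven by a certificate from the enterprise PKI, not by the
    # profiler: a MAC-authenticated device that looks like a PC never gets here.
    return c.auth == "eap-tls" and c.cert_issuer == CORP_CA and c.ownership == "corporate"


def is_byod(c):
    return c.auth == "eap-tls" and c.cert_issuer == ONBOARD_CA and c.ownership == "personal"


# Ordered rules, first match wins: (name, predicate, role, VLAN).
RULES = [
    ("corp-pc-remediation", lambda c: is_corp_pc(c) and c.posture != "healthy", "remediation", 98),
    ("corp-pc", lambda c: is_corp_pc(c) and c.posture == "healthy", "corp-lan", 10),
    ("byod-internet", lambda c: is_byod(c) and c.mdm_compliant, "byod-internet", 20),
    ("iot", lambda c: c.auth == "mac-auth" and c.device_category == "IoT", "iot-restricted", 30),
    ("guest", lambda c: c.auth == "captive-portal" and c.user != "", "guest-internet-only", 40),
]
DEFAULT_ROLE, DEFAULT_VLAN = "quarantine", 99   # everything else, incl. password-only 802.1X


def decide(ctx):
    """Return (rule name, enforcement profile) for one authentication request."""
    for name, predicate, role, vlan in RULES:
        if predicate(ctx):
            return name, enforcement(role, vlan)
    return "default", enforcement(DEFAULT_ROLE, DEFAULT_VLAN)


# Constructed sessions covering the cases in the two access concepts.
SAMPLES = {
    "corp-pc-healthy": Context("eap-tls", user="jhansen", groups=("Sales",), ownership="corporate",
                               device_category="Computer", posture="healthy", cert_issuer=CORP_CA),
    "corp-pc-unhealthy": Context("eap-tls", user="jhansen", ownership="corporate",
                                 device_category="Computer", posture="unhealthy", cert_issuer=CORP_CA),
    "byod-compliant": Context("eap-tls", user="jhansen", ownership="personal",
                              device_category="SmartDevice", mdm_compliant=True, cert_issuer=ONBOARD_CA),
    "byod-noncompliant": Context("eap-tls", user="jhansen", ownership="personal",
                                 device_category="SmartDevice", cert_issuer=ONBOARD_CA),
    "iot-sensor": Context("mac-auth", device_category="IoT"),
    "pc-lookalike-mac-auth": Context("mac-auth", device_category="Computer"),
    "guest": Context("captive-portal", user="visitor@example.com"),
    "peap-password-only": Context("eap-peap", user="jhansen"),
}

if __name__ == "__main__":
    for name, ctx in SAMPLES.items():
        print("%-22s -> %s" % (name, decide(ctx)))
```

Rule order matters: the posture rule precedes the Corp-PC rule so that a corporate laptop with a failed OnGuard check lands in remediation, and ownership is derived from which CA issued the client certificate rather than from the profiler, which is why a MAC-authenticated device that profiles as a computer still ends up in quarantine. Password-only 802.1X (PEAP) falls through to the default here because the concept relies on certificates; a site that accepts it would add an explicit rule.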
How to approach a NAC project: best practice and experience
• Know the devices on the network: what is there, where are they, what is new? Inventory, profiling
• Define use cases: which stakeholder groups are there? Procedures, processes, access rights. Simple and few: keep it simple
• Plan enough time for a proof of concept; feed the experience from the PoC back in and adjust
• Implement step by step: not everything at once, but in the end comprehensive
Thank you for your attention
Manuel Bitzi, Project Manager Network Engineering, manuel.bitzi@softec.ch
Apéro and Networking
Thank you for your visit
SOFTEC AG, Industriestrasse 51, CH-6312 Steinhausen
kurt.christen@softec.ch, +41 41 747 07 60
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Oumlffentliche Produkte von MELANI (14)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Oumlffentliche Produkte von MELANI (24)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Oumlffentliche Produkte von MELANI (34)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Oumlffentliche Produkte von MELANI (44)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Phishing DB
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Inhalt
bull Die Melde- und Analysestelle Informationssicherung MELANI
bull Aktuelle Bedrohungslage
Titel Datum AutorIn 15
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Veraumlnderung der Bedrohungslage
19 Jahrhundert
derstandardat
Vor 10 Jahren
augsburgerallgemeinede
heute
jdpowercom
bull Modernere Mittel
bull Vernetzte Bevoumllkerung
bull Zu geringes Sicherheitsbewusstsein
morgen
infosecislandcom
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Am Anfang (fast) allen UumlbelsSocial Engineering
ldquoSocial Engineering ist die Kunst eine Person zu einer Tat zu bewegen die in ihrem Interesse sein
kann oder die ihr Schaden zufuumlgen kannrdquo Quelle wwwsocial-engineerorg
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Oumlffentliche WLAN und Gastzugaumlnge
Titel Datum AutorIn 18
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Botnetze
webreadersdewp-contentuploads200801botnetzjpg
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Botnetze als DAS Mittel zumZweck
bull Botnetze liegen praktisch allen kriminellen Aktivitaumlten im
Bereich des Internets zu Grunde
wwwanbieter
Bots
Kontrollserver
Botnetzbetreiber
DDoS
Spam
Malware
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Produkt Preis
Einfacher Windows Bot 10 Cents BotampTag
Bot mit guter Bandbreite 1$ BotampTag
Spezialanfertigung 40$ Bot
Quelle SWITCH-CERT
So billig sind Botnetze zu mieten
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Denial of Service
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Protonmail
Bots
Kontrollserver Armada Collective
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Protonmail
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Der schwarze Montag 2016
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Mirai Botnet by laquoNew World Hackersraquobull Angriffswelle vom 21102016 (ca
50rsquo000 ndash 100rsquo000 Bots)
bull Source Code geleakt
Trittbrettfahrer
bull Konkurrenz zu laquoBashlightraquo
gegenseitiges Kapern
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
DDos Empfehlungen
Praumlvention
bull Businesskritische Systeme identifizieren
bull Schutzmassnahmen mit Provider definieren
Reaktion
bull laquoAussitzenraquo
bull Keinesfalls Loumlsegeld bezahlen
bull Meldung an MELANIKOBIK allenfalls Anzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
CEO Fraud
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
CEO Fraud
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Betrug Empfehlungen
bull Klare Weisungen bezuumlglich Zahlungen erteilen
bull Keine internen Informationen weitergeben
bull Im Zweifelsfall bei der GL nachfragen
bull Vorsicht auch bei Mails von vermeintlich bekannten Personen
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionageangriff auf BV
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage Beispiel aus der Schweiz
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage Empfehlungen
bull Klassifizierung von Dokumenten
bull Regeln fuumlr die verschiedenen Klassfizierungen durchsetzen
bull Netzwerkmonitoring betr verdaumlchtigem Datenverkehr
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Erpressung
httpwwwtrustedwatchde
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner laquoLockyraquo (12)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner laquoLockyraquo (22)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner Empfehlungen
bull Regelmaumlssige Datensicherung
bull Datentraumlger nach Backup vom PC Netz trennen
bull Qualitaumlt der Backups sporadisch uumlberpruumlfen
bull Keinesfalls Loumlsegeld bezahlen
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Max KlausStv Leiter Melde- und Analysestelle
Informationssicherung MELANI
Schwarztorstrasse 59
3003 Bern
Herzlichen Dank fuumlr Ihre Aufmerksamkeit
Mobile-First Arubalsquos sichere Netzwerkarchitektur fuumlr die GenMobileJoumlrg Hofmann HPE Aruba
MOBILE-FIRST
Sichere Netzwerkarchitektur
fuumlr die GenMobile
People Move
Networks Must Follow
WHO ARE WE
Source Gartner Magic Quadrant for the Wired and Wireless LAN Access Infrastructure September 2015 Tim Zimmerman Bill Menezes Andrew Lerner ID Number
G00277052 This Magic Quadrant graphic was published by Gartner Inc as part of a larger research note and should be evaluated in the context of the entire report
The Gartner report is available upon request from HP The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period It depicts
Gartners analysis of how certain vendors measure against criteria for that marketplace as defined by Gartner Gartner does not endorse any vendor product or
service depicted in the Magic Quadrant and does not advise technology users to select only those vendors placed in the Leaders quadrant The Magic Quadrant is
intended solely as a research tool and is not meant to be a specific guide to action Gartner disclaims all warranties express or implied with respect to this research
including any warranties of merchantability or fitness for a particular purpose
ldquoClients globally should consider
Aruba for all wired and wireless
access layer opportunitiesrdquo
Gartner MQ for Wired and Wireless LAN
Access Infrastructure August 2016
Founded 2002 IPO 2007
HPErsquos IT Edge portfolio since June 2015
$24B+ annual revenue run rate
ldquoBiggest Small Companyrdquo
High touch business model
ldquoCustomer First Customer Lastrdquo
Home of 45K+ Mobility Engineers
Airheads Community
ENABLING GREAT
DIGITAL EXPERIENCES FOR GENMOBILE
70 SAY A MOBILE DEVICE MAKES THEM MORE
PRODUCTIVE AT WORK
By 2018 60 of users in mature markets will own and use more
than 3 personal devices
50 of enterprises will allow employees to supply their own
devices by 2017
Forrester ndash CIOs Must Empower the Digital Workplace
Forrester ndash The State of Enterprise Worker Mobility
Gartner ndash The Role of the Desktop in Our Multi-Device World
BY 2020 50 OF THE GLOBAL WORKFORCE WILL BE MILLENNIALS
Millennials believe their personal technology is more
effective at work
63 of millennials work for a company that offers a flexible
work environment
Trends 2016 ndash Code Conference Mary Meeker Annual Presentation
Gartner ndash Millennial Digital Workers Really Are Different From Their Elders
LESS THAN 50 OF EMPLOYEES ARE
SATISFIED WITH TECH THEY HAVE AT WORK
Employees want an environment where they can access and use the technology hey need to do
their best work
Enterprises need to think how untethered employees can move
easily and seamlessly from personal workspace to huddle
area to open areas
Trends 2016 ndash Code Conference Mary Meeker Annual Presentation
Gartner ndash Millennial Digital Workers Really Are Different From Their Elders
80+ NEW IOT PROJECTS TO BE DEPLOYED WITH WIRELESS NETWORK ARCHITECTURE
Installed base of IoTendpoints will grow from
121B in lsquo15 to 30B+ in lsquo20
WLAN will become IoTconnectivity method of choice for many organizations and choosing
the wrong wireless tech can hinder the value of IoT
IDC ndash Planscape Optimizing the WLAN for IoT
IDC ndash Worldwide Internet of Things Forecast Update 2016-2020
THE PERFECT STORM
MOBILE IoT and CLOUD
ldquoOLD STYLErdquo IT INFRASTRUCTURE
Gen Y
ldquoNEW STYLErdquo IT INFRASTRUCTURE
GenMobile
OUR APPROACH
LegacySeparate architectures
Port VLAN aware
Proprietary systems
Mobile FirstSingle set of infrastructure
Insightful context-rich
Developer ready
REQUIREMENTS
FOR IT ORGANIZATIONS
Scale network ops
across wireless and
wired infrastructure
Enable high
quality experience
on mobile UC
Stay compliant
while embracing
BYOD and IoT
Deliver apps to
remote locations
in a heartbeat
Improve workplace
productivity and
influence revenue
growth
EASY TO CONSUME DEVELOPER READY INFRASTRUCTURE
INNOVATION AT THE SPEED OF THE ECOSYSTEM ndash NOT A SINGLE VENDOR
Aruba infrastructure
Wi-Fi BLE Wired WAN
Aruba Mobile First Platform
x
Micro-location
services
Cloud
networking
Location
analytics
Policy
management
Network
managementNetwork
controls
IT services
Business and user facing applications
EMPLOYEE
EXPERIENCE
0900
ENROLL
MOBILE DEVICE
1100
PRIVILEGED ACCESS
WITH MULTI-FACTOR
AUTHENTICATION
1300
BOOK
MEETING ROOM
OPERATIONAL
EXPERIENCE
0930
UNDERSTAND
APP USAGE
Aruba AppRF
1530
MONITOR HEALTH
OF THE SMART
BUILDING
IT EXPERIENCE
1100
PREDICT
DONrsquoT JUST
TROUBLESHOOT
Aruba Clarity
1330
UNDERSTAND
DONrsquoT JUST
MONITOR
ONCE BYOD AND IoT
ARE ON YOUR
NETWORK hellip
SECURING THE
PERIMETER IS NO
LONGER ENOUGH
STAY COMPLIANT
WHILE EMBRACING BYOD AND IOT
Auto-classify unknown devices
on any network with Aruba ClearPass
Automate onboarding of each device
to the network and enforce policy
Detect amp eliminate threats
with ClearPass Exchange partners
SOFTWARE CONTROLS FOR
NETWORK ACCESS SECURITY
Internet of
Things (IoT)
BYOD and
corporate owned
REST
API
Security monitoring
and threat prevention
Device management and
multi-factor authentication
Helpdesk and voiceSMS
service in the cloud
Multi-vendor
switching
Multi-vendor
WLANs
Aruba ClearPass with
Exchange Ecosystem
SOFTWARE CONTROLS FOR ldquoCOLORLESSrdquo PORTS
Device and
user identity
stores
Ports assigned to new
VLANs through ClearPass
based on device type
IoT devices on the
wired network
connecting to any portPrevention against malware
and insider threats
Secure per device
tunneling to Aruba
Mobility Controller
Aruba
switches
LEADING
SWISS
BRANDS
TRUST
US
Pause
Aruba ClearPass ndash Die Loumlsung fuumlr einen sicheren NetzwerkzugangManuel Bitzi SOFTEC AG
Evolution of Access Management and Control
Desktops amp Wired
Basic AAA with UserPort
Control
Windows Vulnerabilities
Perimeter security via
platform silos
High touch IT model
Mobile Devices BYOD amp
Wireless
Multi-factor policy control with
visibility
Multiple Attack Vectors
Cooperative trust via
context sharing
Self Service automated
process
YESTERDAY TODAY
Time For A New Mobility Defense Model
Static Perimeter Defense
IDSIPS
Firewalls
Adaptive Trust Defense
Perimeter
Defense
Physical
Components
AntiVirus
Security and Policy
for each user or
group
Web
gateways
Was sind die Hauptgruumlnde fuumlr ein NAC
AuthentifizierungZugriffsschutz
Automatische Konfiguration
Workflows
VisibilitaumltNachvollziehbarkeit
Top IT NAC Business Drivers
Authentication and Authorization
NAC Services Deployment
Architecture and Coverage
bull Provide secure wired
and wireless access
bull Enhance mobile and
cloud app access
bull Use of certificates
Deployment Services
bull Offer differentiated
access (IT-owned
BYOD IoT)
bull Deliver managed
and reliable guest
access
bull Provide consistent
privileges regardless
of location
bull Leverage 3rd-party
security solutions
bull IT-controlled access
bull Automate workflows
bull Simplicity
bull Possible User-
intervention
ClearPass Policy Manager and NAC Solution
Onboard Guest
Built-inbull Policy Enginebull RADIUSCoATACACSbull Profilingbull Accountingreportsbull Identity store
Expandable Applications
Remote Location
bull BYOD onboardingbull Simple guest accessbull Health assessments
OnGuard
Whatrsquos Inside
VISIBILITY
Device Profiling
Troubleshooting
Per Session Tracking
WORKFLOW
Onboarding and
Self-Registration
Guest Management
MDMEMM Integration
RULES
Context based
Device
Posture Checks
Built-in Certificate
Authority
Authentication based on Device Context
Device
Profiling
bull Samsung SM-G900
bull Android
bull ldquoJons-Galaxyrdquo
EMMMDMOnGuard
bull Personal owned
bull Registered
bull OS up-to-date
bull Hansen Jon [Sales]
bull MDM enabled = true
bull In-compliance = true
Identity
Stores
Network Devices
bull Hansen Jon [Sales]
bull Title ndash COO
bull Dept ndash Executive office
bull City ndash London
bull Location ndash Bldg 10
bull Floor ndash 3
bull Bandwidth ndash 10Mbps
Value of a Policy EngineRemove SSID Overload
NEW WAY Simplify separate traffic dynamically
by context
OLD WAY Separate access amp
traffic by SSIDs
ClearPass ExchangeEnd-to-End Control Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voiceSMSservice in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST APISQL
XMLHTTP LDAP
RADIUSTACACS
Traffic control ampthreat prevention
ClearPass Exchange ExampleExtensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
Devices profiled2 ClearPass checks McAfee ePO for endpoint status
3
ClearPass enforcesaccess privileges4
Devices establish connections1
ClearPass Exchange ExampleBi-directional Exchange ndash FirewallIPS Event
FirewallIPSSIEMetchellip
user connects and uploads threat
sends event to ClearPass
informs infrastructure
1 2
4
detects and blocks event
3isolates user5
notifies user opens service ticket notify third-party devices6
ClearPass Profiler Engine
bull ClearPass sammelt so viele Informationen wie moumlglich um einen Geraumltetyp zu bestimmen
bull Category Family Product Name
bull Fingerprint-Datenbank wird regelmaumlssig aktualisiert
bull Eigene Fingerprints erstellen
bull Credentials fuumlr SMNP SSH etc hinterlegen
bull Profiling bei Authentifizierung oder nach Bedarf
bull Erkennen von IoT Devices
DHCP
SNMP
SSH
TCPWMI
CDP LLDP
OnGuard
NMAP
Mac OUI
HTTP
ClearPass Profiler EngineProfiling on authentication discover IoT
AfterBefore
Lighting Sensorunknown
unknown Temperature Sensor
send to
quarantineprofiling assign
new policy
discover IoT assign appropriated policy
ClearPass Profiler EngineCustom Fingerprints Rules
NEW WAY Create your own
Fingerprints
OLD WAY Wait for new Fingerprints to be made andor manually override
devices 11
ClearPass Universal Profiler: Standalone Profiling Engine
• Standalone profiling engine
• Wired and wireless networks
• Easily distributed for coverage and scalability
• New device visibility dashboard
• Reports
• Gain visibility of your network
• GA February 2017
ClearPass Universal Profiler
DEMO: Profiling
ClearPass Modules/Workflows: OnGuard Client Health Check
• Automated health check before access
• Wired/Wireless: ensures posture compliance for laptops/computers
• Security: forces use of anti-virus/anti-spyware, firewalls, disk encryption…
• Remediation: manual or automatic
• Visibility: identifies poor behavior
• User notification: tells the user about failed checks
• Type: service or dissolvable web checker
DEMO: OnGuard
ClearPass Modules/Workflows: Secure Guest Login
• Flexible guest logins for any visitor
• Customizable splash pages
• Self-service workflows
• SMS authentication
• Sponsoring
• Social login
• Vouchers
• Predefined user/password
• MAC caching for repeat visitors
• Suitable for mobile devices
ClearPass Modules/Workflows: Secure Guest Login Look and Feel
ClearPass Modules/Workflows: OnBoard Employee Device
• BYOD: employees log in with personal devices
• User and IT friendly: one-time user registration, no IT intervention
• Security: IT-managed 802.1X and certificates
• Context: data added to the profile for adaptive policy and troubleshooting
• Self-managed: users can manage, delete and block their own devices
ClearPass Modules/Workflows: Certificate Distribution for BYOD
Enterprise PKI and CA (IT-managed devices): Active Directory → Certificate Authority, with Registration Authority and Validation Authority; the device receives domain, key & certificate
Built-in ClearPass CA (personal devices): AD/RA/VA/CA combined in the ClearPass Certificate Authority; the device receives domain, user, device, key & unique certificate
ClearPass Modules/Workflows: Multi-Factor Authentication
• Additional authentication for Guest and Onboard workflows
• Multiple providers supported:
• SMS verification code
• RSA Security
• Duo
• Zoom Facial Network
• Kasada
• More to come
DEMO: OnBoard BYOD
Possible access concept (wireless)
• Guests: SSID "open", captive portal → Internet only
• BYOD: SSID "secure", Dot1x → Corp-PC: Corp LAN; others: Internet
• IoT: SSID "IoT", PSK / MAC / profiling
Possible access concept (wired)
• Guests: captive portal → Internet only
• Dot1x → Corp-PC (certificate): Corp LAN; others: Internet
• MAC-Auth / profiling
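As an added illustration (not SOFTEC's or Aruba's code), the wireless and wired access concepts above, together with the quarantine-then-profile flow and the firewall-event isolation from the earlier ClearPass slides, expressed as a small context-based policy evaluator; the role names, VLAN numbers, fingerprint entries and event format are constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, replace
from typing import Optional

# Constructed fingerprint table: (DHCP vendor class, MAC OUI) -> category.
# A real profiler combines DHCP, SNMP, SSH, WMI, CDP/LLDP, NMAP, OUI and HTTP data.
FINGERPRINTS = {
    ("acme-lightctl", "00:11:22"): "IoT/Lighting Sensor",
    ("acme-thermo", "00:11:33"): "IoT/Temperature Sensor",
    ("MSFT 5.0", "3c:52:82"): "Computer/Windows",
    ("android-dhcp-7.0", "a0:b4:a5"): "SmartDevice/Android",
}

# Role -> VLAN (assumed numbers): traffic is separated by context, not by SSID.
ROLE_VLAN = {
    "guest-internet": 100,
    "byod-internet": 110,
    "corp-lan": 10,
    "iot": 200,
    "remediation": 998,
    "quarantine": 999,
}


@dataclass(frozen=True)
class Context:
    """What the policy engine knows about one session."""
    auth: str                          # captive-portal | dot1x-cert | dot1x-pw | psk | mac-auth
    ssid: Optional[str] = None         # None for a wired port
    mac: str = ""                      # endpoint MAC, used to match firewall events
    category: str = "unknown"          # profiler result, e.g. "IoT/Lighting Sensor"
    corp_managed: bool = False         # IT-managed (domain) device vs personal device
    posture_ok: Optional[bool] = None  # OnGuard health check; None = not run
    threat_flagged: bool = False       # set after a firewall/IPS event via Exchange


def profile(dhcp_vendor: str, oui: str) -> str:
    """Profiling step: map observed attributes to a device category."""
    return FINGERPRINTS.get((dhcp_vendor, oui), "unknown")


def decide(ctx: Context) -> str:
    """Return the enforcement role for a session; the most restrictive rule wins."""
    if ctx.threat_flagged:
        return "quarantine"                 # isolate the user (exchange example)
    if ctx.auth == "captive-portal":
        return "guest-internet"             # guests: Internet only
    if ctx.auth in ("psk", "mac-auth"):
        if ctx.category == "unknown":
            return "quarantine"             # unknown device: quarantine, then profile
        if ctx.category.startswith("IoT/"):
            return "iot"
        return "byod-internet"              # known non-IoT device on weak auth
    if ctx.auth in ("dot1x-cert", "dot1x-pw"):
        if ctx.corp_managed and ctx.auth == "dot1x-cert":
            if ctx.posture_ok is False:
                return "remediation"        # OnGuard check failed
            return "corp-lan"               # Corp-PC with certificate: Corp LAN
        return "byod-internet"              # BYOD and others: Internet
    return "quarantine"                     # unknown auth method: fail closed


def vlan_for(ctx: Context) -> int:
    """Map the decided role to its VLAN (dynamic VLAN instead of one SSID per group)."""
    return ROLE_VLAN[decide(ctx)]


def connect_unknown_device(dhcp_vendor: str, oui: str) -> list[str]:
    """Profiling-on-authentication flow: quarantine, profile, re-evaluate.
    Returns the roles the endpoint passes through."""
    ctx = Context(auth="mac-auth", ssid="IoT")
    trail = [decide(ctx)]                   # first pass: category unknown
    ctx = replace(ctx, category=profile(dhcp_vendor, oui))
    trail.append(decide(ctx))               # second pass: after profiling
    return trail


def on_threat_event(ctx: Context, event: dict) -> tuple[str, list[str]]:
    """Bi-directional exchange: a firewall/IPS reports a blocked upload for a MAC.
    Returns the new role and the follow-up actions for this session."""
    if event.get("action") != "blocked" or event.get("src_mac") != ctx.mac:
        return decide(ctx), []              # event does not concern this session
    flagged = replace(ctx, threat_flagged=True)
    actions = ["coa-reauth", "notify-user", "open-ticket", "notify-third-party"]
    return decide(flagged), actions


if __name__ == "__main__":
    print(connect_unknown_device("acme-lightctl", "00:11:22"))  # ['quarantine', 'iot']
    pc = Context(auth="dot1x-cert", ssid="secure", mac="aa:bb:cc:dd:ee:ff",
                 corp_managed=True, posture_ok=True)
    print(decide(pc), vlan_for(pc))                               # corp-lan 10
    print(on_threat_event(pc, {"src_mac": "aa:bb:cc:dd:ee:ff", "action": "blocked"}))
```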
How to approach a NAC project: best practice and experience
• Know the devices in the network
• What is there? Where are they? Which ones are new?
• Inventory, profiling
• Define use cases
• Which stakeholder groups are there?
• Workflows, processes, access
• Simple and few: keep it simple
• Plan enough time for a proof of concept
• Incorporate the lessons from the PoC and adjust
• Implement step by step
• Not everything at once
• But in the end with full coverage
Thank you for your attention
Manuel Bitzi, Project Manager Network Engineering
manuelbitzisoftecch
Apéro and networking
Thank you for your visit
SOFTEC AG, Industriestrasse 51, CH-6312 Steinhausen
kurtchristensoftecch, +41 41 747 07 60
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI (Reporting and Analysis Centre for Information Assurance)
Public products of MELANI (2/4)
Public products of MELANI (3/4)
Public products of MELANI (4/4)
Phishing DB
Contents
• The Reporting and Analysis Centre for Information Assurance MELANI
• Current threat situation
Change in the threat situation
19th century (derstandard.at)
10 years ago (augsburgerallgemeine.de)
Today (jdpower.com):
• More modern means
• Networked population
• Insufficient security awareness
Tomorrow (infosecisland.com)
At the root of (almost) all evil: social engineering
"Social engineering is the art of moving a person to an action that may be in their interest or may cause them harm." Source: www.social-engineer.org
Public WLAN and guest access
Botnets
(image source: webreaders.de)
Botnets as THE means to an end
• Botnets underlie practically all criminal activity on the Internet
Diagram: web provider, bots, control server, botnet operator; used for DDoS, spam, malware
This is how cheaply botnets can be rented (source: SWITCH-CERT)
Product | Price
Simple Windows bot | 10 cents per bot and day
Bot with good bandwidth | $1 per bot and day
Custom-made | $40 per bot
Denial of Service
Protonmail: bots, control server, Armada Collective
Protonmail
Black Monday 2016
Mirai botnet by «New World Hackers»
• Attack wave of 21.10.2016 (approx. 50'000 – 100'000 bots)
• Source code leaked: copycats
• Competition with «Bashlight»: mutual hijacking of bots
DDoS recommendations
Prevention
• Identify business-critical systems
• Define protective measures with the provider
Response
• «Sit it out»
• Never pay a ransom
• Report to MELANI/KOBIK, if necessary file a complaint against unknown persons with the cantonal police (KaPo)
CEO Fraud
CEO Fraud
Fraud recommendations
• Issue clear instructions regarding payments
• Do not pass on internal information
• When in doubt, check with executive management
• Be careful even with e-mails from supposedly known persons
• Inform MELANI/KOBIK, if necessary file a criminal complaint against unknown persons with the cantonal police (KaPo)
Espionage
Espionage attack on the Federal Administration
Espionage: an example from Switzerland
Espionage recommendations
• Classification of documents
• Enforce the rules for the different classifications
• Network monitoring for suspicious traffic
• Inform MELANI/KOBIK, if necessary file a criminal complaint against unknown persons with the cantonal police (KaPo)
Extortion (http://www.trustedwatch.de)
Encryption trojan «Locky» (1/2)
Encryption trojan «Locky» (2/2)
Encryption trojan recommendations
• Regular data backups
• Disconnect the storage media from the PC/network after the backup
• Check the quality of the backups sporadically
• Never pay a ransom
• Inform MELANI/KOBIK, if necessary file a criminal complaint against unknown persons with the cantonal police (KaPo)
Max Klaus, Deputy Head, Reporting and Analysis Centre for Information Assurance MELANI
Schwarztorstrasse 59
3003 Bern
Thank you for your attention
Mobile-First: Aruba's secure network architecture for the GenMobile (Jörg Hofmann, HPE Aruba)
MOBILE-FIRST
Secure network architecture for the GenMobile
People Move, Networks Must Follow
WHO ARE WE
Source: Gartner, Magic Quadrant for the Wired and Wireless LAN Access Infrastructure, September 2015, Tim Zimmerman, Bill Menezes, Andrew Lerner, ID Number G00277052. This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from HP. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
"Clients globally should consider Aruba for all wired and wireless access layer opportunities" (Gartner MQ for Wired and Wireless LAN Access Infrastructure, August 2016)
Founded 2002, IPO 2007
HPE's IT Edge portfolio since June 2015
$2.4B+ annual revenue run rate
"Biggest Small Company"
High-touch business model
"Customer First, Customer Last"
Home of 45K+ mobility engineers (Airheads Community)
ENABLING GREAT DIGITAL EXPERIENCES FOR GENMOBILE
70% say a mobile device makes them more productive at work
By 2018, 60% of users in mature markets will own and use more than 3 personal devices
50% of enterprises will allow employees to supply their own devices by 2017
(Forrester – CIOs Must Empower the Digital Workplace; Forrester – The State of Enterprise Worker Mobility; Gartner – The Role of the Desktop in Our Multi-Device World)
BY 2020, 50% OF THE GLOBAL WORKFORCE WILL BE MILLENNIALS
Millennials believe their personal technology is more effective at work
63% of millennials work for a company that offers a flexible work environment
(Trends 2016 – Code Conference, Mary Meeker Annual Presentation; Gartner – Millennial Digital Workers Really Are Different From Their Elders)
LESS THAN 50% OF EMPLOYEES ARE SATISFIED WITH THE TECH THEY HAVE AT WORK
Employees want an environment where they can access and use the technology they need to do their best work
Enterprises need to think about how untethered employees can move easily and seamlessly from personal workspace to huddle area to open areas
(Trends 2016 – Code Conference, Mary Meeker Annual Presentation; Gartner – Millennial Digital Workers Really Are Different From Their Elders)
80+ NEW IOT PROJECTS TO BE DEPLOYED WITH WIRELESS NETWORK ARCHITECTURE
Installed base of IoT endpoints will grow from 12.1B in '15 to 30B+ in '20
WLAN will become the IoT connectivity method of choice for many organizations, and choosing the wrong wireless tech can hinder the value of IoT
(IDC – Planscape: Optimizing the WLAN for IoT; IDC – Worldwide Internet of Things Forecast Update 2016-2020)
THE PERFECT STORM: MOBILE, IoT and CLOUD
"OLD STYLE" IT INFRASTRUCTURE: Gen Y
"NEW STYLE" IT INFRASTRUCTURE: GenMobile
OUR APPROACH
Legacy: separate architectures, port/VLAN aware, proprietary systems
Mobile First: single set of infrastructure, insightful and context-rich, developer ready
REQUIREMENTS FOR IT ORGANIZATIONS
• Scale network ops across wireless and wired infrastructure
• Enable a high quality experience on mobile UC
• Stay compliant while embracing BYOD and IoT
• Deliver apps to remote locations in a heartbeat
• Improve workplace productivity and influence revenue growth
INNOVATION AT THE SPEED OF THE ECOSYSTEM ndash NOT A SINGLE VENDOR
Aruba infrastructure
Wi-Fi BLE Wired WAN
Aruba Mobile First Platform
x
Micro-location
services
Cloud
networking
Location
analytics
Policy
management
Network
managementNetwork
controls
IT services
Business and user facing applications
EMPLOYEE EXPERIENCE
09:00 Enroll mobile device
11:00 Privileged access with multi-factor authentication
13:00 Book meeting room
OPERATIONAL EXPERIENCE
09:30 Understand app usage (Aruba AppRF)
15:30 Monitor health of the smart building
IT EXPERIENCE
11:00 Predict, don't just troubleshoot (Aruba Clarity)
13:30 Understand, don't just monitor
ONCE BYOD AND IoT ARE ON YOUR NETWORK … SECURING THE PERIMETER IS NO LONGER ENOUGH
STAY COMPLIANT WHILE EMBRACING BYOD AND IOT
• Auto-classify unknown devices on any network with Aruba ClearPass
• Automate onboarding of each device to the network and enforce policy
• Detect & eliminate threats with ClearPass Exchange partners
SOFTWARE CONTROLS FOR NETWORK ACCESS SECURITY
Aruba ClearPass with Exchange Ecosystem (REST API): Internet of Things (IoT); BYOD and corporate owned; security monitoring and threat prevention; device management and multi-factor authentication; helpdesk and voice/SMS service in the cloud; multi-vendor switching; multi-vendor WLANs
SOFTWARE CONTROLS FOR "COLORLESS" PORTS
• Device and user identity stores
• Ports assigned to new VLANs through ClearPass based on device type
• IoT devices on the wired network connecting to any port
• Prevention against malware and insider threats
• Secure per-device tunneling to the Aruba Mobility Controller
• Aruba switches
LEADING SWISS BRANDS TRUST US
Pause
Aruba ClearPass – The solution for secure network access (Manuel Bitzi, SOFTEC AG)
Evolution of Access Management and Control
YESTERDAY: Desktops & Wired
• Basic AAA with user/port control
• Windows vulnerabilities
• Perimeter security via platform silos
• High-touch IT model
TODAY: Mobile Devices, BYOD & Wireless
• Multi-factor policy control with visibility
• Multiple attack vectors
• Cooperative trust via context sharing
• Self-service, automated process
Time For A New Mobility Defense Model
Static Perimeter Defense: perimeter defense with physical components (IDS/IPS, firewalls, antivirus, web gateways)
Adaptive Trust Defense: security and policy for each user or group
What are the main reasons for a NAC?
• Authentication / access protection
• Automatic configuration
• Workflows
• Visibility / traceability
Top IT NAC Business Drivers
Authentication and Authorization
• Provide secure wired and wireless access
• Enhance mobile and cloud app access
• Use of certificates
NAC Services Deployment (Deployment Services)
• Offer differentiated access (IT-owned, BYOD, IoT)
• Deliver managed and reliable guest access
• Provide consistent privileges regardless of location
• Leverage 3rd-party security solutions
Architecture and Coverage
• IT-controlled access
• Automate workflows
• Simplicity
• Possible user intervention
ClearPass Policy Manager and NAC Solution
Built-in: • Policy engine • RADIUS/CoA/TACACS • Profiling • Accounting/reports • Identity store
Expandable applications (Onboard, Guest, OnGuard, remote location): • BYOD onboarding • Simple guest access • Health assessments
What's Inside
VISIBILITY: device profiling, troubleshooting, per-session tracking
WORKFLOW: onboarding and self-registration, guest management, MDM/EMM integration
RULES: context-based, device posture checks, built-in certificate authority
Authentication based on Device Context
Device profiling: • Samsung SM-G900 • Android • "Jons-Galaxy"
EMM/MDM/OnGuard: • Personal owned • Registered • OS up-to-date • Hansen, Jon [Sales] • MDM enabled = true • In-compliance = true
Identity stores / network devices: • Hansen, Jon [Sales] • Title – COO • Dept – Executive office • City – London • Location – Bldg 10 • Floor – 3 • Bandwidth – 10Mbps
Value of a Policy Engine: Remove SSID Overload
NEW WAY: Simplify; separate traffic dynamically by context
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
Devices profiled2 ClearPass checks McAfee ePO for endpoint status
3
ClearPass enforcesaccess privileges4
Devices establish connections1
ClearPass Exchange ExampleBi-directional Exchange ndash FirewallIPS Event
FirewallIPSSIEMetchellip
user connects and uploads threat
sends event to ClearPass
informs infrastructure
1 2
4
detects and blocks event
3isolates user5
notifies user opens service ticket notify third-party devices6
ClearPass Profiler Engine
bull ClearPass sammelt so viele Informationen wie moumlglich um einen Geraumltetyp zu bestimmen
bull Category Family Product Name
bull Fingerprint-Datenbank wird regelmaumlssig aktualisiert
bull Eigene Fingerprints erstellen
bull Credentials fuumlr SMNP SSH etc hinterlegen
bull Profiling bei Authentifizierung oder nach Bedarf
bull Erkennen von IoT Devices
DHCP
SNMP
SSH
TCPWMI
CDP LLDP
OnGuard
NMAP
Mac OUI
HTTP
ClearPass Profiler EngineProfiling on authentication discover IoT
AfterBefore
Lighting Sensorunknown
unknown Temperature Sensor
send to
quarantineprofiling assign
new policy
discover IoT assign appropriated policy
ClearPass Profiler EngineCustom Fingerprints Rules
NEW WAY Create your own
Fingerprints
OLD WAY Wait for new Fingerprints to be made andor manually override
devices 11
ClearPass Universal ProfilerStandalone Profiling Engine
bull Standalone profiling engine
bull Wired and wireless networks
bull Easily distributed for coverage
and scalability
bull New device visibility dashboard
bull Reports
bull Gain Visibility of your Network
bull GA February 2017
ClearPass Universal Profiler
DEMO Profiling
Clearpass Modules WorkflowsOnGuard Client Health Check
bull Automated Healthcheck before Access
bull WiredWireless Ensures posture compliance for laptopscomputers
bull Security Forces use of Anti-VirusAnti-Spyware firewalls disk encryptionhellip
bull Remediation Manual or auto
bull Visibility Identifies poor behavior
bull User Notification Tells User about failed checks
bull Type Service or dissolvable Web Checker
DEMO OnGuard
Clearpass Modules WorkflowsSecure Guest Login
bull Flexible Guest Logins for Any Visitor
bull Customizable Splash Pages
bull Self-Service Workflows
bull SMS Authentication
bull Sponsoring
bull Social Login
bull Vouchers
bull Predefined UserPassword
bull MAC Caching for repeat visitors
bull Suitable for Mobile Devices
Clearpass Modules WorkflowsSecure Guest Login Look and Feel
Clearpass Modules WorkflowsOnBoard Employee Device
bull BYOD Employees Login with Personal Devices
bull User and IT friendly One time user registration no IT intervention
bull Security IT managed 8021X and Certificates
bull Context Data added to profile for adaptive policy and troubleshooting
bull Selfmanaged User can manage delete and block devices by their own
Clearpass Modules WorkflowsCertificate Distribution for BYOD
bull Domain
bull Key amp
Certificate
Enterprise PKI and CA Built-in ClearPass CA
Certificate
Authority
Validation
Authority
Registration
Authority
Active
Directory
IT-Managed
Devices
bull Domain
bull User
bull Device
bull Key amp Unique
Certificate
Personal
Devices
CA
Certificate
Authority
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
Public products of MELANI (4/4)
Phishing DB
Contents
• The Reporting and Analysis Centre for Information Assurance MELANI
• Current threat situation
Changing threat landscape
19th century (image: derstandard.at)
10 years ago (image: augsburgerallgemeine.de)
Today (image: jdpower.com)
• More modern means
• A networked population
• Too little security awareness
Tomorrow (image: infosecisland.com)
At the root of (almost) all evil: Social Engineering
"Social engineering is the art of moving a person to an action that may be in their interest or may cause them harm." Source: www.social-engineer.org
Public WLAN and guest access
Botnets (image: webreaders.de)
Botnets as THE means to an end
• Botnets underlie practically all criminal activity on the Internet
(Diagram: botnet operator → control server → bots; web providers as targets; uses: DDoS, spam, malware)
Botnets are this cheap to rent
Product | Price
Simple Windows bot | 10 cents per bot and day
Bot with good bandwidth | $1 per bot and day
Custom-built | $40 per bot
Source: SWITCH-CERT
Denial of Service
Protonmail (diagram: Armada Collective control server → bots → Protonmail)
Black Monday 2016
Mirai botnet by «New World Hackers»
• Attack wave of 21.10.2016 (approx. 50,000 – 100,000 bots)
• Source code leaked → copycats
• Competition with «Bashlight» → mutual hijacking of bots
DDoS recommendations
Prevention
• Identify business-critical systems
• Define protective measures with your provider
Response
• «Sit it out»
• Never pay a ransom
• Report to MELANI/KOBIK; if appropriate, file a complaint against unknown persons with the cantonal police (KaPo)
CEO Fraud
Fraud recommendations
• Issue clear instructions regarding payments
• Do not pass on internal information
• When in doubt, check with management
• Be careful even with emails from supposedly known persons
• Inform MELANI/KOBIK; if appropriate, file a criminal complaint against unknown persons with the cantonal police (KaPo)
Espionage
Espionage attack on the Federal Administration (BV)
Espionage: an example from Switzerland
Espionage recommendations
• Classify documents
• Enforce rules for the different classification levels
• Network monitoring for suspicious traffic
• Inform MELANI/KOBIK; if appropriate, file a criminal complaint against unknown persons with the cantonal police (KaPo)
Extortion (image: www.trustedwatch.de)
Ransomware («Verschlüsselungstrojaner») «Locky» (1/2, 2/2)
Ransomware recommendations
• Regular data backups
• Disconnect the backup media from the PC / network after the backup
• Spot-check the quality of the backups
• Never pay a ransom
• Inform MELANI/KOBIK; if appropriate, file a criminal complaint against unknown persons with the cantonal police (KaPo)
Max Klaus, Deputy Head, Reporting and Analysis Centre for Information Assurance MELANI
Schwarztorstrasse 59, 3003 Bern
Thank you for your attention
Mobile-First: Aruba's secure network architecture for the GenMobile (Jörg Hofmann, HPE Aruba)
MOBILE-FIRST: Secure network architecture for the GenMobile
People move. Networks must follow.
WHO ARE WE
Source: Gartner, Magic Quadrant for the Wired and Wireless LAN Access Infrastructure, September 2015, Tim Zimmerman, Bill Menezes, Andrew Lerner, ID Number G00277052. This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from HP. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
"Clients globally should consider Aruba for all wired and wireless access layer opportunities"
Gartner MQ for Wired and Wireless LAN Access Infrastructure, August 2016
Founded 2002, IPO 2007
HPE's IT Edge portfolio since June 2015
$2.4B+ annual revenue run rate
"Biggest Small Company"
High touch business model: "Customer First, Customer Last"
Home of 45K+ Mobility Engineers: Airheads Community
ENABLING GREAT DIGITAL EXPERIENCES FOR GENMOBILE
70% SAY A MOBILE DEVICE MAKES THEM MORE PRODUCTIVE AT WORK
By 2018, 60% of users in mature markets will own and use more than 3 personal devices
50% of enterprises will allow employees to supply their own devices by 2017
Sources: Forrester – CIOs Must Empower the Digital Workplace; Forrester – The State of Enterprise Worker Mobility; Gartner – The Role of the Desktop in Our Multi-Device World
BY 2020, 50% OF THE GLOBAL WORKFORCE WILL BE MILLENNIALS
Millennials believe their personal technology is more effective at work
63% of millennials work for a company that offers a flexible work environment
Sources: Trends 2016 – Code Conference, Mary Meeker Annual Presentation; Gartner – Millennial Digital Workers Really Are Different From Their Elders
LESS THAN 50% OF EMPLOYEES ARE SATISFIED WITH THE TECH THEY HAVE AT WORK
Employees want an environment where they can access and use the technology they need to do their best work
Enterprises need to think about how untethered employees can move easily and seamlessly from personal workspace to huddle area to open areas
Sources: Trends 2016 – Code Conference, Mary Meeker Annual Presentation; Gartner – Millennial Digital Workers Really Are Different From Their Elders
80%+ OF NEW IOT PROJECTS TO BE DEPLOYED WITH WIRELESS NETWORK ARCHITECTURE
Installed base of IoT endpoints will grow from 12.1B in '15 to 30B+ in '20
WLAN will become the IoT connectivity method of choice for many organizations, and choosing the wrong wireless tech can hinder the value of IoT
Sources: IDC – Planscape: Optimizing the WLAN for IoT; IDC – Worldwide Internet of Things Forecast Update 2016-2020
THE PERFECT STORM: MOBILE, IoT and CLOUD
"OLD STYLE" IT INFRASTRUCTURE (Gen Y) vs. "NEW STYLE" IT INFRASTRUCTURE (GenMobile)
OUR APPROACH
Legacy: Separate architectures; Port/VLAN aware; Proprietary systems
Mobile First: Single set of infrastructure; Insightful, context-rich; Developer ready
REQUIREMENTS FOR IT ORGANIZATIONS
• Scale network ops across wireless and wired infrastructure
• Enable high quality experience on mobile UC
• Stay compliant while embracing BYOD and IoT
• Deliver apps to remote locations in a heartbeat
• Improve workplace productivity and influence revenue growth
EASY TO CONSUME, DEVELOPER READY INFRASTRUCTURE
INNOVATION AT THE SPEED OF THE ECOSYSTEM – NOT A SINGLE VENDOR
(Platform diagram) Aruba infrastructure: Wi-Fi, BLE, Wired, WAN → Aruba Mobile First Platform → IT services: Micro-location services, Cloud networking, Location analytics, Policy management, Network management, Network controls → Business and user facing applications
EMPLOYEE EXPERIENCE: 09:00 Enroll mobile device · 11:00 Privileged access with multi-factor authentication · 13:00 Book meeting room
OPERATIONAL EXPERIENCE: 09:30 Understand app usage (Aruba AppRF) · 15:30 Monitor health of the smart building
IT EXPERIENCE: 11:00 Predict, don't just troubleshoot (Aruba Clarity) · 13:30 Understand, don't just monitor
ONCE BYOD AND IoT ARE ON YOUR NETWORK … SECURING THE PERIMETER IS NO LONGER ENOUGH
STAY COMPLIANT WHILE EMBRACING BYOD AND IOT
• Auto-classify unknown devices on any network with Aruba ClearPass
• Automate onboarding of each device to the network and enforce policy
• Detect & eliminate threats with ClearPass Exchange partners
SOFTWARE CONTROLS FOR NETWORK ACCESS SECURITY
(Diagram) Endpoints: Internet of Things (IoT); BYOD and corporate owned. Infrastructure: Multi-vendor switching; Multi-vendor WLANs. Aruba ClearPass with Exchange Ecosystem, connected via REST API to: Security monitoring and threat prevention; Device management and multi-factor authentication; Helpdesk and voice/SMS service in the cloud
SOFTWARE CONTROLS FOR "COLORLESS" PORTS
(Diagram) IoT devices on the wired network connecting to any port of Aruba switches; ports assigned to new VLANs through ClearPass based on device type, drawing on device and user identity stores; secure per-device tunneling to the Aruba Mobility Controller; prevention against malware and insider threats
LEADING SWISS BRANDS TRUST US
Break
Aruba ClearPass – the solution for secure network access (Manuel Bitzi, SOFTEC AG)
Evolution of Access Management and Control
YESTERDAY: Desktops & Wired; Basic AAA with User/Port Control; Windows vulnerabilities; Perimeter security via platform silos; High touch IT model
TODAY: Mobile Devices, BYOD & Wireless; Multi-factor policy control with visibility; Multiple attack vectors; Cooperative trust via context sharing; Self-service, automated process
Time For A New Mobility Defense Model
Static Perimeter Defense: IDS/IPS, Firewalls, Perimeter Defense, Physical Components, AntiVirus, Web gateways
Adaptive Trust Defense: Security and Policy for each user or group
What are the main reasons for a NAC?
• Authentication / access protection
• Automatic configuration
• Workflows
• Visibility / traceability
Top IT NAC Business Drivers
Authentication and Authorization
• Provide secure wired and wireless access
• Enhance mobile and cloud app access
• Use of certificates
NAC Services Deployment / Deployment Services
• Offer differentiated access (IT-owned, BYOD, IoT)
• Deliver managed and reliable guest access
• Provide consistent privileges regardless of location
• Leverage 3rd-party security solutions
Architecture and Coverage
• IT-controlled access
• Automate workflows
• Simplicity
• Possible user intervention
ClearPass Policy Manager and NAC Solution
Built-in: • Policy Engine • RADIUS/CoA/TACACS • Profiling • Accounting/reports • Identity store
Expandable Applications (Onboard, Guest, OnGuard): • BYOD onboarding • Simple guest access • Health assessments
Remote Location
What's Inside
VISIBILITY: Device Profiling; Troubleshooting; Per Session Tracking
WORKFLOW: Onboarding and Self-Registration; Guest Management; MDM/EMM Integration
RULES: Context based; Device Posture Checks; Built-in Certificate Authority
Authentication based on Device Context
Device Profiling: • Samsung SM-G900 • Android • "Jons-Galaxy"
EMM/MDM/OnGuard: • Personal owned • Registered • OS up-to-date • Hansen, Jon [Sales] • MDM enabled = true • In-compliance = true
Identity Stores: • Hansen, Jon [Sales] • Title – COO • Dept – Executive office • City – London
Network Devices: • Location – Bldg 10 • Floor – 3 • Bandwidth – 10Mbps
Value of a Policy Engine: Remove SSID Overload
OLD WAY: Separate access & traffic by SSIDs
NEW WAY: Simplify; separate traffic dynamically by context
ClearPass Exchange: End-to-End Control, Information and Visibility
Multi-Vendor Infrastructure
Partners: Device management and multi-factor authentication; Helpdesk and voice/SMS service in the cloud; Traffic control & threat prevention
Combine Identity Information
Standard Protocols for custom extensions: REST API/SQL, XML/HTTP, LDAP, RADIUS/TACACS
ClearPass Exchange Example: Extensions for Intel Security - McAfee ePO
(Diagram) Endpoints: corporate owned and IoT; BYOD and corporate owned; multi-vendor switching and WLAN
1 Devices establish connections
2 Devices profiled
3 ClearPass checks McAfee ePO for endpoint status
4 ClearPass enforces access privileges
ClearPass Exchange Example: Bi-directional Exchange – Firewall/IPS Event
(Firewall / IPS / SIEM etc. …)
1 User connects and uploads threat
2 Firewall/IPS detects and blocks the event
3 Sends event to ClearPass
4 ClearPass informs the infrastructure
5 Isolates the user
6 Notifies the user, opens a service ticket, notifies third-party devices
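The exchange above, as an added example that is not ClearPass code and not part of the original slides: a firewall/IPS event arrives as a CEF-style syslog line (constructed here), the NAC looks up which authenticated session owns the source IP, and isolates that endpoint by building a RADIUS Change-of-Authorization request (RFC 5176) addressed to the switch or controller that terminated the session. The sample event, the session table, the shared secret and the role name "quarantine" are assumptions; the Aruba-User-Role attribute follows Aruba's RADIUS dictionary (Vendor-Id 14823, vendor type 1). The verify function is the check the NAS performs on receipt.

```python
import hashlib
import hmac
import re
import socket
import struct

# Constructed sample: one CEF-style syslog line as a firewall/IPS might forward
# it to the NAC (vendor, product and field values are made up for the example).
SAMPLE_EVENT = (
    "CEF:0|ExampleIPS|Sensor|1.0|malware-upload|Malware upload detected|9|"
    "src=10.20.30.44 dst=203.0.113.7 suser=jhansen act=blocked"
)

# Constructed sample: the NAC's view of currently authenticated sessions,
# keyed by the client IP learned from RADIUS accounting.
SESSIONS = {
    "10.20.30.44": {
        "user": "jhansen",
        "mac": "AA-BB-CC-11-22-33",
        "nas_ip": "10.0.0.2",          # switch/controller that owns the session
        "acct_session_id": "4F1A9C00",
    },
}

# RADIUS constants (RFC 2865 / RFC 5176) and Aruba's vendor dictionary entries
# (Vendor-Id 14823, Aruba-User-Role = 1).
CODE_COA_REQUEST = 43
ATTR_USER_NAME, ATTR_FRAMED_IP, ATTR_VSA = 1, 8, 26
ATTR_CALLING_STATION_ID, ATTR_ACCT_SESSION_ID = 31, 44
ARUBA_VENDOR_ID, ARUBA_USER_ROLE = 14823, 1


def parse_cef(line):
    """Split a CEF record into its fixed header fields and the key=value extension."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    ext = dict(re.findall(r"(\w+)=(\S+)", parts[7]))
    return {"vendor": parts[1], "name": parts[5], "severity": int(parts[6]), "ext": ext}


def attr(attr_type, value):
    """Encode one Type-Length-Value RADIUS attribute (length includes the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vsa(vendor_id, vendor_type, value):
    """Encode a Vendor-Specific attribute wrapping one vendor TLV."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return attr(ATTR_VSA, struct.pack("!I", vendor_id) + inner)


def build_coa_request(secret, identifier, attrs):
    """Build a CoA-Request. RFC 5176 s2.3: Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", CODE_COA_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_coa_request(packet, secret):
    """What the NAS does on receipt: recompute the authenticator with the shared secret."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_COA_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def isolate_endpoint(event_line, sessions, secret, identifier=1, min_severity=7):
    """Map an IPS event to the session that produced it and build the CoA that
    moves that endpoint into the quarantine role on its NAS."""
    event = parse_cef(event_line)
    if event["severity"] < min_severity:
        return {"action": "ignore", "reason": "severity below threshold"}
    src = event["ext"].get("src")
    session = sessions.get(src)
    if session is None:
        # Nothing to CoA: the IP is not an authenticated client (or already gone).
        return {"action": "ignore", "reason": f"no active session for {src}"}
    attrs = (
        attr(ATTR_USER_NAME, session["user"].encode())
        + attr(ATTR_FRAMED_IP, socket.inet_aton(src))
        + attr(ATTR_CALLING_STATION_ID, session["mac"].encode())
        + attr(ATTR_ACCT_SESSION_ID, session["acct_session_id"].encode())
        + vsa(ARUBA_VENDOR_ID, ARUBA_USER_ROLE, b"quarantine")
    )
    return {
        "action": "isolate",
        "reason": f"{event['vendor']}: {event['name']}",
        "nas_ip": session["nas_ip"],   # send the UDP datagram to port 3799 here
        "coa": build_coa_request(secret, identifier, attrs),
    }


if __name__ == "__main__":
    result = isolate_endpoint(SAMPLE_EVENT, SESSIONS, b"s3cret")
    print(result["action"], result["nas_ip"], result["coa"].hex())
```

In a deployment the packet goes by UDP to port 3799 of the NAS, and RFC 5176 recommends also carrying a Message-Authenticator attribute (HMAC-MD5), which this example leaves out. The session table must be fed from RADIUS accounting so the IP-to-session lookup stays current; events below the severity threshold, or for an IP with no session, are ignored rather than acted on by guesswork.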
ClearPass Profiler Engine
• ClearPass collects as much information as possible to determine a device type
• Category, Family, Product Name
• The fingerprint database is updated regularly
• Create your own fingerprints
• Store credentials for SNMP, SSH etc.
• Profiling at authentication or on demand
• Detect IoT devices
Collectors: DHCP, SNMP, SSH, TCP/WMI, CDP/LLDP, OnGuard, NMAP, MAC OUI, HTTP
ClearPass Profiler Engine: Profiling on authentication, discover IoT
Before: unknown / unknown → After: Lighting Sensor / Temperature Sensor
Flow: send to quarantine → profiling → assign new policy (discover IoT, assign the appropriate policy)
ClearPass Profiler Engine: Custom Fingerprints / Rules
OLD WAY: Wait for new fingerprints to be made and/or manually override devices 1:1
NEW WAY: Create your own fingerprints
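How such a fingerprint engine fits together, as an added example (not ClearPass code; the fingerprint database below is constructed for illustration, and its OUIs, option-55 lists and patterns are assumptions, not the vendor feed): several collectors contribute evidence (MAC OUI, the DHCP option 55 parameter request list, an HTTP User-Agent, an SNMP sysDescr), every fingerprint is scored against that evidence with a weight reflecting how hard the signal is to spoof, a device below the minimum score stays Unknown and goes to quarantine, and a custom fingerprint added locally turns the previously unknown temperature sensor from the slide into a classified IoT device.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Fingerprint:
    """One fingerprint rule: Category / Family / Product plus the evidence it matches."""
    category: str
    family: str
    product: str
    oui: set = field(default_factory=set)         # MAC prefixes "AA:BB:CC"
    dhcp_opt55: set = field(default_factory=set)  # DHCP parameter request lists (tuples)
    ua_regex: str = ""                            # HTTP User-Agent pattern
    sysdescr_regex: str = ""                      # SNMP sysDescr pattern
    custom: bool = False                          # locally created, not from the vendor feed


# Constructed fingerprint database: OUIs, option-55 lists and patterns are
# illustrative values for this example, not the real fingerprint feed.
FINGERPRINTS = [
    Fingerprint("Computer", "Windows", "Windows 10 workstation",
                dhcp_opt55={(1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252)},
                ua_regex=r"Windows NT 10\.0"),
    Fingerprint("Smartphone", "Android", "Samsung Galaxy (SM-G900)",
                oui={"00:11:22"}, ua_regex=r"Android.*SM-G900"),
    Fingerprint("Network Infrastructure", "Switch", "Example managed switch",
                sysdescr_regex=r"^Example Switch OS"),
]

# Evidence weights: a MAC OUI is trivially spoofed and alone never reaches MIN_SCORE.
WEIGHTS = {"oui": 1, "dhcp55": 2, "user_agent": 2, "sysdescr": 3}
MIN_SCORE = 2


def _oui(mac):
    """Normalise 'aa-bb-cc-dd-ee-ff' or 'AA:BB:CC:DD:EE:FF' to the 'AA:BB:CC' prefix."""
    return mac.upper().replace("-", ":")[:8]


def score(fp, obs):
    """Sum the weights of every evidence source in the observation this fingerprint matches."""
    total = 0
    if fp.oui and "mac" in obs and _oui(obs["mac"]) in fp.oui:
        total += WEIGHTS["oui"]
    if fp.dhcp_opt55 and tuple(obs.get("dhcp55", ())) in fp.dhcp_opt55:
        total += WEIGHTS["dhcp55"]
    if fp.ua_regex and obs.get("user_agent") and re.search(fp.ua_regex, obs["user_agent"]):
        total += WEIGHTS["user_agent"]
    if fp.sysdescr_regex and obs.get("sysdescr") and re.search(fp.sysdescr_regex, obs["sysdescr"]):
        total += WEIGHTS["sysdescr"]
    return total


def profile(obs, db=None):
    """Return the best-scoring Category/Family/Product, or Unknown plus a quarantine
    action when no fingerprint reaches MIN_SCORE."""
    db = FINGERPRINTS if db is None else db
    best, best_score = None, 0
    for fp in db:
        s = score(fp, obs)
        if s > best_score:
            best, best_score = fp, s
    if best is None or best_score < MIN_SCORE:
        return {"category": "Unknown", "family": "Unknown", "product": "Unknown",
                "score": best_score, "custom": False, "action": "quarantine"}
    return {"category": best.category, "family": best.family, "product": best.product,
            "score": best_score, "custom": best.custom, "action": "assign_policy"}


def add_custom_fingerprint(db, fp):
    """The slide's 'new way': add a locally created fingerprint instead of waiting for the feed."""
    fp.custom = True
    db.append(fp)
    return db


if __name__ == "__main__":
    # Constructed observation: an IoT sensor the stock database does not know.
    sensor = {"mac": "02:42:ac:00:00:01", "sysdescr": "AcmeSense TS-100 temperature sensor fw 2.1"}
    print("before:", profile(sensor))
    db = add_custom_fingerprint(list(FINGERPRINTS), Fingerprint(
        "IoT", "Sensor", "Temperature Sensor", oui={"02:42:AC"}, sysdescr_regex=r"temperature sensor"))
    print("after: ", profile(sensor, db))
```

The weights are the design point: DHCP and HTTP evidence come from the device's own stack and are harder to forge consistently than a MAC prefix, and sysDescr is only obtainable with SNMP credentials the profiler holds, so it counts most. An observation that matches nothing strongly enough is reported as Unknown and quarantined, which is the safe default the "send to quarantine, profile, assign new policy" flow relies on.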
ClearPass Universal Profiler: Standalone Profiling Engine
• Standalone profiling engine
• Wired and wireless networks
• Easily distributed for coverage and scalability
• New device visibility dashboard
• Reports
• Gain visibility of your network
• GA February 2017
ClearPass Universal Profiler
DEMO: Profiling
ClearPass Modules / Workflows: OnGuard Client Health Check
• Automated health check before access
• Wired/Wireless: Ensures posture compliance for laptops/computers
• Security: Forces use of anti-virus/anti-spyware, firewalls, disk encryption …
• Remediation: Manual or auto
• Visibility: Identifies poor behavior
• User Notification: Tells the user about failed checks
• Type: Service or dissolvable Web Checker
DEMO: OnGuard
ClearPass Modules / Workflows: Secure Guest Login
• Flexible guest logins for any visitor
• Customizable splash pages
• Self-service workflows
• SMS authentication
• Sponsoring
• Social login
• Vouchers
• Predefined user/password
• MAC caching for repeat visitors
• Suitable for mobile devices
ClearPass Modules / Workflows: Secure Guest Login – Look and Feel
ClearPass Modules / Workflows: OnBoard Employee Device
• BYOD: Employees log in with personal devices
• User and IT friendly: One-time user registration, no IT intervention
• Security: IT-managed 802.1X and certificates
• Context: Data added to the profile for adaptive policy and troubleshooting
• Self-managed: Users can manage, delete and block their own devices
ClearPass Modules / Workflows: Certificate Distribution for BYOD
Enterprise PKI and CA (Active Directory, Registration Authority, Validation Authority, Certificate Authority): IT-managed devices receive • Domain • Key & Certificate
Built-in ClearPass CA (Certificate Authority): Personal devices receive • Domain • User • Device • Key & Unique Certificate
ClearPass Modules / Workflows: Multi-Factor Authentication
• Additional authentication for Guest and Onboard workflows
• Multiple providers supported: • SMS verification code • RSA Security • Duo • Zoom Facial Network • Kasada • More to come
DEMO: OnBoard BYOD
Possible access concept: Wireless
• Guests: SSID "open", captive portal → Internet only
• BYOD and Corp-PC: SSID "secure", 802.1X (Dot1x) → Corp-PC: Corp LAN; others: Internet
• IoT: SSID "IoT", PSK / MAC / Profiling
Possible access concept: Wired
• Guests: captive portal → Internet only
• Corp-PC: 802.1X (Dot1x) with certificate → Corp LAN
• Others: MAC-Auth + Profiling → Internet
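The policy logic behind the two access concepts, the "Authentication based on Device Context" slide and the OnGuard posture check, as one added example (not ClearPass code; VLAN numbers, role names, CA labels and the group name are assumptions for the example): a single rule set takes the context that profiling, EMM/MDM, posture and the identity store contribute, and returns a role plus a dynamic VLAN as RADIUS reply attributes. The NAS type is deliberately not a rule input, which is what lets the same decision serve a wired port and a single secure SSID.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Enforcement:
    """What the policy engine hands back to the NAS for one session."""
    role: str
    vlan: int
    reason: str

    def radius_attributes(self):
        # Dynamic VLAN via the RFC 3580 Tunnel-* attributes; the role name goes in
        # the vendor attribute the NAS understands (Aruba-User-Role for Aruba gear).
        return {
            "Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": str(self.vlan),
            "Aruba-User-Role": self.role,
        }


# Constructed: VLAN numbers, role names and CA labels are assumptions for the example.
VLAN_CORP, VLAN_BYOD, VLAN_IOT, VLAN_GUEST = 10, 20, 30, 40
VLAN_REMEDIATION, VLAN_QUARANTINE = 98, 99


def decide(ctx):
    """Evaluate the context of one authentication; the first matching rule wins and
    anything unmatched lands in quarantine (default deny). The context dict carries
    what profiling, EMM/MDM, OnGuard and the identity store contribute:
      auth                 "eap-tls" | "peap" | "mac" | "captive-portal"
      cert_issuer          "ad-ca" (enterprise PKI) | "onboard-ca" (NAC's built-in CA)
      profile              device category from the profiler ("Computer", "IoT", ...)
      registered_as        category the MAC was registered under (IoT inventory)
      posture              OnGuard result "healthy" | "unhealthy" | "unknown"
      mdm_compliant        EMM/MDM compliance flag
      groups               directory groups of the user
      guest_account_valid  sponsored guest account still valid
    The NAS type (wired port or SSID) is not consulted: one rule set serves both."""
    auth = ctx.get("auth")
    issuer = ctx.get("cert_issuer")
    profile = ctx.get("profile", "Unknown")
    posture = ctx.get("posture", "unknown")
    groups = set(ctx.get("groups", ()))

    # 1. Corporate PC: machine certificate from the enterprise CA and profiled as a
    #    computer. Posture decides between full access and the remediation network.
    if auth == "eap-tls" and issuer == "ad-ca" and profile == "Computer":
        if posture == "healthy":
            return Enforcement("corp-pc", VLAN_CORP, "domain device, posture OK")
        return Enforcement("remediation", VLAN_REMEDIATION, f"domain device, posture {posture}")

    # 2. BYOD: unique per-device certificate from the onboarding CA, the user is an
    #    employee and the MDM reports the device compliant.
    if auth == "eap-tls" and issuer == "onboard-ca":
        if "employees" in groups and ctx.get("mdm_compliant") is True:
            return Enforcement("byod", VLAN_BYOD, "onboarded personal device, MDM compliant")
        return Enforcement("quarantine", VLAN_QUARANTINE,
                           "onboarded device not compliant or user not an employee")

    # 3. IoT: MAC authentication proves nothing by itself, so the profiler must
    #    confirm the category the MAC was registered under.
    if auth == "mac":
        if profile == "IoT" and ctx.get("registered_as") == "IoT":
            return Enforcement("iot", VLAN_IOT, "registered IoT device, profile confirmed")
        return Enforcement("quarantine", VLAN_QUARANTINE,
                           f"MAC auth but profile {profile!r} does not match registration")

    # 4. Guests: captive portal with a valid sponsored account, internet only.
    if auth == "captive-portal" and ctx.get("guest_account_valid") is True:
        return Enforcement("guest", VLAN_GUEST, "sponsored guest, internet only")

    # 5. Default deny, e.g. password-based 802.1X without a certificate.
    return Enforcement("quarantine", VLAN_QUARANTINE, "no rule matched")


if __name__ == "__main__":
    # Constructed contexts for the four device classes of the access-concept slides.
    samples = {
        "corp-pc":  {"auth": "eap-tls", "cert_issuer": "ad-ca", "profile": "Computer", "posture": "healthy"},
        "byod":     {"auth": "eap-tls", "cert_issuer": "onboard-ca", "profile": "Smartphone",
                     "mdm_compliant": True, "groups": ["employees"]},
        "iot":      {"auth": "mac", "profile": "IoT", "registered_as": "IoT"},
        "spoofed":  {"auth": "mac", "profile": "Computer", "registered_as": "IoT"},
        "guest":    {"auth": "captive-portal", "guest_account_valid": True},
    }
    for name, ctx in samples.items():
        e = decide(ctx)
        print(f"{name:8} -> {e.role:12} {e.radius_attributes()}  ({e.reason})")
```

MAC authentication is treated as weak: it only yields the IoT role when the profiler confirms the category the MAC was registered under, so a laptop spoofing a sensor's MAC lands in quarantine rather than on the IoT network. Anything no rule matches is denied by default instead of being given a fallback network, and a profile or posture change re-evaluates the same function, which is what a CoA-driven re-profiling step relies on.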
How to approach a NAC project: Best practice and experience
• Know the devices on your network: What is there? Where are they? What is new? Inventory, profiling
• Define use cases: Which stakeholder groups are there? Procedures, processes, access. Simple and few: keep it simple
• Plan enough time for a proof of concept; feed the PoC experience back in and adapt
• Implement step by step: not everything at once, but ultimately across the whole network
Thank you for your attention
Manuel Bitzi, Project Manager Network Engineering
manuel.bitzi@softec.ch
Apéro and networking
Thank you for your visit
SOFTEC AG, Industriestrasse 51, CH-6312 Steinhausen
kurt.christen@softec.ch, +41 41 747 07 60
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Phishing DB
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Inhalt
bull Die Melde- und Analysestelle Informationssicherung MELANI
bull Aktuelle Bedrohungslage
Titel Datum AutorIn 15
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Veraumlnderung der Bedrohungslage
19 Jahrhundert
derstandardat
Vor 10 Jahren
augsburgerallgemeinede
heute
jdpowercom
bull Modernere Mittel
bull Vernetzte Bevoumllkerung
bull Zu geringes Sicherheitsbewusstsein
morgen
infosecislandcom
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Am Anfang (fast) allen UumlbelsSocial Engineering
ldquoSocial Engineering ist die Kunst eine Person zu einer Tat zu bewegen die in ihrem Interesse sein
kann oder die ihr Schaden zufuumlgen kannrdquo Quelle wwwsocial-engineerorg
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Oumlffentliche WLAN und Gastzugaumlnge
Titel Datum AutorIn 18
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Botnetze
webreadersdewp-contentuploads200801botnetzjpg
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Botnetze als DAS Mittel zumZweck
bull Botnetze liegen praktisch allen kriminellen Aktivitaumlten im
Bereich des Internets zu Grunde
wwwanbieter
Bots
Kontrollserver
Botnetzbetreiber
DDoS
Spam
Malware
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Produkt Preis
Einfacher Windows Bot 10 Cents BotampTag
Bot mit guter Bandbreite 1$ BotampTag
Spezialanfertigung 40$ Bot
Quelle SWITCH-CERT
So billig sind Botnetze zu mieten
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Denial of Service
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Protonmail
Bots
Kontrollserver Armada Collective
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Protonmail
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Der schwarze Montag 2016
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Mirai Botnet by laquoNew World Hackersraquobull Angriffswelle vom 21102016 (ca
50rsquo000 ndash 100rsquo000 Bots)
bull Source Code geleakt
Trittbrettfahrer
bull Konkurrenz zu laquoBashlightraquo
gegenseitiges Kapern
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
DDos Empfehlungen
Praumlvention
bull Businesskritische Systeme identifizieren
bull Schutzmassnahmen mit Provider definieren
Reaktion
bull laquoAussitzenraquo
bull Keinesfalls Loumlsegeld bezahlen
bull Meldung an MELANIKOBIK allenfalls Anzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
CEO Fraud
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
CEO Fraud
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Betrug Empfehlungen
bull Klare Weisungen bezuumlglich Zahlungen erteilen
bull Keine internen Informationen weitergeben
bull Im Zweifelsfall bei der GL nachfragen
bull Vorsicht auch bei Mails von vermeintlich bekannten Personen
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionageangriff auf BV
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage Beispiel aus der Schweiz
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage Empfehlungen
bull Klassifizierung von Dokumenten
bull Regeln fuumlr die verschiedenen Klassfizierungen durchsetzen
bull Netzwerkmonitoring betr verdaumlchtigem Datenverkehr
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Erpressung
httpwwwtrustedwatchde
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner laquoLockyraquo (12)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner laquoLockyraquo (22)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner Empfehlungen
bull Regelmaumlssige Datensicherung
bull Datentraumlger nach Backup vom PC Netz trennen
bull Qualitaumlt der Backups sporadisch uumlberpruumlfen
bull Keinesfalls Loumlsegeld bezahlen
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Max KlausStv Leiter Melde- und Analysestelle
Informationssicherung MELANI
Schwarztorstrasse 59
3003 Bern
Herzlichen Dank fuumlr Ihre Aufmerksamkeit
Mobile-First Arubalsquos sichere Netzwerkarchitektur fuumlr die GenMobileJoumlrg Hofmann HPE Aruba
MOBILE-FIRST
Sichere Netzwerkarchitektur
fuumlr die GenMobile
People Move
Networks Must Follow
WHO ARE WE
Source Gartner Magic Quadrant for the Wired and Wireless LAN Access Infrastructure September 2015 Tim Zimmerman Bill Menezes Andrew Lerner ID Number
G00277052 This Magic Quadrant graphic was published by Gartner Inc as part of a larger research note and should be evaluated in the context of the entire report
The Gartner report is available upon request from HP The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period It depicts
Gartners analysis of how certain vendors measure against criteria for that marketplace as defined by Gartner Gartner does not endorse any vendor product or
service depicted in the Magic Quadrant and does not advise technology users to select only those vendors placed in the Leaders quadrant The Magic Quadrant is
intended solely as a research tool and is not meant to be a specific guide to action Gartner disclaims all warranties express or implied with respect to this research
including any warranties of merchantability or fitness for a particular purpose
ldquoClients globally should consider
Aruba for all wired and wireless
access layer opportunitiesrdquo
Gartner MQ for Wired and Wireless LAN
Access Infrastructure August 2016
Founded 2002 IPO 2007
HPErsquos IT Edge portfolio since June 2015
$24B+ annual revenue run rate
ldquoBiggest Small Companyrdquo
High touch business model
ldquoCustomer First Customer Lastrdquo
Home of 45K+ Mobility Engineers
Airheads Community
ENABLING GREAT
DIGITAL EXPERIENCES FOR GENMOBILE
70 SAY A MOBILE DEVICE MAKES THEM MORE
PRODUCTIVE AT WORK
By 2018 60 of users in mature markets will own and use more
than 3 personal devices
50 of enterprises will allow employees to supply their own
devices by 2017
Forrester ndash CIOs Must Empower the Digital Workplace
Forrester ndash The State of Enterprise Worker Mobility
Gartner ndash The Role of the Desktop in Our Multi-Device World
BY 2020 50 OF THE GLOBAL WORKFORCE WILL BE MILLENNIALS
Millennials believe their personal technology is more
effective at work
63 of millennials work for a company that offers a flexible
work environment
Trends 2016 ndash Code Conference Mary Meeker Annual Presentation
Gartner ndash Millennial Digital Workers Really Are Different From Their Elders
LESS THAN 50 OF EMPLOYEES ARE
SATISFIED WITH TECH THEY HAVE AT WORK
Employees want an environment where they can access and use the technology hey need to do
their best work
Enterprises need to think how untethered employees can move
easily and seamlessly from personal workspace to huddle
area to open areas
Trends 2016 ndash Code Conference Mary Meeker Annual Presentation
Gartner ndash Millennial Digital Workers Really Are Different From Their Elders
80+ NEW IoT PROJECTS TO BE DEPLOYED WITH A WIRELESS NETWORK ARCHITECTURE
• Installed base of IoT endpoints will grow from 12.1B in 2015 to 30B+ in 2020
• WLAN will become the IoT connectivity method of choice for many organizations, and choosing the wrong wireless technology can hinder the value of IoT
Sources: IDC – PlanScape: Optimizing the WLAN for IoT; IDC – Worldwide Internet of Things Forecast Update 2016-2020
THE PERFECT STORM: MOBILE, IoT AND CLOUD
“Old style” IT infrastructure (Gen Y) versus “new style” IT infrastructure (GenMobile)
OUR APPROACH
Legacy: separate architectures; port/VLAN aware; proprietary systems
Mobile First: single set of infrastructure; insightful, context-rich; developer ready
REQUIREMENTS FOR IT ORGANIZATIONS
• Scale network operations across wireless and wired infrastructure
• Enable a high-quality experience on mobile UC
• Stay compliant while embracing BYOD and IoT
• Deliver apps to remote locations in a heartbeat
• Improve workplace productivity and influence revenue growth
EASY TO CONSUME, DEVELOPER READY INFRASTRUCTURE
INNOVATION AT THE SPEED OF THE ECOSYSTEM – NOT A SINGLE VENDOR
Layered view (figure):
• Aruba infrastructure: Wi-Fi, BLE, wired, WAN
• Aruba Mobile First Platform: micro-location services, cloud networking, location analytics, policy management, network management, network controls
• IT services
• Business and user-facing applications
Figure: employee, operational and IT experience over one day
Employee experience: 09:00 enroll mobile device; 11:00 privileged access with multi-factor authentication; 13:00 book meeting room
Operational experience: 09:30 understand app usage (Aruba AppRF); 15:30 monitor health of the smart building
IT experience: 11:00 predict, don’t just troubleshoot (Aruba Clarity); 13:30 understand, don’t just monitor
ONCE BYOD AND IoT ARE ON YOUR NETWORK … SECURING THE PERIMETER IS NO LONGER ENOUGH
STAY COMPLIANT WHILE EMBRACING BYOD AND IoT
• Auto-classify unknown devices on any network with Aruba ClearPass
• Automate onboarding of each device to the network and enforce policy
• Detect and eliminate threats with ClearPass Exchange partners
SOFTWARE CONTROLS FOR NETWORK ACCESS SECURITY (figure)
Aruba ClearPass with the Exchange ecosystem sits between the endpoints (Internet of Things (IoT), BYOD and corporate-owned devices, on multi-vendor switching and multi-vendor WLANs) and the partner services it talks to over a REST API:
• Security monitoring and threat prevention
• Device management and multi-factor authentication
• Helpdesk and voice/SMS service in the cloud
SOFTWARE CONTROLS FOR “COLORLESS” PORTS (figure)
• Device and user identity stores
• IoT devices on the wired network connecting to any port
• Ports assigned to new VLANs through ClearPass based on device type
• Prevention against malware and insider threats
• Secure per-device tunneling from Aruba switches to the Aruba Mobility Controller
LEADING SWISS BRANDS TRUST US
Break
Aruba ClearPass – the solution for secure network access (Manuel Bitzi, SOFTEC AG)
Evolution of Access Management and Control
YESTERDAY: desktops and wired
• Basic AAA with user/port control
• Windows vulnerabilities
• Perimeter security via platform silos
• High-touch IT model
TODAY: mobile devices, BYOD and wireless
• Multi-factor policy control with visibility
• Multiple attack vectors
• Cooperative trust via context sharing
• Self-service, automated processes
Time For A New Mobility Defense Model
Static perimeter defense: firewalls, IDS/IPS, web gateways, antivirus, physical components
Adaptive trust defense: perimeter defense plus security and policy for each user or group
What are the main reasons for NAC?
• Authentication / access protection
• Automatic configuration
• Workflows
• Visibility / traceability
Top IT NAC Business Drivers
Authentication and Authorization
• Provide secure wired and wireless access
• Enhance mobile and cloud app access
• Use of certificates
NAC Services Deployment
• Offer differentiated access (IT-owned, BYOD, IoT)
• Deliver managed and reliable guest access
• Provide consistent privileges regardless of location
• Leverage 3rd-party security solutions
Architecture and Coverage
• IT-controlled access
• Automate workflows
• Simplicity
• Possible user intervention
ClearPass Policy Manager and NAC Solution
Built-in: policy engine; RADIUS / CoA / TACACS; profiling; accounting / reports; identity store
Expandable applications: Onboard (BYOD onboarding), Guest (simple guest access), OnGuard (health assessments); remote location
What’s inside
VISIBILITY: device profiling; troubleshooting; per-session tracking
WORKFLOW: onboarding and self-registration; guest management; MDM/EMM integration
RULES: context based; device posture checks; built-in certificate authority
Authentication based on device context (figure)
Device profiling: Samsung SM-G900; Android; “Jons-Galaxy”
EMM / MDM / OnGuard: personally owned; registered; OS up to date; Hansen Jon [Sales]; MDM enabled = true; in compliance = true
Identity stores: Hansen Jon [Sales]; title – COO; dept – executive office; city – London
Network devices: location – Bldg 10; floor – 3; bandwidth – 10 Mbps
Value of a Policy Engine: remove SSID overload
OLD WAY: separate access and traffic by SSIDs
NEW WAY: simplify, separate traffic dynamically by context
ClearPass Exchange: end-to-end control, information and visibility (figure)
Multi-vendor infrastructure; device management and multi-factor authentication; helpdesk and voice/SMS service in the cloud; traffic control and threat prevention; combine identity information
Standard protocols for custom extensions: REST API, SQL, XML/HTTP, LDAP, RADIUS/TACACS
ClearPass Exchange example: extensions for Intel Security – McAfee ePO (figure)
Endpoints (corporate-owned and IoT; BYOD and corporate-owned) on multi-vendor switching and multi-vendor WLAN
1. Devices establish connections
2. Devices are profiled
3. ClearPass checks McAfee ePO for endpoint status
4. ClearPass enforces access privileges
ClearPass Exchange example: bi-directional exchange – firewall/IPS event (figure)
1. User connects and uploads a threat
2. Firewall / IPS / SIEM etc. detects and blocks the event
3. … and sends the event to ClearPass
4. ClearPass informs the infrastructure
5. … which isolates the user
6. ClearPass notifies the user, opens a service ticket and notifies third-party devices
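The "sends event to ClearPass, infrastructure isolates the user" step above is, on the wire, a RADIUS Disconnect-Request (RFC 5176, code 40) from the policy manager to the NAS that holds the session. The following is an added example, not Aruba or SOFTEC code: it parses a constructed IPS event, looks the source IP up in a constructed session table, builds the Disconnect-Request with the Request Authenticator RFC 5176 borrows from Accounting-Requests, and shows both the NAS-side check and the ACK/NAK verification. The event format, session table, shared secret and all addresses are assumptions for the example.

```python
"""Added example, not Aruba or SOFTEC code: the SIEM -> NAC -> "isolate user"
step as a RADIUS Disconnect-Request (RFC 5176, code 40). Event format, session
table, shared secret and addresses are constructed for the example."""
import hashlib
import json
import socket
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42

# RADIUS attribute types (RFC 2865 / RFC 2866)
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44

# Constructed session table, as the policy manager would have learned it from
# RADIUS accounting: framed IP -> session context (hypothetical values).
SESSIONS = {
    "10.20.30.41": {
        "user": "jhansen",
        "mac": "a4-5e-60-11-22-33",
        "acct_session_id": "5F3A9C01",
        "nas_ip": "10.0.0.5",
    },
}


def parse_ips_event(line):
    """Parse one constructed JSON event as an IPS/SIEM might post it.
    Only blocked, high-severity events justify isolating a user."""
    ev = json.loads(line)
    if ev.get("action") != "blocked" or int(ev.get("severity", 0)) < 3:
        return None
    return {"src_ip": ev["src_ip"], "signature": ev.get("signature", "")}


def _avp(attr_type, value):
    """Encode one attribute-value pair: Type(1) Length(1) Value(<=253 octets)."""
    if isinstance(value, str):
        value = value.encode()
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_disconnect_request(session, identifier, secret):
    """Disconnect-Request. Its Request Authenticator is
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret),
    the Accounting-Request rule of RFC 2866 that RFC 5176 reuses."""
    attrs = (
        _avp(ATTR_USER_NAME, session["user"])
        + _avp(ATTR_CALLING_STATION_ID, session["mac"])
        + _avp(ATTR_ACCT_SESSION_ID, session["acct_session_id"])
        + _avp(ATTR_NAS_IP_ADDRESS, socket.inet_aton(session["nas_ip"]))
    )
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def request_authenticator_ok(packet, secret):
    """What the NAS checks before acting on a Disconnect-Request."""
    recomputed = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return recomputed == packet[4:20]


def build_disconnect_response(request, secret, ack=True):
    """NAS side: Disconnect-ACK/NAK whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    code = DISCONNECT_ACK if ack else DISCONNECT_NAK
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def disconnect_succeeded(response, request, secret):
    """Back on the NAC: True for a genuine ACK, False for a genuine NAK,
    None if the response does not belong to our request or fails to verify."""
    if len(response) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if identifier != request[1] or length != len(response):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if expected != response[4:20]:
        return None
    return code == DISCONNECT_ACK if code in (DISCONNECT_ACK, DISCONNECT_NAK) else None


def isolate_from_event(line, secret, identifier=7):
    """Event -> session lookup -> Disconnect-Request bytes, or None if no action."""
    ev = parse_ips_event(line)
    if ev is None or ev["src_ip"] not in SESSIONS:
        return None
    return build_disconnect_request(SESSIONS[ev["src_ip"]], identifier, secret)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    event = '{"src_ip": "10.20.30.41", "action": "blocked", "severity": 4, "signature": "ET MALWARE"}'
    req = isolate_from_event(event, secret)
    print(len(req), "byte Disconnect-Request, authenticator ok:", request_authenticator_ok(req, secret))
    # to send: socket.socket(socket.AF_INET, socket.SOCK_DGRAM).sendto(req, (nas_ip, 3799))
```

The request goes to the NAS on UDP 3799 (the RFC 5176 default); a NAS that does not know the shared secret, or receives a request whose authenticator does not verify, silently discards it, which is why the session must be identified by attributes the NAS itself reported (User-Name, Calling-Station-Id, Acct-Session-Id) rather than by the IPS event alone.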
ClearPass Profiler Engine
• ClearPass collects as much information as possible to determine a device type
• Category, family, product name
• The fingerprint database is updated regularly
• Create your own fingerprints
• Store credentials for SNMP, SSH etc.
• Profiling at authentication or on demand
• Detection of IoT devices
Collection methods: DHCP, SNMP, SSH, TCP/WMI, CDP/LLDP, OnGuard, NMAP, MAC OUI, HTTP
ClearPass Profiler Engine: profiling on authentication, discover IoT (figure)
Before: lighting sensor and temperature sensor are both “unknown” – send to quarantine, profile, assign new policy
After: IoT discovered, appropriate policy assigned
ClearPass Profiler Engine: custom fingerprints / rules
OLD WAY: wait for new fingerprints to be made and/or manually override devices
NEW WAY: create your own fingerprints
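What the profiler slides describe, as an added example that is not ClearPass code: each collection method contributes attributes to an endpoint record, and a fingerprint database plus user-defined rules maps the merged attributes to category / family / product name. Re-running the classification when a new source arrives is what "profiling at authentication or on demand" means in practice, and a custom rule outranks the built-in database. The OUI table, the fingerprints and the sample observations are constructed for the example, not Aruba's database.

```python
"""Added example, not ClearPass code: a minimal profiler engine. OUI table,
fingerprints and observations are constructed, not Aruba's database."""
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    mac: str
    attrs: dict = field(default_factory=dict)  # merged observations, keyed by attribute name


@dataclass
class Fingerprint:
    category: str
    family: str
    product: str
    match: dict          # attribute name -> exact value or predicate
    priority: int = 10   # custom rules use a higher priority to override the built-in database


# Constructed OUI -> vendor table (the real registry is published by the IEEE).
OUI_VENDORS = {"a4:5e:60": "Apple", "00:17:88": "Philips", "b8:27:eb": "Raspberry Pi"}

# Constructed built-in fingerprint database. Option 55 is the DHCP parameter
# request list, one of the strongest passive fingerprints.
BUILTIN_DB = [
    Fingerprint("SmartDevice", "Apple", "iPhone",
                {"oui_vendor": "Apple", "dhcp_opt55": "1,121,3,6,15,119,252"}),
    Fingerprint("IoT", "Philips", "Hue Bridge",
                {"oui_vendor": "Philips", "dhcp_vendor_class": lambda v: v.startswith("Hue")}),
    Fingerprint("Computer", "Linux", "Raspberry Pi",
                {"oui_vendor": "Raspberry Pi", "http_user_agent": lambda v: "Linux" in v}),
]


def ingest_dhcp(ep, opt55, vendor_class=None):
    """DHCP collector: parameter request list (option 55) and optional vendor class (option 60)."""
    ep.attrs["dhcp_opt55"] = opt55
    if vendor_class:
        ep.attrs["dhcp_vendor_class"] = vendor_class


def ingest_http(ep, user_agent):
    """HTTP collector: User-Agent seen on a captive portal or a SPAN feed."""
    ep.attrs["http_user_agent"] = user_agent


def _oui_vendor(mac):
    return OUI_VENDORS.get(mac.lower().replace("-", ":")[:8], "Unknown")


def _matches(fp, attrs):
    for key, expected in fp.match.items():
        if key not in attrs:
            return False
        ok = expected(attrs[key]) if callable(expected) else attrs[key] == expected
        if not ok:
            return False
    return True


def profile(ep, custom_rules=()):
    """Classify an endpoint. Returns (category, family, product, matched_attributes).
    Custom rules are evaluated alongside the database; the highest-priority
    fingerprint wins, more specific rules (more attributes) break ties."""
    attrs = dict(ep.attrs, oui_vendor=_oui_vendor(ep.mac))
    hits = [fp for fp in list(custom_rules) + BUILTIN_DB if _matches(fp, attrs)]
    if not hits:
        return ("Unknown", "Unknown", "Unknown", 0)
    best = max(hits, key=lambda fp: (fp.priority, len(fp.match)))
    return (best.category, best.family, best.product, len(best.match))


if __name__ == "__main__":
    ep = Endpoint("A4-5E-60-12-34-56")
    print("at authentication (MAC only):", profile(ep))
    ingest_dhcp(ep, "1,121,3,6,15,119,252")
    print("after DHCP:", profile(ep))
```

With only the MAC address the endpoint stays "Unknown" (an OUI alone is too weak a signal, which is why the quarantine-then-profile flow on the previous slide exists); after the DHCP exchange the same endpoint resolves, and an operator rule for an in-house sensor overrides the generic database entry the same hardware would otherwise match.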
ClearPass Universal Profiler: standalone profiling engine
• Standalone profiling engine
• Wired and wireless networks
• Easily distributed for coverage and scalability
• New device visibility dashboard
• Reports
• Gain visibility of your network
• GA February 2017
DEMO: Profiling
ClearPass modules / workflows: OnGuard client health check
• Automated health check before access
• Wired / wireless: ensures posture compliance for laptops / computers
• Security: forces use of anti-virus / anti-spyware, firewalls, disk encryption …
• Remediation: manual or automatic
• Visibility: identifies poor behavior
• User notification: tells the user about failed checks
• Type: persistent service or dissolvable web checker
DEMO: OnGuard
ClearPass modules / workflows: secure guest login
• Flexible guest logins for any visitor
• Customizable splash pages
• Self-service workflows
• SMS authentication
• Sponsoring
• Social login
• Vouchers
• Predefined user / password
• MAC caching for repeat visitors
• Suitable for mobile devices
ClearPass modules / workflows: secure guest login look and feel (screenshots)
ClearPass modules / workflows: Onboard employee device
• BYOD: employees log in with personal devices
• User and IT friendly: one-time user registration, no IT intervention
• Security: IT-managed 802.1X and certificates
• Context: data added to the profile for adaptive policy and troubleshooting
• Self-managed: users can manage, delete and block their devices on their own
ClearPass modules / workflows: certificate distribution for BYOD (figure)
Enterprise PKI and CA (Active Directory, registration authority, validation authority, certificate authority) issues IT-managed devices a domain identity plus key and certificate
Built-in ClearPass CA issues personal devices a domain, user and device identity plus a key and a unique certificate
ClearPass modules / workflows: multi-factor authentication
• Additional authentication for Guest and Onboard workflows
• Multiple providers supported: SMS verification code; RSA Security; Duo; Zoom Facial Network; Kasada; more to come
DEMO: Onboard BYOD
Possible access concept, wireless (figure)
• Guests: SSID “open”, captive portal → internet only
• BYOD: SSID “secure”, 802.1X → Corp-PC: corp LAN; others: internet
• SSID “IoT”: PSK / MAC / profiling
Possible access concept, wired (figure)
• Guests: captive portal → internet only
• 802.1X → Corp-PC with certificate: corp LAN; others: internet
• MAC auth / profiling
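The two access concepts above and the earlier "authentication based on device context" slide come down to one rule set evaluated per session. The following is an added example, not ClearPass code: a context-based policy engine where guests, corporate 802.1X devices, BYOD devices and MAC-authenticated IoT end up in different roles and VLANs, and where the same SSID "secure" yields corp LAN or internet only depending on context (the point of the "remove SSID overload" slide). The rule set, role names, VLAN IDs and sample contexts are assumptions for the example.

```python
"""Added example, not ClearPass code: a context-based policy engine for the
access concepts on the slides. Rules, roles, VLAN IDs and contexts are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Context:
    medium: str                            # "wireless" or "wired"
    auth: str                              # "captive-portal", "eap-tls", "peap", "mac-auth", "psk"
    ssid: Optional[str] = None             # wireless only
    device_category: str = "Unknown"       # from the profiler: "Computer", "SmartDevice", "IoT", ...
    corporate_owned: bool = False          # machine certificate / domain membership
    mdm_compliant: Optional[bool] = None   # from EMM/MDM; None = no MDM record
    posture_ok: Optional[bool] = None      # from OnGuard; None = no agent
    user_group: Optional[str] = None       # from the identity store


@dataclass(frozen=True)
class Decision:
    role: str
    vlan: int
    reason: str


# Constructed enforcement profiles.
INTERNET_ONLY = Decision("internet-only", 200, "")
CORP_LAN = Decision("corp-lan", 100, "")
IOT = Decision("iot", 300, "")
QUARANTINE = Decision("quarantine", 999, "")
REMEDIATION = Decision("remediation", 998, "")
DENY = Decision("deny", 0, "")


def _with(reason, decision):
    return Decision(decision.role, decision.vlan, reason)


def evaluate(ctx):
    """First matching rule wins; the most specific rules come first."""
    # Guests: captive portal, wired or wireless, never beyond the internet.
    if ctx.auth == "captive-portal":
        return _with("guest via captive portal", INTERNET_ONLY)

    # 802.1X with a corporate device certificate: full access if posture is fine.
    if ctx.auth == "eap-tls" and ctx.corporate_owned:
        if ctx.posture_ok is False:
            return _with("corporate device failed the OnGuard health check", REMEDIATION)
        return _with("corporate device, certificate-based 802.1X", CORP_LAN)

    # 802.1X with user credentials only (BYOD): internet, unless MDM says non-compliant.
    if ctx.auth in ("eap-tls", "peap"):
        if ctx.mdm_compliant is False:
            return _with("BYOD device reported non-compliant by MDM", QUARANTINE)
        return _with("BYOD device, user 802.1X", INTERNET_ONLY)

    # MAC auth / PSK is only acceptable for profiled IoT on the IoT SSID or a wired port.
    if ctx.auth in ("mac-auth", "psk"):
        if ctx.medium == "wireless" and ctx.ssid != "IoT":
            return _with("PSK/MAC auth not allowed on this SSID", DENY)
        if ctx.device_category == "IoT":
            return _with("profiled IoT device", IOT)
        return _with("unknown device, quarantine until profiled", QUARANTINE)

    return _with("no matching rule", DENY)


if __name__ == "__main__":
    for ctx in (
        Context("wireless", "captive-portal", ssid="open"),
        Context("wireless", "eap-tls", ssid="secure", corporate_owned=True, posture_ok=True),
        Context("wireless", "peap", ssid="secure", device_category="SmartDevice", mdm_compliant=True),
        Context("wired", "mac-auth"),
    ):
        d = evaluate(ctx)
        print(f"{ctx.medium:8} {ctx.auth:14} -> {d.role:13} VLAN {d.vlan:3}  ({d.reason})")
```

Because the decision is re-evaluated whenever the context changes (a CoA after the profiler resolves a device, or after MDM reports it non-compliant), the "quarantine, profile, assign new policy" flow from the profiler slide falls out of the same rules without any per-group SSID.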
How to approach a NAC project: best practice and experience
• Know the devices on the network
  • What is there? Where are they? New ones?
  • Inventory, profiling
• Define use cases
  • Which stakeholder groups are there?
  • Processes, workflows, access
  • Simple and few: keep it simple
• Plan enough time for a proof of concept
  • Feed the experience from the PoC back in and adjust
• Implement step by step
  • Not everything at once
  • But in the end across the board
Thank you for your attention
Manuel Bitzi, Project Manager Network Engineering
manuel.bitzi@softec.ch
Apéro and networking
Thank you for your visit
SOFTEC AG, Industriestrasse 51, CH-6312 Steinhausen
kurt.christen@softec.ch, +41 41 747 07 60
ISB / NDB – Reporting and Analysis Centre for Information Assurance MELANI
Contents
• The Reporting and Analysis Centre for Information Assurance MELANI
• Current threat situation
Change in the threat situation
• 19th century (image: derstandard.at)
• 10 years ago (image: augsburger-allgemeine.de)
• Today (image: jdpower.com): more modern means; a networked population; too little security awareness
• Tomorrow (image: infosecisland.com)
At the root of (almost) all evil: social engineering
“Social engineering is the art of getting a person to do something that may be in their interest or may cause them harm.” Source: www.social-engineer.org
Public WLAN and guest access
Botnets
Botnets as THE means to an end
• Botnets underlie practically all criminal activity on the internet
Figure: bots, control server, botnet operator, web hosting provider; used for DDoS, spam, malware
This is how cheaply botnets can be rented
Product                    Price
Simple Windows bot         10 cents per bot and day
Bot with good bandwidth    $1 per bot and day
Custom-built               $40 per bot
Source: SWITCH-CERT
Denial of Service
Protonmail (figure: bots, control server, Armada Collective)
Black Monday 2016
Mirai botnet by «New World Hackers»
• Attack wave of 21.10.2016 (approx. 50,000–100,000 bots)
• Source code leaked → copycats
• Competition with «Bashlight» → mutual hijacking of bots
DDoS recommendations
Prevention
• Identify business-critical systems
• Define protective measures with your provider
Response
• «Sit it out»
• Never pay a ransom
• Report to MELANI / KOBIK; if appropriate, file a complaint against unknown persons with the cantonal police (KaPo)
CEO fraud
Fraud recommendations
• Issue clear instructions regarding payments
• Do not pass on internal information
• When in doubt, check with executive management
• Be careful even with mails from supposedly known persons
• Inform MELANI / KOBIK; if appropriate, file a criminal complaint against unknown persons with the cantonal police (KaPo)
Espionage
Espionage attack on the federal administration
Espionage: an example from Switzerland
Espionage recommendations
• Classify documents
• Enforce the rules for the different classifications
• Network monitoring for suspicious traffic
• Inform MELANI / KOBIK; if appropriate, file a criminal complaint against unknown persons with the cantonal police (KaPo)
Extortion (image: trustedwatch.de)
Encryption trojan «Locky» (1/2)
Encryption trojan «Locky» (2/2)
Encryption trojan recommendations
• Back up data regularly
• Disconnect the backup medium from the PC / network after the backup
• Check the quality of the backups from time to time
• Never pay a ransom
• Inform MELANI / KOBIK; if appropriate, file a criminal complaint against unknown persons with the cantonal police (KaPo)
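"Check the quality of the backups from time to time" is the recommendation most often skipped, because it needs a defined check rather than a glance at a file listing. The following is an added example, not from the MELANI slides: at backup time a manifest of SHA-256 hashes is written next to the backup, and a test restore is later verified against it, reporting missing, altered and extra files. A backup that an encryption trojan reached over a still-connected drive shows up as altered files plus a ransom note in "extra". The demo data is constructed in a temporary directory.

```python
"""Added example, not from the MELANI slides: manifest-based backup verification.
The demo data is constructed in a temporary directory."""
import hashlib
import json
import os
import tempfile

MANIFEST_NAME = "backup-manifest.json"


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> SHA-256 for every file under root (the manifest itself excluded)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == MANIFEST_NAME:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = _sha256(full)
    return manifest


def write_manifest(root):
    """Taken at backup time; keep a copy off the backup medium as well."""
    manifest = build_manifest(root)
    with open(os.path.join(root, MANIFEST_NAME), "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)
    return manifest


def verify_restore(restore_root, manifest):
    """Compare a restored tree with the manifest taken at backup time."""
    actual = build_manifest(restore_root)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "altered": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "extra": sorted(set(actual) - set(manifest)),
    }


def restore_is_good(report):
    return not report["missing"] and not report["altered"]


def run_demo():
    """Constructed scenario: back up two files, verify a clean restore, then tamper
    with one file, delete another and drop a ransom note, as an encryption trojan
    on a still-connected backup disk would, and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = os.path.join(tmp, "backup")
        os.makedirs(os.path.join(backup, "docs"))
        with open(os.path.join(backup, "docs", "report.txt"), "w") as f:
            f.write("quarterly figures\n")
        with open(os.path.join(backup, "notes.txt"), "w") as f:
            f.write("meeting notes\n")
        manifest = write_manifest(backup)

        clean = verify_restore(backup, manifest)

        with open(os.path.join(backup, "docs", "report.txt"), "w") as f:
            f.write("ENCRYPTED\n")
        os.remove(os.path.join(backup, "notes.txt"))
        with open(os.path.join(backup, "ransom-note.txt"), "w") as f:
            f.write("pay\n")
        tampered = verify_restore(backup, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = run_demo()
    print("clean restore ok:", restore_is_good(clean))
    print("tampered restore:", tampered)
```

The manifest only proves integrity against the state at backup time; it does not prove the backup was complete or that the applications can read the restored data, so the sporadic check should still include an actual restore into a test environment.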
Max Klaus, Deputy Head, Reporting and Analysis Centre for Information Assurance MELANI
Schwarztorstrasse 59, 3003 Bern
Thank you for your attention
Mobile-First Arubalsquos sichere Netzwerkarchitektur fuumlr die GenMobileJoumlrg Hofmann HPE Aruba
MOBILE-FIRST
Sichere Netzwerkarchitektur
fuumlr die GenMobile
People Move
Networks Must Follow
WHO ARE WE
Source Gartner Magic Quadrant for the Wired and Wireless LAN Access Infrastructure September 2015 Tim Zimmerman Bill Menezes Andrew Lerner ID Number
G00277052 This Magic Quadrant graphic was published by Gartner Inc as part of a larger research note and should be evaluated in the context of the entire report
The Gartner report is available upon request from HP The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period It depicts
Gartners analysis of how certain vendors measure against criteria for that marketplace as defined by Gartner Gartner does not endorse any vendor product or
service depicted in the Magic Quadrant and does not advise technology users to select only those vendors placed in the Leaders quadrant The Magic Quadrant is
intended solely as a research tool and is not meant to be a specific guide to action Gartner disclaims all warranties express or implied with respect to this research
including any warranties of merchantability or fitness for a particular purpose
ldquoClients globally should consider
Aruba for all wired and wireless
access layer opportunitiesrdquo
Gartner MQ for Wired and Wireless LAN
Access Infrastructure August 2016
Founded 2002 IPO 2007
HPErsquos IT Edge portfolio since June 2015
$24B+ annual revenue run rate
ldquoBiggest Small Companyrdquo
High touch business model
ldquoCustomer First Customer Lastrdquo
Home of 45K+ Mobility Engineers
Airheads Community
ENABLING GREAT
DIGITAL EXPERIENCES FOR GENMOBILE
70 SAY A MOBILE DEVICE MAKES THEM MORE
PRODUCTIVE AT WORK
By 2018 60 of users in mature markets will own and use more
than 3 personal devices
50 of enterprises will allow employees to supply their own
devices by 2017
Forrester ndash CIOs Must Empower the Digital Workplace
Forrester ndash The State of Enterprise Worker Mobility
Gartner ndash The Role of the Desktop in Our Multi-Device World
BY 2020 50 OF THE GLOBAL WORKFORCE WILL BE MILLENNIALS
Millennials believe their personal technology is more
effective at work
63 of millennials work for a company that offers a flexible
work environment
Trends 2016 ndash Code Conference Mary Meeker Annual Presentation
Gartner ndash Millennial Digital Workers Really Are Different From Their Elders
LESS THAN 50 OF EMPLOYEES ARE
SATISFIED WITH TECH THEY HAVE AT WORK
Employees want an environment where they can access and use the technology hey need to do
their best work
Enterprises need to think how untethered employees can move
easily and seamlessly from personal workspace to huddle
area to open areas
Trends 2016 ndash Code Conference Mary Meeker Annual Presentation
Gartner ndash Millennial Digital Workers Really Are Different From Their Elders
80+ NEW IOT PROJECTS TO BE DEPLOYED WITH WIRELESS NETWORK ARCHITECTURE
Installed base of IoTendpoints will grow from
121B in lsquo15 to 30B+ in lsquo20
WLAN will become IoTconnectivity method of choice for many organizations and choosing
the wrong wireless tech can hinder the value of IoT
IDC ndash Planscape Optimizing the WLAN for IoT
IDC ndash Worldwide Internet of Things Forecast Update 2016-2020
THE PERFECT STORM
MOBILE IoT and CLOUD
ldquoOLD STYLErdquo IT INFRASTRUCTURE
Gen Y
ldquoNEW STYLErdquo IT INFRASTRUCTURE
GenMobile
OUR APPROACH
LegacySeparate architectures
Port VLAN aware
Proprietary systems
Mobile FirstSingle set of infrastructure
Insightful context-rich
Developer ready
REQUIREMENTS
FOR IT ORGANIZATIONS
Scale network ops
across wireless and
wired infrastructure
Enable high
quality experience
on mobile UC
Stay compliant
while embracing
BYOD and IoT
Deliver apps to
remote locations
in a heartbeat
Improve workplace
productivity and
influence revenue
growth
EASY TO CONSUME DEVELOPER READY INFRASTRUCTURE
INNOVATION AT THE SPEED OF THE ECOSYSTEM ndash NOT A SINGLE VENDOR
Aruba infrastructure
Wi-Fi BLE Wired WAN
Aruba Mobile First Platform
x
Micro-location
services
Cloud
networking
Location
analytics
Policy
management
Network
managementNetwork
controls
IT services
Business and user facing applications
EMPLOYEE
EXPERIENCE
0900
ENROLL
MOBILE DEVICE
1100
PRIVILEGED ACCESS
WITH MULTI-FACTOR
AUTHENTICATION
1300
BOOK
MEETING ROOM
OPERATIONAL
EXPERIENCE
0930
UNDERSTAND
APP USAGE
Aruba AppRF
1530
MONITOR HEALTH
OF THE SMART
BUILDING
IT EXPERIENCE
1100
PREDICT
DONrsquoT JUST
TROUBLESHOOT
Aruba Clarity
1330
UNDERSTAND
DONrsquoT JUST
MONITOR
ONCE BYOD AND IoT
ARE ON YOUR
NETWORK hellip
SECURING THE
PERIMETER IS NO
LONGER ENOUGH
STAY COMPLIANT
WHILE EMBRACING BYOD AND IOT
Auto-classify unknown devices
on any network with Aruba ClearPass
Automate onboarding of each device
to the network and enforce policy
Detect amp eliminate threats
with ClearPass Exchange partners
SOFTWARE CONTROLS FOR
NETWORK ACCESS SECURITY
Internet of
Things (IoT)
BYOD and
corporate owned
REST
API
Security monitoring
and threat prevention
Device management and
multi-factor authentication
Helpdesk and voiceSMS
service in the cloud
Multi-vendor
switching
Multi-vendor
WLANs
Aruba ClearPass with
Exchange Ecosystem
SOFTWARE CONTROLS FOR ldquoCOLORLESSrdquo PORTS
Device and
user identity
stores
Ports assigned to new
VLANs through ClearPass
based on device type
IoT devices on the
wired network
connecting to any portPrevention against malware
and insider threats
Secure per device
tunneling to Aruba
Mobility Controller
Aruba
switches
LEADING
SWISS
BRANDS
TRUST
US
Pause
Aruba ClearPass ndash Die Loumlsung fuumlr einen sicheren NetzwerkzugangManuel Bitzi SOFTEC AG
Evolution of Access Management and Control
Desktops amp Wired
Basic AAA with UserPort
Control
Windows Vulnerabilities
Perimeter security via
platform silos
High touch IT model
Mobile Devices BYOD amp
Wireless
Multi-factor policy control with
visibility
Multiple Attack Vectors
Cooperative trust via
context sharing
Self Service automated
process
YESTERDAY TODAY
Time For A New Mobility Defense Model
Static Perimeter Defense
IDSIPS
Firewalls
Adaptive Trust Defense
Perimeter
Defense
Physical
Components
AntiVirus
Security and Policy
for each user or
group
Web
gateways
Was sind die Hauptgruumlnde fuumlr ein NAC
AuthentifizierungZugriffsschutz
Automatische Konfiguration
Workflows
VisibilitaumltNachvollziehbarkeit
Top IT NAC Business Drivers
Authentication and Authorization
NAC Services Deployment
Architecture and Coverage
bull Provide secure wired
and wireless access
bull Enhance mobile and
cloud app access
bull Use of certificates
Deployment Services
bull Offer differentiated
access (IT-owned
BYOD IoT)
bull Deliver managed
and reliable guest
access
bull Provide consistent
privileges regardless
of location
bull Leverage 3rd-party
security solutions
bull IT-controlled access
bull Automate workflows
bull Simplicity
bull Possible User-
intervention
ClearPass Policy Manager and NAC Solution
Onboard Guest
Built-inbull Policy Enginebull RADIUSCoATACACSbull Profilingbull Accountingreportsbull Identity store
Expandable Applications
Remote Location
bull BYOD onboardingbull Simple guest accessbull Health assessments
OnGuard
Whatrsquos Inside
VISIBILITY
Device Profiling
Troubleshooting
Per Session Tracking
WORKFLOW
Onboarding and
Self-Registration
Guest Management
MDMEMM Integration
RULES
Context based
Device
Posture Checks
Built-in Certificate
Authority
Authentication based on Device Context
Device
Profiling
bull Samsung SM-G900
bull Android
bull ldquoJons-Galaxyrdquo
EMMMDMOnGuard
bull Personal owned
bull Registered
bull OS up-to-date
bull Hansen Jon [Sales]
bull MDM enabled = true
bull In-compliance = true
Identity
Stores
Network Devices
bull Hansen Jon [Sales]
bull Title ndash COO
bull Dept ndash Executive office
bull City ndash London
bull Location ndash Bldg 10
bull Floor ndash 3
bull Bandwidth ndash 10Mbps
Value of a Policy EngineRemove SSID Overload
NEW WAY Simplify separate traffic dynamically
by context
OLD WAY Separate access amp
traffic by SSIDs
ClearPass ExchangeEnd-to-End Control Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voiceSMSservice in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST APISQL
XMLHTTP LDAP
RADIUSTACACS
Traffic control ampthreat prevention
ClearPass Exchange ExampleExtensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
Devices profiled2 ClearPass checks McAfee ePO for endpoint status
3
ClearPass enforcesaccess privileges4
Devices establish connections1
ClearPass Exchange ExampleBi-directional Exchange ndash FirewallIPS Event
FirewallIPSSIEMetchellip
user connects and uploads threat
sends event to ClearPass
informs infrastructure
1 2
4
detects and blocks event
3isolates user5
notifies user opens service ticket notify third-party devices6
ClearPass Profiler Engine
bull ClearPass sammelt so viele Informationen wie moumlglich um einen Geraumltetyp zu bestimmen
bull Category Family Product Name
bull Fingerprint-Datenbank wird regelmaumlssig aktualisiert
bull Eigene Fingerprints erstellen
bull Credentials fuumlr SMNP SSH etc hinterlegen
bull Profiling bei Authentifizierung oder nach Bedarf
bull Erkennen von IoT Devices
DHCP
SNMP
SSH
TCPWMI
CDP LLDP
OnGuard
NMAP
Mac OUI
HTTP
ClearPass Profiler EngineProfiling on authentication discover IoT
AfterBefore
Lighting Sensorunknown
unknown Temperature Sensor
send to
quarantineprofiling assign
new policy
discover IoT assign appropriated policy
ClearPass Profiler EngineCustom Fingerprints Rules
NEW WAY Create your own
Fingerprints
OLD WAY Wait for new Fingerprints to be made andor manually override
devices 11
ClearPass Universal ProfilerStandalone Profiling Engine
bull Standalone profiling engine
bull Wired and wireless networks
bull Easily distributed for coverage
and scalability
bull New device visibility dashboard
bull Reports
bull Gain Visibility of your Network
bull GA February 2017
ClearPass Universal Profiler
DEMO Profiling
Clearpass Modules WorkflowsOnGuard Client Health Check
bull Automated Healthcheck before Access
bull WiredWireless Ensures posture compliance for laptopscomputers
bull Security Forces use of Anti-VirusAnti-Spyware firewalls disk encryptionhellip
bull Remediation Manual or auto
bull Visibility Identifies poor behavior
bull User Notification Tells User about failed checks
bull Type Service or dissolvable Web Checker
DEMO OnGuard
Clearpass Modules WorkflowsSecure Guest Login
bull Flexible Guest Logins for Any Visitor
bull Customizable Splash Pages
bull Self-Service Workflows
bull SMS Authentication
bull Sponsoring
bull Social Login
bull Vouchers
bull Predefined UserPassword
bull MAC Caching for repeat visitors
bull Suitable for Mobile Devices
Clearpass Modules WorkflowsSecure Guest Login Look and Feel
Clearpass Modules WorkflowsOnBoard Employee Device
bull BYOD Employees Login with Personal Devices
bull User and IT friendly One time user registration no IT intervention
bull Security IT managed 8021X and Certificates
bull Context Data added to profile for adaptive policy and troubleshooting
bull Selfmanaged User can manage delete and block devices by their own
Clearpass Modules WorkflowsCertificate Distribution for BYOD
bull Domain
bull Key amp
Certificate
Enterprise PKI and CA Built-in ClearPass CA
Certificate
Authority
Validation
Authority
Registration
Authority
Active
Directory
IT-Managed
Devices
bull Domain
bull User
bull Device
bull Key amp Unique
Certificate
Personal
Devices
CA
Certificate
Authority
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Veraumlnderung der Bedrohungslage
19 Jahrhundert
derstandardat
Vor 10 Jahren
augsburgerallgemeinede
heute
jdpowercom
bull Modernere Mittel
bull Vernetzte Bevoumllkerung
bull Zu geringes Sicherheitsbewusstsein
morgen
infosecislandcom
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Am Anfang (fast) allen UumlbelsSocial Engineering
ldquoSocial Engineering ist die Kunst eine Person zu einer Tat zu bewegen die in ihrem Interesse sein
kann oder die ihr Schaden zufuumlgen kannrdquo Quelle wwwsocial-engineerorg
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Oumlffentliche WLAN und Gastzugaumlnge
Titel Datum AutorIn 18
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Botnetze
webreadersdewp-contentuploads200801botnetzjpg
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Botnetze als DAS Mittel zumZweck
bull Botnetze liegen praktisch allen kriminellen Aktivitaumlten im
Bereich des Internets zu Grunde
wwwanbieter
Bots
Kontrollserver
Botnetzbetreiber
DDoS
Spam
Malware
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Produkt Preis
Einfacher Windows Bot 10 Cents BotampTag
Bot mit guter Bandbreite 1$ BotampTag
Spezialanfertigung 40$ Bot
Quelle SWITCH-CERT
So billig sind Botnetze zu mieten
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Denial of Service
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Protonmail
Bots
Kontrollserver Armada Collective
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Protonmail
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Der schwarze Montag 2016
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Mirai Botnet by laquoNew World Hackersraquobull Angriffswelle vom 21102016 (ca
50rsquo000 ndash 100rsquo000 Bots)
bull Source Code geleakt
Trittbrettfahrer
bull Konkurrenz zu laquoBashlightraquo
gegenseitiges Kapern
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
DDos Empfehlungen
Praumlvention
bull Businesskritische Systeme identifizieren
bull Schutzmassnahmen mit Provider definieren
Reaktion
bull laquoAussitzenraquo
bull Keinesfalls Loumlsegeld bezahlen
bull Meldung an MELANIKOBIK allenfalls Anzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
CEO Fraud
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
CEO Fraud
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Betrug Empfehlungen
bull Klare Weisungen bezuumlglich Zahlungen erteilen
bull Keine internen Informationen weitergeben
bull Im Zweifelsfall bei der GL nachfragen
bull Vorsicht auch bei Mails von vermeintlich bekannten Personen
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionageangriff auf BV
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage Beispiel aus der Schweiz
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage Empfehlungen
bull Klassifizierung von Dokumenten
bull Regeln fuumlr die verschiedenen Klassfizierungen durchsetzen
bull Netzwerkmonitoring betr verdaumlchtigem Datenverkehr
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Erpressung
httpwwwtrustedwatchde
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner laquoLockyraquo (12)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner laquoLockyraquo (22)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner Empfehlungen
bull Regelmaumlssige Datensicherung
bull Datentraumlger nach Backup vom PC Netz trennen
bull Qualitaumlt der Backups sporadisch uumlberpruumlfen
bull Keinesfalls Loumlsegeld bezahlen
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Max KlausStv Leiter Melde- und Analysestelle
Informationssicherung MELANI
Schwarztorstrasse 59
3003 Bern
Herzlichen Dank fuumlr Ihre Aufmerksamkeit
Mobile-First Arubalsquos sichere Netzwerkarchitektur fuumlr die GenMobileJoumlrg Hofmann HPE Aruba
MOBILE-FIRST
Sichere Netzwerkarchitektur
fuumlr die GenMobile
People Move
Networks Must Follow
WHO ARE WE
Source: Gartner, Magic Quadrant for the Wired and Wireless LAN Access Infrastructure, September 2015, Tim Zimmerman, Bill Menezes, Andrew Lerner, ID Number G00277052. This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from HP. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
"Clients globally should consider Aruba for all wired and wireless access layer opportunities."
Gartner MQ for Wired and Wireless LAN Access Infrastructure, August 2016
Founded 2002, IPO 2007
HPE's IT Edge portfolio since June 2015
$2.4B+ annual revenue run rate
"Biggest Small Company"
High-touch business model
"Customer First, Customer Last"
Home of 45K+ Mobility Engineers: Airheads Community
ENABLING GREAT DIGITAL EXPERIENCES FOR GENMOBILE
70% SAY A MOBILE DEVICE MAKES THEM MORE PRODUCTIVE AT WORK
By 2018, 60% of users in mature markets will own and use more than 3 personal devices.
50% of enterprises will allow employees to supply their own devices by 2017.
Sources: Forrester, CIOs Must Empower the Digital Workplace; Forrester, The State of Enterprise Worker Mobility; Gartner, The Role of the Desktop in Our Multi-Device World
BY 2020, 50% OF THE GLOBAL WORKFORCE WILL BE MILLENNIALS
Millennials believe their personal technology is more effective at work.
63% of millennials work for a company that offers a flexible work environment.
Sources: Trends 2016, Code Conference, Mary Meeker Annual Presentation; Gartner, Millennial Digital Workers Really Are Different From Their Elders
LESS THAN 50% OF EMPLOYEES ARE SATISFIED WITH THE TECH THEY HAVE AT WORK
Employees want an environment where they can access and use the technology they need to do their best work.
Enterprises need to think about how untethered employees can move easily and seamlessly from personal workspace to huddle area to open areas.
Sources: Trends 2016, Code Conference, Mary Meeker Annual Presentation; Gartner, Millennial Digital Workers Really Are Different From Their Elders
80%+ NEW IOT PROJECTS TO BE DEPLOYED WITH WIRELESS NETWORK ARCHITECTURE
Installed base of IoT endpoints will grow from 12.1B in '15 to 30B+ in '20.
WLAN will become the IoT connectivity method of choice for many organizations, and choosing the wrong wireless tech can hinder the value of IoT.
Sources: IDC, Planscape: Optimizing the WLAN for IoT; IDC, Worldwide Internet of Things Forecast Update 2016-2020
THE PERFECT STORM: MOBILE, IoT and CLOUD
"OLD STYLE" IT INFRASTRUCTURE: Gen Y
"NEW STYLE" IT INFRASTRUCTURE: GenMobile
OUR APPROACH
Legacy: separate architectures; port/VLAN aware; proprietary systems
Mobile First: single set of infrastructure; insightful, context-rich; developer ready
REQUIREMENTS FOR IT ORGANIZATIONS
• Scale network ops across wireless and wired infrastructure
• Enable a high-quality experience on mobile UC
• Stay compliant while embracing BYOD and IoT
• Deliver apps to remote locations in a heartbeat
• Improve workplace productivity and influence revenue growth
EASY TO CONSUME, DEVELOPER READY INFRASTRUCTURE
INNOVATION AT THE SPEED OF THE ECOSYSTEM, NOT A SINGLE VENDOR
Aruba infrastructure: Wi-Fi, BLE, Wired, WAN
Aruba Mobile First Platform: micro-location services, cloud networking, location analytics, policy management, network management, network controls
IT services
Business and user facing applications
EMPLOYEE EXPERIENCE
09:00 Enroll mobile device
11:00 Privileged access with multi-factor authentication
13:00 Book meeting room
OPERATIONAL EXPERIENCE
09:30 Understand app usage (Aruba AppRF)
15:30 Monitor health of the smart building
IT EXPERIENCE
11:00 Predict, don't just troubleshoot (Aruba Clarity)
13:30 Understand, don't just monitor
ONCE BYOD AND IoT ARE ON YOUR NETWORK ... SECURING THE PERIMETER IS NO LONGER ENOUGH
STAY COMPLIANT WHILE EMBRACING BYOD AND IOT
• Auto-classify unknown devices on any network with Aruba ClearPass
• Automate onboarding of each device to the network and enforce policy
• Detect & eliminate threats with ClearPass Exchange partners
SOFTWARE CONTROLS FOR NETWORK ACCESS SECURITY
Aruba ClearPass with Exchange Ecosystem (REST API)
Endpoints: Internet of Things (IoT); BYOD and corporate owned
Infrastructure: multi-vendor switching; multi-vendor WLANs
Exchange partners: security monitoring and threat prevention; device management and multi-factor authentication; helpdesk and voice/SMS service in the cloud
SOFTWARE CONTROLS FOR "COLORLESS" PORTS
• Device and user identity stores
• Ports assigned to new VLANs through ClearPass based on device type
• IoT devices on the wired network connecting to any port
• Prevention against malware and insider threats
• Secure per-device tunneling to Aruba Mobility Controller
• Aruba switches
LEADING SWISS BRANDS TRUST US
Break
Aruba ClearPass: the solution for secure network access (Manuel Bitzi, SOFTEC AG)
Evolution of Access Management and Control
YESTERDAY: desktops & wired
• Basic AAA with user/port control
• Windows vulnerabilities
• Perimeter security via platform silos
• High-touch IT model
TODAY: mobile devices, BYOD & wireless
• Multi-factor policy control with visibility
• Multiple attack vectors
• Cooperative trust via context sharing
• Self-service, automated process
Time For A New Mobility Defense Model
Static Perimeter Defense: IDS/IPS, firewalls, antivirus, web gateways (perimeter defense built from physical components)
Adaptive Trust Defense: security and policy for each user or group
What are the main reasons for a NAC?
• Authentication / access protection
• Automatic configuration
• Workflows
• Visibility / traceability
Top IT NAC Business Drivers
Authentication and Authorization
• Provide secure wired and wireless access
• Enhance mobile and cloud app access
• Use of certificates
NAC Services Deployment (Deployment Services)
• Offer differentiated access (IT-owned, BYOD, IoT)
• Deliver managed and reliable guest access
• Provide consistent privileges regardless of location
Architecture and Coverage
• Leverage 3rd-party security solutions
• IT-controlled access
• Automate workflows
• Simplicity
• Possible user intervention
ClearPass Policy Manager and NAC Solution
Built-in: • Policy Engine • RADIUS / CoA / TACACS • Profiling • Accounting / reports • Identity store
Expandable Applications (Onboard, Guest, OnGuard): • BYOD onboarding • Simple guest access • Health assessments
Remote Location
What's Inside
VISIBILITY: device profiling, troubleshooting, per-session tracking
WORKFLOW: onboarding and self-registration, guest management, MDM/EMM integration
RULES: context based, device posture checks, built-in Certificate Authority
Authentication based on Device Context
Device Profiling
• Samsung SM-G900
• Android
• "Jons-Galaxy"
EMM / MDM / OnGuard
• Personally owned
• Registered
• OS up-to-date
• Hansen, Jon [Sales]
• MDM enabled = true
• In-compliance = true
Identity Stores / Network Devices
• Hansen, Jon [Sales]
• Title: COO
• Dept: Executive office
• City: London
• Location: Bldg 10
• Floor: 3
• Bandwidth: 10 Mbps
Value of a Policy Engine: Remove SSID Overload
OLD WAY: separate access & traffic by SSIDs
NEW WAY: simplify; separate traffic dynamically by context
ClearPass Exchange: End-to-End Control, Information and Visibility
Multi-vendor infrastructure
Device management and multi-factor authentication
Helpdesk and voice/SMS service in the cloud
Combine identity information
Standard protocols for custom extensions: REST API, SQL, XML/HTTP, LDAP, RADIUS, TACACS
Traffic control & threat prevention
ClearPass Exchange Example: Extensions for Intel Security / McAfee ePO
Components: corporate owned and IoT; BYOD and corporate owned; multi-vendor switching; multi-vendor WLAN; McAfee ePO
1. Devices establish connections
2. Devices are profiled
3. ClearPass checks McAfee ePO for endpoint status
4. ClearPass enforces access privileges
ClearPass Exchange Example: Bi-directional Exchange, Firewall/IPS Event
Components: firewall / IPS / SIEM etc.
1. User connects and uploads a threat
2. Firewall/IPS detects and blocks the event
3. Sends the event to ClearPass
4. ClearPass informs the infrastructure
5. User is isolated
6. Notifies the user, opens a service ticket, notifies third-party devices
ClearPass Profiler Engine
• ClearPass collects as much information as possible to determine the device type
• Category, Family, Product Name
• The fingerprint database is updated regularly
• Create your own fingerprints
• Store credentials for SNMP, SSH etc.
• Profiling at authentication time or on demand
• Detection of IoT devices
Collection methods: DHCP, SNMP, SSH, TCP / WMI, CDP / LLDP, OnGuard, NMAP, MAC OUI, HTTP
ClearPass Profiler Engine: Profiling on authentication, discover IoT
Before: unknown, unknown
After: Lighting Sensor, Temperature Sensor
Unknown device: send to quarantine, profile, assign new policy
Discover IoT, assign the appropriate policy
ClearPass Profiler Engine: Custom Fingerprints / Rules
OLD WAY: wait for new fingerprints to be made and/or manually override devices 1:1
NEW WAY: create your own fingerprints
ClearPass Universal Profiler: Standalone Profiling Engine
• Standalone profiling engine
• Wired and wireless networks
• Easily distributed for coverage and scalability
• New device visibility dashboard
• Reports
• Gain visibility of your network
• GA February 2017
ClearPass Universal Profiler
DEMO: Profiling
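To make the profiler slides concrete, here is an added example (not ClearPass code) of a toy profiler engine: it combines three of the collection methods listed above (MAC OUI, DHCP fingerprint, HTTP User-Agent), keeps built-in and admin-created ("custom") fingerprints in one database, and shows the before/after behaviour where an endpoint that matches no fingerprint is held in quarantine until enough attributes have been collected. All OUIs, DHCP option lists, vendor names and sample endpoints are constructed for illustration.

```python
"""Toy device profiler: built-in + custom fingerprints, quarantine for unknowns.
Added example, not ClearPass code; all fingerprints and endpoints are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple, List


@dataclass(frozen=True)
class Profile:
    category: str    # Category / Family / Product Name, as on the slide
    family: str
    product: str


@dataclass
class Endpoint:
    mac: str
    dhcp_option55: Tuple[int, ...] = ()   # DHCP parameter request list (option 55)
    dhcp_vendor_class: str = ""           # DHCP vendor class identifier (option 60)
    http_user_agent: str = ""             # seen via HTTP if the device browsed

    def oui(self) -> str:
        """First three octets of the MAC, normalised to AA:BB:CC."""
        return self.mac.upper().replace("-", ":")[:8]


@dataclass
class Fingerprint:
    name: str
    profile: Profile
    oui: Optional[str] = None
    option55: Optional[Tuple[int, ...]] = None
    vendor_class_contains: Optional[str] = None
    ua_contains: Optional[str] = None
    custom: bool = False   # admin-created ("create your own fingerprints")

    def conditions(self) -> list:
        return [c for c in (self.oui, self.option55,
                            self.vendor_class_contains, self.ua_contains) if c is not None]

    def matches(self, ep: Endpoint) -> bool:
        """All conditions present on the fingerprint must hold for the endpoint."""
        if self.oui is not None and ep.oui() != self.oui:
            return False
        if self.option55 is not None and ep.dhcp_option55 != self.option55:
            return False
        if self.vendor_class_contains is not None and \
                self.vendor_class_contains not in ep.dhcp_vendor_class:
            return False
        if self.ua_contains is not None and self.ua_contains not in ep.http_user_agent:
            return False
        return bool(self.conditions())


# Constructed fingerprint database: two "built-in" rules and two custom ones.
FINGERPRINTS: List[Fingerprint] = [
    Fingerprint("Samsung Galaxy (Android)", Profile("SmartDevice", "Android", "Samsung SM-G900"),
                oui="DE:AD:BE", ua_contains="SM-G900"),
    Fingerprint("Generic Android", Profile("SmartDevice", "Android", "Android device"),
                ua_contains="Android"),
    Fingerprint("ExampleCo lighting sensor", Profile("IoT", "Lighting Sensor", "ExampleCo LightCtl"),
                oui="AA:BB:CC", vendor_class_contains="LightCtl", custom=True),
    Fingerprint("ExampleCo temperature sensor", Profile("IoT", "Temperature Sensor", "ExampleCo TempSense"),
                oui="AA:BB:CC", option55=(1, 3, 6, 12, 42), custom=True),
]


def profile_endpoint(ep: Endpoint, db: List[Fingerprint] = FINGERPRINTS) -> Optional[Profile]:
    """Best matching profile, or None if the device stays unknown.
    Custom fingerprints beat built-in ones; among equals the most specific wins."""
    hits = [fp for fp in db if fp.matches(ep)]
    if not hits:
        return None
    best = max(hits, key=lambda fp: (fp.custom, len(fp.conditions())))
    return best.profile


def policy_for(profile: Optional[Profile]) -> str:
    """Map a profile to an enforcement policy, as in the before/after slide."""
    if profile is None:
        return "quarantine"   # unknown: isolate and keep collecting attributes
    if profile.category == "IoT":
        return "iot-" + profile.family.lower().replace(" ", "-")
    return "byod"


def profile_over_time(mac: str, observations: List[dict]) -> List[str]:
    """Re-profile one endpoint as attributes arrive (MAC at auth time, then DHCP, HTTP ...)."""
    ep = Endpoint(mac)
    history = []
    for attrs in observations:
        for key, value in attrs.items():
            setattr(ep, key, value)
        history.append(policy_for(profile_endpoint(ep)))
    return history
```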
ClearPass Modules / Workflows: OnGuard Client Health Check
• Automated health check before access
• Wired / wireless: ensures posture compliance for laptops / computers
• Security: forces use of anti-virus / anti-spyware, firewalls, disk encryption ...
• Remediation: manual or automatic
• Visibility: identifies poor behavior
• User notification: tells the user about failed checks
• Type: service or dissolvable web checker
DEMO: OnGuard
ClearPass Modules / Workflows: Secure Guest Login
• Flexible guest logins for any visitor
• Customizable splash pages
• Self-service workflows
• SMS authentication
• Sponsoring
• Social login
• Vouchers
• Predefined user / password
• MAC caching for repeat visitors
• Suitable for mobile devices
ClearPass Modules / Workflows: Secure Guest Login, Look and Feel
ClearPass Modules / Workflows: OnBoard Employee Device
• BYOD: employees log in with personal devices
• User and IT friendly: one-time user registration, no IT intervention
• Security: IT-managed 802.1X and certificates
• Context: data added to the profile for adaptive policy and troubleshooting
• Self-managed: users can manage, delete and block their devices themselves
ClearPass Modules / Workflows: Certificate Distribution for BYOD
Enterprise PKI and CA: Certificate Authority (CA), Validation Authority (VA), Registration Authority (RA), Active Directory (AD)
IT-managed devices: • Domain • Key & certificate
Built-in ClearPass CA: Certificate Authority
Personal devices: • Domain • User • Device • Key & unique certificate
AD / RA / VA / CA
ClearPass Modules / Workflows: Multi-Factor Authentication
• Additional authentication for Guest and Onboard workflows
• Multiple options supported:
  • SMS verification code
  • RSA Security
  • Duo
  • Zoom Facial Network
  • Kasada
  • More to come
DEMO: OnBoard BYOD
Possible access concept: wireless
Guests: SSID "open" with captive portal
BYOD: SSID "secure" with 802.1X (dot1x); Corp-PC vs. others
IoT: SSID "IoT" with PSK / MAC / profiling
Target networks: Internet only, Corp LAN, Internet
Possible access concept: wired
Guests: captive portal
802.1X (dot1x), MAC auth, profiling
Corp-PC (certificate) vs. others
Target networks: Internet only, Corp LAN, Internet
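The "authentication based on device context", "remove SSID overload", Exchange firewall/IPS, OnGuard health check and access-concept slides all describe one mechanism: the same SSID or port carries guests, corporate PCs, BYOD phones and IoT devices, and the enforcement is derived from context rather than from the SSID. The following added example (not ClearPass code) is a small policy engine that makes those decisions; the attribute names, roles, segments, bandwidth values and sample sessions are constructed, with only Jon Hansen's attributes taken from the slide.

```python
"""Context-based NAC policy engine: one SSID, enforcement chosen by context.
Added example, not ClearPass code; roles, segments and sessions are constructed."""
from dataclasses import dataclass, field
from typing import Optional, Dict


@dataclass
class Session:
    auth: str                      # "captive-portal", "dot1x-cert", "dot1x-user", "psk", "mac-auth"
    ssid_or_port: str
    device_category: Optional[str] = None  # from the profiler: "Computer", "SmartDevice", "IoT", None
    owned_by: str = "unknown"              # "corporate" or "personal"
    emm: Dict[str, bool] = field(default_factory=dict)      # MDM enabled / in-compliance
    posture: Dict[str, bool] = field(default_factory=dict)  # OnGuard checks
    identity: Dict[str, str] = field(default_factory=dict)  # from the identity store
    threat_event: Optional[str] = None     # set by a firewall/IPS/SIEM via Exchange


@dataclass(frozen=True)
class Enforcement:
    role: str
    segment: str                   # "corp-lan", "internet", "internet-only", "iot", "quarantine"
    bandwidth_mbps: Optional[int] = None
    reason: str = ""


# Posture checks the slide names for OnGuard: anti-virus, firewall, disk encryption.
REQUIRED_POSTURE = ("antivirus", "firewall", "disk_encryption")


def posture_ok(s: Session) -> bool:
    return all(s.posture.get(check, False) for check in REQUIRED_POSTURE)


def decide(s: Session) -> Enforcement:
    # 1. A threat event reported by an Exchange partner overrides every other rule.
    if s.threat_event:
        return Enforcement("quarantine", "quarantine", reason="threat event: " + s.threat_event)
    # 2. Guests: captive portal, Internet only, whatever device they bring.
    if s.auth == "captive-portal":
        return Enforcement("guest", "internet-only", bandwidth_mbps=5, reason="guest via captive portal")
    # 3. Corp-PC: certificate-based 802.1X plus a passed OnGuard health check.
    if s.auth == "dot1x-cert" and s.owned_by == "corporate":
        if posture_ok(s):
            return Enforcement("corp", "corp-lan", reason="corporate device, posture compliant")
        failed = [c for c in REQUIRED_POSTURE if not s.posture.get(c, False)]
        return Enforcement("remediation", "quarantine", reason="posture failed: " + ", ".join(failed))
    # 4. BYOD on the same SSID: personal device, must be MDM-enrolled and in compliance.
    if s.auth in ("dot1x-user", "dot1x-cert") and s.owned_by == "personal":
        if s.emm.get("mdm_enabled") and s.emm.get("in_compliance"):
            bw = 10 if s.identity.get("dept") == "Sales" else 20   # constructed per-group limit
            return Enforcement("byod", "internet", bandwidth_mbps=bw, reason="BYOD, MDM compliant")
        return Enforcement("quarantine", "quarantine", reason="BYOD not enrolled or not compliant")
    # 5. IoT: PSK or MAC auth, admitted only once the profiler knows the device type.
    if s.auth in ("psk", "mac-auth"):
        if s.device_category == "IoT":
            return Enforcement("iot", "iot", bandwidth_mbps=1, reason="profiled IoT device")
        return Enforcement("quarantine", "quarantine", reason="unknown device, profiling")
    return Enforcement("quarantine", "quarantine", reason="no matching rule")


def on_threat_event(s: Session, event: str) -> Enforcement:
    """The firewall/IPS -> ClearPass path: mark the session and re-evaluate it.
    In a real deployment the new enforcement is pushed to the switch/controller with a RADIUS CoA."""
    s.threat_event = event
    return decide(s)


# Two constructed sessions on the same SSID "secure": context, not SSID, decides.
JON = Session("dot1x-user", "secure", "SmartDevice", "personal",
              emm={"mdm_enabled": True, "in_compliance": True},
              identity={"name": "Hansen, Jon", "dept": "Sales"})
CORP_PC = Session("dot1x-cert", "secure", "Computer", "corporate",
                  posture={"antivirus": True, "firewall": True, "disk_encryption": True})

if __name__ == "__main__":
    for label, s in (("Jon's Galaxy", JON), ("Corp-PC", CORP_PC)):
        print(label, decide(s))
```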
How to approach a NAC project: best practice and experience
• Know the devices on the network
  • What is there? Where is it? What is new?
  • Inventory, profiling
• Define use cases
  • Which stakeholder groups are there?
  • Workflows, processes, access
  • Simple and few: keep it simple
• Plan enough time for a proof of concept
• Incorporate the experience from the PoC and adapt
• Implement step by step
  • Not everything at once
  • But in the end across the whole network
Thank you for your attention
Manuel Bitzi, Project Manager Network Engineering
manuel.bitzi@softec.ch
Apéro and networking
Thank you for your visit
SOFTEC AG, Industriestrasse 51, CH-6312 Steinhausen
kurt.christen@softec.ch, +41 41 747 07 60
The root of (almost) all evil: social engineering
"Social engineering is the art of getting a person to take an action that may be in their interest or may cause them harm." Source: www.social-engineer.org
Public WLAN and guest access
Botnets
Image source: webreaders.de/wp-content/uploads/2008/01/botnetz.jpg
Botnets as THE means to an end
• Botnets underlie practically all criminal activity on the Internet
Diagram: web provider, bots, control server, botnet operator; used for DDoS, spam, malware
How cheaply botnets can be rented
Product                    Price
Simple Windows bot         10 cents per bot and day
Bot with good bandwidth    $1 per bot and day
Custom-built               $40 per bot
Source: SWITCH-CERT
Denial of Service
Protonmail: bots, control server, Armada Collective
Protonmail
Black Monday 2016
Mirai botnet by "New World Hackers"
• Attack wave of 21.10.2016 (approx. 50'000 to 100'000 bots)
• Source code leaked: copycats
• Competition with "Bashlight": mutual hijacking of bots
DDoS: recommendations
Prevention
• Identify business-critical systems
• Define protective measures with the provider
Response
• "Sit it out"
• Never pay the ransom
• Report to MELANI / KOBIK; if necessary, file a complaint against unknown persons with the cantonal police (KaPo)
CEO Fraud
Fraud: recommendations
• Issue clear instructions regarding payments
• Do not pass on internal information
• When in doubt, check with executive management (GL)
• Be careful also with e-mails from supposedly known persons
• Inform MELANI / KOBIK; if necessary, file a criminal complaint against unknown persons with the cantonal police (KaPo)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionageangriff auf BV
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage Beispiel aus der Schweiz
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage Empfehlungen
bull Klassifizierung von Dokumenten
bull Regeln fuumlr die verschiedenen Klassfizierungen durchsetzen
bull Netzwerkmonitoring betr verdaumlchtigem Datenverkehr
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Erpressung
httpwwwtrustedwatchde
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner laquoLockyraquo (12)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner laquoLockyraquo (22)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner Empfehlungen
bull Regelmaumlssige Datensicherung
bull Datentraumlger nach Backup vom PC Netz trennen
bull Qualitaumlt der Backups sporadisch uumlberpruumlfen
bull Keinesfalls Loumlsegeld bezahlen
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Max KlausStv Leiter Melde- und Analysestelle
Informationssicherung MELANI
Schwarztorstrasse 59
3003 Bern
Herzlichen Dank fuumlr Ihre Aufmerksamkeit
Mobile-First Arubalsquos sichere Netzwerkarchitektur fuumlr die GenMobileJoumlrg Hofmann HPE Aruba
MOBILE-FIRST
Sichere Netzwerkarchitektur
fuumlr die GenMobile
People Move
Networks Must Follow
WHO ARE WE
Source Gartner Magic Quadrant for the Wired and Wireless LAN Access Infrastructure September 2015 Tim Zimmerman Bill Menezes Andrew Lerner ID Number
G00277052 This Magic Quadrant graphic was published by Gartner Inc as part of a larger research note and should be evaluated in the context of the entire report
The Gartner report is available upon request from HP The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period It depicts
Gartners analysis of how certain vendors measure against criteria for that marketplace as defined by Gartner Gartner does not endorse any vendor product or
service depicted in the Magic Quadrant and does not advise technology users to select only those vendors placed in the Leaders quadrant The Magic Quadrant is
intended solely as a research tool and is not meant to be a specific guide to action Gartner disclaims all warranties express or implied with respect to this research
including any warranties of merchantability or fitness for a particular purpose
ldquoClients globally should consider
Aruba for all wired and wireless
access layer opportunitiesrdquo
Gartner MQ for Wired and Wireless LAN
Access Infrastructure August 2016
Founded 2002 IPO 2007
HPErsquos IT Edge portfolio since June 2015
$24B+ annual revenue run rate
ldquoBiggest Small Companyrdquo
High touch business model
ldquoCustomer First Customer Lastrdquo
Home of 45K+ Mobility Engineers
Airheads Community
ENABLING GREAT
DIGITAL EXPERIENCES FOR GENMOBILE
70 SAY A MOBILE DEVICE MAKES THEM MORE
PRODUCTIVE AT WORK
By 2018 60 of users in mature markets will own and use more
than 3 personal devices
50 of enterprises will allow employees to supply their own
devices by 2017
Forrester ndash CIOs Must Empower the Digital Workplace
Forrester ndash The State of Enterprise Worker Mobility
Gartner ndash The Role of the Desktop in Our Multi-Device World
BY 2020 50 OF THE GLOBAL WORKFORCE WILL BE MILLENNIALS
Millennials believe their personal technology is more
effective at work
63 of millennials work for a company that offers a flexible
work environment
Trends 2016 ndash Code Conference Mary Meeker Annual Presentation
Gartner ndash Millennial Digital Workers Really Are Different From Their Elders
LESS THAN 50 OF EMPLOYEES ARE
SATISFIED WITH TECH THEY HAVE AT WORK
Employees want an environment where they can access and use the technology hey need to do
their best work
Enterprises need to think how untethered employees can move
easily and seamlessly from personal workspace to huddle
area to open areas
Trends 2016 ndash Code Conference Mary Meeker Annual Presentation
Gartner ndash Millennial Digital Workers Really Are Different From Their Elders
80+ NEW IOT PROJECTS TO BE DEPLOYED WITH WIRELESS NETWORK ARCHITECTURE
Installed base of IoTendpoints will grow from
121B in lsquo15 to 30B+ in lsquo20
WLAN will become IoTconnectivity method of choice for many organizations and choosing
the wrong wireless tech can hinder the value of IoT
IDC ndash Planscape Optimizing the WLAN for IoT
IDC ndash Worldwide Internet of Things Forecast Update 2016-2020
THE PERFECT STORM
MOBILE IoT and CLOUD
ldquoOLD STYLErdquo IT INFRASTRUCTURE
Gen Y
ldquoNEW STYLErdquo IT INFRASTRUCTURE
GenMobile
OUR APPROACH
LegacySeparate architectures
Port VLAN aware
Proprietary systems
Mobile FirstSingle set of infrastructure
Insightful context-rich
Developer ready
REQUIREMENTS
FOR IT ORGANIZATIONS
Scale network ops
across wireless and
wired infrastructure
Enable high
quality experience
on mobile UC
Stay compliant
while embracing
BYOD and IoT
Deliver apps to
remote locations
in a heartbeat
Improve workplace
productivity and
influence revenue
growth
EASY TO CONSUME DEVELOPER READY INFRASTRUCTURE
INNOVATION AT THE SPEED OF THE ECOSYSTEM ndash NOT A SINGLE VENDOR
Aruba infrastructure
Wi-Fi BLE Wired WAN
Aruba Mobile First Platform
x
Micro-location
services
Cloud
networking
Location
analytics
Policy
management
Network
managementNetwork
controls
IT services
Business and user facing applications
EMPLOYEE
EXPERIENCE
0900
ENROLL
MOBILE DEVICE
1100
PRIVILEGED ACCESS
WITH MULTI-FACTOR
AUTHENTICATION
1300
BOOK
MEETING ROOM
OPERATIONAL
EXPERIENCE
0930
UNDERSTAND
APP USAGE
Aruba AppRF
1530
MONITOR HEALTH
OF THE SMART
BUILDING
IT EXPERIENCE
1100
PREDICT
DONrsquoT JUST
TROUBLESHOOT
Aruba Clarity
1330
UNDERSTAND
DONrsquoT JUST
MONITOR
ONCE BYOD AND IoT
ARE ON YOUR
NETWORK hellip
SECURING THE
PERIMETER IS NO
LONGER ENOUGH
STAY COMPLIANT
WHILE EMBRACING BYOD AND IOT
Auto-classify unknown devices
on any network with Aruba ClearPass
Automate onboarding of each device
to the network and enforce policy
Detect amp eliminate threats
with ClearPass Exchange partners
SOFTWARE CONTROLS FOR
NETWORK ACCESS SECURITY
Internet of
Things (IoT)
BYOD and
corporate owned
REST
API
Security monitoring
and threat prevention
Device management and
multi-factor authentication
Helpdesk and voiceSMS
service in the cloud
Multi-vendor
switching
Multi-vendor
WLANs
Aruba ClearPass with
Exchange Ecosystem
SOFTWARE CONTROLS FOR ldquoCOLORLESSrdquo PORTS
Device and
user identity
stores
Ports assigned to new
VLANs through ClearPass
based on device type
IoT devices on the
wired network
connecting to any portPrevention against malware
and insider threats
Secure per device
tunneling to Aruba
Mobility Controller
Aruba
switches
LEADING
SWISS
BRANDS
TRUST
US
Pause
Aruba ClearPass ndash Die Loumlsung fuumlr einen sicheren NetzwerkzugangManuel Bitzi SOFTEC AG
Evolution of Access Management and Control
Desktops amp Wired
Basic AAA with UserPort
Control
Windows Vulnerabilities
Perimeter security via
platform silos
High touch IT model
Mobile Devices BYOD amp
Wireless
Multi-factor policy control with
visibility
Multiple Attack Vectors
Cooperative trust via
context sharing
Self Service automated
process
YESTERDAY TODAY
Time For A New Mobility Defense Model
Static Perimeter Defense
IDSIPS
Firewalls
Adaptive Trust Defense
Perimeter
Defense
Physical
Components
AntiVirus
Security and Policy
for each user or
group
Web
gateways
Was sind die Hauptgruumlnde fuumlr ein NAC
AuthentifizierungZugriffsschutz
Automatische Konfiguration
Workflows
VisibilitaumltNachvollziehbarkeit
Top IT NAC Business Drivers
Authentication and Authorization
NAC Services Deployment
Architecture and Coverage
bull Provide secure wired
and wireless access
bull Enhance mobile and
cloud app access
bull Use of certificates
Deployment Services
bull Offer differentiated
access (IT-owned
BYOD IoT)
bull Deliver managed
and reliable guest
access
bull Provide consistent
privileges regardless
of location
bull Leverage 3rd-party
security solutions
bull IT-controlled access
bull Automate workflows
bull Simplicity
bull Possible User-
intervention
ClearPass Policy Manager and NAC Solution
Onboard Guest
Built-inbull Policy Enginebull RADIUSCoATACACSbull Profilingbull Accountingreportsbull Identity store
Expandable Applications
Remote Location
bull BYOD onboardingbull Simple guest accessbull Health assessments
OnGuard
Whatrsquos Inside
VISIBILITY
Device Profiling
Troubleshooting
Per Session Tracking
WORKFLOW
Onboarding and
Self-Registration
Guest Management
MDMEMM Integration
RULES
Context based
Device
Posture Checks
Built-in Certificate
Authority
Authentication based on Device Context
Device
Profiling
bull Samsung SM-G900
bull Android
bull ldquoJons-Galaxyrdquo
EMMMDMOnGuard
bull Personal owned
bull Registered
bull OS up-to-date
bull Hansen Jon [Sales]
bull MDM enabled = true
bull In-compliance = true
Identity
Stores
Network Devices
bull Hansen Jon [Sales]
bull Title ndash COO
bull Dept ndash Executive office
bull City ndash London
bull Location ndash Bldg 10
bull Floor ndash 3
bull Bandwidth ndash 10Mbps
Value of a Policy EngineRemove SSID Overload
NEW WAY Simplify separate traffic dynamically
by context
OLD WAY Separate access amp
traffic by SSIDs
ClearPass ExchangeEnd-to-End Control Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voiceSMSservice in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST APISQL
XMLHTTP LDAP
RADIUSTACACS
Traffic control ampthreat prevention
ClearPass Exchange ExampleExtensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
Devices profiled2 ClearPass checks McAfee ePO for endpoint status
3
ClearPass enforcesaccess privileges4
Devices establish connections1
ClearPass Exchange ExampleBi-directional Exchange ndash FirewallIPS Event
FirewallIPSSIEMetchellip
user connects and uploads threat
sends event to ClearPass
informs infrastructure
1 2
4
detects and blocks event
3isolates user5
notifies user opens service ticket notify third-party devices6
ClearPass Profiler Engine
bull ClearPass sammelt so viele Informationen wie moumlglich um einen Geraumltetyp zu bestimmen
bull Category Family Product Name
bull Fingerprint-Datenbank wird regelmaumlssig aktualisiert
bull Eigene Fingerprints erstellen
bull Credentials fuumlr SMNP SSH etc hinterlegen
bull Profiling bei Authentifizierung oder nach Bedarf
bull Erkennen von IoT Devices
DHCP
SNMP
SSH
TCPWMI
CDP LLDP
OnGuard
NMAP
Mac OUI
HTTP
ClearPass Profiler EngineProfiling on authentication discover IoT
AfterBefore
Lighting Sensorunknown
unknown Temperature Sensor
send to
quarantineprofiling assign
new policy
discover IoT assign appropriated policy
ClearPass Profiler EngineCustom Fingerprints Rules
NEW WAY Create your own
Fingerprints
OLD WAY Wait for new Fingerprints to be made andor manually override
devices 11
ClearPass Universal ProfilerStandalone Profiling Engine
bull Standalone profiling engine
bull Wired and wireless networks
bull Easily distributed for coverage
and scalability
bull New device visibility dashboard
bull Reports
bull Gain Visibility of your Network
bull GA February 2017
ClearPass Universal Profiler
DEMO Profiling
Clearpass Modules WorkflowsOnGuard Client Health Check
bull Automated Healthcheck before Access
bull WiredWireless Ensures posture compliance for laptopscomputers
bull Security Forces use of Anti-VirusAnti-Spyware firewalls disk encryptionhellip
bull Remediation Manual or auto
bull Visibility Identifies poor behavior
bull User Notification Tells User about failed checks
bull Type Service or dissolvable Web Checker
DEMO OnGuard
Clearpass Modules WorkflowsSecure Guest Login
bull Flexible Guest Logins for Any Visitor
bull Customizable Splash Pages
bull Self-Service Workflows
bull SMS Authentication
bull Sponsoring
bull Social Login
bull Vouchers
bull Predefined UserPassword
bull MAC Caching for repeat visitors
bull Suitable for Mobile Devices
Clearpass Modules WorkflowsSecure Guest Login Look and Feel
Clearpass Modules WorkflowsOnBoard Employee Device
bull BYOD Employees Login with Personal Devices
bull User and IT friendly One time user registration no IT intervention
bull Security IT managed 8021X and Certificates
bull Context Data added to profile for adaptive policy and troubleshooting
bull Selfmanaged User can manage delete and block devices by their own
Clearpass Modules WorkflowsCertificate Distribution for BYOD
bull Domain
bull Key amp
Certificate
Enterprise PKI and CA Built-in ClearPass CA
Certificate
Authority
Validation
Authority
Registration
Authority
Active
Directory
IT-Managed
Devices
bull Domain
bull User
bull Device
bull Key amp Unique
Certificate
Personal
Devices
CA
Certificate
Authority
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Oumlffentliche WLAN und Gastzugaumlnge
Titel Datum AutorIn 18
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Botnetze
webreadersdewp-contentuploads200801botnetzjpg
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Botnetze als DAS Mittel zumZweck
bull Botnetze liegen praktisch allen kriminellen Aktivitaumlten im
Bereich des Internets zu Grunde
wwwanbieter
Bots
Control server
Botnet operator
DDoS
Spam
Malware
This is how cheaply botnets can be rented
Product                     Price
Simple Windows bot          10 cents per bot and day
Bot with good bandwidth     $1 per bot and day
Custom-built                $40 per bot
Source: SWITCH-CERT
Denial of Service
Protonmail
Bots
Control server: Armada Collective
Protonmail
Black Monday 2016
Mirai botnet by «New World Hackers»
• Attack wave of 21.10.2016 (approx. 50'000 – 100'000 bots)
• Source code leaked: copycats
• Competition with «Bashlight»: mutual hijacking of bots
DDoS recommendations
Prevention
• Identify business-critical systems
• Define protective measures together with the provider
Reaction
• «Sit it out»
• Never pay a ransom
• Report to MELANI/KOBIK; if appropriate, file a complaint against persons unknown with the cantonal police (KaPo)
CEO Fraud
CEO Fraud
Fraud recommendations
• Issue clear instructions on payments
• Do not pass on internal information
• When in doubt, check with executive management (GL)
• Be careful even with e-mails from supposedly known persons
• Inform MELANI/KOBIK; if appropriate, file a criminal complaint against persons unknown with the cantonal police (KaPo)
Espionage
Espionage attack on the Federal Administration (BV)
Espionage: an example from Switzerland
Espionage recommendations
• Classify documents
• Enforce the rules for the individual classification levels
• Monitor the network for suspicious traffic
• Inform MELANI/KOBIK; if appropriate, file a criminal complaint against persons unknown with the cantonal police (KaPo)
Extortion
Source: http://www.trustedwatch.de
Encryption trojan «Locky» (1/2)
Encryption trojan «Locky» (2/2)
Encryption trojan recommendations
• Back up data regularly
• Disconnect the backup media from the PC / network after the backup
• Check the quality of the backups from time to time
• Never pay a ransom
• Inform MELANI/KOBIK; if appropriate, file a criminal complaint against persons unknown with the cantonal police (KaPo)
Max Klaus, Deputy Head, Reporting and Analysis Centre for Information Assurance MELANI
Schwarztorstrasse 59
3003 Bern
Thank you for your attention
Mobile-First: Aruba's secure network architecture for the GenMobile (Jörg Hofmann, HPE Aruba)
MOBILE-FIRST
Secure network architecture for the GenMobile
People move, networks must follow
WHO ARE WE
Source: Gartner, "Magic Quadrant for the Wired and Wireless LAN Access Infrastructure", September 2015, Tim Zimmerman, Bill Menezes, Andrew Lerner, ID Number G00277052. This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from HP. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
"Clients globally should consider Aruba for all wired and wireless access layer opportunities" – Gartner MQ for Wired and Wireless LAN Access Infrastructure, August 2016
Founded 2002, IPO 2007
Part of HPE's IT Edge portfolio since June 2015
$2.4B+ annual revenue run rate
"Biggest Small Company"
High-touch business model: "Customer First, Customer Last"
Home of 45K+ Mobility Engineers (Airheads Community)
ENABLING GREAT DIGITAL EXPERIENCES FOR GENMOBILE
70% say a mobile device makes them more productive at work
By 2018, 60% of users in mature markets will own and use more than 3 personal devices
50% of enterprises will allow employees to supply their own devices by 2017
Sources: Forrester – CIOs Must Empower the Digital Workplace; Forrester – The State of Enterprise Worker Mobility; Gartner – The Role of the Desktop in Our Multi-Device World
By 2020, 50% of the global workforce will be millennials
Millennials believe their personal technology is more effective at work
63% of millennials work for a company that offers a flexible work environment
Sources: Trends 2016 – Code Conference, Mary Meeker Annual Presentation; Gartner – Millennial Digital Workers Really Are Different From Their Elders
Less than 50% of employees are satisfied with the tech they have at work
Employees want an environment where they can access and use the technology they need to do their best work
Enterprises need to think about how untethered employees can move easily and seamlessly from personal workspace to huddle area to open areas
Sources: Trends 2016 – Code Conference, Mary Meeker Annual Presentation; Gartner – Millennial Digital Workers Really Are Different From Their Elders
80+ new IoT projects to be deployed with wireless network architecture
Installed base of IoT endpoints will grow from 12.1B in '15 to 30B+ in '20
WLAN will become the IoT connectivity method of choice for many organizations, and choosing the wrong wireless tech can hinder the value of IoT
Sources: IDC – Planscape: Optimizing the WLAN for IoT; IDC – Worldwide Internet of Things Forecast Update 2016-2020
THE PERFECT STORM: MOBILE, IoT and CLOUD
"Old style" IT infrastructure: Gen Y
"New style" IT infrastructure: GenMobile
OUR APPROACH
Legacy: Separate architectures; Port/VLAN aware; Proprietary systems
Mobile First: Single set of infrastructure; Insightful, context-rich; Developer ready
REQUIREMENTS FOR IT ORGANIZATIONS
• Scale network ops across wireless and wired infrastructure
• Enable high-quality experience on mobile UC
• Stay compliant while embracing BYOD and IoT
• Deliver apps to remote locations in a heartbeat
• Improve workplace productivity and influence revenue growth
EASY TO CONSUME, DEVELOPER READY INFRASTRUCTURE
Innovation at the speed of the ecosystem – not a single vendor
Aruba infrastructure: Wi-Fi, BLE, Wired, WAN
Aruba Mobile First Platform: Micro-location services; Cloud networking; Location analytics; Policy management; Network management; Network controls
IT services
Business and user facing applications
EMPLOYEE EXPERIENCE
09:00 Enroll mobile device
11:00 Privileged access with multi-factor authentication
13:00 Book meeting room
OPERATIONAL EXPERIENCE
09:30 Understand app usage (Aruba AppRF)
15:30 Monitor health of the smart building
IT EXPERIENCE
11:00 Predict, don't just troubleshoot (Aruba Clarity)
13:30 Understand, don't just monitor
Once BYOD and IoT are on your network … securing the perimeter is no longer enough
STAY COMPLIANT WHILE EMBRACING BYOD AND IoT
• Auto-classify unknown devices on any network with Aruba ClearPass
• Automate onboarding of each device to the network and enforce policy
• Detect & eliminate threats with ClearPass Exchange partners
SOFTWARE CONTROLS FOR NETWORK ACCESS SECURITY
Aruba ClearPass with Exchange Ecosystem
Endpoints: Internet of Things (IoT); BYOD and corporate owned
Infrastructure: Multi-vendor switching; Multi-vendor WLANs
REST API integrations: Security monitoring and threat prevention; Device management and multi-factor authentication; Helpdesk and voice/SMS service in the cloud
SOFTWARE CONTROLS FOR "COLORLESS" PORTS
Device and user identity stores
Ports assigned to new VLANs through ClearPass based on device type
IoT devices on the wired network connecting to any port
Prevention against malware and insider threats
Secure per-device tunneling to Aruba Mobility Controller
Aruba switches
LEADING SWISS BRANDS TRUST US
Break
Aruba ClearPass – The solution for secure network access (Manuel Bitzi, SOFTEC AG)
Evolution of Access Management and Control
YESTERDAY: Desktops & Wired
• Basic AAA with user/port control
• Windows vulnerabilities
• Perimeter security via platform silos
• High-touch IT model
TODAY: Mobile Devices, BYOD & Wireless
• Multi-factor policy control with visibility
• Multiple attack vectors
• Cooperative trust via context sharing
• Self-service, automated process
Time For A New Mobility Defense Model
Static Perimeter Defense: IDS/IPS; Firewalls; Web gateways; AntiVirus; Physical components
Adaptive Trust Defense: Security and policy for each user or group
What are the main reasons for a NAC?
• Authentication / access protection
• Automatic configuration
• Workflows
• Visibility / traceability
Top IT NAC Business Drivers
Authentication and Authorization
• Provide secure wired and wireless access
• Enhance mobile and cloud app access
• Use of certificates
NAC Services Deployment
• Offer differentiated access (IT-owned, BYOD, IoT)
• Deliver managed and reliable guest access
• Provide consistent privileges regardless of location
• Leverage 3rd-party security solutions
Architecture and Coverage
• IT-controlled access
• Automate workflows
• Simplicity
• Possible user intervention
ClearPass Policy Manager and NAC Solution
Built-in: • Policy Engine • RADIUS/CoA/TACACS • Profiling • Accounting/reports • Identity store
Expandable applications: Onboard, Guest, OnGuard; remote location
• BYOD onboarding • Simple guest access • Health assessments
What's Inside
VISIBILITY: Device profiling; Troubleshooting; Per-session tracking
WORKFLOW: Onboarding and self-registration; Guest management; MDM/EMM integration
RULES: Context-based; Device posture checks; Built-in Certificate Authority
Authentication based on Device Context
Device profiling:
• Samsung SM-G900
• Android
• "Jons-Galaxy"
EMM/MDM/OnGuard:
• Personal owned
• Registered
• OS up-to-date
• Hansen, Jon [Sales]
• MDM enabled = true
• In-compliance = true
Identity stores / network devices:
• Hansen, Jon [Sales]
• Title – COO
• Dept – Executive office
• City – London
• Location – Bldg 10
• Floor – 3
• Bandwidth – 10 Mbps
Value of a Policy Engine: Remove SSID Overload
OLD WAY: Separate access & traffic by SSIDs
NEW WAY: Simplify; separate traffic dynamically by context
ClearPass Exchange: End-to-End Control, Information and Visibility
Multi-vendor infrastructure
Device management and multi-factor authentication
Helpdesk and voice/SMS service in the cloud
Combine identity information
Standard protocols for custom extensions: REST API, SQL, XML/HTTP, LDAP, RADIUS/TACACS
Traffic control & threat prevention
ClearPass Exchange Example: Extensions for Intel Security – McAfee ePO
(Corporate owned and IoT; BYOD and corporate owned; multi-vendor switching; multi-vendor WLAN; McAfee ePO)
1. Devices establish connections
2. Devices are profiled
3. ClearPass checks McAfee ePO for endpoint status
4. ClearPass enforces access privileges
ClearPass Exchange Example: Bi-directional Exchange – Firewall/IPS Event
(Firewall / IPS / SIEM etc. …)
1. User connects and uploads a threat
2. Firewall/IPS detects and blocks the event
3. Sends the event to ClearPass
4. ClearPass informs the infrastructure
5. Isolates the user
6. Notifies the user, opens a service ticket, notifies third-party devices
ClearPass Profiler Engine
• ClearPass collects as much information as possible to determine a device type
• Category, Family, Product Name
• The fingerprint database is updated regularly
• Create your own fingerprints
• Store credentials for SNMP, SSH etc.
• Profiling at authentication or on demand
• Detection of IoT devices
Profiling sources: DHCP; SNMP; SSH; TCP/WMI; CDP/LLDP; OnGuard; NMAP; MAC OUI; HTTP
ClearPass Profiler Engine: Profiling on authentication, discover IoT
Before: unknown → After: Lighting Sensor
Before: unknown → After: Temperature Sensor
Send to quarantine → profiling → assign new policy
Discover IoT, assign the appropriate policy
ClearPass Profiler Engine: Custom Fingerprint Rules
OLD WAY: Wait for new fingerprints to be made and/or manually override devices
NEW WAY: Create your own fingerprints
ClearPass Universal Profiler: Standalone Profiling Engine
• Standalone profiling engine
• Wired and wireless networks
• Easily distributed for coverage and scalability
• New device visibility dashboard
• Reports
• Gain visibility of your network
• GA February 2017
ClearPass Universal Profiler
DEMO: Profiling
ClearPass Modules / Workflows: OnGuard Client Health Check
• Automated health check before access
• Wired/Wireless: Ensures posture compliance for laptops/computers
• Security: Forces use of anti-virus/anti-spyware, firewalls, disk encryption …
• Remediation: Manual or automatic
• Visibility: Identifies poor behaviour
• User notification: Tells the user about failed checks
• Type: Service or dissolvable web checker
DEMO: OnGuard
ClearPass Modules / Workflows: Secure Guest Login
• Flexible guest logins for any visitor
• Customizable splash pages
• Self-service workflows
• SMS authentication
• Sponsoring
• Social login
• Vouchers
• Predefined user/password
• MAC caching for repeat visitors
• Suitable for mobile devices
ClearPass Modules / Workflows: Secure Guest Login – Look and Feel
ClearPass Modules / Workflows: OnBoard Employee Device
• BYOD: Employees log in with personal devices
• User- and IT-friendly: One-time user registration, no IT intervention
• Security: IT-managed 802.1X and certificates
• Context: Data added to the profile for adaptive policy and troubleshooting
• Self-managed: Users can manage, delete and block their own devices
ClearPass Modules / Workflows: Certificate Distribution for BYOD
IT-managed devices (Enterprise PKI and CA: Certificate Authority, Validation Authority, Registration Authority, Active Directory – AD/RA/VA CA):
• Domain
• Key & certificate
Personal devices (Built-in ClearPass CA):
• Domain
• User
• Device
• Key & unique certificate
ClearPass Modules / Workflows: Multi-Factor Authentication
• Additional authentication for Guest and Onboard workflows
• Multiple providers supported:
• SMS verification code
• RSA Security
• Duo
• Zoom Facial Network
• Kasada
• More to come
DEMO: OnBoard BYOD
Possible access concept (wireless)
• Guests: SSID "open", captive portal
• BYOD: SSID "secure", dot1x
• IoT: SSID "IoT", PSK / MAC / profiling
Resulting access: Internet only; Corp LAN; Internet (Corp-PC vs. others)
Possible access concept (wired)
• Guests: captive portal
• Dot1x (certificate)
• MAC auth, profiling
Resulting access: Internet only; Corp LAN; Internet (Corp-PC with certificate vs. others)
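The device-context policy from the "Authentication based on Device Context" and "Remove SSID Overload" slides, the quarantine-then-profile flow of the Profiler Engine and the wireless/wired access concept, as one added Python example (not ClearPass code or its API; the attribute names, role names, VLAN numbers and fingerprint table are constructed):

```python
"""Context-based network access decisions, modelled on the ClearPass slides.

Constructed example, not ClearPass code or its API: the attribute names,
role names, VLAN numbers and fingerprint table below are all hypothetical.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

Fingerprint = Tuple[str, str, str]  # (category, family, product name)

# Constructed fingerprint table keyed by MAC OUI. Locally administered
# prefixes (02:..) are used so that no real vendor is implied.
OUI_FINGERPRINTS = {
    "02:aa:00": ("IoT", "Sensor", "Lighting Sensor"),
    "02:aa:01": ("IoT", "Sensor", "Temperature Sensor"),
}
# Constructed DHCP vendor-class (option 60) substrings -> fingerprint.
DHCP_FINGERPRINTS = {
    "android": ("SmartDevice", "Android", "Android Phone"),
    "msft 5.0": ("Computer", "Windows", "Windows PC"),
}
QUARANTINE_VLAN = 999


@dataclass
class Endpoint:
    """What the policy engine knows about one session (fields are hypothetical)."""
    mac: str
    auth_method: str              # "captive-portal", "psk-mac", "dot1x-cert", "dot1x-password"
    dhcp_vendor_class: str = ""   # one of the profiler's inputs
    user: Optional[str] = None
    department: Optional[str] = None
    corporate_owned: bool = False
    mdm_enrolled: bool = False
    mdm_compliant: bool = False


@dataclass
class Decision:
    role: str
    vlan: int
    bandwidth_mbps: Optional[int]  # None = unlimited
    reason: str


def profile(ep: Endpoint) -> Optional[Fingerprint]:
    """Combine profiler inputs (OUI first, then DHCP); None means 'unknown'."""
    oui = ep.mac.lower()[:8]
    if oui in OUI_FINGERPRINTS:
        return OUI_FINGERPRINTS[oui]
    vendor = ep.dhcp_vendor_class.lower()
    for needle, fp in DHCP_FINGERPRINTS.items():
        if needle in vendor:
            return fp
    return None


def decide(ep: Endpoint) -> Decision:
    """One policy for every SSID and every port: the outcome is driven by
    context (identity, device, posture), not by where the device connected."""
    fp = profile(ep)
    if ep.auth_method == "captive-portal":
        # Guests: Internet only, rate-limited, no corporate resources.
        return Decision("guest", 100, 5, "captive portal login -> Internet only")
    if ep.auth_method == "psk-mac":
        # Headless devices cannot do 802.1X. Unknown devices are quarantined
        # and profiled; once a category is known a new policy is applied.
        if fp is None:
            return Decision("quarantine", QUARANTINE_VLAN, 1,
                            "unknown device: profile before granting access")
        if fp[0] == "IoT":
            return Decision("iot", 30, 2, f"profiled as {fp[2]} -> IoT segment")
        return Decision("quarantine", QUARANTINE_VLAN, 1,
                        f"{fp[2]} must use 802.1X, not PSK/MAC auth")
    if ep.auth_method == "dot1x-cert" and ep.corporate_owned:
        # IT-managed device with a certificate from the enterprise CA.
        return Decision("corp", 10, None, "IT-managed device -> Corp LAN")
    if ep.auth_method in ("dot1x-cert", "dot1x-password"):
        # Personal device: the MDM/OnGuard context refines the decision.
        if not ep.mdm_enrolled:
            return Decision("onboard", 200, 5, "authenticated but not registered -> onboarding")
        if not ep.mdm_compliant:
            return Decision("remediation", 998, 1, "MDM reports non-compliance -> remediation only")
        return Decision("byod", 20, 10,
                        f"compliant personal device of {ep.user} ({ep.department}) -> Internet")
    return Decision("deny", QUARANTINE_VLAN, 0, f"unsupported auth method {ep.auth_method!r}")


if __name__ == "__main__":
    # Constructed sessions: the two 802.1X clients connect to the same SSID
    # but receive different roles, which is the point of the policy engine.
    sessions = [
        Endpoint("02:aa:00:10:20:30", "psk-mac"),
        Endpoint("02:ff:00:00:00:01", "psk-mac"),
        Endpoint("02:bb:00:00:00:02", "dot1x-password", "android-dhcp-7.0",
                 user="Hansen, Jon", department="Sales", mdm_enrolled=True, mdm_compliant=True),
        Endpoint("02:bb:00:00:00:03", "dot1x-cert", "MSFT 5.0", corporate_owned=True),
    ]
    for s in sessions:
        d = decide(s)
        print(f"{s.mac} {s.auth_method:15} -> role={d.role:11} vlan={d.vlan:<4} {d.reason}")
```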
How to approach a NAC project: Best practice and experience
• Know the devices in your network
  • What is there? Where are they? New ones?
  • Inventory, profiling
• Define use cases
  • Which stakeholder groups are there?
  • Processes, workflows, access
  • Simple and few: keep it simple
• Plan enough time for a proof of concept
  • Bring the lessons from the PoC back in and adapt
• Implement step by step
  • Not everything at once
  • But ultimately comprehensive
Thank you for your attention
Manuel Bitzi, Project Manager Network Engineering
manuel.bitzi@softec.ch
Apéro and Networking
Thank you for your visit
SOFTEC AG, Industriestrasse 51, CH-6312 Steinhausen
kurt.christen@softec.ch, +41 41 747 07 60
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Botnetze
webreadersdewp-contentuploads200801botnetzjpg
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Botnetze als DAS Mittel zumZweck
bull Botnetze liegen praktisch allen kriminellen Aktivitaumlten im
Bereich des Internets zu Grunde
wwwanbieter
Bots
Kontrollserver
Botnetzbetreiber
DDoS
Spam
Malware
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Produkt Preis
Einfacher Windows Bot 10 Cents BotampTag
Bot mit guter Bandbreite 1$ BotampTag
Spezialanfertigung 40$ Bot
Quelle SWITCH-CERT
So billig sind Botnetze zu mieten
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Denial of Service
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Protonmail
Bots
Kontrollserver Armada Collective
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Protonmail
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Der schwarze Montag 2016
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Mirai Botnet by laquoNew World Hackersraquobull Angriffswelle vom 21102016 (ca
50rsquo000 ndash 100rsquo000 Bots)
bull Source Code geleakt
Trittbrettfahrer
bull Konkurrenz zu laquoBashlightraquo
gegenseitiges Kapern
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
DDos Empfehlungen
Praumlvention
bull Businesskritische Systeme identifizieren
bull Schutzmassnahmen mit Provider definieren
Reaktion
bull laquoAussitzenraquo
bull Keinesfalls Loumlsegeld bezahlen
bull Meldung an MELANIKOBIK allenfalls Anzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
CEO Fraud
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
CEO Fraud
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Betrug Empfehlungen
bull Klare Weisungen bezuumlglich Zahlungen erteilen
bull Keine internen Informationen weitergeben
bull Im Zweifelsfall bei der GL nachfragen
bull Vorsicht auch bei Mails von vermeintlich bekannten Personen
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionageangriff auf BV
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage Beispiel aus der Schweiz
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage Empfehlungen
bull Klassifizierung von Dokumenten
bull Regeln fuumlr die verschiedenen Klassfizierungen durchsetzen
bull Netzwerkmonitoring betr verdaumlchtigem Datenverkehr
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Erpressung
httpwwwtrustedwatchde
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner laquoLockyraquo (12)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner laquoLockyraquo (22)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner Empfehlungen
bull Regelmaumlssige Datensicherung
bull Datentraumlger nach Backup vom PC Netz trennen
bull Qualitaumlt der Backups sporadisch uumlberpruumlfen
bull Keinesfalls Loumlsegeld bezahlen
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Max KlausStv Leiter Melde- und Analysestelle
Informationssicherung MELANI
Schwarztorstrasse 59
3003 Bern
Herzlichen Dank fuumlr Ihre Aufmerksamkeit
Mobile-First Arubalsquos sichere Netzwerkarchitektur fuumlr die GenMobileJoumlrg Hofmann HPE Aruba
MOBILE-FIRST
Sichere Netzwerkarchitektur
fuumlr die GenMobile
People Move
Networks Must Follow
WHO ARE WE
Source Gartner Magic Quadrant for the Wired and Wireless LAN Access Infrastructure September 2015 Tim Zimmerman Bill Menezes Andrew Lerner ID Number
G00277052 This Magic Quadrant graphic was published by Gartner Inc as part of a larger research note and should be evaluated in the context of the entire report
The Gartner report is available upon request from HP The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period It depicts
Gartners analysis of how certain vendors measure against criteria for that marketplace as defined by Gartner Gartner does not endorse any vendor product or
service depicted in the Magic Quadrant and does not advise technology users to select only those vendors placed in the Leaders quadrant The Magic Quadrant is
intended solely as a research tool and is not meant to be a specific guide to action Gartner disclaims all warranties express or implied with respect to this research
including any warranties of merchantability or fitness for a particular purpose
ldquoClients globally should consider
Aruba for all wired and wireless
access layer opportunitiesrdquo
Gartner MQ for Wired and Wireless LAN
Access Infrastructure August 2016
Founded 2002 IPO 2007
HPErsquos IT Edge portfolio since June 2015
$24B+ annual revenue run rate
ldquoBiggest Small Companyrdquo
High touch business model
ldquoCustomer First Customer Lastrdquo
Home of 45K+ Mobility Engineers
Airheads Community
ENABLING GREAT
DIGITAL EXPERIENCES FOR GENMOBILE
70 SAY A MOBILE DEVICE MAKES THEM MORE
PRODUCTIVE AT WORK
By 2018 60 of users in mature markets will own and use more
than 3 personal devices
50 of enterprises will allow employees to supply their own
devices by 2017
Forrester ndash CIOs Must Empower the Digital Workplace
Forrester ndash The State of Enterprise Worker Mobility
Gartner ndash The Role of the Desktop in Our Multi-Device World
BY 2020 50 OF THE GLOBAL WORKFORCE WILL BE MILLENNIALS
Millennials believe their personal technology is more
effective at work
63 of millennials work for a company that offers a flexible
work environment
Trends 2016 ndash Code Conference Mary Meeker Annual Presentation
Gartner ndash Millennial Digital Workers Really Are Different From Their Elders
LESS THAN 50 OF EMPLOYEES ARE
SATISFIED WITH TECH THEY HAVE AT WORK
Employees want an environment where they can access and use the technology hey need to do
their best work
Enterprises need to think how untethered employees can move
easily and seamlessly from personal workspace to huddle
area to open areas
Trends 2016 ndash Code Conference Mary Meeker Annual Presentation
Gartner ndash Millennial Digital Workers Really Are Different From Their Elders
80+ NEW IOT PROJECTS TO BE DEPLOYED WITH WIRELESS NETWORK ARCHITECTURE
Installed base of IoTendpoints will grow from
121B in lsquo15 to 30B+ in lsquo20
WLAN will become IoTconnectivity method of choice for many organizations and choosing
the wrong wireless tech can hinder the value of IoT
IDC ndash Planscape Optimizing the WLAN for IoT
IDC ndash Worldwide Internet of Things Forecast Update 2016-2020
THE PERFECT STORM
MOBILE IoT and CLOUD
ldquoOLD STYLErdquo IT INFRASTRUCTURE
Gen Y
ldquoNEW STYLErdquo IT INFRASTRUCTURE
GenMobile
OUR APPROACH
LegacySeparate architectures
Port VLAN aware
Proprietary systems
Mobile FirstSingle set of infrastructure
Insightful context-rich
Developer ready
REQUIREMENTS
FOR IT ORGANIZATIONS
Scale network ops
across wireless and
wired infrastructure
Enable high
quality experience
on mobile UC
Stay compliant
while embracing
BYOD and IoT
Deliver apps to
remote locations
in a heartbeat
Improve workplace
productivity and
influence revenue
growth
EASY TO CONSUME DEVELOPER READY INFRASTRUCTURE
INNOVATION AT THE SPEED OF THE ECOSYSTEM ndash NOT A SINGLE VENDOR
Aruba infrastructure
Wi-Fi BLE Wired WAN
Aruba Mobile First Platform
x
Micro-location
services
Cloud
networking
Location
analytics
Policy
management
Network
managementNetwork
controls
IT services
Business and user facing applications
EMPLOYEE
EXPERIENCE
0900
ENROLL
MOBILE DEVICE
1100
PRIVILEGED ACCESS
WITH MULTI-FACTOR
AUTHENTICATION
1300
BOOK
MEETING ROOM
OPERATIONAL
EXPERIENCE
0930
UNDERSTAND
APP USAGE
Aruba AppRF
1530
MONITOR HEALTH
OF THE SMART
BUILDING
IT EXPERIENCE
1100
PREDICT
DONrsquoT JUST
TROUBLESHOOT
Aruba Clarity
1330
UNDERSTAND
DONrsquoT JUST
MONITOR
ONCE BYOD AND IoT
ARE ON YOUR
NETWORK hellip
SECURING THE
PERIMETER IS NO
LONGER ENOUGH
STAY COMPLIANT
WHILE EMBRACING BYOD AND IOT
Auto-classify unknown devices
on any network with Aruba ClearPass
Automate onboarding of each device
to the network and enforce policy
Detect amp eliminate threats
with ClearPass Exchange partners
SOFTWARE CONTROLS FOR
NETWORK ACCESS SECURITY
Internet of
Things (IoT)
BYOD and
corporate owned
REST
API
Security monitoring
and threat prevention
Device management and
multi-factor authentication
Helpdesk and voiceSMS
service in the cloud
Multi-vendor
switching
Multi-vendor
WLANs
Aruba ClearPass with
Exchange Ecosystem
SOFTWARE CONTROLS FOR ldquoCOLORLESSrdquo PORTS
Device and
user identity
stores
Ports assigned to new
VLANs through ClearPass
based on device type
IoT devices on the
wired network
connecting to any portPrevention against malware
and insider threats
Secure per device
tunneling to Aruba
Mobility Controller
Aruba
switches
LEADING
SWISS
BRANDS
TRUST
US
Pause
Aruba ClearPass ndash Die Loumlsung fuumlr einen sicheren NetzwerkzugangManuel Bitzi SOFTEC AG
Evolution of Access Management and Control
Desktops amp Wired
Basic AAA with UserPort
Control
Windows Vulnerabilities
Perimeter security via
platform silos
High touch IT model
Mobile Devices BYOD amp
Wireless
Multi-factor policy control with
visibility
Multiple Attack Vectors
Cooperative trust via
context sharing
Self Service automated
process
YESTERDAY TODAY
Time For A New Mobility Defense Model
Static Perimeter Defense
IDSIPS
Firewalls
Adaptive Trust Defense
Perimeter
Defense
Physical
Components
AntiVirus
Security and Policy
for each user or
group
Web
gateways
Was sind die Hauptgruumlnde fuumlr ein NAC
AuthentifizierungZugriffsschutz
Automatische Konfiguration
Workflows
VisibilitaumltNachvollziehbarkeit
Top IT NAC Business Drivers
Authentication and Authorization
NAC Services Deployment
Architecture and Coverage
bull Provide secure wired
and wireless access
bull Enhance mobile and
cloud app access
bull Use of certificates
Deployment Services
bull Offer differentiated
access (IT-owned
BYOD IoT)
bull Deliver managed
and reliable guest
access
bull Provide consistent
privileges regardless
of location
bull Leverage 3rd-party
security solutions
bull IT-controlled access
bull Automate workflows
bull Simplicity
bull Possible User-
intervention
ClearPass Policy Manager and NAC Solution
Onboard Guest
Built-inbull Policy Enginebull RADIUSCoATACACSbull Profilingbull Accountingreportsbull Identity store
Expandable Applications
Remote Location
bull BYOD onboardingbull Simple guest accessbull Health assessments
OnGuard
Whatrsquos Inside
VISIBILITY
Device Profiling
Troubleshooting
Per Session Tracking
WORKFLOW
Onboarding and
Self-Registration
Guest Management
MDMEMM Integration
RULES
Context based
Device
Posture Checks
Built-in Certificate
Authority
Authentication based on Device Context
Device
Profiling
bull Samsung SM-G900
bull Android
bull ldquoJons-Galaxyrdquo
EMMMDMOnGuard
bull Personal owned
bull Registered
bull OS up-to-date
bull Hansen Jon [Sales]
bull MDM enabled = true
bull In-compliance = true
Identity
Stores
Network Devices
bull Hansen Jon [Sales]
bull Title ndash COO
bull Dept ndash Executive office
bull City ndash London
bull Location ndash Bldg 10
bull Floor ndash 3
bull Bandwidth ndash 10Mbps
Value of a Policy EngineRemove SSID Overload
NEW WAY Simplify separate traffic dynamically
by context
OLD WAY Separate access amp
traffic by SSIDs
ClearPass ExchangeEnd-to-End Control Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voiceSMSservice in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST APISQL
XMLHTTP LDAP
RADIUSTACACS
Traffic control ampthreat prevention
ClearPass Exchange ExampleExtensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
Devices profiled2 ClearPass checks McAfee ePO for endpoint status
3
ClearPass enforcesaccess privileges4
Devices establish connections1
ClearPass Exchange ExampleBi-directional Exchange ndash FirewallIPS Event
FirewallIPSSIEMetchellip
user connects and uploads threat
sends event to ClearPass
informs infrastructure
1 2
4
detects and blocks event
3isolates user5
notifies user opens service ticket notify third-party devices6
ClearPass Profiler Engine
bull ClearPass sammelt so viele Informationen wie moumlglich um einen Geraumltetyp zu bestimmen
bull Category Family Product Name
bull Fingerprint-Datenbank wird regelmaumlssig aktualisiert
bull Eigene Fingerprints erstellen
bull Credentials fuumlr SMNP SSH etc hinterlegen
bull Profiling bei Authentifizierung oder nach Bedarf
bull Erkennen von IoT Devices
DHCP
SNMP
SSH
TCPWMI
CDP LLDP
OnGuard
NMAP
Mac OUI
HTTP
ClearPass Profiler EngineProfiling on authentication discover IoT
AfterBefore
Lighting Sensorunknown
unknown Temperature Sensor
send to
quarantineprofiling assign
new policy
discover IoT assign appropriated policy
ClearPass Profiler EngineCustom Fingerprints Rules
NEW WAY Create your own
Fingerprints
OLD WAY Wait for new Fingerprints to be made andor manually override
devices 11
ClearPass Universal ProfilerStandalone Profiling Engine
bull Standalone profiling engine
bull Wired and wireless networks
bull Easily distributed for coverage
and scalability
bull New device visibility dashboard
bull Reports
bull Gain Visibility of your Network
bull GA February 2017
ClearPass Universal Profiler
DEMO Profiling
Clearpass Modules WorkflowsOnGuard Client Health Check
bull Automated Healthcheck before Access
bull WiredWireless Ensures posture compliance for laptopscomputers
bull Security Forces use of Anti-VirusAnti-Spyware firewalls disk encryptionhellip
bull Remediation Manual or auto
bull Visibility Identifies poor behavior
bull User Notification Tells User about failed checks
bull Type Service or dissolvable Web Checker
DEMO OnGuard
Clearpass Modules WorkflowsSecure Guest Login
bull Flexible Guest Logins for Any Visitor
bull Customizable Splash Pages
bull Self-Service Workflows
bull SMS Authentication
bull Sponsoring
bull Social Login
bull Vouchers
bull Predefined UserPassword
bull MAC Caching for repeat visitors
bull Suitable for Mobile Devices
Clearpass Modules WorkflowsSecure Guest Login Look and Feel
Clearpass Modules WorkflowsOnBoard Employee Device
bull BYOD Employees Login with Personal Devices
bull User and IT friendly One time user registration no IT intervention
bull Security IT managed 8021X and Certificates
bull Context Data added to profile for adaptive policy and troubleshooting
bull Selfmanaged User can manage delete and block devices by their own
Clearpass Modules WorkflowsCertificate Distribution for BYOD
bull Domain
bull Key amp
Certificate
Enterprise PKI and CA Built-in ClearPass CA
Certificate
Authority
Validation
Authority
Registration
Authority
Active
Directory
IT-Managed
Devices
bull Domain
bull User
bull Device
bull Key amp Unique
Certificate
Personal
Devices
CA
Certificate
Authority
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Botnetze als DAS Mittel zumZweck
bull Botnetze liegen praktisch allen kriminellen Aktivitaumlten im
Bereich des Internets zu Grunde
wwwanbieter
Bots
Kontrollserver
Botnetzbetreiber
DDoS
Spam
Malware
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Produkt Preis
Einfacher Windows Bot 10 Cents BotampTag
Bot mit guter Bandbreite 1$ BotampTag
Spezialanfertigung 40$ Bot
Quelle SWITCH-CERT
So billig sind Botnetze zu mieten
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Denial of Service
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Protonmail
Bots
Kontrollserver Armada Collective
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Protonmail
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Der schwarze Montag 2016
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Mirai Botnet by laquoNew World Hackersraquobull Angriffswelle vom 21102016 (ca
50rsquo000 ndash 100rsquo000 Bots)
bull Source Code geleakt
Trittbrettfahrer
bull Konkurrenz zu laquoBashlightraquo
gegenseitiges Kapern
DDoS: recommendations
Prevention
• Identify business-critical systems
• Define protective measures together with the provider
Reaction
• «Sit it out»
• Never pay a ransom
• Report to MELANI / KOBIK; if appropriate, file a complaint against persons unknown with the cantonal police (KaPo)
CEO Fraud
Fraud: recommendations
• Issue clear instructions regarding payments
• Do not pass on internal information
• When in doubt, check with executive management (GL)
• Be careful even with e-mails from supposedly known persons
• Inform MELANI / KOBIK; if appropriate, file a criminal complaint against persons unknown with the cantonal police (KaPo)
Espionage
Espionage attack on the Federal Administration (BV)
Espionage: an example from Switzerland
Espionage: recommendations
• Classify documents
• Enforce the rules for the different classification levels
• Monitor the network for suspicious traffic
• Inform MELANI / KOBIK; if appropriate, file a criminal complaint against persons unknown with the cantonal police (KaPo)
Extortion
(Image source: http://www.trustedwatch.de)
Encryption trojan «Locky» (1/2)
Encryption trojan «Locky» (2/2)
Encryption trojans: recommendations
• Back up data regularly
• Disconnect the backup media from the PC / network after the backup
• Check the quality of the backups from time to time
• Never pay a ransom
• Inform MELANI / KOBIK; if appropriate, file a criminal complaint against persons unknown with the cantonal police (KaPo)
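The backup bullets above name a practice but not how to test it. The following is an added example (not from the presentation or from MELANI) of the "check the quality of the backups" step: it writes a backup together with a SHA-256 manifest, then verifies the backup by restoring it into a scratch directory and comparing every file, so that a missing or silently corrupted file is reported before the day it is needed. The archive layout (data.tar plus manifest.json), the file names and the file contents are this example's own constructions.

```python
"""Backup with a SHA-256 manifest and an automated restore test.

Added example, not from the presentation: the archive layout (data.tar + manifest.json)
is this example's convention, and the files created in demo() are constructed.
"""
import hashlib
import json
import os
import tarfile
import tempfile


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def file_hashes(root):
    """Relative path -> SHA-256 for every regular file below root."""
    hashes = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            hashes[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return hashes


def create_backup(src_dir, backup_dir):
    """Write data.tar plus manifest.json; the manifest is taken from the live files before archiving."""
    os.makedirs(backup_dir, exist_ok=True)
    manifest = file_hashes(src_dir)
    with tarfile.open(os.path.join(backup_dir, "data.tar"), "w") as tar:
        tar.add(src_dir, arcname=".")
    with open(os.path.join(backup_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    return manifest


def verify_backup(backup_dir):
    """Restore test: extract into a scratch directory and compare every file against the manifest.

    Returns {"ok": bool, "missing": [...], "modified": [...], "extra": [...]}.
    """
    with open(os.path.join(backup_dir, "manifest.json")) as fh:
        manifest = json.load(fh)
    # The "data" extraction filter (Python 3.12, backported to 3.8.17+) rejects absolute paths
    # and "../" entries in the archive; fall back to a plain extractall where it is unavailable.
    extract_args = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(os.path.join(backup_dir, "data.tar")) as tar:
            tar.extractall(scratch, **extract_args)
        restored = file_hashes(scratch)
    missing = sorted(p for p in manifest if p not in restored)
    modified = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    extra = sorted(p for p in restored if p not in manifest)
    return {"ok": not (missing or modified or extra),
            "missing": missing, "modified": modified, "extra": extra}


def corrupt_archive(backup_dir, needle, replacement):
    """Simulate silent media corruption: overwrite bytes inside data.tar, leaving the manifest untouched."""
    if len(needle) != len(replacement):
        raise ValueError("replacement must keep the archive length")
    path = os.path.join(backup_dir, "data.tar")
    with open(path, "rb") as fh:
        offset = fh.read().find(needle)
    if offset < 0:
        raise ValueError("needle not found in archive")
    with open(path, "r+b") as fh:
        fh.seek(offset)
        fh.write(replacement)


def demo():
    """Back up a constructed share, verify it, corrupt one file in the archive, verify again."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "share")
        os.makedirs(os.path.join(src, "finance"))
        with open(os.path.join(src, "finance", "q3.txt"), "w") as fh:
            fh.write("quarterly figures\n")
        with open(os.path.join(src, "readme.txt"), "w") as fh:
            fh.write("constructed sample data\n")
        backup = os.path.join(work, "backup-2016-11")
        create_backup(src, backup)
        clean = verify_backup(backup)
        corrupt_archive(backup, b"quarterly figures\n", b"QUARTERLY FIGURES\n")
        damaged = verify_backup(backup)
        return clean, damaged


if __name__ == "__main__":
    print(demo())
```

Run the verification from a clean machine against a copy of the backup that was taken offline: a backup volume that is still attached to the infected PC is encrypted together with the originals, which is what the "disconnect the media" bullet is about.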
Max Klaus, Deputy Head, Melde- und Analysestelle Informationssicherung MELANI
Schwarztorstrasse 59, 3003 Bern
Thank you for your attention
Mobile-First: Aruba's secure network architecture for the GenMobile (Jörg Hofmann, HPE Aruba)
People move, networks must follow
Who we are
Source: Gartner, Magic Quadrant for the Wired and Wireless LAN Access Infrastructure, September 2015, Tim Zimmerman, Bill Menezes, Andrew Lerner, ID Number G00277052. This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from HP. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
"Clients globally should consider Aruba for all wired and wireless access layer opportunities" (Gartner, Magic Quadrant for Wired and Wireless LAN Access Infrastructure, August 2016)
• Founded 2002, IPO 2007
• HPE's IT Edge portfolio since June 2015
• $2.4B+ annual revenue run rate
• "Biggest small company"
• High-touch business model: "Customer first, customer last"
• Home of 45K+ mobility engineers: the Airheads community
Enabling great digital experiences for GenMobile
• 70% say a mobile device makes them more productive at work
• By 2018, 60% of users in mature markets will own and use more than 3 personal devices
• 50% of enterprises will allow employees to supply their own devices by 2017
(Sources: Forrester, "CIOs Must Empower the Digital Workplace"; Forrester, "The State of Enterprise Worker Mobility"; Gartner, "The Role of the Desktop in Our Multi-Device World")
By 2020, 50% of the global workforce will be millennials
• Millennials believe their personal technology is more effective at work
• 63% of millennials work for a company that offers a flexible work environment
(Sources: Mary Meeker, "Trends 2016", annual presentation at the Code Conference; Gartner, "Millennial Digital Workers Really Are Different From Their Elders")
Less than 50% of employees are satisfied with the tech they have at work
• Employees want an environment where they can access and use the technology they need to do their best work
• Enterprises need to think about how untethered employees can move easily and seamlessly from personal workspace to huddle area to open areas
(Sources: Mary Meeker, "Trends 2016", annual presentation at the Code Conference; Gartner, "Millennial Digital Workers Really Are Different From Their Elders")
80%+ of new IoT projects to be deployed with a wireless network architecture
• The installed base of IoT endpoints will grow from 12.1B in 2015 to 30B+ in 2020
• WLAN will become the IoT connectivity method of choice for many organizations, and choosing the wrong wireless tech can hinder the value of IoT
(Sources: IDC, "PlanScape: Optimizing the WLAN for IoT"; IDC, "Worldwide Internet of Things Forecast Update, 2016-2020")
The perfect storm: mobile, IoT and cloud
"Old style" IT infrastructure (Gen Y) versus "new style" IT infrastructure (GenMobile)
Our approach
• Legacy: separate architectures; port/VLAN aware; proprietary systems
• Mobile First: single set of infrastructure; insightful, context-rich; developer ready
Requirements for IT organizations
• Scale network ops across wireless and wired infrastructure
• Enable a high-quality experience on mobile UC
• Stay compliant while embracing BYOD and IoT
• Deliver apps to remote locations in a heartbeat
• Improve workplace productivity and influence revenue growth
Easy to consume, developer-ready infrastructure: innovation at the speed of the ecosystem, not a single vendor
[Diagram: Aruba infrastructure (Wi-Fi, BLE, wired, WAN) → Aruba Mobile First Platform (micro-location services, cloud networking, location analytics, policy management, network management, network controls, IT services) → business and user-facing applications]
[Diagram: a day with the platform]
Employee experience: 09:00 enroll mobile device; 11:00 privileged access with multi-factor authentication; 13:00 book meeting room
Operational experience: 09:30 understand app usage (Aruba AppRF); 15:30 monitor health of the smart building
IT experience: 11:00 predict, don't just troubleshoot (Aruba Clarity); 13:30 understand, don't just monitor
Once BYOD and IoT are on your network … securing the perimeter is no longer enough
Stay compliant while embracing BYOD and IoT
• Auto-classify unknown devices on any network with Aruba ClearPass
• Automate onboarding of each device to the network and enforce policy
• Detect and eliminate threats with ClearPass Exchange partners
Software controls for network access security
[Diagram: Aruba ClearPass with the Exchange ecosystem at the centre; endpoints: Internet of Things (IoT), BYOD and corporate-owned; access layer: multi-vendor switching and multi-vendor WLANs; partners connected via REST API: security monitoring and threat prevention, device management and multi-factor authentication, helpdesk and voice/SMS service in the cloud]
Software controls for "colorless" ports
[Diagram: IoT devices on the wired network connecting to any port of Aruba switches; ports are assigned to new VLANs through ClearPass based on device type, using the device and user identity stores; secure per-device tunneling to the Aruba Mobility Controller provides prevention against malware and insider threats]
Leading Swiss brands trust us [logo slide]
Break
Aruba ClearPass: the solution for secure network access (Manuel Bitzi, SOFTEC AG)
Evolution of access management and control
Yesterday
• Desktops and wired
• Basic AAA with user/port control
• Windows vulnerabilities
• Perimeter security via platform silos
• High-touch IT model
Today
• Mobile devices, BYOD and wireless
• Multi-factor policy control with visibility
• Multiple attack vectors
• Cooperative trust via context sharing
• Self-service, automated processes
Time for a new mobility defense model
• Static perimeter defense: IDS/IPS, firewalls, antivirus, web gateways (physical components)
• Adaptive trust defense: perimeter defense plus security and policy for each user or group
What are the main reasons for a NAC?
• Authentication / access protection
• Automatic configuration
• Workflows
• Visibility / traceability
Top IT NAC business drivers
Authentication and authorization
• Provide secure wired and wireless access
• Enhance mobile and cloud app access
• Use of certificates
NAC services deployment
• Offer differentiated access (IT-owned, BYOD, IoT)
• Deliver managed and reliable guest access
• Provide consistent privileges regardless of location
• Leverage 3rd-party security solutions
Architecture and coverage
• IT-controlled access
• Automate workflows
• Simplicity
• Possible user intervention
ClearPass Policy Manager and NAC solution
Built-in: policy engine; RADIUS / CoA / TACACS+; profiling; accounting / reports; identity store
Expandable applications: Onboard (BYOD onboarding); Guest (simple guest access); OnGuard (health assessments)
[Diagram label: remote location]
What's inside
• Visibility: device profiling; troubleshooting; per-session tracking
• Workflow: onboarding and self-registration; guest management; MDM/EMM integration
• Rules: context based; device posture checks; built-in certificate authority
Authentication based on device context
• Device profiling: Samsung SM-G900; Android; "Jons-Galaxy"
• EMM / MDM / OnGuard: personal owned; registered; OS up-to-date; Hansen, Jon [Sales]; MDM enabled = true; in-compliance = true
• Identity stores: Hansen, Jon [Sales]; title: COO; dept: Executive office; city: London
• Network devices: location: Bldg 10; floor: 3; bandwidth: 10 Mbps
Value of a policy engine: remove SSID overload
• Old way: separate access and traffic by SSIDs
• New way: simplify; separate traffic dynamically by context
ClearPass Exchange: end-to-end control, information and visibility
• Multi-vendor infrastructure
• Device management and multi-factor authentication
• Helpdesk and voice/SMS service in the cloud
• Combine identity information
• Traffic control and threat prevention
• Standard protocols for custom extensions: REST API, SQL, XML/HTTP, LDAP, RADIUS/TACACS+
ClearPass Exchange example: extensions for Intel Security / McAfee ePO
[Diagram: corporate-owned and IoT devices, BYOD and corporate-owned devices, multi-vendor switching and multi-vendor WLAN, ClearPass, McAfee ePO]
1. Devices establish connections
2. Devices are profiled
3. ClearPass checks McAfee ePO for the endpoint status
4. ClearPass enforces access privileges
ClearPass Exchange example: bi-directional exchange on a firewall / IPS event
[Diagram: firewall, IPS, SIEM etc. and ClearPass]
1. A user connects and uploads a threat
2. The firewall / IPS detects and blocks the event
3. It sends the event to ClearPass
4. ClearPass informs the infrastructure
5. The infrastructure isolates the user
6. ClearPass notifies the user, opens a service ticket and notifies third-party devices
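Steps 4 and 5 above are the policy server telling the access layer to change a session that is already authenticated; on the wire that is a RADIUS Change-of-Authorization (RFC 5176), which the Policy Manager slide lists among the built-in protocols. The following is an added example, not ClearPass or Aruba code, of that exchange in pure Python: the policy server builds a CoA-Request that moves a live session into a quarantine role, the NAS checks the Request Authenticator, applies the change and answers with CoA-ACK (or CoA-NAK with an Error-Cause if the attribute is missing or it has no such session), and the policy server verifies the reply. The shared secret, user name, IP address and role names are constructed; the role is carried in the standard Filter-Id attribute here, whereas real deployments typically use a vendor-specific attribute such as Aruba-User-Role.

```python
"""RADIUS Change-of-Authorization (CoA) exchange as defined in RFC 5176.

Added example, not ClearPass or Aruba code. Shared secret, user, IP address and role
names are constructed. Authenticator rules (RFC 5176 section 2.3):
  Request  Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
  Response Authenticator = MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)
"""
import hashlib
import hmac
import socket
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_USER_NAME, ATTR_FRAMED_IP, ATTR_FILTER_ID, ATTR_ERROR_CAUSE = 1, 8, 11, 101
ERR_MISSING_ATTRIBUTE, ERR_SESSION_NOT_FOUND = 402, 503   # Error-Cause values from RFC 5176
HEADER_LEN = 20   # code(1) + identifier(1) + length(2) + authenticator(16)


def encode_attrs(attrs):
    """Encode (type, value_bytes) pairs as RADIUS TLVs; the length octet covers the 2-byte header."""
    out = bytearray()
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return bytes(out)


def decode_attrs(data):
    """Parse TLVs; a truncated or zero-length entry is an error, not an infinite loop."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def build_request(code, identifier, attrs, secret):
    body = encode_attrs(attrs)
    prefix = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    auth = hashlib.md5(prefix + b"\x00" * 16 + body + secret).digest()
    return prefix + auth + body


def build_response(code, request, attrs, secret):
    body = encode_attrs(attrs)
    prefix = struct.pack("!BBH", code, request[1], HEADER_LEN + len(body))
    auth = hashlib.md5(prefix + request[4:20] + body + secret).digest()
    return prefix + auth + body


def verify_request(packet, secret):
    """NAS side: only a sender that knows the shared secret can produce a valid authenticator."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def verify_response(response, request, secret):
    """Policy-server side: the reply must echo our identifier and be bound to our Request Authenticator."""
    if len(response) < HEADER_LEN or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def quarantine_request(user, ip, role, secret, identifier=7):
    """What the policy server sends to move a session into a restricted role."""
    attrs = [(ATTR_USER_NAME, user.encode()),
             (ATTR_FRAMED_IP, socket.inet_aton(ip)),
             (ATTR_FILTER_ID, role.encode())]
    return build_request(COA_REQUEST, identifier, attrs, secret)


def nak(request, error_cause, secret):
    return build_response(COA_NAK, request, [(ATTR_ERROR_CAUSE, struct.pack("!I", error_cause))], secret)


def nas_handle(packet, secret, sessions):
    """NAS side: verify, look the session up by user + IP, apply the role, answer ACK or NAK.

    `sessions` maps (user, ip) -> {"role": ...} and is updated in place. Returns (response, applied).
    """
    if not verify_request(packet, secret):
        return None, False   # RFC 5176: silently discard a request with a bad authenticator
    attrs = dict(decode_attrs(packet[HEADER_LEN:]))
    role = attrs.get(ATTR_FILTER_ID)
    if role is None:
        return nak(packet, ERR_MISSING_ATTRIBUTE, secret), False
    key = (attrs.get(ATTR_USER_NAME, b"").decode(),
           socket.inet_ntoa(attrs.get(ATTR_FRAMED_IP, b"\x00\x00\x00\x00")))
    if key not in sessions:
        return nak(packet, ERR_SESSION_NOT_FOUND, secret), False
    sessions[key]["role"] = role.decode()
    return build_response(COA_ACK, packet, [], secret), True


def demo():
    """Full round trip: IPS event -> CoA-Request -> NAS applies quarantine -> ACK verified by the sender."""
    secret = b"constructed-shared-secret"
    sessions = {("jhansen", "10.20.30.40"): {"role": "employee"}}
    req = quarantine_request("jhansen", "10.20.30.40", "quarantine", secret)
    resp, applied = nas_handle(req, secret, sessions)
    return {"applied": applied,
            "ack": resp[0] == COA_ACK and verify_response(resp, req, secret),
            "role": sessions[("jhansen", "10.20.30.40")]["role"]}


if __name__ == "__main__":
    print(demo())
```

Two points carry over to production: the NAS must discard a request with a bad authenticator without answering it, so that nobody on the management network can use the replies to probe the secret, and because the authenticators are MD5-based the shared secret should be long and random and the CoA port (UDP 3799) reachable only from the policy server. The request can additionally carry a Message-Authenticator attribute (HMAC-MD5, RFC 3579); that is left out here.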
ClearPass Profiler Engine
• ClearPass collects as much information as possible to determine a device type
• Category / Family / Product Name
• The fingerprint database is updated regularly
• Create your own fingerprints
• Store credentials for SNMP, SSH etc.
• Profiling at authentication time or on demand
• Detection of IoT devices
Data sources: DHCP, SNMP, SSH, TCP / WMI, CDP / LLDP, OnGuard, NMAP, MAC OUI, HTTP
ClearPass Profiler Engine: profiling on authentication, discover IoT
• Before: device unknown → sent to quarantine
• After: profiling identifies it (e.g. lighting sensor, temperature sensor) → new policy assigned
Discover IoT, assign the appropriate policy
ClearPass Profiler Engine: custom fingerprint rules
• Old way: wait for new fingerprints to be made and/or manually override devices
• New way: create your own fingerprints
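The three profiler slides describe combining several evidence sources and letting operators add their own fingerprints, without showing what a fingerprint is. Below is an added example, not ClearPass code, of a rule-based profiler in that spirit: each rule tests one or more fields of the endpoint's evidence (MAC OUI, DHCP option 60 vendor class, DHCP option 55 parameter request list, HTTP User-Agent, LLDP system description) and contributes a weight, more specific rules override broader ones, and a total below a threshold leaves the device "Unknown". The built-in rules are a handful of illustrative entries (the OUIs are real, the DHCP values are typical of the named OS families; a real database carries thousands). The IoT vendor "ExampleSense", its strings and all endpoint records are constructed, with locally administered MAC addresses so that no real vendor is implied. The temperature sensor reproduces the Before/After slide: it stays Unknown until an operator adds a custom fingerprint.

```python
"""Rule-based endpoint profiler: MAC OUI, DHCP, HTTP and LLDP evidence -> Category / Family / Product.

Added example, not ClearPass code. BUILTIN_RULES holds a few illustrative fingerprints
(real OUIs; DHCP values typical of the named OS families); "ExampleSense" and all
endpoint records are constructed.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Rule:
    name: str
    conditions: Dict[str, Callable[[str], bool]]   # every listed field must be present and match
    weight: int                                     # confidence contribution; higher = more specific
    category: Optional[str] = None
    family: Optional[str] = None
    product: Optional[str] = None


def equals(expected):
    return lambda value: value == expected


def prefix(expected):
    return lambda value: value.upper().startswith(expected.upper())


def regex(pattern):
    compiled = re.compile(pattern, re.IGNORECASE)
    return lambda value: compiled.search(value) is not None


BUILTIN_RULES = [
    # MAC OUI identifies the NIC vendor only, so it carries little weight on its own.
    Rule("oui-raspberry-pi", {"mac": prefix("B8:27:EB")}, 20, "Computer", "Raspberry Pi Foundation"),
    Rule("oui-vmware", {"mac": prefix("00:50:56")}, 20, "Computer", "VMware"),
    # DHCP option 60 (vendor class) and option 55 (parameter request list) reveal the OS family.
    Rule("dhcp60-windows", {"dhcp_vendor_class": prefix("MSFT 5.0")}, 30, "Computer", "Windows"),
    Rule("dhcp55-windows", {"dhcp_param_list": equals("1,3,6,15,31,33,43,44,46,47,121,249,252")},
         30, "Computer", "Windows"),
    Rule("dhcp60-android", {"dhcp_vendor_class": prefix("android-dhcp")}, 30, "SmartDevice", "Android"),
    # An HTTP User-Agent captured on the captive portal or by the HTTP collector names the model.
    Rule("ua-samsung-sm-g900", {"http_user_agent": regex(r"Android.*\bSM-G900")}, 50,
         "SmartDevice", "Android", "Samsung SM-G900"),
]


def profile(endpoint, rules=None, threshold=20):
    """Return Category/Family/Product plus confidence; below `threshold` everything stays Unknown."""
    rules = BUILTIN_RULES if rules is None else rules
    matched = [r for r in rules
               if all(f in endpoint and pred(endpoint[f]) for f, pred in r.conditions.items())]
    result = {"category": "Unknown", "family": "Unknown", "product": "Unknown",
              "confidence": 0, "rules": []}
    for rule in sorted(matched, key=lambda r: r.weight):   # specific rules override broad ones
        for attr in ("category", "family", "product"):
            value = getattr(rule, attr)
            if value:
                result[attr] = value
        result["confidence"] += rule.weight
        result["rules"].append(rule.name)
    if result["confidence"] < threshold:
        result.update(category="Unknown", family="Unknown", product="Unknown")
    return result


def custom_iot_rule():
    """The fingerprint an operator adds for a sensor the vendor database does not know."""
    return Rule("custom-examplesense-temp",
                {"dhcp_vendor_class": prefix("examplesense-temp"),
                 "lldp_sysdesc": regex(r"temperature sensor")},
                60, "IoT", "ExampleSense", "TS-200 Temperature Sensor")


# Constructed evidence as the collectors would assemble it per endpoint (MACs are locally administered).
ENDPOINTS = {
    "jons-galaxy": {
        "mac": "02:11:22:33:44:55",
        "dhcp_vendor_class": "android-dhcp-6.0",
        "http_user_agent": "Mozilla/5.0 (Linux; Android 6.0.1; SM-G900F Build/MMB29M) Mobile Safari/537.36",
    },
    "corp-laptop": {
        "mac": "02:11:22:33:44:66",
        "dhcp_vendor_class": "MSFT 5.0",
        "dhcp_param_list": "1,3,6,15,31,33,43,44,46,47,121,249,252",
    },
    "temp-sensor-01": {
        "mac": "02:11:22:33:44:77",
        "dhcp_vendor_class": "examplesense-tem/2.1".replace("tem/", "temp/"),
        "lldp_sysdesc": "ExampleSense TS-200 Temperature Sensor fw 2.1",
    },
}


def before_and_after():
    """The Before/After slide: the sensor is Unknown until a custom fingerprint exists."""
    sensor = ENDPOINTS["temp-sensor-01"]
    return profile(sensor)["category"], profile(sensor, BUILTIN_RULES + [custom_iot_rule()])["category"]


if __name__ == "__main__":
    for name, evidence in ENDPOINTS.items():
        print(name, profile(evidence, BUILTIN_RULES + [custom_iot_rule()]))
```

The weights are what make "profile on authentication, re-profile later" work: at the first RADIUS request only the MAC OUI and DHCP data exist, so an OUI-only match sits at the threshold and anything weaker stays Unknown and goes to quarantine; once the HTTP, LLDP or NMAP collectors have added evidence, a second evaluation yields a product and the policy can change.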
ClearPass Universal Profiler: standalone profiling engine
• Standalone profiling engine
• Wired and wireless networks
• Easily distributed for coverage and scalability
• New device visibility dashboard
• Reports
• Gain visibility of your network
• GA February 2017
DEMO: Profiling
ClearPass modules / workflows: OnGuard client health check
• Automated health check before access
• Wired / wireless: ensures posture compliance for laptops / computers
• Security: forces the use of antivirus / anti-spyware, firewalls, disk encryption …
• Remediation: manual or automatic
• Visibility: identifies poor behaviour
• User notification: tells the user about failed checks
• Type: service or dissolvable web checker
DEMO: OnGuard
ClearPass modules / workflows: secure guest login
• Flexible guest logins for any visitor
• Customizable splash pages
• Self-service workflows
• SMS authentication
• Sponsoring
• Social login
• Vouchers
• Predefined user / password
• MAC caching for repeat visitors
• Suitable for mobile devices
ClearPass modules / workflows: secure guest login, look and feel [screenshots]
ClearPass modules / workflows: OnBoard employee device
• BYOD: employees log in with personal devices
• User- and IT-friendly: one-time user registration, no IT intervention
• Security: IT-managed 802.1X and certificates
• Context: data added to the profile for adaptive policy and troubleshooting
• Self-managed: users can manage, delete and block their devices on their own
ClearPass modules / workflows: certificate distribution for BYOD
[Diagram: the enterprise PKI and CA (Active Directory, Registration Authority, Validation Authority, Certificate Authority) issues a key and certificate to IT-managed devices (domain); the built-in ClearPass CA (AD / RA / VA / CA roles) issues a key and a unique certificate to personal devices (domain, user, device)]
ClearPass modules / workflows: multi-factor authentication
• Additional authentication for Guest and Onboard workflows
• Multiple providers supported: SMS verification code; RSA Security; Duo; Zoom Facial Network; Kasada; more to come
DEMO: OnBoard BYOD
Possible access concept: wireless
[Diagram: SSID "open" for guests (captive portal); SSID "secure" for BYOD and employees (802.1X); SSID "IoT" (PSK / MAC authentication / profiling); resulting access: Internet only, or Corp LAN for Corp-PCs and Internet for other devices]
Possible access concept: wired
[Diagram: guests via captive portal; 802.1X (Corp-PC with certificate); MAC authentication with profiling; resulting access: Internet only, or Corp LAN for Corp-PCs with certificate and Internet for other devices]
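The two access-concept diagrams, the "authentication based on device context" slide and the OnGuard posture check are all instances of one decision: map authentication method, identity-store attributes, device profile and posture onto an enforcement profile. The following is an added example, not ClearPass code, of such a policy engine in Python: an ordered rule list where the first match wins; certificate-based 802.1X from the corporate CA plus domain membership gets the corporate LAN (or a remediation VLAN when posture fails); onboarded personal devices get BYOD access graded by MDM compliance; captive-portal users get Internet only; profiled IoT devices get the IoT VLAN; anything unknown lands in a quarantine role flagged for re-profiling, and a second evaluation after profiling shows the "quarantine → new policy" step. CA names, group names, VLAN numbers, role names and the session records are constructed; the certificate issuer is taken as a field here because in a real deployment the RADIUS server validates it during the EAP-TLS handshake.

```python
"""Context-based network access policy: session context -> enforcement profile (role / VLAN / ACL).

Added example, not ClearPass code. Rule order follows the access concept on the slides;
CA names, groups, VLAN numbers, role names and the sample sessions are constructed.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Session:
    auth_method: str                    # "eap-tls", "peap-mschapv2", "mac-auth", "psk", "captive-portal"
    medium: str                         # "wireless" or "wired"
    ssid: Optional[str] = None          # None on wired ports
    user: Optional[str] = None          # identity as authenticated by RADIUS
    groups: tuple = ()                  # groups looked up in the identity store (e.g. AD)
    cert_issuer: Optional[str] = None   # issuer DN the RADIUS server validated during EAP-TLS
    device_category: str = "Unknown"    # result of the profiler
    owner: str = "unknown"              # "corporate", "personal" or "unknown"
    mdm_compliant: Optional[bool] = None
    posture: Optional[dict] = None      # OnGuard checks; None when no agent reported


CORP_CA = "CN=Example Corp Issuing CA"          # constructed
ONBOARD_CA = "CN=Example ClearPass Onboard CA"  # constructed
REQUIRED_POSTURE = ("antivirus", "firewall", "disk_encryption")


def corporate_device(s):
    """Machine certificate from the corporate CA AND a computer object in the domain."""
    return s.auth_method == "eap-tls" and s.cert_issuer == CORP_CA and "domain-computers" in s.groups


def posture_ok(s):
    return s.posture is not None and all(s.posture.get(check) for check in REQUIRED_POSTURE)


def personal_device(s):
    """Onboarded BYOD: its own certificate from the Onboard CA, or a user-credential login."""
    by_cert = s.auth_method == "eap-tls" and s.cert_issuer == ONBOARD_CA
    by_password = s.auth_method == "peap-mschapv2" and s.user is not None
    return s.owner == "personal" and (by_cert or by_password)


# (name, condition, enforcement); evaluated top-down, first match wins.
POLICY = [
    ("guest", lambda s: s.auth_method == "captive-portal",
     {"role": "guest", "vlan": 900, "acl": "internet-only"}),
    ("corp-remediation", lambda s: corporate_device(s) and not posture_ok(s),
     {"role": "remediation", "vlan": 950, "acl": "remediation-servers-only"}),
    ("corp-device", corporate_device,
     {"role": "employee", "vlan": 100, "acl": "corp-lan"}),
    ("byod-compliant", lambda s: personal_device(s) and s.mdm_compliant is True,
     {"role": "byod", "vlan": 200, "acl": "internet-and-collaboration"}),
    ("byod-restricted", personal_device,
     {"role": "byod-restricted", "vlan": 200, "acl": "internet-only"}),
    ("iot", lambda s: s.auth_method in ("mac-auth", "psk") and s.device_category == "IoT",
     {"role": "iot", "vlan": 300, "acl": "iot-to-broker-only"}),
    ("quarantine-unknown", lambda s: s.auth_method in ("mac-auth", "psk") and s.device_category == "Unknown",
     {"role": "quarantine", "vlan": 999, "acl": "profiling-only", "reprofile": True}),
]
DEFAULT = {"role": "deny", "vlan": None, "acl": "deny-all"}   # no rule matched: fail closed


def decide(session, policy=POLICY):
    for name, condition, enforcement in policy:
        if condition(session):
            return {"rule": name, **enforcement}
    return {"rule": "default-deny", **DEFAULT}


def variant(session, **changes):
    return replace(session, **changes)


def reevaluate_after_profiling(session, category):
    """Quarantine -> profiling -> new policy; the second decision is what a CoA would push to the NAS."""
    first = decide(session)
    second = decide(variant(session, device_category=category)) if first.get("reprofile") else first
    return first, second


# Constructed sessions covering the access concepts on the slides.
CORP_LAPTOP = Session("eap-tls", "wired", user="host/lt-4711.example.corp", groups=("domain-computers",),
                      cert_issuer=CORP_CA, device_category="Computer", owner="corporate",
                      posture={"antivirus": True, "firewall": True, "disk_encryption": True})
JONS_GALAXY = Session("eap-tls", "wireless", ssid="secure", user="jhansen", groups=("sales",),
                      cert_issuer=ONBOARD_CA, device_category="SmartDevice", owner="personal",
                      mdm_compliant=True)
VISITOR = Session("captive-portal", "wireless", ssid="open")
SENSOR = Session("mac-auth", "wired")                          # nothing known about it yet
ROGUE = Session("eap-tls", "wired", user="host/lt-4711.example.corp", groups=("domain-computers",),
                cert_issuer="CN=Some Other CA")                # right name, wrong issuer


def example_decisions():
    """Roles for the constructed sessions plus the sensor before and after profiling."""
    before, after = reevaluate_after_profiling(SENSOR, "IoT")
    return {
        "corp-laptop": decide(CORP_LAPTOP)["role"],
        "corp-laptop-no-firewall": decide(variant(CORP_LAPTOP, posture={"antivirus": True, "firewall": False,
                                                                        "disk_encryption": True}))["role"],
        "jons-galaxy": decide(JONS_GALAXY)["role"],
        "jons-galaxy-noncompliant": decide(variant(JONS_GALAXY, mdm_compliant=False))["role"],
        "visitor": decide(VISITOR)["role"],
        "sensor-before": before["role"],
        "sensor-after": after["role"],
        "rogue": decide(ROGUE)["role"],
    }


if __name__ == "__main__":
    for name, role in example_decisions().items():
        print(f"{name:28s} -> {role}")
```

Two design points carry the security weight: the default is deny rather than a permissive "others" bucket, and the ROGUE session shows why the corporate rule checks the certificate issuer and the directory object together, since a user name alone is something any supplicant can claim.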
How to approach a NAC project: best practice and experience
• Know the devices in the network: what is there, where is it, what is new? → inventory, profiling
• Define use cases: which stakeholder groups are there? Procedures, processes, access rights
• Simple and few: keep it simple
• Plan enough time for a proof of concept; feed the PoC experience back in and adjust
• Implement step by step: not everything at once, but in the end across the whole network
Thank you for your attention
Manuel Bitzi, Project Lead Network Engineering
manuelbitzi@softec.ch
Apéro and networking
Thank you for your visit
SOFTEC AG, Industriestrasse 51, CH-6312 Steinhausen
kurtchristen@softec.ch, +41 41 747 07 60
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Produkt Preis
Einfacher Windows Bot 10 Cents BotampTag
Bot mit guter Bandbreite 1$ BotampTag
Spezialanfertigung 40$ Bot
Quelle SWITCH-CERT
So billig sind Botnetze zu mieten
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Denial of Service
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Protonmail
Bots
Kontrollserver Armada Collective
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Protonmail
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Der schwarze Montag 2016
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Mirai Botnet by laquoNew World Hackersraquobull Angriffswelle vom 21102016 (ca
50rsquo000 ndash 100rsquo000 Bots)
bull Source Code geleakt
Trittbrettfahrer
bull Konkurrenz zu laquoBashlightraquo
gegenseitiges Kapern
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
DDos Empfehlungen
Praumlvention
bull Businesskritische Systeme identifizieren
bull Schutzmassnahmen mit Provider definieren
Reaktion
bull laquoAussitzenraquo
bull Keinesfalls Loumlsegeld bezahlen
bull Meldung an MELANIKOBIK allenfalls Anzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
CEO Fraud
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
CEO Fraud
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Betrug Empfehlungen
bull Klare Weisungen bezuumlglich Zahlungen erteilen
bull Keine internen Informationen weitergeben
bull Im Zweifelsfall bei der GL nachfragen
bull Vorsicht auch bei Mails von vermeintlich bekannten Personen
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionageangriff auf BV
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage Beispiel aus der Schweiz
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage Empfehlungen
bull Klassifizierung von Dokumenten
bull Regeln fuumlr die verschiedenen Klassfizierungen durchsetzen
bull Netzwerkmonitoring betr verdaumlchtigem Datenverkehr
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Erpressung
httpwwwtrustedwatchde
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner laquoLockyraquo (12)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner laquoLockyraquo (22)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner Empfehlungen
bull Regelmaumlssige Datensicherung
bull Datentraumlger nach Backup vom PC Netz trennen
bull Qualitaumlt der Backups sporadisch uumlberpruumlfen
bull Keinesfalls Loumlsegeld bezahlen
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Max KlausStv Leiter Melde- und Analysestelle
Informationssicherung MELANI
Schwarztorstrasse 59
3003 Bern
Herzlichen Dank fuumlr Ihre Aufmerksamkeit
Mobile-First Arubalsquos sichere Netzwerkarchitektur fuumlr die GenMobileJoumlrg Hofmann HPE Aruba
MOBILE-FIRST
Sichere Netzwerkarchitektur
fuumlr die GenMobile
People Move
Networks Must Follow
WHO ARE WE
Source Gartner Magic Quadrant for the Wired and Wireless LAN Access Infrastructure September 2015 Tim Zimmerman Bill Menezes Andrew Lerner ID Number
G00277052 This Magic Quadrant graphic was published by Gartner Inc as part of a larger research note and should be evaluated in the context of the entire report
The Gartner report is available upon request from HP The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period It depicts
Gartners analysis of how certain vendors measure against criteria for that marketplace as defined by Gartner Gartner does not endorse any vendor product or
service depicted in the Magic Quadrant and does not advise technology users to select only those vendors placed in the Leaders quadrant The Magic Quadrant is
intended solely as a research tool and is not meant to be a specific guide to action Gartner disclaims all warranties express or implied with respect to this research
including any warranties of merchantability or fitness for a particular purpose
ldquoClients globally should consider
Aruba for all wired and wireless
access layer opportunitiesrdquo
Gartner MQ for Wired and Wireless LAN
Access Infrastructure August 2016
Founded 2002 IPO 2007
HPErsquos IT Edge portfolio since June 2015
$24B+ annual revenue run rate
ldquoBiggest Small Companyrdquo
High touch business model
ldquoCustomer First Customer Lastrdquo
Home of 45K+ Mobility Engineers
Airheads Community
ENABLING GREAT
DIGITAL EXPERIENCES FOR GENMOBILE
70 SAY A MOBILE DEVICE MAKES THEM MORE
PRODUCTIVE AT WORK
By 2018 60 of users in mature markets will own and use more
than 3 personal devices
50 of enterprises will allow employees to supply their own
devices by 2017
Forrester ndash CIOs Must Empower the Digital Workplace
Forrester ndash The State of Enterprise Worker Mobility
Gartner ndash The Role of the Desktop in Our Multi-Device World
BY 2020 50 OF THE GLOBAL WORKFORCE WILL BE MILLENNIALS
Millennials believe their personal technology is more
effective at work
63 of millennials work for a company that offers a flexible
work environment
Trends 2016 ndash Code Conference Mary Meeker Annual Presentation
Gartner ndash Millennial Digital Workers Really Are Different From Their Elders
LESS THAN 50 OF EMPLOYEES ARE
SATISFIED WITH TECH THEY HAVE AT WORK
Employees want an environment where they can access and use the technology hey need to do
their best work
Enterprises need to think how untethered employees can move
easily and seamlessly from personal workspace to huddle
area to open areas
Trends 2016 ndash Code Conference Mary Meeker Annual Presentation
Gartner ndash Millennial Digital Workers Really Are Different From Their Elders
80+ NEW IOT PROJECTS TO BE DEPLOYED WITH WIRELESS NETWORK ARCHITECTURE
Installed base of IoTendpoints will grow from
121B in lsquo15 to 30B+ in lsquo20
WLAN will become IoTconnectivity method of choice for many organizations and choosing
the wrong wireless tech can hinder the value of IoT
IDC ndash Planscape Optimizing the WLAN for IoT
IDC ndash Worldwide Internet of Things Forecast Update 2016-2020
THE PERFECT STORM
MOBILE IoT and CLOUD
ldquoOLD STYLErdquo IT INFRASTRUCTURE
Gen Y
ldquoNEW STYLErdquo IT INFRASTRUCTURE
GenMobile
OUR APPROACH
LegacySeparate architectures
Port VLAN aware
Proprietary systems
Mobile FirstSingle set of infrastructure
Insightful context-rich
Developer ready
REQUIREMENTS
FOR IT ORGANIZATIONS
Scale network ops
across wireless and
wired infrastructure
Enable high
quality experience
on mobile UC
Stay compliant
while embracing
BYOD and IoT
Deliver apps to
remote locations
in a heartbeat
Improve workplace
productivity and
influence revenue
growth
EASY TO CONSUME DEVELOPER READY INFRASTRUCTURE
INNOVATION AT THE SPEED OF THE ECOSYSTEM ndash NOT A SINGLE VENDOR
Aruba infrastructure
Wi-Fi BLE Wired WAN
Aruba Mobile First Platform
x
Micro-location
services
Cloud
networking
Location
analytics
Policy
management
Network
managementNetwork
controls
IT services
Business and user facing applications
EMPLOYEE
EXPERIENCE
0900
ENROLL
MOBILE DEVICE
1100
PRIVILEGED ACCESS
WITH MULTI-FACTOR
AUTHENTICATION
1300
BOOK
MEETING ROOM
OPERATIONAL
EXPERIENCE
0930
UNDERSTAND
APP USAGE
Aruba AppRF
1530
MONITOR HEALTH
OF THE SMART
BUILDING
IT EXPERIENCE
1100
PREDICT
DONrsquoT JUST
TROUBLESHOOT
Aruba Clarity
1330
UNDERSTAND
DONrsquoT JUST
MONITOR
ONCE BYOD AND IoT
ARE ON YOUR
NETWORK hellip
SECURING THE
PERIMETER IS NO
LONGER ENOUGH
STAY COMPLIANT
WHILE EMBRACING BYOD AND IOT
Auto-classify unknown devices
on any network with Aruba ClearPass
Automate onboarding of each device
to the network and enforce policy
Detect amp eliminate threats
with ClearPass Exchange partners
SOFTWARE CONTROLS FOR
NETWORK ACCESS SECURITY
Internet of
Things (IoT)
BYOD and
corporate owned
REST
API
Security monitoring
and threat prevention
Device management and
multi-factor authentication
Helpdesk and voiceSMS
service in the cloud
Multi-vendor
switching
Multi-vendor
WLANs
Aruba ClearPass with
Exchange Ecosystem
SOFTWARE CONTROLS FOR ldquoCOLORLESSrdquo PORTS
Device and
user identity
stores
Ports assigned to new
VLANs through ClearPass
based on device type
IoT devices on the
wired network
connecting to any portPrevention against malware
and insider threats
Secure per device
tunneling to Aruba
Mobility Controller
Aruba
switches
LEADING
SWISS
BRANDS
TRUST
US
Pause
Aruba ClearPass ndash Die Loumlsung fuumlr einen sicheren NetzwerkzugangManuel Bitzi SOFTEC AG
Evolution of Access Management and Control
Desktops amp Wired
Basic AAA with UserPort
Control
Windows Vulnerabilities
Perimeter security via
platform silos
High touch IT model
Mobile Devices BYOD amp
Wireless
Multi-factor policy control with
visibility
Multiple Attack Vectors
Cooperative trust via
context sharing
Self Service automated
process
YESTERDAY TODAY
Time For A New Mobility Defense Model
Static Perimeter Defense
IDSIPS
Firewalls
Adaptive Trust Defense
Perimeter
Defense
Physical
Components
AntiVirus
Security and Policy
for each user or
group
Web
gateways
Was sind die Hauptgruumlnde fuumlr ein NAC
AuthentifizierungZugriffsschutz
Automatische Konfiguration
Workflows
VisibilitaumltNachvollziehbarkeit
Top IT NAC Business Drivers
Authentication and Authorization
NAC Services Deployment
Architecture and Coverage
bull Provide secure wired
and wireless access
bull Enhance mobile and
cloud app access
bull Use of certificates
Deployment Services
bull Offer differentiated
access (IT-owned
BYOD IoT)
bull Deliver managed
and reliable guest
access
bull Provide consistent
privileges regardless
of location
bull Leverage 3rd-party
security solutions
bull IT-controlled access
bull Automate workflows
bull Simplicity
bull Possible User-
intervention
ClearPass Policy Manager and NAC Solution
Onboard Guest
Built-inbull Policy Enginebull RADIUSCoATACACSbull Profilingbull Accountingreportsbull Identity store
Expandable Applications
Remote Location
bull BYOD onboardingbull Simple guest accessbull Health assessments
OnGuard
Whatrsquos Inside
VISIBILITY
Device Profiling
Troubleshooting
Per Session Tracking
WORKFLOW
Onboarding and
Self-Registration
Guest Management
MDMEMM Integration
RULES
Context based
Device
Posture Checks
Built-in Certificate
Authority
Authentication based on Device Context
Device
Profiling
bull Samsung SM-G900
bull Android
bull ldquoJons-Galaxyrdquo
EMMMDMOnGuard
bull Personal owned
bull Registered
bull OS up-to-date
bull Hansen Jon [Sales]
bull MDM enabled = true
bull In-compliance = true
Identity
Stores
Network Devices
bull Hansen Jon [Sales]
bull Title ndash COO
bull Dept ndash Executive office
bull City ndash London
bull Location ndash Bldg 10
bull Floor ndash 3
bull Bandwidth ndash 10Mbps
Value of a Policy EngineRemove SSID Overload
NEW WAY Simplify separate traffic dynamically
by context
OLD WAY Separate access amp
traffic by SSIDs
ClearPass ExchangeEnd-to-End Control Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voiceSMSservice in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST APISQL
XMLHTTP LDAP
RADIUSTACACS
Traffic control ampthreat prevention
ClearPass Exchange ExampleExtensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
Devices profiled2 ClearPass checks McAfee ePO for endpoint status
3
ClearPass enforcesaccess privileges4
Devices establish connections1
ClearPass Exchange ExampleBi-directional Exchange ndash FirewallIPS Event
FirewallIPSSIEMetchellip
user connects and uploads threat
sends event to ClearPass
informs infrastructure
1 2
4
detects and blocks event
3isolates user5
notifies user opens service ticket notify third-party devices6
ClearPass Profiler Engine
bull ClearPass sammelt so viele Informationen wie moumlglich um einen Geraumltetyp zu bestimmen
bull Category Family Product Name
bull Fingerprint-Datenbank wird regelmaumlssig aktualisiert
bull Eigene Fingerprints erstellen
bull Credentials fuumlr SMNP SSH etc hinterlegen
bull Profiling bei Authentifizierung oder nach Bedarf
bull Erkennen von IoT Devices
DHCP
SNMP
SSH
TCPWMI
CDP LLDP
OnGuard
NMAP
Mac OUI
HTTP
ClearPass Profiler EngineProfiling on authentication discover IoT
AfterBefore
Lighting Sensorunknown
unknown Temperature Sensor
send to
quarantineprofiling assign
new policy
discover IoT assign appropriated policy
ClearPass Profiler EngineCustom Fingerprints Rules
NEW WAY Create your own
Fingerprints
OLD WAY Wait for new Fingerprints to be made andor manually override
devices 11
ClearPass Universal ProfilerStandalone Profiling Engine
bull Standalone profiling engine
bull Wired and wireless networks
bull Easily distributed for coverage
and scalability
bull New device visibility dashboard
bull Reports
bull Gain Visibility of your Network
bull GA February 2017
ClearPass Universal Profiler
DEMO Profiling
Clearpass Modules WorkflowsOnGuard Client Health Check
bull Automated Healthcheck before Access
bull WiredWireless Ensures posture compliance for laptopscomputers
bull Security Forces use of Anti-VirusAnti-Spyware firewalls disk encryptionhellip
bull Remediation Manual or auto
bull Visibility Identifies poor behavior
bull User Notification Tells User about failed checks
bull Type Service or dissolvable Web Checker
DEMO OnGuard
Clearpass Modules WorkflowsSecure Guest Login
bull Flexible Guest Logins for Any Visitor
bull Customizable Splash Pages
bull Self-Service Workflows
bull SMS Authentication
bull Sponsoring
bull Social Login
bull Vouchers
bull Predefined UserPassword
bull MAC Caching for repeat visitors
bull Suitable for Mobile Devices
Clearpass Modules WorkflowsSecure Guest Login Look and Feel
Clearpass Modules WorkflowsOnBoard Employee Device
bull BYOD Employees Login with Personal Devices
bull User and IT friendly One time user registration no IT intervention
bull Security IT managed 8021X and Certificates
bull Context Data added to profile for adaptive policy and troubleshooting
bull Selfmanaged User can manage delete and block devices by their own
Clearpass Modules WorkflowsCertificate Distribution for BYOD
bull Domain
bull Key amp
Certificate
Enterprise PKI and CA Built-in ClearPass CA
Certificate
Authority
Validation
Authority
Registration
Authority
Active
Directory
IT-Managed
Devices
bull Domain
bull User
bull Device
bull Key amp Unique
Certificate
Personal
Devices
CA
Certificate
Authority
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Denial of Service
Protonmail (diagram: bots, control server, Armada Collective)
Protonmail
Black Monday 2016
Mirai botnet by «New World Hackers»
• Attack wave of 21.10.2016 (approx. 50’000 – 100’000 bots)
• Source code leaked → copycats
• Competition with «Bashlight» → mutual hijacking of bots
DDoS recommendations
Prevention
• Identify business-critical systems
• Define protective measures together with the provider
Response
• «Sit it out»
• Never pay a ransom
• Report to MELANI/KOBIK, possibly file a complaint against persons unknown with the cantonal police (KaPo)
CEO Fraud
CEO Fraud
Fraud recommendations
• Issue clear instructions regarding payments
• Do not pass on internal information
• When in doubt, check with executive management (GL)
• Be careful even with emails from supposedly known persons
• Inform MELANI/KOBIK, possibly file a criminal complaint against persons unknown with the cantonal police (KaPo)
Espionage
Espionage attack on the Federal Administration (BV)
Espionage: an example from Switzerland
Espionage recommendations
• Classification of documents
• Enforce the rules for the different classification levels
• Network monitoring for suspicious traffic
• Inform MELANI/KOBIK, possibly file a criminal complaint against persons unknown with the cantonal police (KaPo)
Extortion
http://www.trustedwatch.de
Ransomware trojan «Locky» (1/2)
Ransomware trojan «Locky» (2/2)
Ransomware recommendations
• Regular backups
• Disconnect the backup media from the PC/network after the backup
• Spot-check the quality of the backups
• Never pay a ransom
• Inform MELANI/KOBIK, possibly file a criminal complaint against persons unknown with the cantonal police (KaPo)
Max Klaus, Deputy Head, Melde- und Analysestelle Informationssicherung MELANI
Schwarztorstrasse 59
3003 Bern
Thank you for your attention
Mobile-First: Aruba's secure network architecture for the GenMobile (Jörg Hofmann, HPE Aruba)
MOBILE-FIRST
Secure network architecture for the GenMobile
People Move, Networks Must Follow
WHO ARE WE
Source: Gartner, Magic Quadrant for the Wired and Wireless LAN Access Infrastructure, September 2015, Tim Zimmerman, Bill Menezes, Andrew Lerner, ID Number G00277052. This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from HP. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
"Clients globally should consider Aruba for all wired and wireless access layer opportunities"
Gartner MQ for Wired and Wireless LAN Access Infrastructure, August 2016
Founded 2002, IPO 2007
HPE's IT Edge portfolio since June 2015
$2.4B+ annual revenue run rate
"Biggest Small Company"
High touch business model
"Customer First, Customer Last"
Home of 45K+ Mobility Engineers
Airheads Community
ENABLING GREAT DIGITAL EXPERIENCES FOR GENMOBILE
70% SAY A MOBILE DEVICE MAKES THEM MORE PRODUCTIVE AT WORK
By 2018, 60% of users in mature markets will own and use more than 3 personal devices
50% of enterprises will allow employees to supply their own devices by 2017
Forrester – CIOs Must Empower the Digital Workplace
Forrester – The State of Enterprise Worker Mobility
Gartner – The Role of the Desktop in Our Multi-Device World
BY 2020, 50% OF THE GLOBAL WORKFORCE WILL BE MILLENNIALS
Millennials believe their personal technology is more effective at work
63% of millennials work for a company that offers a flexible work environment
Trends 2016 – Code Conference, Mary Meeker Annual Presentation
Gartner – Millennial Digital Workers Really Are Different From Their Elders
LESS THAN 50% OF EMPLOYEES ARE SATISFIED WITH THE TECH THEY HAVE AT WORK
Employees want an environment where they can access and use the technology they need to do their best work
Enterprises need to think how untethered employees can move easily and seamlessly from personal workspace to huddle area to open areas
Trends 2016 – Code Conference, Mary Meeker Annual Presentation
Gartner – Millennial Digital Workers Really Are Different From Their Elders
80%+ OF NEW IOT PROJECTS TO BE DEPLOYED WITH WIRELESS NETWORK ARCHITECTURE
Installed base of IoT endpoints will grow from 12.1B in '15 to 30B+ in '20
WLAN will become the IoT connectivity method of choice for many organizations, and choosing the wrong wireless tech can hinder the value of IoT
IDC – Planscape: Optimizing the WLAN for IoT
IDC – Worldwide Internet of Things Forecast Update 2016-2020
THE PERFECT STORM: MOBILE, IoT and CLOUD
"OLD STYLE" IT INFRASTRUCTURE: Gen Y
"NEW STYLE" IT INFRASTRUCTURE: GenMobile
OUR APPROACH
Legacy: separate architectures, port/VLAN aware, proprietary systems
Mobile First: single set of infrastructure, insightful and context-rich, developer ready
REQUIREMENTS FOR IT ORGANIZATIONS
Scale network ops across wireless and wired infrastructure
Enable high quality experience on mobile UC
Stay compliant while embracing BYOD and IoT
Deliver apps to remote locations in a heartbeat
Improve workplace productivity and influence revenue growth
EASY TO CONSUME, DEVELOPER READY INFRASTRUCTURE
INNOVATION AT THE SPEED OF THE ECOSYSTEM – NOT A SINGLE VENDOR
Aruba infrastructure: Wi-Fi, BLE, Wired, WAN
Aruba Mobile First Platform
Micro-location services
Cloud networking
Location analytics
Policy management
Network management
Network controls
IT services
Business and user facing applications
EMPLOYEE EXPERIENCE
09:00 ENROLL MOBILE DEVICE
11:00 PRIVILEGED ACCESS WITH MULTI-FACTOR AUTHENTICATION
13:00 BOOK MEETING ROOM
OPERATIONAL EXPERIENCE
09:30 UNDERSTAND APP USAGE (Aruba AppRF)
15:30 MONITOR HEALTH OF THE SMART BUILDING
IT EXPERIENCE
11:00 PREDICT, DON'T JUST TROUBLESHOOT (Aruba Clarity)
13:30 UNDERSTAND, DON'T JUST MONITOR
ONCE BYOD AND IoT ARE ON YOUR NETWORK … SECURING THE PERIMETER IS NO LONGER ENOUGH
STAY COMPLIANT WHILE EMBRACING BYOD AND IOT
Auto-classify unknown devices on any network with Aruba ClearPass
Automate onboarding of each device to the network and enforce policy
Detect & eliminate threats with ClearPass Exchange partners
SOFTWARE CONTROLS FOR NETWORK ACCESS SECURITY
Internet of Things (IoT)
BYOD and corporate owned
REST API
Security monitoring and threat prevention
Device management and multi-factor authentication
Helpdesk and voice/SMS service in the cloud
Multi-vendor switching
Multi-vendor WLANs
Aruba ClearPass with Exchange Ecosystem
SOFTWARE CONTROLS FOR "COLORLESS" PORTS
Device and user identity stores
Ports assigned to new VLANs through ClearPass based on device type
IoT devices on the wired network connecting to any port
Prevention against malware and insider threats
Secure per device tunneling to Aruba Mobility Controller
Aruba switches
LEADING SWISS BRANDS TRUST US
Pause
Aruba ClearPass – the solution for secure network access (Manuel Bitzi, SOFTEC AG)
Evolution of Access Management and Control
YESTERDAY: Desktops & Wired
• Basic AAA with user/port control
• Windows vulnerabilities
• Perimeter security via platform silos
• High touch IT model
TODAY: Mobile Devices, BYOD & Wireless
• Multi-factor policy control with visibility
• Multiple attack vectors
• Cooperative trust via context sharing
• Self service, automated process
Time For A New Mobility Defense Model
Static Perimeter Defense (perimeter defense, physical components): IDS/IPS, firewalls, antivirus, web gateways
Adaptive Trust Defense: security and policy for each user or group
What are the main reasons for a NAC?
Authentication / access protection
Automatic configuration
Workflows
Visibility / traceability
Top IT NAC Business Drivers
Authentication and Authorization | NAC Services Deployment | Architecture and Coverage
• Provide secure wired and wireless access
• Enhance mobile and cloud app access
• Use of certificates
Deployment Services
• Offer differentiated access (IT-owned, BYOD, IoT)
• Deliver managed and reliable guest access
• Provide consistent privileges regardless of location
• Leverage 3rd-party security solutions
• IT-controlled access
• Automate workflows
• Simplicity
• Possible user intervention
ClearPass Policy Manager and NAC Solution
Built-in:
• Policy engine
• RADIUS / CoA / TACACS+
• Profiling
• Accounting / reports
• Identity store
Expandable applications:
• Onboard: BYOD onboarding
• Guest: simple guest access
• OnGuard: health assessments
Remote location
What's Inside
VISIBILITY: device profiling, troubleshooting, per session tracking
WORKFLOW: onboarding and self-registration, guest management, MDM/EMM integration
RULES: context based, device posture checks, built-in certificate authority
Authentication based on Device Context
Device profiling:
• Samsung SM-G900
• Android
• "Jons-Galaxy"
EMM / MDM / OnGuard:
• Personally owned
• Registered
• OS up-to-date
• Hansen, Jon [Sales]
• MDM enabled = true
• In-compliance = true
Identity stores / network devices:
• Hansen, Jon [Sales]
• Title – COO
• Dept – Executive office
• City – London
• Location – Bldg 10
• Floor – 3
• Bandwidth – 10 Mbps
Value of a Policy Engine: Remove SSID Overload
OLD WAY: separate access & traffic by SSIDs
NEW WAY: simplify, separate traffic dynamically by context
ClearPass Exchange: End-to-End Control, Information and Visibility
Multi-vendor infrastructure
Device management and multi-factor authentication
Helpdesk and voice/SMS service in the cloud
Combine identity information
Standard protocols for custom extensions: REST API, SQL, XML/HTTP, LDAP, RADIUS, TACACS
Traffic control & threat prevention
ClearPass Exchange Example: Extensions for Intel Security – McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
1. Devices establish connections
2. Devices are profiled
3. ClearPass checks McAfee ePO for endpoint status
4. ClearPass enforces access privileges
ClearPass Exchange Example: Bi-directional Exchange – Firewall/IPS Event
Firewall / IPS / SIEM / etc. …
1. User connects and uploads a threat
2. Firewall/IPS detects and blocks the event
3. Sends the event to ClearPass
4. ClearPass isolates the user
5. ClearPass informs the infrastructure
6. Notifies the user, opens a service ticket, notifies third-party devices
ClearPass Profiler Engine
• ClearPass collects as much information as possible to determine a device type
• Category, family, product name
• The fingerprint database is updated regularly
• Create your own fingerprints
• Store credentials for SNMP, SSH etc.
• Profiling at authentication time or on demand
• Detection of IoT devices
Profiling data sources: DHCP, SNMP, SSH, TCP/WMI, CDP/LLDP, OnGuard, NMAP, MAC OUI, HTTP
ClearPass Profiler Engine: Profiling on authentication, discover IoT
Before: Lighting Sensor = unknown, Temperature Sensor = unknown → send to quarantine, profiling
After: IoT discovered → assign new, appropriate policy
ClearPass Profiler Engine: Custom Fingerprint Rules
OLD WAY: wait for new fingerprints to be made and/or manually override devices
NEW WAY: create your own fingerprints
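The profiler engine described on the preceding slides (evidence from DHCP, MAC OUI, CDP/LLDP and HTTP, a vendor fingerprint database, operator-defined custom fingerprints, and the quarantine-until-profiled flow for unknown IoT devices) can be illustrated with the following toy profiler. It is an added example written for this page, not ClearPass code: the `Endpoint`, `Fingerprint` and `Profiler` classes, the fingerprint rules, OUI prefixes, DHCP option lists, role names and the sample sensor are all constructed for illustration.

```python
"""Toy endpoint profiler modelled on the ClearPass Profiler Engine slides.

Added example, not ClearPass code. The fingerprint rules, OUI prefixes, DHCP
option lists, role names and sample endpoints are constructed; a real profiler
ships a vendor-maintained fingerprint database and draws on many more sources
(DHCP, SNMP, SSH, WMI, CDP/LLDP, NMAP, HTTP, OnGuard).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Endpoint:
    """Evidence gathered so far about one MAC address."""
    mac: str
    dhcp_param_list: str = ""    # DHCP option 55 parameter request list, e.g. "1,3,6,15"
    dhcp_vendor_class: str = ""  # DHCP option 60
    user_agent: str = ""         # HTTP User-Agent seen by the captive portal
    lldp_sysdescr: str = ""      # system description learned via CDP/LLDP


@dataclass
class Fingerprint:
    """One profiling rule: every condition that is set must match."""
    category: str
    family: str
    name: str
    oui: Optional[str] = None                   # first three MAC octets, "AA:BB:CC"
    dhcp_param_list: Optional[str] = None
    vendor_class_contains: Optional[str] = None
    user_agent_contains: Optional[str] = None
    lldp_contains: Optional[str] = None
    custom: bool = False                        # created by the operator, not shipped

    def score(self, ep: Endpoint) -> int:
        """Number of matched conditions; 0 if any set condition fails or none is set."""
        checks = []
        if self.oui:
            checks.append(ep.mac.upper().replace("-", ":")[:8] == self.oui.upper())
        if self.dhcp_param_list:
            checks.append(ep.dhcp_param_list == self.dhcp_param_list)
        if self.vendor_class_contains:
            checks.append(self.vendor_class_contains in ep.dhcp_vendor_class)
        if self.user_agent_contains:
            checks.append(self.user_agent_contains in ep.user_agent)
        if self.lldp_contains:
            checks.append(self.lldp_contains in ep.lldp_sysdescr)
        return len(checks) if checks and all(checks) else 0


# Constructed stand-in for the vendor fingerprint database.
BUILTIN = [
    Fingerprint("Computer", "Windows", "Windows 10",
                dhcp_param_list="1,3,6,15,31,33,43,44,46,47,121,249,252"),
    Fingerprint("SmartDevice", "Android", "Samsung Galaxy",
                oui="02:1A:11", user_agent_contains="Android"),
    Fingerprint("Printer", "HP", "HP LaserJet",
                vendor_class_contains="Hewlett-Packard JetDirect"),
]

# Profiling on authentication: a known category gets a policy, anything else is parked.
ROLE_BY_CATEGORY = {"Computer": "corp-candidate", "SmartDevice": "byod-candidate",
                    "Printer": "printers", "IoT": "iot-restricted"}
QUARANTINE_ROLE = "quarantine-profiling"


class Profiler:
    def __init__(self, fingerprints):
        self.fingerprints = list(fingerprints)

    def add_custom_fingerprint(self, fp: Fingerprint) -> None:
        """'New way': the operator adds a rule instead of waiting for the vendor."""
        fp.custom = True
        self.fingerprints.append(fp)

    def classify(self, ep: Endpoint) -> tuple:
        """Return (category, family, name) of the most specific matching rule."""
        best, best_score = None, 0
        for fp in self.fingerprints:
            s = fp.score(ep)
            # more matched conditions win; on a tie a custom rule overrides a built-in one
            if s > best_score or (s and s == best_score and fp.custom and not best.custom):
                best, best_score = fp, s
        if best is None:
            return ("Unknown", "Unknown", "Unknown")
        return (best.category, best.family, best.name)

    def role_for(self, ep: Endpoint) -> str:
        return ROLE_BY_CATEGORY.get(self.classify(ep)[0], QUARANTINE_ROLE)


def demo() -> tuple:
    """The before/after flow from the slide: an unknown sensor is profiled out of quarantine."""
    profiler = Profiler(BUILTIN)
    sensor = Endpoint(mac="02:4C:00:12:34:56")      # first sighting: MAC address only
    before = profiler.role_for(sensor)               # quarantine-profiling
    # evidence collected while the device sits in the quarantine VLAN
    sensor.dhcp_vendor_class = "LUXLINK-LS200"
    sensor.lldp_sysdescr = "LuxLink Lighting Sensor LS200"
    profiler.add_custom_fingerprint(Fingerprint(
        "IoT", "LuxLink", "Lighting Sensor", oui="02:4C:00", vendor_class_contains="LUXLINK"))
    after = profiler.role_for(sensor)                # iot-restricted
    return before, after
```

The scoring rule is the point: a fingerprint only fires when every condition it sets holds, and the rule with the most evidence wins, so a MAC prefix alone never classifies a device whose rule also demands a DHCP or HTTP signature. Custom rules win ties, which is how an operator override takes effect without editing the shipped database.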
ClearPass Universal Profiler: Standalone Profiling Engine
• Standalone profiling engine
• Wired and wireless networks
• Easily distributed for coverage and scalability
• New device visibility dashboard
• Reports
• Gain visibility of your network
• GA February 2017
ClearPass Universal Profiler
DEMO: Profiling
ClearPass Modules & Workflows: OnGuard Client Health Check
• Automated health check before access
• Wired/Wireless: ensures posture compliance for laptops/computers
• Security: forces use of anti-virus/anti-spyware, firewalls, disk encryption …
• Remediation: manual or automatic
• Visibility: identifies poor behaviour
• User notification: tells the user about failed checks
• Type: service or dissolvable web checker
DEMO: OnGuard
ClearPass Modules & Workflows: Secure Guest Login
• Flexible guest logins for any visitor
• Customizable splash pages
• Self-service workflows
• SMS authentication
• Sponsoring
• Social login
• Vouchers
• Predefined user/password
• MAC caching for repeat visitors
• Suitable for mobile devices
ClearPass Modules & Workflows: Secure Guest Login, Look and Feel
ClearPass Modules & Workflows: OnBoard Employee Device
• BYOD: employees log in with personal devices
• User and IT friendly: one-time user registration, no IT intervention
• Security: IT-managed 802.1X and certificates
• Context: data added to the profile for adaptive policy and troubleshooting
• Self-managed: users can manage, delete and block devices on their own
ClearPass Modules & Workflows: Certificate Distribution for BYOD
Enterprise PKI and CA / Built-in ClearPass CA
Certificate Authority, Validation Authority, Registration Authority, Active Directory
IT-Managed Devices
• Domain
• User
• Device
• Key & unique certificate
Personal Devices
• Domain
• Key & certificate
CA (Certificate Authority)
AD / RA / VA / CA
ClearPass Modules & Workflows: Multi-Factor Authentication
• Additional authentication for Guest and Onboard workflows
• Multiple providers supported:
• SMS verification code
• RSA Security
• Duo
• Zoom Facial Network
• Kasada
• More to come
DEMO: OnBoard / BYOD
Possible access concept: wireless
Guests: SSID "open", captive portal
BYOD: SSID "secure", Dot1x
IoT: SSID "IoT", PSK / MAC / profiling
(diagram labels: Internet only, Corp LAN, Internet, Corp-PC, others)
Possible access concept: wired
Guests: captive portal
Dot1x
MAC auth
Profiling
(diagram labels: Internet only, Corp LAN, Internet, Corp-PC, certificate, others)
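The two access concepts above, together with the earlier "Authentication based on Device Context" slide and the bi-directional firewall/IPS exchange, can be written down as a small context-based policy engine. This is an added example written for this page, not ClearPass code: the `Context`, `Decision` and `Session` types, the role and network names, the posture attributes, the session record and the IPS event are constructed. The mapping of device classes to networks is one reading of the two slides (corporate PCs with a certificate and a clean OnGuard posture reach the Corp LAN; guests, onboarded personal devices and profiled IoT devices get restricted networks; everything unknown is quarantined), not a vendor recommendation, and a real deployment may differ.

```python
"""Context-based access policy in the spirit of the access-concept slides.

Added example, not ClearPass code. Roles, network names, posture attributes,
the session record and the IPS event are constructed; the device-class-to-
network mapping is one reading of the slides, not a vendor recommendation.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Context:
    """What the policy engine knows about one access request."""
    auth_method: str                   # captive-portal | dot1x-cert | dot1x-password | mac-auth
    medium: str                        # wireless | wired
    ssid: str = ""                     # wireless only; wired ports are "colorless"
    device_category: str = "Unknown"   # verdict of the profiler
    ownership: str = "unknown"         # it-managed | personal | unknown
    onboarded: bool = False            # enrolled through Onboard, holds a device certificate
    posture: Optional[dict] = None     # OnGuard result; None when no agent ran
    isolated: bool = False             # set when a threat event names this session


@dataclass
class Decision:
    role: str
    network: str     # corp-lan | internet-only | iot | remediation | quarantine | deny
    reason: str


# Wireless slide: open -> captive portal, secure -> 802.1X, IoT -> PSK/MAC/profiling.
SSID_FOR_AUTH = {"captive-portal": {"open"}, "dot1x-cert": {"secure"},
                 "dot1x-password": {"secure"}, "mac-auth": {"IoT"}}
POSTURE_CHECKS = ("antivirus", "firewall", "disk_encryption")


def posture_compliant(posture: Optional[dict]) -> bool:
    return posture is not None and all(posture.get(k) for k in POSTURE_CHECKS)


def decide(ctx: Context) -> Decision:
    """Evaluate the access concept; the most restrictive outcome is checked first."""
    if ctx.isolated:
        return Decision("quarantine", "quarantine", "isolated after threat event")
    if ctx.medium == "wireless" and ctx.ssid not in SSID_FOR_AUTH.get(ctx.auth_method, set()):
        return Decision("deny", "deny", f"{ctx.auth_method} not permitted on SSID {ctx.ssid!r}")
    if ctx.auth_method == "captive-portal":
        return Decision("guest", "internet-only", "captive portal login")
    if ctx.auth_method == "mac-auth":
        if ctx.device_category == "IoT":
            return Decision("iot", "iot", "MAC auth and profiled as IoT")
        return Decision("quarantine-profiling", "quarantine", "MAC auth but device not yet profiled")
    if ctx.auth_method == "dot1x-cert":
        if ctx.ownership == "it-managed":
            if posture_compliant(ctx.posture):
                return Decision("corp-pc", "corp-lan", "IT-managed device, certificate, posture OK")
            return Decision("remediation", "remediation", "IT-managed device failed posture check")
        if ctx.ownership == "personal" and ctx.onboarded:
            return Decision("byod", "internet-only", "onboarded personal device")
    if ctx.auth_method == "dot1x-password":
        return Decision("byod-limited", "internet-only", "password-only 802.1X, no device certificate")
    return Decision("deny", "deny", "no matching rule")


@dataclass
class Session:
    """One active session as recorded from RADIUS accounting (constructed)."""
    user: str
    mac: str
    ip: str
    ctx: Context
    decision: Decision


def handle_threat_event(sessions: list, event: dict) -> list:
    """Bi-directional exchange: an IPS/firewall event re-evaluates the offending session.

    Returns the actions a deployment would issue (CoA to the NAS, user notice,
    ticket, partner notification); nothing is sent anywhere in this example.
    """
    actions = []
    for s in sessions:
        if s.ip != event["src_ip"]:
            continue
        s.ctx.isolated = True
        s.decision = decide(s.ctx)          # context changed, so the policy is re-run
        actions += [
            {"action": "coa", "mac": s.mac, "role": s.decision.role},
            {"action": "notify-user", "user": s.user, "reason": event["signature"]},
            {"action": "open-ticket", "user": s.user, "ip": s.ip},
            {"action": "notify-partners", "ip": s.ip, "signature": event["signature"]},
        ]
    return actions


def demo() -> tuple:
    """A compliant corporate laptop is on the Corp LAN until the IPS reports it."""
    corp = Context("dot1x-cert", "wireless", ssid="secure", device_category="Computer",
                   ownership="it-managed",
                   posture={"antivirus": True, "firewall": True, "disk_encryption": True})
    session = Session("jon.hansen", "02:1a:11:aa:bb:cc", "10.1.20.15", corp, decide(corp))
    before = session.decision.network                       # corp-lan
    event = {"src_ip": "10.1.20.15", "signature": "malware-upload"}   # constructed IPS event
    actions = handle_threat_event([session], event)
    return before, session.decision.network, len(actions)  # ('corp-lan', 'quarantine', 4)
```

Two design points are worth noting. The SSID check shows why the wireless concept ties each SSID to one authentication method: an 802.1X request arriving on the open guest SSID is a misconfiguration or a spoofed association and is denied rather than mapped to a role. The wired path applies the same rules with no SSID at all, which is what "colorless" ports mean in practice. And the threat handler never hard-codes an outcome: it only changes the context and re-runs `decide`, so isolation is just another input to the same policy.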
How to approach a NAC project: best practice and lessons learned
• Know the devices on the network
• What is there? Where is it? What is new?
• Inventory, profiling
• Define use cases
• Which stakeholder groups are there?
• Workflows, processes, access rights
• Few and simple: keep it simple
• Plan enough time for a proof of concept
• Feed the PoC experience back in and adapt
• Implement step by step
• Not everything at once
• But in the end with full coverage
Thank you for your attention
Manuel Bitzi, Project Manager Network Engineering
manuel.bitzi@softec.ch
Apéro and networking
Thank you for your visit
SOFTEC AG, Industriestrasse 51, CH-6312 Steinhausen
kurt.christen@softec.ch, +41 41 747 07 60
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Protonmail
Bots
Kontrollserver Armada Collective
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Protonmail
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Der schwarze Montag 2016
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Mirai Botnet by laquoNew World Hackersraquobull Angriffswelle vom 21102016 (ca
50rsquo000 ndash 100rsquo000 Bots)
bull Source Code geleakt
Trittbrettfahrer
bull Konkurrenz zu laquoBashlightraquo
gegenseitiges Kapern
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
DDos Empfehlungen
Praumlvention
bull Businesskritische Systeme identifizieren
bull Schutzmassnahmen mit Provider definieren
Reaktion
bull laquoAussitzenraquo
bull Keinesfalls Loumlsegeld bezahlen
bull Meldung an MELANIKOBIK allenfalls Anzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
CEO Fraud
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
CEO Fraud
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Betrug Empfehlungen
bull Klare Weisungen bezuumlglich Zahlungen erteilen
bull Keine internen Informationen weitergeben
bull Im Zweifelsfall bei der GL nachfragen
bull Vorsicht auch bei Mails von vermeintlich bekannten Personen
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionageangriff auf BV
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage Beispiel aus der Schweiz
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage Empfehlungen
bull Klassifizierung von Dokumenten
bull Regeln fuumlr die verschiedenen Klassfizierungen durchsetzen
bull Netzwerkmonitoring betr verdaumlchtigem Datenverkehr
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Erpressung
httpwwwtrustedwatchde
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner laquoLockyraquo (12)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner laquoLockyraquo (22)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner Empfehlungen
bull Regelmaumlssige Datensicherung
bull Datentraumlger nach Backup vom PC Netz trennen
bull Qualitaumlt der Backups sporadisch uumlberpruumlfen
bull Keinesfalls Loumlsegeld bezahlen
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Max KlausStv Leiter Melde- und Analysestelle
Informationssicherung MELANI
Schwarztorstrasse 59
3003 Bern
Herzlichen Dank fuumlr Ihre Aufmerksamkeit
Mobile-First Arubalsquos sichere Netzwerkarchitektur fuumlr die GenMobileJoumlrg Hofmann HPE Aruba
MOBILE-FIRST
Sichere Netzwerkarchitektur
fuumlr die GenMobile
People Move
Networks Must Follow
WHO ARE WE
Source Gartner Magic Quadrant for the Wired and Wireless LAN Access Infrastructure September 2015 Tim Zimmerman Bill Menezes Andrew Lerner ID Number
G00277052 This Magic Quadrant graphic was published by Gartner Inc as part of a larger research note and should be evaluated in the context of the entire report
The Gartner report is available upon request from HP The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period It depicts
Gartners analysis of how certain vendors measure against criteria for that marketplace as defined by Gartner Gartner does not endorse any vendor product or
service depicted in the Magic Quadrant and does not advise technology users to select only those vendors placed in the Leaders quadrant The Magic Quadrant is
intended solely as a research tool and is not meant to be a specific guide to action Gartner disclaims all warranties express or implied with respect to this research
including any warranties of merchantability or fitness for a particular purpose
ldquoClients globally should consider
Aruba for all wired and wireless
access layer opportunitiesrdquo
Gartner MQ for Wired and Wireless LAN
Access Infrastructure August 2016
Founded 2002 IPO 2007
HPErsquos IT Edge portfolio since June 2015
$24B+ annual revenue run rate
ldquoBiggest Small Companyrdquo
High touch business model
ldquoCustomer First Customer Lastrdquo
Home of 45K+ Mobility Engineers
Airheads Community
ENABLING GREAT
DIGITAL EXPERIENCES FOR GENMOBILE
70 SAY A MOBILE DEVICE MAKES THEM MORE
PRODUCTIVE AT WORK
By 2018 60 of users in mature markets will own and use more
than 3 personal devices
50 of enterprises will allow employees to supply their own
devices by 2017
Forrester ndash CIOs Must Empower the Digital Workplace
Forrester ndash The State of Enterprise Worker Mobility
Gartner ndash The Role of the Desktop in Our Multi-Device World
BY 2020 50 OF THE GLOBAL WORKFORCE WILL BE MILLENNIALS
Millennials believe their personal technology is more
effective at work
63 of millennials work for a company that offers a flexible
work environment
Trends 2016 ndash Code Conference Mary Meeker Annual Presentation
Gartner ndash Millennial Digital Workers Really Are Different From Their Elders
LESS THAN 50 OF EMPLOYEES ARE
SATISFIED WITH TECH THEY HAVE AT WORK
Employees want an environment where they can access and use the technology hey need to do
their best work
Enterprises need to think how untethered employees can move
easily and seamlessly from personal workspace to huddle
area to open areas
Trends 2016 ndash Code Conference Mary Meeker Annual Presentation
Gartner ndash Millennial Digital Workers Really Are Different From Their Elders
80+ NEW IOT PROJECTS TO BE DEPLOYED WITH WIRELESS NETWORK ARCHITECTURE
Installed base of IoTendpoints will grow from
121B in lsquo15 to 30B+ in lsquo20
WLAN will become IoTconnectivity method of choice for many organizations and choosing
the wrong wireless tech can hinder the value of IoT
IDC ndash Planscape Optimizing the WLAN for IoT
IDC ndash Worldwide Internet of Things Forecast Update 2016-2020
THE PERFECT STORM
MOBILE IoT and CLOUD
ldquoOLD STYLErdquo IT INFRASTRUCTURE
Gen Y
ldquoNEW STYLErdquo IT INFRASTRUCTURE
GenMobile
OUR APPROACH
LegacySeparate architectures
Port VLAN aware
Proprietary systems
Mobile FirstSingle set of infrastructure
Insightful context-rich
Developer ready
REQUIREMENTS
FOR IT ORGANIZATIONS
Scale network ops
across wireless and
wired infrastructure
Enable high
quality experience
on mobile UC
Stay compliant
while embracing
BYOD and IoT
Deliver apps to
remote locations
in a heartbeat
Improve workplace
productivity and
influence revenue
growth
EASY TO CONSUME DEVELOPER READY INFRASTRUCTURE
INNOVATION AT THE SPEED OF THE ECOSYSTEM ndash NOT A SINGLE VENDOR
Aruba infrastructure
Wi-Fi BLE Wired WAN
Aruba Mobile First Platform
x
Micro-location
services
Cloud
networking
Location
analytics
Policy
management
Network
managementNetwork
controls
IT services
Business and user facing applications
EMPLOYEE
EXPERIENCE
0900
ENROLL
MOBILE DEVICE
1100
PRIVILEGED ACCESS
WITH MULTI-FACTOR
AUTHENTICATION
1300
BOOK
MEETING ROOM
OPERATIONAL
EXPERIENCE
0930
UNDERSTAND
APP USAGE
Aruba AppRF
1530
MONITOR HEALTH
OF THE SMART
BUILDING
IT EXPERIENCE
1100
PREDICT
DONrsquoT JUST
TROUBLESHOOT
Aruba Clarity
1330
UNDERSTAND
DONrsquoT JUST
MONITOR
ONCE BYOD AND IoT
ARE ON YOUR
NETWORK hellip
SECURING THE
PERIMETER IS NO
LONGER ENOUGH
STAY COMPLIANT
WHILE EMBRACING BYOD AND IOT
Auto-classify unknown devices
on any network with Aruba ClearPass
Automate onboarding of each device
to the network and enforce policy
Detect amp eliminate threats
with ClearPass Exchange partners
SOFTWARE CONTROLS FOR
NETWORK ACCESS SECURITY
Internet of
Things (IoT)
BYOD and
corporate owned
REST
API
Security monitoring
and threat prevention
Device management and
multi-factor authentication
Helpdesk and voiceSMS
service in the cloud
Multi-vendor
switching
Multi-vendor
WLANs
Aruba ClearPass with
Exchange Ecosystem
SOFTWARE CONTROLS FOR ldquoCOLORLESSrdquo PORTS
Device and
user identity
stores
Ports assigned to new
VLANs through ClearPass
based on device type
IoT devices on the
wired network
connecting to any portPrevention against malware
and insider threats
Secure per device
tunneling to Aruba
Mobility Controller
Aruba
switches
LEADING
SWISS
BRANDS
TRUST
US
Pause
Aruba ClearPass ndash Die Loumlsung fuumlr einen sicheren NetzwerkzugangManuel Bitzi SOFTEC AG
Evolution of Access Management and Control
Desktops amp Wired
Basic AAA with UserPort
Control
Windows Vulnerabilities
Perimeter security via
platform silos
High touch IT model
Mobile Devices BYOD amp
Wireless
Multi-factor policy control with
visibility
Multiple Attack Vectors
Cooperative trust via
context sharing
Self Service automated
process
YESTERDAY TODAY
Time For A New Mobility Defense Model
Static Perimeter Defense
IDSIPS
Firewalls
Adaptive Trust Defense
Perimeter
Defense
Physical
Components
AntiVirus
Security and Policy
for each user or
group
Web
gateways
Was sind die Hauptgruumlnde fuumlr ein NAC
AuthentifizierungZugriffsschutz
Automatische Konfiguration
Workflows
VisibilitaumltNachvollziehbarkeit
Top IT NAC Business Drivers
Authentication and Authorization
NAC Services Deployment
Architecture and Coverage
bull Provide secure wired
and wireless access
bull Enhance mobile and
cloud app access
bull Use of certificates
Deployment Services
bull Offer differentiated
access (IT-owned
BYOD IoT)
bull Deliver managed
and reliable guest
access
bull Provide consistent
privileges regardless
of location
bull Leverage 3rd-party
security solutions
bull IT-controlled access
bull Automate workflows
bull Simplicity
bull Possible User-
intervention
ClearPass Policy Manager and NAC Solution
Onboard Guest
Built-inbull Policy Enginebull RADIUSCoATACACSbull Profilingbull Accountingreportsbull Identity store
Expandable Applications
Remote Location
bull BYOD onboardingbull Simple guest accessbull Health assessments
OnGuard
Whatrsquos Inside
VISIBILITY
Device Profiling
Troubleshooting
Per Session Tracking
WORKFLOW
Onboarding and
Self-Registration
Guest Management
MDMEMM Integration
RULES
Context based
Device
Posture Checks
Built-in Certificate
Authority
Authentication based on Device Context
Device
Profiling
bull Samsung SM-G900
bull Android
bull ldquoJons-Galaxyrdquo
EMMMDMOnGuard
bull Personal owned
bull Registered
bull OS up-to-date
bull Hansen Jon [Sales]
bull MDM enabled = true
bull In-compliance = true
Identity
Stores
Network Devices
bull Hansen Jon [Sales]
bull Title ndash COO
bull Dept ndash Executive office
bull City ndash London
bull Location ndash Bldg 10
bull Floor ndash 3
bull Bandwidth ndash 10Mbps
Value of a Policy EngineRemove SSID Overload
NEW WAY Simplify separate traffic dynamically
by context
OLD WAY Separate access amp
traffic by SSIDs
ClearPass ExchangeEnd-to-End Control Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voiceSMSservice in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST APISQL
XMLHTTP LDAP
RADIUSTACACS
Traffic control ampthreat prevention
ClearPass Exchange ExampleExtensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
Devices profiled2 ClearPass checks McAfee ePO for endpoint status
3
ClearPass enforcesaccess privileges4
Devices establish connections1
ClearPass Exchange ExampleBi-directional Exchange ndash FirewallIPS Event
FirewallIPSSIEMetchellip
user connects and uploads threat
sends event to ClearPass
informs infrastructure
1 2
4
detects and blocks event
3isolates user5
notifies user opens service ticket notify third-party devices6
ClearPass Profiler Engine
bull ClearPass sammelt so viele Informationen wie moumlglich um einen Geraumltetyp zu bestimmen
bull Category Family Product Name
bull Fingerprint-Datenbank wird regelmaumlssig aktualisiert
bull Eigene Fingerprints erstellen
bull Credentials fuumlr SMNP SSH etc hinterlegen
bull Profiling bei Authentifizierung oder nach Bedarf
bull Erkennen von IoT Devices
DHCP
SNMP
SSH
TCPWMI
CDP LLDP
OnGuard
NMAP
Mac OUI
HTTP
ClearPass Profiler EngineProfiling on authentication discover IoT
AfterBefore
Lighting Sensorunknown
unknown Temperature Sensor
send to
quarantineprofiling assign
new policy
discover IoT assign appropriated policy
ClearPass Profiler EngineCustom Fingerprints Rules
NEW WAY Create your own
Fingerprints
OLD WAY Wait for new Fingerprints to be made andor manually override
devices 11
ClearPass Universal ProfilerStandalone Profiling Engine
bull Standalone profiling engine
bull Wired and wireless networks
bull Easily distributed for coverage
and scalability
bull New device visibility dashboard
bull Reports
bull Gain Visibility of your Network
bull GA February 2017
ClearPass Universal Profiler
DEMO Profiling
Clearpass Modules WorkflowsOnGuard Client Health Check
bull Automated Healthcheck before Access
bull WiredWireless Ensures posture compliance for laptopscomputers
bull Security Forces use of Anti-VirusAnti-Spyware firewalls disk encryptionhellip
bull Remediation Manual or auto
bull Visibility Identifies poor behavior
bull User Notification Tells User about failed checks
bull Type Service or dissolvable Web Checker
DEMO OnGuard
Clearpass Modules WorkflowsSecure Guest Login
bull Flexible Guest Logins for Any Visitor
bull Customizable Splash Pages
bull Self-Service Workflows
bull SMS Authentication
bull Sponsoring
bull Social Login
bull Vouchers
bull Predefined UserPassword
bull MAC Caching for repeat visitors
bull Suitable for Mobile Devices
Clearpass Modules WorkflowsSecure Guest Login Look and Feel
Clearpass Modules WorkflowsOnBoard Employee Device
bull BYOD Employees Login with Personal Devices
bull User and IT friendly One time user registration no IT intervention
bull Security IT managed 8021X and Certificates
bull Context Data added to profile for adaptive policy and troubleshooting
bull Selfmanaged User can manage delete and block devices by their own
Clearpass Modules WorkflowsCertificate Distribution for BYOD
bull Domain
bull Key amp
Certificate
Enterprise PKI and CA Built-in ClearPass CA
Certificate
Authority
Validation
Authority
Registration
Authority
Active
Directory
IT-Managed
Devices
bull Domain
bull User
bull Device
bull Key amp Unique
Certificate
Personal
Devices
CA
Certificate
Authority
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Protonmail
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Der schwarze Montag 2016
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Mirai Botnet by laquoNew World Hackersraquobull Angriffswelle vom 21102016 (ca
50rsquo000 ndash 100rsquo000 Bots)
bull Source Code geleakt
Trittbrettfahrer
bull Konkurrenz zu laquoBashlightraquo
gegenseitiges Kapern
DDoS recommendations
Prevention
• Identify business-critical systems
• Define protective measures together with the provider
Reaction
• «Sit it out»
• Never pay a ransom
• Report to MELANI/KOBIK; if appropriate, file a complaint against persons unknown with the cantonal police (KaPo)
CEO Fraud
Fraud recommendations
• Issue clear instructions regarding payments
• Do not pass on internal information
• When in doubt, check with executive management (GL)
• Be cautious even with emails from supposedly known persons
• Inform MELANI/KOBIK; if appropriate, file a criminal complaint against persons unknown with the cantonal police (KaPo)
Espionage
Espionage attack on the Federal Administration (BV)
Espionage: example from Switzerland
Espionage recommendations
• Classification of documents
• Enforce the rules for the different classification levels
• Network monitoring for suspicious traffic
• Inform MELANI/KOBIK; if appropriate, file a criminal complaint against persons unknown with the cantonal police (KaPo)
Extortion
http://www.trustedwatch.de
Encryption trojan «Locky» (1/2)
Encryption trojan «Locky» (2/2)
Encryption trojan recommendations
• Regular data backups
• Disconnect the backup medium from the PC/network after the backup
• Check the quality of the backups from time to time
• Never pay a ransom
• Inform MELANI/KOBIK; if appropriate, file a criminal complaint against persons unknown with the cantonal police (KaPo)
Max Klaus, Deputy Head, Reporting and Analysis Centre for Information Assurance MELANI
Schwarztorstrasse 59
3003 Bern
Thank you for your attention
Mobile-First: Aruba's secure network architecture for the GenMobile (Jörg Hofmann, HPE Aruba)
MOBILE-FIRST
Secure network architecture for the GenMobile
People move, networks must follow
WHO ARE WE
Source: Gartner, Magic Quadrant for the Wired and Wireless LAN Access Infrastructure, September 2015, Tim Zimmerman, Bill Menezes, Andrew Lerner, ID Number G00277052. This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from HP. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
"Clients globally should consider Aruba for all wired and wireless access layer opportunities"
Gartner MQ for Wired and Wireless LAN Access Infrastructure, August 2016
Founded 2002, IPO 2007
HPE's IT Edge portfolio since June 2015
$2.4B+ annual revenue run rate
"Biggest Small Company"
High-touch business model
"Customer First, Customer Last"
Home of 45K+ Mobility Engineers: Airheads Community
ENABLING GREAT DIGITAL EXPERIENCES FOR GENMOBILE
70% SAY A MOBILE DEVICE MAKES THEM MORE PRODUCTIVE AT WORK
• By 2018, 60% of users in mature markets will own and use more than 3 personal devices
• 50% of enterprises will allow employees to supply their own devices by 2017
Sources: Forrester – CIOs Must Empower the Digital Workplace; Forrester – The State of Enterprise Worker Mobility; Gartner – The Role of the Desktop in Our Multi-Device World
BY 2020, 50% OF THE GLOBAL WORKFORCE WILL BE MILLENNIALS
• Millennials believe their personal technology is more effective at work
• 63% of millennials work for a company that offers a flexible work environment
Sources: Trends 2016 – Code Conference, Mary Meeker Annual Presentation; Gartner – Millennial Digital Workers Really Are Different From Their Elders
LESS THAN 50% OF EMPLOYEES ARE SATISFIED WITH THE TECH THEY HAVE AT WORK
• Employees want an environment where they can access and use the technology they need to do their best work
• Enterprises need to think about how untethered employees can move easily and seamlessly from personal workspace to huddle area to open areas
Sources: Trends 2016 – Code Conference, Mary Meeker Annual Presentation; Gartner – Millennial Digital Workers Really Are Different From Their Elders
80%+ OF NEW IOT PROJECTS TO BE DEPLOYED WITH WIRELESS NETWORK ARCHITECTURE
• Installed base of IoT endpoints will grow from 12.1B in '15 to 30B+ in '20
• WLAN will become the IoT connectivity method of choice for many organizations, and choosing the wrong wireless tech can hinder the value of IoT
Sources: IDC – PlanScape: Optimizing the WLAN for IoT; IDC – Worldwide Internet of Things Forecast Update 2016-2020
THE PERFECT STORM: MOBILE, IoT AND CLOUD
"Old style" IT infrastructure: Gen Y
"New style" IT infrastructure: GenMobile
OUR APPROACH
Legacy: separate architectures; port/VLAN aware; proprietary systems
Mobile First: single set of infrastructure; insightful, context-rich; developer ready
REQUIREMENTS FOR IT ORGANIZATIONS
• Scale network ops across wireless and wired infrastructure
• Enable high quality experience on mobile UC
• Stay compliant while embracing BYOD and IoT
• Deliver apps to remote locations in a heartbeat
• Improve workplace productivity and influence revenue growth
EASY TO CONSUME, DEVELOPER READY INFRASTRUCTURE
INNOVATION AT THE SPEED OF THE ECOSYSTEM – NOT A SINGLE VENDOR
(Layer diagram) Aruba infrastructure: Wi-Fi, BLE, wired, WAN. Aruba Mobile First Platform: micro-location services, cloud networking, location analytics, policy management, network management, network controls. Above it: IT services, and business and user facing applications.
(Timeline diagram)
Employee experience: 09:00 enroll mobile device; 11:00 privileged access with multi-factor authentication; 13:00 book meeting room
Operational experience: 09:30 understand app usage (Aruba AppRF); 15:30 monitor health of the smart building
IT experience: 11:00 predict, don't just troubleshoot (Aruba Clarity); 13:30 understand, don't just monitor
ONCE BYOD AND IoT ARE ON YOUR NETWORK … SECURING THE PERIMETER IS NO LONGER ENOUGH
STAY COMPLIANT WHILE EMBRACING BYOD AND IOT
• Auto-classify unknown devices on any network with Aruba ClearPass
• Automate onboarding of each device to the network and enforce policy
• Detect & eliminate threats with ClearPass Exchange partners
SOFTWARE CONTROLS FOR NETWORK ACCESS SECURITY
(Diagram) Aruba ClearPass with Exchange Ecosystem at the centre. Endpoints: Internet of Things (IoT), BYOD and corporate owned. Infrastructure: multi-vendor switching, multi-vendor WLANs. Partner integrations via REST API: security monitoring and threat prevention; device management and multi-factor authentication; helpdesk and voice/SMS service in the cloud.
SOFTWARE CONTROLS FOR "COLORLESS" PORTS
(Diagram) Device and user identity stores; ports assigned to new VLANs through ClearPass based on device type; IoT devices on the wired network connecting to any port; prevention against malware and insider threats; secure per-device tunneling to the Aruba Mobility Controller; Aruba switches.
LEADING SWISS BRANDS TRUST US
Break
Aruba ClearPass – The solution for secure network access (Manuel Bitzi, SOFTEC AG)
Evolution of Access Management and Control
YESTERDAY
• Desktops & wired
• Basic AAA with user/port control
• Windows vulnerabilities
• Perimeter security via platform silos
• High-touch IT model
TODAY
• Mobile devices, BYOD & wireless
• Multi-factor policy control with visibility
• Multiple attack vectors
• Cooperative trust via context sharing
• Self-service, automated process
Time For A New Mobility Defense Model
Static perimeter defense: IDS/IPS, firewalls, perimeter defense, physical components, antivirus, web gateways
Adaptive trust defense: security and policy for each user or group
What are the main reasons for a NAC?
• Authentication / access protection
• Automatic configuration
• Workflows
• Visibility / traceability
Top IT NAC Business Drivers
Authentication and Authorization
• Provide secure wired and wireless access
• Enhance mobile and cloud app access
• Use of certificates
NAC Services Deployment (Deployment Services)
• Offer differentiated access (IT-owned, BYOD, IoT)
• Deliver managed and reliable guest access
• Provide consistent privileges regardless of location
• Leverage 3rd-party security solutions
Architecture and Coverage
• IT-controlled access
• Automate workflows
• Simplicity
• Possible user intervention
ClearPass Policy Manager and NAC Solution
(Diagram) Built-in: policy engine; RADIUS/CoA/TACACS; profiling; accounting/reports; identity store. Expandable applications: Onboard, Guest, OnGuard (BYOD onboarding, simple guest access, health assessments); remote location.
What's Inside
VISIBILITY: device profiling; troubleshooting; per-session tracking
WORKFLOW: onboarding and self-registration; guest management; MDM/EMM integration
RULES: context-based; device posture checks; built-in certificate authority
Authentication based on Device Context
Device profiling:
• Samsung SM-G900
• Android
• "Jons-Galaxy"
EMM/MDM/OnGuard:
• Personally owned
• Registered
• OS up-to-date
• Hansen, Jon [Sales]
• MDM enabled = true
• In-compliance = true
Identity stores:
• Hansen, Jon [Sales]
• Title – COO
• Dept – Executive office
• City – London
Network devices:
• Location – Bldg 10
• Floor – 3
• Bandwidth – 10Mbps
Value of a Policy Engine: Remove SSID Overload
OLD WAY: separate access & traffic by SSIDs
NEW WAY: simplify; separate traffic dynamically by context
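A context-based policy engine of the kind the two slides above describe, as an added example (not ClearPass's own code or configuration): device context from profiling, EMM/MDM or OnGuard posture and the identity store, together with the SSID and authentication method from the access concept slides, is evaluated against ordered rules, and the first match yields an enforcement profile. Rule names, role names, VLAN numbers and attribute keys are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass
class Context:
    """Everything the policy engine knows about one connection attempt."""
    ssid: Optional[str]         # None for a wired port
    auth: str                   # captive-portal | dot1x-cert | dot1x-pass | psk | mac
    profile: str                # profiler result (category); "unknown" if not yet profiled
    mdm_enabled: bool = False   # from EMM/MDM or OnGuard
    in_compliance: bool = False
    os_up_to_date: bool = False
    user: Optional[str] = None  # from the identity store
    dept: Optional[str] = None


@dataclass(frozen=True)
class Enforcement:
    role: str
    vlan: int
    reason: str


# Which authentication methods are legitimate on which SSID (access concept slide);
# a wired port (ssid None) accepts 802.1X or MAC authentication. Assumed mapping.
SSID_AUTH = {
    "open": {"captive-portal"},
    "secure": {"dot1x-cert", "dot1x-pass"},
    "IoT": {"psk", "mac"},
    None: {"dot1x-cert", "dot1x-pass", "mac"},
}
IOT_PROFILES = {"lighting-sensor", "temperature-sensor", "printer"}

QUARANTINE = Enforcement("quarantine", 999, "isolate: profile and re-evaluate")

# Ordered rules: (name, predicate, enforcement). The first matching rule wins,
# so the deny-style checks come first and the broadest rule last.
RULES = [
    ("ssid-auth-mismatch",
     lambda c: c.auth not in SSID_AUTH.get(c.ssid, set()),
     Enforcement("quarantine", 999, "auth method not allowed on this SSID/port")),
    ("unknown-device",
     lambda c: c.profile == "unknown",
     QUARANTINE),
    ("guest-internet-only",
     lambda c: c.auth == "captive-portal",
     Enforcement("guest", 100, "guest via captive portal: Internet only")),
    ("corp-pc",
     lambda c: c.auth == "dot1x-cert" and c.profile == "computer"
     and c.mdm_enabled and c.in_compliance,
     Enforcement("corp", 10, "IT-managed device, certificate and posture OK: Corp LAN")),
    ("byod-compliant",
     lambda c: c.auth in ("dot1x-cert", "dot1x-pass") and c.profile == "smartphone"
     and c.mdm_enabled and c.in_compliance and c.os_up_to_date,
     Enforcement("byod", 20, "personal device, onboarded and compliant")),
    ("byod-remediation",
     lambda c: c.auth in ("dot1x-cert", "dot1x-pass") and c.profile == "smartphone",
     Enforcement("remediation", 998, "onboarded personal device failing posture")),
    ("iot-known-class",
     lambda c: c.auth in ("psk", "mac") and c.profile in IOT_PROFILES,
     Enforcement("iot", 30, "profiled IoT device: restricted segment")),
]


def evaluate(ctx: Context) -> Tuple[str, Enforcement]:
    """Return (rule name, enforcement) of the first matching rule, else a default deny."""
    for name, predicate, enforcement in RULES:
        if predicate(ctx):
            return name, enforcement
    return "default-deny", QUARANTINE


if __name__ == "__main__":
    # Constructed sample connections, one per column of the access concept slides
    samples = [
        Context("open", "captive-portal", "smartphone"),
        Context("secure", "dot1x-cert", "computer", mdm_enabled=True, in_compliance=True),
        Context("secure", "dot1x-pass", "smartphone", mdm_enabled=True,
                in_compliance=True, os_up_to_date=True, user="jhansen", dept="Sales"),
        Context("IoT", "mac", "unknown"),
        Context(None, "mac", "lighting-sensor"),
    ]
    for c in samples:
        rule, enf = evaluate(c)
        print(f"{c.ssid or 'wired':7} {c.auth:14} {c.profile:16} "
              f"-> {enf.role}/VLAN {enf.vlan} [{rule}]")
```

A corporate PC authenticating with a password instead of a certificate falls through every rule and lands in the default deny, which is the intended effect of the "IT-managed 802.1X and certificates" requirement.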
ClearPass Exchange: End-to-End Control, Information and Visibility
(Diagram) Multi-vendor infrastructure; device management and multi-factor authentication; helpdesk and voice/SMS service in the cloud; traffic control & threat prevention; combine identity information. Standard protocols for custom extensions: REST API, SQL, XML/HTTP, LDAP, RADIUS, TACACS.
ClearPass Exchange Example: Extensions for Intel Security – McAfee ePO
(Diagram: corporate owned and IoT devices, BYOD and corporate owned devices on multi-vendor switching and multi-vendor WLAN; ClearPass and McAfee ePO)
1. Devices establish connections
2. Devices profiled
3. ClearPass checks McAfee ePO for endpoint status
4. ClearPass enforces access privileges
ClearPass Exchange Example: Bi-directional Exchange – Firewall/IPS Event
(Diagram: user, ClearPass, firewall / IPS / SIEM / etc.)
1. User connects and uploads threat
2. Firewall/IPS detects and blocks the event
3. Sends the event to ClearPass
4. ClearPass informs the infrastructure
5. Isolates the user
6. Notifies the user, opens a service ticket, notifies third-party devices
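The six-step flow above as an added example (not ClearPass code): a firewall/IPS event about an endpoint IP is correlated with the session table that accounting and per-session tracking provide and, at or above a severity threshold, turned into a change-of-authorization for the network device holding the session plus the user notification, ticket and third-party update of step 6. The event format, the session table, the threshold and the CoA attribute names are constructed assumptions.

```python
import json
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Session:
    """What accounting / per-session tracking knows about one active endpoint."""
    user: str
    mac: str
    nas_ip: str      # switch or controller that holds the session (CoA target)
    role: str


# Constructed session table keyed by endpoint IP, usually the only identifier
# a firewall or IPS event carries.
SESSIONS = {
    "10.20.30.40": Session("jhansen", "aa:bb:cc:00:00:01", "10.0.0.2", "byod"),
    "10.20.30.41": Session("printer-3f", "de:ad:00:12:34:56", "10.0.0.3", "iot"),
}

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
ISOLATE_AT = "high"   # events at or above this severity isolate the endpoint


@dataclass
class Response:
    event_id: int
    isolated: bool
    reason: str
    coa: Optional[dict] = None          # steps 4/5: change-of-authorization to the NAS
    notify_user: Optional[str] = None   # step 6
    ticket: Optional[str] = None        # step 6
    third_party: list = field(default_factory=list)  # step 6


def handle_event(raw: str, sessions: dict = SESSIONS) -> Response:
    """Turn one firewall/IPS event (a JSON line) into the policy-side response."""
    ev = json.loads(raw)
    sess = sessions.get(ev["src_ip"])
    if sess is None:
        # Nothing to isolate; the event still goes to the log for investigation
        return Response(ev["id"], False, f"no active session for {ev['src_ip']}")
    if SEVERITY[ev["severity"]] < SEVERITY[ISOLATE_AT]:
        return Response(ev["id"], False,
                        f"severity {ev['severity']} below {ISOLATE_AT}: "
                        f"endpoint {sess.mac} tagged only")
    # Isolate: the NAS re-applies the session with a quarantine role (steps 4 and 5)
    coa = {"nas_ip": sess.nas_ip, "Calling-Station-Id": sess.mac,
           "User-Name": sess.user, "new_role": "quarantine",
           "previous_role": sess.role}
    return Response(
        ev["id"], True, f"{ev['signature']} reported by {ev['sensor']}",
        coa=coa,
        notify_user=f"{sess.user}: your device {sess.mac} was isolated ({ev['signature']})",
        ticket=f"[{ev['sensor']}] event {ev['id']}: {sess.user}/{sess.mac} quarantined",
        third_party=[{"action": "block", "mac": sess.mac, "ip": ev["src_ip"]}],
    )


# Constructed sample events, one JSON line each, as a SIEM or firewall might forward them
EVENTS = [
    '{"id": 101, "sensor": "fw-edge-1", "src_ip": "10.20.30.40", '
    '"severity": "high", "signature": "malware upload blocked"}',
    '{"id": 102, "sensor": "ips-core", "src_ip": "10.20.30.41", '
    '"severity": "low", "signature": "SNMP sweep"}',
    '{"id": 103, "sensor": "fw-edge-1", "src_ip": "10.99.0.7", '
    '"severity": "critical", "signature": "C2 beacon"}',
]

if __name__ == "__main__":
    for line in EVENTS:
        r = handle_event(line)
        print(f"event {r.event_id}: isolated={r.isolated} ({r.reason})")
        if r.coa:
            print("   CoA ->", r.coa)
```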
ClearPass Profiler Engine
• ClearPass collects as much information as possible to determine a device type
• Category, family, product name
• The fingerprint database is updated regularly
• Create your own fingerprints
• Store credentials for SNMP, SSH etc.
• Profiling at authentication time or on demand
• Detection of IoT devices
Data sources: DHCP, SNMP, SSH, TCP/WMI, CDP/LLDP, OnGuard, NMAP, MAC OUI, HTTP
ClearPass Profiler Engine: Profiling on authentication, discover IoT
Before: device unknown → send to quarantine → profiling
After: identified as Lighting Sensor / Temperature Sensor → assign new policy
Discover IoT, assign the appropriate policy
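A profiler engine in miniature, as an added example (not ClearPass's engine or its fingerprint database): a device record accumulates attributes from the collectors the slides name (MAC OUI, DHCP, HTTP), each fingerprint lists the attributes it requires, the most specific match wins, and customer-defined fingerprints extend the built-in table. It reproduces the before/after case above: an IoT sensor is unknown on first sight (OUI only) and is identified once its DHCP request is seen. All OUIs, DHCP option values and product names are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Fingerprint:
    category: str
    family: str
    product: str
    match: dict   # attribute -> exact value the device must show


# Constructed built-in table: OUIs and DHCP option values are sample data,
# not entries of a real fingerprint database.
BUILTIN: List[Fingerprint] = [
    Fingerprint("Computer", "Windows", "Windows 10",
                {"dhcp_vendor": "MSFT 5.0",
                 "dhcp_param_list": "1,3,6,15,31,33,43,44,46,47,121,249,252"}),
    Fingerprint("Smartphone", "Android", "Samsung Galaxy",
                {"oui": "AA:BB:CC",
                 "dhcp_param_list": "1,3,6,15,26,28,51,58,59,43"}),
    Fingerprint("Smartphone", "Android", "Android device",
                {"http_ua_platform": "Android"}),
]

# Customer-defined fingerprints for devices the built-in table does not know
# (the "create your own fingerprints" case); same sample-data caveat.
CUSTOM: List[Fingerprint] = [
    Fingerprint("IoT", "Building Automation", "Lighting Sensor",
                {"oui": "DE:AD:00", "dhcp_vendor": "lux-sense"}),
    Fingerprint("IoT", "Building Automation", "Temperature Sensor",
                {"oui": "DE:AD:00", "dhcp_vendor": "temp-sense"}),
]


def ua_platform(user_agent: str) -> str:
    """Reduce an HTTP User-Agent to the platform keyword the table matches on."""
    for needle, platform in (("Android", "Android"), ("iPhone", "iOS"),
                             ("Windows NT", "Windows")):
        if needle in user_agent:
            return platform
    return "other"


@dataclass
class Device:
    """Evidence collected about one endpoint; grows as more collectors see it."""
    mac: str
    attrs: dict = field(default_factory=dict)

    def __post_init__(self):
        # The OUI is known from the first frame, before any DHCP or HTTP traffic
        self.attrs["oui"] = self.mac.upper()[:8]

    def observe_dhcp(self, vendor_class: str, param_list: str) -> None:
        """DHCP collector: option 60 vendor class and option 55 parameter request list."""
        self.attrs["dhcp_vendor"] = vendor_class
        self.attrs["dhcp_param_list"] = param_list

    def observe_http(self, user_agent: str) -> None:
        """HTTP collector: User-Agent seen at the captive portal or a proxy."""
        self.attrs["http_ua_platform"] = ua_platform(user_agent)


def classify(dev: Device,
             fingerprints: List[Fingerprint] = BUILTIN + CUSTOM) -> Optional[Fingerprint]:
    """Most specific fingerprint whose every required attribute the device shows.

    None means "unknown": the device stays in the quarantine/profiling role until
    another collector adds the missing evidence.
    """
    best = None
    for fp in fingerprints:
        if all(dev.attrs.get(k) == v for k, v in fp.match.items()):
            if best is None or len(fp.match) > len(best.match):
                best = fp
    return best


if __name__ == "__main__":
    sensor = Device("de:ad:00:12:34:56")
    print("before (OUI only):", classify(sensor))      # None -> unknown, quarantine
    sensor.observe_dhcp("lux-sense", "1,3,6,12")
    print("after DHCP:", classify(sensor).product)      # Lighting Sensor
```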
ClearPass Profiler Engine: Custom Fingerprints / Rules
OLD WAY: wait for new fingerprints to be made and/or manually override devices
NEW WAY: create your own fingerprints
ClearPass Universal Profiler: Standalone Profiling Engine
• Standalone profiling engine
• Wired and wireless networks
• Easily distributed for coverage and scalability
• New device visibility dashboard
• Reports
• Gain visibility of your network
• GA February 2017
ClearPass Universal Profiler
DEMO: Profiling
ClearPass Modules & Workflows: OnGuard Client Health Check
• Automated health check before access
• Wired/wireless: ensures posture compliance for laptops/computers
• Security: forces use of anti-virus/anti-spyware, firewalls, disk encryption …
• Remediation: manual or automatic
• Visibility: identifies poor behavior
• User notification: tells the user about failed checks
• Type: service or dissolvable web checker
DEMO: OnGuard
ClearPass Modules & Workflows: Secure Guest Login
• Flexible guest logins for any visitor
• Customizable splash pages
• Self-service workflows
• SMS authentication
• Sponsoring
• Social login
• Vouchers
• Predefined user/password
• MAC caching for repeat visitors
• Suitable for mobile devices
ClearPass Modules & Workflows: Secure Guest Login, Look and Feel
ClearPass Modules & Workflows: OnBoard Employee Device
• BYOD: employees log in with personal devices
• User and IT friendly: one-time user registration, no IT intervention
• Security: IT-managed 802.1X and certificates
• Context: data added to the profile for adaptive policy and troubleshooting
• Self-managed: users can manage, delete and block their devices on their own
ClearPass Modules & Workflows: Certificate Distribution for BYOD
(Diagram) Enterprise PKI and CA: certificate authority, validation authority, registration authority, Active Directory; IT-managed devices receive a domain, key & certificate. Built-in ClearPass CA: certificate authority; personal devices receive a domain, user, device, key & unique certificate. Legend: AD / RA / VA / CA.
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Der schwarze Montag 2016
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Mirai Botnet by laquoNew World Hackersraquobull Angriffswelle vom 21102016 (ca
50rsquo000 ndash 100rsquo000 Bots)
bull Source Code geleakt
Trittbrettfahrer
bull Konkurrenz zu laquoBashlightraquo
gegenseitiges Kapern
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
DDos Empfehlungen
Praumlvention
bull Businesskritische Systeme identifizieren
bull Schutzmassnahmen mit Provider definieren
Reaktion
bull laquoAussitzenraquo
bull Keinesfalls Loumlsegeld bezahlen
bull Meldung an MELANIKOBIK allenfalls Anzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
CEO Fraud
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
CEO Fraud
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Betrug Empfehlungen
bull Klare Weisungen bezuumlglich Zahlungen erteilen
bull Keine internen Informationen weitergeben
bull Im Zweifelsfall bei der GL nachfragen
bull Vorsicht auch bei Mails von vermeintlich bekannten Personen
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionageangriff auf BV
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage Beispiel aus der Schweiz
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage Empfehlungen
bull Klassifizierung von Dokumenten
bull Regeln fuumlr die verschiedenen Klassfizierungen durchsetzen
bull Netzwerkmonitoring betr verdaumlchtigem Datenverkehr
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Erpressung
httpwwwtrustedwatchde
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner laquoLockyraquo (12)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner laquoLockyraquo (22)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner Empfehlungen
bull Regelmaumlssige Datensicherung
bull Datentraumlger nach Backup vom PC Netz trennen
bull Qualitaumlt der Backups sporadisch uumlberpruumlfen
bull Keinesfalls Loumlsegeld bezahlen
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Max KlausStv Leiter Melde- und Analysestelle
Informationssicherung MELANI
Schwarztorstrasse 59
3003 Bern
Herzlichen Dank fuumlr Ihre Aufmerksamkeit
Mobile-First Arubalsquos sichere Netzwerkarchitektur fuumlr die GenMobileJoumlrg Hofmann HPE Aruba
MOBILE-FIRST
Sichere Netzwerkarchitektur
fuumlr die GenMobile
People Move
Networks Must Follow
WHO ARE WE
Source Gartner Magic Quadrant for the Wired and Wireless LAN Access Infrastructure September 2015 Tim Zimmerman Bill Menezes Andrew Lerner ID Number
G00277052 This Magic Quadrant graphic was published by Gartner Inc as part of a larger research note and should be evaluated in the context of the entire report
The Gartner report is available upon request from HP The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period It depicts
Gartners analysis of how certain vendors measure against criteria for that marketplace as defined by Gartner Gartner does not endorse any vendor product or
service depicted in the Magic Quadrant and does not advise technology users to select only those vendors placed in the Leaders quadrant The Magic Quadrant is
intended solely as a research tool and is not meant to be a specific guide to action Gartner disclaims all warranties express or implied with respect to this research
including any warranties of merchantability or fitness for a particular purpose
ldquoClients globally should consider
Aruba for all wired and wireless
access layer opportunitiesrdquo
Gartner MQ for Wired and Wireless LAN
Access Infrastructure August 2016
Founded 2002 IPO 2007
HPErsquos IT Edge portfolio since June 2015
$24B+ annual revenue run rate
ldquoBiggest Small Companyrdquo
High touch business model
ldquoCustomer First Customer Lastrdquo
Home of 45K+ Mobility Engineers
Airheads Community
ENABLING GREAT
DIGITAL EXPERIENCES FOR GENMOBILE
70 SAY A MOBILE DEVICE MAKES THEM MORE
PRODUCTIVE AT WORK
By 2018 60 of users in mature markets will own and use more
than 3 personal devices
50 of enterprises will allow employees to supply their own
devices by 2017
Forrester ndash CIOs Must Empower the Digital Workplace
Forrester ndash The State of Enterprise Worker Mobility
Gartner ndash The Role of the Desktop in Our Multi-Device World
BY 2020 50 OF THE GLOBAL WORKFORCE WILL BE MILLENNIALS
Millennials believe their personal technology is more
effective at work
63 of millennials work for a company that offers a flexible
work environment
Trends 2016 ndash Code Conference Mary Meeker Annual Presentation
Gartner ndash Millennial Digital Workers Really Are Different From Their Elders
LESS THAN 50 OF EMPLOYEES ARE
SATISFIED WITH TECH THEY HAVE AT WORK
Employees want an environment where they can access and use the technology hey need to do
their best work
Enterprises need to think how untethered employees can move
easily and seamlessly from personal workspace to huddle
area to open areas
Trends 2016 ndash Code Conference Mary Meeker Annual Presentation
Gartner ndash Millennial Digital Workers Really Are Different From Their Elders
80+ NEW IOT PROJECTS TO BE DEPLOYED WITH WIRELESS NETWORK ARCHITECTURE
Installed base of IoTendpoints will grow from
121B in lsquo15 to 30B+ in lsquo20
WLAN will become IoTconnectivity method of choice for many organizations and choosing
the wrong wireless tech can hinder the value of IoT
IDC ndash Planscape Optimizing the WLAN for IoT
IDC ndash Worldwide Internet of Things Forecast Update 2016-2020
THE PERFECT STORM
MOBILE IoT and CLOUD
ldquoOLD STYLErdquo IT INFRASTRUCTURE
Gen Y
ldquoNEW STYLErdquo IT INFRASTRUCTURE
GenMobile
OUR APPROACH
LegacySeparate architectures
Port VLAN aware
Proprietary systems
Mobile FirstSingle set of infrastructure
Insightful context-rich
Developer ready
REQUIREMENTS
FOR IT ORGANIZATIONS
Scale network ops
across wireless and
wired infrastructure
Enable high
quality experience
on mobile UC
Stay compliant
while embracing
BYOD and IoT
Deliver apps to
remote locations
in a heartbeat
Improve workplace
productivity and
influence revenue
growth
EASY TO CONSUME DEVELOPER READY INFRASTRUCTURE
INNOVATION AT THE SPEED OF THE ECOSYSTEM ndash NOT A SINGLE VENDOR
Aruba infrastructure
Wi-Fi BLE Wired WAN
Aruba Mobile First Platform
x
Micro-location
services
Cloud
networking
Location
analytics
Policy
management
Network
managementNetwork
controls
IT services
Business and user facing applications
EMPLOYEE
EXPERIENCE
0900
ENROLL
MOBILE DEVICE
1100
PRIVILEGED ACCESS
WITH MULTI-FACTOR
AUTHENTICATION
1300
BOOK
MEETING ROOM
OPERATIONAL
EXPERIENCE
0930
UNDERSTAND
APP USAGE
Aruba AppRF
1530
MONITOR HEALTH
OF THE SMART
BUILDING
IT EXPERIENCE
1100
PREDICT
DONrsquoT JUST
TROUBLESHOOT
Aruba Clarity
1330
UNDERSTAND
DONrsquoT JUST
MONITOR
ONCE BYOD AND IoT
ARE ON YOUR
NETWORK hellip
SECURING THE
PERIMETER IS NO
LONGER ENOUGH
STAY COMPLIANT
WHILE EMBRACING BYOD AND IOT
Auto-classify unknown devices
on any network with Aruba ClearPass
Automate onboarding of each device
to the network and enforce policy
Detect amp eliminate threats
with ClearPass Exchange partners
SOFTWARE CONTROLS FOR
NETWORK ACCESS SECURITY
Internet of
Things (IoT)
BYOD and
corporate owned
REST
API
Security monitoring
and threat prevention
Device management and
multi-factor authentication
Helpdesk and voiceSMS
service in the cloud
Multi-vendor
switching
Multi-vendor
WLANs
Aruba ClearPass with
Exchange Ecosystem
SOFTWARE CONTROLS FOR ldquoCOLORLESSrdquo PORTS
Device and
user identity
stores
Ports assigned to new
VLANs through ClearPass
based on device type
IoT devices on the
wired network
connecting to any portPrevention against malware
and insider threats
Secure per device
tunneling to Aruba
Mobility Controller
Aruba
switches
LEADING
SWISS
BRANDS
TRUST
US
Pause
Aruba ClearPass ndash Die Loumlsung fuumlr einen sicheren NetzwerkzugangManuel Bitzi SOFTEC AG
Evolution of Access Management and Control
Desktops amp Wired
Basic AAA with UserPort
Control
Windows Vulnerabilities
Perimeter security via
platform silos
High touch IT model
Mobile Devices BYOD amp
Wireless
Multi-factor policy control with
visibility
Multiple Attack Vectors
Cooperative trust via
context sharing
Self Service automated
process
YESTERDAY TODAY
Time For A New Mobility Defense Model
Static Perimeter Defense
IDSIPS
Firewalls
Adaptive Trust Defense
Perimeter
Defense
Physical
Components
AntiVirus
Security and Policy
for each user or
group
Web
gateways
Was sind die Hauptgruumlnde fuumlr ein NAC
AuthentifizierungZugriffsschutz
Automatische Konfiguration
Workflows
VisibilitaumltNachvollziehbarkeit
Top IT NAC Business Drivers
Authentication and Authorization
NAC Services Deployment
Architecture and Coverage
bull Provide secure wired
and wireless access
bull Enhance mobile and
cloud app access
bull Use of certificates
Deployment Services
bull Offer differentiated
access (IT-owned
BYOD IoT)
bull Deliver managed
and reliable guest
access
bull Provide consistent
privileges regardless
of location
bull Leverage 3rd-party
security solutions
bull IT-controlled access
bull Automate workflows
bull Simplicity
bull Possible User-
intervention
ClearPass Policy Manager and NAC Solution
Onboard Guest
Built-inbull Policy Enginebull RADIUSCoATACACSbull Profilingbull Accountingreportsbull Identity store
Expandable Applications
Remote Location
bull BYOD onboardingbull Simple guest accessbull Health assessments
OnGuard
Whatrsquos Inside
VISIBILITY
Device Profiling
Troubleshooting
Per Session Tracking
WORKFLOW
Onboarding and
Self-Registration
Guest Management
MDMEMM Integration
RULES
Context based
Device
Posture Checks
Built-in Certificate
Authority
Authentication based on Device Context
Device
Profiling
bull Samsung SM-G900
bull Android
bull ldquoJons-Galaxyrdquo
EMMMDMOnGuard
bull Personal owned
bull Registered
bull OS up-to-date
bull Hansen Jon [Sales]
bull MDM enabled = true
bull In-compliance = true
Identity
Stores
Network Devices
bull Hansen Jon [Sales]
bull Title ndash COO
bull Dept ndash Executive office
bull City ndash London
bull Location ndash Bldg 10
bull Floor ndash 3
bull Bandwidth ndash 10Mbps
Value of a Policy EngineRemove SSID Overload
NEW WAY Simplify separate traffic dynamically
by context
OLD WAY Separate access amp
traffic by SSIDs
ClearPass ExchangeEnd-to-End Control Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voiceSMSservice in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST APISQL
XMLHTTP LDAP
RADIUSTACACS
Traffic control ampthreat prevention
ClearPass Exchange ExampleExtensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
Devices profiled2 ClearPass checks McAfee ePO for endpoint status
3
ClearPass enforcesaccess privileges4
Devices establish connections1
ClearPass Exchange ExampleBi-directional Exchange ndash FirewallIPS Event
FirewallIPSSIEMetchellip
user connects and uploads threat
sends event to ClearPass
informs infrastructure
1 2
4
detects and blocks event
3isolates user5
notifies user opens service ticket notify third-party devices6
ClearPass Profiler Engine
bull ClearPass sammelt so viele Informationen wie moumlglich um einen Geraumltetyp zu bestimmen
bull Category Family Product Name
bull Fingerprint-Datenbank wird regelmaumlssig aktualisiert
bull Eigene Fingerprints erstellen
bull Credentials fuumlr SMNP SSH etc hinterlegen
bull Profiling bei Authentifizierung oder nach Bedarf
bull Erkennen von IoT Devices
DHCP
SNMP
SSH
TCPWMI
CDP LLDP
OnGuard
NMAP
Mac OUI
HTTP
ClearPass Profiler EngineProfiling on authentication discover IoT
AfterBefore
Lighting Sensorunknown
unknown Temperature Sensor
send to
quarantineprofiling assign
new policy
discover IoT assign appropriated policy
ClearPass Profiler EngineCustom Fingerprints Rules
NEW WAY Create your own
Fingerprints
OLD WAY Wait for new Fingerprints to be made andor manually override
devices 11
ClearPass Universal ProfilerStandalone Profiling Engine
bull Standalone profiling engine
bull Wired and wireless networks
bull Easily distributed for coverage
and scalability
bull New device visibility dashboard
bull Reports
bull Gain Visibility of your Network
bull GA February 2017
ClearPass Universal Profiler
DEMO Profiling
Clearpass Modules WorkflowsOnGuard Client Health Check
bull Automated Healthcheck before Access
bull WiredWireless Ensures posture compliance for laptopscomputers
bull Security Forces use of Anti-VirusAnti-Spyware firewalls disk encryptionhellip
bull Remediation Manual or auto
bull Visibility Identifies poor behavior
bull User Notification Tells User about failed checks
bull Type Service or dissolvable Web Checker
DEMO OnGuard
Clearpass Modules WorkflowsSecure Guest Login
bull Flexible Guest Logins for Any Visitor
bull Customizable Splash Pages
bull Self-Service Workflows
bull SMS Authentication
bull Sponsoring
bull Social Login
bull Vouchers
bull Predefined UserPassword
bull MAC Caching for repeat visitors
bull Suitable for Mobile Devices
Clearpass Modules WorkflowsSecure Guest Login Look and Feel
Clearpass Modules WorkflowsOnBoard Employee Device
bull BYOD Employees Login with Personal Devices
bull User and IT friendly One time user registration no IT intervention
bull Security IT managed 8021X and Certificates
bull Context Data added to profile for adaptive policy and troubleshooting
bull Selfmanaged User can manage delete and block devices by their own
Clearpass Modules WorkflowsCertificate Distribution for BYOD
bull Domain
bull Key amp
Certificate
Enterprise PKI and CA Built-in ClearPass CA
Certificate
Authority
Validation
Authority
Registration
Authority
Active
Directory
IT-Managed
Devices
bull Domain
bull User
bull Device
bull Key amp Unique
Certificate
Personal
Devices
CA
Certificate
Authority
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Mirai Botnet by laquoNew World Hackersraquobull Angriffswelle vom 21102016 (ca
50rsquo000 ndash 100rsquo000 Bots)
bull Source Code geleakt
Trittbrettfahrer
bull Konkurrenz zu laquoBashlightraquo
gegenseitiges Kapern
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
DDos Empfehlungen
Praumlvention
bull Businesskritische Systeme identifizieren
bull Schutzmassnahmen mit Provider definieren
Reaktion
bull laquoAussitzenraquo
bull Keinesfalls Loumlsegeld bezahlen
bull Meldung an MELANIKOBIK allenfalls Anzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
CEO Fraud
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
CEO Fraud
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Betrug Empfehlungen
bull Klare Weisungen bezuumlglich Zahlungen erteilen
bull Keine internen Informationen weitergeben
bull Im Zweifelsfall bei der GL nachfragen
bull Vorsicht auch bei Mails von vermeintlich bekannten Personen
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
Espionage
Espionage attack on the Federal Administration (BV)
Espionage: an example from Switzerland
Espionage recommendations
• Classification of documents
• Enforce the rules for each classification level
• Network monitoring for suspicious traffic
• Inform MELANI/KOBIK; if appropriate, file a criminal complaint against persons unknown with the cantonal police (KaPo)
Extortion
http://www.trustedwatch.de
Encryption trojan «Locky» (1/2)
Encryption trojan «Locky» (2/2)
Encryption trojan recommendations
• Back up data regularly
• Disconnect the backup medium from the PC/network after the backup
• Check the quality of the backups from time to time (test a restore)
• Never pay a ransom
• Inform MELANI/KOBIK; if appropriate, file a criminal complaint against persons unknown with the cantonal police (KaPo)
Max Klaus, Deputy Head, Reporting and Analysis Centre for Information Assurance MELANI
Schwarztorstrasse 59
3003 Bern
Thank you for your attention
Mobile-First: Aruba's secure network architecture for the GenMobile, Jörg Hofmann, HPE Aruba
MOBILE-FIRST
Secure network architecture
for the GenMobile
People Move
Networks Must Follow
WHO ARE WE
Source: Gartner, Magic Quadrant for the Wired and Wireless LAN Access Infrastructure, September 2015, Tim Zimmerman, Bill Menezes, Andrew Lerner, ID Number G00277052. This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from HP. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
"Clients globally should consider Aruba for all wired and wireless access layer opportunities"
Gartner MQ for Wired and Wireless LAN Access Infrastructure, August 2016
Founded 2002, IPO 2007
HPE's IT Edge portfolio since June 2015
$2.4B+ annual revenue run rate
"Biggest Small Company"
High touch business model
"Customer First, Customer Last"
Home of 45K+ Mobility Engineers (Airheads Community)
ENABLING GREAT
DIGITAL EXPERIENCES FOR GENMOBILE
70% SAY A MOBILE DEVICE MAKES THEM MORE PRODUCTIVE AT WORK
By 2018, 60% of users in mature markets will own and use more than 3 personal devices
50% of enterprises will allow employees to supply their own devices by 2017
Forrester: CIOs Must Empower the Digital Workplace
Forrester: The State of Enterprise Worker Mobility
Gartner: The Role of the Desktop in Our Multi-Device World
BY 2020, 50% OF THE GLOBAL WORKFORCE WILL BE MILLENNIALS
Millennials believe their personal technology is more effective at work
63% of millennials work for a company that offers a flexible work environment
Trends 2016, Code Conference, Mary Meeker Annual Presentation
Gartner: Millennial Digital Workers Really Are Different From Their Elders
LESS THAN 50% OF EMPLOYEES ARE SATISFIED WITH THE TECH THEY HAVE AT WORK
Employees want an environment where they can access and use the technology they need to do their best work
Enterprises need to think about how untethered employees can move easily and seamlessly from personal workspace to huddle area to open areas
Trends 2016, Code Conference, Mary Meeker Annual Presentation
Gartner: Millennial Digital Workers Really Are Different From Their Elders
80+ NEW IOT PROJECTS TO BE DEPLOYED WITH WIRELESS NETWORK ARCHITECTURE
Installed base of IoT endpoints will grow from 12.1B in '15 to 30B+ in '20
WLAN will become the IoT connectivity method of choice for many organizations, and choosing the wrong wireless tech can hinder the value of IoT
IDC: Planscape: Optimizing the WLAN for IoT
IDC: Worldwide Internet of Things Forecast Update, 2016-2020
THE PERFECT STORM: MOBILE, IoT AND CLOUD
"OLD STYLE" IT INFRASTRUCTURE: Gen Y
"NEW STYLE" IT INFRASTRUCTURE: GenMobile
OUR APPROACH
Legacy: separate architectures, port/VLAN aware, proprietary systems
Mobile First: single set of infrastructure, insightful and context-rich, developer ready
REQUIREMENTS FOR IT ORGANIZATIONS
• Scale network ops across wireless and wired infrastructure
• Enable a high-quality experience on mobile UC
• Stay compliant while embracing BYOD and IoT
• Deliver apps to remote locations in a heartbeat
• Improve workplace productivity and influence revenue growth
EASY TO CONSUME, DEVELOPER READY INFRASTRUCTURE
INNOVATION AT THE SPEED OF THE ECOSYSTEM, NOT A SINGLE VENDOR
Aruba Mobile First Platform (layered view):
• Aruba infrastructure: Wi-Fi, BLE, wired, WAN
• IT services: micro-location services, cloud networking, location analytics, policy management, network management, network controls
• Business and user facing applications
EMPLOYEE EXPERIENCE
• 09:00 Enroll mobile device
• 11:00 Privileged access with multi-factor authentication
• 13:00 Book meeting room
OPERATIONAL EXPERIENCE
• 09:30 Understand app usage (Aruba AppRF)
• 15:30 Monitor health of the smart building
IT EXPERIENCE
• 11:00 Predict, don't just troubleshoot (Aruba Clarity)
• 13:30 Understand, don't just monitor
ONCE BYOD AND IoT ARE ON YOUR NETWORK … SECURING THE PERIMETER IS NO LONGER ENOUGH
STAY COMPLIANT WHILE EMBRACING BYOD AND IoT
• Auto-classify unknown devices on any network with Aruba ClearPass
• Automate onboarding of each device to the network and enforce policy
• Detect & eliminate threats with ClearPass Exchange partners
SOFTWARE CONTROLS FOR NETWORK ACCESS SECURITY
Aruba ClearPass with Exchange Ecosystem (diagram):
• Endpoints: Internet of Things (IoT), BYOD and corporate owned
• Access layer: multi-vendor switching, multi-vendor WLANs
• Integrations over the REST API: security monitoring and threat prevention, device management and multi-factor authentication, helpdesk and voice/SMS service in the cloud
SOFTWARE CONTROLS FOR "COLORLESS" PORTS
• Device and user identity stores feed ClearPass
• Ports are assigned to new VLANs through ClearPass based on device type
• IoT devices on the wired network can connect to any port
• Prevention against malware and insider threats
• Secure per-device tunneling from Aruba switches to the Aruba Mobility Controller
LEADING SWISS BRANDS TRUST US
Break
Aruba ClearPass: the solution for secure network access, Manuel Bitzi, SOFTEC AG
Evolution of Access Management and Control
YESTERDAY
• Desktops & wired
• Basic AAA with user/port control
• Windows vulnerabilities
• Perimeter security via platform silos
• High touch IT model
TODAY
• Mobile devices, BYOD & wireless
• Multi-factor policy control with visibility
• Multiple attack vectors
• Cooperative trust via context sharing
• Self-service, automated process
Time For A New Mobility Defense Model
Static Perimeter Defense: IDS/IPS, firewalls, physical components, antivirus, web gateways
Adaptive Trust Defense: perimeter defense plus security and policy for each user or group
What are the main reasons for a NAC?
• Authentication / access protection
• Automatic configuration
• Workflows
• Visibility / traceability
Top IT NAC Business Drivers
Authentication and Authorization / NAC Services Deployment / Architecture and Coverage
• Provide secure wired and wireless access
• Enhance mobile and cloud app access
• Use of certificates
Deployment Services
• Offer differentiated access (IT-owned, BYOD, IoT)
• Deliver managed and reliable guest access
• Provide consistent privileges regardless of location
• Leverage 3rd-party security solutions
• IT-controlled access
• Automate workflows
• Simplicity
• Possible user intervention
ClearPass Policy Manager and NAC Solution
Built-in: policy engine, RADIUS/CoA/TACACS, profiling, accounting/reports, identity store
Expandable applications: Onboard, Guest, OnGuard (BYOD onboarding, simple guest access, health assessments); remote location
What's Inside
VISIBILITY: device profiling, troubleshooting, per-session tracking
WORKFLOW: onboarding and self-registration, guest management, MDM/EMM integration
RULES: context based, device posture checks, built-in certificate authority
Authentication based on Device Context
Device profiling:
• Samsung SM-G900
• Android
• "Jons-Galaxy"
EMM/MDM/OnGuard:
• Personal owned
• Registered
• OS up-to-date
• Hansen, Jon [Sales]
• MDM enabled = true
• In-compliance = true
Identity stores:
• Hansen, Jon [Sales]
• Title: COO
• Dept: Executive office
• City: London
Network devices:
• Location: Bldg 10
• Floor: 3
• Bandwidth: 10 Mbps
Value of a Policy Engine: Remove SSID Overload
OLD WAY: separate access & traffic by SSIDs
NEW WAY: simplify; separate traffic dynamically by context
ClearPass Exchange: End-to-End Control, Information and Visibility
Multi-vendor infrastructure
Device management and multi-factor authentication
Helpdesk and voice/SMS service in the cloud
Combine identity information
Standard protocols for custom extensions: REST API, SQL, XML/HTTP, LDAP, RADIUS, TACACS
Traffic control & threat prevention
ClearPass Exchange Example: Extensions for Intel Security (McAfee ePO)
Participants: corporate-owned and IoT devices, BYOD and corporate-owned devices, multi-vendor switching, multi-vendor WLAN, McAfee ePO
1. Devices establish connections
2. Devices are profiled
3. ClearPass checks McAfee ePO for endpoint status
4. ClearPass enforces access privileges
ClearPass Exchange Example: Bi-directional Exchange, Firewall/IPS Event
Participants: firewall, IPS, SIEM, etc.
1. User connects and uploads a threat
2. Firewall/IPS detects and blocks the event
3. Firewall/IPS sends the event to ClearPass
4. ClearPass informs the infrastructure
5. Infrastructure isolates the user
6. ClearPass notifies the user, opens a service ticket and notifies third-party devices
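Steps 4 and 5 above (ClearPass informs the infrastructure, which isolates the user) need a way to change a session that is already authenticated. The slides do not say which mechanism is used; the following added example (not ClearPass, Aruba or SOFTEC code) assumes the RADIUS Change-of-Authorization (CoA) that the Policy Manager slide lists among its built-in protocols, and shows the exchange as RFC 5176 defines it: the policy server builds a CoA-Request carrying session identification plus a new Filter-Id, the switch verifies the Request Authenticator, moves the session to the quarantine role and answers CoA-ACK; a tampered packet is silently discarded and an unknown session gets CoA-NAK with Error-Cause 503. The shared secret, session ID, MAC address and role names are constructed for the example; the UDP transport (port 3799) and the optional Message-Authenticator attribute are left out.

```python
"""RADIUS CoA-Request / CoA-ACK / CoA-NAK construction and verification (RFC 5176).

Added example, not ClearPass, Aruba or SOFTEC code. Shared secret, session
ID, MAC address and role names are constructed; the UDP transport and the
optional Message-Authenticator attribute are omitted.
"""
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple

# Packet codes (RFC 5176 section 2.1)
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
# Attribute types (RFC 2865 / RFC 2866 / RFC 5176)
USER_NAME, FILTER_ID, CALLING_STATION_ID, ACCT_SESSION_ID, ERROR_CAUSE = 1, 11, 31, 44, 101
SESSION_CONTEXT_NOT_FOUND = 503      # Error-Cause value (RFC 5176 section 3.5)

Attrs = List[Tuple[int, bytes]]


def encode_attrs(attrs: Attrs) -> bytes:
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("RADIUS attribute value longer than 253 octets")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(body: bytes) -> Attrs:
    attrs, pos = [], 0
    while pos < len(body):
        atype, alen = struct.unpack("!BB", body[pos:pos + 2])
        if alen < 2 or pos + alen > len(body):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((atype, body[pos + 2:pos + alen]))
        pos += alen
    return attrs


def build_request(code: int, identifier: int, attrs: Attrs, secret: bytes) -> bytes:
    """Request Authenticator = MD5(Code|ID|Length|16 zero octets|Attributes|Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_request(packet: bytes, secret: bytes) -> bool:
    """NAS side: recompute the Request Authenticator; a mismatch means silent discard."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_response(code: int, request: bytes, attrs: Attrs, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code|ID|Length|RequestAuthenticator|Attributes|Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    authenticator = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + authenticator + body


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def nas_handle_coa(packet: bytes, secret: bytes,
                   sessions: Dict[bytes, Dict[str, bytes]]) -> Optional[bytes]:
    """Switch/controller behaviour: verify, locate the session, apply the new role."""
    if not verify_request(packet, secret) or packet[0] != COA_REQUEST:
        return None                                   # silent discard (RFC 5176 s2.3)
    attrs = dict(decode_attrs(packet[20:]))
    session = sessions.get(attrs.get(ACCT_SESSION_ID, b""))
    if session is None or session["user"] != attrs.get(USER_NAME):
        cause = struct.pack("!I", SESSION_CONTEXT_NOT_FOUND)
        return build_response(COA_NAK, packet, [(ERROR_CAUSE, cause)], secret)
    session["filter"] = attrs.get(FILTER_ID, session["filter"])
    return build_response(COA_ACK, packet, [], secret)


def isolate_user_demo() -> dict:
    """Policy server moves jon.hansen's live session to the quarantine role (constructed data)."""
    secret = b"constructed-coa-secret"
    sessions = {b"3f01a2": {"user": b"jon.hansen", "filter": b"employee"}}
    request = build_request(COA_REQUEST, 7, [
        (USER_NAME, b"jon.hansen"),
        (CALLING_STATION_ID, b"00-1A-2B-3C-4D-5E"),
        (ACCT_SESSION_ID, b"3f01a2"),
        (FILTER_ID, b"quarantine"),
    ], secret)
    ack = nas_handle_coa(request, secret, sessions)
    # Same length, different role: the authenticator no longer matches, so it is dropped.
    tampered = request[:-10] + b"corp-admin"
    dropped = nas_handle_coa(tampered, secret, sessions)
    # Session already gone (user roamed or logged off): CoA-NAK with Error-Cause 503.
    stale = build_request(COA_REQUEST, 8, [(USER_NAME, b"jon.hansen"),
                                           (ACCT_SESSION_ID, b"deadbeef"),
                                           (FILTER_ID, b"quarantine")], secret)
    nak = nas_handle_coa(stale, secret, sessions)
    return {"secret": secret, "request": request, "ack": ack,
            "dropped": dropped, "nak": nak, "sessions": sessions}
```

The only thing protecting this exchange is the MD5 construction over a shared secret: anyone who can reach the NAS's CoA port and knows that secret can disconnect or re-authorize any session. Use a long random secret per NAS, restrict the CoA listener to the policy server's addresses, and enable the Message-Authenticator attribute where the NAS supports it.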
ClearPass Profiler Engine
• ClearPass collects as much information as possible to determine a device type
• Category, family, product name
• The fingerprint database is updated regularly
• Create your own fingerprints
• Store credentials for SNMP, SSH, etc.
• Profiling at authentication time or on demand
• Detection of IoT devices
Profiling sources: DHCP, SNMP, SSH, TCP/WMI, CDP/LLDP, OnGuard, NMAP, MAC OUI, HTTP
ClearPass Profiler Engine: profiling on authentication, discover IoT
Before: unknown / unknown
After: Lighting Sensor / Temperature Sensor
Unknown device: send to quarantine; after profiling: assign new policy
Discover IoT: assign the appropriate policy
ClearPass Profiler Engine: Custom Fingerprints Rules
OLD WAY: wait for new fingerprints to be made and/or manually override devices
NEW WAY: create your own fingerprints
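The three slides above describe one mechanism: evidence from several sources is matched against fingerprint rules, the best match yields category/family/product, an unmatched device is parked in quarantine, and a custom fingerprint lets an administrator classify a device the database does not know yet. The following added example (not ClearPass, Aruba or SOFTEC code) implements that loop in a small form; the evidence keys, the fingerprint rules, the OUIs and the sample endpoints are constructed for illustration and are not copied from any real fingerprint database.

```python
"""Toy device-profiling engine in the spirit of the ClearPass Profiler slides.

Added example, not ClearPass, Aruba or SOFTEC code. Evidence keys, fingerprint
rules, OUIs and sample endpoints are constructed; a real profiler consults a
large, regularly updated database fed by DHCP, SNMP, SSH, WMI, CDP/LLDP, Nmap,
MAC OUI and HTTP.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Fingerprint:
    """One rule: every evidence key listed must be present and contain the pattern."""
    category: str
    family: str
    product: str
    evidence: Dict[str, str]   # e.g. {"mac_oui": "02:1a:2b", "dhcp_hostname": "temp-"}
    weight: int                # richer, harder-to-spoof evidence gets a higher weight


@dataclass(frozen=True)
class Profile:
    category: str
    family: str
    product: str
    confidence: int


UNKNOWN = Profile("Unknown", "Unknown", "Unknown", 0)

# Constructed built-in fingerprints (illustrative values only).
BUILTIN_FINGERPRINTS: List[Fingerprint] = [
    Fingerprint("Computer", "Windows", "Windows 10",
                {"dhcp_options55": "1,3,6,15,31,33,43,44,46,47,119,121,249,252"}, 50),
    Fingerprint("Computer", "Windows", "Windows",
                {"http_user_agent": "windows nt"}, 30),
    Fingerprint("Computer", "Linux", "Linux",
                {"http_user_agent": "x11; linux"}, 30),
    Fingerprint("IoT", "Sensors", "Lighting Sensor",
                {"mac_oui": "02:5c:9e", "snmp_sysdescr": "lightctl"}, 60),
]


class Profiler:
    def __init__(self, fingerprints: List[Fingerprint]) -> None:
        self.fingerprints = list(fingerprints)

    def add_custom_fingerprint(self, fp: Fingerprint) -> None:
        """Custom fingerprints are ordinary rules; no need to wait for a database update."""
        self.fingerprints.append(fp)

    def profile(self, evidence: Dict[str, str]) -> Profile:
        """Return the highest-weight fingerprint whose evidence all matches, else UNKNOWN."""
        best: Optional[Fingerprint] = None
        for fp in self.fingerprints:
            matches = all(
                key in evidence and pattern.lower() in evidence[key].lower()
                for key, pattern in fp.evidence.items()
            )
            if matches and (best is None or fp.weight > best.weight):
                best = fp
        if best is None:
            return UNKNOWN
        return Profile(best.category, best.family, best.product, best.weight)


def enforcement_for(profile: Profile) -> str:
    """Profiling-on-authentication outcome: unknown devices wait in quarantine."""
    if profile.category == "Unknown":
        return "quarantine"
    if profile.category == "IoT":
        return "iot-restricted"
    return "default"


def discover_iot_demo():
    """Replays the Before/After slide for a temperature sensor no built-in rule knows."""
    profiler = Profiler(BUILTIN_FINGERPRINTS)
    sensor = {"mac_oui": "02:1a:2b"}                  # at first auth only the MAC is known
    before = profiler.profile(sensor)                 # Unknown -> quarantine
    sensor["dhcp_hostname"] = "temp-sensor-0417"      # DHCP request seen while quarantined
    profiler.add_custom_fingerprint(Fingerprint(
        "IoT", "Sensors", "Temperature Sensor",
        {"mac_oui": "02:1a:2b", "dhcp_hostname": "temp-"}, 60))
    after = profiler.profile(sensor)                  # Temperature Sensor -> iot-restricted
    return before, after


if __name__ == "__main__":
    b, a = discover_iot_demo()
    print(b, enforcement_for(b))
    print(a, enforcement_for(a))
```

Everything the profiler sees (OUI, DHCP options, hostnames, user agents) is chosen by the endpoint and can be faked, which is why the weights favour evidence gathered actively (SNMP, SSH, WMI, Nmap) and why a profiled "IoT" device still lands in a restricted role rather than being trusted: profiling is an input to policy, not an authentication.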
ClearPass Universal Profiler: Standalone Profiling Engine
• Standalone profiling engine
• Wired and wireless networks
• Easily distributed for coverage and scalability
• New device visibility dashboard
• Reports
• Gain visibility of your network
• GA February 2017
ClearPass Universal Profiler
DEMO: Profiling
ClearPass Modules / Workflows: OnGuard Client Health Check
• Automated health check before access
• Wired/wireless: ensures posture compliance for laptops/computers
• Security: forces use of anti-virus/anti-spyware, firewalls, disk encryption, …
• Remediation: manual or automatic
• Visibility: identifies poor behavior
• User notification: tells the user about failed checks
• Type: service (persistent agent) or dissolvable web checker
DEMO: OnGuard
ClearPass Modules / Workflows: Secure Guest Login
• Flexible guest logins for any visitor
• Customizable splash pages
• Self-service workflows
• SMS authentication
• Sponsoring
• Social login
• Vouchers
• Predefined user/password
• MAC caching for repeat visitors (re-admits by MAC address alone, which is spoofable; keep the caching window short and the guest role Internet-only)
• Suitable for mobile devices
ClearPass Modules / Workflows: Secure Guest Login, Look and Feel
ClearPass Modules / Workflows: OnBoard Employee Device
• BYOD: employees log in with personal devices
• User and IT friendly: one-time user registration, no IT intervention
• Security: IT-managed 802.1X and certificates
• Context: data added to the profile for adaptive policy and troubleshooting
• Self-managed: users can manage, delete and block their own devices
ClearPass Modules / Workflows: Certificate Distribution for BYOD
Enterprise PKI and CA (AD, RA, VA, CA):
• Certificate Authority, Validation Authority, Registration Authority, Active Directory
• IT-managed devices: domain, user, device, key & certificate
Built-in ClearPass CA:
• Personal devices: key & unique certificate per device
ClearPass Modules / Workflows: Multi-Factor Authentication
• Additional authentication for Guest and Onboard workflows
• Multiple providers supported:
  • SMS verification code
  • RSA Security
  • Duo
  • Zoom Facial Network
  • Kasada
  • More to come
DEMO: OnBoard BYOD
Possible access concept (wireless)
• Guests: SSID "open", captive portal, Internet only
• BYOD and Corp-PC: SSID "secure", 802.1X (dot1x), Corp LAN
• IoT: SSID "IoT", PSK plus MAC authentication and profiling; the assigned segment follows the profiled device type
Caveat for the IoT SSID: a pre-shared key is shared by every device that knows it and a MAC address is trivially spoofed, so neither proves a device's identity; profiling after connection and a restricted segment for that SSID are what limit the damage of a leaked key.
Possible access concept (wired)
• Guests: captive portal, Internet only
• Corp-PC: 802.1X (dot1x) with certificate, Corp LAN
• Others: MAC authentication plus profiling; the assigned segment (Internet only or Corp LAN) follows the profiled device type
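The wireless and wired access concepts above, together with the earlier "Authentication based on Device Context" slide, describe a single policy decision: combine how the device connected (SSID or wired port, captive portal, 802.1X with certificate, PSK, MAC authentication), what profiling says the device is, what OnGuard/MDM report about its posture and what the identity store says about the owner, then hand the switch or controller a role. The following added example (not ClearPass, Aruba or SOFTEC code, and not ClearPass's enforcement-policy format) implements that decision as an ordered first-match rule set and maps the result to the RADIUS VLAN attributes of RFC 3580; role names, VLAN numbers and context fields are constructed.

```python
"""Context-based access policy: first-match rules over connection, device, posture and
owner context, mapped to the RADIUS VLAN attributes a switch or controller applies.

Added example, not ClearPass, Aruba or SOFTEC code. Role names, VLAN IDs and the
context fields are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Context:
    medium: str                      # "wired" | "wireless"
    auth: str                        # "captive-portal" | "dot1x-cert" | "psk" | "mac-auth"
    device_category: str             # from profiling: "Computer", "Smartphone", "IoT", "Unknown"
    owner: str                       # "corporate" | "personal" | "unknown" (device registry / MDM)
    posture_ok: Optional[bool]       # OnGuard/MDM compliance; None when no agent data exists
    ssid: Optional[str] = None       # wireless only: "open" | "secure" | "IoT"


@dataclass(frozen=True)
class Enforcement:
    role: str
    vlan: int
    reason: str


# Evaluated top-down, first match wins: specific and restrictive rules come first.
RULES: List[Tuple[Callable[[Context], bool], Enforcement]] = [
    (lambda c: c.auth == "dot1x-cert" and c.owner == "corporate" and c.posture_ok is not False,
     Enforcement("corp-pc", 100, "IT-managed device with machine certificate")),
    (lambda c: c.auth == "dot1x-cert" and c.owner == "personal" and c.posture_ok is True,
     Enforcement("byod", 110, "onboarded personal device, posture compliant")),
    (lambda c: c.auth == "dot1x-cert" and c.owner == "personal",
     Enforcement("byod-remediation", 199, "onboarded personal device, posture failed or unknown")),
    (lambda c: c.auth in ("psk", "mac-auth") and (c.ssid == "IoT" or c.medium == "wired")
     and c.device_category == "IoT",
     Enforcement("iot", 120, "profiled IoT device on the IoT SSID or a colorless wired port")),
    (lambda c: c.auth in ("psk", "mac-auth") and (c.ssid == "IoT" or c.medium == "wired")
     and c.device_category == "Unknown",
     Enforcement("quarantine", 999, "unprofiled device: reprofile before granting more")),
    (lambda c: c.auth == "captive-portal",
     Enforcement("guest", 200, "Internet only")),
]
DENY = Enforcement("deny", 0, "no rule matched")


def decide(ctx: Context) -> Enforcement:
    for predicate, enforcement in RULES:
        if predicate(ctx):
            return enforcement
    return DENY


def radius_attributes(enf: Enforcement) -> Dict[str, str]:
    """RFC 3580 VLAN assignment plus a Filter-Id the NAS maps to a local ACL or role."""
    if enf.role == "deny":
        return {"Access": "Reject"}
    return {"Tunnel-Type": "13",            # VLAN
            "Tunnel-Medium-Type": "6",      # IEEE-802
            "Tunnel-Private-Group-Id": str(enf.vlan),
            "Filter-Id": enf.role}


def scenarios() -> Dict[str, str]:
    """The wireless and wired access concepts run through the engine (constructed cases)."""
    cases = {
        "guest on open SSID": Context("wireless", "captive-portal", "Smartphone", "unknown", None, "open"),
        "BYOD phone, compliant": Context("wireless", "dot1x-cert", "Smartphone", "personal", True, "secure"),
        "BYOD phone, MDM non-compliant": Context("wireless", "dot1x-cert", "Smartphone", "personal", False, "secure"),
        "corporate PC on wired 802.1X": Context("wired", "dot1x-cert", "Computer", "corporate", None),
        "temperature sensor on IoT SSID": Context("wireless", "psk", "IoT", "unknown", None, "IoT"),
        "unknown box on IoT SSID": Context("wireless", "psk", "Unknown", "unknown", None, "IoT"),
        "laptop doing MAC auth on secure SSID": Context("wireless", "mac-auth", "Computer", "unknown", None, "secure"),
    }
    return {name: decide(ctx).role for name, ctx in cases.items()}


if __name__ == "__main__":
    for name, role in scenarios().items():
        print(f"{name}: {role}")
```

Because evaluation is first-match, the order of the rules is part of the policy: the remediation rule must sit below the compliant-BYOD rule, and the quarantine rule must sit above anything that would admit an unprofiled device. Anything no rule covers falls through to a reject, which is what the "colorless port" idea requires: a port carries no implicit trust, the role comes entirely from the evaluated context.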
How to approach a NAC project: best practice and experience
• Know the devices on the network
  • What is there? Where is it? What is new?
  • Inventory, profiling
• Define use cases
  • Which stakeholder groups exist?
  • Workflows, processes, access
  • Few and simple: keep it simple
• Plan enough time for a proof of concept
  • Feed the PoC experience back in and adjust
• Implement step by step
  • Not everything at once
  • But comprehensive coverage in the end
Thank you for your attention
Manuel Bitzi, Project Manager Network Engineering
manuel.bitzi@softec.ch
Apéro and networking
Thank you for your visit
SOFTEC AG, Industriestrasse 51, CH-6312 Steinhausen
kurt.christen@softec.ch, +41 41 747 07 60
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
DDos Empfehlungen
Praumlvention
bull Businesskritische Systeme identifizieren
bull Schutzmassnahmen mit Provider definieren
Reaktion
bull laquoAussitzenraquo
bull Keinesfalls Loumlsegeld bezahlen
bull Meldung an MELANIKOBIK allenfalls Anzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
CEO Fraud
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
CEO Fraud
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Betrug Empfehlungen
bull Klare Weisungen bezuumlglich Zahlungen erteilen
bull Keine internen Informationen weitergeben
bull Im Zweifelsfall bei der GL nachfragen
bull Vorsicht auch bei Mails von vermeintlich bekannten Personen
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionageangriff auf BV
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage Beispiel aus der Schweiz
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage Empfehlungen
bull Klassifizierung von Dokumenten
bull Regeln fuumlr die verschiedenen Klassfizierungen durchsetzen
bull Netzwerkmonitoring betr verdaumlchtigem Datenverkehr
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Erpressung
httpwwwtrustedwatchde
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner laquoLockyraquo (12)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner laquoLockyraquo (22)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner Empfehlungen
bull Regelmaumlssige Datensicherung
bull Datentraumlger nach Backup vom PC Netz trennen
bull Qualitaumlt der Backups sporadisch uumlberpruumlfen
bull Keinesfalls Loumlsegeld bezahlen
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Max KlausStv Leiter Melde- und Analysestelle
Informationssicherung MELANI
Schwarztorstrasse 59
3003 Bern
Herzlichen Dank fuumlr Ihre Aufmerksamkeit
Mobile-First Arubalsquos sichere Netzwerkarchitektur fuumlr die GenMobileJoumlrg Hofmann HPE Aruba
MOBILE-FIRST
Sichere Netzwerkarchitektur
fuumlr die GenMobile
People Move
Networks Must Follow
WHO ARE WE
Source Gartner Magic Quadrant for the Wired and Wireless LAN Access Infrastructure September 2015 Tim Zimmerman Bill Menezes Andrew Lerner ID Number
G00277052 This Magic Quadrant graphic was published by Gartner Inc as part of a larger research note and should be evaluated in the context of the entire report
The Gartner report is available upon request from HP The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period It depicts
Gartners analysis of how certain vendors measure against criteria for that marketplace as defined by Gartner Gartner does not endorse any vendor product or
service depicted in the Magic Quadrant and does not advise technology users to select only those vendors placed in the Leaders quadrant The Magic Quadrant is
intended solely as a research tool and is not meant to be a specific guide to action Gartner disclaims all warranties express or implied with respect to this research
including any warranties of merchantability or fitness for a particular purpose
ldquoClients globally should consider
Aruba for all wired and wireless
access layer opportunitiesrdquo
Gartner MQ for Wired and Wireless LAN
Access Infrastructure August 2016
Founded 2002 IPO 2007
HPErsquos IT Edge portfolio since June 2015
$24B+ annual revenue run rate
ldquoBiggest Small Companyrdquo
High touch business model
ldquoCustomer First Customer Lastrdquo
Home of 45K+ Mobility Engineers
Airheads Community
ENABLING GREAT
DIGITAL EXPERIENCES FOR GENMOBILE
70 SAY A MOBILE DEVICE MAKES THEM MORE
PRODUCTIVE AT WORK
By 2018 60 of users in mature markets will own and use more
than 3 personal devices
50 of enterprises will allow employees to supply their own
devices by 2017
Forrester ndash CIOs Must Empower the Digital Workplace
Forrester ndash The State of Enterprise Worker Mobility
Gartner ndash The Role of the Desktop in Our Multi-Device World
BY 2020 50 OF THE GLOBAL WORKFORCE WILL BE MILLENNIALS
Millennials believe their personal technology is more
effective at work
63 of millennials work for a company that offers a flexible
work environment
Trends 2016 ndash Code Conference Mary Meeker Annual Presentation
Gartner ndash Millennial Digital Workers Really Are Different From Their Elders
LESS THAN 50 OF EMPLOYEES ARE
SATISFIED WITH TECH THEY HAVE AT WORK
Employees want an environment where they can access and use the technology hey need to do
their best work
Enterprises need to think how untethered employees can move
easily and seamlessly from personal workspace to huddle
area to open areas
Trends 2016 ndash Code Conference Mary Meeker Annual Presentation
Gartner ndash Millennial Digital Workers Really Are Different From Their Elders
80+ NEW IOT PROJECTS TO BE DEPLOYED WITH WIRELESS NETWORK ARCHITECTURE
Installed base of IoTendpoints will grow from
121B in lsquo15 to 30B+ in lsquo20
WLAN will become IoTconnectivity method of choice for many organizations and choosing
the wrong wireless tech can hinder the value of IoT
IDC ndash Planscape Optimizing the WLAN for IoT
IDC ndash Worldwide Internet of Things Forecast Update 2016-2020
THE PERFECT STORM
MOBILE IoT and CLOUD
ldquoOLD STYLErdquo IT INFRASTRUCTURE
Gen Y
ldquoNEW STYLErdquo IT INFRASTRUCTURE
GenMobile
OUR APPROACH
LegacySeparate architectures
Port VLAN aware
Proprietary systems
Mobile FirstSingle set of infrastructure
Insightful context-rich
Developer ready
REQUIREMENTS
FOR IT ORGANIZATIONS
Scale network ops
across wireless and
wired infrastructure
Enable high
quality experience
on mobile UC
Stay compliant
while embracing
BYOD and IoT
Deliver apps to
remote locations
in a heartbeat
Improve workplace
productivity and
influence revenue
growth
EASY TO CONSUME DEVELOPER READY INFRASTRUCTURE
INNOVATION AT THE SPEED OF THE ECOSYSTEM ndash NOT A SINGLE VENDOR
Aruba infrastructure
Wi-Fi BLE Wired WAN
Aruba Mobile First Platform
x
Micro-location
services
Cloud
networking
Location
analytics
Policy
management
Network
managementNetwork
controls
IT services
Business and user facing applications
EMPLOYEE
EXPERIENCE
0900
ENROLL
MOBILE DEVICE
1100
PRIVILEGED ACCESS
WITH MULTI-FACTOR
AUTHENTICATION
1300
BOOK
MEETING ROOM
OPERATIONAL
EXPERIENCE
0930
UNDERSTAND
APP USAGE
Aruba AppRF
1530
MONITOR HEALTH
OF THE SMART
BUILDING
IT EXPERIENCE
1100
PREDICT
DONrsquoT JUST
TROUBLESHOOT
Aruba Clarity
1330
UNDERSTAND
DONrsquoT JUST
MONITOR
ONCE BYOD AND IoT
ARE ON YOUR
NETWORK hellip
SECURING THE
PERIMETER IS NO
LONGER ENOUGH
STAY COMPLIANT
WHILE EMBRACING BYOD AND IOT
Auto-classify unknown devices
on any network with Aruba ClearPass
Automate onboarding of each device
to the network and enforce policy
Detect amp eliminate threats
with ClearPass Exchange partners
SOFTWARE CONTROLS FOR
NETWORK ACCESS SECURITY
Internet of
Things (IoT)
BYOD and
corporate owned
REST
API
Security monitoring
and threat prevention
Device management and
multi-factor authentication
Helpdesk and voiceSMS
service in the cloud
Multi-vendor
switching
Multi-vendor
WLANs
Aruba ClearPass with
Exchange Ecosystem
SOFTWARE CONTROLS FOR ldquoCOLORLESSrdquo PORTS
Device and
user identity
stores
Ports assigned to new
VLANs through ClearPass
based on device type
IoT devices on the
wired network
connecting to any portPrevention against malware
and insider threats
Secure per device
tunneling to Aruba
Mobility Controller
Aruba
switches
LEADING
SWISS
BRANDS
TRUST
US
Pause
Aruba ClearPass ndash Die Loumlsung fuumlr einen sicheren NetzwerkzugangManuel Bitzi SOFTEC AG
Evolution of Access Management and Control
Desktops amp Wired
Basic AAA with UserPort
Control
Windows Vulnerabilities
Perimeter security via
platform silos
High touch IT model
Mobile Devices BYOD amp
Wireless
Multi-factor policy control with
visibility
Multiple Attack Vectors
Cooperative trust via
context sharing
Self Service automated
process
YESTERDAY TODAY
Time For A New Mobility Defense Model
Static Perimeter Defense
IDSIPS
Firewalls
Adaptive Trust Defense
Perimeter
Defense
Physical
Components
AntiVirus
Security and Policy
for each user or
group
Web
gateways
Was sind die Hauptgruumlnde fuumlr ein NAC
AuthentifizierungZugriffsschutz
Automatische Konfiguration
Workflows
VisibilitaumltNachvollziehbarkeit
Top IT NAC Business Drivers
Authentication and Authorization
NAC Services Deployment
Architecture and Coverage
bull Provide secure wired
and wireless access
bull Enhance mobile and
cloud app access
bull Use of certificates
Deployment Services
bull Offer differentiated
access (IT-owned
BYOD IoT)
bull Deliver managed
and reliable guest
access
bull Provide consistent
privileges regardless
of location
bull Leverage 3rd-party
security solutions
bull IT-controlled access
bull Automate workflows
bull Simplicity
bull Possible User-
intervention
ClearPass Policy Manager and NAC Solution
Onboard Guest
Built-inbull Policy Enginebull RADIUSCoATACACSbull Profilingbull Accountingreportsbull Identity store
Expandable Applications
Remote Location
bull BYOD onboardingbull Simple guest accessbull Health assessments
OnGuard
Whatrsquos Inside
VISIBILITY
Device Profiling
Troubleshooting
Per Session Tracking
WORKFLOW
Onboarding and
Self-Registration
Guest Management
MDMEMM Integration
RULES
Context based
Device
Posture Checks
Built-in Certificate
Authority
Authentication based on Device Context
Device
Profiling
bull Samsung SM-G900
bull Android
bull ldquoJons-Galaxyrdquo
EMMMDMOnGuard
bull Personal owned
bull Registered
bull OS up-to-date
bull Hansen Jon [Sales]
bull MDM enabled = true
bull In-compliance = true
Identity
Stores
Network Devices
bull Hansen Jon [Sales]
bull Title ndash COO
bull Dept ndash Executive office
bull City ndash London
bull Location ndash Bldg 10
bull Floor ndash 3
bull Bandwidth ndash 10Mbps
Value of a Policy EngineRemove SSID Overload
NEW WAY Simplify separate traffic dynamically
by context
OLD WAY Separate access amp
traffic by SSIDs
ClearPass ExchangeEnd-to-End Control Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voiceSMSservice in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST APISQL
XMLHTTP LDAP
RADIUSTACACS
Traffic control ampthreat prevention
ClearPass Exchange ExampleExtensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
Devices profiled2 ClearPass checks McAfee ePO for endpoint status
3
ClearPass enforcesaccess privileges4
Devices establish connections1
ClearPass Exchange ExampleBi-directional Exchange ndash FirewallIPS Event
FirewallIPSSIEMetchellip
user connects and uploads threat
sends event to ClearPass
informs infrastructure
1 2
4
detects and blocks event
3isolates user5
notifies user opens service ticket notify third-party devices6
ClearPass Profiler Engine
bull ClearPass sammelt so viele Informationen wie moumlglich um einen Geraumltetyp zu bestimmen
bull Category Family Product Name
bull Fingerprint-Datenbank wird regelmaumlssig aktualisiert
bull Eigene Fingerprints erstellen
bull Credentials fuumlr SMNP SSH etc hinterlegen
bull Profiling bei Authentifizierung oder nach Bedarf
bull Erkennen von IoT Devices
DHCP
SNMP
SSH
TCPWMI
CDP LLDP
OnGuard
NMAP
Mac OUI
HTTP
ClearPass Profiler EngineProfiling on authentication discover IoT
AfterBefore
Lighting Sensorunknown
unknown Temperature Sensor
send to
quarantineprofiling assign
new policy
discover IoT assign appropriated policy
ClearPass Profiler EngineCustom Fingerprints Rules
NEW WAY Create your own
Fingerprints
OLD WAY Wait for new Fingerprints to be made andor manually override
devices 11
ClearPass Universal ProfilerStandalone Profiling Engine
bull Standalone profiling engine
bull Wired and wireless networks
bull Easily distributed for coverage
and scalability
bull New device visibility dashboard
bull Reports
bull Gain Visibility of your Network
bull GA February 2017
ClearPass Universal Profiler
DEMO Profiling
Clearpass Modules WorkflowsOnGuard Client Health Check
bull Automated Healthcheck before Access
bull WiredWireless Ensures posture compliance for laptopscomputers
bull Security Forces use of Anti-VirusAnti-Spyware firewalls disk encryptionhellip
bull Remediation Manual or auto
bull Visibility Identifies poor behavior
bull User Notification Tells User about failed checks
bull Type Service or dissolvable Web Checker
DEMO OnGuard
Clearpass Modules WorkflowsSecure Guest Login
bull Flexible Guest Logins for Any Visitor
bull Customizable Splash Pages
bull Self-Service Workflows
bull SMS Authentication
bull Sponsoring
bull Social Login
bull Vouchers
bull Predefined UserPassword
bull MAC Caching for repeat visitors
bull Suitable for Mobile Devices
Clearpass Modules WorkflowsSecure Guest Login Look and Feel
Clearpass Modules WorkflowsOnBoard Employee Device
bull BYOD Employees Login with Personal Devices
bull User and IT friendly One time user registration no IT intervention
bull Security IT managed 8021X and Certificates
bull Context Data added to profile for adaptive policy and troubleshooting
bull Selfmanaged User can manage delete and block devices by their own
Clearpass Modules WorkflowsCertificate Distribution for BYOD
bull Domain
bull Key amp
Certificate
Enterprise PKI and CA Built-in ClearPass CA
Certificate
Authority
Validation
Authority
Registration
Authority
Active
Directory
IT-Managed
Devices
bull Domain
bull User
bull Device
bull Key amp Unique
Certificate
Personal
Devices
CA
Certificate
Authority
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
CEO Fraud
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
CEO Fraud
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Betrug Empfehlungen
bull Klare Weisungen bezuumlglich Zahlungen erteilen
bull Keine internen Informationen weitergeben
bull Im Zweifelsfall bei der GL nachfragen
bull Vorsicht auch bei Mails von vermeintlich bekannten Personen
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionageangriff auf BV
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage Beispiel aus der Schweiz
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage Empfehlungen
bull Klassifizierung von Dokumenten
bull Regeln fuumlr die verschiedenen Klassfizierungen durchsetzen
bull Netzwerkmonitoring betr verdaumlchtigem Datenverkehr
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Erpressung
httpwwwtrustedwatchde
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner laquoLockyraquo (12)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner laquoLockyraquo (22)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner Empfehlungen
bull Regelmaumlssige Datensicherung
bull Datentraumlger nach Backup vom PC Netz trennen
bull Qualitaumlt der Backups sporadisch uumlberpruumlfen
bull Keinesfalls Loumlsegeld bezahlen
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Max Klaus, Deputy Head, Reporting and Analysis Centre for Information Assurance MELANI
Schwarztorstrasse 59
3003 Bern
Thank you for your attention
Mobile-First: Aruba's secure network architecture for GenMobile (Jörg Hofmann, HPE Aruba)
MOBILE-FIRST
Secure network architecture
for GenMobile
People Move
Networks Must Follow
WHO ARE WE
Source: Gartner Magic Quadrant for the Wired and Wireless LAN Access Infrastructure, September 2015, Tim Zimmerman, Bill Menezes, Andrew Lerner, ID Number G00277052. This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from HP. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
“Clients globally should consider Aruba for all wired and wireless access layer opportunities”
Gartner MQ for Wired and Wireless LAN
Access Infrastructure August 2016
Founded 2002, IPO 2007
HPE's IT Edge portfolio since June 2015
$24B+ annual revenue run rate
“Biggest Small Company”
High-touch business model
“Customer First, Customer Last”
Home of 45K+ Mobility Engineers
Airheads Community
ENABLING GREAT
DIGITAL EXPERIENCES FOR GENMOBILE
70% SAY A MOBILE DEVICE MAKES THEM MORE PRODUCTIVE AT WORK
By 2018, 60% of users in mature markets will own and use more than 3 personal devices
50% of enterprises will allow employees to supply their own devices by 2017
Forrester – CIOs Must Empower the Digital Workplace
Forrester – The State of Enterprise Worker Mobility
Gartner – The Role of the Desktop in Our Multi-Device World
BY 2020, 50% OF THE GLOBAL WORKFORCE WILL BE MILLENNIALS
Millennials believe their personal technology is more effective at work
63% of millennials work for a company that offers a flexible work environment
Trends 2016 – Code Conference, Mary Meeker Annual Presentation
Gartner – Millennial Digital Workers Really Are Different From Their Elders
LESS THAN 50% OF EMPLOYEES ARE SATISFIED WITH THE TECH THEY HAVE AT WORK
Employees want an environment where they can access and use the technology they need to do their best work
Enterprises need to think how untethered employees can move easily and seamlessly from personal workspace to huddle area to open areas
Trends 2016 – Code Conference, Mary Meeker Annual Presentation
Gartner – Millennial Digital Workers Really Are Different From Their Elders
80+ NEW IOT PROJECTS TO BE DEPLOYED WITH WIRELESS NETWORK ARCHITECTURE
Installed base of IoT endpoints will grow from 12.1B in '15 to 30B+ in '20
WLAN will become the IoT connectivity method of choice for many organizations, and choosing the wrong wireless tech can hinder the value of IoT
IDC – Planscape: Optimizing the WLAN for IoT
IDC – Worldwide Internet of Things Forecast Update 2016-2020
THE PERFECT STORM
MOBILE IoT and CLOUD
“OLD STYLE” IT INFRASTRUCTURE
Gen Y
“NEW STYLE” IT INFRASTRUCTURE
GenMobile
OUR APPROACH
Legacy: Separate architectures; Port/VLAN aware; Proprietary systems
Mobile First: Single set of infrastructure; Insightful, context-rich; Developer ready
REQUIREMENTS FOR IT ORGANIZATIONS
• Scale network ops across wireless and wired infrastructure
• Enable high-quality experience on mobile UC
• Stay compliant while embracing BYOD and IoT
• Deliver apps to remote locations in a heartbeat
• Improve workplace productivity and influence revenue growth
EASY TO CONSUME, DEVELOPER-READY INFRASTRUCTURE
INNOVATION AT THE SPEED OF THE ECOSYSTEM – NOT A SINGLE VENDOR
Aruba infrastructure: Wi-Fi, BLE, Wired, WAN
Aruba Mobile First Platform
IT services: Micro-location services; Cloud networking; Location analytics; Policy management; Network management; Network controls
Business and user facing applications
EMPLOYEE EXPERIENCE
09:00 Enroll mobile device
11:00 Privileged access with multi-factor authentication
13:00 Book meeting room
OPERATIONAL EXPERIENCE
09:30 Understand app usage (Aruba AppRF)
15:30 Monitor health of the smart building
IT EXPERIENCE
11:00 Predict, don't just troubleshoot (Aruba Clarity)
13:30 Understand, don't just monitor
ONCE BYOD AND IoT ARE ON YOUR NETWORK … SECURING THE PERIMETER IS NO LONGER ENOUGH
STAY COMPLIANT WHILE EMBRACING BYOD AND IOT
• Auto-classify unknown devices on any network with Aruba ClearPass
• Automate onboarding of each device to the network and enforce policy
• Detect & eliminate threats with ClearPass Exchange partners
SOFTWARE CONTROLS FOR NETWORK ACCESS SECURITY
Aruba ClearPass with Exchange Ecosystem (diagram): endpoints: Internet of Things (IoT), BYOD and corporate owned; infrastructure: multi-vendor switching, multi-vendor WLANs; via REST API: security monitoring and threat prevention; device management and multi-factor authentication; helpdesk and voice/SMS service in the cloud
SOFTWARE CONTROLS FOR “COLORLESS” PORTS
• Device and user identity stores
• Ports assigned to new VLANs through ClearPass based on device type
• IoT devices on the wired network connecting to any port
• Prevention against malware and insider threats
• Secure per-device tunneling to Aruba Mobility Controller
• Aruba switches
LEADING SWISS BRANDS TRUST US
Break
Aruba ClearPass – The solution for secure network access (Manuel Bitzi, SOFTEC AG)
Evolution of Access Management and Control
YESTERDAY: Desktops & Wired; Basic AAA with User/Port Control; Windows vulnerabilities; Perimeter security via platform silos; High-touch IT model
TODAY: Mobile Devices, BYOD & Wireless; Multi-factor policy control with visibility; Multiple attack vectors; Cooperative trust via context sharing; Self-service, automated process
Time For A New Mobility Defense Model
Static Perimeter Defense: IDS/IPS; Firewalls; AntiVirus; Web gateways; Physical components
Adaptive Trust Defense: Perimeter defense plus security and policy for each user or group
What are the main reasons for a NAC?
Authentication / access protection
Automatic configuration
Workflows
Visibility / traceability
Top IT NAC Business Drivers
Authentication and Authorization:
• Provide secure wired and wireless access
• Enhance mobile and cloud app access
• Use of certificates
NAC Services Deployment / Deployment Services:
• Offer differentiated access (IT-owned, BYOD, IoT)
• Deliver managed and reliable guest access
• Provide consistent privileges regardless of location
• Leverage 3rd-party security solutions
Architecture and Coverage:
• IT-controlled access
• Automate workflows
• Simplicity
• Possible user intervention
ClearPass Policy Manager and NAC Solution
Built-in: • Policy Engine • RADIUS/CoA/TACACS • Profiling • Accounting/reports • Identity store
Expandable applications (Onboard, Guest, OnGuard; remote location): • BYOD onboarding • Simple guest access • Health assessments
What's Inside
VISIBILITY: Device Profiling; Troubleshooting; Per-Session Tracking
WORKFLOW: Onboarding and Self-Registration; Guest Management; MDM/EMM Integration
RULES: Context based; Device Posture Checks; Built-in Certificate Authority
Authentication based on Device Context
Device Profiling: • Samsung SM-G900 • Android • “Jons-Galaxy”
EMM/MDM/OnGuard: • Personal owned • Registered • OS up-to-date • Hansen, Jon [Sales] • MDM enabled = true • In-compliance = true
Identity Stores: • Hansen, Jon [Sales] • Title – COO • Dept – Executive office
Network Devices: • City – London • Location – Bldg 10 • Floor – 3 • Bandwidth – 10Mbps
Value of a Policy Engine: Remove SSID Overload
OLD WAY: Separate access & traffic by SSIDs
NEW WAY: Simplify, separate traffic dynamically by context
ClearPass Exchange: End-to-End Control, Information and Visibility
Multi-vendor infrastructure; device management and multi-factor authentication; helpdesk and voice/SMS service in the cloud; combine identity information; traffic control & threat prevention
Standard protocols for custom extensions: REST API, SQL, XML/HTTP, LDAP, RADIUS, TACACS
ClearPass Exchange Example: Extensions for Intel Security – McAfee ePO
(Corporate owned and IoT; BYOD and corporate owned; multi-vendor switching; multi-vendor WLAN; McAfee ePO)
1. Devices establish connections
2. Devices profiled
3. ClearPass checks McAfee ePO for endpoint status
4. ClearPass enforces access privileges
ClearPass Exchange Example: Bi-directional Exchange – Firewall/IPS Event
(Firewall / IPS / SIEM etc. …)
1. User connects and uploads threat
2. Firewall/IPS detects and blocks the event
3. Sends event to ClearPass
4. ClearPass informs the infrastructure
5. Isolates the user
6. Notifies user, opens service ticket, notifies third-party devices
ClearPass Profiler Engine
• ClearPass collects as much information as possible to determine a device type
• Category, Family, Product Name
• The fingerprint database is updated regularly
• Create your own fingerprints
• Store credentials for SNMP, SSH etc.
• Profiling at authentication or on demand
• Detection of IoT devices
Collectors: DHCP, SNMP, SSH, TCP/WMI, CDP/LLDP, OnGuard, NMAP, MAC OUI, HTTP
ClearPass Profiler Engine: Profiling on authentication, discover IoT
Before: Lighting Sensor = unknown, Temperature Sensor = unknown → send to quarantine → profiling → assign new policy
After: discover IoT, assign the appropriate policy
ClearPass Profiler Engine: Custom Fingerprints / Rules
OLD WAY: Wait for new fingerprints to be made and/or manually override devices
NEW WAY: Create your own fingerprints
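As an added illustration of the collector-and-fingerprint approach described on these slides (not ClearPass code; every fingerprint, OUI and endpoint below is constructed), a small profiler that combines MAC OUI, DHCP option 55 and HTTP User-Agent evidence, reports Category / Family / Product Name, keeps a device Unknown until enough collectors agree, and shows how an operator-defined custom fingerprint turns an unknown sensor into a classified one:

```python
"""Toy device-profiling engine: several collectors (MAC OUI, DHCP option 55,
HTTP User-Agent) contribute evidence, a fingerprint database maps it to
Category / Family / Product Name, and operator-defined custom fingerprints
take precedence. Added illustration, not ClearPass code; every fingerprint,
OUI and endpoint below is constructed for the example."""
from dataclasses import dataclass


@dataclass
class Fingerprint:
    name: str                  # Product Name
    category: str              # e.g. "SmartDevice", "Computer"
    family: str                # e.g. "Lighting Sensor", "Android"
    oui_prefixes: tuple = ()   # first three octets of the MAC, upper-case
    dhcp_param_list: str = ""  # DHCP option 55 (parameter request list)
    ua_contains: str = ""      # substring expected in the HTTP User-Agent
    custom: bool = False       # True for operator-created fingerprints


# Constructed stand-in for the regularly updated vendor fingerprint database.
FINGERPRINT_DB = [
    Fingerprint("Galaxy S5", "SmartDevice", "Android",
                oui_prefixes=("02:AA:01",),
                dhcp_param_list="1,3,6,15,26,28,51,58,59,43",
                ua_contains="Android"),
    Fingerprint("ThinkPad", "Computer", "Windows",
                oui_prefixes=("02:BB:02",),
                dhcp_param_list="1,3,6,15,31,33,43,44,46,47,121,249,252"),
]


@dataclass
class Endpoint:
    mac: str
    dhcp_param_list: str = ""   # empty when that collector saw nothing
    user_agent: str = ""


@dataclass
class Profile:
    category: str
    family: str
    name: str
    confidence: int   # number of collectors whose evidence agreed


UNKNOWN = Profile("Unknown", "Unknown", "Unknown", 0)


def _oui(mac: str) -> str:
    return mac.upper()[:8]


def score(fp: Fingerprint, ep: Endpoint) -> int:
    """Count the collectors (OUI, DHCP, HTTP) that support fp for ep."""
    hits = 0
    if fp.oui_prefixes and _oui(ep.mac) in fp.oui_prefixes:
        hits += 1
    if fp.dhcp_param_list and ep.dhcp_param_list == fp.dhcp_param_list:
        hits += 1
    if fp.ua_contains and fp.ua_contains in ep.user_agent:
        hits += 1
    return hits


def profile(ep: Endpoint, db=None, min_hits: int = 2) -> Profile:
    """Pick the best-supported fingerprint; custom ones win ties.

    A device needs at least min_hits independent collectors to agree,
    otherwise it stays Unknown, which on the slides means it goes to the
    quarantine/profiling VLAN until more evidence has been collected."""
    db = FINGERPRINT_DB if db is None else db
    best, best_key = None, (0, False)
    for fp in db:
        key = (score(fp, ep), fp.custom)
        if key[0] and key > best_key:
            best, best_key = fp, key
    if best is None or best_key[0] < min_hits:
        return UNKNOWN
    return Profile(best.category, best.family, best.name, best_key[0])


def add_custom_fingerprint(db: list, name: str, category: str,
                           family: str, **matchers) -> None:
    """Operator-defined fingerprint (the slides' 'create your own')."""
    db.append(Fingerprint(name, category, family, custom=True, **matchers))


if __name__ == "__main__":
    # Constructed lighting sensor: OUI and DHCP option 55 are visible, but
    # the stock database has no matching fingerprint, so it stays Unknown.
    sensor = Endpoint("02:cc:03:12:34:56", dhcp_param_list="1,3,6,12")
    print(profile(sensor))
    db = list(FINGERPRINT_DB)
    add_custom_fingerprint(db, "ACME Lux-1", "SmartDevice", "Lighting Sensor",
                           oui_prefixes=("02:CC:03",), dhcp_param_list="1,3,6,12")
    print(profile(sensor, db))   # classified with confidence 2
```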
ClearPass Universal Profiler: Standalone Profiling Engine
• Standalone profiling engine
• Wired and wireless networks
• Easily distributed for coverage and scalability
• New device visibility dashboard
• Reports
• Gain visibility of your network
• GA February 2017
ClearPass Universal Profiler
DEMO: Profiling
ClearPass Modules / Workflows: OnGuard Client Health Check
• Automated health check before access
• Wired/Wireless: Ensures posture compliance for laptops/computers
• Security: Forces use of anti-virus/anti-spyware, firewalls, disk encryption …
• Remediation: Manual or auto
• Visibility: Identifies poor behavior
• User Notification: Tells the user about failed checks
• Type: Service or dissolvable Web Checker
DEMO: OnGuard
ClearPass Modules / Workflows: Secure Guest Login
• Flexible guest logins for any visitor
• Customizable splash pages
• Self-service workflows
• SMS authentication
• Sponsoring
• Social login
• Vouchers
• Predefined user/password
• MAC caching for repeat visitors
• Suitable for mobile devices
ClearPass Modules / Workflows: Secure Guest Login Look and Feel
ClearPass Modules / Workflows: OnBoard Employee Device
• BYOD: Employees log in with personal devices
• User and IT friendly: One-time user registration, no IT intervention
• Security: IT-managed 802.1X and certificates
• Context: Data added to the profile for adaptive policy and troubleshooting
• Self-managed: Users can manage, delete and block their own devices
ClearPass Modules / Workflows: Certificate Distribution for BYOD
Enterprise PKI and CA (Certificate Authority, Validation Authority, Registration Authority, Active Directory: AD/RA/VA CA) → IT-managed devices: • Domain • Key & Certificate
Built-in ClearPass CA (Certificate Authority, CA) → Personal devices: • Domain • User • Device • Key & Unique Certificate
ClearPass Modules / Workflows: Multi-Factor Authentication
• Additional authentication for Guest and Onboard workflows
• Multiple support
• SMS verification code
• RSA Security
• Duo
• Zoom Facial Network
• Kasada
• More to come
DEMO: OnBoard BYOD
Possible access concept: Wireless
• Guests: SSID “open”, Captive-Portal → Internet only
• BYOD: SSID “secure”, Dot1x → Corp-PC: Corp LAN; others: Internet
• SSID “IoT”: PSK / MAC / Profiling
Possible access concept: Wired
• Guests: Captive-Portal → Internet only
• Dot1x → Corp-PC (Cert): Corp LAN; others: Internet
• MAC-Auth / Profiling
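As an added example serving both the "Authentication based on Device Context" / "Value of a Policy Engine" slides and the wireless and wired access concepts above (illustrative code, not ClearPass; the role names, VLAN names, context attribute names and the CoA action string are assumptions), a policy engine that derives the enforcement profile from profiling, MDM/posture and authentication context rather than from the SSID, and isolates a session via CoA when a firewall/IPS reports a threat, as in the bi-directional Exchange example:

```python
"""Context-based access policy: the enforcement profile (role and VLAN)
is derived from device profile, ownership, MDM/posture state and the
authentication method, instead of from the SSID a client happened to
join; a threat event from a firewall/IPS triggers a CoA that isolates
the session. Added illustration, not ClearPass code; role names, VLAN
names, attribute names and the CoA action string are all assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Context:
    auth_method: str              # "dot1x", "captive_portal", "mac_auth", "psk"
    device_category: str          # from profiling: "Computer", "SmartDevice", "Unknown"
    corporate_owned: bool = False   # IT-managed (domain-joined) device
    cert_auth: bool = False         # authenticated with a client certificate
    mdm_enrolled: bool = False      # EMM/MDM "registered"
    in_compliance: bool = False     # MDM / OnGuard posture result


@dataclass
class Enforcement:
    role: str
    vlan: str
    reason: str


# Constructed VLAN plan mirroring the outcomes on the access-concept slides.
VLANS = {
    "corp": "Corp LAN",
    "internet": "Internet",
    "guest": "Internet only",
    "iot": "IoT",
    "quarantine": "Quarantine/Profiling",
}


def decide(ctx: Context) -> Enforcement:
    """Ordered rule set; the first matching rule wins."""
    if ctx.device_category == "Unknown":
        return Enforcement("quarantine", VLANS["quarantine"],
                           "unknown device: profile before granting access")
    if ctx.auth_method == "captive_portal":
        return Enforcement("guest", VLANS["guest"], "guest portal login")
    if ctx.auth_method == "dot1x":
        if ctx.corporate_owned and ctx.cert_auth:
            return Enforcement("corp-pc", VLANS["corp"],
                               "IT-managed device with certificate")
        if ctx.mdm_enrolled and ctx.in_compliance:
            return Enforcement("byod", VLANS["internet"],
                               "personal device, MDM enrolled and compliant")
        return Enforcement("byod-remediate", VLANS["quarantine"],
                           "personal device out of compliance")
    if ctx.auth_method in ("mac_auth", "psk") and ctx.device_category == "SmartDevice":
        return Enforcement("iot", VLANS["iot"], "profiled IoT device")
    return Enforcement("deny", VLANS["quarantine"], "no matching rule")


@dataclass
class Session:
    session_id: str
    mac: str
    user: str
    enforcement: Enforcement


class PolicyManager:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}
        self.coa_log: List[Tuple[str, str]] = []   # CoA messages sent to the NAD
        self.tickets: List[str] = []               # helpdesk tickets opened

    def authenticate(self, session_id: str, mac: str, user: str,
                     ctx: Context) -> Enforcement:
        enf = decide(ctx)
        self.sessions[session_id] = Session(session_id, mac, user, enf)
        return enf

    def threat_event(self, mac: str, source: str) -> Optional[Enforcement]:
        """Bi-directional exchange: a firewall/IPS/SIEM reports a MAC, the
        session is moved to quarantine via CoA and a ticket is opened."""
        for s in self.sessions.values():
            if s.mac.lower() == mac.lower():
                s.enforcement = Enforcement("quarantine", VLANS["quarantine"],
                                            f"threat reported by {source}")
                self.coa_log.append((s.session_id, "coa-reauth:quarantine"))
                self.tickets.append(f"{s.user} ({mac}) isolated after {source} event")
                return s.enforcement
        return None   # no active session for that MAC


if __name__ == "__main__":
    pm = PolicyManager()
    print(pm.authenticate("s1", "02:11:22:33:44:55", "jon.hansen",
                          Context("dot1x", "Computer", corporate_owned=True, cert_auth=True)))
    print(pm.threat_event("02:11:22:33:44:55", "IPS"), pm.tickets)
```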
How to approach a NAC project: best practice and experience
• Know the devices in the network
  • What is there? Where are they? What is new?
  • Inventory, profiling
• Define use cases
  • Which stakeholder groups are there?
  • Procedures, processes, access
  • Simple and few: keep it simple
• Plan enough time for a proof of concept
  • Bring in the experience from the PoC and adapt
• Implement step by step
  • Not everything at once
  • But ultimately with full coverage
Thank you for your attention
Manuel Bitzi, Project Leader Network Engineering
manuel.bitzi@softec.ch
Apéro and networking
Thank you for your visit
SOFTEC AG, Industriestrasse 51, CH-6312 Steinhausen
kurt.christen@softec.ch, +41 41 747 07 60
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
CEO Fraud
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Betrug Empfehlungen
bull Klare Weisungen bezuumlglich Zahlungen erteilen
bull Keine internen Informationen weitergeben
bull Im Zweifelsfall bei der GL nachfragen
bull Vorsicht auch bei Mails von vermeintlich bekannten Personen
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionageangriff auf BV
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage Beispiel aus der Schweiz
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage Empfehlungen
bull Klassifizierung von Dokumenten
bull Regeln fuumlr die verschiedenen Klassfizierungen durchsetzen
bull Netzwerkmonitoring betr verdaumlchtigem Datenverkehr
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Erpressung
httpwwwtrustedwatchde
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner laquoLockyraquo (12)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner laquoLockyraquo (22)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner Empfehlungen
bull Regelmaumlssige Datensicherung
bull Datentraumlger nach Backup vom PC Netz trennen
bull Qualitaumlt der Backups sporadisch uumlberpruumlfen
bull Keinesfalls Loumlsegeld bezahlen
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Max KlausStv Leiter Melde- und Analysestelle
Informationssicherung MELANI
Schwarztorstrasse 59
3003 Bern
Herzlichen Dank fuumlr Ihre Aufmerksamkeit
Mobile-First Arubalsquos sichere Netzwerkarchitektur fuumlr die GenMobileJoumlrg Hofmann HPE Aruba
MOBILE-FIRST
Sichere Netzwerkarchitektur
fuumlr die GenMobile
People Move
Networks Must Follow
WHO ARE WE
Source Gartner Magic Quadrant for the Wired and Wireless LAN Access Infrastructure September 2015 Tim Zimmerman Bill Menezes Andrew Lerner ID Number
G00277052 This Magic Quadrant graphic was published by Gartner Inc as part of a larger research note and should be evaluated in the context of the entire report
The Gartner report is available upon request from HP The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period It depicts
Gartners analysis of how certain vendors measure against criteria for that marketplace as defined by Gartner Gartner does not endorse any vendor product or
service depicted in the Magic Quadrant and does not advise technology users to select only those vendors placed in the Leaders quadrant The Magic Quadrant is
intended solely as a research tool and is not meant to be a specific guide to action Gartner disclaims all warranties express or implied with respect to this research
including any warranties of merchantability or fitness for a particular purpose
ldquoClients globally should consider
Aruba for all wired and wireless
access layer opportunitiesrdquo
Gartner MQ for Wired and Wireless LAN
Access Infrastructure August 2016
Founded 2002 IPO 2007
HPErsquos IT Edge portfolio since June 2015
$24B+ annual revenue run rate
ldquoBiggest Small Companyrdquo
High touch business model
ldquoCustomer First Customer Lastrdquo
Home of 45K+ Mobility Engineers
Airheads Community
ENABLING GREAT
DIGITAL EXPERIENCES FOR GENMOBILE
70 SAY A MOBILE DEVICE MAKES THEM MORE
PRODUCTIVE AT WORK
By 2018 60 of users in mature markets will own and use more
than 3 personal devices
50 of enterprises will allow employees to supply their own
devices by 2017
Forrester ndash CIOs Must Empower the Digital Workplace
Forrester ndash The State of Enterprise Worker Mobility
Gartner ndash The Role of the Desktop in Our Multi-Device World
BY 2020 50 OF THE GLOBAL WORKFORCE WILL BE MILLENNIALS
Millennials believe their personal technology is more
effective at work
63 of millennials work for a company that offers a flexible
work environment
Trends 2016 ndash Code Conference Mary Meeker Annual Presentation
Gartner ndash Millennial Digital Workers Really Are Different From Their Elders
LESS THAN 50 OF EMPLOYEES ARE
SATISFIED WITH TECH THEY HAVE AT WORK
Employees want an environment where they can access and use the technology hey need to do
their best work
Enterprises need to think how untethered employees can move
easily and seamlessly from personal workspace to huddle
area to open areas
Trends 2016 ndash Code Conference Mary Meeker Annual Presentation
Gartner ndash Millennial Digital Workers Really Are Different From Their Elders
80+ NEW IOT PROJECTS TO BE DEPLOYED WITH WIRELESS NETWORK ARCHITECTURE
Installed base of IoTendpoints will grow from
121B in lsquo15 to 30B+ in lsquo20
WLAN will become IoTconnectivity method of choice for many organizations and choosing
the wrong wireless tech can hinder the value of IoT
IDC ndash Planscape Optimizing the WLAN for IoT
IDC ndash Worldwide Internet of Things Forecast Update 2016-2020
THE PERFECT STORM
MOBILE IoT and CLOUD
ldquoOLD STYLErdquo IT INFRASTRUCTURE
Gen Y
ldquoNEW STYLErdquo IT INFRASTRUCTURE
GenMobile
OUR APPROACH
LegacySeparate architectures
Port VLAN aware
Proprietary systems
Mobile FirstSingle set of infrastructure
Insightful context-rich
Developer ready
REQUIREMENTS
FOR IT ORGANIZATIONS
Scale network ops
across wireless and
wired infrastructure
Enable high
quality experience
on mobile UC
Stay compliant
while embracing
BYOD and IoT
Deliver apps to
remote locations
in a heartbeat
Improve workplace
productivity and
influence revenue
growth
EASY TO CONSUME DEVELOPER READY INFRASTRUCTURE
INNOVATION AT THE SPEED OF THE ECOSYSTEM ndash NOT A SINGLE VENDOR
Aruba infrastructure
Wi-Fi BLE Wired WAN
Aruba Mobile First Platform
x
Micro-location
services
Cloud
networking
Location
analytics
Policy
management
Network
managementNetwork
controls
IT services
Business and user facing applications
EMPLOYEE
EXPERIENCE
0900
ENROLL
MOBILE DEVICE
1100
PRIVILEGED ACCESS
WITH MULTI-FACTOR
AUTHENTICATION
1300
BOOK
MEETING ROOM
OPERATIONAL
EXPERIENCE
0930
UNDERSTAND
APP USAGE
Aruba AppRF
1530
MONITOR HEALTH
OF THE SMART
BUILDING
IT EXPERIENCE
1100
PREDICT
DONrsquoT JUST
TROUBLESHOOT
Aruba Clarity
1330
UNDERSTAND
DONrsquoT JUST
MONITOR
ONCE BYOD AND IoT
ARE ON YOUR
NETWORK hellip
SECURING THE
PERIMETER IS NO
LONGER ENOUGH
STAY COMPLIANT
WHILE EMBRACING BYOD AND IOT
Auto-classify unknown devices
on any network with Aruba ClearPass
Automate onboarding of each device
to the network and enforce policy
Detect amp eliminate threats
with ClearPass Exchange partners
SOFTWARE CONTROLS FOR
NETWORK ACCESS SECURITY
Internet of
Things (IoT)
BYOD and
corporate owned
REST
API
Security monitoring
and threat prevention
Device management and
multi-factor authentication
Helpdesk and voiceSMS
service in the cloud
Multi-vendor
switching
Multi-vendor
WLANs
Aruba ClearPass with
Exchange Ecosystem
SOFTWARE CONTROLS FOR ldquoCOLORLESSrdquo PORTS
Device and
user identity
stores
Ports assigned to new
VLANs through ClearPass
based on device type
IoT devices on the
wired network
connecting to any portPrevention against malware
and insider threats
Secure per device
tunneling to Aruba
Mobility Controller
Aruba
switches
LEADING
SWISS
BRANDS
TRUST
US
Pause
Aruba ClearPass ndash Die Loumlsung fuumlr einen sicheren NetzwerkzugangManuel Bitzi SOFTEC AG
Evolution of Access Management and Control
Desktops amp Wired
Basic AAA with UserPort
Control
Windows Vulnerabilities
Perimeter security via
platform silos
High touch IT model
Mobile Devices BYOD amp
Wireless
Multi-factor policy control with
visibility
Multiple Attack Vectors
Cooperative trust via
context sharing
Self Service automated
process
YESTERDAY TODAY
Time For A New Mobility Defense Model
Static Perimeter Defense
IDSIPS
Firewalls
Adaptive Trust Defense
Perimeter
Defense
Physical
Components
AntiVirus
Security and Policy
for each user or
group
Web
gateways
Was sind die Hauptgruumlnde fuumlr ein NAC
AuthentifizierungZugriffsschutz
Automatische Konfiguration
Workflows
VisibilitaumltNachvollziehbarkeit
Top IT NAC Business Drivers
Authentication and Authorization
NAC Services Deployment
Architecture and Coverage
bull Provide secure wired
and wireless access
bull Enhance mobile and
cloud app access
bull Use of certificates
Deployment Services
bull Offer differentiated
access (IT-owned
BYOD IoT)
bull Deliver managed
and reliable guest
access
bull Provide consistent
privileges regardless
of location
bull Leverage 3rd-party
security solutions
bull IT-controlled access
bull Automate workflows
bull Simplicity
bull Possible User-
intervention
ClearPass Policy Manager and NAC Solution
Onboard Guest
Built-inbull Policy Enginebull RADIUSCoATACACSbull Profilingbull Accountingreportsbull Identity store
Expandable Applications
Remote Location
bull BYOD onboardingbull Simple guest accessbull Health assessments
OnGuard
Whatrsquos Inside
VISIBILITY
Device Profiling
Troubleshooting
Per Session Tracking
WORKFLOW
Onboarding and
Self-Registration
Guest Management
MDMEMM Integration
RULES
Context based
Device
Posture Checks
Built-in Certificate
Authority
Authentication based on Device Context
Device
Profiling
bull Samsung SM-G900
bull Android
bull ldquoJons-Galaxyrdquo
EMMMDMOnGuard
bull Personal owned
bull Registered
bull OS up-to-date
bull Hansen Jon [Sales]
bull MDM enabled = true
bull In-compliance = true
Identity
Stores
Network Devices
bull Hansen Jon [Sales]
bull Title ndash COO
bull Dept ndash Executive office
bull City ndash London
bull Location ndash Bldg 10
bull Floor ndash 3
bull Bandwidth ndash 10Mbps
Value of a Policy EngineRemove SSID Overload
NEW WAY Simplify separate traffic dynamically
by context
OLD WAY Separate access amp
traffic by SSIDs
ClearPass ExchangeEnd-to-End Control Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voiceSMSservice in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST APISQL
XMLHTTP LDAP
RADIUSTACACS
Traffic control ampthreat prevention
ClearPass Exchange ExampleExtensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
Devices profiled2 ClearPass checks McAfee ePO for endpoint status
3
ClearPass enforcesaccess privileges4
Devices establish connections1
ClearPass Exchange ExampleBi-directional Exchange ndash FirewallIPS Event
FirewallIPSSIEMetchellip
user connects and uploads threat
sends event to ClearPass
informs infrastructure
1 2
4
detects and blocks event
3isolates user5
notifies user opens service ticket notify third-party devices6
ClearPass Profiler Engine
bull ClearPass sammelt so viele Informationen wie moumlglich um einen Geraumltetyp zu bestimmen
bull Category Family Product Name
bull Fingerprint-Datenbank wird regelmaumlssig aktualisiert
bull Eigene Fingerprints erstellen
bull Credentials fuumlr SMNP SSH etc hinterlegen
bull Profiling bei Authentifizierung oder nach Bedarf
bull Erkennen von IoT Devices
DHCP
SNMP
SSH
TCPWMI
CDP LLDP
OnGuard
NMAP
Mac OUI
HTTP
ClearPass Profiler EngineProfiling on authentication discover IoT
AfterBefore
Lighting Sensorunknown
unknown Temperature Sensor
send to
quarantineprofiling assign
new policy
discover IoT assign appropriated policy
ClearPass Profiler EngineCustom Fingerprints Rules
NEW WAY Create your own
Fingerprints
OLD WAY Wait for new Fingerprints to be made andor manually override
devices 11
ClearPass Universal ProfilerStandalone Profiling Engine
bull Standalone profiling engine
bull Wired and wireless networks
bull Easily distributed for coverage
and scalability
bull New device visibility dashboard
bull Reports
bull Gain Visibility of your Network
bull GA February 2017
ClearPass Universal Profiler
DEMO Profiling
Clearpass Modules WorkflowsOnGuard Client Health Check
bull Automated Healthcheck before Access
bull WiredWireless Ensures posture compliance for laptopscomputers
bull Security Forces use of Anti-VirusAnti-Spyware firewalls disk encryptionhellip
bull Remediation Manual or auto
bull Visibility Identifies poor behavior
bull User Notification Tells User about failed checks
bull Type Service or dissolvable Web Checker
DEMO OnGuard
Clearpass Modules WorkflowsSecure Guest Login
bull Flexible Guest Logins for Any Visitor
bull Customizable Splash Pages
bull Self-Service Workflows
bull SMS Authentication
bull Sponsoring
bull Social Login
bull Vouchers
bull Predefined UserPassword
bull MAC Caching for repeat visitors
bull Suitable for Mobile Devices
Clearpass Modules WorkflowsSecure Guest Login Look and Feel
Clearpass Modules WorkflowsOnBoard Employee Device
bull BYOD Employees Login with Personal Devices
bull User and IT friendly One time user registration no IT intervention
bull Security IT managed 8021X and Certificates
bull Context Data added to profile for adaptive policy and troubleshooting
bull Selfmanaged User can manage delete and block devices by their own
Clearpass Modules WorkflowsCertificate Distribution for BYOD
bull Domain
bull Key amp
Certificate
Enterprise PKI and CA Built-in ClearPass CA
Certificate
Authority
Validation
Authority
Registration
Authority
Active
Directory
IT-Managed
Devices
bull Domain
bull User
bull Device
bull Key amp Unique
Certificate
Personal
Devices
CA
Certificate
Authority
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Betrug Empfehlungen
bull Klare Weisungen bezuumlglich Zahlungen erteilen
bull Keine internen Informationen weitergeben
bull Im Zweifelsfall bei der GL nachfragen
bull Vorsicht auch bei Mails von vermeintlich bekannten Personen
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionageangriff auf BV
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage Beispiel aus der Schweiz
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage Empfehlungen
bull Klassifizierung von Dokumenten
bull Regeln fuumlr die verschiedenen Klassfizierungen durchsetzen
bull Netzwerkmonitoring betr verdaumlchtigem Datenverkehr
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Erpressung
httpwwwtrustedwatchde
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner laquoLockyraquo (12)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner laquoLockyraquo (22)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner Empfehlungen
bull Regelmaumlssige Datensicherung
bull Datentraumlger nach Backup vom PC Netz trennen
bull Qualitaumlt der Backups sporadisch uumlberpruumlfen
bull Keinesfalls Loumlsegeld bezahlen
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Max KlausStv Leiter Melde- und Analysestelle
Informationssicherung MELANI
Schwarztorstrasse 59
3003 Bern
Herzlichen Dank fuumlr Ihre Aufmerksamkeit
Mobile-First Arubalsquos sichere Netzwerkarchitektur fuumlr die GenMobileJoumlrg Hofmann HPE Aruba
MOBILE-FIRST
Sichere Netzwerkarchitektur
fuumlr die GenMobile
People Move
Networks Must Follow
WHO ARE WE
Source Gartner Magic Quadrant for the Wired and Wireless LAN Access Infrastructure September 2015 Tim Zimmerman Bill Menezes Andrew Lerner ID Number
G00277052 This Magic Quadrant graphic was published by Gartner Inc as part of a larger research note and should be evaluated in the context of the entire report
The Gartner report is available upon request from HP The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period It depicts
Gartners analysis of how certain vendors measure against criteria for that marketplace as defined by Gartner Gartner does not endorse any vendor product or
service depicted in the Magic Quadrant and does not advise technology users to select only those vendors placed in the Leaders quadrant The Magic Quadrant is
intended solely as a research tool and is not meant to be a specific guide to action Gartner disclaims all warranties express or implied with respect to this research
including any warranties of merchantability or fitness for a particular purpose
ldquoClients globally should consider
Aruba for all wired and wireless
access layer opportunitiesrdquo
Gartner MQ for Wired and Wireless LAN
Access Infrastructure August 2016
Founded 2002 IPO 2007
HPErsquos IT Edge portfolio since June 2015
$24B+ annual revenue run rate
ldquoBiggest Small Companyrdquo
High touch business model
ldquoCustomer First Customer Lastrdquo
Home of 45K+ Mobility Engineers
Airheads Community
ENABLING GREAT DIGITAL EXPERIENCES FOR GENMOBILE
70% SAY A MOBILE DEVICE MAKES THEM MORE PRODUCTIVE AT WORK
By 2018, 60% of users in mature markets will own and use more than 3 personal devices.
50% of enterprises will allow employees to supply their own devices by 2017.
Sources: Forrester – CIOs Must Empower the Digital Workplace; Forrester – The State of Enterprise Worker Mobility; Gartner – The Role of the Desktop in Our Multi-Device World
BY 2020, 50% OF THE GLOBAL WORKFORCE WILL BE MILLENNIALS
Millennials believe their personal technology is more effective at work.
63% of millennials work for a company that offers a flexible work environment.
Sources: Trends 2016 – Code Conference, Mary Meeker Annual Presentation; Gartner – Millennial Digital Workers Really Are Different From Their Elders
LESS THAN 50% OF EMPLOYEES ARE SATISFIED WITH THE TECH THEY HAVE AT WORK
Employees want an environment where they can access and use the technology they need to do their best work.
Enterprises need to think about how untethered employees can move easily and seamlessly from personal workspace to huddle area to open areas.
Sources: Trends 2016 – Code Conference, Mary Meeker Annual Presentation; Gartner – Millennial Digital Workers Really Are Different From Their Elders
80%+ OF NEW IOT PROJECTS TO BE DEPLOYED WITH WIRELESS NETWORK ARCHITECTURE
Installed base of IoT endpoints will grow from 12.1B in ’15 to 30B+ in ’20.
WLAN will become the IoT connectivity method of choice for many organizations, and choosing the wrong wireless tech can hinder the value of IoT.
Sources: IDC – Planscape: Optimizing the WLAN for IoT; IDC – Worldwide Internet of Things Forecast Update, 2016–2020
THE PERFECT STORM: MOBILE, IoT AND CLOUD
“OLD STYLE” IT INFRASTRUCTURE – Gen Y
“NEW STYLE” IT INFRASTRUCTURE – GenMobile
OUR APPROACH
Legacy: Separate architectures; Port/VLAN aware; Proprietary systems
Mobile First: Single set of infrastructure; Insightful, context-rich; Developer ready
REQUIREMENTS FOR IT ORGANIZATIONS
• Scale network ops across wireless and wired infrastructure
• Enable high quality experience on mobile UC
• Stay compliant while embracing BYOD and IoT
• Deliver apps to remote locations in a heartbeat
• Improve workplace productivity and influence revenue growth
EASY TO CONSUME, DEVELOPER READY INFRASTRUCTURE
INNOVATION AT THE SPEED OF THE ECOSYSTEM – NOT A SINGLE VENDOR
Layers, bottom to top:
• Aruba infrastructure: Wi-Fi, BLE, Wired, WAN
• Aruba Mobile First Platform: Micro-location services; Cloud networking; Location analytics; Policy management; Network management; Network controls
• IT services
• Business and user facing applications
EMPLOYEE EXPERIENCE
09:00 Enroll mobile device
11:00 Privileged access with multi-factor authentication
13:00 Book meeting room
OPERATIONAL EXPERIENCE
09:30 Understand app usage (Aruba AppRF)
15:30 Monitor health of the smart building
IT EXPERIENCE
11:00 Predict, don’t just troubleshoot (Aruba Clarity)
13:30 Understand, don’t just monitor
ONCE BYOD AND IoT ARE ON YOUR NETWORK… SECURING THE PERIMETER IS NO LONGER ENOUGH
STAY COMPLIANT WHILE EMBRACING BYOD AND IOT
• Auto-classify unknown devices on any network with Aruba ClearPass
• Automate onboarding of each device to the network and enforce policy
• Detect & eliminate threats with ClearPass Exchange partners
SOFTWARE CONTROLS FOR NETWORK ACCESS SECURITY
Aruba ClearPass with Exchange Ecosystem (REST API) connects:
• Endpoints: Internet of Things (IoT); BYOD and corporate owned
• Partners: Security monitoring and threat prevention; Device management and multi-factor authentication; Helpdesk and voice/SMS service in the cloud
• Infrastructure: Multi-vendor switching; Multi-vendor WLANs
SOFTWARE CONTROLS FOR “COLORLESS” PORTS
• Device and user identity stores
• Ports assigned to new VLANs through ClearPass based on device type
• IoT devices on the wired network connecting to any port
• Prevention against malware and insider threats
• Secure per-device tunneling to Aruba Mobility Controller
• Aruba switches
LEADING SWISS BRANDS TRUST US
Break
Aruba ClearPass – The solution for secure network access (Manuel Bitzi, SOFTEC AG)
Evolution of Access Management and Control
YESTERDAY – Desktops & Wired:
• Basic AAA with user/port control
• Windows vulnerabilities
• Perimeter security via platform silos
• High touch IT model
TODAY – Mobile Devices, BYOD & Wireless:
• Multi-factor policy control with visibility
• Multiple attack vectors
• Cooperative trust via context sharing
• Self-service, automated process
Time For A New Mobility Defense Model
Static Perimeter Defense (perimeter defense, physical components): IDS/IPS; Firewalls; Anti-virus; Web gateways
Adaptive Trust Defense: Security and policy for each user or group
What are the main reasons for a NAC?
• Authentication / access protection
• Automatic configuration
• Workflows
• Visibility / traceability
Top IT NAC Business Drivers
Categories: Authentication and Authorization; NAC Services Deployment; Architecture and Coverage; Deployment Services
• Provide secure wired and wireless access
• Enhance mobile and cloud app access
• Use of certificates
• Offer differentiated access (IT-owned, BYOD, IoT)
• Deliver managed and reliable guest access
• Provide consistent privileges regardless of location
• Leverage 3rd-party security solutions
• IT-controlled access
• Automate workflows
• Simplicity
• Possible user intervention
ClearPass Policy Manager and NAC Solution
Built-in: • Policy Engine • RADIUS/CoA/TACACS • Profiling • Accounting/reports • Identity store
Expandable Applications (Onboard, Guest, OnGuard): • BYOD onboarding • Simple guest access • Health assessments
Remote Location
What’s Inside
VISIBILITY: Device Profiling; Troubleshooting; Per Session Tracking
WORKFLOW: Onboarding and Self-Registration; Guest Management; MDM/EMM Integration
RULES: Context based; Device Posture Checks; Built-in Certificate Authority
Authentication based on Device Context
Device Profiling: • Samsung SM-G900 • Android • “Jons-Galaxy”
EMM/MDM/OnGuard: • Personal owned • Registered • OS up-to-date • Hansen, Jon [Sales] • MDM enabled = true • In-compliance = true
Identity Stores: • Hansen, Jon [Sales] • Title – COO • Dept – Executive office • City – London
Network Devices: • Location – Bldg 10 • Floor – 3 • Bandwidth – 10 Mbps
Value of a Policy Engine: Remove SSID Overload
OLD WAY: Separate access & traffic by SSIDs
NEW WAY: Simplify, separate traffic dynamically by context
ClearPass Exchange: End-to-End Control, Information and Visibility
• Multi-vendor infrastructure
• Device management and multi-factor authentication
• Helpdesk and voice/SMS service in the cloud
• Combine identity information
• Standard protocols for custom extensions: REST API, SQL, XML/HTTP, LDAP, RADIUS, TACACS
• Traffic control & threat prevention
ClearPass Exchange Example: Extensions for Intel Security – McAfee ePO
Endpoints: corporate owned and IoT; BYOD and corporate owned. Infrastructure: multi-vendor switching; multi-vendor WLAN. Partner: McAfee ePO.
1. Devices establish connections
2. Devices profiled
3. ClearPass checks McAfee ePO for endpoint status
4. ClearPass enforces access privileges
ClearPass Exchange Example: Bi-directional Exchange – Firewall/IPS Event
Partner: Firewall / IPS / SIEM etc.
1. User connects and uploads threat
2. Firewall/IPS detects and blocks event
3. Sends event to ClearPass
4. ClearPass informs infrastructure
5. Isolates user
6. Notifies user, opens service ticket, notifies third-party devices
ClearPass Profiler Engine
• ClearPass collects as much information as possible to determine a device type
• Category, Family, Product Name
• The fingerprint database is updated regularly
• Create your own fingerprints
• Store credentials for SNMP, SSH etc.
• Profiling at authentication or on demand
• Detection of IoT devices
Data sources: DHCP, SNMP, SSH, TCP/WMI, CDP/LLDP, OnGuard, NMAP, MAC OUI, HTTP
ClearPass Profiler Engine: Profiling on authentication, discover IoT
Before: unknown, unknown
After: Lighting Sensor, Temperature Sensor
Flow: send to quarantine, profiling, assign new policy (discover IoT, assign the appropriate policy)
ClearPass Profiler Engine: Custom Fingerprint Rules
OLD WAY: Wait for new fingerprints to be made and/or manually override devices
NEW WAY: Create your own fingerprints
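The profiling workflow on the three Profiler Engine slides (collect evidence from several sources, match it against fingerprints that yield Category / Family / Product Name, add a custom fingerprint when a device stays unknown), as an added Python example that is not ClearPass code; the Fingerprint fields, the OUIs, the DHCP vendor-class strings and the "LumiNode" lighting sensor are constructed for illustration.

```python
"""Rule-based endpoint profiler, added as an example of the mechanism the
ClearPass Profiler slides describe (not ClearPass code): evidence from several
collectors (DHCP, MAC OUI, HTTP) is matched against fingerprints that yield
Category / Family / Product Name, custom fingerprints take precedence over the
built-in ones, and an endpoint that no rule explains is reported as unknown so
it can be quarantined and re-profiled."""
from dataclasses import dataclass
from typing import Optional

UNKNOWN = {"category": "unknown", "family": "unknown", "product": "unknown"}


@dataclass(frozen=True)
class Fingerprint:
    """One profiling rule: the evidence it expects and the classification it yields."""
    category: str
    family: str
    product: str
    oui: Optional[str] = None             # first three MAC octets, lower-case "xx:xx:xx"
    dhcp_vendor: Optional[str] = None     # substring expected in DHCP option 60 (vendor class)
    dhcp_options: Optional[tuple] = None  # exact DHCP option 55 parameter request list
    user_agent: Optional[str] = None      # substring expected in an HTTP User-Agent


# Constructed built-in rules (OUIs and strings are illustrative, not the real database).
BUILTIN_FINGERPRINTS = (
    Fingerprint("SmartDevice", "Android", "Samsung SM-G900",
                oui="8c:f5:a3", dhcp_vendor="android-dhcp", user_agent="SM-G900"),
    Fingerprint("Computer", "Windows", "Windows 10",
                dhcp_vendor="MSFT 5.0",
                dhcp_options=(1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252)),
)


def _score(fp: Fingerprint, evidence: dict) -> int:
    """Number of evidence fields the rule matches, or -1 if a collected field contradicts it.

    A field the rule does not specify, or that no collector has delivered yet, is
    neutral: profiling at authentication often runs before HTTP or SNMP data exists.
    """
    mac = evidence.get("mac", "")
    checks = (
        (fp.oui, mac[:8].lower(), lambda want, got: want == got),
        (fp.dhcp_vendor, evidence.get("dhcp_vendor"), lambda want, got: want in got),
        (fp.dhcp_options, evidence.get("dhcp_options"), lambda want, got: tuple(want) == tuple(got)),
        (fp.user_agent, evidence.get("user_agent"), lambda want, got: want in got),
    )
    score = 0
    for want, got, matches in checks:
        if want is None or not got:
            continue
        if not matches(want, got):
            return -1
        score += 1
    return score


def profile(evidence: dict, custom_fingerprints=()) -> tuple:
    """Classify one endpoint; returns (classification, number_of_matching_fields).

    Custom fingerprints are tried first, so a site-specific rule wins a tie
    against the built-in database. With no positive match the endpoint is unknown.
    """
    best, best_score = None, 0
    for fp in tuple(custom_fingerprints) + BUILTIN_FINGERPRINTS:
        score = _score(fp, evidence)
        if score > best_score:
            best, best_score = fp, score
    if best is None:
        return dict(UNKNOWN), 0
    return {"category": best.category, "family": best.family, "product": best.product}, best_score


# Constructed evidence for a wired lighting sensor that the built-in rules do not know.
LIGHTING_EVIDENCE = {"mac": "70:b3:d5:01:02:03", "dhcp_vendor": "LumiNode/2.1"}
# The custom fingerprint an administrator would add after inspecting that evidence.
LIGHTING_FINGERPRINT = Fingerprint("IoT", "Building Automation", "Lighting Sensor",
                                   dhcp_vendor="LumiNode")

if __name__ == "__main__":
    phone = {"mac": "8C:F5:A3:11:22:33", "dhcp_vendor": "android-dhcp-7.0",
             "user_agent": "Mozilla/5.0 (Linux; Android 7.0; SM-G900F)"}
    print("phone :", profile(phone))
    print("before:", profile(LIGHTING_EVIDENCE))
    print("after :", profile(LIGHTING_EVIDENCE, [LIGHTING_FINGERPRINT]))
```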
ClearPass Universal Profiler: Standalone Profiling Engine
• Standalone profiling engine
• Wired and wireless networks
• Easily distributed for coverage and scalability
• New device visibility dashboard
• Reports
• Gain visibility of your network
• GA February 2017
ClearPass Universal Profiler
DEMO: Profiling
ClearPass Modules / Workflows: OnGuard Client Health Check
• Automated health check before access
• Wired/Wireless: Ensures posture compliance for laptops/computers
• Security: Forces use of anti-virus/anti-spyware, firewalls, disk encryption…
• Remediation: Manual or auto
• Visibility: Identifies poor behavior
• User Notification: Tells the user about failed checks
• Type: Service or dissolvable web checker
DEMO: OnGuard
ClearPass Modules / Workflows: Secure Guest Login
• Flexible guest logins for any visitor
• Customizable splash pages
• Self-service workflows
• SMS authentication
• Sponsoring
• Social login
• Vouchers
• Predefined user/password
• MAC caching for repeat visitors
• Suitable for mobile devices
ClearPass Modules / Workflows: Secure Guest Login – Look and Feel
ClearPass Modules / Workflows: OnBoard Employee Device
• BYOD: Employees log in with personal devices
• User and IT friendly: One-time user registration, no IT intervention
• Security: IT-managed 802.1X and certificates
• Context: Data added to the profile for adaptive policy and troubleshooting
• Self-managed: Users can manage, delete and block their own devices
ClearPass Modules / Workflows: Certificate Distribution for BYOD
Enterprise PKI and CA (Certificate Authority, Validation Authority, Registration Authority, Active Directory: AD / RA / VA / CA) or the built-in ClearPass CA (Certificate Authority)
IT-managed devices: • Domain • Key & certificate
Personal devices: • Domain • User • Device • Key & unique certificate
ClearPass Modules / Workflows: Multi-Factor Authentication
• Additional authentication for Guest and Onboard workflows
• Multiple methods supported:
  • SMS verification code
  • RSA Security
  • Duo
  • Zoom Facial Network
  • Kasada
  • More to come
DEMO: OnBoard BYOD
Possible access concept: Wireless
• Guests: SSID “open”, captive portal
• BYOD: SSID “secure”, Dot1x
• IoT: SSID “IoT”, PSK / MAC / profiling
• Network segments: Internet only; Corp LAN; Internet
• Device classes: Corp-PC; others
Possible access concept: Wired
• Guests: captive portal
• Dot1x
• MAC-Auth
• Profiling
• Network segments: Internet only; Corp LAN; Internet
• Device classes: Corp-PC (Cert); others
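As an added Python example (not ClearPass code) of the context-based policy engine described on the "Authentication based on Device Context" and "Value of a Policy Engine" slides, the two ClearPass Exchange examples and the two access-concept slides above: one SSID or port serves every device, and the enforcement profile follows from the collected context. The Session fields, the VLAN names and the wording of the returned actions are assumptions for illustration.

```python
"""Context-based enforcement policy, added as an example of the mechanism the
ClearPass slides describe (not ClearPass code): one SSID or port serves every
device and the enforcement profile (role and VLAN) is derived from the
authentication method, the profiler result, EMM/MDM posture, the endpoint-
protection status an Exchange partner reports, and identity-store attributes.
A threat event from a firewall/IPS/SIEM re-evaluates the session the same way."""
from dataclasses import dataclass
from typing import Optional

# Constructed VLAN names for the segments on the access-concept slides.
CORP_LAN = "VLAN 10 (Corp LAN)"
INTERNET_ONLY = "VLAN 20 (Internet only)"
IOT_VLAN = "VLAN 30 (IoT)"
QUARANTINE = "VLAN 99 (Quarantine)"


@dataclass
class Session:
    """The context the policy engine has collected for one endpoint session."""
    mac: str
    auth_method: str                       # "eap-tls", "peap", "psk-mac" or "captive-portal"
    device_category: str                   # profiler result: "Computer", "SmartDevice", "IoT", "unknown"
    ownership: str = "unknown"             # "corporate", "personal" or "unknown"
    mdm_compliant: Optional[bool] = None   # EMM/MDM or OnGuard posture; None = not enrolled
    endpoint_status: Optional[str] = None  # status from the endpoint-protection console, e.g. "healthy"
    department: Optional[str] = None       # identity-store (AD) attribute, available for further rules
    isolated: bool = False                 # set when an Exchange partner reports a threat


@dataclass(frozen=True)
class Enforcement:
    role: str
    vlan: str
    reason: str


def decide(s: Session) -> Enforcement:
    """Ordered enforcement policy: the first matching rule wins."""
    if s.isolated:
        return Enforcement("isolated", QUARANTINE, "threat event reported by firewall/IPS")
    if s.auth_method == "captive-portal":
        return Enforcement("guest", INTERNET_ONLY, "guest login via captive portal")
    if s.device_category == "unknown":
        # Profiling on authentication: park the device and profile it before it gets a real policy.
        return Enforcement("profiling", QUARANTINE, "unknown device: quarantine and profile")
    if s.auth_method == "psk-mac":
        if s.device_category == "IoT":
            return Enforcement("iot", IOT_VLAN, "IoT device identified by PSK/MAC plus profiling")
        return Enforcement("denied", QUARANTINE, "PSK/MAC is accepted for profiled IoT devices only")
    if s.auth_method == "eap-tls" and s.ownership == "corporate":
        if s.endpoint_status == "healthy":
            return Enforcement("employee", CORP_LAN, "IT-managed device, certificate, healthy endpoint protection")
        return Enforcement("remediation", QUARANTINE, "corporate device without healthy endpoint-protection status")
    if s.auth_method in ("eap-tls", "peap") and s.ownership == "personal":
        if s.mdm_compliant:
            return Enforcement("byod", CORP_LAN, "onboarded BYOD device, MDM in compliance")
        return Enforcement("byod-limited", INTERNET_ONLY, "BYOD device not enrolled or out of compliance")
    return Enforcement("denied", QUARANTINE, "no rule matched")


def handle_threat_event(sessions: dict, event: dict) -> list:
    """Bi-directional Exchange: a firewall/IPS/SIEM posts an event for a MAC, the
    session is re-evaluated and the resulting actions are returned in order
    (change of authorization to the network device, user notification, ticket,
    notification of other partners). Repeated events for an already isolated
    session are ignored so that one incident does not open several tickets."""
    s = sessions.get(event["mac"].lower())
    if s is None:
        return [f"ignore: no active session for {event['mac']}"]
    if s.isolated:
        return [f"already isolated: {s.mac}"]
    s.isolated = True
    new = decide(s)
    return [
        f"coa: {s.mac} -> role {new.role}, {new.vlan}",
        f"notify-user: {s.mac} isolated because of {event['signature']}",
        f"ticket: {event['source']} reported {event['signature']} for {s.mac}",
        f"notify-partners: {s.mac} quarantined",
    ]


if __name__ == "__main__":
    # Constructed sessions mirroring the slide examples.
    galaxy = Session("8c:f5:a3:11:22:33", "peap", "SmartDevice", ownership="personal",
                     mdm_compliant=True, department="Sales")
    laptop = Session("00:11:22:33:44:55", "eap-tls", "Computer", ownership="corporate",
                     endpoint_status="healthy")
    sensor = Session("70:b3:d5:01:02:03", "psk-mac", "unknown")
    for s in (galaxy, laptop, sensor):
        print(s.mac, decide(s))
    table = {laptop.mac: laptop}
    for line in handle_threat_event(table, {"mac": "00:11:22:33:44:55", "source": "firewall",
                                            "signature": "malware upload"}):
        print(line)
```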
How to approach a NAC project: best practice and experience
• Know the devices on the network
  • What is there? Where are they? New ones?
  • Inventory, profiling
• Define use cases
  • What stakeholder groups are there?
  • Procedures, processes, access
  • Simple and few: keep it simple
• Plan enough time for a proof of concept
  • Incorporate the PoC experience and adapt
• Implement step by step
  • Not everything at once
  • But ultimately covering the whole network
Thank you for your attention
Manuel Bitzi, Project Manager Network Engineering
manuelbitzisoftecch
Apéro and networking
Thank you for your visit
SOFTEC AG, Industriestrasse 51, CH-6312 Steinhausen
kurtchristensoftecch, +41 41 747 07 60
ISB / NDB
Melde- und Analysestelle Informationssicherung MELANI (Reporting and Analysis Centre for Information Assurance)
Espionage
Espionage attack on the Federal Administration (BV)
Espionage: an example from Switzerland
Espionage: recommendations
• Classification of documents
• Enforce the rules for the different classification levels
• Network monitoring for suspicious traffic
• Inform MELANI / KOBIK; if appropriate, file a criminal complaint against unknown persons with the cantonal police (KaPo)
Extortion
http://www.trustedwatch.de
Encryption trojan (ransomware) «Locky» (1/2)
Encryption trojan (ransomware) «Locky» (2/2)
Encryption trojans: recommendations
• Regular data backups
• Disconnect the backup medium from the PC / network after the backup
• Spot-check the quality of the backups
• Never pay the ransom
• Inform MELANI / KOBIK; if appropriate, file a criminal complaint against unknown persons with the cantonal police (KaPo)
Max Klaus, Deputy Head, Melde- und Analysestelle Informationssicherung MELANI
Schwarztorstrasse 59, 3003 Bern
Thank you for your attention
Mobile-First: Aruba’s secure network architecture for the GenMobile (Jörg Hofmann, HPE Aruba)
MOBILE-FIRST
Secure network architecture for the GenMobile
People move. Networks must follow.
WHO ARE WE
Source Gartner Magic Quadrant for the Wired and Wireless LAN Access Infrastructure September 2015 Tim Zimmerman Bill Menezes Andrew Lerner ID Number
G00277052 This Magic Quadrant graphic was published by Gartner Inc as part of a larger research note and should be evaluated in the context of the entire report
The Gartner report is available upon request from HP The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period It depicts
Gartners analysis of how certain vendors measure against criteria for that marketplace as defined by Gartner Gartner does not endorse any vendor product or
service depicted in the Magic Quadrant and does not advise technology users to select only those vendors placed in the Leaders quadrant The Magic Quadrant is
intended solely as a research tool and is not meant to be a specific guide to action Gartner disclaims all warranties express or implied with respect to this research
including any warranties of merchantability or fitness for a particular purpose
ldquoClients globally should consider
Aruba for all wired and wireless
access layer opportunitiesrdquo
Gartner MQ for Wired and Wireless LAN
Access Infrastructure August 2016
Founded 2002 IPO 2007
HPErsquos IT Edge portfolio since June 2015
$24B+ annual revenue run rate
ldquoBiggest Small Companyrdquo
High touch business model
ldquoCustomer First Customer Lastrdquo
Home of 45K+ Mobility Engineers
Airheads Community
ENABLING GREAT
DIGITAL EXPERIENCES FOR GENMOBILE
70 SAY A MOBILE DEVICE MAKES THEM MORE
PRODUCTIVE AT WORK
By 2018 60 of users in mature markets will own and use more
than 3 personal devices
50 of enterprises will allow employees to supply their own
devices by 2017
Forrester ndash CIOs Must Empower the Digital Workplace
Forrester ndash The State of Enterprise Worker Mobility
Gartner ndash The Role of the Desktop in Our Multi-Device World
BY 2020 50 OF THE GLOBAL WORKFORCE WILL BE MILLENNIALS
Millennials believe their personal technology is more
effective at work
63 of millennials work for a company that offers a flexible
work environment
Trends 2016 ndash Code Conference Mary Meeker Annual Presentation
Gartner ndash Millennial Digital Workers Really Are Different From Their Elders
LESS THAN 50 OF EMPLOYEES ARE
SATISFIED WITH TECH THEY HAVE AT WORK
Employees want an environment where they can access and use the technology hey need to do
their best work
Enterprises need to think how untethered employees can move
easily and seamlessly from personal workspace to huddle
area to open areas
Trends 2016 ndash Code Conference Mary Meeker Annual Presentation
Gartner ndash Millennial Digital Workers Really Are Different From Their Elders
80+ NEW IOT PROJECTS TO BE DEPLOYED WITH WIRELESS NETWORK ARCHITECTURE
Installed base of IoTendpoints will grow from
121B in lsquo15 to 30B+ in lsquo20
WLAN will become IoTconnectivity method of choice for many organizations and choosing
the wrong wireless tech can hinder the value of IoT
IDC ndash Planscape Optimizing the WLAN for IoT
IDC ndash Worldwide Internet of Things Forecast Update 2016-2020
THE PERFECT STORM
MOBILE IoT and CLOUD
ldquoOLD STYLErdquo IT INFRASTRUCTURE
Gen Y
ldquoNEW STYLErdquo IT INFRASTRUCTURE
GenMobile
OUR APPROACH
LegacySeparate architectures
Port VLAN aware
Proprietary systems
Mobile FirstSingle set of infrastructure
Insightful context-rich
Developer ready
REQUIREMENTS
FOR IT ORGANIZATIONS
Scale network ops
across wireless and
wired infrastructure
Enable high
quality experience
on mobile UC
Stay compliant
while embracing
BYOD and IoT
Deliver apps to
remote locations
in a heartbeat
Improve workplace
productivity and
influence revenue
growth
EASY TO CONSUME DEVELOPER READY INFRASTRUCTURE
INNOVATION AT THE SPEED OF THE ECOSYSTEM ndash NOT A SINGLE VENDOR
Aruba infrastructure
Wi-Fi BLE Wired WAN
Aruba Mobile First Platform
x
Micro-location
services
Cloud
networking
Location
analytics
Policy
management
Network
managementNetwork
controls
IT services
Business and user facing applications
EMPLOYEE
EXPERIENCE
0900
ENROLL
MOBILE DEVICE
1100
PRIVILEGED ACCESS
WITH MULTI-FACTOR
AUTHENTICATION
1300
BOOK
MEETING ROOM
OPERATIONAL
EXPERIENCE
0930
UNDERSTAND
APP USAGE
Aruba AppRF
1530
MONITOR HEALTH
OF THE SMART
BUILDING
IT EXPERIENCE
1100
PREDICT
DONrsquoT JUST
TROUBLESHOOT
Aruba Clarity
1330
UNDERSTAND
DONrsquoT JUST
MONITOR
ONCE BYOD AND IoT
ARE ON YOUR
NETWORK hellip
SECURING THE
PERIMETER IS NO
LONGER ENOUGH
STAY COMPLIANT
WHILE EMBRACING BYOD AND IOT
Auto-classify unknown devices
on any network with Aruba ClearPass
Automate onboarding of each device
to the network and enforce policy
Detect amp eliminate threats
with ClearPass Exchange partners
SOFTWARE CONTROLS FOR
NETWORK ACCESS SECURITY
Internet of
Things (IoT)
BYOD and
corporate owned
REST
API
Security monitoring
and threat prevention
Device management and
multi-factor authentication
Helpdesk and voiceSMS
service in the cloud
Multi-vendor
switching
Multi-vendor
WLANs
Aruba ClearPass with
Exchange Ecosystem
SOFTWARE CONTROLS FOR ldquoCOLORLESSrdquo PORTS
Device and
user identity
stores
Ports assigned to new
VLANs through ClearPass
based on device type
IoT devices on the
wired network
connecting to any portPrevention against malware
and insider threats
Secure per device
tunneling to Aruba
Mobility Controller
Aruba
switches
LEADING
SWISS
BRANDS
TRUST
US
Pause
Aruba ClearPass ndash Die Loumlsung fuumlr einen sicheren NetzwerkzugangManuel Bitzi SOFTEC AG
Evolution of Access Management and Control
Desktops amp Wired
Basic AAA with UserPort
Control
Windows Vulnerabilities
Perimeter security via
platform silos
High touch IT model
Mobile Devices BYOD amp
Wireless
Multi-factor policy control with
visibility
Multiple Attack Vectors
Cooperative trust via
context sharing
Self Service automated
process
YESTERDAY TODAY
Time For A New Mobility Defense Model
Static Perimeter Defense
IDSIPS
Firewalls
Adaptive Trust Defense
Perimeter
Defense
Physical
Components
AntiVirus
Security and Policy
for each user or
group
Web
gateways
Was sind die Hauptgruumlnde fuumlr ein NAC
AuthentifizierungZugriffsschutz
Automatische Konfiguration
Workflows
VisibilitaumltNachvollziehbarkeit
Top IT NAC Business Drivers
Authentication and Authorization
NAC Services Deployment
Architecture and Coverage
bull Provide secure wired
and wireless access
bull Enhance mobile and
cloud app access
bull Use of certificates
Deployment Services
bull Offer differentiated
access (IT-owned
BYOD IoT)
bull Deliver managed
and reliable guest
access
bull Provide consistent
privileges regardless
of location
bull Leverage 3rd-party
security solutions
bull IT-controlled access
bull Automate workflows
bull Simplicity
bull Possible User-
intervention
ClearPass Policy Manager and NAC Solution
Onboard Guest
Built-inbull Policy Enginebull RADIUSCoATACACSbull Profilingbull Accountingreportsbull Identity store
Expandable Applications
Remote Location
bull BYOD onboardingbull Simple guest accessbull Health assessments
OnGuard
Whatrsquos Inside
VISIBILITY
Device Profiling
Troubleshooting
Per Session Tracking
WORKFLOW
Onboarding and
Self-Registration
Guest Management
MDMEMM Integration
RULES
Context based
Device
Posture Checks
Built-in Certificate
Authority
Authentication based on Device Context
Device
Profiling
bull Samsung SM-G900
bull Android
bull ldquoJons-Galaxyrdquo
EMMMDMOnGuard
bull Personal owned
bull Registered
bull OS up-to-date
bull Hansen Jon [Sales]
bull MDM enabled = true
bull In-compliance = true
Identity
Stores
Network Devices
bull Hansen Jon [Sales]
bull Title ndash COO
bull Dept ndash Executive office
bull City ndash London
bull Location ndash Bldg 10
bull Floor ndash 3
bull Bandwidth ndash 10Mbps
Value of a Policy EngineRemove SSID Overload
NEW WAY Simplify separate traffic dynamically
by context
OLD WAY Separate access amp
traffic by SSIDs
ClearPass ExchangeEnd-to-End Control Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voiceSMSservice in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST APISQL
XMLHTTP LDAP
RADIUSTACACS
Traffic control ampthreat prevention
ClearPass Exchange ExampleExtensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
Devices profiled2 ClearPass checks McAfee ePO for endpoint status
3
ClearPass enforcesaccess privileges4
Devices establish connections1
ClearPass Exchange ExampleBi-directional Exchange ndash FirewallIPS Event
FirewallIPSSIEMetchellip
user connects and uploads threat
sends event to ClearPass
informs infrastructure
1 2
4
detects and blocks event
3isolates user5
notifies user opens service ticket notify third-party devices6
ClearPass Profiler Engine
bull ClearPass sammelt so viele Informationen wie moumlglich um einen Geraumltetyp zu bestimmen
bull Category Family Product Name
bull Fingerprint-Datenbank wird regelmaumlssig aktualisiert
bull Eigene Fingerprints erstellen
bull Credentials fuumlr SMNP SSH etc hinterlegen
bull Profiling bei Authentifizierung oder nach Bedarf
bull Erkennen von IoT Devices
DHCP
SNMP
SSH
TCPWMI
CDP LLDP
OnGuard
NMAP
Mac OUI
HTTP
ClearPass Profiler EngineProfiling on authentication discover IoT
AfterBefore
Lighting Sensorunknown
unknown Temperature Sensor
send to
quarantineprofiling assign
new policy
discover IoT assign appropriated policy
ClearPass Profiler EngineCustom Fingerprints Rules
NEW WAY Create your own
Fingerprints
OLD WAY Wait for new Fingerprints to be made andor manually override
devices 11
ClearPass Universal ProfilerStandalone Profiling Engine
bull Standalone profiling engine
bull Wired and wireless networks
bull Easily distributed for coverage
and scalability
bull New device visibility dashboard
bull Reports
bull Gain Visibility of your Network
bull GA February 2017
ClearPass Universal Profiler
DEMO Profiling
Clearpass Modules WorkflowsOnGuard Client Health Check
bull Automated Healthcheck before Access
bull WiredWireless Ensures posture compliance for laptopscomputers
bull Security Forces use of Anti-VirusAnti-Spyware firewalls disk encryptionhellip
bull Remediation Manual or auto
bull Visibility Identifies poor behavior
bull User Notification Tells User about failed checks
bull Type Service or dissolvable Web Checker
DEMO OnGuard
Clearpass Modules WorkflowsSecure Guest Login
bull Flexible Guest Logins for Any Visitor
bull Customizable Splash Pages
bull Self-Service Workflows
bull SMS Authentication
bull Sponsoring
bull Social Login
bull Vouchers
bull Predefined UserPassword
bull MAC Caching for repeat visitors
bull Suitable for Mobile Devices
Clearpass Modules WorkflowsSecure Guest Login Look and Feel
Clearpass Modules WorkflowsOnBoard Employee Device
bull BYOD Employees Login with Personal Devices
bull User and IT friendly One time user registration no IT intervention
bull Security IT managed 8021X and Certificates
bull Context Data added to profile for adaptive policy and troubleshooting
bull Selfmanaged User can manage delete and block devices by their own
Clearpass Modules WorkflowsCertificate Distribution for BYOD
bull Domain
bull Key amp
Certificate
Enterprise PKI and CA Built-in ClearPass CA
Certificate
Authority
Validation
Authority
Registration
Authority
Active
Directory
IT-Managed
Devices
bull Domain
bull User
bull Device
bull Key amp Unique
Certificate
Personal
Devices
CA
Certificate
Authority
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionageangriff auf BV
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage Beispiel aus der Schweiz
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage Empfehlungen
bull Klassifizierung von Dokumenten
bull Regeln fuumlr die verschiedenen Klassfizierungen durchsetzen
bull Netzwerkmonitoring betr verdaumlchtigem Datenverkehr
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Erpressung
httpwwwtrustedwatchde
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner laquoLockyraquo (12)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner laquoLockyraquo (22)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner Empfehlungen
bull Regelmaumlssige Datensicherung
bull Datentraumlger nach Backup vom PC Netz trennen
bull Qualitaumlt der Backups sporadisch uumlberpruumlfen
bull Keinesfalls Loumlsegeld bezahlen
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Max KlausStv Leiter Melde- und Analysestelle
Informationssicherung MELANI
Schwarztorstrasse 59
3003 Bern
Herzlichen Dank fuumlr Ihre Aufmerksamkeit
Mobile-First Arubalsquos sichere Netzwerkarchitektur fuumlr die GenMobileJoumlrg Hofmann HPE Aruba
MOBILE-FIRST
Sichere Netzwerkarchitektur
fuumlr die GenMobile
People Move
Networks Must Follow
WHO ARE WE
Source Gartner Magic Quadrant for the Wired and Wireless LAN Access Infrastructure September 2015 Tim Zimmerman Bill Menezes Andrew Lerner ID Number
G00277052 This Magic Quadrant graphic was published by Gartner Inc as part of a larger research note and should be evaluated in the context of the entire report
The Gartner report is available upon request from HP The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period It depicts
Gartners analysis of how certain vendors measure against criteria for that marketplace as defined by Gartner Gartner does not endorse any vendor product or
service depicted in the Magic Quadrant and does not advise technology users to select only those vendors placed in the Leaders quadrant The Magic Quadrant is
intended solely as a research tool and is not meant to be a specific guide to action Gartner disclaims all warranties express or implied with respect to this research
including any warranties of merchantability or fitness for a particular purpose
ldquoClients globally should consider
Aruba for all wired and wireless
access layer opportunitiesrdquo
Gartner MQ for Wired and Wireless LAN
Access Infrastructure August 2016
Founded 2002 IPO 2007
HPErsquos IT Edge portfolio since June 2015
$24B+ annual revenue run rate
ldquoBiggest Small Companyrdquo
High touch business model
ldquoCustomer First Customer Lastrdquo
Home of 45K+ Mobility Engineers
Airheads Community
ENABLING GREAT
DIGITAL EXPERIENCES FOR GENMOBILE
70 SAY A MOBILE DEVICE MAKES THEM MORE
PRODUCTIVE AT WORK
By 2018 60 of users in mature markets will own and use more
than 3 personal devices
50 of enterprises will allow employees to supply their own
devices by 2017
Forrester ndash CIOs Must Empower the Digital Workplace
Forrester ndash The State of Enterprise Worker Mobility
Gartner ndash The Role of the Desktop in Our Multi-Device World
BY 2020 50 OF THE GLOBAL WORKFORCE WILL BE MILLENNIALS
Millennials believe their personal technology is more
effective at work
63 of millennials work for a company that offers a flexible
work environment
Trends 2016 ndash Code Conference Mary Meeker Annual Presentation
Gartner ndash Millennial Digital Workers Really Are Different From Their Elders
LESS THAN 50 OF EMPLOYEES ARE
SATISFIED WITH TECH THEY HAVE AT WORK
Employees want an environment where they can access and use the technology hey need to do
their best work
Enterprises need to think how untethered employees can move
easily and seamlessly from personal workspace to huddle
area to open areas
Trends 2016 ndash Code Conference Mary Meeker Annual Presentation
Gartner ndash Millennial Digital Workers Really Are Different From Their Elders
80+ NEW IOT PROJECTS TO BE DEPLOYED WITH WIRELESS NETWORK ARCHITECTURE
Installed base of IoTendpoints will grow from
121B in lsquo15 to 30B+ in lsquo20
WLAN will become IoTconnectivity method of choice for many organizations and choosing
the wrong wireless tech can hinder the value of IoT
IDC ndash Planscape Optimizing the WLAN for IoT
IDC ndash Worldwide Internet of Things Forecast Update 2016-2020
THE PERFECT STORM
MOBILE IoT and CLOUD
ldquoOLD STYLErdquo IT INFRASTRUCTURE
Gen Y
ldquoNEW STYLErdquo IT INFRASTRUCTURE
GenMobile
OUR APPROACH
LegacySeparate architectures
Port VLAN aware
Proprietary systems
Mobile FirstSingle set of infrastructure
Insightful context-rich
Developer ready
REQUIREMENTS
FOR IT ORGANIZATIONS
Scale network ops
across wireless and
wired infrastructure
Enable high
quality experience
on mobile UC
Stay compliant
while embracing
BYOD and IoT
Deliver apps to
remote locations
in a heartbeat
Improve workplace
productivity and
influence revenue
growth
EASY TO CONSUME DEVELOPER READY INFRASTRUCTURE
INNOVATION AT THE SPEED OF THE ECOSYSTEM ndash NOT A SINGLE VENDOR
Aruba infrastructure
Wi-Fi BLE Wired WAN
Aruba Mobile First Platform
x
Micro-location
services
Cloud
networking
Location
analytics
Policy
management
Network
managementNetwork
controls
IT services
Business and user facing applications
EMPLOYEE
EXPERIENCE
0900
ENROLL
MOBILE DEVICE
1100
PRIVILEGED ACCESS
WITH MULTI-FACTOR
AUTHENTICATION
1300
BOOK
MEETING ROOM
OPERATIONAL
EXPERIENCE
0930
UNDERSTAND
APP USAGE
Aruba AppRF
1530
MONITOR HEALTH
OF THE SMART
BUILDING
IT EXPERIENCE
1100
PREDICT
DONrsquoT JUST
TROUBLESHOOT
Aruba Clarity
1330
UNDERSTAND
DONrsquoT JUST
MONITOR
ONCE BYOD AND IoT
ARE ON YOUR
NETWORK hellip
SECURING THE
PERIMETER IS NO
LONGER ENOUGH
STAY COMPLIANT
WHILE EMBRACING BYOD AND IOT
Auto-classify unknown devices
on any network with Aruba ClearPass
Automate onboarding of each device
to the network and enforce policy
Detect amp eliminate threats
with ClearPass Exchange partners
SOFTWARE CONTROLS FOR
NETWORK ACCESS SECURITY
Internet of
Things (IoT)
BYOD and
corporate owned
REST
API
Security monitoring
and threat prevention
Device management and
multi-factor authentication
Helpdesk and voiceSMS
service in the cloud
Multi-vendor
switching
Multi-vendor
WLANs
Aruba ClearPass with
Exchange Ecosystem
SOFTWARE CONTROLS FOR “COLORLESS” PORTS
Device and user identity stores
Ports assigned to new VLANs through ClearPass based on device type
IoT devices on the wired network connecting to any port
Prevention against malware and insider threats
Secure per device tunneling to Aruba Mobility Controller
Aruba switches
LEADING SWISS BRANDS TRUST US
Break
Aruba ClearPass – The Solution for Secure Network Access (Manuel Bitzi, SOFTEC AG)
Evolution of Access Management and Control
YESTERDAY: Desktops & Wired
Basic AAA with User/Port Control
Windows Vulnerabilities
Perimeter security via platform silos
High touch IT model
TODAY: Mobile Devices, BYOD & Wireless
Multi-factor policy control with visibility
Multiple Attack Vectors
Cooperative trust via context sharing
Self Service, automated process
Time For A New Mobility Defense Model
Static Perimeter Defense: IDS/IPS, Firewalls, Perimeter Defense, Physical Components, AntiVirus, Web gateways
Adaptive Trust Defense: Security and Policy for each user or group
What are the main reasons for a NAC?
Authentication / access protection
Automatic configuration
Workflows
Visibility / traceability
Top IT NAC Business Drivers
Authentication and Authorization
NAC Services Deployment
Architecture and Coverage
• Provide secure wired and wireless access
• Enhance mobile and cloud app access
• Use of certificates
Deployment Services
• Offer differentiated access (IT-owned, BYOD, IoT)
• Deliver managed and reliable guest access
• Provide consistent privileges regardless of location
• Leverage 3rd-party security solutions
• IT-controlled access
• Automate workflows
• Simplicity
• Possible User-intervention
ClearPass Policy Manager and NAC Solution
Onboard, Guest
Built-in: • Policy Engine • RADIUS/CoA/TACACS • Profiling • Accounting/reports • Identity store
Expandable Applications
Remote Location
• BYOD onboarding • Simple guest access • Health assessments
OnGuard
What’s Inside
VISIBILITY: Device Profiling, Troubleshooting, Per Session Tracking
WORKFLOW: Onboarding and Self-Registration, Guest Management, MDM/EMM Integration
RULES: Context based, Device Posture Checks, Built-in Certificate Authority
Authentication based on Device Context
Device Profiling:
• Samsung SM-G900
• Android
• “Jons-Galaxy”
EMM/MDM/OnGuard:
• Personal owned
• Registered
• OS up-to-date
• Hansen Jon [Sales]
• MDM enabled = true
• In-compliance = true
Identity Stores / Network Devices:
• Hansen Jon [Sales]
• Title – COO
• Dept – Executive office
• City – London
• Location – Bldg 10
• Floor – 3
• Bandwidth – 10Mbps
Value of a Policy Engine: Remove SSID Overload
NEW WAY: Simplify, separate traffic dynamically by context
OLD WAY: Separate access & traffic by SSIDs
ClearPass Exchange: End-to-End Control, Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voice/SMS service in the cloud
Combine Identity Information
Standard Protocols for custom extensions: REST API, SQL, XML/HTTP, LDAP, RADIUS, TACACS
Traffic control & threat prevention
ClearPass Exchange Example: Extensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
1 Devices establish connections
2 Devices profiled
3 ClearPass checks McAfee ePO for endpoint status
4 ClearPass enforces access privileges
ClearPass Exchange Example: Bi-directional Exchange – Firewall/IPS Event
Firewall/IPS/SIEM etc. …
1 user connects and uploads threat
2 detects and blocks event
3 sends event to ClearPass
4 informs infrastructure
5 isolates user
6 notifies user, opens service ticket, notifies third-party devices
ClearPass Profiler Engine
• ClearPass collects as much information as possible to determine a device type
• Category, Family, Product Name
• The fingerprint database is updated regularly
• Create your own fingerprints
• Store credentials for SNMP, SSH etc.
• Profiling at authentication or on demand
• Detection of IoT devices
Data sources: DHCP, SNMP, SSH, TCP/WMI, CDP/LLDP, OnGuard, NMAP, MAC OUI, HTTP
ClearPass Profiler Engine: Profiling on authentication, discover IoT
Before: unknown → After: Lighting Sensor
Before: unknown → After: Temperature Sensor
send to quarantine, profiling, assign new policy
discover IoT, assign appropriate policy
ClearPass Profiler Engine: Custom Fingerprints Rules
NEW WAY: Create your own Fingerprints
OLD WAY: Wait for new Fingerprints to be made and/or manually override devices
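The profiler slides above (data sources, fingerprint database, custom fingerprints) in working form, as an added example that is not ClearPass code: the collector attributes, fingerprint entries, OUIs and endpoints are constructed for illustration, and the matching rules (the most specific fingerprint wins, a custom fingerprint beats a built-in one on a tie) are an assumption about how such an engine behaves.

```python
"""Minimal device-profiling engine: collectors (DHCP, MAC OUI, HTTP, SNMP)
contribute attributes, a fingerprint database maps attribute combinations to
Category / Family / Product Name, and an operator can add custom fingerprints
for devices the built-in database does not know.
Added example, not ClearPass code; all fingerprints, OUIs and endpoints below
are constructed."""
from dataclasses import dataclass

# Attributes compared by case-insensitive substring; all others must match exactly.
TEXT_ATTRS = {"dhcp_vendor_class", "http_user_agent", "snmp_sysdescr"}
UNKNOWN = ("Unknown", "Unknown", "Unknown")


@dataclass(frozen=True)
class Fingerprint:
    """One fingerprint rule: every listed (attribute, value) pair must match."""
    category: str
    family: str
    product: str
    match: tuple          # ((attribute, expected_value), ...)
    custom: bool = False  # custom rules outrank built-in rules on a tie


# Constructed stand-in for the vendor fingerprint database.
BUILTIN_DB = [
    Fingerprint("SmartDevice", "Android", "Samsung SM-G900",
                (("mac_oui", "8C:77:12"), ("dhcp_vendor_class", "android-dhcp"))),
    Fingerprint("SmartDevice", "Android", "Generic Android",
                (("dhcp_vendor_class", "android-dhcp"),)),
    Fingerprint("Computer", "Windows", "Windows 10",
                (("dhcp_option55", "1,3,6,15,31,33,43,44,46,47,119,121,249,252"),)),
    Fingerprint("Printer", "HP", "HP LaserJet",
                (("snmp_sysdescr", "HP ETHERNET MULTI-ENVIRONMENT"),)),
]


def _attr_matches(endpoint, attr, expected):
    actual = endpoint.get(attr)
    if actual is None:
        return False
    if attr in TEXT_ATTRS:
        return expected.lower() in actual.lower()
    return actual == expected


def classify(endpoint, db):
    """Return (category, family, product) of the best matching fingerprint.

    The most specific rule (most matched attributes) wins; on a tie a custom
    rule beats a built-in one, so an operator can override a wrong match.
    """
    best_score, best = (0, False), None
    for fp in db:
        if all(_attr_matches(endpoint, a, v) for a, v in fp.match):
            score = (len(fp.match), fp.custom)
            if score > best_score:
                best_score, best = score, fp
    return UNKNOWN if best is None else (best.category, best.family, best.product)


def merge(endpoint, collector, attrs):
    """Fold in attributes learned by one collector; later data refines, never erases."""
    merged = dict(endpoint)
    merged.update(attrs)
    merged["collectors"] = merged.get("collectors", ()) + (collector,)
    return merged


def add_custom_fingerprint(db, category, family, product, **match):
    """Return a new database with an operator-defined fingerprint appended."""
    return db + [Fingerprint(category, family, product, tuple(match.items()), custom=True)]


def demo():
    """Profile a phone and an unknown IoT sensor before and after a custom fingerprint."""
    # Constructed collector output for two endpoints.
    galaxy = merge({"mac_oui": "8C:77:12"}, "dhcp", {"dhcp_vendor_class": "android-dhcp-7.0"})
    sensor = merge({"mac_oui": "00:1B:C5"}, "dhcp", {"dhcp_option55": "1,3,6,12,15"})
    sensor = merge(sensor, "http", {"http_user_agent": "TempNode/2.1 (ESP8266)"})
    before = {"galaxy": classify(galaxy, BUILTIN_DB), "sensor": classify(sensor, BUILTIN_DB)}
    # The sensor stays Unknown until the operator writes a fingerprint for it.
    db = add_custom_fingerprint(BUILTIN_DB, "Sensor", "IoT", "Temperature Sensor",
                                mac_oui="00:1B:C5", http_user_agent="TempNode")
    after = {"galaxy": classify(galaxy, db), "sensor": classify(sensor, db)}
    return before, after


if __name__ == "__main__":
    print(demo())
```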
ClearPass Universal Profiler: Standalone Profiling Engine
• Standalone profiling engine
• Wired and wireless networks
• Easily distributed for coverage and scalability
• New device visibility dashboard
• Reports
• Gain Visibility of your Network
• GA February 2017
ClearPass Universal Profiler
DEMO: Profiling
Clearpass Modules / Workflows: OnGuard Client Health Check
• Automated Healthcheck before Access
• Wired/Wireless: Ensures posture compliance for laptops/computers
• Security: Forces use of Anti-Virus/Anti-Spyware, firewalls, disk encryption …
• Remediation: Manual or auto
• Visibility: Identifies poor behavior
• User Notification: Tells User about failed checks
• Type: Service or dissolvable Web Checker
DEMO: OnGuard
Clearpass Modules / Workflows: Secure Guest Login
• Flexible Guest Logins for Any Visitor
• Customizable Splash Pages
• Self-Service Workflows
• SMS Authentication
• Sponsoring
• Social Login
• Vouchers
• Predefined User/Password
• MAC Caching for repeat visitors
• Suitable for Mobile Devices
Clearpass Modules / Workflows: Secure Guest Login Look and Feel
Clearpass Modules / Workflows: OnBoard Employee Device
• BYOD: Employees Login with Personal Devices
• User and IT friendly: One time user registration, no IT intervention
• Security: IT managed 802.1X and Certificates
• Context: Data added to profile for adaptive policy and troubleshooting
• Self-managed: Users can manage, delete and block devices on their own
Clearpass Modules / Workflows: Certificate Distribution for BYOD
Enterprise PKI and CA: Certificate Authority, Validation Authority, Registration Authority, Active Directory
→ IT-Managed Devices: • Domain • Key & Certificate
Built-in ClearPass CA: Certificate Authority (AD/RA/VA/CA)
→ Personal Devices: • Domain • User • Device • Key & Unique Certificate
Clearpass Modules / Workflows: Multi-Factor Authentication
• Additional Authentication for Guest and Onboard Workflows
• Multiple Support:
• SMS Verification Code
• RSA Security
• Duo
• Zoom Facial Network
• Kasada
• More to come
DEMO: OnBoard BYOD
Possible access concept: Wireless
Guests: SSID “open”, Captive-Portal
BYOD: SSID “secure”, Dot1x
SSID “IoT”: PSK/MAC/Profiling
Target networks: Internet only, Corp LAN, Internet
Further device classes: Corp-PC, others
Possible access concept: Wired
Guests: Captive-Portal
Authentication methods: Dot1x, MAC-Auth, Profiling
Target networks: Internet only, Corp LAN, Internet
Further device classes: Corp-PC (Cert), others
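The device-context slide, the "profiling on authentication" slide and the two access concepts above, combined into a small policy engine as an added example (not ClearPass's code): the VLAN numbers, role names, attribute names and the ordered rules are constructed assumptions chosen to mirror the slides (guests to Internet only, compliant 802.1X devices to the Corp LAN, profiled IoT devices to their own segment, unknown devices to quarantine until profiled).

```python
"""Context-based access policy: join the authentication method, the profiler's
device category, posture from OnGuard/MDM and identity attributes, and return
an enforcement profile (role + VLAN). The same switch port ends up in
different VLANs depending on what connects (“colorless port”), and a device
that is still unknown is quarantined until the profiler has classified it.
Added example, not ClearPass code; VLAN numbers, roles and rules are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Enforcement:
    role: str
    vlan: int
    reprofile: bool = False  # ask the profiler to collect more data on this endpoint


CORP_LAN = Enforcement("employee", 10)
INTERNET_ONLY = Enforcement("guest", 20)
IOT = Enforcement("iot", 30)
REMEDIATION = Enforcement("remediation", 98)
QUARANTINE = Enforcement("quarantine", 99, reprofile=True)


def _healthy(ctx):
    """Posture as reported by OnGuard or an MDM/EMM; missing data counts as unhealthy."""
    return bool(ctx.get("in_compliance")) and bool(ctx.get("os_up_to_date"))


# Ordered rule list: the first rule whose condition holds decides, so order matters.
POLICY = [
    ("guest via captive portal",
     lambda c: c["auth"] == "captive-portal", INTERNET_ONLY),
    ("corporate PC with machine certificate, posture OK",
     lambda c: c["auth"] == "dot1x-cert" and c.get("owner") == "corporate" and _healthy(c),
     CORP_LAN),
    ("onboarded BYOD, MDM managed and in compliance",
     lambda c: c["auth"] == "dot1x-cert" and c.get("owner") == "personal"
     and bool(c.get("mdm_enabled")) and _healthy(c),
     CORP_LAN),
    ("802.1X authenticated but posture failed",
     lambda c: c["auth"].startswith("dot1x") and not _healthy(c), REMEDIATION),
    ("profiled IoT sensor on MAC authentication",
     lambda c: c["auth"] == "mac-auth" and c.get("category") == "Sensor", IOT),
]


def evaluate(ctx):
    """Return (rule name, Enforcement) for a device context; unknown devices are quarantined."""
    for name, condition, enforcement in POLICY:
        if condition(ctx):
            return name, enforcement
    return "no rule matched: quarantine and profile", QUARANTINE


def needs_coa(previous, current):
    """A RADIUS Change-of-Authorization is needed when a live session must be moved."""
    return previous is not None and previous != current


def demo():
    """Four devices, including one port whose VLAN changes once profiling completes."""
    # Constructed contexts, modelled on the device-context slide.
    jons_galaxy = {"auth": "dot1x-cert", "owner": "personal", "mdm_enabled": True,
                   "in_compliance": True, "os_up_to_date": True, "user": "Hansen Jon [Sales]"}
    visitor = {"auth": "captive-portal", "category": "SmartDevice"}
    stale_pc = {"auth": "dot1x-cert", "owner": "corporate", "in_compliance": True,
                "os_up_to_date": False}
    # Same wall port, same MAC: first seen unprofiled, then classified by the profiler.
    sensor_first = {"auth": "mac-auth", "category": "Unknown", "port": "1/0/7"}
    sensor_profiled = dict(sensor_first, category="Sensor")

    first = evaluate(sensor_first)[1]
    later = evaluate(sensor_profiled)[1]
    return {
        "galaxy": evaluate(jons_galaxy)[1],
        "visitor": evaluate(visitor)[1],
        "stale_pc": evaluate(stale_pc)[1],
        "sensor_first": first,
        "sensor_profiled": later,
        "sensor_coa": needs_coa(first, later),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} {result}")
```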
How to approach a NAC project: Best practice and experience
• Know the devices on the network
• What is there? Where are they? New ones?
• Inventory, profiling
• Define use cases
• Which stakeholder groups are there?
• Procedures, processes, access
• Simple and few: Keep it Simple
• Plan enough time for a proof of concept
• Bring in the experience from the PoC and adjust
• Implementation step by step
• Not everything at once
• But in the end comprehensive
Thank you for your attention
Manuel Bitzi, Project Manager Network Engineering
manuelbitzisoftecch
Apéro and Networking
Thank you for your visit
SOFTEC AG, Industriestrasse 51, CH-6312 Steinhausen
kurtchristensoftecch, +41 41 747 07 60
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Espionage: Example from Switzerland
Espionage: Recommendations
• Classification of documents
• Enforce the rules for the different classifications
• Network monitoring for suspicious traffic
• Inform MELANI / KOBIK, possibly file a criminal complaint against unknown persons with the cantonal police (KaPo)
Extortion
httpwwwtrustedwatchde
Encryption trojan «Locky» (1/2)
Encryption trojan «Locky» (2/2)
Encryption trojan: Recommendations
• Regular data backups
• Disconnect the backup medium from the PC / network after the backup
• Check the quality of the backups sporadically
• Never pay a ransom
• Inform MELANI / KOBIK, possibly file a criminal complaint against unknown persons with the cantonal police (KaPo)
Max Klaus, Deputy Head of the Melde- und Analysestelle Informationssicherung MELANI
Schwarztorstrasse 59
3003 Bern
Thank you for your attention
Mobile-First: Aruba’s secure network architecture for the GenMobile (Jörg Hofmann, HPE Aruba)
MOBILE-FIRST
Secure network architecture for the GenMobile
People Move, Networks Must Follow
WHO ARE WE
Source: Gartner Magic Quadrant for the Wired and Wireless LAN Access Infrastructure, September 2015, Tim Zimmerman, Bill Menezes, Andrew Lerner, ID Number G00277052. This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from HP. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner’s analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant and does not advise technology users to select only those vendors placed in the Leaders quadrant. The Magic Quadrant is intended solely as a research tool and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
“Clients globally should consider Aruba for all wired and wireless access layer opportunities”
Gartner MQ for Wired and Wireless LAN Access Infrastructure, August 2016
Founded 2002, IPO 2007
HPE’s IT Edge portfolio since June 2015
$24B+ annual revenue run rate
“Biggest Small Company”
High touch business model
“Customer First, Customer Last”
Home of 45K+ Mobility Engineers: Airheads Community
ENABLING GREAT DIGITAL EXPERIENCES FOR GENMOBILE
70% SAY A MOBILE DEVICE MAKES THEM MORE PRODUCTIVE AT WORK
By 2018, 60% of users in mature markets will own and use more than 3 personal devices
50% of enterprises will allow employees to supply their own devices by 2017
Forrester – CIOs Must Empower the Digital Workplace
Forrester – The State of Enterprise Worker Mobility
Gartner – The Role of the Desktop in Our Multi-Device World
BY 2020, 50% OF THE GLOBAL WORKFORCE WILL BE MILLENNIALS
Millennials believe their personal technology is more effective at work
63% of millennials work for a company that offers a flexible work environment
Trends 2016 – Code Conference, Mary Meeker Annual Presentation
Gartner – Millennial Digital Workers Really Are Different From Their Elders
LESS THAN 50% OF EMPLOYEES ARE SATISFIED WITH TECH THEY HAVE AT WORK
Employees want an environment where they can access and use the technology they need to do their best work
Enterprises need to think how untethered employees can move easily and seamlessly from personal workspace to huddle area to open areas
Trends 2016 – Code Conference, Mary Meeker Annual Presentation
Gartner – Millennial Digital Workers Really Are Different From Their Elders
80%+ NEW IOT PROJECTS TO BE DEPLOYED WITH WIRELESS NETWORK ARCHITECTURE
Installed base of IoT endpoints will grow from 12.1B in ’15 to 30B+ in ’20
WLAN will become the IoT connectivity method of choice for many organizations, and choosing the wrong wireless tech can hinder the value of IoT
IDC – Planscape: Optimizing the WLAN for IoT
IDC – Worldwide Internet of Things Forecast Update 2016-2020
THE PERFECT STORM: MOBILE, IoT and CLOUD
ldquoOLD STYLErdquo IT INFRASTRUCTURE
Gen Y
ldquoNEW STYLErdquo IT INFRASTRUCTURE
GenMobile
OUR APPROACH
LegacySeparate architectures
Port VLAN aware
Proprietary systems
Mobile FirstSingle set of infrastructure
Insightful context-rich
Developer ready
REQUIREMENTS
FOR IT ORGANIZATIONS
Scale network ops
across wireless and
wired infrastructure
Enable high
quality experience
on mobile UC
Stay compliant
while embracing
BYOD and IoT
Deliver apps to
remote locations
in a heartbeat
Improve workplace
productivity and
influence revenue
growth
EASY TO CONSUME DEVELOPER READY INFRASTRUCTURE
INNOVATION AT THE SPEED OF THE ECOSYSTEM ndash NOT A SINGLE VENDOR
Aruba infrastructure
Wi-Fi BLE Wired WAN
Aruba Mobile First Platform
x
Micro-location
services
Cloud
networking
Location
analytics
Policy
management
Network
managementNetwork
controls
IT services
Business and user facing applications
EMPLOYEE
EXPERIENCE
0900
ENROLL
MOBILE DEVICE
1100
PRIVILEGED ACCESS
WITH MULTI-FACTOR
AUTHENTICATION
1300
BOOK
MEETING ROOM
OPERATIONAL
EXPERIENCE
0930
UNDERSTAND
APP USAGE
Aruba AppRF
1530
MONITOR HEALTH
OF THE SMART
BUILDING
IT EXPERIENCE
1100
PREDICT
DONrsquoT JUST
TROUBLESHOOT
Aruba Clarity
1330
UNDERSTAND
DONrsquoT JUST
MONITOR
ONCE BYOD AND IoT
ARE ON YOUR
NETWORK hellip
SECURING THE
PERIMETER IS NO
LONGER ENOUGH
STAY COMPLIANT
WHILE EMBRACING BYOD AND IOT
Auto-classify unknown devices
on any network with Aruba ClearPass
Automate onboarding of each device
to the network and enforce policy
Detect amp eliminate threats
with ClearPass Exchange partners
SOFTWARE CONTROLS FOR
NETWORK ACCESS SECURITY
Internet of
Things (IoT)
BYOD and
corporate owned
REST
API
Security monitoring
and threat prevention
Device management and
multi-factor authentication
Helpdesk and voiceSMS
service in the cloud
Multi-vendor
switching
Multi-vendor
WLANs
Aruba ClearPass with
Exchange Ecosystem
SOFTWARE CONTROLS FOR ldquoCOLORLESSrdquo PORTS
Device and
user identity
stores
Ports assigned to new
VLANs through ClearPass
based on device type
IoT devices on the
wired network
connecting to any portPrevention against malware
and insider threats
Secure per device
tunneling to Aruba
Mobility Controller
Aruba
switches
LEADING
SWISS
BRANDS
TRUST
US
Pause
Aruba ClearPass ndash Die Loumlsung fuumlr einen sicheren NetzwerkzugangManuel Bitzi SOFTEC AG
Evolution of Access Management and Control
Desktops amp Wired
Basic AAA with UserPort
Control
Windows Vulnerabilities
Perimeter security via
platform silos
High touch IT model
Mobile Devices BYOD amp
Wireless
Multi-factor policy control with
visibility
Multiple Attack Vectors
Cooperative trust via
context sharing
Self Service automated
process
YESTERDAY TODAY
Time For A New Mobility Defense Model
Static Perimeter Defense
IDSIPS
Firewalls
Adaptive Trust Defense
Perimeter
Defense
Physical
Components
AntiVirus
Security and Policy
for each user or
group
Web
gateways
Was sind die Hauptgruumlnde fuumlr ein NAC
AuthentifizierungZugriffsschutz
Automatische Konfiguration
Workflows
VisibilitaumltNachvollziehbarkeit
Top IT NAC Business Drivers
Authentication and Authorization
NAC Services Deployment
Architecture and Coverage
bull Provide secure wired
and wireless access
bull Enhance mobile and
cloud app access
bull Use of certificates
Deployment Services
bull Offer differentiated
access (IT-owned
BYOD IoT)
bull Deliver managed
and reliable guest
access
bull Provide consistent
privileges regardless
of location
bull Leverage 3rd-party
security solutions
bull IT-controlled access
bull Automate workflows
bull Simplicity
bull Possible User-
intervention
ClearPass Policy Manager and NAC Solution
Onboard Guest
Built-inbull Policy Enginebull RADIUSCoATACACSbull Profilingbull Accountingreportsbull Identity store
Expandable Applications
Remote Location
bull BYOD onboardingbull Simple guest accessbull Health assessments
OnGuard
Whatrsquos Inside
VISIBILITY
Device Profiling
Troubleshooting
Per Session Tracking
WORKFLOW
Onboarding and
Self-Registration
Guest Management
MDMEMM Integration
RULES
Context based
Device
Posture Checks
Built-in Certificate
Authority
Authentication based on Device Context
Device
Profiling
bull Samsung SM-G900
bull Android
bull ldquoJons-Galaxyrdquo
EMMMDMOnGuard
bull Personal owned
bull Registered
bull OS up-to-date
bull Hansen Jon [Sales]
bull MDM enabled = true
bull In-compliance = true
Identity
Stores
Network Devices
bull Hansen Jon [Sales]
bull Title ndash COO
bull Dept ndash Executive office
bull City ndash London
bull Location ndash Bldg 10
bull Floor ndash 3
bull Bandwidth ndash 10Mbps
Value of a Policy EngineRemove SSID Overload
NEW WAY Simplify separate traffic dynamically
by context
OLD WAY Separate access amp
traffic by SSIDs
ClearPass ExchangeEnd-to-End Control Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voiceSMSservice in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST APISQL
XMLHTTP LDAP
RADIUSTACACS
Traffic control ampthreat prevention
ClearPass Exchange ExampleExtensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
Devices profiled2 ClearPass checks McAfee ePO for endpoint status
3
ClearPass enforcesaccess privileges4
Devices establish connections1
ClearPass Exchange ExampleBi-directional Exchange ndash FirewallIPS Event
FirewallIPSSIEMetchellip
user connects and uploads threat
sends event to ClearPass
informs infrastructure
1 2
4
detects and blocks event
3isolates user5
notifies user opens service ticket notify third-party devices6
ClearPass Profiler Engine
bull ClearPass sammelt so viele Informationen wie moumlglich um einen Geraumltetyp zu bestimmen
bull Category Family Product Name
bull Fingerprint-Datenbank wird regelmaumlssig aktualisiert
bull Eigene Fingerprints erstellen
bull Credentials fuumlr SMNP SSH etc hinterlegen
bull Profiling bei Authentifizierung oder nach Bedarf
bull Erkennen von IoT Devices
DHCP
SNMP
SSH
TCPWMI
CDP LLDP
OnGuard
NMAP
Mac OUI
HTTP
ClearPass Profiler EngineProfiling on authentication discover IoT
AfterBefore
Lighting Sensorunknown
unknown Temperature Sensor
send to
quarantineprofiling assign
new policy
discover IoT assign appropriated policy
ClearPass Profiler EngineCustom Fingerprints Rules
NEW WAY Create your own
Fingerprints
OLD WAY Wait for new Fingerprints to be made andor manually override
devices 11
ClearPass Universal ProfilerStandalone Profiling Engine
bull Standalone profiling engine
bull Wired and wireless networks
bull Easily distributed for coverage
and scalability
bull New device visibility dashboard
bull Reports
bull Gain Visibility of your Network
bull GA February 2017
ClearPass Universal Profiler
DEMO Profiling
Clearpass Modules WorkflowsOnGuard Client Health Check
bull Automated Healthcheck before Access
bull WiredWireless Ensures posture compliance for laptopscomputers
bull Security Forces use of Anti-VirusAnti-Spyware firewalls disk encryptionhellip
bull Remediation Manual or auto
bull Visibility Identifies poor behavior
bull User Notification Tells User about failed checks
bull Type Service or dissolvable Web Checker
DEMO OnGuard
Clearpass Modules WorkflowsSecure Guest Login
bull Flexible Guest Logins for Any Visitor
bull Customizable Splash Pages
bull Self-Service Workflows
bull SMS Authentication
bull Sponsoring
bull Social Login
bull Vouchers
bull Predefined UserPassword
bull MAC Caching for repeat visitors
bull Suitable for Mobile Devices
Clearpass Modules WorkflowsSecure Guest Login Look and Feel
Clearpass Modules WorkflowsOnBoard Employee Device
bull BYOD Employees Login with Personal Devices
bull User and IT friendly One time user registration no IT intervention
bull Security IT managed 8021X and Certificates
bull Context Data added to profile for adaptive policy and troubleshooting
bull Selfmanaged User can manage delete and block devices by their own
Clearpass Modules WorkflowsCertificate Distribution for BYOD
bull Domain
bull Key amp
Certificate
Enterprise PKI and CA Built-in ClearPass CA
Certificate
Authority
Validation
Authority
Registration
Authority
Active
Directory
IT-Managed
Devices
bull Domain
bull User
bull Device
bull Key amp Unique
Certificate
Personal
Devices
CA
Certificate
Authority
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Spionage Empfehlungen
bull Klassifizierung von Dokumenten
bull Regeln fuumlr die verschiedenen Klassfizierungen durchsetzen
bull Netzwerkmonitoring betr verdaumlchtigem Datenverkehr
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Erpressung
httpwwwtrustedwatchde
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner laquoLockyraquo (12)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner laquoLockyraquo (22)
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Verschluumlsselungstrojaner Empfehlungen
bull Regelmaumlssige Datensicherung
bull Datentraumlger nach Backup vom PC Netz trennen
bull Qualitaumlt der Backups sporadisch uumlberpruumlfen
bull Keinesfalls Loumlsegeld bezahlen
bull Information an MELANI KOBIK allenfalls Strafanzeige gegen Unbekannt bei KaPo
ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Max KlausStv Leiter Melde- und Analysestelle
Informationssicherung MELANI
Schwarztorstrasse 59
3003 Bern
Herzlichen Dank fuumlr Ihre Aufmerksamkeit
Mobile-First Arubalsquos sichere Netzwerkarchitektur fuumlr die GenMobileJoumlrg Hofmann HPE Aruba
MOBILE-FIRST
Sichere Netzwerkarchitektur
fuumlr die GenMobile
People Move
Networks Must Follow
WHO ARE WE
Source Gartner Magic Quadrant for the Wired and Wireless LAN Access Infrastructure September 2015 Tim Zimmerman Bill Menezes Andrew Lerner ID Number
G00277052 This Magic Quadrant graphic was published by Gartner Inc as part of a larger research note and should be evaluated in the context of the entire report
The Gartner report is available upon request from HP The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period It depicts
Gartners analysis of how certain vendors measure against criteria for that marketplace as defined by Gartner Gartner does not endorse any vendor product or
service depicted in the Magic Quadrant and does not advise technology users to select only those vendors placed in the Leaders quadrant The Magic Quadrant is
intended solely as a research tool and is not meant to be a specific guide to action Gartner disclaims all warranties express or implied with respect to this research
including any warranties of merchantability or fitness for a particular purpose
ldquoClients globally should consider
Aruba for all wired and wireless
access layer opportunitiesrdquo
Gartner MQ for Wired and Wireless LAN
Access Infrastructure August 2016
Founded 2002 IPO 2007
HPErsquos IT Edge portfolio since June 2015
$24B+ annual revenue run rate
ldquoBiggest Small Companyrdquo
High touch business model
ldquoCustomer First Customer Lastrdquo
Home of 45K+ Mobility Engineers
Airheads Community
ENABLING GREAT
DIGITAL EXPERIENCES FOR GENMOBILE
70 SAY A MOBILE DEVICE MAKES THEM MORE
PRODUCTIVE AT WORK
By 2018 60 of users in mature markets will own and use more
than 3 personal devices
50 of enterprises will allow employees to supply their own
devices by 2017
Forrester ndash CIOs Must Empower the Digital Workplace
Forrester ndash The State of Enterprise Worker Mobility
Gartner ndash The Role of the Desktop in Our Multi-Device World
BY 2020 50 OF THE GLOBAL WORKFORCE WILL BE MILLENNIALS
Millennials believe their personal technology is more
effective at work
63 of millennials work for a company that offers a flexible
work environment
Trends 2016 ndash Code Conference Mary Meeker Annual Presentation
Gartner ndash Millennial Digital Workers Really Are Different From Their Elders
LESS THAN 50 OF EMPLOYEES ARE
SATISFIED WITH TECH THEY HAVE AT WORK
Employees want an environment where they can access and use the technology hey need to do
their best work
Enterprises need to think how untethered employees can move
easily and seamlessly from personal workspace to huddle
area to open areas
Trends 2016 ndash Code Conference Mary Meeker Annual Presentation
Gartner ndash Millennial Digital Workers Really Are Different From Their Elders
80+ NEW IOT PROJECTS TO BE DEPLOYED WITH WIRELESS NETWORK ARCHITECTURE
Installed base of IoTendpoints will grow from
121B in lsquo15 to 30B+ in lsquo20
WLAN will become IoTconnectivity method of choice for many organizations and choosing
the wrong wireless tech can hinder the value of IoT
IDC ndash Planscape Optimizing the WLAN for IoT
IDC ndash Worldwide Internet of Things Forecast Update 2016-2020
THE PERFECT STORM
MOBILE IoT and CLOUD
ldquoOLD STYLErdquo IT INFRASTRUCTURE
Gen Y
ldquoNEW STYLErdquo IT INFRASTRUCTURE
GenMobile
OUR APPROACH
LegacySeparate architectures
Port VLAN aware
Proprietary systems
Mobile FirstSingle set of infrastructure
Insightful context-rich
Developer ready
REQUIREMENTS
FOR IT ORGANIZATIONS
Scale network ops
across wireless and
wired infrastructure
Enable high
quality experience
on mobile UC
Stay compliant
while embracing
BYOD and IoT
Deliver apps to
remote locations
in a heartbeat
Improve workplace
productivity and
influence revenue
growth
EASY TO CONSUME DEVELOPER READY INFRASTRUCTURE
INNOVATION AT THE SPEED OF THE ECOSYSTEM ndash NOT A SINGLE VENDOR
Aruba infrastructure
Wi-Fi BLE Wired WAN
Aruba Mobile First Platform
x
Micro-location
services
Cloud
networking
Location
analytics
Policy
management
Network
managementNetwork
controls
IT services
Business and user facing applications
EMPLOYEE
EXPERIENCE
0900
ENROLL
MOBILE DEVICE
1100
PRIVILEGED ACCESS
WITH MULTI-FACTOR
AUTHENTICATION
1300
BOOK
MEETING ROOM
OPERATIONAL
EXPERIENCE
0930
UNDERSTAND
APP USAGE
Aruba AppRF
1530
MONITOR HEALTH
OF THE SMART
BUILDING
IT EXPERIENCE
1100
PREDICT
DONrsquoT JUST
TROUBLESHOOT
Aruba Clarity
1330
UNDERSTAND
DONrsquoT JUST
MONITOR
ONCE BYOD AND IoT
ARE ON YOUR
NETWORK hellip
SECURING THE
PERIMETER IS NO
LONGER ENOUGH
STAY COMPLIANT
WHILE EMBRACING BYOD AND IOT
Auto-classify unknown devices
on any network with Aruba ClearPass
Automate onboarding of each device
to the network and enforce policy
Detect amp eliminate threats
with ClearPass Exchange partners
SOFTWARE CONTROLS FOR
NETWORK ACCESS SECURITY
Internet of
Things (IoT)
BYOD and
corporate owned
REST
API
Security monitoring
and threat prevention
Device management and
multi-factor authentication
Helpdesk and voiceSMS
service in the cloud
Multi-vendor
switching
Multi-vendor
WLANs
Aruba ClearPass with
Exchange Ecosystem
SOFTWARE CONTROLS FOR ldquoCOLORLESSrdquo PORTS
Device and
user identity
stores
Ports assigned to new
VLANs through ClearPass
based on device type
IoT devices on the
wired network
connecting to any portPrevention against malware
and insider threats
Secure per device
tunneling to Aruba
Mobility Controller
Aruba
switches
LEADING
SWISS
BRANDS
TRUST
US
Pause
Aruba ClearPass ndash Die Loumlsung fuumlr einen sicheren NetzwerkzugangManuel Bitzi SOFTEC AG
Evolution of Access Management and Control
Desktops amp Wired
Basic AAA with UserPort
Control
Windows Vulnerabilities
Perimeter security via
platform silos
High touch IT model
Mobile Devices BYOD amp
Wireless
Multi-factor policy control with
visibility
Multiple Attack Vectors
Cooperative trust via
context sharing
Self Service automated
process
YESTERDAY TODAY
Time For A New Mobility Defense Model
Static Perimeter Defense
IDSIPS
Firewalls
Adaptive Trust Defense
Perimeter
Defense
Physical
Components
AntiVirus
Security and Policy
for each user or
group
Web
gateways
Was sind die Hauptgruumlnde fuumlr ein NAC
AuthentifizierungZugriffsschutz
Automatische Konfiguration
Workflows
VisibilitaumltNachvollziehbarkeit
Top IT NAC Business Drivers
Authentication and Authorization
NAC Services Deployment
Architecture and Coverage
bull Provide secure wired
and wireless access
bull Enhance mobile and
cloud app access
bull Use of certificates
Deployment Services
bull Offer differentiated
access (IT-owned
BYOD IoT)
bull Deliver managed
and reliable guest
access
bull Provide consistent
privileges regardless
of location
bull Leverage 3rd-party
security solutions
bull IT-controlled access
bull Automate workflows
bull Simplicity
bull Possible User-
intervention
ClearPass Policy Manager and NAC Solution
Onboard Guest
Built-inbull Policy Enginebull RADIUSCoATACACSbull Profilingbull Accountingreportsbull Identity store
Expandable Applications
Remote Location
bull BYOD onboardingbull Simple guest accessbull Health assessments
OnGuard
Whatrsquos Inside
VISIBILITY
Device Profiling
Troubleshooting
Per Session Tracking
WORKFLOW
Onboarding and
Self-Registration
Guest Management
MDMEMM Integration
RULES
Context based
Device
Posture Checks
Built-in Certificate
Authority
Authentication based on Device Context
Device
Profiling
bull Samsung SM-G900
bull Android
bull ldquoJons-Galaxyrdquo
EMMMDMOnGuard
bull Personal owned
bull Registered
bull OS up-to-date
bull Hansen Jon [Sales]
bull MDM enabled = true
bull In-compliance = true
Identity
Stores
Network Devices
bull Hansen Jon [Sales]
bull Title ndash COO
bull Dept ndash Executive office
bull City ndash London
bull Location ndash Bldg 10
bull Floor ndash 3
bull Bandwidth ndash 10Mbps
Value of a Policy EngineRemove SSID Overload
NEW WAY Simplify separate traffic dynamically
by context
OLD WAY Separate access amp
traffic by SSIDs
ClearPass ExchangeEnd-to-End Control Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voiceSMSservice in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST APISQL
XMLHTTP LDAP
RADIUSTACACS
Traffic control ampthreat prevention
ClearPass Exchange ExampleExtensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
Devices profiled2 ClearPass checks McAfee ePO for endpoint status
3
ClearPass enforcesaccess privileges4
Devices establish connections1

ClearPass Exchange Example – Bi-directional Exchange: Firewall/IPS Event
Partners: firewall, IPS, SIEM, etc.
1. User connects and uploads a threat
2. Firewall/IPS detects and blocks the event
3. Event is sent to ClearPass
4. ClearPass isolates the user
5. ClearPass informs the infrastructure
6. Notifies the user, opens a service ticket, notifies third-party devices

ClearPass Profiler Engine
• ClearPass collects as much information as possible to determine a device type
• Category, Family, Product Name
• The fingerprint database is updated regularly
• Create your own fingerprints
• Store credentials for SNMP, SSH, etc.
• Profiling on authentication or on demand
• Detection of IoT devices
Collection methods: DHCP, SNMP, SSH, TCP/WMI, CDP/LLDP, OnGuard, NMAP, MAC OUI, HTTP

ClearPass Profiler Engine – Profiling on Authentication, Discover IoT
Before: device unknown → send to quarantine, profile
After: Lighting Sensor, Temperature Sensor → assign new policy
Discover IoT, assign the appropriate policy

ClearPass Profiler Engine – Custom Fingerprint Rules
NEW WAY: create your own fingerprints
OLD WAY: wait for new fingerprints to be made and/or manually override devices
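The three profiler slides above describe collecting attributes from several sources, matching them against a fingerprint database into Category / Family / Product Name, parking unknown devices in quarantine, and adding custom fingerprints instead of waiting for a database update. The following added example (written for this page, not ClearPass code) walks a constructed lighting sensor through that before/after flow; the OUIs, fingerprints and observed values are all constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Classification = Tuple[str, str, str]          # (Category, Family, Product Name)
UNKNOWN: Classification = ("Unknown", "Unknown", "Unknown")

# Constructed OUI table: first three octets of the MAC -> vendor. Not real OUIs.
OUI_VENDOR = {"aa:bb:cc": "ExampleSensorCo", "dd:ee:ff": "ExamplePhoneCo"}


@dataclass
class Fingerprint:
    name: str
    classification: Classification
    match: Dict[str, str]        # collected attribute -> regex; every entry must match
    custom: bool = False         # custom fingerprints take precedence over built-in ones


# Illustrative built-in fingerprints; a real database is vendor-maintained and far larger.
BUILTIN: List[Fingerprint] = [
    Fingerprint("android-phone", ("SmartDevice", "Android", "Android Phone"),
                {"dhcp_vendor_class": r"^android-dhcp", "http_user_agent": r"Android"}),
    Fingerprint("windows-pc", ("Computer", "Windows", "Windows PC"),
                {"dhcp_vendor_class": r"^MSFT 5\.0$", "dhcp_param_list": r"^1,3,6,15,"}),
]


def collect(mac: str, **observed: str) -> Dict[str, str]:
    """Merge attributes gathered by the collection methods (DHCP, HTTP, SNMP, MAC OUI, ...)."""
    attrs = {key: value for key, value in observed.items() if value}
    attrs["mac_vendor"] = OUI_VENDOR.get(mac.lower()[:8], "")
    return attrs


@dataclass
class Profiler:
    fingerprints: List[Fingerprint] = field(default_factory=lambda: list(BUILTIN))

    def add_custom(self, fp: Fingerprint) -> None:
        """Register a site-specific fingerprint; it is tried before the built-in set."""
        fp.custom = True
        self.fingerprints.insert(0, fp)

    def classify(self, attrs: Dict[str, str]) -> Tuple[Classification, Optional[str]]:
        """First fingerprint whose patterns all match wins; nothing matching stays Unknown."""
        for fp in self.fingerprints:
            if all(re.search(pat, attrs.get(key, "")) for key, pat in fp.match.items()):
                return fp.classification, fp.name
        return UNKNOWN, None


def assign_policy(classification: Classification) -> str:
    """Map the profiling result to an access policy (policy names constructed)."""
    category = classification[0]
    if category == "Unknown":
        return "quarantine-and-profile"    # park the device until profiling yields a match
    if category == "IoT":
        return "iot-restricted"
    return "standard-access"


if __name__ == "__main__":
    profiler = Profiler()
    # Constructed observations from a lighting sensor that only speaks DHCP.
    sensor = collect("AA:BB:CC:12:34:56", dhcp_vendor_class="LightCtl/1.0",
                     dhcp_param_list="1,3,6")
    before, _ = profiler.classify(sensor)
    print(before, assign_policy(before))          # Unknown -> quarantine-and-profile
    # The "new way": create a custom fingerprint instead of waiting for a database update.
    profiler.add_custom(Fingerprint(
        "lighting-sensor", ("IoT", "Building Automation", "Lighting Sensor"),
        {"mac_vendor": r"^ExampleSensorCo$", "dhcp_vendor_class": r"^LightCtl"}))
    after, rule = profiler.classify(sensor)
    print(after, rule, assign_policy(after))      # IoT / Building Automation -> iot-restricted
```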

ClearPass Universal Profiler – Standalone Profiling Engine
• Standalone profiling engine
• Wired and wireless networks
• Easily distributed for coverage and scalability
• New device visibility dashboard
• Reports
• Gain visibility of your network
• GA February 2017
ClearPass Universal Profiler
DEMO: Profiling

ClearPass Modules / Workflows – OnGuard Client Health Check
• Automated health check before access
• Wired/Wireless: ensures posture compliance for laptops/computers
• Security: forces use of anti-virus/anti-spyware, firewalls, disk encryption, ...
• Remediation: manual or automatic
• Visibility: identifies poor behavior
• User notification: tells the user about failed checks
• Type: service or dissolvable web checker
DEMO: OnGuard

ClearPass Modules / Workflows – Secure Guest Login
• Flexible guest logins for any visitor
• Customizable splash pages
• Self-service workflows
• SMS authentication
• Sponsoring
• Social login
• Vouchers
• Predefined user/password
• MAC caching for repeat visitors
• Suitable for mobile devices
ClearPass Modules / Workflows – Secure Guest Login: Look and Feel

ClearPass Modules / Workflows – OnBoard Employee Device
• BYOD: employees log in with personal devices
• User and IT friendly: one-time user registration, no IT intervention
• Security: IT-managed 802.1X and certificates
• Context: data added to the profile for adaptive policy and troubleshooting
• Self-managed: users can manage, delete and block their own devices

ClearPass Modules / Workflows – Certificate Distribution for BYOD
Enterprise PKI and CA (AD / RA / VA / CA): Active Directory, Registration Authority, Validation Authority, Certificate Authority
→ IT-managed devices receive: domain, key & certificate
Built-in ClearPass CA: Certificate Authority (CA)
→ Personal devices receive: domain, user, device, key & unique certificate

ClearPass Modules / Workflows – Multi-Factor Authentication
• Additional authentication for Guest and Onboard workflows
• Multiple options supported:
  • SMS verification code
  • RSA Security
  • Duo
  • Zoom Facial Network
  • Kasada
  • More to come
DEMO: OnBoard BYOD

Possible access concept – wireless
SSIDs: guests – SSID "open" with captive portal; BYOD – SSID "secure" with dot1x; SSID "IoT" with PSK / MAC authentication / profiling
Target networks: Internet only, Corp LAN, Internet
Device classes: Corp-PC, others

Possible access concept – wired
Authentication: guests – captive portal; dot1x; MAC auth; profiling
Target networks: Internet only, Corp LAN, Internet
Device classes: Corp-PC (certificate), others

How to approach a NAC project – best practice and experience
• Know the devices in your network
  • What is there? Where are they? What is new?
  • Inventory, profiling
• Define use cases
  • Which stakeholder groups are there?
  • Procedures, processes, access
  • Simple and few: keep it simple
• Plan enough time for a proof of concept
  • Incorporate the experience from the PoC and adjust
• Implement step by step
  • Not everything at once
  • But in the end comprehensive

Thank you for your attention
Manuel Bitzi, Project Manager Network Engineering
manuel.bitzi@softec.ch
Apéro and networking
Thank you for your visit
SOFTEC AG, Industriestrasse 51, CH-6312 Steinhausen
kurt.christen@softec.ch, +41 41 747 07 60

ISB NDB
Melde- und Analysestelle Informationssicherung MELANI
Extortion
http://www.trustedwatch.de
Ransomware «Locky» (1/2)
Ransomware «Locky» (2/2)
Ransomware: recommendations
• Regular data backups
• Disconnect the backup medium from the PC / network after the backup
• Spot-check the quality of the backups
• Never pay the ransom
• Report to MELANI / KOBIK; if appropriate, file a criminal complaint against persons unknown with the cantonal police (KaPo)
Max Klaus, Deputy Head, Melde- und Analysestelle Informationssicherung MELANI
Schwarztorstrasse 59, 3003 Bern
Thank you for your attention

Mobile-First: Aruba's Secure Network Architecture for the GenMobile (Jörg Hofmann, HPE Aruba)
MOBILE-FIRST
Secure network architecture for the GenMobile
People move, networks must follow
WHO ARE WE
Source: Gartner Magic Quadrant for the Wired and Wireless LAN Access Infrastructure, September 2015, Tim Zimmerman, Bill Menezes, Andrew Lerner, ID Number G00277052. This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from HP. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
"Clients globally should consider Aruba for all wired and wireless access layer opportunities" – Gartner MQ for Wired and Wireless LAN Access Infrastructure, August 2016
Founded 2002, IPO 2007
HPE's IT Edge portfolio since June 2015
$2.4B+ annual revenue run rate
"Biggest Small Company"
High-touch business model
"Customer First, Customer Last"
Home of 45K+ Mobility Engineers
Airheads Community

ENABLING GREAT DIGITAL EXPERIENCES FOR GENMOBILE
70% SAY A MOBILE DEVICE MAKES THEM MORE PRODUCTIVE AT WORK
• By 2018, 60% of users in mature markets will own and use more than 3 personal devices
• 50% of enterprises will allow employees to supply their own devices by 2017
Sources: Forrester – CIOs Must Empower the Digital Workplace; Forrester – The State of Enterprise Worker Mobility; Gartner – The Role of the Desktop in Our Multi-Device World
BY 2020, 50% OF THE GLOBAL WORKFORCE WILL BE MILLENNIALS
• Millennials believe their personal technology is more effective at work
• 63% of millennials work for a company that offers a flexible work environment
Sources: Trends 2016 – Code Conference, Mary Meeker Annual Presentation; Gartner – Millennial Digital Workers Really Are Different From Their Elders
LESS THAN 50% OF EMPLOYEES ARE SATISFIED WITH THE TECH THEY HAVE AT WORK
• Employees want an environment where they can access and use the technology they need to do their best work
• Enterprises need to think about how untethered employees can move easily and seamlessly from personal workspace to huddle area to open areas
Sources: Trends 2016 – Code Conference, Mary Meeker Annual Presentation; Gartner – Millennial Digital Workers Really Are Different From Their Elders
80%+ NEW IOT PROJECTS TO BE DEPLOYED WITH WIRELESS NETWORK ARCHITECTURE
• Installed base of IoT endpoints will grow from 12.1B in '15 to 30B+ in '20
• WLAN will become the IoT connectivity method of choice for many organizations, and choosing the wrong wireless tech can hinder the value of IoT
Sources: IDC – Planscape: Optimizing the WLAN for IoT; IDC – Worldwide Internet of Things Forecast Update, 2016-2020

THE PERFECT STORM: MOBILE, IoT and CLOUD
"OLD STYLE" IT INFRASTRUCTURE – Gen Y
"NEW STYLE" IT INFRASTRUCTURE – GenMobile
OUR APPROACH
Legacy: separate architectures, port/VLAN aware, proprietary systems
Mobile First: single set of infrastructure, insightful and context-rich, developer ready
REQUIREMENTS FOR IT ORGANIZATIONS
• Scale network ops across wireless and wired infrastructure
• Enable high quality experience on mobile UC
• Stay compliant while embracing BYOD and IoT
• Deliver apps to remote locations in a heartbeat
• Improve workplace productivity and influence revenue growth
EASY TO CONSUME, DEVELOPER READY INFRASTRUCTURE
INNOVATION AT THE SPEED OF THE ECOSYSTEM – NOT A SINGLE VENDOR
Aruba infrastructure: Wi-Fi, BLE, Wired, WAN
Aruba Mobile First Platform: micro-location services, cloud networking, location analytics, policy management, network management, network controls
IT services
Business and user facing applications

EMPLOYEE EXPERIENCE
09:00 Enroll mobile device
11:00 Privileged access with multi-factor authentication
13:00 Book meeting room
OPERATIONAL EXPERIENCE
09:30 Understand app usage (Aruba AppRF)
15:30 Monitor health of the smart building
IT EXPERIENCE
11:00 Predict, don't just troubleshoot (Aruba Clarity)
13:30 Understand, don't just monitor
ONCE BYOD AND IoT ARE ON YOUR NETWORK ... SECURING THE PERIMETER IS NO LONGER ENOUGH

STAY COMPLIANT WHILE EMBRACING BYOD AND IOT
• Auto-classify unknown devices on any network with Aruba ClearPass
• Automate onboarding of each device to the network and enforce policy
• Detect & eliminate threats with ClearPass Exchange partners
SOFTWARE CONTROLS FOR NETWORK ACCESS SECURITY
Endpoints: Internet of Things (IoT), BYOD and corporate owned
Aruba ClearPass with Exchange Ecosystem (REST API): security monitoring and threat prevention; device management and multi-factor authentication; helpdesk and voice/SMS service in the cloud
Infrastructure: multi-vendor switching, multi-vendor WLANs
SOFTWARE CONTROLS FOR "COLORLESS" PORTS
• Device and user identity stores
• Ports assigned to new VLANs through ClearPass based on device type
• IoT devices on the wired network connecting to any port
• Prevention against malware and insider threats
• Secure per-device tunneling to Aruba Mobility Controller
• Aruba switches
LEADING SWISS BRANDS TRUST US
Break

Aruba ClearPass – The Solution for Secure Network Access (Manuel Bitzi, SOFTEC AG)
Evolution of Access Management and Control
YESTERDAY – desktops & wired:
• Basic AAA with user/port control
• Windows vulnerabilities
• Perimeter security via platform silos
• High-touch IT model
TODAY – mobile devices, BYOD & wireless:
• Multi-factor policy control with visibility
• Multiple attack vectors
• Cooperative trust via context sharing
• Self-service, automated process
Time For A New Mobility Defense Model
Static Perimeter Defense: IDS/IPS, firewalls, anti-virus, web gateways, physical components, perimeter defense
Adaptive Trust Defense: security and policy for each user or group
What are the main reasons for a NAC?
• Authentication / access protection
• Automatic configuration
• Workflows
• Visibility / traceability
Top IT NAC Business Drivers
Authentication and Authorization:
• Provide secure wired and wireless access
• Enhance mobile and cloud app access
• Use of certificates
NAC Services Deployment (Deployment Services):
• Offer differentiated access (IT-owned, BYOD, IoT)
• Deliver managed and reliable guest access
• Provide consistent privileges regardless of location
Architecture and Coverage:
• Leverage 3rd-party security solutions
• IT-controlled access
• Automate workflows
• Simplicity
• Possible user intervention
Aruba ClearPass ndash Die Loumlsung fuumlr einen sicheren NetzwerkzugangManuel Bitzi SOFTEC AG
Evolution of Access Management and Control
Desktops amp Wired
Basic AAA with UserPort
Control
Windows Vulnerabilities
Perimeter security via
platform silos
High touch IT model
Mobile Devices BYOD amp
Wireless
Multi-factor policy control with
visibility
Multiple Attack Vectors
Cooperative trust via
context sharing
Self Service automated
process
YESTERDAY TODAY
Time For A New Mobility Defense Model
Static Perimeter Defense
IDSIPS
Firewalls
Adaptive Trust Defense
Perimeter
Defense
Physical
Components
AntiVirus
Security and Policy
for each user or
group
Web
gateways
Was sind die Hauptgruumlnde fuumlr ein NAC
AuthentifizierungZugriffsschutz
Automatische Konfiguration
Workflows
VisibilitaumltNachvollziehbarkeit
Top IT NAC Business Drivers
Authentication and Authorization
NAC Services Deployment
Architecture and Coverage
bull Provide secure wired
and wireless access
bull Enhance mobile and
cloud app access
bull Use of certificates
Deployment Services
bull Offer differentiated
access (IT-owned
BYOD IoT)
bull Deliver managed
and reliable guest
access
bull Provide consistent
privileges regardless
of location
bull Leverage 3rd-party
security solutions
bull IT-controlled access
bull Automate workflows
bull Simplicity
bull Possible User-
intervention
ClearPass Policy Manager and NAC Solution
Onboard Guest
Built-inbull Policy Enginebull RADIUSCoATACACSbull Profilingbull Accountingreportsbull Identity store
Expandable Applications
Remote Location
bull BYOD onboardingbull Simple guest accessbull Health assessments
OnGuard
Whatrsquos Inside
VISIBILITY
Device Profiling
Troubleshooting
Per Session Tracking
WORKFLOW
Onboarding and
Self-Registration
Guest Management
MDMEMM Integration
RULES
Context based
Device
Posture Checks
Built-in Certificate
Authority
Authentication based on Device Context
Device
Profiling
bull Samsung SM-G900
bull Android
bull ldquoJons-Galaxyrdquo
EMMMDMOnGuard
bull Personal owned
bull Registered
bull OS up-to-date
bull Hansen Jon [Sales]
bull MDM enabled = true
bull In-compliance = true
Identity
Stores
Network Devices
bull Hansen Jon [Sales]
bull Title ndash COO
bull Dept ndash Executive office
bull City ndash London
bull Location ndash Bldg 10
bull Floor ndash 3
bull Bandwidth ndash 10Mbps
Value of a Policy EngineRemove SSID Overload
NEW WAY Simplify separate traffic dynamically
by context
OLD WAY Separate access amp
traffic by SSIDs
ClearPass ExchangeEnd-to-End Control Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voiceSMSservice in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST APISQL
XMLHTTP LDAP
RADIUSTACACS
Traffic control ampthreat prevention
ClearPass Exchange ExampleExtensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
Devices profiled2 ClearPass checks McAfee ePO for endpoint status
3
ClearPass enforcesaccess privileges4
Devices establish connections1
ClearPass Exchange ExampleBi-directional Exchange ndash FirewallIPS Event
FirewallIPSSIEMetchellip
user connects and uploads threat
sends event to ClearPass
informs infrastructure
1 2
4
detects and blocks event
3isolates user5
notifies user opens service ticket notify third-party devices6
ClearPass Profiler Engine
bull ClearPass sammelt so viele Informationen wie moumlglich um einen Geraumltetyp zu bestimmen
bull Category Family Product Name
bull Fingerprint-Datenbank wird regelmaumlssig aktualisiert
bull Eigene Fingerprints erstellen
bull Credentials fuumlr SMNP SSH etc hinterlegen
bull Profiling bei Authentifizierung oder nach Bedarf
bull Erkennen von IoT Devices
DHCP
SNMP
SSH
TCPWMI
CDP LLDP
OnGuard
NMAP
Mac OUI
HTTP
ClearPass Profiler EngineProfiling on authentication discover IoT
AfterBefore
Lighting Sensorunknown
unknown Temperature Sensor
send to
quarantineprofiling assign
new policy
discover IoT assign appropriated policy
ClearPass Profiler EngineCustom Fingerprints Rules
NEW WAY Create your own
Fingerprints
OLD WAY Wait for new Fingerprints to be made andor manually override
devices 11
ClearPass Universal ProfilerStandalone Profiling Engine
bull Standalone profiling engine
bull Wired and wireless networks
bull Easily distributed for coverage
and scalability
bull New device visibility dashboard
bull Reports
bull Gain Visibility of your Network
bull GA February 2017
ClearPass Universal Profiler
DEMO Profiling
Clearpass Modules WorkflowsOnGuard Client Health Check
bull Automated Healthcheck before Access
bull WiredWireless Ensures posture compliance for laptopscomputers
bull Security Forces use of Anti-VirusAnti-Spyware firewalls disk encryptionhellip
bull Remediation Manual or auto
bull Visibility Identifies poor behavior
bull User Notification Tells User about failed checks
bull Type Service or dissolvable Web Checker
DEMO OnGuard
Clearpass Modules WorkflowsSecure Guest Login
bull Flexible Guest Logins for Any Visitor
bull Customizable Splash Pages
bull Self-Service Workflows
bull SMS Authentication
bull Sponsoring
bull Social Login
bull Vouchers
bull Predefined UserPassword
bull MAC Caching for repeat visitors
bull Suitable for Mobile Devices
Clearpass Modules WorkflowsSecure Guest Login Look and Feel
Clearpass Modules WorkflowsOnBoard Employee Device
bull BYOD Employees Login with Personal Devices
bull User and IT friendly One time user registration no IT intervention
bull Security IT managed 8021X and Certificates
bull Context Data added to profile for adaptive policy and troubleshooting
bull Selfmanaged User can manage delete and block devices by their own
Clearpass Modules WorkflowsCertificate Distribution for BYOD
bull Domain
bull Key amp
Certificate
Enterprise PKI and CA Built-in ClearPass CA
Certificate
Authority
Validation
Authority
Registration
Authority
Active
Directory
IT-Managed
Devices
bull Domain
bull User
bull Device
bull Key amp Unique
Certificate
Personal
Devices
CA
Certificate
Authority
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Thank you for your attention
Manuel Bitzi, Project Manager Network Engineering
manuelbitzi@softec.ch
Apéro and networking
Thank you for your visit
SOFTEC AG, Industriestrasse 51, CH-6312 Steinhausen
kurtchristen@softec.ch, +41 41 747 07 60
ISB / NDB
Reporting and Analysis Centre for Information Assurance MELANI
Encryption trojan «Locky» (2/2)
Encryption trojans: recommendations
• Back up data regularly
• Disconnect the backup media from the PC / network after the backup
• Check the quality of the backups from time to time
• Never pay the ransom
• Report to MELANI / KOBIK; if appropriate, file a criminal complaint against unknown persons with the cantonal police (KaPo)
Max Klaus, Deputy Head, Reporting and Analysis Centre for Information Assurance MELANI
Schwarztorstrasse 59
3003 Bern
Thank you for your attention
Mobile-First: Aruba's secure network architecture for the GenMobile (Jörg Hofmann, HPE Aruba)
MOBILE-FIRST: secure network architecture for the GenMobile
People move. Networks must follow.
WHO ARE WE
Source: Gartner, Magic Quadrant for the Wired and Wireless LAN Access Infrastructure, September 2015, Tim Zimmerman, Bill Menezes, Andrew Lerner, ID Number G00277052. This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from HP. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
"Clients globally should consider Aruba for all wired and wireless access layer opportunities" (Gartner MQ for Wired and Wireless LAN Access Infrastructure, August 2016)
• Founded 2002, IPO 2007
• HPE's IT Edge portfolio since June 2015
• $2.4B+ annual revenue run rate
• "Biggest Small Company"
• High-touch business model
• "Customer First, Customer Last"
• Home of 45K+ Mobility Engineers: Airheads Community
ENABLING GREAT DIGITAL EXPERIENCES FOR GENMOBILE
70% SAY A MOBILE DEVICE MAKES THEM MORE PRODUCTIVE AT WORK
• By 2018, 60% of users in mature markets will own and use more than 3 personal devices
• 50% of enterprises will allow employees to supply their own devices by 2017
Sources: Forrester, CIOs Must Empower the Digital Workplace; Forrester, The State of Enterprise Worker Mobility; Gartner, The Role of the Desktop in Our Multi-Device World
BY 2020, 50% OF THE GLOBAL WORKFORCE WILL BE MILLENNIALS
• Millennials believe their personal technology is more effective at work
• 63% of millennials work for a company that offers a flexible work environment
Sources: Trends 2016, Code Conference, Mary Meeker Annual Presentation; Gartner, Millennial Digital Workers Really Are Different From Their Elders
LESS THAN 50% OF EMPLOYEES ARE SATISFIED WITH THE TECH THEY HAVE AT WORK
• Employees want an environment where they can access and use the technology they need to do their best work
• Enterprises need to think about how untethered employees can move easily and seamlessly from personal workspace to huddle area to open areas
Sources: Trends 2016, Code Conference, Mary Meeker Annual Presentation; Gartner, Millennial Digital Workers Really Are Different From Their Elders
80+ NEW IOT PROJECTS TO BE DEPLOYED WITH WIRELESS NETWORK ARCHITECTURE
• Installed base of IoT endpoints will grow from 12.1B in '15 to 30B+ in '20
• WLAN will become the IoT connectivity method of choice for many organizations, and choosing the wrong wireless tech can hinder the value of IoT
Sources: IDC, Planscape: Optimizing the WLAN for IoT; IDC, Worldwide Internet of Things Forecast Update 2016-2020
THE PERFECT STORM: MOBILE, IoT and CLOUD
"OLD STYLE" IT INFRASTRUCTURE: Gen Y
"NEW STYLE" IT INFRASTRUCTURE: GenMobile
OUR APPROACH
Legacy: separate architectures; port / VLAN aware; proprietary systems
Mobile First: single set of infrastructure; insightful, context-rich; developer ready
REQUIREMENTS FOR IT ORGANIZATIONS
• Scale network ops across wireless and wired infrastructure
• Enable high-quality experience on mobile UC
• Stay compliant while embracing BYOD and IoT
• Deliver apps to remote locations in a heartbeat
• Improve workplace productivity and influence revenue growth
EASY TO CONSUME, DEVELOPER READY INFRASTRUCTURE
INNOVATION AT THE SPEED OF THE ECOSYSTEM, NOT A SINGLE VENDOR
Aruba infrastructure: Wi-Fi, BLE, Wired, WAN
Aruba Mobile First Platform: micro-location services, cloud networking, location analytics, policy management, network management, network controls
IT services
Business and user facing applications
EMPLOYEE EXPERIENCE
• 09:00 Enroll mobile device
• 11:00 Privileged access with multi-factor authentication
• 13:00 Book meeting room
OPERATIONAL EXPERIENCE
• 09:30 Understand app usage (Aruba AppRF)
• 15:30 Monitor health of the smart building
IT EXPERIENCE
• 11:00 Predict, don't just troubleshoot (Aruba Clarity)
• 13:30 Understand, don't just monitor
ONCE BYOD AND IoT ARE ON YOUR NETWORK ... SECURING THE PERIMETER IS NO LONGER ENOUGH
STAY COMPLIANT WHILE EMBRACING BYOD AND IOT
• Auto-classify unknown devices on any network with Aruba ClearPass
• Automate onboarding of each device to the network and enforce policy
• Detect & eliminate threats with ClearPass Exchange partners
SOFTWARE CONTROLS FOR NETWORK ACCESS SECURITY (diagram)
Aruba ClearPass with Exchange Ecosystem, connected via REST API to: security monitoring and threat prevention; device management and multi-factor authentication; helpdesk and voice / SMS service in the cloud
Endpoints: Internet of Things (IoT); BYOD and corporate owned
Infrastructure: multi-vendor switching; multi-vendor WLANs
SOFTWARE CONTROLS FOR "COLORLESS" PORTS (diagram)
• Device and user identity stores
• Ports assigned to new VLANs through ClearPass based on device type
• IoT devices on the wired network connecting to any port
• Prevention against malware and insider threats
• Secure per-device tunneling to the Aruba Mobility Controller
• Aruba switches
LEADING SWISS BRANDS TRUST US
Pause
Aruba ClearPass: the solution for secure network access (Manuel Bitzi, SOFTEC AG)
Evolution of Access Management and Control
YESTERDAY: desktops & wired
• Basic AAA with user / port control
• Windows vulnerabilities
• Perimeter security via platform silos
• High-touch IT model
TODAY: mobile devices, BYOD & wireless
• Multi-factor policy control with visibility
• Multiple attack vectors
• Cooperative trust via context sharing
• Self-service, automated process
Time for a new mobility defense model
Static perimeter defense: IDS / IPS, firewalls, perimeter defense, physical components, anti-virus, web gateways
Adaptive trust defense: security and policy for each user or group
What are the main reasons for a NAC?
• Authentication / access protection
• Automatic configuration
• Workflows
• Visibility / traceability
Top IT NAC business drivers
Authentication and authorization:
• Provide secure wired and wireless access
• Enhance mobile and cloud app access
• Use of certificates
NAC services / deployment services:
• Offer differentiated access (IT-owned, BYOD, IoT)
• Deliver managed and reliable guest access
• Provide consistent privileges regardless of location
• Leverage 3rd-party security solutions
Architecture and coverage:
• IT-controlled access
• Automate workflows
• Simplicity
• Possible user intervention
ClearPass Policy Manager and NAC solution
Built-in:
• Policy engine
• RADIUS / CoA / TACACS
• Profiling
• Accounting / reports
• Identity store
Expandable applications (Onboard, Guest, OnGuard; remote location):
• BYOD onboarding
• Simple guest access
• Health assessments
What's inside
VISIBILITY: device profiling, troubleshooting, per-session tracking
WORKFLOW: onboarding and self-registration, guest management, MDM / EMM integration
RULES: context based, device posture checks, built-in certificate authority
Authentication based on device context
Device profiling:
• Samsung SM-G900
• Android
• "Jons-Galaxy"
EMM / MDM / OnGuard:
• Personally owned
• Registered
• OS up-to-date
• Hansen, Jon [Sales]
• MDM enabled = true
• In-compliance = true
Identity stores / network devices:
• Hansen, Jon [Sales]
• Title: COO
• Dept: Executive office
• City: London
• Location: Bldg 10
• Floor: 3
• Bandwidth: 10 Mbps
Value of a policy engine: remove SSID overload
OLD WAY: separate access & traffic by SSIDs
NEW WAY: simplify; separate traffic dynamically by context
ClearPass Exchange: end-to-end control, information and visibility
• Multi-vendor infrastructure
• Device management and multi-factor authentication
• Helpdesk and voice / SMS service in the cloud
• Combine identity information
• Traffic control & threat prevention
Standard protocols for custom extensions: REST API, SQL, XML / HTTP, LDAP, RADIUS / TACACS
ClearPass Exchange example: extensions for Intel Security - McAfee ePO
Endpoints: corporate owned and IoT; BYOD and corporate owned. Infrastructure: multi-vendor switching, multi-vendor WLAN.
1. Devices establish connections
2. Devices are profiled
3. ClearPass checks McAfee ePO for endpoint status
4. ClearPass enforces access privileges
ClearPass Exchange example: bi-directional exchange, firewall / IPS event
Partner system: firewall / IPS / SIEM etc.
1. User connects and uploads a threat
2. Firewall / IPS detects and blocks the event
3. Firewall / IPS sends the event to ClearPass
4. ClearPass isolates the user
5. ClearPass informs the infrastructure
6. ClearPass notifies the user, opens a service ticket and notifies third-party devices
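The exchange on the slide above, as an added example that is not part of the original presentation or of ClearPass itself: a constructed IPS syslog line is parsed, mapped to the active session by its source address, and turned into an RFC 5176 CoA-Request that moves that session into a quarantine role (steps 3 and 4). The log format, session table, role name, shared secret and the use of Filter-Id to carry the role are assumptions.

```python
"""Firewall / IPS event -> NAC quarantine via RADIUS Change-of-Authorization.

Added example for the bi-directional exchange slide above; illustrative code,
not ClearPass code. The syslog format, session table, role name and shared
secret are constructed. The packet layout follows RFC 5176 (CoA-Request) and
RFC 2865 (attribute encoding).
"""
import hashlib
import re
import socket
import struct
from typing import Dict, Optional

COA_REQUEST = 43              # RFC 5176 packet code
ATTR_USER_NAME = 1            # RFC 2865 attribute types
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_FILTER_ID = 11
ATTR_CALLING_STATION_ID = 31
QUARANTINE_ROLE = "quarantine"   # constructed role name

# Constructed active-session table keyed by client IP, the kind of data RADIUS
# accounting provides. Without a reliable IP -> session mapping a CoA would hit
# the wrong device, so the lookup below refuses to guess.
SESSIONS: Dict[str, Dict[str, str]] = {
    "10.20.30.40": {"user": "jhansen", "mac": "AA-BB-CC-00-11-22", "nas": "10.0.0.5"},
}

# Constructed IPS syslog format: key=value pairs with a quoted threat name.
EVENT_RE = re.compile(
    r'action=(?P<action>\w+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+threat="(?P<threat>[^"]+)"'
)

# Constructed sample event (slide steps 1-2: user uploads a threat, IPS blocks it).
SAMPLE_EVENT = ('<134>Mar 17 10:42:11 ips01 action=block src=10.20.30.40 '
                'dst=203.0.113.9 threat="Malware.Upload.Test"')


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Step 3: the firewall / IPS reports the blocked event to the NAC."""
    match = EVENT_RE.search(line)
    return match.groupdict() if match else None


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_coa_request(identifier: int, session: Dict[str, str], client_ip: str,
                      role: str, secret: bytes) -> bytes:
    """Build a CoA-Request that moves one session into `role`.

    User-Name, Calling-Station-Id and Framed-IP-Address identify the session
    on the NAS; Filter-Id carries the new role. Many NAS vendors expect the
    role in a vendor-specific attribute instead; that mapping is an assumption.
    """
    attrs = (_attr(ATTR_USER_NAME, session["user"].encode())
             + _attr(ATTR_CALLING_STATION_ID, session["mac"].encode())
             + _attr(ATTR_FRAMED_IP_ADDRESS, socket.inet_aton(client_ip))
             + _attr(ATTR_FILTER_ID, role.encode()))
    header = struct.pack("!BBH", COA_REQUEST, identifier & 0xFF, 20 + len(attrs))
    # RFC 5176 Request Authenticator:
    # MD5(Code + Identifier + Length + 16 zero octets + attributes + shared secret)
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs


def authenticator_valid(packet: bytes, secret: bytes) -> bool:
    """What the NAS does before acting: recompute and compare the authenticator."""
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    length_ok = struct.unpack("!H", header[2:4])[0] == len(packet)
    return length_ok and received == expected


def handle_event(line: str, secret: bytes, identifier: int = 1) -> Optional[bytes]:
    """Steps 3-4: blocked event -> session lookup -> CoA that isolates the device.

    Returns the packet to send to the session's NAS (UDP port 3799), or None
    when the event was not a block or no active session matches the source IP.
    """
    event = parse_event(line)
    if event is None or event["action"] != "block":
        return None
    session = SESSIONS.get(event["src"])
    if session is None:
        return None
    return build_coa_request(identifier, session, event["src"], QUARANTINE_ROLE, secret)


if __name__ == "__main__":
    packet = handle_event(SAMPLE_EVENT, b"constructed-shared-secret")
    print(f"CoA-Request for NAS {SESSIONS['10.20.30.40']['nas']}: {packet.hex()}")
```

Steps 5 and 6 of the slide (informing the infrastructure, notifying the user and opening a ticket) would be driven from the same event record once the CoA has been acknowledged.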
ClearPass Profiler Engine
• ClearPass collects as much information as possible to determine the device type
• Category, family, product name
• The fingerprint database is updated regularly
• Create your own fingerprints
• Store credentials for SNMP, SSH etc.
• Profiling at authentication time or on demand
• Detection of IoT devices
Collectors: DHCP, SNMP, SSH, TCP / WMI, CDP / LLDP, OnGuard, NMAP, MAC OUI, HTTP
ClearPass Profiler Engine: profiling on authentication, discover IoT (diagram)
Before: unknown device; send to quarantine and profile
After: lighting sensor, temperature sensor; assign new policy
Discover IoT and assign the appropriate policy
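The context-based authentication, the "remove SSID overload" idea and the profiling-on-authentication flow described above, as one added example (not ClearPass code and not part of the original presentation): a small profiler matches MAC OUI and DHCP option 55 fingerprints, and a first-match policy engine turns device profile, certificate issuer, MDM state and access method into a role and VLAN, so one "secure" SSID serves corporate PCs and BYOD differently and an unknown sensor stays in quarantine until it has been profiled. Fingerprints, OUIs, CA names, roles and VLAN numbers are constructed.

```python
"""Context-based access policy with profiling at authentication time.

Added example for the "Authentication based on device context", "Remove SSID
overload", "ClearPass Profiler Engine" and "Profiling on authentication"
slides above; illustrative code, not ClearPass code. Fingerprints, OUIs, CA
names, roles and VLAN numbers are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed fingerprint table: (MAC OUI, DHCP option 55 parameter request
# list) -> (category, family, product). A real profiler keeps a large,
# regularly updated database; these entries are placeholders.
FINGERPRINTS = {
    ("AA:BB:01", (1, 3, 6, 12, 15, 28)): ("IoT", "Lighting Sensor", "Lux-100"),
    ("AA:BB:02", (1, 3, 6, 12, 15, 42)): ("IoT", "Temperature Sensor", "Temp-7"),
    ("AA:BB:03", (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252)):
        ("Computer", "Windows", "Windows 10"),
}
# OUI-only fallback: category and family, but no product (less certain).
OUI_ONLY = {"AA:BB:01": ("IoT", "Lighting Sensor"), "AA:BB:02": ("IoT", "Temperature Sensor")}

ENTERPRISE_CA = "Example Corp Issuing CA"   # constructed issuer names
ONBOARD_CA = "ClearPass Onboard CA"


@dataclass
class Context:
    """Everything the policy engine knows about one access request."""
    mac: str
    auth_method: str                     # captive-portal, eap-tls, mac-auth, psk
    ssid: Optional[str] = None           # None for a wired port
    cert_issuer: Optional[str] = None    # issuer CN of the client certificate
    user: Optional[str] = None
    mdm_registered: bool = False
    mdm_compliant: bool = False
    dhcp_params: Tuple[int, ...] = ()
    profile: Tuple[str, ...] = ("Unknown",)


@dataclass
class Enforcement:
    role: str
    vlan: int
    reason: str


def profile_device(mac: str, dhcp_params: Tuple[int, ...]) -> Tuple[str, ...]:
    """Most specific match first: OUI + DHCP fingerprint, then OUI alone, else Unknown."""
    oui = mac.upper()[:8]
    exact = FINGERPRINTS.get((oui, tuple(dhcp_params)))
    if exact:
        return exact
    partial = OUI_ONLY.get(oui)
    if partial:
        return partial + ("Unknown product",)
    return ("Unknown",)


def evaluate(ctx: Context) -> Enforcement:
    """First matching rule wins; the final rule denies, so nothing is allowed by accident."""
    where = ctx.ssid or "wired"
    category = ctx.profile[0]
    if ctx.auth_method == "captive-portal":
        return Enforcement("guest", 900, f"{where}: captive portal login, internet only")
    if ctx.auth_method == "eap-tls" and ctx.cert_issuer == ENTERPRISE_CA:
        return Enforcement("corp-pc", 100, f"{where}: domain certificate, corporate LAN")
    if ctx.auth_method == "eap-tls" and ctx.cert_issuer == ONBOARD_CA:
        if ctx.mdm_registered and ctx.mdm_compliant:
            return Enforcement("byod", 200, f"{where}: onboarded personal device, compliant")
        return Enforcement("remediation", 901, f"{where}: onboarded device out of compliance")
    if ctx.auth_method in ("mac-auth", "psk"):
        if category == "Unknown":
            return Enforcement("quarantine", 999, f"{where}: unknown device, profile before granting access")
        if category == "IoT":
            family = ctx.profile[1].lower().replace(" ", "-")
            return Enforcement(f"iot-{family}", 300, f"{where}: profiled IoT device")
    return Enforcement("deny", 0, f"{where}: no rule matched")


def onboard_unknown_iot() -> list:
    """The Before / After slide: a sensor does MAC auth, lands in quarantine, is
    fingerprinted from its DHCP request and re-evaluated (a CoA in practice)."""
    ctx = Context(mac="aa:bb:02:11:22:33", auth_method="mac-auth", ssid="IoT")
    roles = [evaluate(ctx).role]                      # Before: Unknown -> quarantine
    ctx.dhcp_params = (1, 3, 6, 12, 15, 42)           # DHCP request seen by the collector
    ctx.profile = profile_device(ctx.mac, ctx.dhcp_params)
    roles.append(evaluate(ctx).role)                  # After: temperature sensor policy
    return roles
```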
ClearPass Profiler Engine: custom fingerprints / rules
OLD WAY: wait for new fingerprints to be made and/or manually override devices
NEW WAY: create your own fingerprints
ClearPass Universal Profiler: standalone profiling engine
• Standalone profiling engine
• Wired and wireless networks
• Easily distributed for coverage and scalability
• New device visibility dashboard
• Reports
• Gain visibility of your network
• GA February 2017
DEMO: Profiling
ClearPass modules / workflows: OnGuard client health check
• Automated health check before access
• Wired / wireless: ensures posture compliance for laptops / computers
• Security: forces use of anti-virus / anti-spyware, firewalls, disk encryption ...
• Remediation: manual or automatic
• Visibility: identifies poor behavior
• User notification: tells the user about failed checks
• Type: service or dissolvable web checker
DEMO: OnGuard
ClearPass modules / workflows: secure guest login
• Flexible guest logins for any visitor
• Customizable splash pages
• Self-service workflows
• SMS authentication
• Sponsoring
• Social login
• Vouchers
• Predefined user / password
• MAC caching for repeat visitors
• Suitable for mobile devices
ClearPass modules / workflows: secure guest login, look and feel
ClearPass modules / workflows: Onboard employee device
Mobile-First Arubalsquos sichere Netzwerkarchitektur fuumlr die GenMobileJoumlrg Hofmann HPE Aruba
MOBILE-FIRST
Sichere Netzwerkarchitektur
fuumlr die GenMobile
People Move
Networks Must Follow
WHO ARE WE
Source Gartner Magic Quadrant for the Wired and Wireless LAN Access Infrastructure September 2015 Tim Zimmerman Bill Menezes Andrew Lerner ID Number
G00277052 This Magic Quadrant graphic was published by Gartner Inc as part of a larger research note and should be evaluated in the context of the entire report
The Gartner report is available upon request from HP The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period It depicts
Gartners analysis of how certain vendors measure against criteria for that marketplace as defined by Gartner Gartner does not endorse any vendor product or
service depicted in the Magic Quadrant and does not advise technology users to select only those vendors placed in the Leaders quadrant The Magic Quadrant is
intended solely as a research tool and is not meant to be a specific guide to action Gartner disclaims all warranties express or implied with respect to this research
including any warranties of merchantability or fitness for a particular purpose
ldquoClients globally should consider
Aruba for all wired and wireless
access layer opportunitiesrdquo
Gartner MQ for Wired and Wireless LAN
Access Infrastructure August 2016
Founded 2002 IPO 2007
HPErsquos IT Edge portfolio since June 2015
$24B+ annual revenue run rate
ldquoBiggest Small Companyrdquo
High touch business model
ldquoCustomer First Customer Lastrdquo
Home of 45K+ Mobility Engineers
Airheads Community
ENABLING GREAT
DIGITAL EXPERIENCES FOR GENMOBILE
70 SAY A MOBILE DEVICE MAKES THEM MORE
PRODUCTIVE AT WORK
By 2018 60 of users in mature markets will own and use more
than 3 personal devices
50 of enterprises will allow employees to supply their own
devices by 2017
Forrester ndash CIOs Must Empower the Digital Workplace
Forrester ndash The State of Enterprise Worker Mobility
Gartner ndash The Role of the Desktop in Our Multi-Device World
BY 2020 50 OF THE GLOBAL WORKFORCE WILL BE MILLENNIALS
Millennials believe their personal technology is more
effective at work
63 of millennials work for a company that offers a flexible
work environment
Trends 2016 ndash Code Conference Mary Meeker Annual Presentation
Gartner ndash Millennial Digital Workers Really Are Different From Their Elders
LESS THAN 50 OF EMPLOYEES ARE
SATISFIED WITH TECH THEY HAVE AT WORK
Employees want an environment where they can access and use the technology hey need to do
their best work
Enterprises need to think how untethered employees can move
easily and seamlessly from personal workspace to huddle
area to open areas
Trends 2016 ndash Code Conference Mary Meeker Annual Presentation
Gartner ndash Millennial Digital Workers Really Are Different From Their Elders
80+ NEW IOT PROJECTS TO BE DEPLOYED WITH WIRELESS NETWORK ARCHITECTURE
Installed base of IoTendpoints will grow from
121B in lsquo15 to 30B+ in lsquo20
WLAN will become IoTconnectivity method of choice for many organizations and choosing
the wrong wireless tech can hinder the value of IoT
IDC ndash Planscape Optimizing the WLAN for IoT
IDC ndash Worldwide Internet of Things Forecast Update 2016-2020
THE PERFECT STORM
MOBILE IoT and CLOUD
ldquoOLD STYLErdquo IT INFRASTRUCTURE
Gen Y
ldquoNEW STYLErdquo IT INFRASTRUCTURE
GenMobile
OUR APPROACH
LegacySeparate architectures
Port VLAN aware
Proprietary systems
Mobile FirstSingle set of infrastructure
Insightful context-rich
Developer ready
REQUIREMENTS
FOR IT ORGANIZATIONS
Scale network ops
across wireless and
wired infrastructure
Enable high
quality experience
on mobile UC
Stay compliant
while embracing
BYOD and IoT
Deliver apps to
remote locations
in a heartbeat
Improve workplace
productivity and
influence revenue
growth
EASY TO CONSUME DEVELOPER READY INFRASTRUCTURE
INNOVATION AT THE SPEED OF THE ECOSYSTEM ndash NOT A SINGLE VENDOR
Aruba infrastructure
Wi-Fi BLE Wired WAN
Aruba Mobile First Platform
x
Micro-location
services
Cloud
networking
Location
analytics
Policy
management
Network
managementNetwork
controls
IT services
Business and user facing applications
EMPLOYEE EXPERIENCE
09:00 Enroll mobile device
11:00 Privileged access with multi-factor authentication
13:00 Book meeting room
OPERATIONAL EXPERIENCE
09:30 Understand app usage (Aruba AppRF)
15:30 Monitor health of the smart building
IT EXPERIENCE
11:00 Predict, don't just troubleshoot (Aruba Clarity)
13:30 Understand, don't just monitor
ONCE BYOD AND IoT ARE ON YOUR NETWORK … SECURING THE PERIMETER IS NO LONGER ENOUGH
STAY COMPLIANT WHILE EMBRACING BYOD AND IOT
• Auto-classify unknown devices on any network with Aruba ClearPass
• Automate onboarding of each device to the network and enforce policy
• Detect & eliminate threats with ClearPass Exchange partners
SOFTWARE CONTROLS FOR NETWORK ACCESS SECURITY
Aruba ClearPass with Exchange Ecosystem, integrated via REST API:
• Endpoints: Internet of Things (IoT); BYOD and corporate owned
• Partner services: Security monitoring and threat prevention; Device management and multi-factor authentication; Helpdesk and voice/SMS service in the cloud
• Infrastructure: Multi-vendor switching; Multi-vendor WLANs
SOFTWARE CONTROLS FOR “COLORLESS” PORTS
• Device and user identity stores
• Ports assigned to new VLANs through ClearPass based on device type
• IoT devices on the wired network connecting to any port
• Prevention against malware and insider threats
• Secure per device tunneling to Aruba Mobility Controller
• Aruba switches
LEADING SWISS BRANDS TRUST US
Break
Aruba ClearPass – The solution for secure network access (Manuel Bitzi, SOFTEC AG)
Evolution of Access Management and Control
YESTERDAY: Desktops & Wired
• Basic AAA with User/Port Control
• Windows Vulnerabilities
• Perimeter security via platform silos
• High touch IT model
TODAY: Mobile Devices, BYOD & Wireless
• Multi-factor policy control with visibility
• Multiple Attack Vectors
• Cooperative trust via context sharing
• Self Service, automated process
Time For A New Mobility Defense Model
Static Perimeter Defense: IDS/IPS; Firewalls; Perimeter Defense; Physical Components; AntiVirus; Web gateways
Adaptive Trust Defense: Security and Policy for each user or group
What are the main reasons for a NAC?
• Authentication / access protection
• Automatic configuration
• Workflows
• Visibility / traceability
Top IT NAC Business Drivers
Authentication and Authorization
• Provide secure wired and wireless access
• Enhance mobile and cloud app access
• Use of certificates
NAC Services Deployment
• Offer differentiated access (IT-owned, BYOD, IoT)
• Deliver managed and reliable guest access
• Provide consistent privileges regardless of location
• Leverage 3rd-party security solutions
Architecture and Coverage / Deployment Services
• IT-controlled access
• Automate workflows
• Simplicity
• Possible user intervention
ClearPass Policy Manager and NAC Solution
Built-in: • Policy Engine • RADIUS/CoA/TACACS • Profiling • Accounting/reports • Identity store
Expandable Applications: Onboard, Guest, OnGuard, Remote Location
• BYOD onboarding • Simple guest access • Health assessments
What's Inside
VISIBILITY: Device Profiling; Troubleshooting; Per Session Tracking
WORKFLOW: Onboarding and Self-Registration; Guest Management; MDM/EMM Integration
RULES: Context based; Device Posture Checks; Built-in Certificate Authority
Authentication based on Device Context
Device Profiling:
• Samsung SM-G900
• Android
• “Jons-Galaxy”
EMM/MDM/OnGuard:
• Personal owned
• Registered
• OS up-to-date
• Hansen, Jon [Sales]
• MDM enabled = true
• In-compliance = true
Identity Stores / Network Devices:
• Hansen, Jon [Sales]
• Title – COO
• Dept – Executive office
• City – London
• Location – Bldg 10
• Floor – 3
• Bandwidth – 10Mbps
Value of a Policy Engine: Remove SSID Overload
OLD WAY: Separate access & traffic by SSIDs
NEW WAY: Simplify, separate traffic dynamically by context
ClearPass Exchange: End-to-End Control, Information and Visibility
• Multi-Vendor Infrastructure
• Device management and multi-factor authentication
• Helpdesk and voice/SMS service in the cloud
• Combine Identity Information
• Standard Protocols for custom extensions: REST API/SQL, XML/HTTP, LDAP, RADIUS/TACACS
• Traffic control & threat prevention
ClearPass Exchange Example: Extensions for Intel Security – McAfee ePO
Environment: Corporate owned and IoT; BYOD and corporate owned; Multi-vendor switching; Multi-vendor WLAN; McAfee ePO
1. Devices establish connections
2. Devices profiled
3. ClearPass checks McAfee ePO for endpoint status
4. ClearPass enforces access privileges
ClearPass Exchange Example: Bi-directional Exchange – Firewall/IPS Event
Firewall / IPS / SIEM etc. …
1. User connects and uploads threat
2. Detects and blocks event
3. Sends event to ClearPass
4. Isolates user
5. Informs infrastructure
6. Notifies user, opens service ticket, notifies third-party devices
ClearPass Profiler Engine
• ClearPass collects as much information as possible to determine a device type
• Category, Family, Product Name
• The fingerprint database is updated regularly
• Create your own fingerprints
• Store credentials for SNMP, SSH etc.
• Profiling at authentication or on demand
• Detection of IoT devices
Collection sources: DHCP, SNMP, SSH, TCP/WMI, CDP/LLDP, OnGuard, NMAP, MAC OUI, HTTP
ClearPass Profiler Engine: Profiling on authentication, discover IoT
Before: unknown, unknown → send to quarantine, profiling
After: Lighting Sensor, Temperature Sensor → assign new policy
Discover IoT, assign appropriate policy
ClearPass Profiler Engine: Custom Fingerprint Rules
OLD WAY: Wait for new fingerprints to be made and/or manually override devices
NEW WAY: Create your own fingerprints
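The profiling flow of the three profiler slides above, as an added example (hypothetical code, not ClearPass's profiler engine): attributes are collected from MAC OUI, DHCP and HTTP, a fingerprint rule matches when every attribute it names has the given value, unmatched endpoints stay Unknown in quarantine, and a custom fingerprint plus re-profiling moves them to a category and a policy. All OUIs, DHCP option values, fingerprint rules and policy names are constructed sample data, not real vendor fingerprints.

```python
"""Device profiling with built-in and custom fingerprint rules (added illustration)."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Fingerprint:
    category: str
    family: str
    product: str
    match: Dict[str, str]   # attribute name -> exact value required


@dataclass
class Endpoint:
    mac: str
    attrs: Dict[str, str] = field(default_factory=dict)   # grows as collectors report
    category: str = "Unknown"
    family: str = "Unknown"
    product: str = "Unknown"
    policy: str = "quarantine"          # enforcement until the device is profiled


def collect_oui(ep: Endpoint) -> None:
    """Derive the vendor OUI (first three octets) from the MAC address."""
    ep.attrs["oui"] = ep.mac.upper().replace("-", ":")[:8]


def collect_dhcp(ep: Endpoint, option55: str, vendor_class: str = "") -> None:
    """Record the DHCP parameter request list (option 55) and vendor class (option 60)."""
    ep.attrs["dhcp_opt55"] = option55
    if vendor_class:
        ep.attrs["dhcp_vendor"] = vendor_class


def collect_http(ep: Endpoint, user_agent: str) -> None:
    """Reduce the HTTP User-Agent to the OS family the rules key on."""
    ep.attrs["http_ua_family"] = "Android" if "Android" in user_agent else "Other"


# Category -> policy assigned once a device is profiled (constructed names).
POLICY_BY_CATEGORY = {"SmartDevice": "byod-onboard", "Computer": "corp-lan", "IoT": "iot-sensors"}


class Profiler:
    def __init__(self, builtin: List[Fingerprint]):
        self.rules: List[Fingerprint] = list(builtin)

    def add_custom(self, fp: Fingerprint) -> None:
        """Custom fingerprints take precedence over the built-in database."""
        self.rules.insert(0, fp)

    def profile(self, ep: Endpoint) -> bool:
        """Apply the first matching rule; return True if the endpoint got a category."""
        for fp in self.rules:
            if all(ep.attrs.get(k) == v for k, v in fp.match.items()):
                ep.category, ep.family, ep.product = fp.category, fp.family, fp.product
                ep.policy = POLICY_BY_CATEGORY.get(fp.category, "quarantine")
                return True
        ep.category = ep.family = ep.product = "Unknown"
        ep.policy = "quarantine"
        return False

    def reprofile_unknown(self, endpoints: List[Endpoint]) -> List[Endpoint]:
        """Re-run profiling for quarantined endpoints, e.g. after a fingerprint was added."""
        return [ep for ep in endpoints if ep.category == "Unknown" and self.profile(ep)]


# Constructed built-in database: one smartphone rule only, so the sensors start out Unknown.
BUILTIN = [Fingerprint("SmartDevice", "Android", "Samsung SM-G900",
                       {"oui": "00:11:22", "http_ua_family": "Android"})]


def demo() -> List[Endpoint]:
    """Before/after flow from the slide: unknown -> quarantine -> custom fingerprint -> policy."""
    phone = Endpoint("00:11:22:aa:bb:cc")
    light = Endpoint("00:55:66:01:02:03")
    thermo = Endpoint("00:55:66:0a:0b:0c")
    for ep in (phone, light, thermo):
        collect_oui(ep)
    collect_http(phone, "Mozilla/5.0 (Linux; Android 6.0; SM-G900F)")
    collect_dhcp(light, "1,3,6,12", "LightCtl-1")
    collect_dhcp(thermo, "1,3,6,12,42", "TempSense")

    prof = Profiler(BUILTIN)
    for ep in (phone, light, thermo):
        prof.profile(ep)            # phone is profiled; both sensors stay Unknown in quarantine
    # Operator writes custom fingerprints for the two sensors and re-profiles.
    prof.add_custom(Fingerprint("IoT", "Building Sensor", "Lighting Sensor",
                                {"oui": "00:55:66", "dhcp_vendor": "LightCtl-1"}))
    prof.add_custom(Fingerprint("IoT", "Building Sensor", "Temperature Sensor",
                                {"oui": "00:55:66", "dhcp_vendor": "TempSense"}))
    prof.reprofile_unknown([phone, light, thermo])
    return [phone, light, thermo]


if __name__ == "__main__":
    for ep in demo():
        print(f"{ep.mac}  {ep.category:12} {ep.product:20} policy={ep.policy}")
```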
ClearPass Universal Profiler: Standalone Profiling Engine
• Standalone profiling engine
• Wired and wireless networks
• Easily distributed for coverage and scalability
• New device visibility dashboard
• Reports
• Gain visibility of your network
• GA February 2017
ClearPass Universal Profiler
DEMO: Profiling
ClearPass Modules / Workflows: OnGuard Client Health Check
• Automated health check before access
• Wired/Wireless: Ensures posture compliance for laptops/computers
• Security: Forces use of anti-virus/anti-spyware, firewalls, disk encryption …
• Remediation: Manual or auto
• Visibility: Identifies poor behavior
• User Notification: Tells user about failed checks
• Type: Service or dissolvable web checker
DEMO: OnGuard
ClearPass Modules / Workflows: Secure Guest Login
• Flexible guest logins for any visitor
• Customizable splash pages
• Self-service workflows
• SMS authentication
• Sponsoring
• Social login
• Vouchers
• Predefined user/password
• MAC caching for repeat visitors
• Suitable for mobile devices
ClearPass Modules / Workflows: Secure Guest Login Look and Feel
ClearPass Modules / Workflows: OnBoard Employee Device
• BYOD: Employees log in with personal devices
• User and IT friendly: One-time user registration, no IT intervention
• Security: IT-managed 802.1X and certificates
• Context: Data added to profile for adaptive policy and troubleshooting
• Self-managed: Users can manage, delete and block devices on their own
ClearPass Modules / Workflows: Certificate Distribution for BYOD
Enterprise PKI and CA: Certificate Authority, Validation Authority, Registration Authority, Active Directory
→ IT-Managed Devices: • Domain • Key & Certificate
Built-in ClearPass CA: CA (Certificate Authority), AD/RA/VA/CA
→ Personal Devices: • Domain • User • Device • Key & Unique Certificate
ClearPass Modules / Workflows: Multi-Factor Authentication
• Additional authentication for Guest and Onboard workflows
• Multiple providers supported:
  • SMS verification code
  • RSA Security
  • Duo
  • Zoom Facial Network
  • Kasada
  • More to come
DEMO: OnBoard BYOD
Possible access concept: Wireless
Guests: SSID “open”, captive portal
BYOD: SSID “secure”, Dot1x
IoT: SSID “IoT”, PSK / MAC / Profiling
Network zones: Internet only; Corp LAN; Internet
Device classes: Corp-PC; others
Possible access concept: Wired
Guests: captive portal
Dot1x; MAC-Auth; Profiling
Network zones: Internet only; Corp LAN; Internet
Device classes: Corp-PC (Cert); others
How to approach a NAC project: best practice and experience
• Know the devices on the network
  • What is there? Where are they? New ones?
  • Inventory, profiling
• Define use cases
  • Which stakeholder groups are there?
  • Procedures, processes, access
  • Simple and few: keep it simple
• Plan enough time for a proof of concept
  • Incorporate what was learned in the PoC and adapt
• Implement step by step
  • Not everything at once
  • But ultimately across the whole network
Thank you for your attention
Manuel Bitzi, Project Manager Network Engineering
manuel.bitzi@softec.ch
Apéro and Networking
Thank you for your visit
SOFTEC AG, Industriestrasse 51, CH-6312 Steinhausen
kurt.christen@softec.ch, +41 41 747 07 60
Mobile-First: Aruba's secure network architecture for the GenMobile (Jörg Hofmann, HPE Aruba)
MOBILE-FIRST
Secure network architecture for the GenMobile
People Move, Networks Must Follow
WHO ARE WE
Source: Gartner, Magic Quadrant for the Wired and Wireless LAN Access Infrastructure, September 2015, Tim Zimmerman, Bill Menezes, Andrew Lerner, ID Number G00277052. This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from HP. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
“Clients globally should consider Aruba for all wired and wireless access layer opportunities”
Gartner MQ for Wired and Wireless LAN Access Infrastructure, August 2016
Founded 2002, IPO 2007
HPE's IT Edge portfolio since June 2015
$2.4B+ annual revenue run rate
“Biggest Small Company”
High touch business model
“Customer First, Customer Last”
Home of 45K+ Mobility Engineers: Airheads Community
ENABLING GREAT DIGITAL EXPERIENCES FOR GENMOBILE
70% SAY A MOBILE DEVICE MAKES THEM MORE PRODUCTIVE AT WORK
By 2018, 60% of users in mature markets will own and use more than 3 personal devices.
50% of enterprises will allow employees to supply their own devices by 2017.
Forrester – CIOs Must Empower the Digital Workplace
Forrester – The State of Enterprise Worker Mobility
Gartner – The Role of the Desktop in Our Multi-Device World
BY 2020, 50% OF THE GLOBAL WORKFORCE WILL BE MILLENNIALS
Millennials believe their personal technology is more effective at work.
63% of millennials work for a company that offers a flexible work environment.
Trends 2016 – Code Conference, Mary Meeker Annual Presentation
Gartner – Millennial Digital Workers Really Are Different From Their Elders
Gartner ndash Millennial Digital Workers Really Are Different From Their Elders
LESS THAN 50 OF EMPLOYEES ARE
SATISFIED WITH TECH THEY HAVE AT WORK
Employees want an environment where they can access and use the technology hey need to do
their best work
Enterprises need to think how untethered employees can move
easily and seamlessly from personal workspace to huddle
area to open areas
Trends 2016 ndash Code Conference Mary Meeker Annual Presentation
Gartner ndash Millennial Digital Workers Really Are Different From Their Elders
80+ NEW IOT PROJECTS TO BE DEPLOYED WITH WIRELESS NETWORK ARCHITECTURE
Installed base of IoTendpoints will grow from
121B in lsquo15 to 30B+ in lsquo20
WLAN will become IoTconnectivity method of choice for many organizations and choosing
the wrong wireless tech can hinder the value of IoT
IDC ndash Planscape Optimizing the WLAN for IoT
IDC ndash Worldwide Internet of Things Forecast Update 2016-2020
THE PERFECT STORM
MOBILE IoT and CLOUD
ldquoOLD STYLErdquo IT INFRASTRUCTURE
Gen Y
ldquoNEW STYLErdquo IT INFRASTRUCTURE
GenMobile
OUR APPROACH
LegacySeparate architectures
Port VLAN aware
Proprietary systems
Mobile FirstSingle set of infrastructure
Insightful context-rich
Developer ready
REQUIREMENTS
FOR IT ORGANIZATIONS
Scale network ops
across wireless and
wired infrastructure
Enable high
quality experience
on mobile UC
Stay compliant
while embracing
BYOD and IoT
Deliver apps to
remote locations
in a heartbeat
Improve workplace
productivity and
influence revenue
growth
EASY TO CONSUME DEVELOPER READY INFRASTRUCTURE
INNOVATION AT THE SPEED OF THE ECOSYSTEM ndash NOT A SINGLE VENDOR
Aruba infrastructure
Wi-Fi BLE Wired WAN
Aruba Mobile First Platform
x
Micro-location
services
Cloud
networking
Location
analytics
Policy
management
Network
managementNetwork
controls
IT services
Business and user facing applications
EMPLOYEE
EXPERIENCE
0900
ENROLL
MOBILE DEVICE
1100
PRIVILEGED ACCESS
WITH MULTI-FACTOR
AUTHENTICATION
1300
BOOK
MEETING ROOM
OPERATIONAL
EXPERIENCE
0930
UNDERSTAND
APP USAGE
Aruba AppRF
1530
MONITOR HEALTH
OF THE SMART
BUILDING
IT EXPERIENCE
1100
PREDICT
DONrsquoT JUST
TROUBLESHOOT
Aruba Clarity
1330
UNDERSTAND
DONrsquoT JUST
MONITOR
ONCE BYOD AND IoT
ARE ON YOUR
NETWORK hellip
SECURING THE
PERIMETER IS NO
LONGER ENOUGH
STAY COMPLIANT
WHILE EMBRACING BYOD AND IOT
Auto-classify unknown devices
on any network with Aruba ClearPass
Automate onboarding of each device
to the network and enforce policy
Detect amp eliminate threats
with ClearPass Exchange partners
SOFTWARE CONTROLS FOR
NETWORK ACCESS SECURITY
Internet of
Things (IoT)
BYOD and
corporate owned
REST
API
Security monitoring
and threat prevention
Device management and
multi-factor authentication
Helpdesk and voiceSMS
service in the cloud
Multi-vendor
switching
Multi-vendor
WLANs
Aruba ClearPass with
Exchange Ecosystem
SOFTWARE CONTROLS FOR ldquoCOLORLESSrdquo PORTS
Device and
user identity
stores
Ports assigned to new
VLANs through ClearPass
based on device type
IoT devices on the
wired network
connecting to any portPrevention against malware
and insider threats
Secure per device
tunneling to Aruba
Mobility Controller
Aruba
switches
LEADING
SWISS
BRANDS
TRUST
US
Pause
Aruba ClearPass ndash Die Loumlsung fuumlr einen sicheren NetzwerkzugangManuel Bitzi SOFTEC AG
Evolution of Access Management and Control
Desktops amp Wired
Basic AAA with UserPort
Control
Windows Vulnerabilities
Perimeter security via
platform silos
High touch IT model
Mobile Devices BYOD amp
Wireless
Multi-factor policy control with
visibility
Multiple Attack Vectors
Cooperative trust via
context sharing
Self Service automated
process
YESTERDAY TODAY
Time For A New Mobility Defense Model
Static Perimeter Defense
IDSIPS
Firewalls
Adaptive Trust Defense
Perimeter
Defense
Physical
Components
AntiVirus
Security and Policy
for each user or
group
Web
gateways
Was sind die Hauptgruumlnde fuumlr ein NAC
AuthentifizierungZugriffsschutz
Automatische Konfiguration
Workflows
VisibilitaumltNachvollziehbarkeit
Top IT NAC Business Drivers
Authentication and Authorization
NAC Services Deployment
Architecture and Coverage
bull Provide secure wired
and wireless access
bull Enhance mobile and
cloud app access
bull Use of certificates
Deployment Services
bull Offer differentiated
access (IT-owned
BYOD IoT)
bull Deliver managed
and reliable guest
access
bull Provide consistent
privileges regardless
of location
bull Leverage 3rd-party
security solutions
bull IT-controlled access
bull Automate workflows
bull Simplicity
bull Possible User-
intervention
ClearPass Policy Manager and NAC Solution
Onboard Guest
Built-inbull Policy Enginebull RADIUSCoATACACSbull Profilingbull Accountingreportsbull Identity store
Expandable Applications
Remote Location
bull BYOD onboardingbull Simple guest accessbull Health assessments
OnGuard
Whatrsquos Inside
VISIBILITY
Device Profiling
Troubleshooting
Per Session Tracking
WORKFLOW
Onboarding and
Self-Registration
Guest Management
MDMEMM Integration
RULES
Context based
Device
Posture Checks
Built-in Certificate
Authority
Authentication based on Device Context
Device
Profiling
bull Samsung SM-G900
bull Android
bull ldquoJons-Galaxyrdquo
EMMMDMOnGuard
bull Personal owned
bull Registered
bull OS up-to-date
bull Hansen Jon [Sales]
bull MDM enabled = true
bull In-compliance = true
Identity
Stores
Network Devices
bull Hansen Jon [Sales]
bull Title ndash COO
bull Dept ndash Executive office
bull City ndash London
bull Location ndash Bldg 10
bull Floor ndash 3
bull Bandwidth ndash 10Mbps
Value of a Policy EngineRemove SSID Overload
NEW WAY Simplify separate traffic dynamically
by context
OLD WAY Separate access amp
traffic by SSIDs
ClearPass ExchangeEnd-to-End Control Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voiceSMSservice in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST APISQL
XMLHTTP LDAP
RADIUSTACACS
Traffic control ampthreat prevention
ClearPass Exchange ExampleExtensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
Devices profiled2 ClearPass checks McAfee ePO for endpoint status
3
ClearPass enforcesaccess privileges4
Devices establish connections1
ClearPass Exchange ExampleBi-directional Exchange ndash FirewallIPS Event
FirewallIPSSIEMetchellip
user connects and uploads threat
sends event to ClearPass
informs infrastructure
1 2
4
detects and blocks event
3isolates user5
notifies user opens service ticket notify third-party devices6
ClearPass Profiler Engine
bull ClearPass sammelt so viele Informationen wie moumlglich um einen Geraumltetyp zu bestimmen
bull Category Family Product Name
bull Fingerprint-Datenbank wird regelmaumlssig aktualisiert
bull Eigene Fingerprints erstellen
bull Credentials fuumlr SMNP SSH etc hinterlegen
bull Profiling bei Authentifizierung oder nach Bedarf
bull Erkennen von IoT Devices
DHCP
SNMP
SSH
TCPWMI
CDP LLDP
OnGuard
NMAP
Mac OUI
HTTP
ClearPass Profiler EngineProfiling on authentication discover IoT
AfterBefore
Lighting Sensorunknown
unknown Temperature Sensor
send to
quarantineprofiling assign
new policy
discover IoT assign appropriated policy
ClearPass Profiler EngineCustom Fingerprints Rules
NEW WAY Create your own
Fingerprints
OLD WAY Wait for new Fingerprints to be made andor manually override
devices 11
ClearPass Universal ProfilerStandalone Profiling Engine
bull Standalone profiling engine
bull Wired and wireless networks
bull Easily distributed for coverage
and scalability
bull New device visibility dashboard
bull Reports
bull Gain Visibility of your Network
bull GA February 2017
ClearPass Universal Profiler
DEMO Profiling
Clearpass Modules WorkflowsOnGuard Client Health Check
bull Automated Healthcheck before Access
bull WiredWireless Ensures posture compliance for laptopscomputers
bull Security Forces use of Anti-VirusAnti-Spyware firewalls disk encryptionhellip
bull Remediation Manual or auto
bull Visibility Identifies poor behavior
bull User Notification Tells User about failed checks
bull Type Service or dissolvable Web Checker
DEMO OnGuard
Clearpass Modules WorkflowsSecure Guest Login
bull Flexible Guest Logins for Any Visitor
bull Customizable Splash Pages
bull Self-Service Workflows
bull SMS Authentication
bull Sponsoring
bull Social Login
bull Vouchers
bull Predefined UserPassword
bull MAC Caching for repeat visitors
bull Suitable for Mobile Devices
Clearpass Modules WorkflowsSecure Guest Login Look and Feel
Clearpass Modules WorkflowsOnBoard Employee Device
bull BYOD Employees Login with Personal Devices
bull User and IT friendly One time user registration no IT intervention
bull Security IT managed 8021X and Certificates
bull Context Data added to profile for adaptive policy and troubleshooting
bull Selfmanaged User can manage delete and block devices by their own
Clearpass Modules WorkflowsCertificate Distribution for BYOD
bull Domain
bull Key amp
Certificate
Enterprise PKI and CA Built-in ClearPass CA
Certificate
Authority
Validation
Authority
Registration
Authority
Active
Directory
IT-Managed
Devices
bull Domain
bull User
bull Device
bull Key amp Unique
Certificate
Personal
Devices
CA
Certificate
Authority
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
MOBILE-FIRST
Sichere Netzwerkarchitektur
fuumlr die GenMobile
People Move
Networks Must Follow
WHO ARE WE
Source Gartner Magic Quadrant for the Wired and Wireless LAN Access Infrastructure September 2015 Tim Zimmerman Bill Menezes Andrew Lerner ID Number
G00277052 This Magic Quadrant graphic was published by Gartner Inc as part of a larger research note and should be evaluated in the context of the entire report
The Gartner report is available upon request from HP The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period It depicts
Gartners analysis of how certain vendors measure against criteria for that marketplace as defined by Gartner Gartner does not endorse any vendor product or
service depicted in the Magic Quadrant and does not advise technology users to select only those vendors placed in the Leaders quadrant The Magic Quadrant is
intended solely as a research tool and is not meant to be a specific guide to action Gartner disclaims all warranties express or implied with respect to this research
including any warranties of merchantability or fitness for a particular purpose
ldquoClients globally should consider
Aruba for all wired and wireless
access layer opportunitiesrdquo
Gartner MQ for Wired and Wireless LAN
Access Infrastructure August 2016
Founded 2002 IPO 2007
HPErsquos IT Edge portfolio since June 2015
$24B+ annual revenue run rate
ldquoBiggest Small Companyrdquo
High touch business model
ldquoCustomer First Customer Lastrdquo
Home of 45K+ Mobility Engineers
Airheads Community
ENABLING GREAT
DIGITAL EXPERIENCES FOR GENMOBILE
70 SAY A MOBILE DEVICE MAKES THEM MORE
PRODUCTIVE AT WORK
By 2018 60 of users in mature markets will own and use more
than 3 personal devices
50 of enterprises will allow employees to supply their own
devices by 2017
Forrester ndash CIOs Must Empower the Digital Workplace
Forrester ndash The State of Enterprise Worker Mobility
Gartner ndash The Role of the Desktop in Our Multi-Device World
BY 2020 50 OF THE GLOBAL WORKFORCE WILL BE MILLENNIALS
Millennials believe their personal technology is more
effective at work
63 of millennials work for a company that offers a flexible
work environment
Trends 2016 ndash Code Conference Mary Meeker Annual Presentation
Gartner ndash Millennial Digital Workers Really Are Different From Their Elders
LESS THAN 50 OF EMPLOYEES ARE
SATISFIED WITH TECH THEY HAVE AT WORK
Employees want an environment where they can access and use the technology hey need to do
their best work
Enterprises need to think how untethered employees can move
easily and seamlessly from personal workspace to huddle
area to open areas
Trends 2016 ndash Code Conference Mary Meeker Annual Presentation
Gartner ndash Millennial Digital Workers Really Are Different From Their Elders
80+ NEW IOT PROJECTS TO BE DEPLOYED WITH WIRELESS NETWORK ARCHITECTURE
Installed base of IoTendpoints will grow from
121B in lsquo15 to 30B+ in lsquo20
WLAN will become IoTconnectivity method of choice for many organizations and choosing
the wrong wireless tech can hinder the value of IoT
IDC ndash Planscape Optimizing the WLAN for IoT
IDC ndash Worldwide Internet of Things Forecast Update 2016-2020
THE PERFECT STORM
MOBILE IoT and CLOUD
ldquoOLD STYLErdquo IT INFRASTRUCTURE
Gen Y
ldquoNEW STYLErdquo IT INFRASTRUCTURE
GenMobile
OUR APPROACH
LegacySeparate architectures
Port VLAN aware
Proprietary systems
Mobile FirstSingle set of infrastructure
Insightful context-rich
Developer ready
REQUIREMENTS
FOR IT ORGANIZATIONS
Scale network ops
across wireless and
wired infrastructure
Enable high
quality experience
on mobile UC
Stay compliant
while embracing
BYOD and IoT
Deliver apps to
remote locations
in a heartbeat
Improve workplace
productivity and
influence revenue
growth
EASY TO CONSUME DEVELOPER READY INFRASTRUCTURE
INNOVATION AT THE SPEED OF THE ECOSYSTEM ndash NOT A SINGLE VENDOR
Aruba infrastructure
Wi-Fi BLE Wired WAN
Aruba Mobile First Platform
x
Micro-location
services
Cloud
networking
Location
analytics
Policy
management
Network
managementNetwork
controls
IT services
Business and user facing applications
EMPLOYEE
EXPERIENCE
0900
ENROLL
MOBILE DEVICE
1100
PRIVILEGED ACCESS
WITH MULTI-FACTOR
AUTHENTICATION
1300
BOOK
MEETING ROOM
OPERATIONAL
EXPERIENCE
0930
UNDERSTAND
APP USAGE
Aruba AppRF
1530
MONITOR HEALTH
OF THE SMART
BUILDING
IT EXPERIENCE
1100
PREDICT
DONrsquoT JUST
TROUBLESHOOT
Aruba Clarity
1330
UNDERSTAND
DONrsquoT JUST
MONITOR
ONCE BYOD AND IoT
ARE ON YOUR
NETWORK hellip
SECURING THE
PERIMETER IS NO
LONGER ENOUGH
STAY COMPLIANT
WHILE EMBRACING BYOD AND IOT
Auto-classify unknown devices
on any network with Aruba ClearPass
Automate onboarding of each device
to the network and enforce policy
Detect amp eliminate threats
with ClearPass Exchange partners
SOFTWARE CONTROLS FOR
NETWORK ACCESS SECURITY
Internet of
Things (IoT)
BYOD and
corporate owned
REST
API
Security monitoring
and threat prevention
Device management and
multi-factor authentication
Helpdesk and voiceSMS
service in the cloud
Multi-vendor
switching
Multi-vendor
WLANs
Aruba ClearPass with
Exchange Ecosystem
SOFTWARE CONTROLS FOR ldquoCOLORLESSrdquo PORTS
Device and
user identity
stores
Ports assigned to new
VLANs through ClearPass
based on device type
IoT devices on the
wired network
connecting to any portPrevention against malware
and insider threats
Secure per device
tunneling to Aruba
Mobility Controller
Aruba
switches
LEADING
SWISS
BRANDS
TRUST
US
Pause
Aruba ClearPass ndash Die Loumlsung fuumlr einen sicheren NetzwerkzugangManuel Bitzi SOFTEC AG
Evolution of Access Management and Control
Desktops amp Wired
Basic AAA with UserPort
Control
Windows Vulnerabilities
Perimeter security via
platform silos
High touch IT model
Mobile Devices BYOD amp
Wireless
Multi-factor policy control with
visibility
Multiple Attack Vectors
Cooperative trust via
context sharing
Self Service automated
process
YESTERDAY TODAY
Time For A New Mobility Defense Model
Static Perimeter Defense
IDSIPS
Firewalls
Adaptive Trust Defense
Perimeter
Defense
Physical
Components
AntiVirus
Security and Policy
for each user or
group
Web
gateways
Was sind die Hauptgruumlnde fuumlr ein NAC
AuthentifizierungZugriffsschutz
Automatische Konfiguration
Workflows
VisibilitaumltNachvollziehbarkeit
Top IT NAC Business Drivers
Authentication and Authorization
NAC Services Deployment
Architecture and Coverage
bull Provide secure wired
and wireless access
bull Enhance mobile and
cloud app access
bull Use of certificates
Deployment Services
bull Offer differentiated
access (IT-owned
BYOD IoT)
bull Deliver managed
and reliable guest
access
bull Provide consistent
privileges regardless
of location
bull Leverage 3rd-party
security solutions
bull IT-controlled access
bull Automate workflows
bull Simplicity
bull Possible User-
intervention
ClearPass Policy Manager and NAC Solution
Onboard Guest
Built-inbull Policy Enginebull RADIUSCoATACACSbull Profilingbull Accountingreportsbull Identity store
Expandable Applications
Remote Location
bull BYOD onboardingbull Simple guest accessbull Health assessments
OnGuard
Whatrsquos Inside
VISIBILITY
Device Profiling
Troubleshooting
Per Session Tracking
WORKFLOW
Onboarding and
Self-Registration
Guest Management
MDMEMM Integration
RULES
Context based
Device
Posture Checks
Built-in Certificate
Authority
Authentication based on Device Context
Device
Profiling
bull Samsung SM-G900
bull Android
bull ldquoJons-Galaxyrdquo
EMMMDMOnGuard
bull Personal owned
bull Registered
bull OS up-to-date
bull Hansen Jon [Sales]
bull MDM enabled = true
bull In-compliance = true
Identity
Stores
Network Devices
bull Hansen Jon [Sales]
bull Title ndash COO
bull Dept ndash Executive office
bull City ndash London
bull Location ndash Bldg 10
bull Floor ndash 3
bull Bandwidth ndash 10Mbps
Value of a Policy EngineRemove SSID Overload
NEW WAY Simplify separate traffic dynamically
by context
OLD WAY Separate access amp
traffic by SSIDs
ClearPass ExchangeEnd-to-End Control Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voiceSMSservice in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST APISQL
XMLHTTP LDAP
RADIUSTACACS
Traffic control ampthreat prevention
ClearPass Exchange ExampleExtensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
Devices profiled2 ClearPass checks McAfee ePO for endpoint status
3
ClearPass enforcesaccess privileges4
Devices establish connections1
ClearPass Exchange ExampleBi-directional Exchange ndash FirewallIPS Event
FirewallIPSSIEMetchellip
user connects and uploads threat
sends event to ClearPass
informs infrastructure
1 2
4
detects and blocks event
3isolates user5
notifies user opens service ticket notify third-party devices6
ClearPass Profiler Engine
bull ClearPass sammelt so viele Informationen wie moumlglich um einen Geraumltetyp zu bestimmen
bull Category Family Product Name
bull Fingerprint-Datenbank wird regelmaumlssig aktualisiert
bull Eigene Fingerprints erstellen
bull Credentials fuumlr SMNP SSH etc hinterlegen
bull Profiling bei Authentifizierung oder nach Bedarf
bull Erkennen von IoT Devices
DHCP
SNMP
SSH
TCPWMI
CDP LLDP
OnGuard
NMAP
Mac OUI
HTTP
ClearPass Profiler EngineProfiling on authentication discover IoT
AfterBefore
Lighting Sensorunknown
unknown Temperature Sensor
send to
quarantineprofiling assign
new policy
discover IoT assign appropriated policy
ClearPass Profiler EngineCustom Fingerprints Rules
NEW WAY Create your own
Fingerprints
OLD WAY Wait for new Fingerprints to be made andor manually override
devices 11
ClearPass Universal ProfilerStandalone Profiling Engine
bull Standalone profiling engine
bull Wired and wireless networks
bull Easily distributed for coverage
and scalability
bull New device visibility dashboard
bull Reports
bull Gain Visibility of your Network
bull GA February 2017
ClearPass Universal Profiler
DEMO Profiling
ClearPass Modules & Workflows: OnGuard Client Health Check
• Automated health check before access
• Wired/Wireless: ensures posture compliance for laptops/computers
• Security: forces use of anti-virus/anti-spyware, firewalls, disk encryption, ...
• Remediation: manual or auto
• Visibility: identifies poor behavior
• User notification: tells the user about failed checks
• Type: service or dissolvable web checker
DEMO: OnGuard
ClearPass Modules & Workflows: Secure Guest Login
• Flexible guest logins for any visitor
• Customizable splash pages
• Self-service workflows
• SMS authentication
• Sponsoring
• Social login
• Vouchers
• Predefined user/password
• MAC caching for repeat visitors
• Suitable for mobile devices
ClearPass Modules & Workflows: Secure Guest Login Look and Feel
ClearPass Modules & Workflows: OnBoard Employee Device
• BYOD: employees log in with personal devices
• User and IT friendly: one-time user registration, no IT intervention
• Security: IT-managed 802.1X and certificates
• Context: data added to the profile for adaptive policy and troubleshooting
• Self-managed: users can manage, delete and block their own devices
ClearPass Modules & Workflows: Certificate Distribution for BYOD
IT-Managed Devices: • Domain • Key & Certificate; issued by the Enterprise PKI and CA (Certificate Authority, Validation Authority, Registration Authority, Active Directory: AD/RA/VA/CA)
Personal Devices: • Domain • User • Device • Key & Unique Certificate; issued by the built-in ClearPass CA (Certificate Authority)
ClearPass Modules & Workflows: Multi-Factor Authentication
• Additional authentication for Guest and Onboard workflows
• Multiple methods supported:
• SMS verification code
• RSA Security
• Duo
• Zoom Facial Network
• Kasada
• More to come
DEMO: OnBoard BYOD
Possible access concept, wireless
• Guests: SSID "open", Captive-Portal; Internet only
• BYOD: SSID "secure", Dot1x; Corp-PC: Corp LAN; others: Internet
• SSID "IoT": PSK / MAC / Profiling
Possible access concept, wired
• Guests: Captive-Portal; Internet only
• Dot1x: Corp-PC (Cert): Corp LAN; others: Internet
• MAC-Auth / Profiling
How to approach a NAC project: best practice and experience
• Know the devices in the network
• What is there? Where are they? New ones?
• Inventory, profiling
• Define use cases
• Which stakeholder groups are there?
• Procedures, processes, access
• Simple and few: keep it simple
• Plan enough time for a proof of concept
• Feed the experience from the PoC back in and adjust
• Implement step by step
• Not everything at once
• But in the end covering everything
Thank you for your attention
Manuel Bitzi, Project Manager Network Engineering
manuelbitzisoftecch
Apéro and networking
Thank you for your visit
SOFTEC AG, Industriestrasse 51, CH-6312 Steinhausen
kurtchristensoftecch, +41 41 747 07 60
WHO ARE WE
Source: Gartner, Magic Quadrant for the Wired and Wireless LAN Access Infrastructure, September 2015, Tim Zimmerman, Bill Menezes, Andrew Lerner, ID Number G00277052. This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from HP. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the Leaders quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
"Clients globally should consider Aruba for all wired and wireless access layer opportunities" (Gartner MQ for Wired and Wireless LAN Access Infrastructure, August 2016)
Founded 2002, IPO 2007
HPE's IT Edge portfolio since June 2015
$2.4B+ annual revenue run rate
"Biggest Small Company"
High-touch business model
"Customer First, Customer Last"
Home of 45K+ Mobility Engineers: Airheads Community
ENABLING GREAT DIGITAL EXPERIENCES FOR GENMOBILE
70% SAY A MOBILE DEVICE MAKES THEM MORE PRODUCTIVE AT WORK
By 2018, 60% of users in mature markets will own and use more than 3 personal devices
50% of enterprises will allow employees to supply their own devices by 2017
Forrester - CIOs Must Empower the Digital Workplace
Forrester - The State of Enterprise Worker Mobility
Gartner - The Role of the Desktop in Our Multi-Device World
BY 2020, 50% OF THE GLOBAL WORKFORCE WILL BE MILLENNIALS
Millennials believe their personal technology is more effective at work
63% of millennials work for a company that offers a flexible work environment
Trends 2016 - Code Conference, Mary Meeker Annual Presentation
Gartner - Millennial Digital Workers Really Are Different From Their Elders
LESS THAN 50% OF EMPLOYEES ARE SATISFIED WITH THE TECH THEY HAVE AT WORK
Employees want an environment where they can access and use the technology they need to do their best work
Enterprises need to think about how untethered employees can move easily and seamlessly from personal workspace to huddle area to open areas
Trends 2016 - Code Conference, Mary Meeker Annual Presentation
Gartner - Millennial Digital Workers Really Are Different From Their Elders
80+ NEW IOT PROJECTS TO BE DEPLOYED WITH WIRELESS NETWORK ARCHITECTURE
Installed base of IoT endpoints will grow from 12.1B in '15 to 30B+ in '20
WLAN will become the IoT connectivity method of choice for many organizations, and choosing the wrong wireless tech can hinder the value of IoT
IDC - Planscape: Optimizing the WLAN for IoT
IDC - Worldwide Internet of Things Forecast Update 2016-2020
THE PERFECT STORM: MOBILE, IoT and CLOUD
"OLD STYLE" IT INFRASTRUCTURE: Gen Y
"NEW STYLE" IT INFRASTRUCTURE: GenMobile
OUR APPROACH
Legacy: separate architectures; port/VLAN aware; proprietary systems
Mobile First: single set of infrastructure; insightful, context-rich; developer ready
REQUIREMENTS FOR IT ORGANIZATIONS
• Scale network ops across wireless and wired infrastructure
• Enable high quality experience on mobile UC
• Stay compliant while embracing BYOD and IoT
• Deliver apps to remote locations in a heartbeat
• Improve workplace productivity and influence revenue growth
EASY TO CONSUME, DEVELOPER READY INFRASTRUCTURE
INNOVATION AT THE SPEED OF THE ECOSYSTEM - NOT A SINGLE VENDOR
Aruba infrastructure: Wi-Fi, BLE, Wired, WAN
Aruba Mobile First Platform: micro-location services; cloud networking; location analytics; policy management; network management; network controls
IT services; business and user facing applications
EMPLOYEE EXPERIENCE: 09:00 enroll mobile device; 11:00 privileged access with multi-factor authentication; 13:00 book meeting room
OPERATIONAL EXPERIENCE: 09:30 understand app usage (Aruba AppRF); 15:30 monitor health of the smart building
IT EXPERIENCE: 11:00 predict, don't just troubleshoot (Aruba Clarity); 13:30 understand, don't just monitor
ONCE BYOD AND IoT ARE ON YOUR NETWORK ... SECURING THE PERIMETER IS NO LONGER ENOUGH
STAY COMPLIANT WHILE EMBRACING BYOD AND IOT
• Auto-classify unknown devices on any network with Aruba ClearPass
• Automate onboarding of each device to the network and enforce policy
• Detect & eliminate threats with ClearPass Exchange partners
SOFTWARE CONTROLS FOR NETWORK ACCESS SECURITY
Aruba ClearPass with Exchange Ecosystem: Internet of Things (IoT); BYOD and corporate owned devices; multi-vendor switching; multi-vendor WLANs
REST API integrations: security monitoring and threat prevention; device management and multi-factor authentication; helpdesk and voice/SMS service in the cloud
SOFTWARE CONTROLS FOR "COLORLESS" PORTS
• Device and user identity stores
• Ports assigned to new VLANs through ClearPass based on device type
• IoT devices on the wired network connecting to any port
• Prevention against malware and insider threats
• Secure per-device tunneling from Aruba switches to the Aruba Mobility Controller
LEADING SWISS BRANDS TRUST US
Pause
Aruba ClearPass - The solution for secure network access (Manuel Bitzi, SOFTEC AG)
Evolution of Access Management and Control
YESTERDAY: desktops & wired; basic AAA with user/port control; Windows vulnerabilities; perimeter security via platform silos; high-touch IT model
TODAY: mobile devices, BYOD & wireless; multi-factor policy control with visibility; multiple attack vectors; cooperative trust via context sharing; self-service, automated process
Time For A New Mobility Defense Model
Static Perimeter Defense (perimeter defense, physical components): IDS/IPS; firewalls; anti-virus; web gateways
Adaptive Trust Defense: security and policy for each user or group
What are the main reasons for a NAC?
Authentication / access protection
Automatic configuration
Workflows
Visibility / traceability
Top IT NAC Business Drivers (Authentication and Authorization; NAC Services Deployment; Architecture and Coverage; Deployment Services)
• Provide secure wired and wireless access
• Enhance mobile and cloud app access
• Use of certificates
• Offer differentiated access (IT-owned, BYOD, IoT)
• Deliver managed and reliable guest access
• Provide consistent privileges regardless of location
• Leverage 3rd-party security solutions
• IT-controlled access
• Automate workflows
• Simplicity
• Possible user intervention
ClearPass Policy Manager and NAC Solution
Built-in: • Policy Engine • RADIUS/CoA/TACACS • Profiling • Accounting/reports • Identity store
Expandable applications (Onboard, Guest, OnGuard; also for remote locations): • BYOD onboarding • Simple guest access • Health assessments
What's Inside
VISIBILITY: device profiling; troubleshooting; per-session tracking
WORKFLOW: onboarding and self-registration; guest management; MDM/EMM integration
RULES: context based; device posture checks; built-in Certificate Authority
Authentication based on Device Context
Device Profiling: • Samsung SM-G900 • Android • "Jons-Galaxy"
EMM/MDM/OnGuard: • Personal owned • Registered • OS up-to-date • Hansen, Jon [Sales] • MDM enabled = true • In-compliance = true
Identity Stores / Network Devices: • Hansen, Jon [Sales] • Title - COO • Dept - Executive office • City - London • Location - Bldg 10 • Floor - 3 • Bandwidth - 10Mbps
Value of a Policy Engine: Remove SSID Overload
NEW WAY: Simplify; separate traffic dynamically by context
OLD WAY: Separate access & traffic by SSIDs
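The "authentication based on device context" and "remove SSID overload" slides, together with the wireless/wired access concepts earlier in the deck, as an added Python example (not ClearPass code): the profiler result, the EMM/MDM/OnGuard posture, the identity store attributes and how the endpoint connected are evaluated by an ordered rule list, and the first matching rule yields the enforcement profile. One SSID therefore produces corp-pc, BYOD, remediation or quarantine outcomes that would each have needed its own SSID the old way. Role names, VLAN numbers and the user data are constructed.

```python
"""Context-based policy engine: one SSID, many access levels.

Added example, not ClearPass code. Role and VLAN values are constructed.
"""
from dataclasses import dataclass


@dataclass
class Context:
    ssid: str                    # "open", "secure", "IoT" or "wired"
    auth: str                    # "captive-portal", "dot1x-cert", "dot1x-user", "psk", "mac"
    device_category: str         # profiler result: "Computer", "Smartphone", "IoT", "Unknown"
    ownership: str = "unknown"   # "corporate" or "personal", from EMM/MDM or the profiler
    mdm_enrolled: bool = False   # MDM enabled = true on the slide
    posture_ok: bool = False     # In-compliance = true (OnGuard / MDM)
    user: str = ""
    groups: tuple = ()


@dataclass(frozen=True)
class Enforcement:
    role: str
    vlan: int
    reason: str


# Ordered rules: (name, predicate on Context, enforcement). The first hit wins,
# so the specific and the "fail closed" rules sit above the permissive ones.
RULES = [
    ("guest", lambda c: c.auth == "captive-portal",
     Enforcement("guest", 900, "Internet only")),
    ("unknown-device", lambda c: c.device_category == "Unknown",
     Enforcement("quarantine", 999, "profile first, then re-authorize")),
    ("corp-pc", lambda c: c.auth == "dot1x-cert" and c.ownership == "corporate"
                          and c.device_category == "Computer" and c.posture_ok,
     Enforcement("corp-pc", 100, "Corp LAN")),
    ("remediation", lambda c: c.auth.startswith("dot1x") and not c.posture_ok,
     Enforcement("remediation", 950, "health check failed, remediation servers only")),
    ("byod", lambda c: c.auth.startswith("dot1x") and c.ownership == "personal"
                       and c.mdm_enrolled,
     Enforcement("byod", 200, "Internet")),
    ("iot", lambda c: c.auth in ("psk", "mac") and c.device_category == "IoT",
     Enforcement("iot", 300, "IoT segment only")),
]

DEFAULT = Enforcement("deny", 0, "no rule matched")


def evaluate(ctx, rules=RULES):
    """Return the enforcement profile of the first rule whose predicate holds."""
    for _name, predicate, enforcement in rules:
        if predicate(ctx):
            return enforcement
    return DEFAULT


def jons_galaxy():
    """The endpoint from the 'Authentication based on Device Context' slide."""
    return Context(ssid="secure", auth="dot1x-user", device_category="Smartphone",
                   ownership="personal", mdm_enrolled=True, posture_ok=True,
                   user="Hansen, Jon", groups=("Sales",))


def roles_on_ssid(contexts):
    """Distinct roles handed out on the same SSID: the 'new way' in one list."""
    return sorted({evaluate(c).role for c in contexts})
```

Because rule order decides, a personal device that fails its health check lands in remediation rather than in the BYOD role, which is the posture-first behaviour the OnGuard slide describes.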
ClearPass Exchange: End-to-End Control, Information and Visibility
Multi-vendor infrastructure; device management and multi-factor authentication; helpdesk and voice/SMS service in the cloud; traffic control & threat prevention
Combine identity information
Standard protocols for custom extensions: REST API, SQL, XML/HTTP, LDAP, RADIUS/TACACS
Aruba ClearPass ndash Die Loumlsung fuumlr einen sicheren NetzwerkzugangManuel Bitzi SOFTEC AG
Evolution of Access Management and Control
Desktops amp Wired
Basic AAA with UserPort
Control
Windows Vulnerabilities
Perimeter security via
platform silos
High touch IT model
Mobile Devices BYOD amp
Wireless
Multi-factor policy control with
visibility
Multiple Attack Vectors
Cooperative trust via
context sharing
Self Service automated
process
YESTERDAY TODAY
Time For A New Mobility Defense Model
Static Perimeter Defense
IDSIPS
Firewalls
Adaptive Trust Defense
Perimeter
Defense
Physical
Components
AntiVirus
Security and Policy
for each user or
group
Web
gateways
Was sind die Hauptgruumlnde fuumlr ein NAC
AuthentifizierungZugriffsschutz
Automatische Konfiguration
Workflows
VisibilitaumltNachvollziehbarkeit
Top IT NAC Business Drivers
Authentication and Authorization
• Provide secure wired and wireless access
• Enhance mobile and cloud app access
• Use of certificates
NAC Services Deployment, Architecture and Coverage
• Offer differentiated access (IT-owned, BYOD, IoT)
• Deliver managed and reliable guest access
• Provide consistent privileges regardless of location
• Leverage 3rd-party security solutions
Deployment Services
• IT-controlled access
• Automate workflows
• Simplicity
• Possible user intervention
ClearPass Policy Manager and NAC Solution: What's Inside
Built-in:
• Policy engine
• RADIUS / CoA / TACACS
• Profiling
• Accounting / reports
• Identity store
Expandable applications (Onboard, Guest, OnGuard):
• BYOD onboarding
• Simple guest access
• Health assessments
Remote Location
VISIBILITY: device profiling, troubleshooting, per-session tracking
WORKFLOW: onboarding and self-registration, guest management, MDM/EMM integration
RULES: context based, device posture checks, built-in certificate authority
Authentication based on Device Context
Device Profiling:
• Samsung SM-G900
• Android
• "Jons-Galaxy"
EMM / MDM / OnGuard:
• Personal owned
• Registered
• OS up-to-date
• Hansen Jon [Sales]
• MDM enabled = true
• In-compliance = true
Identity Stores:
• Hansen Jon [Sales]
• Title: COO
• Dept: Executive office
• City: London
Network Devices:
• Location: Bldg 10
• Floor: 3
• Bandwidth: 10Mbps
Value of a Policy Engine: Remove SSID Overload
OLD WAY: Separate access & traffic by SSIDs
NEW WAY: Simplify; separate traffic dynamically by context
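The two slides above describe the core idea of a context-based policy engine: the access role is derived from device profile, EMM/MDM posture, identity-store attributes and network-device context, so one SSID can carry everything and the VLAN is assigned dynamically. The following is an added illustration written for this transcript, not ClearPass code or anything from the deck. It walks the slide's own example (Jon Hansen's registered, compliant Samsung Galaxy in the executive office) through an ordered rule list and renders the result as the standard RFC 3580 RADIUS VLAN attributes. Role names, VLAN numbers, bandwidth caps and the rule order are constructed sample values.

```python
"""Context-based access decision for a single SSID.

Added illustration, not ClearPass code: an access role, VLAN and
bandwidth cap are chosen from the four context sources on the slide
(device profile, EMM/MDM/OnGuard posture, identity store, network
device) instead of from the SSID the client joined. VLAN numbers, role
names and bandwidth caps are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Context:
    # Device profiling
    device_category: str          # e.g. "SmartDevice", "Computer", "IoT"
    os_family: str                # e.g. "Android"
    # EMM / MDM / OnGuard
    ownership: str                # "personal" or "corporate"
    registered: bool
    mdm_enabled: bool
    in_compliance: bool
    # Identity store
    user: Optional[str]
    department: Optional[str]
    # Network device (NAS) context
    auth_method: str              # "EAP-TLS", "PEAP", "MAC", "captive-portal"
    location: str


@dataclass
class Decision:
    role: str
    vlan: int
    bandwidth_mbps: int
    reason: str


def decide(ctx: Context) -> Decision:
    """Ordered rule list: first match wins; the last rule is a default deny."""
    if ctx.auth_method == "captive-portal":
        return Decision("guest", 900, 5, "captive portal: internet only")
    if ctx.device_category == "IoT":
        # Profiled IoT gets its own segment no matter which port or SSID it used
        return Decision("iot", 300, 2, "profiled as IoT")
    if ctx.auth_method == "EAP-TLS" and ctx.ownership == "corporate" and ctx.in_compliance:
        return Decision("employee", 100, 100, "corporate device, certificate auth, compliant")
    if ctx.ownership == "personal" and ctx.registered:
        if not (ctx.mdm_enabled and ctx.in_compliance):
            # Known BYOD that fails posture: limited role until remediated
            return Decision("quarantine", 999, 1, "BYOD not MDM-compliant")
        if ctx.department == "Executive office":
            return Decision("exec-byod", 120, 10, "registered BYOD, executive")
        return Decision("byod", 200, 10, "registered BYOD")
    return Decision("deny", 0, 0, "no rule matched")


def to_radius_attributes(d: Decision) -> Dict[str, object]:
    """Render the decision as the RFC 3580 VLAN attributes a switch or
    controller applies, plus Filter-Id for the role; deny is an Access-Reject."""
    if d.role == "deny":
        return {"Code": "Access-Reject"}
    return {
        "Code": "Access-Accept",
        "Tunnel-Type": 13,              # VLAN
        "Tunnel-Medium-Type": 6,        # IEEE-802
        "Tunnel-Private-Group-ID": str(d.vlan),
        "Filter-Id": d.role,
    }


# The slide's example, as a constructed context record
JONS_GALAXY = Context(
    device_category="SmartDevice", os_family="Android",
    ownership="personal", registered=True, mdm_enabled=True, in_compliance=True,
    user="Hansen Jon", department="Executive office",
    auth_method="PEAP", location="Bldg 10 / Floor 3",
)

if __name__ == "__main__":
    decision = decide(JONS_GALAXY)
    print(decision)
    print(to_radius_attributes(decision))
```

The point of the ordering is that the most restrictive context wins before any identity attribute is consulted: a device profiled as IoT never reaches the BYOD rules even if a user has authenticated on it, and a registered device that fails MDM compliance lands in a remediation role rather than being silently granted the 10 Mbps executive role the slide shows for the compliant case.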
ClearPass Exchange: End-to-End Control, Information and Visibility
• Multi-vendor infrastructure
• Device management and multi-factor authentication
• Helpdesk and voice/SMS service in the cloud
• Combine identity information
• Standard protocols for custom extensions: REST API, SQL, XML/HTTP, LDAP, RADIUS/TACACS
• Traffic control & threat prevention
ClearPass Exchange Example: Extensions for Intel Security - McAfee ePO
Endpoints (corporate owned and IoT, BYOD and corporate owned) on multi-vendor switching and multi-vendor WLAN:
1. Devices establish connections
2. Devices profiled
3. ClearPass checks McAfee ePO for endpoint status
4. ClearPass enforces access privileges
ClearPass Exchange Example: Bi-directional Exchange - Firewall/IPS Event
Partners: firewall, IPS, SIEM etc.
1. User connects and uploads threat
2. Firewall/IPS detects and blocks event
3. Firewall/IPS sends event to ClearPass
4. ClearPass informs infrastructure
5. Infrastructure isolates user
6. ClearPass notifies user, opens service ticket, notifies third-party devices
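The six-step exchange above is the defensive loop that makes "cooperative trust via context sharing" concrete: the perimeter device only sees an IP address, the NAC is the one component that can map that address to a session, a MAC and a switch port or AP, and push a change of authorization. The following is an added simulation written for this transcript, not ClearPass, McAfee or any vendor's code. It models an IPS, a NAS (switch or controller) and a policy server as in-memory objects and runs the slide's steps 1 to 6 over a constructed session table; the Change-of-Authorization message is shaped after RFC 5176 attributes, and all hosts, hashes and identifiers are constructed placeholders.

```python
"""Bi-directional exchange: firewall/IPS event -> NAC isolates the user.

Added illustration, not ClearPass or any vendor's code. The six steps of
the slide are simulated with in-memory objects: an IPS stand-in inspects
a flow, blocks it and sends an event to the policy server; the policy
server maps the source IP to a live session (as learned from RADIUS
accounting), pushes a Change-of-Authorization (RFC 5176) to the NAS to
move the client into a quarantine role, then notifies the user, opens a
ticket and informs other third-party systems. Hosts, hashes and session
data are constructed samples.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Session:
    ip: str
    mac: str
    user: str
    nas_ip: str
    role: str = "employee"


@dataclass
class Nas:
    """Switch or WLAN controller stand-in that accepts RADIUS CoA."""
    ip: str
    applied: List[dict] = field(default_factory=list)

    def coa(self, request: dict) -> str:
        self.applied.append(request)      # step 4/5: infrastructure re-applies policy
        return "CoA-ACK"


@dataclass
class Ips:
    """Firewall/IPS stand-in: a file-hash blocklist stands in for its signatures."""
    blocked_hashes: set
    events_sent: List[dict] = field(default_factory=list)

    def inspect(self, flow: dict) -> Optional[dict]:
        # step 2: detect and block; step 3: send the event to the policy server
        if flow["sha256"] not in self.blocked_hashes:
            return None
        event = {"src_ip": flow["src_ip"], "signature": "blocked-file-upload",
                 "sha256": flow["sha256"], "action": "blocked"}
        self.events_sent.append(event)
        return event


@dataclass
class PolicyServer:
    sessions: Dict[str, Session]           # keyed by client IP
    nas_by_ip: Dict[str, Nas]
    tickets: List[str] = field(default_factory=list)
    notifications: List[str] = field(default_factory=list)
    third_party: List[dict] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)

    def on_threat_event(self, event: dict) -> Optional[dict]:
        session = self.sessions.get(event["src_ip"])
        if session is None:
            # No live session for that IP: log only, never guess which client to isolate
            self.audit.append(f"unmatched event from {event['src_ip']}: {event['signature']}")
            return None
        nas = self.nas_by_ip[session.nas_ip]
        # step 5: isolate the user via CoA (role change rather than a full disconnect)
        reply = nas.coa({"Calling-Station-Id": session.mac, "Filter-Id": "quarantine"})
        if reply == "CoA-ACK":
            session.role = "quarantine"
        # step 6: notify the user, open a service ticket, inform third-party systems
        ticket = f"INC-{len(self.tickets) + 1:04d}"
        self.tickets.append(ticket)
        self.notifications.append(f"{session.user}: device {session.mac} quarantined, see {ticket}")
        self.third_party.append({"mac": session.mac, "ip": session.ip, "status": "quarantined"})
        self.audit.append(f"{event['signature']} from {session.user}/{session.mac} -> {session.role} ({reply})")
        return {"user": session.user, "role": session.role, "ticket": ticket, "coa": reply}


def run_scenario() -> dict:
    """Constructed walk-through of steps 1 to 6; returns the resulting state."""
    nas = Nas(ip="10.0.0.2")
    srv = PolicyServer(
        sessions={"10.1.2.3": Session("10.1.2.3", "aa:bb:cc:dd:ee:01", "jhansen", nas.ip)},
        nas_by_ip={nas.ip: nas},
    )
    ips = Ips(blocked_hashes={"deadbeef" * 8})   # constructed placeholder hash
    # step 1: user connects and uploads a file the IPS blocks
    flow = {"src_ip": "10.1.2.3", "dst": "files.example.test", "sha256": "deadbeef" * 8}
    event = ips.inspect(flow)
    result = srv.on_threat_event(event) if event else None
    return {"result": result, "nas_applied": nas.applied, "audit": srv.audit}


if __name__ == "__main__":
    print(run_scenario())
```

Two design choices worth keeping in a real deployment: the policy server refuses to act on an event whose source IP has no live session (a stale DHCP lease or NAT address must not quarantine the wrong client), and the audit trail records both the triggering signature and the CoA reply, which is what an incident responder needs later to reconstruct why a user lost access.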
ClearPass Profiler Engine
• ClearPass collects as much information as possible to determine a device type
• Category, Family, Product Name
• The fingerprint database is updated regularly
• Create your own fingerprints
• Store credentials for SNMP, SSH etc.
• Profiling at authentication or on demand
• Detection of IoT devices
Collectors: DHCP, SNMP, SSH, TCP/WMI, CDP/LLDP, OnGuard, NMAP, MAC OUI, HTTP
ClearPass Profiler Engine: Profiling on authentication, discover IoT
[Diagram: before/after. Before: unknown, after: Lighting Sensor. Before: unknown, after: Temperature Sensor. Flow: send to quarantine, profiling, assign new policy. Discover IoT, assign the appropriate policy.]
ClearPass Profiler Engine: Custom Fingerprint Rules
OLD WAY: Wait for new fingerprints to be made and/or manually override devices 1:1
NEW WAY: Create your own fingerprints
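The three profiler slides above describe one pipeline: collectors gather attributes (MAC OUI, DHCP, HTTP, SNMP, ...), a fingerprint database maps them to Category / Family / Product Name, an endpoint that nothing matches is parked in quarantine until it can be classified, and operators can add their own fingerprints instead of waiting for a database update. The following is an added illustration written for this transcript, not ClearPass code and not the vendor's fingerprint database. It runs a constructed temperature sensor through that pipeline: unknown and quarantined first, classified as IoT after a custom fingerprint is added. The fingerprint entries are constructed samples; the two real OUIs used (B8:27:EB for Raspberry Pi, 00:0C:29 for VMware) are public IEEE assignments.

```python
"""Device profiling from several collectors, with custom fingerprints.

Added illustration, not ClearPass code. Each endpoint carries the raw
observations the collectors on the slide would deliver (MAC OUI, DHCP
vendor class, HTTP User-Agent, SNMP sysDescr); they are matched against
a fingerprint database giving Category / Family / Product Name. An
endpoint nothing matches stays "unknown" and gets the quarantine policy
until a fingerprint (built-in or custom) classifies it. Fingerprints
here are constructed samples, not a vendor database.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Fingerprint:
    category: str
    family: str
    product: str
    match: Dict[str, str]    # attribute -> required substring ("oui": exact prefix)
    custom: bool = False


@dataclass
class Endpoint:
    mac: str
    observations: Dict[str, str] = field(default_factory=dict)


@dataclass
class Profile:
    category: str
    family: str
    product: str
    confidence: int          # number of attributes that matched
    policy: str


def policy_for(category: str) -> str:
    """Constructed mapping from device category to the access policy to assign."""
    return {"IoT": "iot-restricted", "Computer": "corp-or-byod",
            "SmartDevice": "byod"}.get(category, "quarantine")


class Profiler:
    def __init__(self, fingerprints: List[Fingerprint]):
        self.fingerprints = list(fingerprints)

    def add_custom_fingerprint(self, fp: Fingerprint) -> None:
        """NEW WAY: operators add their own rule instead of waiting for a DB update."""
        fp.custom = True
        self.fingerprints.insert(0, fp)      # custom rules win ties against built-ins

    def profile(self, ep: Endpoint) -> Profile:
        obs = {k: v.lower() for k, v in ep.observations.items()}
        obs["oui"] = ep.mac.upper().replace("-", ":")[:8]     # MAC OUI collector
        best: Optional[Tuple[int, Fingerprint]] = None
        for fp in self.fingerprints:
            hits = 0
            for attr, needle in fp.match.items():
                value = obs.get(attr, "")
                ok = value == needle.upper() if attr == "oui" else needle.lower() in value
                if not ok:
                    hits = -1                 # every attribute of a fingerprint must match
                    break
                hits += 1
            if hits > 0 and (best is None or hits > best[0]):
                best = (hits, fp)             # the most specific match wins
        if best is None:
            # Unknown device: quarantine policy, keep collecting, re-profile later
            return Profile("unknown", "unknown", "unknown", 0, "quarantine")
        hits, fp = best
        return Profile(fp.category, fp.family, fp.product, hits, policy_for(fp.category))


# Constructed sample fingerprint database (not the vendor's)
BUILTIN = [
    Fingerprint("Computer", "Linux", "Raspberry Pi", {"oui": "B8:27:EB"}),
    Fingerprint("Computer", "Virtual Machine", "VMware Guest", {"oui": "00:0C:29"}),
    Fingerprint("SmartDevice", "Android", "Android Phone",
                {"dhcp_vendor": "android-dhcp", "http_user_agent": "android"}),
    Fingerprint("IoT", "Building Automation", "Lighting Sensor",
                {"dhcp_vendor": "lightctl", "http_user_agent": "lightctl"}),
]


def run_scenario() -> dict:
    """Constructed walk-through: unknown sensor -> quarantine -> custom rule -> IoT."""
    p = Profiler(BUILTIN)
    sensor = Endpoint("02:00:5E:00:00:42", {"dhcp_vendor": "TempSense-Node v2"})
    before = p.profile(sensor)                      # nothing matches: quarantine
    p.add_custom_fingerprint(Fingerprint("IoT", "Building Automation",
                                         "Temperature Sensor", {"dhcp_vendor": "tempsense"}))
    after = p.profile(sensor)                       # now IoT: restricted policy
    phone = p.profile(Endpoint("aa:bb:cc:00:00:01", {
        "dhcp_vendor": "android-dhcp-7.0",
        "http_user_agent": "Mozilla/5.0 (Linux; Android 7.0; SM-G900F)"}))
    pi = p.profile(Endpoint("b8-27-eb-12-34-56"))   # OUI alone is enough here
    return {"before": before, "after": after, "phone": phone, "pi": pi}


if __name__ == "__main__":
    for name, prof in run_scenario().items():
        print(name, prof)
```

Note the two deliberate conservative choices: a fingerprint only matches when every one of its attributes is present (a single DHCP vendor string on its own is weak evidence for a built-in rule with two attributes), and the default for an unmatched endpoint is the quarantine policy rather than a best-effort guess, which is exactly the before/after flow the slide draws for the lighting and temperature sensors.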
ClearPass Universal Profiler: Standalone Profiling Engine
• Standalone profiling engine
• Wired and wireless networks
• Easily distributed for coverage and scalability
• New device visibility dashboard
• Reports
• Gain visibility of your network
• GA February 2017
DEMO: Profiling
ClearPass Modules / Workflows: OnGuard Client Health Check
• Automated health check before access
• Wired/Wireless: ensures posture compliance for laptops/computers
• Security: forces use of anti-virus/anti-spyware, firewalls, disk encryption, …
• Remediation: manual or automatic
• Visibility: identifies poor behavior
• User notification: tells the user about failed checks
• Type: service or dissolvable web checker
DEMO: OnGuard
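The OnGuard slide lists what a health check looks at (anti-virus and anti-spyware, host firewall, disk encryption), that remediation can be manual or automatic, and that the user is told which checks failed. The following is an added illustration written for this transcript, not OnGuard code: it evaluates a constructed posture report against a policy and returns the verdict, the failed checks to show the user, and which of them an agent could fix on its own versus which need manual action. The report fields, the three-day signature-age limit and the auto/manual split are assumptions made for the example.

```python
"""Endpoint health (posture) check before granting access.

Added illustration, not OnGuard code. A posture report collected from a
client agent (constructed sample) is evaluated against a policy:
anti-virus installed and running with fresh signatures, anti-spyware
running, host firewall on, disk encryption on. The result is a verdict,
the list of failed checks to show the user, and a remediation mode per
check (auto where an agent could push a fix, manual otherwise).
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List


@dataclass
class PostureReport:
    antivirus_installed: bool
    antivirus_running: bool
    signature_date: date
    antispyware_running: bool
    firewall_enabled: bool
    disk_encrypted: bool


@dataclass
class PosturePolicy:
    max_signature_age_days: int = 3          # assumed limit for this example
    require_disk_encryption: bool = True


@dataclass
class PostureResult:
    verdict: str                             # "healthy" or "quarantine"
    failed: List[str] = field(default_factory=list)
    remediation: Dict[str, str] = field(default_factory=dict)   # check -> "auto" / "manual"
    user_message: str = ""


# Checks an agent can typically fix by itself; the rest need the user or IT
AUTO_FIXABLE = {"antivirus_running", "antispyware_running", "firewall_enabled", "signature_age"}


def evaluate(report: PostureReport, policy: PosturePolicy, today: date) -> PostureResult:
    res = PostureResult("healthy")
    if not report.antivirus_installed:
        res.failed.append("antivirus_installed")
    elif not report.antivirus_running:
        res.failed.append("antivirus_running")
    # Signature age is only meaningful when a product is installed at all
    if report.antivirus_installed and (today - report.signature_date).days > policy.max_signature_age_days:
        res.failed.append("signature_age")
    if not report.antispyware_running:
        res.failed.append("antispyware_running")
    if not report.firewall_enabled:
        res.failed.append("firewall_enabled")
    if policy.require_disk_encryption and not report.disk_encrypted:
        res.failed.append("disk_encrypted")
    if res.failed:
        res.verdict = "quarantine"          # limited role until the checks pass
        res.remediation = {c: ("auto" if c in AUTO_FIXABLE else "manual") for c in res.failed}
        res.user_message = "Access limited until fixed: " + ", ".join(res.failed)
    return res


# Constructed sample inputs
SAMPLE_TODAY = date(2017, 2, 1)
SAMPLE_REPORT = PostureReport(True, True, date(2017, 1, 20), True, False, True)   # stale AV, firewall off
HEALTHY_REPORT = PostureReport(True, True, date(2017, 1, 31), True, True, True)
NO_AV_REPORT = PostureReport(False, False, date(2017, 1, 31), True, True, True)


def evaluate_sample() -> PostureResult:
    return evaluate(SAMPLE_REPORT, PosturePolicy(), SAMPLE_TODAY)


if __name__ == "__main__":
    r = evaluate_sample()
    print(r.verdict, r.failed, r.remediation)
    print(r.user_message)
```

The split between auto and manual remediation is what decides how much friction the user sees: a stopped firewall service can be restarted by the agent and the session re-evaluated without a helpdesk call, while a missing anti-virus product or an unencrypted disk stays in the quarantine role until someone installs or enables it.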
ClearPass Modules / Workflows: Secure Guest Login
• Flexible guest logins for any visitor
• Customizable splash pages
• Self-service workflows
• SMS authentication
• Sponsoring
• Social login
• Vouchers
• Predefined user/password
• MAC caching for repeat visitors
• Suitable for mobile devices
ClearPass Modules / Workflows: Secure Guest Login Look and Feel
ClearPass Modules / Workflows: OnBoard Employee Device
• BYOD: employees log in with personal devices
• User and IT friendly: one-time user registration, no IT intervention
• Security: IT-managed 802.1X and certificates
• Context: data added to the profile for adaptive policy and troubleshooting
• Self-managed: users can manage, delete and block their own devices
ClearPass Modules / Workflows: Certificate Distribution for BYOD
[Diagram: Enterprise PKI and CA (Certificate Authority, Validation Authority, Registration Authority, Active Directory; AD / RA / VA / CA) provides domain, user, device, key & certificate to IT-managed devices. Built-in ClearPass CA provides key & unique certificate to personal devices.]
ClearPass Modules / Workflows: Multi-Factor Authentication
• Additional authentication for Guest and Onboard workflows
• Multiple support: SMS verification code, RSA Security, Duo, Zoom Facial Network, Kasada, more to come
DEMO: OnBoard BYOD
Possible Access Concept: Wireless
[Diagram: Guests on SSID "open" with captive portal; BYOD on SSID "secure" with Dot1x; SSID "IoT" with PSK / MAC / profiling. Access zones shown: Internet only, Corp LAN, Internet; device classes: Corp-PC, others.]
Possible Access Concept: Wired
[Diagram: Guests via captive portal; Dot1x; MAC auth; profiling. Access zones shown: Internet only, Corp LAN, Internet; device classes: Corp-PC (cert), others.]
How to Approach a NAC Project: Best Practice and Lessons Learned
• Know the devices in your network
  • What is there? Where are they? Anything new?
  • Inventory, profiling
• Define use cases
  • Which stakeholder groups are there?
  • Procedures, processes, access
  • Few and simple: keep it simple
• Plan enough time for a proof of concept
  • Feed the PoC experience back in and adapt
• Implement step by step
  • Not everything at once
  • But in the end with full coverage
Thank you for your attention
Manuel Bitzi, Project Manager Network Engineering
manuelbitzisoftecch
Apéro and Networking
Thank you for your visit
SOFTEC AG, Industriestrasse 51, CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
Aruba ClearPass ndash Die Loumlsung fuumlr einen sicheren NetzwerkzugangManuel Bitzi SOFTEC AG
Evolution of Access Management and Control
Desktops amp Wired
Basic AAA with UserPort
Control
Windows Vulnerabilities
Perimeter security via
platform silos
High touch IT model
Mobile Devices BYOD amp
Wireless
Multi-factor policy control with
visibility
Multiple Attack Vectors
Cooperative trust via
context sharing
Self Service automated
process
YESTERDAY TODAY
Time For A New Mobility Defense Model
Static Perimeter Defense
IDSIPS
Firewalls
Adaptive Trust Defense
Perimeter
Defense
Physical
Components
AntiVirus
Security and Policy
for each user or
group
Web
gateways
Was sind die Hauptgruumlnde fuumlr ein NAC
AuthentifizierungZugriffsschutz
Automatische Konfiguration
Workflows
VisibilitaumltNachvollziehbarkeit
Top IT NAC Business Drivers
Authentication and Authorization
NAC Services Deployment
Architecture and Coverage
bull Provide secure wired
and wireless access
bull Enhance mobile and
cloud app access
bull Use of certificates
Deployment Services
bull Offer differentiated
access (IT-owned
BYOD IoT)
bull Deliver managed
and reliable guest
access
bull Provide consistent
privileges regardless
of location
bull Leverage 3rd-party
security solutions
bull IT-controlled access
bull Automate workflows
bull Simplicity
bull Possible User-
intervention
ClearPass Policy Manager and NAC Solution
Onboard Guest
Built-inbull Policy Enginebull RADIUSCoATACACSbull Profilingbull Accountingreportsbull Identity store
Expandable Applications
Remote Location
bull BYOD onboardingbull Simple guest accessbull Health assessments
OnGuard
What's Inside
VISIBILITY: device profiling, troubleshooting, per-session tracking
WORKFLOW: onboarding and self-registration, guest management, MDM/EMM integration
RULES: context-based, device posture checks, built-in certificate authority
Authentication based on Device Context
Device profiling: • Samsung SM-G900 • Android • "Jons-Galaxy"
EMM/MDM/OnGuard: • Personal owned • Registered • OS up-to-date • Hansen Jon [Sales] • MDM enabled = true • In-compliance = true
Identity stores: • Hansen Jon [Sales] • Title: COO • Dept: Executive office • City: London
Network devices: • Location: Bldg 10 • Floor: 3 • Bandwidth: 10 Mbps
Value of a Policy Engine: Remove SSID Overload
OLD WAY: separate access & traffic by SSIDs
NEW WAY: simplify; separate traffic dynamically by context
ClearPass Exchange: End-to-End Control, Information and Visibility
Multi-vendor infrastructure; device management and multi-factor authentication; helpdesk and voice/SMS service in the cloud; combined identity information; traffic control & threat prevention
Standard protocols for custom extensions: REST API, SQL, XML/HTTP, LDAP, RADIUS/TACACS+
ClearPass Exchange Example: Extensions for Intel Security - McAfee ePO
Infrastructure: multi-vendor switching (corporate-owned and IoT), multi-vendor WLAN (BYOD and corporate-owned)
1. Devices establish connections
2. Devices are profiled
3. ClearPass checks McAfee ePO for endpoint status
4. ClearPass enforces access privileges
ClearPass Exchange Example: Bi-directional Exchange – Firewall/IPS Event
Firewall / IPS / SIEM etc.
1. User connects and uploads a threat
2. Firewall/IPS detects and blocks the event
3. Firewall/IPS sends the event to ClearPass
4. ClearPass informs the infrastructure
5. Infrastructure isolates the user
6. ClearPass notifies the user, opens a service ticket and notifies third-party devices
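The "informs infrastructure / isolates user" step in the exchange above is normally carried out with RADIUS Change-of-Authorization or Disconnect messages (RFC 5176), the CoA listed among ClearPass's built-in functions. The following Python is an added example for this page, not code from Aruba or from the presentation: it builds a Disconnect-Request and a CoA-Request as a policy server would send them, and shows the authenticator check a switch or controller has to perform before acting on such a packet. The usernames, MAC addresses, session IDs and the shared secret are constructed samples.

```python
import hashlib
import hmac
import struct

# Packet codes, RFC 5176 section 2.3
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Attribute types (RFC 2865/2866/5176) used to identify or re-authorize a session
USER_NAME, FILTER_ID, CALLING_STATION_ID, ACCT_SESSION_ID, ERROR_CAUSE = 1, 11, 31, 44, 101


def _avp(attr_type, value):
    """One Type-Length-Value attribute; Length covers the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single AVP")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_request(secret, code, identifier, attrs):
    """Disconnect-Request or CoA-Request. RFC 5176 section 3: the Request
    Authenticator is MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(_avp(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_request(secret, packet):
    """NAS-side check before acting on a request: recompute the authenticator
    with the shared secret. Packets failing the check are silently dropped, which
    is what stops a third party on the management network from forging a
    disconnect or a role change."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_response(secret, request, code, attrs=()):
    """ACK or NAK from the NAS. Response Authenticator is
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    body = b"".join(_avp(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    authenticator = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + authenticator + body


def verify_response(secret, request, response):
    """Server-side check of the NAS reply; returns the code (41/42/44/45)
    when identifier, length and authenticator all match, otherwise None."""
    if len(response) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if identifier != request[1] or length != len(response):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return code


def parse_attrs(packet):
    """Decode the attribute list into {type: value}; rejects malformed lengths."""
    out, pos, body = {}, 0, packet[20:]
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = body[pos], body[pos + 1]
        if attr_len < 2 or pos + attr_len > len(body):
            raise ValueError("malformed attribute length")
        out[attr_type] = body[pos + 2:pos + attr_len]
        pos += attr_len
    return out


def isolate_session(secret, identifier, username, mac, acct_session_id):
    """Step 4 on the wire: tell the NAS to drop one endpoint's session.
    All three session keys are sent so the NAS can match unambiguously."""
    return build_request(secret, DISCONNECT_REQUEST, identifier, [
        (USER_NAME, username.encode()),
        (CALLING_STATION_ID, mac.encode()),
        (ACCT_SESSION_ID, acct_session_id.encode()),
    ])


def quarantine_session(secret, identifier, mac, role):
    """Softer alternative: a CoA-Request that moves the endpoint into a
    restricted role. Filter-Id is the standard attribute; many NAS vendors
    expect their own vendor-specific user-role attribute instead."""
    return build_request(secret, COA_REQUEST, identifier, [
        (CALLING_STATION_ID, mac.encode()),
        (FILTER_ID, role.encode()),
    ])


if __name__ == "__main__":
    # Constructed sample values; the shared secret is for illustration only.
    secret = b"example-shared-secret"
    req = isolate_session(secret, 7, "jon.hansen", "00-11-22-33-44-55", "A1B2C3")
    print("NAS accepts request:", verify_request(secret, req))
    ack = build_response(secret, req, DISCONNECT_ACK)
    print("server sees code:", verify_response(secret, req, ack))
```

The only thing protecting these messages is an MD5 over the shared secret, so the secret must be long, unique per NAS, and the CoA/Disconnect port (UDP 3799 by default) should only accept packets from the policy server's addresses; where the equipment supports it, carrying RADIUS over TLS or DTLS (RFC 6614, RFC 7360) removes the dependence on MD5 entirely.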
ClearPass Profiler Engine
• ClearPass collects as much information as possible to determine a device type
• Category, Family, Product Name
• The fingerprint database is updated regularly
• Create your own fingerprints
• Store credentials for SNMP, SSH etc.
• Profiling at authentication or on demand
• Detection of IoT devices
Collectors: DHCP, SNMP, SSH, TCP/WMI, CDP/LLDP, OnGuard, NMAP, MAC OUI, HTTP
ClearPass Profiler Engine: Profiling on authentication, discover IoT
Before: device unknown; send to quarantine for profiling
After: device discovered as IoT (e.g. Lighting Sensor, Temperature Sensor); assign the appropriate policy
ClearPass Profiler Engine: Custom Fingerprint Rules
OLD WAY: wait for new fingerprints to be released and/or manually override devices
NEW WAY: create your own fingerprints
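As an added illustration of the three profiler slides above (not ClearPass code, and not its fingerprint database): a small Python profiler that scores DHCP, OUI, HTTP and port evidence against a built-in and a custom fingerprint list, keeps a device Unknown when the evidence is too weak, lets the operator's own fingerprint win ties, and flags the case where the OUI disagrees with the behavioural evidence. The fingerprint values, OUIs and category names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Fingerprint:
    category: str
    family: str
    name: str
    oui: frozenset = frozenset()         # MAC prefixes "AA:BB:CC" (upper-case)
    dhcp_prl: tuple = ()                 # DHCP option 55 parameter request list, in order
    dhcp_vendor: str = ""                # substring of DHCP option 60 (vendor class)
    user_agent: str = ""                 # substring of an HTTP User-Agent seen from the device
    open_ports: frozenset = frozenset()  # ports that must all be open (from an NMAP scan)
    custom: bool = False                 # operator-defined rule, wins ties against built-ins


# Constructed sample database; OUIs and values are illustrative, not real vendor data.
BUILTIN_DB = [
    Fingerprint("Computer", "Windows", "Windows 10",
                dhcp_prl=(1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252),
                dhcp_vendor="MSFT 5.0", user_agent="Windows NT 10.0"),
    Fingerprint("SmartDevice", "Android", "Samsung Galaxy",
                oui=frozenset({"AA:BB:DD"}), dhcp_prl=(1, 3, 6, 15, 26, 28, 51, 58, 59, 43),
                user_agent="Android"),
    Fingerprint("Printer", "HP", "HP LaserJet",
                dhcp_vendor="JetDirect", open_ports=frozenset({9100, 631})),
]
CUSTOM_DB = [
    Fingerprint("IoT", "Building Automation", "Temperature Sensor",
                oui=frozenset({"AA:BB:CC"}), dhcp_vendor="sensor-fw",
                open_ports=frozenset({502}), custom=True),
]

MIN_SCORE = 3   # below this the evidence is too weak to trust; keep the device Unknown


@dataclass
class Classification:
    category: str
    family: str
    name: str
    score: int
    conflict: bool = False   # OUI says one family, stronger evidence says another


def _score(fp, ev):
    """Weighted match of one fingerprint against the collected evidence.
    Behavioural evidence (DHCP, HTTP, ports) weighs more than the OUI,
    because a MAC address is the cheapest thing for an attacker to spoof."""
    score, hits = 0, []
    if fp.oui and ev.get("mac", "")[:8].upper() in fp.oui:
        score, hits = score + 1, hits + ["oui"]
    if fp.dhcp_prl and tuple(ev.get("dhcp_prl", ())) == fp.dhcp_prl:
        score, hits = score + 4, hits + ["dhcp_prl"]
    if fp.dhcp_vendor and fp.dhcp_vendor in ev.get("dhcp_vendor", ""):
        score, hits = score + 3, hits + ["dhcp_vendor"]
    if fp.user_agent and fp.user_agent in ev.get("user_agent", ""):
        score, hits = score + 2, hits + ["user_agent"]
    if fp.open_ports and fp.open_ports <= set(ev.get("open_ports", ())):
        score, hits = score + 2, hits + ["ports"]
    return score, hits


def profile(evidence, builtin=BUILTIN_DB, custom=CUSTOM_DB):
    """Return the best Category/Family/Name for an evidence dict.
    Custom fingerprints are evaluated first, so a tie goes to the operator's rule."""
    scored = []
    for fp in list(custom) + list(builtin):
        s, hits = _score(fp, evidence)
        if s:
            scored.append((s, fp, hits))
    scored.sort(key=lambda item: -item[0])   # stable sort: custom stays ahead on ties
    if not scored or scored[0][0] < MIN_SCORE:
        return Classification("Unknown", "Unknown", "Unknown", scored[0][0] if scored else 0)
    best_score, best, _ = scored[0]
    oui_families = {fp.family for _, fp, hits in scored if "oui" in hits}
    conflict = bool(oui_families) and best.family not in oui_families
    return Classification(best.category, best.family, best.name, best_score, conflict)


def enforcement_for(c):
    """Map the classification onto the quarantine / re-profile / assign flow."""
    if c.conflict:
        return "quarantine-investigate"    # possible MAC spoof: do not trust the OUI
    if c.category == "Unknown":
        return "quarantine-profiling"      # limited access until profiling completes
    return {"IoT": "iot-only", "Printer": "printer", "Computer": "corp-8021x",
            "SmartDevice": "byod"}.get(c.category, "quarantine-profiling")


if __name__ == "__main__":
    sensor = {"mac": "aa:bb:cc:01:02:03", "dhcp_vendor": "sensor-fw-1.2", "open_ports": [502]}
    print(profile(sensor), enforcement_for(profile(sensor)))
```

The conflict flag is the practitioner's caveat for MAC-authentication plus profiling: a laptop that clones a sensor's MAC address to land in the IoT VLAN still sends a Windows DHCP request and User-Agent, and the profiler should treat that disagreement as a reason to quarantine, not as a reason to pick the higher score silently.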
ClearPass Universal Profiler: Standalone Profiling Engine
• Standalone profiling engine
• Wired and wireless networks
• Easily distributed for coverage and scalability
• New device visibility dashboard
• Reports
• Gain visibility of your network
• GA February 2017
DEMO: Profiling
ClearPass Modules / Workflows: OnGuard Client Health Check
• Automated health check before access
• Wired/Wireless: ensures posture compliance for laptops/computers
• Security: forces use of anti-virus/anti-spyware, firewalls, disk encryption ...
• Remediation: manual or automatic
• Visibility: identifies poor behavior
• User notification: tells the user about failed checks
• Type: service or dissolvable web checker
DEMO: OnGuard
ClearPass Modules / Workflows: Secure Guest Login
• Flexible guest logins for any visitor
• Customizable splash pages
• Self-service workflows
• SMS authentication
• Sponsoring
• Social login
• Vouchers
• Predefined user/password
• MAC caching for repeat visitors
• Suitable for mobile devices
ClearPass Modules / Workflows: Secure Guest Login, Look and Feel
ClearPass Modules / Workflows: OnBoard Employee Device
• BYOD: employees log in with personal devices
• User- and IT-friendly: one-time user registration, no IT intervention
• Security: IT-managed 802.1X and certificates
• Context data added to the profile for adaptive policy and troubleshooting
• Self-managed: users can manage, delete and block their devices on their own
ClearPass Modules / Workflows: Certificate Distribution for BYOD
IT-managed devices: enterprise PKI and CA (Active Directory, Certificate Authority, Registration Authority, Validation Authority; AD/RA/VA CA) issues the domain-joined device its key & certificate
Personal devices: the built-in ClearPass CA binds domain, user and device and issues a key & unique certificate per device
ClearPass Modules / Workflows: Multi-Factor Authentication
• Additional authentication for Guest and Onboard workflows
• Multiple providers supported: SMS verification code, RSA Security, Duo, Zoom Facial Network, Kasada, more to come
DEMO: OnBoard BYOD
Possible Access Concept: Wireless
• Guests: SSID "open", captive portal → Internet only
• BYOD and employees: SSID "secure", 802.1X → Corp-PC: Corp LAN; others: Internet
• IoT: SSID "IoT", PSK / MAC / profiling
Possible Access Concept: Wired
• Guests: captive portal → Internet only
• 802.1X (certificate) → Corp-PC: Corp LAN; others: Internet
• MAC auth + profiling
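The context slide (device profile, EMM/MDM/OnGuard posture, identity store) and the two access-concept slides describe a single policy decision: every session gets a role and VLAN computed from its context, so one "secure" SSID and one colorless wired port replace an SSID or VLAN per user group. The following is an added example, not part of the presentation and not ClearPass's own policy model: an ordered rule table in Python that turns a session context into an enforcement, fails closed when no rule matches, and ignores directory group membership on personal devices. CA names, VLAN numbers, role names and the sample sessions are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Context:
    """Everything the policy server knows about one session at authorization time."""
    medium: str                        # "wireless" or "wired"
    auth_method: str                   # "eap-tls", "peap-mschapv2", "mac-auth", "psk", "captive-portal"
    ssid: str = ""                     # wireless only; "" on a wired port
    device_category: str = "Unknown"   # profiler result
    device_owner: str = "unknown"      # "corporate", "personal" or "unknown"
    cert_issuer: str = ""              # issuer of the client certificate (EAP-TLS only)
    mdm_enrolled: bool = False         # EMM/MDM says the device is registered
    in_compliance: Optional[bool] = None   # OnGuard/MDM posture; None = no agent result
    groups: tuple = ()                 # identity-store groups of the user


@dataclass(frozen=True)
class Enforcement:
    role: str
    vlan: str
    reason: str


# Assumed issuer names; in a real deployment these are the DNs of the
# enterprise issuing CA and of the Onboard CA.
CORP_CA = "CN=Corp Issuing CA"
ONBOARD_CA = "CN=ClearPass Onboard CA"
IOT_CATEGORIES = {"IoT", "Printer"}


def _corp_cert(c):
    return c.auth_method == "eap-tls" and c.cert_issuer == CORP_CA


def _onboard_cert(c):
    return c.auth_method == "eap-tls" and c.cert_issuer == ONBOARD_CA


# Ordered rules, first match wins, default deny. The same table serves the
# "secure" SSID and the colorless wired port, so there is no SSID per group.
RULES = [
    ("corp-noncompliant", lambda c: _corp_cert(c) and c.in_compliance is False,
     Enforcement("remediation", "VLAN 99 (quarantine)", "OnGuard posture check failed")),
    ("corp-device", lambda c: _corp_cert(c) and c.device_owner == "corporate"
     and c.in_compliance is True,
     Enforcement("corp-device", "VLAN 10 (Corp LAN)", "corporate certificate, compliant posture")),
    ("byod-onboarded", lambda c: _onboard_cert(c) and c.mdm_enrolled,
     Enforcement("byod", "VLAN 20 (Internet)", "Onboard certificate on a registered personal device")),
    ("byod-password", lambda c: c.auth_method == "peap-mschapv2",
     Enforcement("byod", "VLAN 20 (Internet)", "user credentials only, no device identity")),
    ("iot-profiled", lambda c: c.auth_method in ("mac-auth", "psk")
     and c.device_category in IOT_CATEGORIES,
     Enforcement("iot", "VLAN 30 (IoT)", "MAC/PSK plus profiler classification")),
    ("iot-unknown", lambda c: c.auth_method in ("mac-auth", "psk"),
     Enforcement("quarantine-profiling", "VLAN 99 (quarantine)", "device not yet classified")),
    ("guest", lambda c: c.auth_method == "captive-portal"
     and (c.medium == "wired" or c.ssid == "open"),
     Enforcement("guest", "VLAN 40 (Internet only)", "captive-portal guest")),
]
DEFAULT = Enforcement("deny", "none", "no rule matched (fail closed)")


def authorize(c):
    """Evaluate the rule table; returns the Enforcement to send back to the NAS."""
    for _, predicate, enforcement in RULES:
        if predicate(c):
            return enforcement
    return DEFAULT


def sample_contexts():
    """Constructed sessions covering the cases of the two access-concept slides."""
    corp = dict(medium="wireless", auth_method="eap-tls", ssid="secure",
                device_category="Computer", device_owner="corporate", cert_issuer=CORP_CA)
    return {
        "corp-ok":       Context(**corp, in_compliance=True),
        "corp-failed":   Context(**corp, in_compliance=False),
        "corp-no-agent": Context(**corp),                       # posture unknown: no agent
        "corp-other-ca": Context(**{**corp, "cert_issuer": "CN=Some Other CA"}, in_compliance=True),
        "byod-admin":    Context("wireless", "eap-tls", ssid="secure", device_category="SmartDevice",
                                 device_owner="personal", cert_issuer=ONBOARD_CA,
                                 mdm_enrolled=True, groups=("NetAdmins",)),
        "sensor-wired":  Context("wired", "mac-auth", device_category="IoT"),
        "unknown-wired": Context("wired", "mac-auth"),
        "guest-open":    Context("wireless", "captive-portal", ssid="open"),
    }


if __name__ == "__main__":
    for name, ctx in sample_contexts().items():
        e = authorize(ctx)
        print(f"{name:14} -> {e.role:20} {e.vlan:22} ({e.reason})")
```

Two decisions in the table are deliberate: a corporate certificate without a posture result falls through to deny rather than to the Corp LAN, so a certificate copied off a managed laptop does not by itself open the internal network, and a network administrator's personal phone still lands on the Internet-only role because group membership only matters on a device IT controls.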
How to approach a NAC project: Best practice and lessons learned
• Know the devices on the network: what is there, where is it, what is new; inventory, profiling
• Define use cases: which stakeholder groups exist; procedures, processes, access rights; simple and few, keep it simple
• Plan enough time for a proof of concept; feed the PoC experience back in and adjust
• Implement step by step: not everything at once, but ultimately network-wide
Thank you for your attention
Manuel Bitzi, Project Manager Network Engineering
manuelbitzisoftecch
Apéro and networking
Thank you for your visit
SOFTEC AG, Industriestrasse 51, CH-6312 Steinhausen
kurtchristensoftecch, +41 41 747 07 60
THE PERFECT STORM: MOBILE, IoT AND CLOUD
"OLD STYLE" IT INFRASTRUCTURE: Gen Y
"NEW STYLE" IT INFRASTRUCTURE: GenMobile
OUR APPROACH
Legacy: separate architectures; port/VLAN aware; proprietary systems
Mobile First: single set of infrastructure; insightful, context-rich; developer ready
REQUIREMENTS FOR IT ORGANIZATIONS
• Scale network ops across wireless and wired infrastructure
• Enable a high-quality experience on mobile UC
• Stay compliant while embracing BYOD and IoT
• Deliver apps to remote locations in a heartbeat
• Improve workplace productivity and influence revenue growth
EASY TO CONSUME, DEVELOPER READY INFRASTRUCTURE
INNOVATION AT THE SPEED OF THE ECOSYSTEM – NOT A SINGLE VENDOR
Aruba infrastructure: Wi-Fi, BLE, Wired, WAN
Aruba Mobile First Platform: micro-location services, cloud networking, location analytics, policy management, network management, network controls, IT services
Business and user facing applications
EMPLOYEE EXPERIENCE: 09:00 enroll mobile device; 11:00 privileged access with multi-factor authentication; 13:00 book meeting room
OPERATIONAL EXPERIENCE: 09:30 understand app usage (Aruba AppRF); 15:30 monitor health of the smart building
IT EXPERIENCE: 11:00 predict, don't just troubleshoot (Aruba Clarity); 13:30 understand, don't just monitor
ONCE BYOD AND IoT ARE ON YOUR NETWORK ... SECURING THE PERIMETER IS NO LONGER ENOUGH
STAY COMPLIANT WHILE EMBRACING BYOD AND IoT
• Auto-classify unknown devices on any network with Aruba ClearPass
• Automate onboarding of each device to the network and enforce policy
• Detect & eliminate threats with ClearPass Exchange partners
SOFTWARE CONTROLS FOR NETWORK ACCESS SECURITY
Aruba ClearPass with Exchange Ecosystem: Internet of Things (IoT); BYOD and corporate owned; REST API; security monitoring and threat prevention; device management and multi-factor authentication; helpdesk and voice/SMS service in the cloud; multi-vendor switching; multi-vendor WLANs
SOFTWARE CONTROLS FOR ldquoCOLORLESSrdquo PORTS
Device and
user identity
stores
Ports assigned to new
VLANs through ClearPass
based on device type
IoT devices on the
wired network
connecting to any portPrevention against malware
and insider threats
Secure per device
tunneling to Aruba
Mobility Controller
Aruba
switches
LEADING
SWISS
BRANDS
TRUST
US
Pause
Aruba ClearPass ndash Die Loumlsung fuumlr einen sicheren NetzwerkzugangManuel Bitzi SOFTEC AG
Evolution of Access Management and Control
Desktops amp Wired
Basic AAA with UserPort
Control
Windows Vulnerabilities
Perimeter security via
platform silos
High touch IT model
Mobile Devices BYOD amp
Wireless
Multi-factor policy control with
visibility
Multiple Attack Vectors
Cooperative trust via
context sharing
Self Service automated
process
YESTERDAY TODAY
Time For A New Mobility Defense Model
Static Perimeter Defense
IDSIPS
Firewalls
Adaptive Trust Defense
Perimeter
Defense
Physical
Components
AntiVirus
Security and Policy
for each user or
group
Web
gateways
Was sind die Hauptgruumlnde fuumlr ein NAC
AuthentifizierungZugriffsschutz
Automatische Konfiguration
Workflows
VisibilitaumltNachvollziehbarkeit
Top IT NAC Business Drivers
Authentication and Authorization
NAC Services Deployment
Architecture and Coverage
bull Provide secure wired
and wireless access
bull Enhance mobile and
cloud app access
bull Use of certificates
Deployment Services
bull Offer differentiated
access (IT-owned
BYOD IoT)
bull Deliver managed
and reliable guest
access
bull Provide consistent
privileges regardless
of location
bull Leverage 3rd-party
security solutions
bull IT-controlled access
bull Automate workflows
bull Simplicity
bull Possible User-
intervention
ClearPass Policy Manager and NAC Solution
Onboard Guest
Built-inbull Policy Enginebull RADIUSCoATACACSbull Profilingbull Accountingreportsbull Identity store
Expandable Applications
Remote Location
bull BYOD onboardingbull Simple guest accessbull Health assessments
OnGuard
Whatrsquos Inside
VISIBILITY
Device Profiling
Troubleshooting
Per Session Tracking
WORKFLOW
Onboarding and
Self-Registration
Guest Management
MDMEMM Integration
RULES
Context based
Device
Posture Checks
Built-in Certificate
Authority
Authentication based on Device Context
Device
Profiling
bull Samsung SM-G900
bull Android
bull ldquoJons-Galaxyrdquo
EMMMDMOnGuard
bull Personal owned
bull Registered
bull OS up-to-date
bull Hansen Jon [Sales]
bull MDM enabled = true
bull In-compliance = true
Identity
Stores
Network Devices
bull Hansen Jon [Sales]
bull Title ndash COO
bull Dept ndash Executive office
bull City ndash London
bull Location ndash Bldg 10
bull Floor ndash 3
bull Bandwidth ndash 10Mbps
Value of a Policy EngineRemove SSID Overload
NEW WAY Simplify separate traffic dynamically
by context
OLD WAY Separate access amp
traffic by SSIDs
ClearPass ExchangeEnd-to-End Control Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voiceSMSservice in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST APISQL
XMLHTTP LDAP
RADIUSTACACS
Traffic control ampthreat prevention
ClearPass Exchange ExampleExtensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
Devices profiled2 ClearPass checks McAfee ePO for endpoint status
3
ClearPass enforcesaccess privileges4
Devices establish connections1
ClearPass Exchange ExampleBi-directional Exchange ndash FirewallIPS Event
FirewallIPSSIEMetchellip
user connects and uploads threat
sends event to ClearPass
informs infrastructure
1 2
4
detects and blocks event
3isolates user5
notifies user opens service ticket notify third-party devices6
ClearPass Profiler Engine
bull ClearPass sammelt so viele Informationen wie moumlglich um einen Geraumltetyp zu bestimmen
bull Category Family Product Name
bull Fingerprint-Datenbank wird regelmaumlssig aktualisiert
bull Eigene Fingerprints erstellen
bull Credentials fuumlr SMNP SSH etc hinterlegen
bull Profiling bei Authentifizierung oder nach Bedarf
bull Erkennen von IoT Devices
DHCP
SNMP
SSH
TCPWMI
CDP LLDP
OnGuard
NMAP
Mac OUI
HTTP
ClearPass Profiler EngineProfiling on authentication discover IoT
AfterBefore
Lighting Sensorunknown
unknown Temperature Sensor
send to
quarantineprofiling assign
new policy
discover IoT assign appropriated policy
ClearPass Profiler EngineCustom Fingerprints Rules
NEW WAY Create your own
Fingerprints
OLD WAY Wait for new Fingerprints to be made andor manually override
devices 11
ClearPass Universal ProfilerStandalone Profiling Engine
bull Standalone profiling engine
bull Wired and wireless networks
bull Easily distributed for coverage
and scalability
bull New device visibility dashboard
bull Reports
bull Gain Visibility of your Network
bull GA February 2017
ClearPass Universal Profiler
DEMO Profiling
Clearpass Modules WorkflowsOnGuard Client Health Check
bull Automated Healthcheck before Access
bull WiredWireless Ensures posture compliance for laptopscomputers
bull Security Forces use of Anti-VirusAnti-Spyware firewalls disk encryptionhellip
bull Remediation Manual or auto
bull Visibility Identifies poor behavior
bull User Notification Tells User about failed checks
bull Type Service or dissolvable Web Checker
DEMO OnGuard
Clearpass Modules WorkflowsSecure Guest Login
bull Flexible Guest Logins for Any Visitor
bull Customizable Splash Pages
bull Self-Service Workflows
bull SMS Authentication
bull Sponsoring
bull Social Login
bull Vouchers
bull Predefined UserPassword
bull MAC Caching for repeat visitors
bull Suitable for Mobile Devices
Clearpass Modules WorkflowsSecure Guest Login Look and Feel
Clearpass Modules WorkflowsOnBoard Employee Device
bull BYOD Employees Login with Personal Devices
bull User and IT friendly One time user registration no IT intervention
bull Security IT managed 8021X and Certificates
bull Context Data added to profile for adaptive policy and troubleshooting
bull Selfmanaged User can manage delete and block devices by their own
Clearpass Modules WorkflowsCertificate Distribution for BYOD
bull Domain
bull Key amp
Certificate
Enterprise PKI and CA Built-in ClearPass CA
Certificate
Authority
Validation
Authority
Registration
Authority
Active
Directory
IT-Managed
Devices
bull Domain
bull User
bull Device
bull Key amp Unique
Certificate
Personal
Devices
CA
Certificate
Authority
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
ldquoOLD STYLErdquo IT INFRASTRUCTURE
Gen Y
ldquoNEW STYLErdquo IT INFRASTRUCTURE
GenMobile
OUR APPROACH
LegacySeparate architectures
Port VLAN aware
Proprietary systems
Mobile FirstSingle set of infrastructure
Insightful context-rich
Developer ready
REQUIREMENTS
FOR IT ORGANIZATIONS
Scale network ops
across wireless and
wired infrastructure
Enable high
quality experience
on mobile UC
Stay compliant
while embracing
BYOD and IoT
Deliver apps to
remote locations
in a heartbeat
Improve workplace
productivity and
influence revenue
growth
EASY TO CONSUME DEVELOPER READY INFRASTRUCTURE
INNOVATION AT THE SPEED OF THE ECOSYSTEM ndash NOT A SINGLE VENDOR
Aruba infrastructure
Wi-Fi BLE Wired WAN
Aruba Mobile First Platform
x
Micro-location
services
Cloud
networking
Location
analytics
Policy
management
Network
managementNetwork
controls
IT services
Business and user facing applications
EMPLOYEE
EXPERIENCE
0900
ENROLL
MOBILE DEVICE
1100
PRIVILEGED ACCESS
WITH MULTI-FACTOR
AUTHENTICATION
1300
BOOK
MEETING ROOM
OPERATIONAL
EXPERIENCE
0930
UNDERSTAND
APP USAGE
Aruba AppRF
1530
MONITOR HEALTH
OF THE SMART
BUILDING
IT EXPERIENCE
1100
PREDICT
DONrsquoT JUST
TROUBLESHOOT
Aruba Clarity
1330
UNDERSTAND
DONrsquoT JUST
MONITOR
ONCE BYOD AND IoT
ARE ON YOUR
NETWORK hellip
SECURING THE
PERIMETER IS NO
LONGER ENOUGH
STAY COMPLIANT
WHILE EMBRACING BYOD AND IOT
Auto-classify unknown devices
on any network with Aruba ClearPass
Automate onboarding of each device
to the network and enforce policy
Detect amp eliminate threats
with ClearPass Exchange partners
SOFTWARE CONTROLS FOR
NETWORK ACCESS SECURITY
Internet of
Things (IoT)
BYOD and
corporate owned
REST
API
Security monitoring
and threat prevention
Device management and
multi-factor authentication
Helpdesk and voiceSMS
service in the cloud
Multi-vendor
switching
Multi-vendor
WLANs
Aruba ClearPass with
Exchange Ecosystem
SOFTWARE CONTROLS FOR ldquoCOLORLESSrdquo PORTS
Device and
user identity
stores
Ports assigned to new
VLANs through ClearPass
based on device type
IoT devices on the
wired network
connecting to any portPrevention against malware
and insider threats
Secure per device
tunneling to Aruba
Mobility Controller
Aruba
switches
LEADING
SWISS
BRANDS
TRUST
US
Pause
Aruba ClearPass ndash Die Loumlsung fuumlr einen sicheren NetzwerkzugangManuel Bitzi SOFTEC AG
Evolution of Access Management and Control
Desktops amp Wired
Basic AAA with UserPort
Control
Windows Vulnerabilities
Perimeter security via
platform silos
High touch IT model
Mobile Devices BYOD amp
Wireless
Multi-factor policy control with
visibility
Multiple Attack Vectors
Cooperative trust via
context sharing
Self Service automated
process
YESTERDAY TODAY
Time For A New Mobility Defense Model
Static Perimeter Defense
IDSIPS
Firewalls
Adaptive Trust Defense
Perimeter
Defense
Physical
Components
AntiVirus
Security and Policy
for each user or
group
Web
gateways
Was sind die Hauptgruumlnde fuumlr ein NAC
AuthentifizierungZugriffsschutz
Automatische Konfiguration
Workflows
VisibilitaumltNachvollziehbarkeit
Top IT NAC Business Drivers
Authentication and Authorization
NAC Services Deployment
Architecture and Coverage
bull Provide secure wired
and wireless access
bull Enhance mobile and
cloud app access
bull Use of certificates
Deployment Services
bull Offer differentiated
access (IT-owned
BYOD IoT)
bull Deliver managed
and reliable guest
access
bull Provide consistent
privileges regardless
of location
bull Leverage 3rd-party
security solutions
bull IT-controlled access
bull Automate workflows
bull Simplicity
bull Possible User-
intervention
ClearPass Policy Manager and NAC Solution
Onboard Guest
Built-inbull Policy Enginebull RADIUSCoATACACSbull Profilingbull Accountingreportsbull Identity store
Expandable Applications
Remote Location
bull BYOD onboardingbull Simple guest accessbull Health assessments
OnGuard
Whatrsquos Inside
VISIBILITY
Device Profiling
Troubleshooting
Per Session Tracking
WORKFLOW
Onboarding and
Self-Registration
Guest Management
MDMEMM Integration
RULES
Context based
Device
Posture Checks
Built-in Certificate
Authority
Authentication based on Device Context
Device
Profiling
bull Samsung SM-G900
bull Android
bull ldquoJons-Galaxyrdquo
EMMMDMOnGuard
bull Personal owned
bull Registered
bull OS up-to-date
bull Hansen Jon [Sales]
bull MDM enabled = true
bull In-compliance = true
Identity
Stores
Network Devices
bull Hansen Jon [Sales]
bull Title ndash COO
bull Dept ndash Executive office
bull City ndash London
bull Location ndash Bldg 10
bull Floor ndash 3
bull Bandwidth ndash 10Mbps
Value of a Policy EngineRemove SSID Overload
NEW WAY Simplify separate traffic dynamically
by context
OLD WAY Separate access amp
traffic by SSIDs
ClearPass ExchangeEnd-to-End Control Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voiceSMSservice in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST APISQL
XMLHTTP LDAP
RADIUSTACACS
Traffic control ampthreat prevention
ClearPass Exchange ExampleExtensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
Devices profiled2 ClearPass checks McAfee ePO for endpoint status
3
ClearPass enforcesaccess privileges4
Devices establish connections1
ClearPass Exchange ExampleBi-directional Exchange ndash FirewallIPS Event
FirewallIPSSIEMetchellip
user connects and uploads threat
sends event to ClearPass
informs infrastructure
1 2
4
detects and blocks event
3isolates user5
notifies user opens service ticket notify third-party devices6
ClearPass Profiler Engine
bull ClearPass sammelt so viele Informationen wie moumlglich um einen Geraumltetyp zu bestimmen
bull Category Family Product Name
bull Fingerprint-Datenbank wird regelmaumlssig aktualisiert
bull Eigene Fingerprints erstellen
bull Credentials fuumlr SMNP SSH etc hinterlegen
bull Profiling bei Authentifizierung oder nach Bedarf
bull Erkennen von IoT Devices
DHCP
SNMP
SSH
TCPWMI
CDP LLDP
OnGuard
NMAP
Mac OUI
HTTP
ClearPass Profiler EngineProfiling on authentication discover IoT
AfterBefore
Lighting Sensorunknown
unknown Temperature Sensor
send to
quarantineprofiling assign
new policy
discover IoT assign appropriated policy
ClearPass Profiler EngineCustom Fingerprints Rules
NEW WAY Create your own
Fingerprints
OLD WAY Wait for new Fingerprints to be made andor manually override
devices 11
ClearPass Universal ProfilerStandalone Profiling Engine
bull Standalone profiling engine
bull Wired and wireless networks
bull Easily distributed for coverage
and scalability
bull New device visibility dashboard
bull Reports
bull Gain Visibility of your Network
bull GA February 2017
ClearPass Universal Profiler
DEMO Profiling
Clearpass Modules WorkflowsOnGuard Client Health Check
bull Automated Healthcheck before Access
bull WiredWireless Ensures posture compliance for laptopscomputers
bull Security Forces use of Anti-VirusAnti-Spyware firewalls disk encryptionhellip
bull Remediation Manual or auto
bull Visibility Identifies poor behavior
bull User Notification Tells User about failed checks
bull Type Service or dissolvable Web Checker
DEMO OnGuard
Clearpass Modules WorkflowsSecure Guest Login
bull Flexible Guest Logins for Any Visitor
bull Customizable Splash Pages
bull Self-Service Workflows
bull SMS Authentication
bull Sponsoring
bull Social Login
bull Vouchers
bull Predefined UserPassword
bull MAC Caching for repeat visitors
bull Suitable for Mobile Devices
Clearpass Modules WorkflowsSecure Guest Login Look and Feel
Clearpass Modules WorkflowsOnBoard Employee Device
bull BYOD Employees Login with Personal Devices
bull User and IT friendly One time user registration no IT intervention
bull Security IT managed 8021X and Certificates
bull Context Data added to profile for adaptive policy and troubleshooting
bull Selfmanaged User can manage delete and block devices by their own
Clearpass Modules WorkflowsCertificate Distribution for BYOD
bull Domain
bull Key amp
Certificate
Enterprise PKI and CA Built-in ClearPass CA
Certificate
Authority
Validation
Authority
Registration
Authority
Active
Directory
IT-Managed
Devices
bull Domain
bull User
bull Device
bull Key amp Unique
Certificate
Personal
Devices
CA
Certificate
Authority
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
ldquoNEW STYLErdquo IT INFRASTRUCTURE
GenMobile
OUR APPROACH
LegacySeparate architectures
Port VLAN aware
Proprietary systems
Mobile FirstSingle set of infrastructure
Insightful context-rich
Developer ready
REQUIREMENTS
FOR IT ORGANIZATIONS
Scale network ops
across wireless and
wired infrastructure
Enable high
quality experience
on mobile UC
Stay compliant
while embracing
BYOD and IoT
Deliver apps to
remote locations
in a heartbeat
Improve workplace
productivity and
influence revenue
growth
EASY TO CONSUME DEVELOPER READY INFRASTRUCTURE
INNOVATION AT THE SPEED OF THE ECOSYSTEM ndash NOT A SINGLE VENDOR
Aruba infrastructure
Wi-Fi BLE Wired WAN
Aruba Mobile First Platform
x
Micro-location
services
Cloud
networking
Location
analytics
Policy
management
Network
managementNetwork
controls
IT services
Business and user facing applications
EMPLOYEE
EXPERIENCE
0900
ENROLL
MOBILE DEVICE
1100
PRIVILEGED ACCESS
WITH MULTI-FACTOR
AUTHENTICATION
1300
BOOK
MEETING ROOM
OPERATIONAL
EXPERIENCE
0930
UNDERSTAND
APP USAGE
Aruba AppRF
1530
MONITOR HEALTH
OF THE SMART
BUILDING
IT EXPERIENCE
1100
PREDICT
DONrsquoT JUST
TROUBLESHOOT
Aruba Clarity
1330
UNDERSTAND
DONrsquoT JUST
MONITOR
ONCE BYOD AND IoT
ARE ON YOUR
NETWORK hellip
SECURING THE
PERIMETER IS NO
LONGER ENOUGH
STAY COMPLIANT
WHILE EMBRACING BYOD AND IOT
Auto-classify unknown devices
on any network with Aruba ClearPass
Automate onboarding of each device
to the network and enforce policy
Detect amp eliminate threats
with ClearPass Exchange partners
SOFTWARE CONTROLS FOR
NETWORK ACCESS SECURITY
Internet of
Things (IoT)
BYOD and
corporate owned
REST
API
Security monitoring
and threat prevention
Device management and
multi-factor authentication
Helpdesk and voiceSMS
service in the cloud
Multi-vendor
switching
Multi-vendor
WLANs
Aruba ClearPass with
Exchange Ecosystem
SOFTWARE CONTROLS FOR ldquoCOLORLESSrdquo PORTS
Device and
user identity
stores
Ports assigned to new
VLANs through ClearPass
based on device type
IoT devices on the
wired network
connecting to any portPrevention against malware
and insider threats
Secure per device
tunneling to Aruba
Mobility Controller
Aruba
switches
LEADING
SWISS
BRANDS
TRUST
US
Pause
Aruba ClearPass ndash Die Loumlsung fuumlr einen sicheren NetzwerkzugangManuel Bitzi SOFTEC AG
Evolution of Access Management and Control
Desktops amp Wired
Basic AAA with UserPort
Control
Windows Vulnerabilities
Perimeter security via
platform silos
High touch IT model
Mobile Devices BYOD amp
Wireless
Multi-factor policy control with
visibility
Multiple Attack Vectors
Cooperative trust via
context sharing
Self Service automated
process
YESTERDAY TODAY
Time For A New Mobility Defense Model
Static Perimeter Defense
IDSIPS
Firewalls
Adaptive Trust Defense
Perimeter
Defense
Physical
Components
AntiVirus
Security and Policy
for each user or
group
Web
gateways
Was sind die Hauptgruumlnde fuumlr ein NAC
AuthentifizierungZugriffsschutz
Automatische Konfiguration
Workflows
VisibilitaumltNachvollziehbarkeit
Top IT NAC Business Drivers
Authentication and Authorization
NAC Services Deployment
Architecture and Coverage
bull Provide secure wired
and wireless access
bull Enhance mobile and
cloud app access
bull Use of certificates
Deployment Services
bull Offer differentiated
access (IT-owned
BYOD IoT)
bull Deliver managed
and reliable guest
access
bull Provide consistent
privileges regardless
of location
bull Leverage 3rd-party
security solutions
bull IT-controlled access
bull Automate workflows
bull Simplicity
bull Possible User-
intervention
ClearPass Policy Manager and NAC Solution
Onboard Guest
Built-inbull Policy Enginebull RADIUSCoATACACSbull Profilingbull Accountingreportsbull Identity store
Expandable Applications
Remote Location
bull BYOD onboardingbull Simple guest accessbull Health assessments
OnGuard
Whatrsquos Inside
VISIBILITY
Device Profiling
Troubleshooting
Per Session Tracking
WORKFLOW
Onboarding and
Self-Registration
Guest Management
MDMEMM Integration
RULES
Context based
Device
Posture Checks
Built-in Certificate
Authority
Authentication based on Device Context
Device
Profiling
bull Samsung SM-G900
bull Android
bull ldquoJons-Galaxyrdquo
EMMMDMOnGuard
bull Personal owned
bull Registered
bull OS up-to-date
bull Hansen Jon [Sales]
bull MDM enabled = true
bull In-compliance = true
Identity
Stores
Network Devices
bull Hansen Jon [Sales]
bull Title ndash COO
bull Dept ndash Executive office
bull City ndash London
bull Location ndash Bldg 10
bull Floor ndash 3
bull Bandwidth ndash 10Mbps
Value of a Policy EngineRemove SSID Overload
NEW WAY Simplify separate traffic dynamically
by context
OLD WAY Separate access amp
traffic by SSIDs
ClearPass ExchangeEnd-to-End Control Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voiceSMSservice in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST APISQL
XMLHTTP LDAP
RADIUSTACACS
Traffic control ampthreat prevention
ClearPass Exchange ExampleExtensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
Devices profiled2 ClearPass checks McAfee ePO for endpoint status
3
ClearPass enforcesaccess privileges4
Devices establish connections1
ClearPass Exchange ExampleBi-directional Exchange ndash FirewallIPS Event
FirewallIPSSIEMetchellip
user connects and uploads threat
sends event to ClearPass
informs infrastructure
1 2
4
detects and blocks event
3isolates user5
notifies user opens service ticket notify third-party devices6
ClearPass Profiler Engine
bull ClearPass sammelt so viele Informationen wie moumlglich um einen Geraumltetyp zu bestimmen
bull Category Family Product Name
bull Fingerprint-Datenbank wird regelmaumlssig aktualisiert
bull Eigene Fingerprints erstellen
bull Credentials fuumlr SMNP SSH etc hinterlegen
bull Profiling bei Authentifizierung oder nach Bedarf
bull Erkennen von IoT Devices
DHCP
SNMP
SSH
TCPWMI
CDP LLDP
OnGuard
NMAP
Mac OUI
HTTP
ClearPass Profiler EngineProfiling on authentication discover IoT
AfterBefore
Lighting Sensorunknown
unknown Temperature Sensor
send to
quarantineprofiling assign
new policy
discover IoT assign appropriated policy
ClearPass Profiler EngineCustom Fingerprints Rules
NEW WAY Create your own
Fingerprints
OLD WAY Wait for new Fingerprints to be made andor manually override
devices 11
ClearPass Universal ProfilerStandalone Profiling Engine
bull Standalone profiling engine
bull Wired and wireless networks
bull Easily distributed for coverage
and scalability
bull New device visibility dashboard
bull Reports
bull Gain Visibility of your Network
bull GA February 2017
ClearPass Universal Profiler
DEMO Profiling
ClearPass Modules / Workflows: OnGuard Client Health Check
• Automated health check before access
• Wired/Wireless: ensures posture compliance for laptops/computers
• Security: forces use of anti-virus/anti-spyware, firewalls, disk encryption…
• Remediation: manual or automatic
• Visibility: identifies poor behavior
• User notification: tells the user about failed checks
• Type: service or dissolvable web checker
DEMO: OnGuard
ClearPass Modules / Workflows: Secure Guest Login
• Flexible guest logins for any visitor
• Customizable splash pages
• Self-service workflows
• SMS authentication
• Sponsoring
• Social login
• Vouchers
• Predefined user/password
• MAC caching for repeat visitors
• Suitable for mobile devices
ClearPass Modules / Workflows: Secure Guest Login – Look and Feel
ClearPass Modules / Workflows: OnBoard Employee Device
• BYOD: employees log in with personal devices
• User and IT friendly: one-time user registration, no IT intervention
• Security: IT-managed 802.1X and certificates
• Context: data added to the profile for adaptive policy and troubleshooting
• Self-managed: users can manage, delete and block their own devices
ClearPass Modules / Workflows: Certificate Distribution for BYOD
Enterprise PKI and CA (Certificate Authority, Validation Authority, Registration Authority, Active Directory) issues certificates to IT-managed devices: domain, key & certificate.
Built-in ClearPass CA (AD, RA, VA, CA) issues certificates to personal devices: domain, user, device, key & unique certificate.
ClearPass Modules / Workflows: Multi-Factor Authentication
• Additional authentication for Guest and Onboard workflows
• Multiple methods supported:
  • SMS verification code
  • RSA Security
  • Duo
  • Zoom Facial Network
  • Kasada
  • More to come
DEMO: OnBoard BYOD
Possible Access Concept: Wireless
Guests: SSID "open", captive portal → Internet only
BYOD: SSID "secure", 802.1X (Dot1x) → Corp-PC → Corp LAN; others → Internet
IoT: SSID "IoT", PSK / MAC authentication / profiling
Possible Access Concept: Wired
Guests: captive portal → Internet only
802.1X (Dot1x): Corp-PC with certificate → Corp LAN
MAC authentication + profiling: others → Internet
How to Approach a NAC Project: Best Practice and Experience
• Know the devices on your network
  • What is there? Where is it? What is new?
  • Inventory, profiling
• Define use cases
  • Which stakeholder groups are there?
  • Workflows, processes, access rights
  • Simple and few: keep it simple
• Plan enough time for a proof of concept
  • Feed the PoC experience back in and adapt
• Implement step by step
  • Not everything at once
  • But ultimately network-wide
Thank you for your attention
Manuel Bitzi, Project Manager Network Engineering
manuel.bitzi@softec.ch
Apéro and Networking
Thank you for your visit
SOFTEC AG, Industriestrasse 51, CH-6312 Steinhausen
kurt.christen@softec.ch, +41 41 747 07 60
OUR APPROACH
Legacy: separate architectures; port/VLAN aware; proprietary systems
Mobile First: single set of infrastructure; insightful, context-rich; developer ready
REQUIREMENTS FOR IT ORGANIZATIONS
• Scale network ops across wireless and wired infrastructure
• Enable high quality experience on mobile UC
• Stay compliant while embracing BYOD and IoT
• Deliver apps to remote locations in a heartbeat
• Improve workplace productivity and influence revenue growth
EASY TO CONSUME, DEVELOPER READY INFRASTRUCTURE
Innovation at the speed of the ecosystem – not a single vendor
Aruba infrastructure: Wi-Fi, BLE, Wired, WAN
Aruba Mobile First Platform: micro-location services, cloud networking, location analytics, policy management, network management, network controls, IT services
Business and user facing applications
EMPLOYEE EXPERIENCE
09:00 Enroll mobile device
11:00 Privileged access with multi-factor authentication
13:00 Book meeting room
OPERATIONAL EXPERIENCE
09:30 Understand app usage (Aruba AppRF)
15:30 Monitor health of the smart building
IT EXPERIENCE
11:00 Predict, don't just troubleshoot (Aruba Clarity)
13:30 Understand, don't just monitor
ONCE BYOD AND IoT ARE ON YOUR NETWORK… SECURING THE PERIMETER IS NO LONGER ENOUGH
STAY COMPLIANT WHILE EMBRACING BYOD AND IoT
• Auto-classify unknown devices on any network with Aruba ClearPass
• Automate onboarding of each device to the network and enforce policy
• Detect & eliminate threats with ClearPass Exchange partners
SOFTWARE CONTROLS FOR NETWORK ACCESS SECURITY
Aruba ClearPass with Exchange Ecosystem, connected over the REST API to:
• Internet of Things (IoT)
• BYOD and corporate owned
• Security monitoring and threat prevention
• Device management and multi-factor authentication
• Helpdesk and voice/SMS service in the cloud
• Multi-vendor switching
• Multi-vendor WLANs
SOFTWARE CONTROLS FOR "COLORLESS" PORTS
• Device and user identity stores
• Ports assigned to new VLANs through ClearPass based on device type
• IoT devices on the wired network connecting to any port
• Prevention against malware and insider threats
• Secure per-device tunneling to Aruba Mobility Controller
• Aruba switches
LEADING SWISS BRANDS TRUST US
Pause
Aruba ClearPass – The Solution for Secure Network Access (Manuel Bitzi, SOFTEC AG)
Evolution of Access Management and Control
YESTERDAY: desktops & wired; basic AAA with user/port control; Windows vulnerabilities; perimeter security via platform silos; high-touch IT model
TODAY: mobile devices, BYOD & wireless; multi-factor policy control with visibility; multiple attack vectors; cooperative trust via context sharing; self-service, automated process
Time For A New Mobility Defense Model
Static Perimeter Defense: IDS/IPS, firewalls, antivirus, web gateways (perimeter defense, physical components)
Adaptive Trust Defense: security and policy for each user or group
What Are the Main Reasons for NAC?
• Authentication / access protection
• Automatic configuration
• Workflows
• Visibility / traceability
Top IT NAC Business Drivers
Columns: Authentication and Authorization; NAC Services Deployment; Architecture and Coverage
• Provide secure wired and wireless access
• Enhance mobile and cloud app access
• Use of certificates
Deployment Services
• Offer differentiated access (IT-owned, BYOD, IoT)
• Deliver managed and reliable guest access
• Provide consistent privileges regardless of location
• Leverage 3rd-party security solutions
• IT-controlled access
• Automate workflows
• Simplicity
• Possible user intervention
ClearPass Policy Manager and NAC Solution
Built-in: policy engine; RADIUS, CoA, TACACS; profiling; accounting/reports; identity store
Expandable applications (Onboard, Guest, OnGuard): BYOD onboarding; simple guest access; health assessments
Remote location
What's Inside
VISIBILITY: device profiling; troubleshooting; per-session tracking
WORKFLOW: onboarding and self-registration; guest management; MDM/EMM integration
RULES: context based; device posture checks; built-in certificate authority
Authentication Based on Device Context
Device profiling: Samsung SM-G900; Android; "Jons-Galaxy"
EMM/MDM/OnGuard: personal owned; registered; OS up-to-date; Hansen Jon [Sales]; MDM enabled = true; in-compliance = true
Identity stores: Hansen Jon [Sales]; Title – COO; Dept – Executive office; City – London
Network devices: Location – Bldg 10; Floor – 3; Bandwidth – 10Mbps
Value of a Policy Engine: Remove SSID Overload
OLD WAY: separate access & traffic by SSIDs
NEW WAY: simplify; separate traffic dynamically by context
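An added example, not ClearPass code and not the presenter's: a small context-based policy engine in Python that models the access concept from the wireless and wired slides, the quarantine-until-profiled flow of the profiler engine, and the firewall/IPS event exchange that isolates a session. Role names, attribute names, rule order and the sample sessions are assumptions constructed for illustration.

```python
"""Context-based access policy modelled on the deck's access concept.

Constructed example: the roles, attributes and rule order are assumptions
mirroring the slides (guest captive portal -> Internet only; 802.1X Corp-PC
with certificate -> Corp LAN; BYOD and others -> Internet; unknown device ->
quarantine until profiled; firewall/IPS event -> isolate the session).
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Enforcement roles as named on the access-concept slides (the IoT role is assumed).
INTERNET_ONLY = "Internet only"
CORP_LAN = "Corp LAN"
IOT_RESTRICTED = "IoT restricted"
QUARANTINE = "quarantine"


@dataclass
class Session:
    """Context the policy engine holds about one endpoint session."""
    mac: str
    auth_method: str                          # captive-portal | dot1x | psk | mac-auth
    ssid: str = ""                            # "open", "secure", "IoT"; "" for wired
    device_category: Optional[str] = None     # profiler result, None = unknown
    corporate_owned: bool = False             # from MDM/EMM or the device registry
    cert_auth: bool = False                   # authenticated with a device certificate
    posture_compliant: Optional[bool] = None  # OnGuard result, None = not checked
    role: str = QUARANTINE
    profiling_requested: bool = False
    audit: List[str] = field(default_factory=list)


def evaluate(s: Session) -> str:
    """First-match evaluation of the access concept; records the decision."""
    if s.device_category is None:
        # Profiling on authentication: hold the device and ask the profiler.
        s.profiling_requested = True
        role = QUARANTINE
    elif s.auth_method == "captive-portal":
        role = INTERNET_ONLY                  # guests: SSID "open" / wired captive portal
    elif s.auth_method in ("psk", "mac-auth"):
        # Without 802.1X a device never reaches the corporate LAN.
        role = IOT_RESTRICTED if s.device_category.startswith("IoT") else INTERNET_ONLY
    elif s.auth_method == "dot1x":
        if s.posture_compliant is False:
            role = QUARANTINE                 # failed health check: remediate first
        elif s.corporate_owned and s.cert_auth:
            role = CORP_LAN                   # Corp-PC with certificate
        else:
            role = INTERNET_ONLY              # BYOD and "others"
    else:
        role = QUARANTINE                     # unknown method: default deny
    s.role = role
    s.audit.append(f"evaluate -> {role}")
    return role


def on_profile_complete(s: Session, category: str) -> str:
    """Profiler finished (e.g. 'IoT Temperature Sensor'): re-run policy (CoA)."""
    s.device_category = category
    s.profiling_requested = False
    return evaluate(s)


def on_threat_event(s: Session, event: dict) -> str:
    """Bi-directional exchange: a firewall/IPS/SIEM event for this endpoint
    isolates the session and leaves a record for the ticket/notification step."""
    if event.get("mac", "").lower() != s.mac.lower():
        return s.role                         # event belongs to another endpoint
    if event.get("severity") in ("high", "critical"):
        s.role = QUARANTINE
        s.audit.append(f"isolated: {event.get('signature', 'unspecified')}")
    return s.role


if __name__ == "__main__":
    # Constructed sessions, not real endpoints.
    guest = Session(mac="02:00:00:00:00:01", auth_method="captive-portal", ssid="open",
                    device_category="Smartphone")
    corp = Session(mac="02:00:00:00:00:02", auth_method="dot1x", ssid="secure",
                   device_category="Windows PC", corporate_owned=True, cert_auth=True,
                   posture_compliant=True)
    sensor = Session(mac="02:00:00:00:00:03", auth_method="mac-auth", ssid="IoT")
    print(evaluate(guest), evaluate(corp), evaluate(sensor))
    print(on_profile_complete(sensor, "IoT Temperature Sensor"))
    print(on_threat_event(corp, {"mac": corp.mac, "severity": "high",
                                 "signature": "malware upload"}))
```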
ClearPass ExchangeEnd-to-End Control Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voiceSMSservice in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST APISQL
XMLHTTP LDAP
RADIUSTACACS
Traffic control ampthreat prevention
ClearPass Exchange ExampleExtensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
Devices profiled2 ClearPass checks McAfee ePO for endpoint status
3
ClearPass enforcesaccess privileges4
Devices establish connections1
ClearPass Exchange ExampleBi-directional Exchange ndash FirewallIPS Event
FirewallIPSSIEMetchellip
user connects and uploads threat
sends event to ClearPass
informs infrastructure
1 2
4
detects and blocks event
3isolates user5
notifies user opens service ticket notify third-party devices6
ClearPass Profiler Engine
bull ClearPass sammelt so viele Informationen wie moumlglich um einen Geraumltetyp zu bestimmen
bull Category Family Product Name
bull Fingerprint-Datenbank wird regelmaumlssig aktualisiert
bull Eigene Fingerprints erstellen
bull Credentials fuumlr SMNP SSH etc hinterlegen
bull Profiling bei Authentifizierung oder nach Bedarf
bull Erkennen von IoT Devices
DHCP
SNMP
SSH
TCPWMI
CDP LLDP
OnGuard
NMAP
Mac OUI
HTTP
ClearPass Profiler EngineProfiling on authentication discover IoT
AfterBefore
Lighting Sensorunknown
unknown Temperature Sensor
send to
quarantineprofiling assign
new policy
discover IoT assign appropriated policy
ClearPass Profiler EngineCustom Fingerprints Rules
NEW WAY Create your own
Fingerprints
OLD WAY Wait for new Fingerprints to be made andor manually override
devices 11
ClearPass Universal ProfilerStandalone Profiling Engine
bull Standalone profiling engine
bull Wired and wireless networks
bull Easily distributed for coverage
and scalability
bull New device visibility dashboard
bull Reports
bull Gain Visibility of your Network
bull GA February 2017
ClearPass Universal Profiler
DEMO Profiling
Clearpass Modules WorkflowsOnGuard Client Health Check
bull Automated Healthcheck before Access
bull WiredWireless Ensures posture compliance for laptopscomputers
bull Security Forces use of Anti-VirusAnti-Spyware firewalls disk encryptionhellip
bull Remediation Manual or auto
bull Visibility Identifies poor behavior
bull User Notification Tells User about failed checks
bull Type Service or dissolvable Web Checker
DEMO OnGuard
Clearpass Modules WorkflowsSecure Guest Login
bull Flexible Guest Logins for Any Visitor
bull Customizable Splash Pages
bull Self-Service Workflows
bull SMS Authentication
bull Sponsoring
bull Social Login
bull Vouchers
bull Predefined UserPassword
bull MAC Caching for repeat visitors
bull Suitable for Mobile Devices
Clearpass Modules WorkflowsSecure Guest Login Look and Feel
Clearpass Modules WorkflowsOnBoard Employee Device
bull BYOD Employees Login with Personal Devices
bull User and IT friendly One time user registration no IT intervention
bull Security IT managed 8021X and Certificates
bull Context Data added to profile for adaptive policy and troubleshooting
bull Selfmanaged User can manage delete and block devices by their own
Clearpass Modules WorkflowsCertificate Distribution for BYOD
bull Domain
bull Key amp
Certificate
Enterprise PKI and CA Built-in ClearPass CA
Certificate
Authority
Validation
Authority
Registration
Authority
Active
Directory
IT-Managed
Devices
bull Domain
bull User
bull Device
bull Key amp Unique
Certificate
Personal
Devices
CA
Certificate
Authority
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
REQUIREMENTS
FOR IT ORGANIZATIONS
Scale network ops
across wireless and
wired infrastructure
Enable high
quality experience
on mobile UC
Stay compliant
while embracing
BYOD and IoT
Deliver apps to
remote locations
in a heartbeat
Improve workplace
productivity and
influence revenue
growth
EASY TO CONSUME DEVELOPER READY INFRASTRUCTURE
INNOVATION AT THE SPEED OF THE ECOSYSTEM ndash NOT A SINGLE VENDOR
Aruba infrastructure
Wi-Fi BLE Wired WAN
Aruba Mobile First Platform
x
Micro-location
services
Cloud
networking
Location
analytics
Policy
management
Network
managementNetwork
controls
IT services
Business and user facing applications
EMPLOYEE
EXPERIENCE
0900
ENROLL
MOBILE DEVICE
1100
PRIVILEGED ACCESS
WITH MULTI-FACTOR
AUTHENTICATION
1300
BOOK
MEETING ROOM
OPERATIONAL
EXPERIENCE
0930
UNDERSTAND
APP USAGE
Aruba AppRF
1530
MONITOR HEALTH
OF THE SMART
BUILDING
IT EXPERIENCE
1100
PREDICT
DONrsquoT JUST
TROUBLESHOOT
Aruba Clarity
1330
UNDERSTAND
DONrsquoT JUST
MONITOR
ONCE BYOD AND IoT
ARE ON YOUR
NETWORK hellip
SECURING THE
PERIMETER IS NO
LONGER ENOUGH
STAY COMPLIANT
WHILE EMBRACING BYOD AND IOT
Auto-classify unknown devices
on any network with Aruba ClearPass
Automate onboarding of each device
to the network and enforce policy
Detect amp eliminate threats
with ClearPass Exchange partners
SOFTWARE CONTROLS FOR
NETWORK ACCESS SECURITY
Internet of
Things (IoT)
BYOD and
corporate owned
REST
API
Security monitoring
and threat prevention
Device management and
multi-factor authentication
Helpdesk and voiceSMS
service in the cloud
Multi-vendor
switching
Multi-vendor
WLANs
Aruba ClearPass with
Exchange Ecosystem
SOFTWARE CONTROLS FOR ldquoCOLORLESSrdquo PORTS
Device and
user identity
stores
Ports assigned to new
VLANs through ClearPass
based on device type
IoT devices on the
wired network
connecting to any portPrevention against malware
and insider threats
Secure per device
tunneling to Aruba
Mobility Controller
Aruba
switches
LEADING
SWISS
BRANDS
TRUST
US
Pause
Aruba ClearPass ndash Die Loumlsung fuumlr einen sicheren NetzwerkzugangManuel Bitzi SOFTEC AG
Evolution of Access Management and Control
Desktops amp Wired
Basic AAA with UserPort
Control
Windows Vulnerabilities
Perimeter security via
platform silos
High touch IT model
Mobile Devices BYOD amp
Wireless
Multi-factor policy control with
visibility
Multiple Attack Vectors
Cooperative trust via
context sharing
Self Service automated
process
YESTERDAY TODAY
Time For A New Mobility Defense Model
Static Perimeter Defense
IDSIPS
Firewalls
Adaptive Trust Defense
Perimeter
Defense
Physical
Components
AntiVirus
Security and Policy
for each user or
group
Web
gateways
Was sind die Hauptgruumlnde fuumlr ein NAC
AuthentifizierungZugriffsschutz
Automatische Konfiguration
Workflows
VisibilitaumltNachvollziehbarkeit
Top IT NAC Business Drivers
Authentication and Authorization
NAC Services Deployment
Architecture and Coverage
bull Provide secure wired
and wireless access
bull Enhance mobile and
cloud app access
bull Use of certificates
Deployment Services
bull Offer differentiated
access (IT-owned
BYOD IoT)
bull Deliver managed
and reliable guest
access
bull Provide consistent
privileges regardless
of location
bull Leverage 3rd-party
security solutions
bull IT-controlled access
bull Automate workflows
bull Simplicity
bull Possible User-
intervention
ClearPass Policy Manager and NAC Solution
Onboard Guest
Built-inbull Policy Enginebull RADIUSCoATACACSbull Profilingbull Accountingreportsbull Identity store
Expandable Applications
Remote Location
bull BYOD onboardingbull Simple guest accessbull Health assessments
OnGuard
Whatrsquos Inside
VISIBILITY
Device Profiling
Troubleshooting
Per Session Tracking
WORKFLOW
Onboarding and
Self-Registration
Guest Management
MDMEMM Integration
RULES
Context based
Device
Posture Checks
Built-in Certificate
Authority
Authentication based on Device Context
Device
Profiling
bull Samsung SM-G900
bull Android
bull ldquoJons-Galaxyrdquo
EMMMDMOnGuard
bull Personal owned
bull Registered
bull OS up-to-date
bull Hansen Jon [Sales]
bull MDM enabled = true
bull In-compliance = true
Identity
Stores
Network Devices
bull Hansen Jon [Sales]
bull Title ndash COO
bull Dept ndash Executive office
bull City ndash London
bull Location ndash Bldg 10
bull Floor ndash 3
bull Bandwidth ndash 10Mbps
Value of a Policy EngineRemove SSID Overload
NEW WAY Simplify separate traffic dynamically
by context
OLD WAY Separate access amp
traffic by SSIDs
ClearPass ExchangeEnd-to-End Control Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voiceSMSservice in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST APISQL
XMLHTTP LDAP
RADIUSTACACS
Traffic control ampthreat prevention
ClearPass Exchange ExampleExtensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
Devices profiled2 ClearPass checks McAfee ePO for endpoint status
3
ClearPass enforcesaccess privileges4
Devices establish connections1
ClearPass Exchange ExampleBi-directional Exchange ndash FirewallIPS Event
FirewallIPSSIEMetchellip
user connects and uploads threat
sends event to ClearPass
informs infrastructure
1 2
4
detects and blocks event
3isolates user5
notifies user opens service ticket notify third-party devices6
ClearPass Profiler Engine
bull ClearPass sammelt so viele Informationen wie moumlglich um einen Geraumltetyp zu bestimmen
bull Category Family Product Name
bull Fingerprint-Datenbank wird regelmaumlssig aktualisiert
bull Eigene Fingerprints erstellen
bull Credentials fuumlr SMNP SSH etc hinterlegen
bull Profiling bei Authentifizierung oder nach Bedarf
bull Erkennen von IoT Devices
DHCP
SNMP
SSH
TCPWMI
CDP LLDP
OnGuard
NMAP
Mac OUI
HTTP
ClearPass Profiler EngineProfiling on authentication discover IoT
AfterBefore
Lighting Sensorunknown
unknown Temperature Sensor
send to
quarantineprofiling assign
new policy
discover IoT assign appropriated policy
ClearPass Profiler EngineCustom Fingerprints Rules
NEW WAY Create your own
Fingerprints
OLD WAY Wait for new Fingerprints to be made andor manually override
devices 11
ClearPass Universal ProfilerStandalone Profiling Engine
bull Standalone profiling engine
bull Wired and wireless networks
bull Easily distributed for coverage
and scalability
bull New device visibility dashboard
bull Reports
bull Gain Visibility of your Network
bull GA February 2017
ClearPass Universal Profiler
DEMO Profiling
Clearpass Modules WorkflowsOnGuard Client Health Check
bull Automated Healthcheck before Access
bull WiredWireless Ensures posture compliance for laptopscomputers
bull Security Forces use of Anti-VirusAnti-Spyware firewalls disk encryptionhellip
bull Remediation Manual or auto
bull Visibility Identifies poor behavior
bull User Notification Tells User about failed checks
bull Type Service or dissolvable Web Checker
DEMO OnGuard
Clearpass Modules WorkflowsSecure Guest Login
bull Flexible Guest Logins for Any Visitor
bull Customizable Splash Pages
bull Self-Service Workflows
bull SMS Authentication
bull Sponsoring
bull Social Login
bull Vouchers
bull Predefined UserPassword
bull MAC Caching for repeat visitors
bull Suitable for Mobile Devices
Clearpass Modules WorkflowsSecure Guest Login Look and Feel
Clearpass Modules WorkflowsOnBoard Employee Device
bull BYOD Employees Login with Personal Devices
bull User and IT friendly One time user registration no IT intervention
bull Security IT managed 8021X and Certificates
bull Context Data added to profile for adaptive policy and troubleshooting
bull Selfmanaged User can manage delete and block devices by their own
Clearpass Modules WorkflowsCertificate Distribution for BYOD
bull Domain
bull Key amp
Certificate
Enterprise PKI and CA Built-in ClearPass CA
Certificate
Authority
Validation
Authority
Registration
Authority
Active
Directory
IT-Managed
Devices
bull Domain
bull User
bull Device
bull Key amp Unique
Certificate
Personal
Devices
CA
Certificate
Authority
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
EASY TO CONSUME DEVELOPER READY INFRASTRUCTURE
INNOVATION AT THE SPEED OF THE ECOSYSTEM ndash NOT A SINGLE VENDOR
Aruba infrastructure
Wi-Fi BLE Wired WAN
Aruba Mobile First Platform
x
Micro-location
services
Cloud
networking
Location
analytics
Policy
management
Network
managementNetwork
controls
IT services
Business and user facing applications
EMPLOYEE
EXPERIENCE
0900
ENROLL
MOBILE DEVICE
1100
PRIVILEGED ACCESS
WITH MULTI-FACTOR
AUTHENTICATION
1300
BOOK
MEETING ROOM
OPERATIONAL
EXPERIENCE
0930
UNDERSTAND
APP USAGE
Aruba AppRF
1530
MONITOR HEALTH
OF THE SMART
BUILDING
IT EXPERIENCE
1100
PREDICT
DONrsquoT JUST
TROUBLESHOOT
Aruba Clarity
1330
UNDERSTAND
DONrsquoT JUST
MONITOR
ONCE BYOD AND IoT
ARE ON YOUR
NETWORK hellip
SECURING THE
PERIMETER IS NO
LONGER ENOUGH
STAY COMPLIANT
WHILE EMBRACING BYOD AND IOT
Auto-classify unknown devices
on any network with Aruba ClearPass
Automate onboarding of each device
to the network and enforce policy
Detect amp eliminate threats
with ClearPass Exchange partners
SOFTWARE CONTROLS FOR
NETWORK ACCESS SECURITY
Internet of
Things (IoT)
BYOD and
corporate owned
REST
API
Security monitoring
and threat prevention
Device management and
multi-factor authentication
Helpdesk and voiceSMS
service in the cloud
Multi-vendor
switching
Multi-vendor
WLANs
Aruba ClearPass with
Exchange Ecosystem
SOFTWARE CONTROLS FOR ldquoCOLORLESSrdquo PORTS
Device and
user identity
stores
Ports assigned to new
VLANs through ClearPass
based on device type
IoT devices on the
wired network
connecting to any portPrevention against malware
and insider threats
Secure per device
tunneling to Aruba
Mobility Controller
Aruba
switches
LEADING
SWISS
BRANDS
TRUST
US
Pause
Aruba ClearPass ndash Die Loumlsung fuumlr einen sicheren NetzwerkzugangManuel Bitzi SOFTEC AG
Evolution of Access Management and Control
Desktops amp Wired
Basic AAA with UserPort
Control
Windows Vulnerabilities
Perimeter security via
platform silos
High touch IT model
Mobile Devices BYOD amp
Wireless
Multi-factor policy control with
visibility
Multiple Attack Vectors
Cooperative trust via
context sharing
Self Service automated
process
YESTERDAY TODAY
Time For A New Mobility Defense Model
Static Perimeter Defense
IDSIPS
Firewalls
Adaptive Trust Defense
Perimeter
Defense
Physical
Components
AntiVirus
Security and Policy
for each user or
group
Web
gateways
Was sind die Hauptgruumlnde fuumlr ein NAC
AuthentifizierungZugriffsschutz
Automatische Konfiguration
Workflows
VisibilitaumltNachvollziehbarkeit
Top IT NAC Business Drivers
Authentication and Authorization
NAC Services Deployment
Architecture and Coverage
bull Provide secure wired
and wireless access
bull Enhance mobile and
cloud app access
bull Use of certificates
Deployment Services
bull Offer differentiated
access (IT-owned
BYOD IoT)
bull Deliver managed
and reliable guest
access
bull Provide consistent
privileges regardless
of location
bull Leverage 3rd-party
security solutions
bull IT-controlled access
bull Automate workflows
bull Simplicity
bull Possible User-
intervention
ClearPass Policy Manager and NAC Solution
Onboard Guest
Built-inbull Policy Enginebull RADIUSCoATACACSbull Profilingbull Accountingreportsbull Identity store
Expandable Applications
Remote Location
bull BYOD onboardingbull Simple guest accessbull Health assessments
OnGuard
Whatrsquos Inside
VISIBILITY
Device Profiling
Troubleshooting
Per Session Tracking
WORKFLOW
Onboarding and
Self-Registration
Guest Management
MDMEMM Integration
RULES
Context based
Device
Posture Checks
Built-in Certificate
Authority
Authentication based on Device Context
Device
Profiling
bull Samsung SM-G900
bull Android
bull ldquoJons-Galaxyrdquo
EMMMDMOnGuard
bull Personal owned
bull Registered
bull OS up-to-date
bull Hansen Jon [Sales]
bull MDM enabled = true
bull In-compliance = true
Identity
Stores
Network Devices
bull Hansen Jon [Sales]
bull Title ndash COO
bull Dept ndash Executive office
bull City ndash London
bull Location ndash Bldg 10
bull Floor ndash 3
bull Bandwidth ndash 10Mbps
Value of a Policy EngineRemove SSID Overload
NEW WAY Simplify separate traffic dynamically
by context
OLD WAY Separate access amp
traffic by SSIDs
ClearPass ExchangeEnd-to-End Control Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voiceSMSservice in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST APISQL
XMLHTTP LDAP
RADIUSTACACS
Traffic control ampthreat prevention
ClearPass Exchange ExampleExtensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
Devices profiled2 ClearPass checks McAfee ePO for endpoint status
3
ClearPass enforcesaccess privileges4
Devices establish connections1
ClearPass Exchange ExampleBi-directional Exchange ndash FirewallIPS Event
FirewallIPSSIEMetchellip
user connects and uploads threat
sends event to ClearPass
informs infrastructure
1 2
4
detects and blocks event
3isolates user5
notifies user opens service ticket notify third-party devices6
ClearPass Profiler Engine
bull ClearPass sammelt so viele Informationen wie moumlglich um einen Geraumltetyp zu bestimmen
bull Category Family Product Name
bull Fingerprint-Datenbank wird regelmaumlssig aktualisiert
bull Eigene Fingerprints erstellen
bull Credentials fuumlr SMNP SSH etc hinterlegen
bull Profiling bei Authentifizierung oder nach Bedarf
bull Erkennen von IoT Devices
DHCP
SNMP
SSH
TCPWMI
CDP LLDP
OnGuard
NMAP
Mac OUI
HTTP
ClearPass Profiler EngineProfiling on authentication discover IoT
AfterBefore
Lighting Sensorunknown
unknown Temperature Sensor
send to
quarantineprofiling assign
new policy
discover IoT assign appropriated policy
ClearPass Profiler EngineCustom Fingerprints Rules
NEW WAY Create your own
Fingerprints
OLD WAY Wait for new Fingerprints to be made andor manually override
devices 11
ClearPass Universal ProfilerStandalone Profiling Engine
bull Standalone profiling engine
bull Wired and wireless networks
bull Easily distributed for coverage
and scalability
bull New device visibility dashboard
bull Reports
bull Gain Visibility of your Network
bull GA February 2017
ClearPass Universal Profiler
DEMO Profiling
Clearpass Modules WorkflowsOnGuard Client Health Check
bull Automated Healthcheck before Access
bull WiredWireless Ensures posture compliance for laptopscomputers
bull Security Forces use of Anti-VirusAnti-Spyware firewalls disk encryptionhellip
bull Remediation Manual or auto
bull Visibility Identifies poor behavior
bull User Notification Tells User about failed checks
bull Type Service or dissolvable Web Checker
DEMO OnGuard
Clearpass Modules WorkflowsSecure Guest Login
bull Flexible Guest Logins for Any Visitor
bull Customizable Splash Pages
bull Self-Service Workflows
bull SMS Authentication
bull Sponsoring
bull Social Login
bull Vouchers
bull Predefined UserPassword
bull MAC Caching for repeat visitors
bull Suitable for Mobile Devices
Clearpass Modules WorkflowsSecure Guest Login Look and Feel
Clearpass Modules WorkflowsOnBoard Employee Device
bull BYOD Employees Login with Personal Devices
bull User and IT friendly One time user registration no IT intervention
bull Security IT managed 8021X and Certificates
bull Context Data added to profile for adaptive policy and troubleshooting
bull Selfmanaged User can manage delete and block devices by their own
Clearpass Modules WorkflowsCertificate Distribution for BYOD
bull Domain
bull Key amp
Certificate
Enterprise PKI and CA Built-in ClearPass CA
Certificate
Authority
Validation
Authority
Registration
Authority
Active
Directory
IT-Managed
Devices
bull Domain
bull User
bull Device
bull Key amp Unique
Certificate
Personal
Devices
CA
Certificate
Authority
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
EMPLOYEE EXPERIENCE
09:00 Enroll mobile device
11:00 Privileged access with multi-factor authentication
13:00 Book meeting room
OPERATIONAL EXPERIENCE
09:30 Understand app usage (Aruba AppRF)
15:30 Monitor health of the smart building
IT EXPERIENCE
11:00 Predict, don't just troubleshoot (Aruba Clarity)
13:30 Understand, don't just monitor
Once BYOD and IoT are on your network … securing the perimeter is no longer enough
Stay compliant while embracing BYOD and IoT
• Auto-classify unknown devices on any network with Aruba ClearPass
• Automate onboarding of each device to the network and enforce policy
• Detect & eliminate threats with ClearPass Exchange partners
Software controls for network access security
Aruba ClearPass with Exchange Ecosystem, connected via REST API to: Internet of Things (IoT); BYOD and corporate owned devices; security monitoring and threat prevention; device management and multi-factor authentication; helpdesk and voice/SMS service in the cloud; multi-vendor switching; multi-vendor WLANs
Software controls for "colorless" ports
• Device and user identity stores
• Ports assigned to new VLANs through ClearPass based on device type
• IoT devices on the wired network connecting to any port
• Prevention against malware and insider threats
• Secure per-device tunneling to Aruba Mobility Controller
• Aruba switches
Leading Swiss brands trust us
Pause (break)
Aruba ClearPass – the solution for secure network access (Manuel Bitzi, SOFTEC AG)
Evolution of Access Management and Control
YESTERDAY – desktops & wired: basic AAA with user/port control; Windows vulnerabilities; perimeter security via platform silos; high-touch IT model
TODAY – mobile devices, BYOD & wireless: multi-factor policy control with visibility; multiple attack vectors; cooperative trust via context sharing; self-service, automated process
Time for a new mobility defense model
Static perimeter defense: IDS/IPS, firewalls, perimeter defense, physical components, antivirus, web gateways
Adaptive trust defense: security and policy for each user or group
What are the main reasons for a NAC?
• Authentication / access protection
• Automatic configuration
• Workflows
• Visibility / traceability
Top IT NAC Business Drivers
Authentication and Authorization:
• Provide secure wired and wireless access
• Enhance mobile and cloud app access
• Use of certificates
NAC Services Deployment (deployment services):
• Offer differentiated access (IT-owned, BYOD, IoT)
• Deliver managed and reliable guest access
• Provide consistent privileges regardless of location
• Leverage 3rd-party security solutions
Architecture and Coverage:
• IT-controlled access
• Automate workflows
• Simplicity
• Possible user intervention
ClearPass Policy Manager and NAC Solution
Built-in: policy engine; RADIUS, CoA, TACACS+; profiling; accounting and reports; identity store
Expandable applications: Onboard (BYOD onboarding); Guest (simple guest access); OnGuard (health assessments); remote location
What's inside
VISIBILITY: device profiling; troubleshooting; per-session tracking
WORKFLOW: onboarding and self-registration; guest management; MDM/EMM integration
RULES: context based; device posture checks; built-in certificate authority
Authentication based on device context
Device profiling: Samsung SM-G900; Android; "Jons-Galaxy"
EMM/MDM/OnGuard: personal owned; registered; OS up-to-date; Hansen, Jon [Sales]; MDM enabled = true; in-compliance = true
Identity stores: Hansen, Jon [Sales]; Title – COO; Dept – Executive office; City – London
Network devices: Location – Bldg 10; Floor – 3; Bandwidth – 10 Mbps
Value of a policy engine: remove SSID overload
OLD WAY: separate access & traffic by SSIDs
NEW WAY: simplify; separate traffic dynamically by context
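The decision these two slides describe (one SSID or "colorless" port, enforcement derived from device context) together with the wireless and wired access concept earlier on this page, as an added worked example; this is not ClearPass code. The attribute names, VLAN IDs, rule order and the sample endpoints are assumptions chosen for the example. The last rule is where the practical caveat sits: PSK and MAC authentication are copyable, so for IoT the profiling result decides, and conflicting or missing fingerprints go to quarantine rather than to a trusted VLAN.

```python
"""Context-based enforcement instead of one SSID per traffic class.

Added example, not ClearPass code. All devices authenticate on the same
SSID (or plug into the same "colorless" port); the VLAN returned to the
switch or controller is derived from the whole context: authentication
method, profiling result, ownership, MDM compliance, OnGuard posture and
user group. Attribute names and VLAN IDs are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional

# Enforcement profiles (name, VLAN id); IDs are constructed.
INTERNET_ONLY = ("internet-only", 900)
CORP_LAN = ("corp-lan", 10)
IOT_VLAN = ("iot", 200)
QUARANTINE = ("quarantine", 999)


@dataclass
class Context:
    auth_method: str                        # "captive-portal", "eap-tls", "peap", "mac-auth", "psk"
    device_category: str = "Unknown"        # profiling result: Computer, SmartDevice, IoT, Unknown
    corporate_owned: bool = False           # device is in the corporate inventory
    cert_from_corp_ca: bool = False         # EAP-TLS client certificate chains to the corporate CA
    mdm_enrolled: bool = False
    mdm_compliant: bool = False
    posture_healthy: Optional[bool] = None  # None: no OnGuard result available (e.g. IoT)
    profiling_conflict: bool = False        # collectors disagree (possible MAC spoofing)
    user_groups: tuple = ()


def decide(ctx: Context) -> tuple:
    """Return (vlan_name, vlan_id, reason). The first matching rule wins, so
    rules are ordered from the most trusted context down to the default."""
    # Guests: the captive portal never leads to the corporate LAN, whatever the device.
    if ctx.auth_method == "captive-portal":
        return (*INTERNET_ONLY, "guest via captive portal")

    # Corporate PC: certificate from the corporate CA plus inventory match.
    # Posture is checked before granting the LAN; a failed check quarantines.
    if ctx.auth_method == "eap-tls" and ctx.cert_from_corp_ca and ctx.corporate_owned:
        if ctx.posture_healthy is False:
            return (*QUARANTINE, "corporate PC failed OnGuard posture check")
        return (*CORP_LAN, "corporate PC, EAP-TLS, posture ok")

    # BYOD on 802.1X: enrolled and compliant according to MDM -> LAN, otherwise Internet only.
    if ctx.auth_method in ("eap-tls", "peap"):
        if ctx.mdm_enrolled and ctx.mdm_compliant:
            return (*CORP_LAN, "BYOD, MDM compliant")
        return (*INTERNET_ONLY, "BYOD without compliant MDM enrolment")

    # IoT: PSK or MAC auth prove little on their own (both are copyable), so the
    # profiling result decides. Conflicting fingerprints or an Unknown category
    # go to quarantine, where the device is re-profiled and a policy assigned.
    if ctx.auth_method in ("mac-auth", "psk"):
        if ctx.profiling_conflict:
            return (*QUARANTINE, "profiling conflict, possible MAC spoofing")
        if ctx.device_category == "IoT":
            return (*IOT_VLAN, "profiled IoT device")
        return (*QUARANTINE, "unknown device, re-profile")

    return (*QUARANTINE, "no rule matched (default deny)")


def demo() -> dict:
    """Constructed endpoints and the VLAN name each one lands in."""
    cases = {
        "guest laptop": Context("captive-portal", device_category="Computer"),
        "corp pc": Context("eap-tls", "Computer", corporate_owned=True,
                           cert_from_corp_ca=True, posture_healthy=True),
        "corp pc, AV off": Context("eap-tls", "Computer", corporate_owned=True,
                                   cert_from_corp_ca=True, posture_healthy=False),
        "Jons-Galaxy": Context("eap-tls", "SmartDevice", mdm_enrolled=True,
                               mdm_compliant=True, user_groups=("Sales",)),
        "temperature sensor": Context("mac-auth", "IoT"),
        "spoofed sensor MAC": Context("mac-auth", "IoT", profiling_conflict=True),
        "new, unknown": Context("mac-auth"),
    }
    return {name: decide(ctx)[0] for name, ctx in cases.items()}


if __name__ == "__main__":
    for name, vlan in demo().items():
        print(f"{name:20s} -> {vlan}")
```

In a real deployment the tuple returned by `decide` becomes the RADIUS reply (tunnel/VLAN attributes or a vendor role), and the same function is what a CoA re-evaluation calls after profiling or posture changes.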
ClearPass Exchange: end-to-end control, information and visibility
Multi-vendor infrastructure; device management and multi-factor authentication; helpdesk and voice/SMS service in the cloud; combine identity information; traffic control & threat prevention
Standard protocols for custom extensions: REST API, SQL, XML/HTTP, LDAP, RADIUS/TACACS+
ClearPass Exchange example: extensions for Intel Security - McAfee ePO
Corporate owned and IoT; BYOD and corporate owned; multi-vendor switching; multi-vendor WLAN; McAfee ePO
1. Devices establish connections
2. Devices are profiled
3. ClearPass checks McAfee ePO for endpoint status
4. ClearPass enforces access privileges
ClearPass Exchange example: bi-directional exchange – firewall/IPS event
Firewall, IPS, SIEM, etc.
1. User connects and uploads a threat
2. Firewall/IPS detects and blocks the event
3. Firewall/IPS sends the event to ClearPass
4. ClearPass informs the infrastructure
5. ClearPass isolates the user
6. ClearPass notifies the user, opens a service ticket and notifies third-party devices
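What steps 4 and 5 of the firewall/IPS flow look like on the wire, as an added worked example that is not ClearPass code: a RADIUS Disconnect-Request (RFC 5176, Dynamic Authorization) from the policy server to the switch or controller, and the NAS's Disconnect-ACK or NAK. Both sides are modelled as functions over bytes with no network I/O. The user name, accounting session id and shared secret are constructed; the attribute numbers and authenticator computations are those of RFC 2865/5176.

```python
"""RADIUS Disconnect-Request / Disconnect-ACK (RFC 5176) between a policy
server and a NAS, as a worked example. Added example, not ClearPass code.

The client (policy server) builds and authenticates the request; the NAS
validates it, tears the named session down and answers with an ACK, or
with a NAK carrying Error-Cause 503 "Session Context Not Found"; the
client verifies the response. Session id and secret are constructed.
"""
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_USER_NAME, ATTR_CALLING_STATION_ID, ATTR_ACCT_SESSION_ID, ATTR_ERROR_CAUSE = 1, 31, 44, 101
ERROR_SESSION_CONTEXT_NOT_FOUND = 503
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; then a 16-octet Authenticator


def encode_attrs(attrs) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets."""
    out = b""
    for attr_type, value in attrs:
        if not 0 < len(value) <= 253:
            raise ValueError("attribute value must be 1..253 octets")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def parse(packet: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...]) or raise."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = HEADER.unpack(packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, ident, packet[4:20], attrs


def build_disconnect_request(ident: int, attrs, secret: bytes) -> bytes:
    """Policy-server side. RFC 5176 section 3: Request Authenticator =
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = HEADER.pack(DISCONNECT_REQUEST, ident, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_request(packet: bytes, secret: bytes) -> bool:
    """NAS side: recompute the Request Authenticator over the zeroed field."""
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def build_response(code: int, request: bytes, attrs, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = HEADER.pack(code, request[1], 20 + len(body))
    authenticator = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + authenticator + body


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: the response must be bound to our request's id and authenticator."""
    if response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def nas_handle(packet: bytes, secret: bytes, active_sessions: set):
    """NAS side: validate, terminate the named session, answer ACK or NAK.
    A request with a bad authenticator is silently discarded (None), as RFC 5176 requires."""
    if not verify_request(packet, secret):
        return None
    code, _, _, attrs = parse(packet)
    if code != DISCONNECT_REQUEST:
        return None
    session = dict(attrs).get(ATTR_ACCT_SESSION_ID, b"").decode(errors="replace")
    if session in active_sessions:
        active_sessions.discard(session)      # the port/client is de-authorised here
        return build_response(DISCONNECT_ACK, packet, [], secret)
    error = struct.pack("!I", ERROR_SESSION_CONTEXT_NOT_FOUND)
    return build_response(DISCONNECT_NAK, packet, [(ATTR_ERROR_CAUSE, error)], secret)


def isolate_user(user: str, session_id: str, secret: bytes, active_sessions: set) -> str:
    """The whole exchange: policy server -> NAS -> policy server. Returns the outcome."""
    request = build_disconnect_request(
        7, [(ATTR_USER_NAME, user.encode()), (ATTR_ACCT_SESSION_ID, session_id.encode())], secret)
    response = nas_handle(request, secret, active_sessions)
    if response is None or not verify_response(response, request, secret):
        return "no valid response"
    code, _, _, attrs = parse(response)
    if code == DISCONNECT_ACK:
        return "disconnected"
    cause = struct.unpack("!I", dict(attrs)[ATTR_ERROR_CAUSE])[0]
    return f"nak, error-cause {cause}"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    sessions = {"A1B2C3"}                    # constructed accounting session id
    print(isolate_user("jon.hansen", "A1B2C3", secret, sessions))   # disconnected
    print(isolate_user("jon.hansen", "A1B2C3", secret, sessions))   # nak, error-cause 503
```

A CoA-Request (code 43) that moves the client to a quarantine VLAN instead of disconnecting it uses exactly the same authenticator computation. The authenticator is an MD5 of a shared secret, so on a production network the NAS should be configured to accept dynamic-authorization requests only from the policy server's addresses, Message-Authenticator (HMAC-MD5, attribute 80) should be required, and RADIUS over TLS (RadSec) used where the infrastructure supports it.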
ClearPass Profiler Engine
• ClearPass collects as much information as possible to determine the device type
• Category, Family, Product Name
• The fingerprint database is updated regularly
• Create your own fingerprints
• Store credentials for SNMP, SSH, etc.
• Profiling at authentication time or on demand
• Detection of IoT devices
Collectors: DHCP, SNMP, SSH, TCP/WMI, CDP/LLDP, OnGuard, NMAP, MAC OUI, HTTP
ClearPass Profiler Engine: profiling on authentication, discover IoT
Before: lighting sensor and temperature sensor are "unknown" and are sent to quarantine
After: profiling assigns a new policy; the IoT device is discovered and the appropriate policy assigned
ClearPass Profiler Engine: custom fingerprints and rules
OLD WAY: wait for new fingerprints to be made and/or manually override devices
NEW WAY: create your own fingerprints
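How evidence from several of the collectors listed above is turned into a Category / Family / Product classification, with a custom fingerprint rule added at runtime, as an added worked example; this is not the ClearPass profiler. The OUIs, DHCP parameter request lists, User-Agent strings, rule weights and endpoints are constructed for the example (the Windows request list used here is the one commonly seen from Windows clients, but it is a rule of this example, not a database entry). The part a practitioner should note is the conflict check: an IoT-looking OUI paired with a Windows DHCP fingerprint is left "Unknown", which is what should keep a spoofed MAC out of the IoT VLAN and in quarantine for re-profiling.

```python
"""Device profiling from several collectors, as a worked example.
Added example, not ClearPass code.

Evidence from MAC OUI, DHCP option 55 (parameter request list), HTTP
User-Agent and LLDP system description is matched against fingerprint
rules; each matching rule votes for a Category / Family / Product with a
weight. Custom rules can be added at runtime. Votes for different
categories contradict each other and leave the device Unknown.
OUIs, fingerprints and endpoints are constructed for this example.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Profile:
    category: str   # e.g. Computer, SmartDevice, IoT, Unknown
    family: str     # e.g. Windows, Android, Building Sensors
    product: str    # e.g. Windows 10, Samsung SM-G900


UNKNOWN = Profile("Unknown", "Unknown", "Unknown")


@dataclass
class Endpoint:
    mac: str                    # "aa:bb:cc:dd:ee:ff"
    dhcp_option55: tuple = ()   # DHCP parameter request list, in order
    user_agent: str = ""        # from the HTTP collector
    lldp_sysdesc: str = ""      # from the LLDP collector

    @property
    def oui(self) -> str:
        return self.mac.lower()[:8]


@dataclass
class Fingerprint:
    name: str
    profile: Profile
    weight: int                              # how much a match of this rule counts
    match: Callable[[Endpoint], bool]        # predicate over the collected attributes


def oui_rule(name, oui, profile, weight=30):
    return Fingerprint(name, profile, weight, lambda ep: ep.oui == oui.lower())


def dhcp_rule(name, option55, profile, weight=50):
    return Fingerprint(name, profile, weight, lambda ep: ep.dhcp_option55 == tuple(option55))


def ua_rule(name, needle, profile, weight=60):
    return Fingerprint(name, profile, weight, lambda ep: needle in ep.user_agent)


def lldp_rule(name, needle, profile, weight=60):
    return Fingerprint(name, profile, weight, lambda ep: needle in ep.lldp_sysdesc)


WINDOWS = Profile("Computer", "Windows", "Windows 10")
GALAXY = Profile("SmartDevice", "Android", "Samsung SM-G900")
IP_PHONE = Profile("VoIP Phone", "ExampleTel", "ExampleTel IP Phone")
WINDOWS_OPTION55 = (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252)

# Built-in fingerprint database (constructed; a real one is far larger and is updated regularly).
BUILTIN_RULES = [
    dhcp_rule("win10-dhcp", WINDOWS_OPTION55, WINDOWS),
    ua_rule("galaxy-ua", "SM-G900", GALAXY),
    lldp_rule("exampletel-lldp", "ExampleTel IP Phone", IP_PHONE),
]


def profile_endpoint(ep: Endpoint, rules, threshold: int = 40) -> tuple:
    """Return (profile, reason). Votes are summed per profile; the winner must
    reach the threshold and must not be contradicted by a vote for another category."""
    votes: dict = {}
    for rule in rules:
        if rule.match(ep):
            votes[rule.profile] = votes.get(rule.profile, 0) + rule.weight
    if not votes:
        return UNKNOWN, "no fingerprint matched"
    best, score = max(votes.items(), key=lambda kv: kv[1])
    conflicting = [p for p in votes if p.category != best.category]
    if conflicting:
        return UNKNOWN, f"conflicting evidence: {best.category} vs {conflicting[0].category}"
    if score < threshold:
        return UNKNOWN, f"low confidence ({score} < {threshold})"
    return best, f"matched with score {score}"


def demo() -> dict:
    rules = list(BUILTIN_RULES)
    # Custom fingerprint for a sensor family the built-in database does not know yet.
    # OUI 02:aa:bb is constructed (locally administered range).
    sensor = Profile("IoT", "Building Sensors", "ExampleSense Temperature Sensor")
    rules.append(oui_rule("examplesense-oui", "02:aa:bb", sensor, weight=45))

    endpoints = {
        "laptop": Endpoint("00:11:22:33:44:55", dhcp_option55=WINDOWS_OPTION55),
        "Jons-Galaxy": Endpoint("66:77:88:99:aa:bb",
                                user_agent="Dalvik/2.1.0 (Linux; Android; SM-G900F Build/EXAMPLE)"),
        "temperature sensor": Endpoint("02:aa:bb:00:00:01"),
        # IoT OUI but a Windows DHCP request list: contradictory evidence
        "spoofed sensor MAC": Endpoint("02:aa:bb:00:00:02", dhcp_option55=WINDOWS_OPTION55),
        "never seen": Endpoint("de:ad:be:ef:00:01"),
    }
    return {name: profile_endpoint(ep, rules) for name, ep in endpoints.items()}


if __name__ == "__main__":
    for name, (prof, why) in demo().items():
        print(f"{name:20s} {prof.category:12s} {prof.product:34s} ({why})")
```

The weights express how hard each collector is to fake: an OUI is a three-octet prefix anyone can set, a DHCP request list comes from the client's network stack, and an LLDP system description or an HTTP User-Agent carries more detail; none is proof on its own, which is why agreement across collectors, not any single match, decides.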
ClearPass Universal Profiler: standalone profiling engine
• Standalone profiling engine
• Wired and wireless networks
• Easily distributed for coverage and scalability
• New device visibility dashboard
• Reports
• Gain visibility of your network
• GA February 2017
DEMO Profiling
ClearPass modules and workflows: OnGuard client health check
• Automated health check before access
• Wired/wireless: ensures posture compliance for laptops/computers
• Security: forces use of anti-virus/anti-spyware, firewalls, disk encryption, …
• Remediation: manual or automatic
• Visibility: identifies poor behaviour
• User notification: tells the user about failed checks
• Type: service (persistent agent) or dissolvable web checker
DEMO OnGuard
ClearPass modules and workflows: secure guest login
• Flexible guest logins for any visitor
• Customizable splash pages
• Self-service workflows
• SMS authentication
• Sponsoring
• Social login
• Vouchers
• Predefined user/password
• MAC caching for repeat visitors
• Suitable for mobile devices
ClearPass modules and workflows: secure guest login, look and feel
ClearPass modules and workflows: OnBoard employee device
• BYOD: employees log in with personal devices
• User and IT friendly: one-time user registration, no IT intervention
• Security: IT-managed 802.1X and certificates
• Context data added to the profile for adaptive policy and troubleshooting
• Self-managed: users can manage, delete and block their devices on their own
ClearPass modules and workflows: certificate distribution for BYOD
Enterprise PKI and CA (Active Directory, Registration Authority, Validation Authority, Certificate Authority): IT-managed devices receive a domain identity and a key & certificate
Built-in ClearPass CA (Certificate Authority): personal devices receive a domain, user and device identity and a key & unique certificate
ClearPass modules and workflows: multi-factor authentication
• Additional authentication for Guest and Onboard workflows
• Multiple methods supported:
• SMS verification code
• RSA Security
• Duo
• Zoom Facial Network
• Kasada
• More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
0900
ENROLL
MOBILE DEVICE
1100
PRIVILEGED ACCESS
WITH MULTI-FACTOR
AUTHENTICATION
1300
BOOK
MEETING ROOM
OPERATIONAL
EXPERIENCE
0930
UNDERSTAND
APP USAGE
Aruba AppRF
1530
MONITOR HEALTH
OF THE SMART
BUILDING
IT EXPERIENCE
1100
PREDICT
DONrsquoT JUST
TROUBLESHOOT
Aruba Clarity
1330
UNDERSTAND
DONrsquoT JUST
MONITOR
ONCE BYOD AND IoT
ARE ON YOUR
NETWORK hellip
SECURING THE
PERIMETER IS NO
LONGER ENOUGH
STAY COMPLIANT
WHILE EMBRACING BYOD AND IOT
Auto-classify unknown devices
on any network with Aruba ClearPass
Automate onboarding of each device
to the network and enforce policy
Detect amp eliminate threats
with ClearPass Exchange partners
SOFTWARE CONTROLS FOR
NETWORK ACCESS SECURITY
Internet of
Things (IoT)
BYOD and
corporate owned
REST
API
Security monitoring
and threat prevention
Device management and
multi-factor authentication
Helpdesk and voiceSMS
service in the cloud
Multi-vendor
switching
Multi-vendor
WLANs
Aruba ClearPass with
Exchange Ecosystem
SOFTWARE CONTROLS FOR ldquoCOLORLESSrdquo PORTS
Device and
user identity
stores
Ports assigned to new
VLANs through ClearPass
based on device type
IoT devices on the
wired network
connecting to any portPrevention against malware
and insider threats
Secure per device
tunneling to Aruba
Mobility Controller
Aruba
switches
LEADING
SWISS
BRANDS
TRUST
US
Pause
Aruba ClearPass ndash Die Loumlsung fuumlr einen sicheren NetzwerkzugangManuel Bitzi SOFTEC AG
Evolution of Access Management and Control
Desktops amp Wired
Basic AAA with UserPort
Control
Windows Vulnerabilities
Perimeter security via
platform silos
High touch IT model
Mobile Devices BYOD amp
Wireless
Multi-factor policy control with
visibility
Multiple Attack Vectors
Cooperative trust via
context sharing
Self Service automated
process
YESTERDAY TODAY
Time For A New Mobility Defense Model
Static Perimeter Defense
IDSIPS
Firewalls
Adaptive Trust Defense
Perimeter
Defense
Physical
Components
AntiVirus
Security and Policy
for each user or
group
Web
gateways
Was sind die Hauptgruumlnde fuumlr ein NAC
AuthentifizierungZugriffsschutz
Automatische Konfiguration
Workflows
VisibilitaumltNachvollziehbarkeit
Top IT NAC Business Drivers
Authentication and Authorization
NAC Services Deployment
Architecture and Coverage
bull Provide secure wired
and wireless access
bull Enhance mobile and
cloud app access
bull Use of certificates
Deployment Services
bull Offer differentiated
access (IT-owned
BYOD IoT)
bull Deliver managed
and reliable guest
access
bull Provide consistent
privileges regardless
of location
bull Leverage 3rd-party
security solutions
bull IT-controlled access
bull Automate workflows
bull Simplicity
bull Possible User-
intervention
ClearPass Policy Manager and NAC Solution
Onboard Guest
Built-inbull Policy Enginebull RADIUSCoATACACSbull Profilingbull Accountingreportsbull Identity store
Expandable Applications
Remote Location
bull BYOD onboardingbull Simple guest accessbull Health assessments
OnGuard
Whatrsquos Inside
VISIBILITY
Device Profiling
Troubleshooting
Per Session Tracking
WORKFLOW
Onboarding and
Self-Registration
Guest Management
MDMEMM Integration
RULES
Context based
Device
Posture Checks
Built-in Certificate
Authority
Authentication based on Device Context
Device
Profiling
bull Samsung SM-G900
bull Android
bull ldquoJons-Galaxyrdquo
EMMMDMOnGuard
bull Personal owned
bull Registered
bull OS up-to-date
bull Hansen Jon [Sales]
bull MDM enabled = true
bull In-compliance = true
Identity
Stores
Network Devices
bull Hansen Jon [Sales]
bull Title ndash COO
bull Dept ndash Executive office
bull City ndash London
bull Location ndash Bldg 10
bull Floor ndash 3
bull Bandwidth ndash 10Mbps
Value of a Policy EngineRemove SSID Overload
NEW WAY Simplify separate traffic dynamically
by context
OLD WAY Separate access amp
traffic by SSIDs
ClearPass ExchangeEnd-to-End Control Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voiceSMSservice in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST APISQL
XMLHTTP LDAP
RADIUSTACACS
Traffic control ampthreat prevention
ClearPass Exchange ExampleExtensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
Devices profiled2 ClearPass checks McAfee ePO for endpoint status
3
ClearPass enforcesaccess privileges4
Devices establish connections1
ClearPass Exchange ExampleBi-directional Exchange ndash FirewallIPS Event
FirewallIPSSIEMetchellip
user connects and uploads threat
sends event to ClearPass
informs infrastructure
1 2
4
detects and blocks event
3isolates user5
notifies user opens service ticket notify third-party devices6
ClearPass Profiler Engine
bull ClearPass sammelt so viele Informationen wie moumlglich um einen Geraumltetyp zu bestimmen
bull Category Family Product Name
bull Fingerprint-Datenbank wird regelmaumlssig aktualisiert
bull Eigene Fingerprints erstellen
bull Credentials fuumlr SMNP SSH etc hinterlegen
bull Profiling bei Authentifizierung oder nach Bedarf
bull Erkennen von IoT Devices
DHCP
SNMP
SSH
TCPWMI
CDP LLDP
OnGuard
NMAP
Mac OUI
HTTP
ClearPass Profiler EngineProfiling on authentication discover IoT
AfterBefore
Lighting Sensorunknown
unknown Temperature Sensor
send to
quarantineprofiling assign
new policy
discover IoT assign appropriated policy
ClearPass Profiler EngineCustom Fingerprints Rules
NEW WAY Create your own
Fingerprints
OLD WAY Wait for new Fingerprints to be made andor manually override
devices 11
ClearPass Universal ProfilerStandalone Profiling Engine
bull Standalone profiling engine
bull Wired and wireless networks
bull Easily distributed for coverage
and scalability
bull New device visibility dashboard
bull Reports
bull Gain Visibility of your Network
bull GA February 2017
ClearPass Universal Profiler
DEMO Profiling
Clearpass Modules WorkflowsOnGuard Client Health Check
bull Automated Healthcheck before Access
bull WiredWireless Ensures posture compliance for laptopscomputers
bull Security Forces use of Anti-VirusAnti-Spyware firewalls disk encryptionhellip
bull Remediation Manual or auto
bull Visibility Identifies poor behavior
bull User Notification Tells User about failed checks
bull Type Service or dissolvable Web Checker
DEMO OnGuard
Clearpass Modules WorkflowsSecure Guest Login
bull Flexible Guest Logins for Any Visitor
bull Customizable Splash Pages
bull Self-Service Workflows
bull SMS Authentication
bull Sponsoring
bull Social Login
bull Vouchers
bull Predefined UserPassword
bull MAC Caching for repeat visitors
bull Suitable for Mobile Devices
Clearpass Modules WorkflowsSecure Guest Login Look and Feel
Clearpass Modules WorkflowsOnBoard Employee Device
bull BYOD Employees Login with Personal Devices
bull User and IT friendly One time user registration no IT intervention
bull Security IT managed 8021X and Certificates
bull Context Data added to profile for adaptive policy and troubleshooting
bull Selfmanaged User can manage delete and block devices by their own
Clearpass Modules WorkflowsCertificate Distribution for BYOD
bull Domain
bull Key amp
Certificate
Enterprise PKI and CA Built-in ClearPass CA
Certificate
Authority
Validation
Authority
Registration
Authority
Active
Directory
IT-Managed
Devices
bull Domain
bull User
bull Device
bull Key amp Unique
Certificate
Personal
Devices
CA
Certificate
Authority
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
1100
PRIVILEGED ACCESS
WITH MULTI-FACTOR
AUTHENTICATION
1300
BOOK
MEETING ROOM
OPERATIONAL
EXPERIENCE
0930
UNDERSTAND
APP USAGE
Aruba AppRF
1530
MONITOR HEALTH
OF THE SMART
BUILDING
IT EXPERIENCE
1100
PREDICT
DONrsquoT JUST
TROUBLESHOOT
Aruba Clarity
1330
UNDERSTAND
DONrsquoT JUST
MONITOR
ONCE BYOD AND IoT
ARE ON YOUR
NETWORK hellip
SECURING THE
PERIMETER IS NO
LONGER ENOUGH
STAY COMPLIANT
WHILE EMBRACING BYOD AND IOT
Auto-classify unknown devices
on any network with Aruba ClearPass
Automate onboarding of each device
to the network and enforce policy
Detect amp eliminate threats
with ClearPass Exchange partners
SOFTWARE CONTROLS FOR
NETWORK ACCESS SECURITY
Internet of
Things (IoT)
BYOD and
corporate owned
REST
API
Security monitoring
and threat prevention
Device management and
multi-factor authentication
Helpdesk and voiceSMS
service in the cloud
Multi-vendor
switching
Multi-vendor
WLANs
Aruba ClearPass with
Exchange Ecosystem
SOFTWARE CONTROLS FOR ldquoCOLORLESSrdquo PORTS
Device and
user identity
stores
Ports assigned to new
VLANs through ClearPass
based on device type
IoT devices on the
wired network
connecting to any portPrevention against malware
and insider threats
Secure per device
tunneling to Aruba
Mobility Controller
Aruba
switches
LEADING
SWISS
BRANDS
TRUST
US
Pause
Aruba ClearPass ndash Die Loumlsung fuumlr einen sicheren NetzwerkzugangManuel Bitzi SOFTEC AG
Evolution of Access Management and Control
Desktops amp Wired
Basic AAA with UserPort
Control
Windows Vulnerabilities
Perimeter security via
platform silos
High touch IT model
Mobile Devices BYOD amp
Wireless
Multi-factor policy control with
visibility
Multiple Attack Vectors
Cooperative trust via
context sharing
Self Service automated
process
YESTERDAY TODAY
Time For A New Mobility Defense Model
Static Perimeter Defense
IDSIPS
Firewalls
Adaptive Trust Defense
Perimeter
Defense
Physical
Components
AntiVirus
Security and Policy
for each user or
group
Web
gateways
Was sind die Hauptgruumlnde fuumlr ein NAC
AuthentifizierungZugriffsschutz
Automatische Konfiguration
Workflows
VisibilitaumltNachvollziehbarkeit
Top IT NAC Business Drivers
Authentication and Authorization
NAC Services Deployment
Architecture and Coverage
bull Provide secure wired
and wireless access
bull Enhance mobile and
cloud app access
bull Use of certificates
Deployment Services
bull Offer differentiated
access (IT-owned
BYOD IoT)
bull Deliver managed
and reliable guest
access
bull Provide consistent
privileges regardless
of location
bull Leverage 3rd-party
security solutions
bull IT-controlled access
bull Automate workflows
bull Simplicity
bull Possible User-
intervention
ClearPass Policy Manager and NAC Solution
Onboard Guest
Built-inbull Policy Enginebull RADIUSCoATACACSbull Profilingbull Accountingreportsbull Identity store
Expandable Applications
Remote Location
bull BYOD onboardingbull Simple guest accessbull Health assessments
OnGuard
Whatrsquos Inside
VISIBILITY
Device Profiling
Troubleshooting
Per Session Tracking
WORKFLOW
Onboarding and
Self-Registration
Guest Management
MDMEMM Integration
RULES
Context based
Device
Posture Checks
Built-in Certificate
Authority
Authentication based on Device Context
Device
Profiling
bull Samsung SM-G900
bull Android
bull ldquoJons-Galaxyrdquo
EMMMDMOnGuard
bull Personal owned
bull Registered
bull OS up-to-date
bull Hansen Jon [Sales]
bull MDM enabled = true
bull In-compliance = true
Identity
Stores
Network Devices
bull Hansen Jon [Sales]
bull Title ndash COO
bull Dept ndash Executive office
bull City ndash London
bull Location ndash Bldg 10
bull Floor ndash 3
bull Bandwidth ndash 10Mbps
Value of a Policy EngineRemove SSID Overload
NEW WAY Simplify separate traffic dynamically
by context
OLD WAY Separate access amp
traffic by SSIDs
ClearPass ExchangeEnd-to-End Control Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voiceSMSservice in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST APISQL
XMLHTTP LDAP
RADIUSTACACS
Traffic control ampthreat prevention
ClearPass Exchange ExampleExtensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
Devices profiled2 ClearPass checks McAfee ePO for endpoint status
3
ClearPass enforcesaccess privileges4
Devices establish connections1
ClearPass Exchange ExampleBi-directional Exchange ndash FirewallIPS Event
FirewallIPSSIEMetchellip
user connects and uploads threat
sends event to ClearPass
informs infrastructure
1 2
4
detects and blocks event
3isolates user5
notifies user opens service ticket notify third-party devices6
ClearPass Profiler Engine
bull ClearPass sammelt so viele Informationen wie moumlglich um einen Geraumltetyp zu bestimmen
bull Category Family Product Name
bull Fingerprint-Datenbank wird regelmaumlssig aktualisiert
bull Eigene Fingerprints erstellen
bull Credentials fuumlr SMNP SSH etc hinterlegen
bull Profiling bei Authentifizierung oder nach Bedarf
bull Erkennen von IoT Devices
DHCP
SNMP
SSH
TCPWMI
CDP LLDP
OnGuard
NMAP
Mac OUI
HTTP
ClearPass Profiler EngineProfiling on authentication discover IoT
AfterBefore
Lighting Sensorunknown
unknown Temperature Sensor
send to
quarantineprofiling assign
new policy
discover IoT assign appropriated policy
ClearPass Profiler EngineCustom Fingerprints Rules
NEW WAY Create your own
Fingerprints
OLD WAY Wait for new Fingerprints to be made andor manually override
devices 11
ClearPass Universal ProfilerStandalone Profiling Engine
bull Standalone profiling engine
bull Wired and wireless networks
bull Easily distributed for coverage
and scalability
bull New device visibility dashboard
bull Reports
bull Gain Visibility of your Network
bull GA February 2017
ClearPass Universal Profiler
DEMO Profiling
Clearpass Modules WorkflowsOnGuard Client Health Check
bull Automated Healthcheck before Access
bull WiredWireless Ensures posture compliance for laptopscomputers
bull Security Forces use of Anti-VirusAnti-Spyware firewalls disk encryptionhellip
bull Remediation Manual or auto
bull Visibility Identifies poor behavior
bull User Notification Tells User about failed checks
bull Type Service or dissolvable Web Checker
DEMO OnGuard
Clearpass Modules WorkflowsSecure Guest Login
bull Flexible Guest Logins for Any Visitor
bull Customizable Splash Pages
bull Self-Service Workflows
bull SMS Authentication
bull Sponsoring
bull Social Login
bull Vouchers
bull Predefined UserPassword
bull MAC Caching for repeat visitors
bull Suitable for Mobile Devices
Clearpass Modules WorkflowsSecure Guest Login Look and Feel
Clearpass Modules WorkflowsOnBoard Employee Device
bull BYOD Employees Login with Personal Devices
bull User and IT friendly One time user registration no IT intervention
bull Security IT managed 8021X and Certificates
bull Context Data added to profile for adaptive policy and troubleshooting
bull Selfmanaged User can manage delete and block devices by their own
Clearpass Modules WorkflowsCertificate Distribution for BYOD
bull Domain
bull Key amp
Certificate
Enterprise PKI and CA Built-in ClearPass CA
Certificate
Authority
Validation
Authority
Registration
Authority
Active
Directory
IT-Managed
Devices
bull Domain
bull User
bull Device
bull Key amp Unique
Certificate
Personal
Devices
CA
Certificate
Authority
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
1300
BOOK
MEETING ROOM
OPERATIONAL
EXPERIENCE
0930
UNDERSTAND
APP USAGE
Aruba AppRF
1530
MONITOR HEALTH
OF THE SMART
BUILDING
IT EXPERIENCE
1100
PREDICT
DONrsquoT JUST
TROUBLESHOOT
Aruba Clarity
1330
UNDERSTAND
DONrsquoT JUST
MONITOR
ONCE BYOD AND IoT
ARE ON YOUR
NETWORK hellip
SECURING THE
PERIMETER IS NO
LONGER ENOUGH
STAY COMPLIANT
WHILE EMBRACING BYOD AND IOT
Auto-classify unknown devices
on any network with Aruba ClearPass
Automate onboarding of each device
to the network and enforce policy
Detect amp eliminate threats
with ClearPass Exchange partners
SOFTWARE CONTROLS FOR
NETWORK ACCESS SECURITY
Internet of
Things (IoT)
BYOD and
corporate owned
REST
API
Security monitoring
and threat prevention
Device management and
multi-factor authentication
Helpdesk and voiceSMS
service in the cloud
Multi-vendor
switching
Multi-vendor
WLANs
Aruba ClearPass with
Exchange Ecosystem
SOFTWARE CONTROLS FOR ldquoCOLORLESSrdquo PORTS
Device and
user identity
stores
Ports assigned to new
VLANs through ClearPass
based on device type
IoT devices on the
wired network
connecting to any portPrevention against malware
and insider threats
Secure per device
tunneling to Aruba
Mobility Controller
Aruba
switches
LEADING
SWISS
BRANDS
TRUST
US
Pause
Aruba ClearPass ndash Die Loumlsung fuumlr einen sicheren NetzwerkzugangManuel Bitzi SOFTEC AG
Evolution of Access Management and Control
Desktops amp Wired
Basic AAA with UserPort
Control
Windows Vulnerabilities
Perimeter security via
platform silos
High touch IT model
Mobile Devices BYOD amp
Wireless
Multi-factor policy control with
visibility
Multiple Attack Vectors
Cooperative trust via
context sharing
Self Service automated
process
YESTERDAY TODAY
Time For A New Mobility Defense Model
Static Perimeter Defense
IDSIPS
Firewalls
Adaptive Trust Defense
Perimeter
Defense
Physical
Components
AntiVirus
Security and Policy
for each user or
group
Web
gateways
Was sind die Hauptgruumlnde fuumlr ein NAC
AuthentifizierungZugriffsschutz
Automatische Konfiguration
Workflows
VisibilitaumltNachvollziehbarkeit
Top IT NAC Business Drivers
Authentication and Authorization
NAC Services Deployment
Architecture and Coverage
bull Provide secure wired
and wireless access
bull Enhance mobile and
cloud app access
bull Use of certificates
Deployment Services
bull Offer differentiated
access (IT-owned
BYOD IoT)
bull Deliver managed
and reliable guest
access
bull Provide consistent
privileges regardless
of location
bull Leverage 3rd-party
security solutions
bull IT-controlled access
bull Automate workflows
bull Simplicity
bull Possible User-
intervention
ClearPass Policy Manager and NAC Solution
Onboard Guest
Built-inbull Policy Enginebull RADIUSCoATACACSbull Profilingbull Accountingreportsbull Identity store
Expandable Applications
Remote Location
bull BYOD onboardingbull Simple guest accessbull Health assessments
OnGuard
Whatrsquos Inside
VISIBILITY
Device Profiling
Troubleshooting
Per Session Tracking
WORKFLOW
Onboarding and
Self-Registration
Guest Management
MDMEMM Integration
RULES
Context based
Device
Posture Checks
Built-in Certificate
Authority
Authentication based on Device Context
Device
Profiling
bull Samsung SM-G900
bull Android
bull ldquoJons-Galaxyrdquo
EMMMDMOnGuard
bull Personal owned
bull Registered
bull OS up-to-date
bull Hansen Jon [Sales]
bull MDM enabled = true
bull In-compliance = true
Identity
Stores
Network Devices
bull Hansen Jon [Sales]
bull Title ndash COO
bull Dept ndash Executive office
bull City ndash London
bull Location ndash Bldg 10
bull Floor ndash 3
bull Bandwidth ndash 10Mbps
Value of a Policy EngineRemove SSID Overload
NEW WAY Simplify separate traffic dynamically
by context
OLD WAY Separate access amp
traffic by SSIDs
ClearPass ExchangeEnd-to-End Control Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voiceSMSservice in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST APISQL
XMLHTTP LDAP
RADIUSTACACS
Traffic control ampthreat prevention
ClearPass Exchange ExampleExtensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
Devices profiled2 ClearPass checks McAfee ePO for endpoint status
3
ClearPass enforcesaccess privileges4
Devices establish connections1
ClearPass Exchange ExampleBi-directional Exchange ndash FirewallIPS Event
FirewallIPSSIEMetchellip
user connects and uploads threat
sends event to ClearPass
informs infrastructure
1 2
4
detects and blocks event
3isolates user5
notifies user opens service ticket notify third-party devices6
ClearPass Profiler Engine
bull ClearPass sammelt so viele Informationen wie moumlglich um einen Geraumltetyp zu bestimmen
bull Category Family Product Name
bull Fingerprint-Datenbank wird regelmaumlssig aktualisiert
bull Eigene Fingerprints erstellen
bull Credentials fuumlr SMNP SSH etc hinterlegen
bull Profiling bei Authentifizierung oder nach Bedarf
bull Erkennen von IoT Devices
DHCP
SNMP
SSH
TCPWMI
CDP LLDP
OnGuard
NMAP
Mac OUI
HTTP
ClearPass Profiler EngineProfiling on authentication discover IoT
AfterBefore
Lighting Sensorunknown
unknown Temperature Sensor
send to
quarantineprofiling assign
new policy
discover IoT assign appropriated policy
ClearPass Profiler EngineCustom Fingerprints Rules
NEW WAY Create your own
Fingerprints
OLD WAY Wait for new Fingerprints to be made andor manually override
devices 11
ClearPass Universal ProfilerStandalone Profiling Engine
bull Standalone profiling engine
bull Wired and wireless networks
bull Easily distributed for coverage
and scalability
bull New device visibility dashboard
bull Reports
bull Gain Visibility of your Network
bull GA February 2017
ClearPass Universal Profiler
DEMO Profiling
Clearpass Modules WorkflowsOnGuard Client Health Check
bull Automated Healthcheck before Access
bull WiredWireless Ensures posture compliance for laptopscomputers
bull Security Forces use of Anti-VirusAnti-Spyware firewalls disk encryptionhellip
bull Remediation Manual or auto
bull Visibility Identifies poor behavior
bull User Notification Tells User about failed checks
bull Type Service or dissolvable Web Checker
DEMO OnGuard
Clearpass Modules WorkflowsSecure Guest Login
bull Flexible Guest Logins for Any Visitor
bull Customizable Splash Pages
bull Self-Service Workflows
bull SMS Authentication
bull Sponsoring
bull Social Login
bull Vouchers
bull Predefined UserPassword
bull MAC Caching for repeat visitors
bull Suitable for Mobile Devices
Clearpass Modules WorkflowsSecure Guest Login Look and Feel
ClearPass Modules & Workflows: OnBoard Employee Device
• BYOD: employees log in with personal devices
• User- and IT-friendly: one-time user registration, no IT intervention
• Security: IT-managed 802.1X and certificates
• Context: data added to the profile for adaptive policy and troubleshooting
• Self-managed: users can manage, delete and block their devices on their own
ClearPass Modules & Workflows: Certificate Distribution for BYOD
Enterprise PKI and CA (Certificate Authority, Validation Authority, Registration Authority, Active Directory; AD/RA/VA/CA)
  → IT-managed devices: domain, key & certificate
Built-in ClearPass CA (Certificate Authority)
  → Personal devices: domain, user, device, key & unique certificate
ClearPass Modules & Workflows: Multi-Factor Authentication
• Additional authentication for Guest and Onboard workflows
• Multiple providers supported:
• SMS verification code
• RSA Security
• Duo
• Zoom Facial Network
• Kasada
• More to come
DEMO: OnBoard / BYOD
Possible Access Concept: Wireless
Rows: Guests (SSID "open", captive portal), BYOD (SSID "secure", 802.1X), IoT (SSID "IoT", PSK / MAC / profiling), Corp-PC, others
Access levels: Internet only, Corp LAN, Internet
Possible Access Concept: Wired
Rows: Guests (captive portal), 802.1X, MAC auth, profiling, Corp-PC (certificate), others
Access levels: Internet only, Corp LAN, Internet
How to Approach a NAC Project: Best Practice and Experience
• Know the devices on the network
• What is there? Where are they? New ones?
• Inventory, profiling
• Define use cases
• Which stakeholder groups are there?
• Workflows, processes, access
• Simple and few: keep it simple
• Plan enough time for a proof of concept
• Bring the experience from the PoC back in and adapt
• Implement step by step
• Not everything at once
• But in the end with full coverage
Thank you for your attention
Manuel Bitzi, Project Manager Network Engineering
manuelbitzisoftecch
Apéro and Networking
Thank you for your visit
SOFTEC AG, Industriestrasse 51, CH-6312 Steinhausen
kurtchristensoftecch | +41 41 747 07 60
OPERATIONAL EXPERIENCE
09:30 UNDERSTAND APP USAGE (Aruba AppRF)
15:30 MONITOR HEALTH OF THE SMART BUILDING
IT EXPERIENCE
11:00 PREDICT, DON'T JUST TROUBLESHOOT (Aruba Clarity)
13:30 UNDERSTAND, DON'T JUST MONITOR
ONCE BYOD AND IoT ARE ON YOUR NETWORK … SECURING THE PERIMETER IS NO LONGER ENOUGH
STAY COMPLIANT WHILE EMBRACING BYOD AND IOT
Auto-classify unknown devices on any network with Aruba ClearPass
Automate onboarding of each device to the network and enforce policy
Detect & eliminate threats with ClearPass Exchange partners
SOFTWARE CONTROLS FOR NETWORK ACCESS SECURITY
Aruba ClearPass with Exchange Ecosystem: Internet of Things (IoT); BYOD and corporate owned; REST API; Security monitoring and threat prevention; Device management and multi-factor authentication; Helpdesk and voice/SMS service in the cloud; Multi-vendor switching; Multi-vendor WLANs
SOFTWARE CONTROLS FOR "COLORLESS" PORTS
Device and user identity stores
Ports assigned to new VLANs through ClearPass based on device type
IoT devices on the wired network connecting to any port
Prevention against malware and insider threats
Secure per-device tunneling to Aruba Mobility Controller
Aruba switches
LEADING SWISS BRANDS TRUST US
Pause
Aruba ClearPass – The Solution for Secure Network Access
Manuel Bitzi, SOFTEC AG
Evolution of Access Management and Control
YESTERDAY: Desktops & wired; Basic AAA with user/port control; Windows vulnerabilities; Perimeter security via platform silos; High-touch IT model
TODAY: Mobile devices, BYOD & wireless; Multi-factor policy control with visibility; Multiple attack vectors; Cooperative trust via context sharing; Self-service, automated process
Time For A New Mobility Defense Model
Static Perimeter Defense (perimeter defense, physical components): IDS/IPS, Firewalls, AntiVirus, Web gateways
Adaptive Trust Defense: Security and policy for each user or group
What are the main reasons for a NAC?
Authentication / access protection
Automatic configuration
Workflows
Visibility / traceability
Top IT NAC Business Drivers
Authentication and Authorization | NAC Services Deployment | Architecture and Coverage
• Provide secure wired and wireless access
• Enhance mobile and cloud app access
• Use of certificates
Deployment Services
• Offer differentiated access (IT-owned, BYOD, IoT)
• Deliver managed and reliable guest access
• Provide consistent privileges regardless of location
• Leverage 3rd-party security solutions
• IT-controlled access
• Automate workflows
• Simplicity
• Possible user intervention
ClearPass Policy Manager and NAC Solution
Built-in: • Policy engine • RADIUS/CoA/TACACS • Profiling • Accounting/reports • Identity store
Expandable applications (Onboard, Guest, OnGuard): • BYOD onboarding • Simple guest access • Health assessments
Remote location
What's Inside
VISIBILITY: Device profiling; Troubleshooting; Per-session tracking
WORKFLOW: Onboarding and self-registration; Guest management; MDM/EMM integration
RULES: Context based; Device posture checks; Built-in Certificate Authority
Authentication based on Device Context
Device profiling: • Samsung SM-G900 • Android • "Jons-Galaxy"
EMM/MDM/OnGuard: • Personal owned • Registered • OS up-to-date • Hansen Jon [Sales] • MDM enabled = true • In-compliance = true
Identity stores: • Hansen Jon [Sales] • Title – COO • Dept – Executive office • City – London • Location – Bldg 10 • Floor – 3 • Bandwidth – 10Mbps
Network devices
Value of a Policy Engine: Remove SSID Overload
NEW WAY: Simplify, separate traffic dynamically by context
OLD WAY: Separate access & traffic by SSIDs
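The "Authentication based on Device Context" slide, the two "Possible Access Concept" tables and the "NEW WAY" of separating traffic by context instead of by SSID all describe the same thing: an ordered rule table that turns device, posture and identity attributes into an enforcement profile. The block below is an added illustration of that idea, not ClearPass code; the attribute names, rule names, role/VLAN labels and the way table rows are mapped to outcomes are assumptions, since the slide tables are flattened in this transcript.

```python
"""Context-based access policy as an ordered rule table, modelled on the
ClearPass slides above. Added example, not ClearPass code: attribute names,
rule order, role/VLAN labels and row-to-outcome mapping are assumptions."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Context:
    """Everything known about one access request at decision time."""
    medium: str                            # "wireless" or "wired"
    ssid: str = ""                         # "open" / "secure" / "IoT" (wireless only)
    auth: str = ""                         # "captive-portal", "dot1x", "mac-auth", "psk"
    cert_type: str = ""                    # "machine" or "user" for certificate 802.1X
    device_category: str = "unknown"       # from the profiler
    ownership: str = "unknown"             # "corporate" / "personal"
    mdm_compliant: Optional[bool] = None   # EMM/MDM/OnGuard posture; None = not yet known
    ad_groups: tuple = ()                  # identity store groups
    bandwidth_mbps: Optional[int] = None   # identity store attribute ("Bandwidth - 10Mbps")


@dataclass(frozen=True)
class Enforcement:
    role: str
    vlan: str
    bandwidth_mbps: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    when: Callable[[Context], bool]
    then: Callable[[Context], Enforcement]


# Evaluated top to bottom, first match wins. Note that the posture-failure rule
# sits above the BYOD rule, so unknown posture (None) is never treated as compliant.
RULES = (
    Rule("guest-captive-portal",
         lambda c: c.auth == "captive-portal",
         lambda c: Enforcement("guest", "internet-only")),
    Rule("corp-pc-machine-cert",
         lambda c: c.auth == "dot1x" and c.cert_type == "machine"
         and c.ownership == "corporate",
         lambda c: Enforcement("employee", "corp-lan")),
    Rule("byod-non-compliant",
         lambda c: c.auth == "dot1x" and c.cert_type == "user"
         and c.mdm_compliant is not True,
         lambda c: Enforcement("remediation", "quarantine")),
    Rule("byod-compliant",
         lambda c: c.auth == "dot1x" and c.cert_type == "user"
         and c.mdm_compliant is True,
         # per-user bandwidth contract comes from the identity store attribute
         lambda c: Enforcement("byod", "internet", c.bandwidth_mbps)),
    Rule("iot-profiled",
         lambda c: c.auth in ("psk", "mac-auth") and c.device_category == "IoT",
         lambda c: Enforcement("iot", "iot-restricted")),
)

# Anything the rules do not recognise lands in quarantine, where profiling can
# gather more attributes and a later CoA can move the session to a real policy.
DEFAULT = Enforcement("unknown", "quarantine")


def decide(ctx, rules=RULES):
    """Return (rule name, enforcement) for the first matching rule."""
    for rule in rules:
        if rule.when(ctx):
            return rule.name, rule.then(ctx)
    return "default", DEFAULT


if __name__ == "__main__":
    # constructed request resembling the "Jons-Galaxy" example on the slide
    jon = Context(medium="wireless", ssid="secure", auth="dot1x", cert_type="user",
                  device_category="SmartDevice", ownership="personal",
                  mdm_compliant=True, ad_groups=("Sales",), bandwidth_mbps=10)
    print(decide(jon))
    jon.mdm_compliant = False            # posture check failed -> remediation VLAN
    print(decide(jon))
```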
ClearPass Exchange: End-to-End Control, Information and Visibility
Multi-vendor infrastructure
Device management and multi-factor authentication
Helpdesk and voice/SMS service in the cloud
Combine identity information
Standard protocols for custom extensions: REST API / SQL; XML / HTTP; LDAP; RADIUS / TACACS
Traffic control & threat prevention
ClearPass Exchange Example: Extensions for Intel Security – McAfee ePO
Corporate owned and IoT; BYOD and corporate owned; Multi-vendor switching; Multi-vendor WLAN; McAfee ePO
1 Devices establish connections
2 Devices profiled
3 ClearPass checks McAfee ePO for endpoint status
4 ClearPass enforces access privileges
ClearPass Exchange Example: Bi-directional Exchange – Firewall/IPS Event
Firewall / IPS / SIEM etc. …
1 User connects and uploads threat
2 Detects and blocks event
3 Sends event to ClearPass
4 Informs infrastructure
5 Isolates user
notifies user opens service ticket notify third-party devices6
ClearPass Profiler Engine
bull ClearPass sammelt so viele Informationen wie moumlglich um einen Geraumltetyp zu bestimmen
bull Category Family Product Name
bull Fingerprint-Datenbank wird regelmaumlssig aktualisiert
bull Eigene Fingerprints erstellen
bull Credentials fuumlr SMNP SSH etc hinterlegen
bull Profiling bei Authentifizierung oder nach Bedarf
bull Erkennen von IoT Devices
DHCP
SNMP
SSH
TCPWMI
CDP LLDP
OnGuard
NMAP
Mac OUI
HTTP
ClearPass Profiler EngineProfiling on authentication discover IoT
AfterBefore
Lighting Sensorunknown
unknown Temperature Sensor
send to
quarantineprofiling assign
new policy
discover IoT assign appropriated policy
ClearPass Profiler EngineCustom Fingerprints Rules
NEW WAY Create your own
Fingerprints
OLD WAY Wait for new Fingerprints to be made andor manually override
devices 11
ClearPass Universal ProfilerStandalone Profiling Engine
bull Standalone profiling engine
bull Wired and wireless networks
bull Easily distributed for coverage
and scalability
bull New device visibility dashboard
bull Reports
bull Gain Visibility of your Network
bull GA February 2017
ClearPass Universal Profiler
DEMO Profiling
Clearpass Modules WorkflowsOnGuard Client Health Check
bull Automated Healthcheck before Access
bull WiredWireless Ensures posture compliance for laptopscomputers
bull Security Forces use of Anti-VirusAnti-Spyware firewalls disk encryptionhellip
bull Remediation Manual or auto
bull Visibility Identifies poor behavior
bull User Notification Tells User about failed checks
bull Type Service or dissolvable Web Checker
DEMO OnGuard
Clearpass Modules WorkflowsSecure Guest Login
bull Flexible Guest Logins for Any Visitor
bull Customizable Splash Pages
bull Self-Service Workflows
bull SMS Authentication
bull Sponsoring
bull Social Login
bull Vouchers
bull Predefined UserPassword
bull MAC Caching for repeat visitors
bull Suitable for Mobile Devices
Clearpass Modules WorkflowsSecure Guest Login Look and Feel
Clearpass Modules WorkflowsOnBoard Employee Device
bull BYOD Employees Login with Personal Devices
bull User and IT friendly One time user registration no IT intervention
bull Security IT managed 8021X and Certificates
bull Context Data added to profile for adaptive policy and troubleshooting
bull Selfmanaged User can manage delete and block devices by their own
Clearpass Modules WorkflowsCertificate Distribution for BYOD
bull Domain
bull Key amp
Certificate
Enterprise PKI and CA Built-in ClearPass CA
Certificate
Authority
Validation
Authority
Registration
Authority
Active
Directory
IT-Managed
Devices
bull Domain
bull User
bull Device
bull Key amp Unique
Certificate
Personal
Devices
CA
Certificate
Authority
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
0930
UNDERSTAND
APP USAGE
Aruba AppRF
1530
MONITOR HEALTH
OF THE SMART
BUILDING
IT EXPERIENCE
1100
PREDICT
DONrsquoT JUST
TROUBLESHOOT
Aruba Clarity
1330
UNDERSTAND
DONrsquoT JUST
MONITOR
ONCE BYOD AND IoT
ARE ON YOUR
NETWORK hellip
SECURING THE
PERIMETER IS NO
LONGER ENOUGH
STAY COMPLIANT
WHILE EMBRACING BYOD AND IOT
Auto-classify unknown devices
on any network with Aruba ClearPass
Automate onboarding of each device
to the network and enforce policy
Detect amp eliminate threats
with ClearPass Exchange partners
SOFTWARE CONTROLS FOR
NETWORK ACCESS SECURITY
Internet of
Things (IoT)
BYOD and
corporate owned
REST
API
Security monitoring
and threat prevention
Device management and
multi-factor authentication
Helpdesk and voiceSMS
service in the cloud
Multi-vendor
switching
Multi-vendor
WLANs
Aruba ClearPass with
Exchange Ecosystem
SOFTWARE CONTROLS FOR ldquoCOLORLESSrdquo PORTS
Device and
user identity
stores
Ports assigned to new
VLANs through ClearPass
based on device type
IoT devices on the
wired network
connecting to any portPrevention against malware
and insider threats
Secure per device
tunneling to Aruba
Mobility Controller
Aruba
switches
LEADING
SWISS
BRANDS
TRUST
US
Pause
Aruba ClearPass ndash Die Loumlsung fuumlr einen sicheren NetzwerkzugangManuel Bitzi SOFTEC AG
Evolution of Access Management and Control
Desktops amp Wired
Basic AAA with UserPort
Control
Windows Vulnerabilities
Perimeter security via
platform silos
High touch IT model
Mobile Devices BYOD amp
Wireless
Multi-factor policy control with
visibility
Multiple Attack Vectors
Cooperative trust via
context sharing
Self Service automated
process
YESTERDAY TODAY
Time For A New Mobility Defense Model
Static Perimeter Defense
IDSIPS
Firewalls
Adaptive Trust Defense
Perimeter
Defense
Physical
Components
AntiVirus
Security and Policy
for each user or
group
Web
gateways
Was sind die Hauptgruumlnde fuumlr ein NAC
AuthentifizierungZugriffsschutz
Automatische Konfiguration
Workflows
VisibilitaumltNachvollziehbarkeit
Top IT NAC Business Drivers
Authentication and Authorization
NAC Services Deployment
Architecture and Coverage
bull Provide secure wired
and wireless access
bull Enhance mobile and
cloud app access
bull Use of certificates
Deployment Services
bull Offer differentiated
access (IT-owned
BYOD IoT)
bull Deliver managed
and reliable guest
access
bull Provide consistent
privileges regardless
of location
bull Leverage 3rd-party
security solutions
bull IT-controlled access
bull Automate workflows
bull Simplicity
bull Possible User-
intervention
ClearPass Policy Manager and NAC Solution
Onboard Guest
Built-inbull Policy Enginebull RADIUSCoATACACSbull Profilingbull Accountingreportsbull Identity store
Expandable Applications
Remote Location
bull BYOD onboardingbull Simple guest accessbull Health assessments
OnGuard
Whatrsquos Inside
VISIBILITY
Device Profiling
Troubleshooting
Per Session Tracking
WORKFLOW
Onboarding and
Self-Registration
Guest Management
MDMEMM Integration
RULES
Context based
Device
Posture Checks
Built-in Certificate
Authority
Authentication based on Device Context
Device
Profiling
bull Samsung SM-G900
bull Android
bull ldquoJons-Galaxyrdquo
EMMMDMOnGuard
bull Personal owned
bull Registered
bull OS up-to-date
bull Hansen Jon [Sales]
bull MDM enabled = true
bull In-compliance = true
Identity
Stores
Network Devices
bull Hansen Jon [Sales]
bull Title ndash COO
bull Dept ndash Executive office
bull City ndash London
bull Location ndash Bldg 10
bull Floor ndash 3
bull Bandwidth ndash 10Mbps
Value of a Policy EngineRemove SSID Overload
NEW WAY Simplify separate traffic dynamically
by context
OLD WAY Separate access amp
traffic by SSIDs
ClearPass ExchangeEnd-to-End Control Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voiceSMSservice in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST APISQL
XMLHTTP LDAP
RADIUSTACACS
Traffic control ampthreat prevention
ClearPass Exchange ExampleExtensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
Devices profiled2 ClearPass checks McAfee ePO for endpoint status
3
ClearPass enforcesaccess privileges4
Devices establish connections1
ClearPass Exchange ExampleBi-directional Exchange ndash FirewallIPS Event
FirewallIPSSIEMetchellip
user connects and uploads threat
sends event to ClearPass
informs infrastructure
1 2
4
detects and blocks event
3isolates user5
notifies user opens service ticket notify third-party devices6
ClearPass Profiler Engine
bull ClearPass sammelt so viele Informationen wie moumlglich um einen Geraumltetyp zu bestimmen
bull Category Family Product Name
bull Fingerprint-Datenbank wird regelmaumlssig aktualisiert
bull Eigene Fingerprints erstellen
bull Credentials fuumlr SMNP SSH etc hinterlegen
bull Profiling bei Authentifizierung oder nach Bedarf
bull Erkennen von IoT Devices
DHCP
SNMP
SSH
TCPWMI
CDP LLDP
OnGuard
NMAP
Mac OUI
HTTP
ClearPass Profiler EngineProfiling on authentication discover IoT
AfterBefore
Lighting Sensorunknown
unknown Temperature Sensor
send to
quarantineprofiling assign
new policy
discover IoT assign appropriated policy
ClearPass Profiler EngineCustom Fingerprints Rules
NEW WAY Create your own
Fingerprints
OLD WAY Wait for new Fingerprints to be made andor manually override
devices 11
ClearPass Universal ProfilerStandalone Profiling Engine
bull Standalone profiling engine
bull Wired and wireless networks
bull Easily distributed for coverage
and scalability
bull New device visibility dashboard
bull Reports
bull Gain Visibility of your Network
bull GA February 2017
ClearPass Universal Profiler
DEMO Profiling
Clearpass Modules WorkflowsOnGuard Client Health Check
bull Automated Healthcheck before Access
bull WiredWireless Ensures posture compliance for laptopscomputers
bull Security Forces use of Anti-VirusAnti-Spyware firewalls disk encryptionhellip
bull Remediation Manual or auto
bull Visibility Identifies poor behavior
bull User Notification Tells User about failed checks
bull Type Service or dissolvable Web Checker
DEMO OnGuard
Clearpass Modules WorkflowsSecure Guest Login
bull Flexible Guest Logins for Any Visitor
bull Customizable Splash Pages
bull Self-Service Workflows
bull SMS Authentication
bull Sponsoring
bull Social Login
bull Vouchers
bull Predefined UserPassword
bull MAC Caching for repeat visitors
bull Suitable for Mobile Devices
Clearpass Modules WorkflowsSecure Guest Login Look and Feel
Clearpass Modules WorkflowsOnBoard Employee Device
bull BYOD Employees Login with Personal Devices
bull User and IT friendly One time user registration no IT intervention
bull Security IT managed 8021X and Certificates
bull Context Data added to profile for adaptive policy and troubleshooting
bull Selfmanaged User can manage delete and block devices by their own
Clearpass Modules WorkflowsCertificate Distribution for BYOD
bull Domain
bull Key amp
Certificate
Enterprise PKI and CA Built-in ClearPass CA
Certificate
Authority
Validation
Authority
Registration
Authority
Active
Directory
IT-Managed
Devices
bull Domain
bull User
bull Device
bull Key amp Unique
Certificate
Personal
Devices
CA
Certificate
Authority
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
1530
MONITOR HEALTH
OF THE SMART
BUILDING
IT EXPERIENCE
1100
PREDICT
DONrsquoT JUST
TROUBLESHOOT
Aruba Clarity
1330
UNDERSTAND
DONrsquoT JUST
MONITOR
ONCE BYOD AND IoT
ARE ON YOUR
NETWORK hellip
SECURING THE
PERIMETER IS NO
LONGER ENOUGH
STAY COMPLIANT
WHILE EMBRACING BYOD AND IOT
Auto-classify unknown devices
on any network with Aruba ClearPass
Automate onboarding of each device
to the network and enforce policy
Detect amp eliminate threats
with ClearPass Exchange partners
SOFTWARE CONTROLS FOR
NETWORK ACCESS SECURITY
Internet of
Things (IoT)
BYOD and
corporate owned
REST
API
Security monitoring
and threat prevention
Device management and
multi-factor authentication
Helpdesk and voiceSMS
service in the cloud
Multi-vendor
switching
Multi-vendor
WLANs
Aruba ClearPass with
Exchange Ecosystem
SOFTWARE CONTROLS FOR ldquoCOLORLESSrdquo PORTS
Device and
user identity
stores
Ports assigned to new
VLANs through ClearPass
based on device type
IoT devices on the
wired network
connecting to any portPrevention against malware
and insider threats
Secure per device
tunneling to Aruba
Mobility Controller
Aruba
switches
LEADING
SWISS
BRANDS
TRUST
US
Pause
Aruba ClearPass ndash Die Loumlsung fuumlr einen sicheren NetzwerkzugangManuel Bitzi SOFTEC AG
Evolution of Access Management and Control
Desktops amp Wired
Basic AAA with UserPort
Control
Windows Vulnerabilities
Perimeter security via
platform silos
High touch IT model
Mobile Devices BYOD amp
Wireless
Multi-factor policy control with
visibility
Multiple Attack Vectors
Cooperative trust via
context sharing
Self Service automated
process
YESTERDAY TODAY
Time For A New Mobility Defense Model
Static Perimeter Defense
IDSIPS
Firewalls
Adaptive Trust Defense
Perimeter
Defense
Physical
Components
AntiVirus
Security and Policy
for each user or
group
Web
gateways
Was sind die Hauptgruumlnde fuumlr ein NAC
AuthentifizierungZugriffsschutz
Automatische Konfiguration
Workflows
VisibilitaumltNachvollziehbarkeit
Top IT NAC Business Drivers
Authentication and Authorization
NAC Services Deployment
Architecture and Coverage
bull Provide secure wired
and wireless access
bull Enhance mobile and
cloud app access
bull Use of certificates
Deployment Services
bull Offer differentiated
access (IT-owned
BYOD IoT)
bull Deliver managed
and reliable guest
access
bull Provide consistent
privileges regardless
of location
bull Leverage 3rd-party
security solutions
bull IT-controlled access
bull Automate workflows
bull Simplicity
bull Possible User-
intervention
ClearPass Policy Manager and NAC Solution
Onboard Guest
Built-inbull Policy Enginebull RADIUSCoATACACSbull Profilingbull Accountingreportsbull Identity store
Expandable Applications
Remote Location
bull BYOD onboardingbull Simple guest accessbull Health assessments
OnGuard
Whatrsquos Inside
VISIBILITY
Device Profiling
Troubleshooting
Per Session Tracking
WORKFLOW
Onboarding and
Self-Registration
Guest Management
MDMEMM Integration
RULES
Context based
Device
Posture Checks
Built-in Certificate
Authority
Authentication based on Device Context
Device
Profiling
bull Samsung SM-G900
bull Android
bull ldquoJons-Galaxyrdquo
EMMMDMOnGuard
bull Personal owned
bull Registered
bull OS up-to-date
bull Hansen Jon [Sales]
bull MDM enabled = true
bull In-compliance = true
Identity
Stores
Network Devices
bull Hansen Jon [Sales]
bull Title ndash COO
bull Dept ndash Executive office
bull City ndash London
bull Location ndash Bldg 10
bull Floor ndash 3
bull Bandwidth ndash 10Mbps
Value of a Policy EngineRemove SSID Overload
NEW WAY Simplify separate traffic dynamically
by context
OLD WAY Separate access amp
traffic by SSIDs
ClearPass ExchangeEnd-to-End Control Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voiceSMSservice in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST APISQL
XMLHTTP LDAP
RADIUSTACACS
Traffic control ampthreat prevention
ClearPass Exchange ExampleExtensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
Devices profiled2 ClearPass checks McAfee ePO for endpoint status
3
ClearPass enforcesaccess privileges4
Devices establish connections1
ClearPass Exchange ExampleBi-directional Exchange ndash FirewallIPS Event
FirewallIPSSIEMetchellip
user connects and uploads threat
sends event to ClearPass
informs infrastructure
1 2
4
detects and blocks event
3isolates user5
notifies user opens service ticket notify third-party devices6
ClearPass Profiler Engine
bull ClearPass sammelt so viele Informationen wie moumlglich um einen Geraumltetyp zu bestimmen
bull Category Family Product Name
bull Fingerprint-Datenbank wird regelmaumlssig aktualisiert
bull Eigene Fingerprints erstellen
bull Credentials fuumlr SMNP SSH etc hinterlegen
bull Profiling bei Authentifizierung oder nach Bedarf
bull Erkennen von IoT Devices
DHCP
SNMP
SSH
TCPWMI
CDP LLDP
OnGuard
NMAP
Mac OUI
HTTP
ClearPass Profiler EngineProfiling on authentication discover IoT
AfterBefore
Lighting Sensorunknown
unknown Temperature Sensor
send to
quarantineprofiling assign
new policy
discover IoT assign appropriated policy
ClearPass Profiler EngineCustom Fingerprints Rules
NEW WAY Create your own
Fingerprints
OLD WAY Wait for new Fingerprints to be made andor manually override
devices 11
ClearPass Universal ProfilerStandalone Profiling Engine
bull Standalone profiling engine
bull Wired and wireless networks
bull Easily distributed for coverage
and scalability
bull New device visibility dashboard
bull Reports
bull Gain Visibility of your Network
bull GA February 2017
ClearPass Universal Profiler
DEMO Profiling
Clearpass Modules WorkflowsOnGuard Client Health Check
bull Automated Healthcheck before Access
bull WiredWireless Ensures posture compliance for laptopscomputers
bull Security Forces use of Anti-VirusAnti-Spyware firewalls disk encryptionhellip
bull Remediation Manual or auto
bull Visibility Identifies poor behavior
bull User Notification Tells User about failed checks
bull Type Service or dissolvable Web Checker
DEMO OnGuard
Clearpass Modules WorkflowsSecure Guest Login
bull Flexible Guest Logins for Any Visitor
bull Customizable Splash Pages
bull Self-Service Workflows
bull SMS Authentication
bull Sponsoring
bull Social Login
bull Vouchers
bull Predefined UserPassword
bull MAC Caching for repeat visitors
bull Suitable for Mobile Devices
Clearpass Modules WorkflowsSecure Guest Login Look and Feel
Clearpass Modules WorkflowsOnBoard Employee Device
bull BYOD Employees Login with Personal Devices
bull User and IT friendly One time user registration no IT intervention
bull Security IT managed 8021X and Certificates
bull Context Data added to profile for adaptive policy and troubleshooting
bull Selfmanaged User can manage delete and block devices by their own
Clearpass Modules WorkflowsCertificate Distribution for BYOD
bull Domain
bull Key amp
Certificate
Enterprise PKI and CA Built-in ClearPass CA
Certificate
Authority
Validation
Authority
Registration
Authority
Active
Directory
IT-Managed
Devices
bull Domain
bull User
bull Device
bull Key amp Unique
Certificate
Personal
Devices
CA
Certificate
Authority
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
IT EXPERIENCE
1100
PREDICT
DONrsquoT JUST
TROUBLESHOOT
Aruba Clarity
1330
UNDERSTAND
DONrsquoT JUST
MONITOR
ONCE BYOD AND IoT
ARE ON YOUR
NETWORK hellip
SECURING THE
PERIMETER IS NO
LONGER ENOUGH
STAY COMPLIANT
WHILE EMBRACING BYOD AND IOT
Auto-classify unknown devices
on any network with Aruba ClearPass
Automate onboarding of each device
to the network and enforce policy
Detect amp eliminate threats
with ClearPass Exchange partners
SOFTWARE CONTROLS FOR
NETWORK ACCESS SECURITY
Internet of
Things (IoT)
BYOD and
corporate owned
REST
API
Security monitoring
and threat prevention
Device management and
multi-factor authentication
Helpdesk and voiceSMS
service in the cloud
Multi-vendor
switching
Multi-vendor
WLANs
Aruba ClearPass with
Exchange Ecosystem
SOFTWARE CONTROLS FOR ldquoCOLORLESSrdquo PORTS
Device and
user identity
stores
Ports assigned to new
VLANs through ClearPass
based on device type
IoT devices on the
wired network
connecting to any portPrevention against malware
and insider threats
Secure per device
tunneling to Aruba
Mobility Controller
Aruba
switches
LEADING
SWISS
BRANDS
TRUST
US
Pause
Aruba ClearPass ndash Die Loumlsung fuumlr einen sicheren NetzwerkzugangManuel Bitzi SOFTEC AG
Evolution of Access Management and Control
Desktops amp Wired
Basic AAA with UserPort
Control
Windows Vulnerabilities
Perimeter security via
platform silos
High touch IT model
Mobile Devices BYOD amp
Wireless
Multi-factor policy control with
visibility
Multiple Attack Vectors
Cooperative trust via
context sharing
Self Service automated
process
YESTERDAY TODAY
Time For A New Mobility Defense Model
Static Perimeter Defense
IDSIPS
Firewalls
Adaptive Trust Defense
Perimeter
Defense
Physical
Components
AntiVirus
Security and Policy
for each user or
group
Web
gateways
Was sind die Hauptgruumlnde fuumlr ein NAC
AuthentifizierungZugriffsschutz
Automatische Konfiguration
Workflows
VisibilitaumltNachvollziehbarkeit
Top IT NAC Business Drivers
Authentication and Authorization
NAC Services Deployment
Architecture and Coverage
bull Provide secure wired
and wireless access
bull Enhance mobile and
cloud app access
bull Use of certificates
Deployment Services
bull Offer differentiated
access (IT-owned
BYOD IoT)
bull Deliver managed
and reliable guest
access
bull Provide consistent
privileges regardless
of location
bull Leverage 3rd-party
security solutions
bull IT-controlled access
bull Automate workflows
bull Simplicity
bull Possible User-
intervention
ClearPass Policy Manager and NAC Solution
Onboard Guest
Built-inbull Policy Enginebull RADIUSCoATACACSbull Profilingbull Accountingreportsbull Identity store
Expandable Applications
Remote Location
bull BYOD onboardingbull Simple guest accessbull Health assessments
OnGuard
Whatrsquos Inside
VISIBILITY
Device Profiling
Troubleshooting
Per Session Tracking
WORKFLOW
Onboarding and
Self-Registration
Guest Management
MDMEMM Integration
RULES
Context based
Device
Posture Checks
Built-in Certificate
Authority
Authentication based on Device Context
Device
Profiling
bull Samsung SM-G900
bull Android
bull ldquoJons-Galaxyrdquo
EMMMDMOnGuard
bull Personal owned
bull Registered
bull OS up-to-date
bull Hansen Jon [Sales]
bull MDM enabled = true
bull In-compliance = true
Identity
Stores
Network Devices
bull Hansen Jon [Sales]
bull Title ndash COO
bull Dept ndash Executive office
bull City ndash London
bull Location ndash Bldg 10
bull Floor ndash 3
bull Bandwidth ndash 10Mbps
Value of a Policy EngineRemove SSID Overload
NEW WAY Simplify separate traffic dynamically
by context
OLD WAY Separate access amp
traffic by SSIDs
ClearPass ExchangeEnd-to-End Control Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voiceSMSservice in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST APISQL
XMLHTTP LDAP
RADIUSTACACS
Traffic control ampthreat prevention
ClearPass Exchange Example: Extensions for Intel Security – McAfee ePO
Components: corporate-owned and IoT devices, BYOD and corporate-owned devices, multi-vendor switching, multi-vendor WLAN, McAfee ePO
1. Devices establish connections
2. Devices are profiled
3. ClearPass checks McAfee ePO for endpoint status
4. ClearPass enforces access privileges
ClearPass Exchange Example: Bi-directional Exchange – Firewall/IPS Event
Components: firewall / IPS / SIEM etc.
1. User connects and uploads a threat
2. Firewall/IPS detects and blocks the event
3. Firewall/IPS sends the event to ClearPass
4. ClearPass informs the infrastructure
5. User is isolated
6. User is notified, a service ticket is opened, third-party devices are notified
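The isolation step of the exchange above, carried through in code as an added example (not code from the slides, Aruba or SOFTEC): a few constructed firewall/IPS syslog lines are parsed, the offending source IP is mapped to the active session a NAC keeps from RADIUS accounting, and a RADIUS CoA-Request (RFC 5176) is built that moves that session into a quarantine role. The log format, the session table, the role name "QUARANTINE", the Filter-Id attribute as the carrier of the role and the shared secret are all assumptions for the example; how a particular NAC or NAS maps a role is product-specific.

```python
import hashlib
import re
import struct

# Constructed firewall/IPS syslog lines (not from any real device).
SAMPLE_EVENTS = [
    "Mar 14 10:02:11 fw01 IPS: action=BLOCK severity=high src=10.20.30.41 dst=203.0.113.5 sig=Malware.Upload",
    "Mar 14 10:02:12 fw01 IPS: action=ALLOW severity=low src=10.20.30.42 dst=198.51.100.7 sig=Policy.Info",
    "Mar 14 10:02:13 fw01 IPS: action=BLOCK severity=high src=10.20.30.99 dst=203.0.113.5 sig=Malware.Upload",
]

# Constructed active-session table, as the NAC would learn it from RADIUS accounting.
SESSIONS = {
    "10.20.30.41": {"user": "jon.hansen", "mac": "00-11-22-33-44-55", "nas": "192.0.2.10"},
    "10.20.30.42": {"user": "guest-4711", "mac": "66-77-88-99-aa-bb", "nas": "192.0.2.11"},
}

EVENT_RE = re.compile(r"action=(?P<action>\w+) severity=(?P<sev>\w+) src=(?P<src>[\d.]+) .*sig=(?P<sig>\S+)")


def parse_event(line):
    """Extract the fields we act on; None when the line is not an IPS event."""
    m = EVENT_RE.search(line)
    return m.groupdict() if m else None


def select_isolation_targets(lines, sessions):
    """(src_ip, session) for blocked high-severity events whose source has a known session.
    Sources without a session cannot be isolated by CoA; they would go to the helpdesk ticket instead."""
    targets = []
    for line in lines:
        ev = parse_event(line)
        if not ev or ev["action"] != "BLOCK" or ev["sev"] != "high":
            continue
        sess = sessions.get(ev["src"])
        if sess is not None:
            targets.append((ev["src"], sess))
    return targets


# RADIUS attribute types (RFC 2865) carried in the CoA-Request; code 43 = CoA-Request (RFC 5176).
USER_NAME, FRAMED_IP_ADDRESS, FILTER_ID, CALLING_STATION_ID = 1, 8, 11, 31
COA_REQUEST = 43


def _avp(attr_type, value):
    """Type-Length-Value encoding of one RADIUS attribute (length includes the 2-byte header)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_coa_request(identifier, secret, user, ip, mac, role):
    """CoA-Request that re-authorises the session into `role` via Filter-Id.
    Request Authenticator = MD5(Code | Identifier | Length | 16 zero octets | attributes | secret)."""
    attrs = (_avp(USER_NAME, user.encode())
             + _avp(FRAMED_IP_ADDRESS, bytes(int(o) for o in ip.split(".")))
             + _avp(CALLING_STATION_ID, mac.encode())
             + _avp(FILTER_ID, role.encode()))
    length = 20 + len(attrs)
    header = struct.pack("!BBH", COA_REQUEST, identifier, length)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_request_authenticator(packet, secret):
    """What the receiving NAS does: recompute the authenticator with its copy of the secret."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + bytes(16) + attrs + secret).digest() == auth


def isolate_from_events(lines, sessions, secret=b"constructed-shared-secret", role="QUARANTINE"):
    """Full path: events -> affected sessions -> one CoA packet per session, keyed by client IP."""
    packets = {}
    for ident, (ip, sess) in enumerate(select_isolation_targets(lines, sessions), start=1):
        packets[ip] = build_coa_request(ident, secret, sess["user"], ip, sess["mac"], role)
    return packets


if __name__ == "__main__":
    for ip, pkt in isolate_from_events(SAMPLE_EVENTS, SESSIONS).items():
        ok = verify_request_authenticator(pkt, b"constructed-shared-secret")
        print(f"isolate {ip}: {len(pkt)}-byte CoA-Request, authenticator valid: {ok}")
```

Only the first event produces a packet: the second is an ALLOW, and the third comes from an address with no accounting session, which is exactly the case where the NAC can do nothing by itself and the ticket to the helpdesk matters. The packet would be sent over UDP to the NAS's CoA port (3799 by default); the NAS answers with CoA-ACK or CoA-NAK, and the MD5 request authenticator is what lets it reject a CoA that does not come from the holder of the shared secret.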
ClearPass Profiler Engine
• ClearPass collects as much information as possible to determine a device type
• Category, Family, Product Name
• The fingerprint database is updated regularly
• Create your own fingerprints
• Store credentials for SNMP, SSH etc.
• Profiling at authentication or on demand
• Detection of IoT devices
Collectors: DHCP, SNMP, SSH, TCP/WMI, CDP/LLDP, OnGuard, NMAP, MAC OUI, HTTP
ClearPass Profiler Engine: Profiling on Authentication, Discover IoT
Before: device unknown; send to quarantine; profiling
After: Lighting Sensor, Temperature Sensor; assign new policy
Discover IoT, assign the appropriate policy
ClearPass Profiler Engine: Custom Fingerprint Rules
OLD WAY: Wait for new fingerprints to be made and/or manually override devices
NEW WAY: Create your own fingerprints
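A reduced profiler in the spirit of the three slides above, as an added example that is not ClearPass code: attributes gathered by several collectors are matched against a fingerprint database that yields Category / Family / Product Name, the most specific rule wins, an unknown device lands in quarantine, and an administrator-defined custom fingerprint (the "new way") turns the unknown sensor into a recognised IoT device on re-profiling. The fingerprint entries, the OUI prefixes, the DHCP and HTTP attribute names and the role names are illustrative values constructed for the example, not a real fingerprint database.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fingerprint:
    """One fingerprint rule: every attribute in `match` must be present and match.
    'oui' is a prefix match on the MAC address; all other keys are exact matches.
    A rule with more attributes is more specific and wins when several rules match."""
    category: str
    family: str
    product: str
    match: tuple  # ((attribute, expected), ...)


UNKNOWN = ("Unknown", "Unknown", "Unknown")

# Constructed built-in fingerprint database (illustrative values, not a real database).
BUILTIN_DB = (
    Fingerprint("SmartDevice", "Android", "Samsung SM-G900",
                (("oui", "AA:BB:02"), ("dhcp_vendor_class", "android-dhcp-6.0"))),
    Fingerprint("Computer", "Windows", "Windows 10",
                (("dhcp_vendor_class", "MSFT 5.0"),
                 ("dhcp_param_req", "1,3,6,15,31,33,43,44,46,47,119,121,249,252"))),
    Fingerprint("Printer", "HP", "HP LaserJet",
                (("http_user_agent", "HP-LaserJet"),)),
)


def _matches(fp, attrs):
    for key, expected in fp.match:
        got = attrs.get(key)
        if got is None:
            return False
        if key == "oui":
            if not got.upper().startswith(expected.upper()):
                return False
        elif got != expected:
            return False
    return True


def classify(attrs, db):
    """(category, family, product) of the most specific matching fingerprint, else UNKNOWN."""
    best = None
    for fp in db:
        if _matches(fp, attrs) and (best is None or len(fp.match) > len(best.match)):
            best = fp
    return (best.category, best.family, best.product) if best else UNKNOWN


def policy_for(classification):
    """Profiling result -> enforcement role. Unknown devices are quarantined until re-profiled."""
    category = classification[0]
    if category == "Unknown":
        return "Quarantine"
    return {"IoT": "IoT-Internet-Only", "Printer": "Printer-VLAN"}.get(category, "Default-Access")


# Constructed collector output (what the DHCP, MAC-OUI and HTTP collectors would have gathered).
LIGHTING_SENSOR = {"oui": "AA:BB:01", "dhcp_vendor_class": "lumen-ctrl"}
JONS_GALAXY = {"oui": "AA:BB:02", "dhcp_vendor_class": "android-dhcp-6.0",
               "http_user_agent": "Mozilla/5.0 (Linux; Android)"}


def profile_with_custom_fingerprint():
    """Before: the sensor is unknown and quarantined. After the administrator adds a custom
    fingerprint, re-profiling the same attributes yields an IoT classification and policy."""
    before = classify(LIGHTING_SENSOR, BUILTIN_DB)
    custom = Fingerprint("IoT", "Building Automation", "Lighting Sensor",
                         (("oui", "AA:BB:01"), ("dhcp_vendor_class", "lumen-ctrl")))
    after = classify(LIGHTING_SENSOR, BUILTIN_DB + (custom,))
    return {"before": (before, policy_for(before)), "after": (after, policy_for(after))}


if __name__ == "__main__":
    for phase, (cls, role) in profile_with_custom_fingerprint().items():
        print(f"{phase:6} -> {cls} -> role {role}")
    print("Jon's phone ->", classify(JONS_GALAXY, BUILTIN_DB))
```

The specificity rule matters for custom fingerprints: a rule that keys only on an OUI prefix would misclassify every device from that vendor, so a custom rule should combine at least two collectors (here OUI plus the DHCP vendor class), and a device that matches nothing stays in quarantine rather than getting a default role.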
ClearPass Universal Profiler: Standalone Profiling Engine
• Standalone profiling engine
• Wired and wireless networks
• Easily distributed for coverage and scalability
• New device visibility dashboard
• Reports
• Gain visibility of your network
• GA February 2017
DEMO: Profiling
ClearPass Modules / Workflows: OnGuard Client Health Check
• Automated health check before access
• Wired/Wireless: ensures posture compliance for laptops/computers
• Security: forces use of anti-virus/anti-spyware, firewalls, disk encryption …
• Remediation: manual or automatic
• Visibility: identifies poor behaviour
• User notification: tells the user about failed checks
• Type: service or dissolvable web checker
DEMO: OnGuard
ClearPass Modules / Workflows: Secure Guest Login
• Flexible guest logins for any visitor
• Customizable splash pages
• Self-service workflows
• SMS authentication
• Sponsoring
• Social login
• Vouchers
• Predefined user/password
• MAC caching for repeat visitors
• Suitable for mobile devices
ClearPass Modules / Workflows: Secure Guest Login Look and Feel
ClearPass Modules / Workflows: OnBoard Employee Device
• BYOD: employees log in with personal devices
• User and IT friendly: one-time user registration, no IT intervention
• Security: IT-managed 802.1X and certificates
• Context: data added to the profile for adaptive policy and troubleshooting
• Self-managed: users can manage, delete and block their own devices
ClearPass Modules / Workflows: Certificate Distribution for BYOD
Enterprise PKI and CA (IT-managed devices): Active Directory (AD), Registration Authority (RA), Validation Authority (VA), Certificate Authority (CA)
• Domain
• Key & certificate
Built-in ClearPass CA (personal devices): Certificate Authority (CA)
• Domain
• User
• Device
• Key & unique certificate
ClearPass Modules / Workflows: Multi-Factor Authentication
• Additional authentication for Guest and Onboard workflows
• Multiple providers supported:
• SMS verification code
• RSA Security
• Duo
• Zoom Facial Network
• Kasada
• More to come
DEMO: OnBoard BYOD
Possible Access Concept: Wireless
SSIDs: "open" (guests, captive portal), "secure" (dot1x), "IoT" (PSK / MAC / profiling)
Client types: guests, BYOD, Corp-PC, others
Network zones: Internet only, Corp LAN, Internet
Possible Access Concept: Wired
Methods: captive portal (guests), dot1x, MAC auth, profiling, certificate
Client types: guests, Corp-PC, others
Network zones: Internet only, Corp LAN, Internet
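The policy engine the earlier slides argue for (one decision per session from device profile, posture/MDM state and identity attributes, instead of one SSID per traffic class) and the wireless and wired access concepts just sketched, as an added example that is not ClearPass code. The rule order, the role names and VLAN numbers, the context attribute names and the sample sessions are assumptions made for the example.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Enforcement:
    role: str
    vlan: int
    bandwidth_kbps: Optional[int] = None  # None = no cap


# Constructed enforcement profiles; role names and VLAN numbers are assumptions.
INTERNET_ONLY = Enforcement("Internet-Only", 100)
CORP_LAN = Enforcement("Corp-LAN", 10)
IOT_SEGMENT = Enforcement("IoT-Segment", 200, bandwidth_kbps=1_000)
QUARANTINE = Enforcement("Quarantine", 999, bandwidth_kbps=256)


def decide(ctx):
    """First-match rules over one session context; returns (Enforcement, reason).

    ctx keys (assumed attribute names for the example):
      auth       'eap-tls' | 'eap-peap' | 'captive-portal' | 'mac-auth' | 'psk'
      category   profiler result: 'Computer', 'SmartDevice', 'IoT', 'Unknown', ...
      ownership  'corporate' | 'personal'  (from MDM/EMM or Onboard registration)
      posture    'healthy' | 'unhealthy'   (OnGuard / MDM compliance)
      bandwidth_kbps  optional per-user cap from the identity store
      ssid, location  present but never consulted: the decision does not depend on them
    """
    auth = ctx.get("auth")
    if ctx.get("category") == "Unknown":
        result, why = QUARANTINE, "unprofiled device: hold in quarantine until profiling completes"
    elif ctx.get("posture") == "unhealthy":
        result, why = QUARANTINE, "posture check failed: remediation network only"
    elif auth == "captive-portal":
        result, why = INTERNET_ONLY, "guest via captive portal"
    elif auth in ("mac-auth", "psk") and ctx.get("category") == "IoT":
        result, why = IOT_SEGMENT, "IoT device identified by profiling"
    elif auth in ("mac-auth", "psk"):
        result, why = QUARANTINE, "weak authentication and not a recognised IoT type"
    elif auth == "eap-tls" and ctx.get("ownership") == "corporate" and ctx.get("posture") == "healthy":
        result, why = CORP_LAN, "IT-managed device: certificate plus healthy posture"
    elif auth in ("eap-tls", "eap-peap") and ctx.get("ownership") == "personal":
        result, why = INTERNET_ONLY, "BYOD: authenticated, but a personal device stays off the corporate LAN"
    else:
        result, why = QUARANTINE, "no rule matched: deny by default"
    cap = ctx.get("bandwidth_kbps")  # identity-store attribute such as "Bandwidth - 10Mbps"
    if cap is not None and (result.bandwidth_kbps is None or cap < result.bandwidth_kbps):
        result = replace(result, bandwidth_kbps=cap)
    return result, why


# Constructed sessions. The single SSID "secure" carries three different outcomes,
# and the same corporate PC gets the same result at headquarters and at a branch.
SAMPLE_SESSIONS = {
    "corp-pc-hq": {"ssid": "secure", "auth": "eap-tls", "category": "Computer",
                   "ownership": "corporate", "posture": "healthy", "location": "Bldg 10"},
    "corp-pc-branch": {"ssid": "secure", "auth": "eap-tls", "category": "Computer",
                       "ownership": "corporate", "posture": "healthy", "location": "Branch"},
    "corp-pc-unhealthy": {"ssid": "secure", "auth": "eap-tls", "category": "Computer",
                          "ownership": "corporate", "posture": "unhealthy"},
    "jons-galaxy": {"ssid": "secure", "auth": "eap-peap", "category": "SmartDevice",
                    "ownership": "personal", "posture": "healthy", "bandwidth_kbps": 10_000},
    "guest": {"ssid": "open", "auth": "captive-portal", "category": "Computer"},
    "lighting-sensor": {"ssid": "IoT", "auth": "mac-auth", "category": "IoT"},
    "unknown-device": {"ssid": "IoT", "auth": "mac-auth", "category": "Unknown"},
}


def evaluate_samples(sessions=SAMPLE_SESSIONS):
    """Evaluate every constructed session; returns name -> Enforcement."""
    return {name: decide(ctx)[0] for name, ctx in sessions.items()}


if __name__ == "__main__":
    for name, ctx in SAMPLE_SESSIONS.items():
        enf, why = decide(ctx)
        print(f"{name:18} ssid={ctx['ssid']:6} -> {enf.role:13} vlan {enf.vlan:3}  ({why})")
```

Two design points carry the argument of the slides. Profiling state and posture are checked before any authentication-based rule, so a device that is unknown or out of compliance cannot reach a privileged role no matter how it authenticated; and the fall-through is quarantine, not a default-access role, so a gap in the rule set fails closed. Moving a client between SSIDs changes nothing here; only the context does.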
How to Approach a NAC Project: Best Practice and Experience
• Know the devices on the network
• What is there? Where is it? What is new?
• Inventory, profiling
• Define use cases
• Which stakeholder groups are there?
• Procedures, processes, access rights
• Simple and few: keep it simple
• Plan enough time for a proof of concept
• Feed the experience from the PoC back in and adapt
• Implement step by step
• Not everything at once
• But in the end with full coverage
Thank you for your attention
Manuel Bitzi, Projektleiter Network Engineering
manuel.bitzi@softec.ch
Apéro and Networking
Thank you for your visit
SOFTEC AG, Industriestrasse 51, CH-6312 Steinhausen
kurt.christen@softec.ch, +41 41 747 07 60
11:00 PREDICT, DON'T JUST TROUBLESHOOT – Aruba Clarity
13:30 UNDERSTAND, DON'T JUST MONITOR
ONCE BYOD AND IoT ARE ON YOUR NETWORK … SECURING THE PERIMETER IS NO LONGER ENOUGH
STAY COMPLIANT WHILE EMBRACING BYOD AND IOT
Auto-classify unknown devices on any network with Aruba ClearPass
Automate onboarding of each device to the network and enforce policy
Detect & eliminate threats with ClearPass Exchange partners
SOFTWARE CONTROLS FOR NETWORK ACCESS SECURITY
Aruba ClearPass with Exchange Ecosystem: Internet of Things (IoT); BYOD and corporate-owned devices; REST API; security monitoring and threat prevention; device management and multi-factor authentication; helpdesk and voice/SMS service in the cloud; multi-vendor switching; multi-vendor WLANs
SOFTWARE CONTROLS FOR "COLORLESS" PORTS
Device and user identity stores
Ports assigned to new VLANs through ClearPass based on device type
IoT devices on the wired network connecting to any port
Prevention against malware and insider threats
Secure per-device tunneling to Aruba Mobility Controller
Aruba switches
LEADING SWISS BRANDS TRUST US
Pause
Aruba ClearPass – The Solution for Secure Network Access (Manuel Bitzi, SOFTEC AG)
Evolution of Access Management and Control
YESTERDAY: desktops & wired; basic AAA with user/port control; Windows vulnerabilities; perimeter security via platform silos; high-touch IT model
TODAY: mobile devices, BYOD & wireless; multi-factor policy control with visibility; multiple attack vectors; cooperative trust via context sharing; self-service, automated process
Time For A New Mobility Defense Model
Static Perimeter Defense: IDS/IPS, firewalls, perimeter defense, physical components, anti-virus, web gateways
Adaptive Trust Defense: security and policy for each user or group
What are the main reasons for a NAC?
• Authentication / access protection
• Automatic configuration
• Workflows
• Visibility / traceability
Top IT NAC Business Drivers
Authentication and Authorization
Aruba ClearPass ndash Die Loumlsung fuumlr einen sicheren NetzwerkzugangManuel Bitzi SOFTEC AG
Evolution of Access Management and Control
Desktops amp Wired
Basic AAA with UserPort
Control
Windows Vulnerabilities
Perimeter security via
platform silos
High touch IT model
Mobile Devices BYOD amp
Wireless
Multi-factor policy control with
visibility
Multiple Attack Vectors
Cooperative trust via
context sharing
Self Service automated
process
YESTERDAY TODAY
Time For A New Mobility Defense Model
Static Perimeter Defense
IDSIPS
Firewalls
Adaptive Trust Defense
Perimeter
Defense
Physical
Components
AntiVirus
Security and Policy
for each user or
group
Web
gateways
What are the main reasons for a NAC?
• Authentication / access protection
• Automatic configuration
• Workflows
• Visibility / traceability

Top IT NAC Business Drivers (Authentication and Authorization; NAC Services Deployment; Architecture and Coverage; Deployment Services)
• Provide secure wired and wireless access
• Enhance mobile and cloud app access
• Use of certificates
• Offer differentiated access (IT-owned, BYOD, IoT)
• Deliver managed and reliable guest access
• Provide consistent privileges regardless of location
• Leverage 3rd-party security solutions
• IT-controlled access
• Automate workflows
• Simplicity
• Possible user intervention
ClearPass Policy Manager and NAC Solution
Built-in: • Policy engine • RADIUS, CoA, TACACS+ • Profiling • Accounting/reports • Identity store
Expandable applications (Onboard, Guest, OnGuard; also for remote locations): • BYOD onboarding • Simple guest access • Health assessments

What's Inside
VISIBILITY: device profiling; troubleshooting; per-session tracking
WORKFLOW: onboarding and self-registration; guest management; MDM/EMM integration
RULES: context-based; device posture checks; built-in certificate authority
Authentication based on Device Context
Device profiling: • Samsung SM-G900 • Android • "Jons-Galaxy"
EMM/MDM/OnGuard: • Personally owned • Registered • OS up-to-date • Hansen, Jon [Sales] • MDM enabled = true • In-compliance = true
Identity stores: • Hansen, Jon [Sales] • Title: COO • Dept: Executive office • City: London
Network devices: • Location: Bldg 10 • Floor: 3 • Bandwidth: 10 Mbps

Value of a Policy Engine: Remove SSID Overload
OLD WAY: separate access & traffic by SSIDs
NEW WAY: simplify; separate traffic dynamically by context
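The two slides above describe the decision, not how it is taken. The following is an added example of a context-based policy engine written for this page; it is not ClearPass's policy engine and none of its attribute names, VLAN numbers or rule names come from the slides. It merges the authentication method, the profiled device, the identity-store attributes and an OnGuard-style posture report into one context and walks an ordered rule list, so that five different endpoints on the same SSID end up in five different enforcement profiles. Rules based on strong evidence (a client certificate plus a directory group plus posture) come before rules based on weak evidence (a MAC address), and the catch-all rule quarantines rather than admits.

```python
"""Context-based access policy (added example; not ClearPass's policy engine).

One SSID or port, many outcomes: the RADIUS request, the device profile,
the identity store and the posture report are merged into one context
and an ordered rule list turns it into an enforcement profile
(role, VLAN, bandwidth). Every attribute name and value is constructed.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Enforcement:
    role: str
    vlan: int
    bandwidth_mbps: Optional[int] = None   # None = no rate limit


@dataclass(frozen=True)
class Rule:
    name: str
    match: Callable[[dict], bool]
    result: Enforcement


def posture_compliant(report: dict) -> bool:
    """OnGuard-style health check: every required control must report True.
    A missing key counts as a failure, so an agent that says nothing
    cannot pass. (Constructed key names.)"""
    required = ("antivirus_running", "firewall_enabled", "disk_encrypted")
    return all(report.get(key) is True for key in required)


# First match wins. Strong evidence (certificate + directory group + posture)
# is tested before weaker evidence (MAC address); the catch-all quarantines.
RULES = (
    Rule("corporate-managed",
         lambda c: c["auth"] == "EAP-TLS" and c["device"]["owner"] == "corporate"
         and "Domain Computers" in c["identity"]["groups"] and c["compliant"],
         Enforcement("employee", vlan=10)),
    Rule("byod-onboarded",            # Onboard-issued cert on a personal device
         lambda c: c["auth"] == "EAP-TLS" and c["device"]["owner"] == "personal"
         and c["device"]["registered"] and c["compliant"],
         Enforcement("byod", vlan=20, bandwidth_mbps=10)),
    Rule("iot-profiled",              # MAC auth only for a device profiled as IoT
         lambda c: c["auth"] == "MAC" and c["device"]["category"] == "IoT",
         Enforcement("iot-internet-only", vlan=30, bandwidth_mbps=2)),
    Rule("non-compliant",             # authenticated, but posture failed
         lambda c: c["auth"] == "EAP-TLS" and not c["compliant"],
         Enforcement("remediation", vlan=90)),
    Rule("unknown",                   # anything else: quarantine and profile
         lambda c: True,
         Enforcement("quarantine", vlan=99)),
)


def decide(auth: str, device: dict, identity: dict, health: dict):
    """Return (rule name, Enforcement) for one access request."""
    ctx = {"auth": auth, "device": device, "identity": identity,
           "compliant": posture_compliant(health)}
    for rule in RULES:
        if rule.match(ctx):
            return rule.name, rule.result
    raise RuntimeError("unreachable: catch-all rule missing")


HEALTHY = {"antivirus_running": True, "firewall_enabled": True, "disk_encrypted": True}
NO_FIREWALL = dict(HEALTHY, firewall_enabled=False)

# Constructed sessions, all arriving on the same SSID.
SAMPLES = {
    "corp-laptop": ("EAP-TLS",
                    {"owner": "corporate", "category": "Computer", "registered": True},
                    {"user": "host/laptop42", "groups": ["Domain Computers"]}, HEALTHY),
    "jons-galaxy": ("EAP-TLS",
                    {"owner": "personal", "category": "SmartDevice", "registered": True},
                    {"user": "jhansen", "groups": ["Domain Users", "Sales"]}, HEALTHY),
    "temp-sensor": ("MAC",
                    {"owner": "corporate", "category": "IoT", "registered": False},
                    {"user": "00-1a-2b-00-00-01", "groups": []}, {}),
    "laptop-no-fw": ("EAP-TLS",
                     {"owner": "corporate", "category": "Computer", "registered": True},
                     {"user": "host/laptop07", "groups": ["Domain Computers"]}, NO_FIREWALL),
    "mac-spoofer": ("MAC",                     # cloned IoT MAC, profiled as a PC
                    {"owner": "unknown", "category": "Computer", "registered": False},
                    {"user": "00-1a-2b-00-00-99", "groups": []}, {}),
}


def run_samples() -> dict:
    """Evaluate every constructed session; returns {name: (rule, Enforcement)}."""
    return {name: decide(*args) for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, (rule, enf) in run_samples().items():
        print(f"{name:13s} -> {rule:18s} role={enf.role} vlan={enf.vlan}")
```

Two design points matter in practice. Posture is treated as fail-closed: a report with a missing control is non-compliant, so a client that runs no agent cannot talk its way into the corporate VLAN. And the MAC-authentication rule keys on the profiled category, not on the MAC itself, so a cloned sensor address that behaves like a PC falls through to quarantine instead of inheriting the IoT policy.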
ClearPass Exchange: End-to-End Control, Information and Visibility
Multi-vendor infrastructure; device management and multi-factor authentication; helpdesk and voice/SMS service in the cloud; traffic control & threat prevention
• Combine identity information
• Standard protocols for custom extensions: REST API, SQL, XML/HTTP, LDAP, RADIUS, TACACS
ClearPass Exchange Example: Extensions for Intel Security - McAfee ePO
(Corporate-owned and IoT devices, BYOD and corporate-owned devices on multi-vendor switching and multi-vendor WLAN.)
1. Devices establish connections
2. Devices are profiled
3. ClearPass checks McAfee ePO for endpoint status
4. ClearPass enforces access privileges
ClearPass Exchange Example: Bi-directional Exchange - Firewall/IPS Event
(Firewall, IPS, SIEM etc.)
1. User connects and uploads a threat
2. Firewall/IPS detects and blocks the event
3. Sends the event to ClearPass
4. ClearPass informs the infrastructure
5. Isolates the user
6. Notifies the user, opens a service ticket, notifies third-party devices
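Steps 4 and 5 of the exchange are carried out on the wire with RADIUS Dynamic Authorization (RFC 5176): the policy server sends a Disconnect-Request, or a CoA-Request carrying a new role or VLAN, to the switch or controller that holds the session, and the NAS replies with an ACK or NAK. The following is an added example written for this page, not ClearPass code: it builds a Disconnect-Request from a constructed IPS event, computes the Request Authenticator exactly as the RFC specifies, and shows the NAS-side and server-side checks of the MD5 authenticators. The shared secret, the session identifiers and the event are all constructed; the optional Message-Authenticator attribute is left out to keep the packet layout visible.

```python
"""RADIUS Disconnect-Request / Disconnect-ACK per RFC 5176 (added example,
not ClearPass code). This is the wire mechanism behind "isolates user":
a third-party event names a session, the policy server sends a
Disconnect-Request (or a CoA-Request carrying a new role/VLAN) to the NAS,
and the NAS replies with an ACK or NAK. Both sides verify the MD5-based
authenticators before acting. Secret, NAS and session data are constructed.
"""
import hashlib
import hmac
import socket
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Session-identification attribute types (RFC 2865/2866).
USER_NAME, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 4, 8
CALLING_STATION_ID, ACCT_SESSION_ID = 31, 44


def encode_attr(atype: int, value: bytes) -> bytes:
    """Type(1) Length(1, header included) Value; a value is at most 253 octets."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(packet: bytes) -> dict:
    """Walk the TLV list after the 20-byte header; first value wins."""
    attrs, i = {}, 20
    while i < len(packet):
        if i + 2 > len(packet) or packet[i + 1] < 2 or i + packet[i + 1] > len(packet):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.setdefault(packet[i], packet[i + 2:i + packet[i + 1]])
        i += packet[i + 1]
    return attrs


def build_request(code: int, identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """Request Authenticator (RFC 5176, computed as for RFC 2866 accounting):
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def verify_request(request: bytes, secret: bytes) -> bool:
    """NAS side: recompute the Request Authenticator before disconnecting anyone."""
    if len(request) < 20 or struct.unpack("!H", request[2:4])[0] != len(request):
        return False
    expected = hashlib.md5(request[:4] + bytes(16) + request[20:] + secret).digest()
    return hmac.compare_digest(expected, request[4:20])


def build_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Response Authenticator:
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Server side: accept an ACK/NAK only for our ID with a valid authenticator."""
    if (len(response) < 20 or response[1] != request[1]
            or struct.unpack("!H", response[2:4])[0] != len(response)):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def disconnect_for_event(event: dict, identifier: int, secret: bytes) -> bytes:
    """Map a firewall/IPS event onto the session it came from. RFC 5176 requires
    every identification attribute sent to match the session, so only values
    taken from that session's accounting record are included."""
    attrs = (encode_attr(USER_NAME, event["user"].encode())
             + encode_attr(CALLING_STATION_ID, event["mac"].encode())
             + encode_attr(ACCT_SESSION_ID, event["session_id"].encode())
             + encode_attr(FRAMED_IP_ADDRESS, socket.inet_aton(event["src_ip"])))
    return build_request(DISCONNECT_REQUEST, identifier, attrs, secret)


SECRET = b"constructed-per-nas-secret"
# Constructed IPS event, already correlated with a RADIUS accounting session.
EVENT = {"user": "jhansen", "mac": "00-1a-2b-00-00-02",
         "session_id": "0A1B2C3D", "src_ip": "10.20.30.40"}


def exchange(secret_at_nas: bytes = SECRET) -> bool:
    """Full round trip; False if the NAS (or an impostor) holds the wrong secret."""
    request = disconnect_for_event(EVENT, identifier=7, secret=SECRET)
    if not verify_request(request, secret_at_nas):        # NAS rejects bad requests
        return False
    ack = build_response(DISCONNECT_ACK, request, b"", secret_at_nas)
    return verify_response(ack, request, SECRET)          # server checks the reply


if __name__ == "__main__":
    print("genuine NAS:", exchange(), "| wrong secret:", exchange(b"guess"))
```

The authenticators are what stop a host on the management network from forging a disconnect or a fake ACK, and they are only as strong as the shared secret: RFC 5176 runs over UDP with MD5-based integrity, so a per-NAS secret and a protected path between NAS and policy server (or RADIUS over TLS/IPsec where the NAS supports it) are part of making the "isolate user" step trustworthy.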
ClearPass Profiler Engine
• ClearPass collects as much information as possible to determine a device type
• Category, Family, Product Name
• The fingerprint database is updated regularly
• Create your own fingerprints
• Store credentials for SNMP, SSH etc.
• Profiling at authentication time or on demand
• Detection of IoT devices
Collection methods: DHCP, SNMP, SSH, TCP/WMI, CDP/LLDP, OnGuard, NMAP, MAC OUI, HTTP

ClearPass Profiler Engine: Profiling on authentication, discover IoT
Before: unknown, unknown. After: Lighting Sensor, Temperature Sensor.
Flow: unknown device → send to quarantine → profiling → discover IoT → assign the appropriate new policy

ClearPass Profiler Engine: Custom Fingerprint Rules
OLD WAY: wait for new fingerprints to be made and/or manually override devices 1:1
NEW WAY: create your own fingerprints
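The three profiler slides above describe collectors, a fingerprint database, custom fingerprints and the quarantine-then-profile flow. The following is an added example written for this page of how those pieces fit together; it is not ClearPass's profiler and its OUIs, fingerprint entries, vendor strings and observations are all constructed for illustration. Each fingerprint states the evidence it needs (OUI, DHCP option 55 parameter list, DHCP option 60 vendor class, HTTP User-Agent) and scores a device only when every stated condition holds; the best-scoring entry, with earlier entries winning ties, gives Category / Family / Product Name. A custom fingerprint turns an "unknown" sensor into a known IoT device, and a device whose OUI and behaviour disagree is flagged rather than trusted, which is the check you want before letting a MAC-authenticated device inherit an IoT policy.

```python
"""Device profiler in the style of the Profiler Engine slides (added example,
not ClearPass code). Collectors contribute attributes per MAC (DHCP options
55/60, MAC OUI, HTTP User-Agent); an ordered fingerprint list maps them to
Category / Family / Product Name. The built-in list is extended with a custom
fingerprint, and a device whose OUI and behaviour disagree is flagged instead
of trusted. OUIs, fingerprints and observations are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Observation:
    mac: str
    dhcp_param_list: tuple = ()      # option 55, in request order
    dhcp_vendor_class: str = ""      # option 60
    user_agent: str = ""             # HTTP collector


@dataclass(frozen=True)
class Fingerprint:
    category: str
    family: str
    product: str
    oui: Optional[str] = None                # "aa:bb:cc"
    dhcp_param_list: Optional[tuple] = None  # exact match
    vendor_class: Optional[str] = None       # regex
    user_agent: Optional[str] = None         # regex

    def score(self, o: Observation) -> int:
        """Number of matching conditions; 0 unless every stated one matches."""
        checks = []
        if self.oui is not None:
            checks.append(o.mac.lower()[:8] == self.oui)
        if self.dhcp_param_list is not None:
            checks.append(o.dhcp_param_list == self.dhcp_param_list)
        if self.vendor_class is not None:
            checks.append(re.search(self.vendor_class, o.dhcp_vendor_class) is not None)
        if self.user_agent is not None:
            checks.append(re.search(self.user_agent, o.user_agent, re.I) is not None)
        return len(checks) if checks and all(checks) else 0


# Illustrative built-in database; a real fingerprint feed is far larger.
BUILTIN = [
    Fingerprint("Computer", "Windows", "Windows 10",
                dhcp_param_list=(1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252)),
    Fingerprint("SmartDevice", "Android", "Samsung Galaxy",
                vendor_class=r"^android-dhcp", user_agent=r"Android.*SM-G9\d\d"),
    Fingerprint("Printer", "HP", "HP LaserJet", vendor_class=r"JetDirect"),
]

# Custom fingerprint for a sensor the feed does not know (constructed OUI/vendor).
CUSTOM = [Fingerprint("IoT", "Building Automation", "Temperature Sensor",
                      oui="00:1a:2b", vendor_class=r"^acme-sensor/")]

# Which category a registered OUI is *supposed* to belong to (constructed table).
OUI_CATEGORY = {"00:1a:2b": "IoT"}


def profile(o: Observation, db: list) -> tuple:
    """Best-scoring fingerprint wins; ties go to the earlier entry (priority)."""
    best = max(db, key=lambda f: f.score(o))
    if best.score(o) == 0:
        return ("Unknown", "Unknown", "Unknown")
    return (best.category, best.family, best.product)


def suspicious(o: Observation, db: list) -> bool:
    """OUI says one thing, behaviour says another: likely MAC cloning to
    ride a MAC-auth/IoT policy. Never grant IoT access on OUI alone."""
    expected = OUI_CATEGORY.get(o.mac.lower()[:8])
    category = profile(o, db)[0]
    return expected is not None and category not in ("Unknown", expected)


def policy_for(o: Observation, db: list) -> str:
    """The slide's flow: unknown -> quarantine and profile on demand,
    known IoT -> IoT policy, conflicting evidence -> quarantine."""
    category = profile(o, db)[0]
    if suspicious(o, db) or category == "Unknown":
        return "quarantine"
    return {"IoT": "iot-internet-only", "Computer": "corp",
            "SmartDevice": "byod", "Printer": "printer"}[category]


# Constructed observations (not captured from a real network).
SENSOR = Observation("00:1A:2B:00:00:01", (1, 3, 6), "acme-sensor/1.2")
SPOOFER = Observation("00:1A:2B:00:00:99",
                      (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252))
GALAXY = Observation("aa:bb:cc:00:00:02", (1, 3, 6, 15, 26, 28, 51, 58, 59, 43),
                     "android-dhcp-7.0", "Mozilla/5.0 (Linux; Android 7.0; SM-G900F)")

if __name__ == "__main__":
    for name, o in (("sensor", SENSOR), ("spoofer", SPOOFER), ("galaxy", GALAXY)):
        print(name, profile(o, BUILTIN), "->", profile(o, BUILTIN + CUSTOM),
              policy_for(o, BUILTIN + CUSTOM))
```

Run against the built-in list alone, the sensor is "Unknown" and lands in quarantine; with the custom fingerprint added it is profiled as IoT and gets the IoT policy, which is the before/after on the slide. The second device carries the sensor vendor's OUI but the DHCP request pattern of a Windows PC: it profiles as a Computer, the OUI check flags the conflict, and it stays in quarantine instead of receiving the sensor's network access.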
ClearPass Universal Profiler: Standalone Profiling Engine
• Standalone profiling engine
• Wired and wireless networks
• Easily distributed for coverage and scalability
• New device visibility dashboard
• Reports
• Gain visibility of your network
• GA February 2017

DEMO: Profiling
ClearPass Modules / Workflows: OnGuard Client Health Check
• Automated health check before access
• Wired/Wireless: ensures posture compliance for laptops/computers
• Security: forces use of anti-virus/anti-spyware, firewalls, disk encryption...
• Remediation: manual or automatic
• Visibility: identifies poor behavior
• User notification: tells the user about failed checks
• Type: service or dissolvable web checker

DEMO: OnGuard
ClearPass Modules / Workflows: Secure Guest Login
• Flexible guest logins for any visitor
• Customizable splash pages
• Self-service workflows
• SMS authentication
• Sponsoring
• Social login
• Vouchers
• Predefined user/password
• MAC caching for repeat visitors
• Suitable for mobile devices

ClearPass Modules / Workflows: Secure Guest Login, Look and Feel
ClearPass Modules / Workflows: Onboard Employee Device
• BYOD: employees log in with personal devices
• User- and IT-friendly: one-time user registration, no IT intervention
• Security: IT-managed 802.1X and certificates
• Context: data added to the profile for adaptive policy and troubleshooting
• Self-managed: users can manage, delete and block their devices themselves
ClearPass Modules / Workflows: Certificate Distribution for BYOD
Enterprise PKI and CA (Active Directory with certificate authority, registration authority and validation authority; AD/RA/VA CA):
• IT-managed devices receive: domain, key & certificate
Built-in ClearPass CA (certificate authority):
• Personal devices receive: domain, user, device, key & unique certificate
ClearPass Modules / Workflows: Multi-Factor Authentication
• Additional authentication for Guest and Onboard workflows
• Multiple providers supported: SMS verification code; RSA Security; Duo; Zoom Facial Network; Kasada; more to come

DEMO: Onboard BYOD
Possible Access Concept: Wireless
• Guests: SSID "open" with captive portal → Internet only
• SSID "secure" with 802.1X (Dot1x): corporate PC → Corp LAN; others (BYOD) → Internet
• SSID "IoT": PSK / MAC authentication / profiling

Possible Access Concept: Wired
• Guests: captive portal → Internet only
• 802.1X (Dot1x) with certificate: corporate PC → Corp LAN
• MAC authentication / profiling: others → Internet
How to Approach a NAC Project: Best Practice and Experience
• Know the devices on the network
  • What is there? Where are they? New ones?
  • Inventory, profiling
• Define use cases
  • Which stakeholder groups are there?
  • Procedures, processes, access
  • Simple and few: keep it simple
• Plan enough time for a proof of concept
  • Bring the experience from the PoC back in and adapt
• Implement step by step
  • Not everything at once
  • But ultimately comprehensive

Thank you for your attention
Manuel Bitzi, Project Manager Network Engineering
manuel.bitzi@softec.ch

Apéro and Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
SOFTWARE CONTROLS FOR
NETWORK ACCESS SECURITY
Internet of
Things (IoT)
BYOD and
corporate owned
REST
API
Security monitoring
and threat prevention
Device management and
multi-factor authentication
Helpdesk and voiceSMS
service in the cloud
Multi-vendor
switching
Multi-vendor
WLANs
Aruba ClearPass with
Exchange Ecosystem
SOFTWARE CONTROLS FOR ldquoCOLORLESSrdquo PORTS
Device and
user identity
stores
Ports assigned to new
VLANs through ClearPass
based on device type
IoT devices on the
wired network
connecting to any portPrevention against malware
and insider threats
Secure per device
tunneling to Aruba
Mobility Controller
Aruba
switches
LEADING
SWISS
BRANDS
TRUST
US
Pause
Aruba ClearPass ndash Die Loumlsung fuumlr einen sicheren NetzwerkzugangManuel Bitzi SOFTEC AG
Evolution of Access Management and Control
Desktops amp Wired
Basic AAA with UserPort
Control
Windows Vulnerabilities
Perimeter security via
platform silos
High touch IT model
Mobile Devices BYOD amp
Wireless
Multi-factor policy control with
visibility
Multiple Attack Vectors
Cooperative trust via
context sharing
Self Service automated
process
YESTERDAY TODAY
Time For A New Mobility Defense Model
Static Perimeter Defense
IDSIPS
Firewalls
Adaptive Trust Defense
Perimeter
Defense
Physical
Components
AntiVirus
Security and Policy
for each user or
group
Web
gateways
Was sind die Hauptgruumlnde fuumlr ein NAC
AuthentifizierungZugriffsschutz
Automatische Konfiguration
Workflows
VisibilitaumltNachvollziehbarkeit
Top IT NAC Business Drivers
Authentication and Authorization
NAC Services Deployment
Architecture and Coverage
bull Provide secure wired
and wireless access
bull Enhance mobile and
cloud app access
bull Use of certificates
Deployment Services
bull Offer differentiated
access (IT-owned
BYOD IoT)
bull Deliver managed
and reliable guest
access
bull Provide consistent
privileges regardless
of location
bull Leverage 3rd-party
security solutions
bull IT-controlled access
bull Automate workflows
bull Simplicity
bull Possible User-
intervention
ClearPass Policy Manager and NAC Solution
Onboard Guest
Built-inbull Policy Enginebull RADIUSCoATACACSbull Profilingbull Accountingreportsbull Identity store
Expandable Applications
Remote Location
bull BYOD onboardingbull Simple guest accessbull Health assessments
OnGuard
Whatrsquos Inside
VISIBILITY
Device Profiling
Troubleshooting
Per Session Tracking
WORKFLOW
Onboarding and
Self-Registration
Guest Management
MDMEMM Integration
RULES
Context based
Device
Posture Checks
Built-in Certificate
Authority
Authentication based on Device Context
Device
Profiling
bull Samsung SM-G900
bull Android
bull ldquoJons-Galaxyrdquo
EMMMDMOnGuard
bull Personal owned
bull Registered
bull OS up-to-date
bull Hansen Jon [Sales]
bull MDM enabled = true
bull In-compliance = true
Identity
Stores
Network Devices
bull Hansen Jon [Sales]
bull Title ndash COO
bull Dept ndash Executive office
bull City ndash London
bull Location ndash Bldg 10
bull Floor ndash 3
bull Bandwidth ndash 10Mbps
Value of a Policy EngineRemove SSID Overload
NEW WAY Simplify separate traffic dynamically
by context
OLD WAY Separate access amp
traffic by SSIDs
ClearPass ExchangeEnd-to-End Control Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voiceSMSservice in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST APISQL
XMLHTTP LDAP
RADIUSTACACS
Traffic control ampthreat prevention
ClearPass Exchange ExampleExtensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
Devices profiled2 ClearPass checks McAfee ePO for endpoint status
3
ClearPass enforcesaccess privileges4
Devices establish connections1
ClearPass Exchange ExampleBi-directional Exchange ndash FirewallIPS Event
FirewallIPSSIEMetchellip
user connects and uploads threat
sends event to ClearPass
informs infrastructure
1 2
4
detects and blocks event
3isolates user5
notifies user opens service ticket notify third-party devices6
ClearPass Profiler Engine
bull ClearPass sammelt so viele Informationen wie moumlglich um einen Geraumltetyp zu bestimmen
bull Category Family Product Name
bull Fingerprint-Datenbank wird regelmaumlssig aktualisiert
bull Eigene Fingerprints erstellen
bull Credentials fuumlr SMNP SSH etc hinterlegen
bull Profiling bei Authentifizierung oder nach Bedarf
bull Erkennen von IoT Devices
DHCP
SNMP
SSH
TCPWMI
CDP LLDP
OnGuard
NMAP
Mac OUI
HTTP
ClearPass Profiler EngineProfiling on authentication discover IoT
AfterBefore
Lighting Sensorunknown
unknown Temperature Sensor
send to
quarantineprofiling assign
new policy
discover IoT assign appropriated policy
ClearPass Profiler EngineCustom Fingerprints Rules
NEW WAY Create your own
Fingerprints
OLD WAY Wait for new Fingerprints to be made andor manually override
devices 11
ClearPass Universal ProfilerStandalone Profiling Engine
bull Standalone profiling engine
bull Wired and wireless networks
bull Easily distributed for coverage
and scalability
bull New device visibility dashboard
bull Reports
bull Gain Visibility of your Network
bull GA February 2017
ClearPass Universal Profiler
DEMO Profiling
Clearpass Modules WorkflowsOnGuard Client Health Check
bull Automated Healthcheck before Access
bull WiredWireless Ensures posture compliance for laptopscomputers
bull Security Forces use of Anti-VirusAnti-Spyware firewalls disk encryptionhellip
bull Remediation Manual or auto
bull Visibility Identifies poor behavior
bull User Notification Tells User about failed checks
bull Type Service or dissolvable Web Checker
DEMO OnGuard
Clearpass Modules WorkflowsSecure Guest Login
bull Flexible Guest Logins for Any Visitor
bull Customizable Splash Pages
bull Self-Service Workflows
bull SMS Authentication
bull Sponsoring
bull Social Login
bull Vouchers
bull Predefined UserPassword
bull MAC Caching for repeat visitors
bull Suitable for Mobile Devices
Clearpass Modules WorkflowsSecure Guest Login Look and Feel
Clearpass Modules WorkflowsOnBoard Employee Device
bull BYOD Employees Login with Personal Devices
bull User and IT friendly One time user registration no IT intervention
bull Security IT managed 8021X and Certificates
bull Context Data added to profile for adaptive policy and troubleshooting
bull Selfmanaged User can manage delete and block devices by their own
Clearpass Modules WorkflowsCertificate Distribution for BYOD
bull Domain
bull Key amp
Certificate
Enterprise PKI and CA Built-in ClearPass CA
Certificate
Authority
Validation
Authority
Registration
Authority
Active
Directory
IT-Managed
Devices
bull Domain
bull User
bull Device
bull Key amp Unique
Certificate
Personal
Devices
CA
Certificate
Authority
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
SOFTWARE CONTROLS FOR ldquoCOLORLESSrdquo PORTS
Device and
user identity
stores
Ports assigned to new
VLANs through ClearPass
based on device type
IoT devices on the
wired network
connecting to any portPrevention against malware
and insider threats
Secure per device
tunneling to Aruba
Mobility Controller
Aruba
switches
LEADING
SWISS
BRANDS
TRUST
US
Pause
Aruba ClearPass ndash Die Loumlsung fuumlr einen sicheren NetzwerkzugangManuel Bitzi SOFTEC AG
Evolution of Access Management and Control
Desktops amp Wired
Basic AAA with UserPort
Control
Windows Vulnerabilities
Perimeter security via
platform silos
High touch IT model
Mobile Devices BYOD amp
Wireless
Multi-factor policy control with
visibility
Multiple Attack Vectors
Cooperative trust via
context sharing
Self Service automated
process
YESTERDAY TODAY
Time For A New Mobility Defense Model
Static Perimeter Defense
IDSIPS
Firewalls
Adaptive Trust Defense
Perimeter
Defense
Physical
Components
AntiVirus
Security and Policy
for each user or
group
Web
gateways
Was sind die Hauptgruumlnde fuumlr ein NAC
AuthentifizierungZugriffsschutz
Automatische Konfiguration
Workflows
VisibilitaumltNachvollziehbarkeit
Top IT NAC Business Drivers
Authentication and Authorization
NAC Services Deployment
Architecture and Coverage
bull Provide secure wired
and wireless access
bull Enhance mobile and
cloud app access
bull Use of certificates
Deployment Services
bull Offer differentiated
access (IT-owned
BYOD IoT)
bull Deliver managed
and reliable guest
access
bull Provide consistent
privileges regardless
of location
bull Leverage 3rd-party
security solutions
bull IT-controlled access
bull Automate workflows
bull Simplicity
bull Possible User-
intervention
ClearPass Policy Manager and NAC Solution
Onboard Guest
Built-inbull Policy Enginebull RADIUSCoATACACSbull Profilingbull Accountingreportsbull Identity store
Expandable Applications
Remote Location
bull BYOD onboardingbull Simple guest accessbull Health assessments
OnGuard
Whatrsquos Inside
VISIBILITY
Device Profiling
Troubleshooting
Per Session Tracking
WORKFLOW
Onboarding and
Self-Registration
Guest Management
MDMEMM Integration
RULES
Context based
Device
Posture Checks
Built-in Certificate
Authority
Authentication based on Device Context
Device
Profiling
bull Samsung SM-G900
bull Android
bull ldquoJons-Galaxyrdquo
EMMMDMOnGuard
bull Personal owned
bull Registered
bull OS up-to-date
bull Hansen Jon [Sales]
bull MDM enabled = true
bull In-compliance = true
Identity
Stores
Network Devices
bull Hansen Jon [Sales]
bull Title ndash COO
bull Dept ndash Executive office
bull City ndash London
bull Location ndash Bldg 10
bull Floor ndash 3
bull Bandwidth ndash 10Mbps
Value of a Policy EngineRemove SSID Overload
NEW WAY Simplify separate traffic dynamically
by context
OLD WAY Separate access amp
traffic by SSIDs
ClearPass ExchangeEnd-to-End Control Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voiceSMSservice in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST APISQL
XMLHTTP LDAP
RADIUSTACACS
Traffic control ampthreat prevention
ClearPass Exchange ExampleExtensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
Devices profiled2 ClearPass checks McAfee ePO for endpoint status
3
ClearPass enforcesaccess privileges4
Devices establish connections1
ClearPass Exchange ExampleBi-directional Exchange ndash FirewallIPS Event
FirewallIPSSIEMetchellip
user connects and uploads threat
sends event to ClearPass
informs infrastructure
1 2
4
detects and blocks event
3isolates user5
notifies user opens service ticket notify third-party devices6
ClearPass Profiler Engine
bull ClearPass sammelt so viele Informationen wie moumlglich um einen Geraumltetyp zu bestimmen
bull Category Family Product Name
bull Fingerprint-Datenbank wird regelmaumlssig aktualisiert
bull Eigene Fingerprints erstellen
bull Credentials fuumlr SMNP SSH etc hinterlegen
bull Profiling bei Authentifizierung oder nach Bedarf
bull Erkennen von IoT Devices
DHCP
SNMP
SSH
TCPWMI
CDP LLDP
OnGuard
NMAP
Mac OUI
HTTP
ClearPass Profiler EngineProfiling on authentication discover IoT
AfterBefore
Lighting Sensorunknown
unknown Temperature Sensor
send to
quarantineprofiling assign
new policy
discover IoT assign appropriated policy
ClearPass Profiler EngineCustom Fingerprints Rules
NEW WAY Create your own
Fingerprints
OLD WAY Wait for new Fingerprints to be made andor manually override
devices 11
ClearPass Universal ProfilerStandalone Profiling Engine
bull Standalone profiling engine
bull Wired and wireless networks
bull Easily distributed for coverage
and scalability
bull New device visibility dashboard
bull Reports
bull Gain Visibility of your Network
bull GA February 2017
ClearPass Universal Profiler
DEMO Profiling
Clearpass Modules WorkflowsOnGuard Client Health Check
bull Automated Healthcheck before Access
bull WiredWireless Ensures posture compliance for laptopscomputers
bull Security Forces use of Anti-VirusAnti-Spyware firewalls disk encryptionhellip
bull Remediation Manual or auto
bull Visibility Identifies poor behavior
bull User Notification Tells User about failed checks
bull Type Service or dissolvable Web Checker
DEMO OnGuard
Clearpass Modules WorkflowsSecure Guest Login
bull Flexible Guest Logins for Any Visitor
bull Customizable Splash Pages
bull Self-Service Workflows
bull SMS Authentication
bull Sponsoring
bull Social Login
bull Vouchers
bull Predefined UserPassword
bull MAC Caching for repeat visitors
bull Suitable for Mobile Devices
Clearpass Modules WorkflowsSecure Guest Login Look and Feel
Clearpass Modules WorkflowsOnBoard Employee Device
bull BYOD Employees Login with Personal Devices
bull User and IT friendly One time user registration no IT intervention
bull Security IT managed 8021X and Certificates
bull Context Data added to profile for adaptive policy and troubleshooting
bull Selfmanaged User can manage delete and block devices by their own
Clearpass Modules WorkflowsCertificate Distribution for BYOD
bull Domain
bull Key amp
Certificate
Enterprise PKI and CA Built-in ClearPass CA
Certificate
Authority
Validation
Authority
Registration
Authority
Active
Directory
IT-Managed
Devices
bull Domain
bull User
bull Device
bull Key amp Unique
Certificate
Personal
Devices
CA
Certificate
Authority
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
LEADING
SWISS
BRANDS
TRUST
US
Pause
Aruba ClearPass ndash Die Loumlsung fuumlr einen sicheren NetzwerkzugangManuel Bitzi SOFTEC AG
Evolution of Access Management and Control
Desktops amp Wired
Basic AAA with UserPort
Control
Windows Vulnerabilities
Perimeter security via
platform silos
High touch IT model
Mobile Devices BYOD amp
Wireless
Multi-factor policy control with
visibility
Multiple Attack Vectors
Cooperative trust via
context sharing
Self Service automated
process
YESTERDAY TODAY
Time For A New Mobility Defense Model
Static Perimeter Defense
IDSIPS
Firewalls
Adaptive Trust Defense
Perimeter
Defense
Physical
Components
AntiVirus
Security and Policy
for each user or
group
Web
gateways
Was sind die Hauptgruumlnde fuumlr ein NAC
AuthentifizierungZugriffsschutz
Automatische Konfiguration
Workflows
VisibilitaumltNachvollziehbarkeit
Top IT NAC Business Drivers
Authentication and Authorization
NAC Services Deployment
Architecture and Coverage
bull Provide secure wired
and wireless access
bull Enhance mobile and
cloud app access
bull Use of certificates
Deployment Services
bull Offer differentiated
access (IT-owned
BYOD IoT)
bull Deliver managed
and reliable guest
access
bull Provide consistent
privileges regardless
of location
bull Leverage 3rd-party
security solutions
bull IT-controlled access
bull Automate workflows
bull Simplicity
bull Possible User-
intervention
ClearPass Policy Manager and NAC Solution
Onboard Guest
Built-inbull Policy Enginebull RADIUSCoATACACSbull Profilingbull Accountingreportsbull Identity store
Expandable Applications
Remote Location
bull BYOD onboardingbull Simple guest accessbull Health assessments
OnGuard
Whatrsquos Inside
VISIBILITY
Device Profiling
Troubleshooting
Per Session Tracking
WORKFLOW
Onboarding and
Self-Registration
Guest Management
MDMEMM Integration
RULES
Context based
Device
Posture Checks
Built-in Certificate
Authority
Authentication based on Device Context
Device
Profiling
bull Samsung SM-G900
bull Android
bull ldquoJons-Galaxyrdquo
EMMMDMOnGuard
bull Personal owned
bull Registered
bull OS up-to-date
bull Hansen Jon [Sales]
bull MDM enabled = true
bull In-compliance = true
Identity
Stores
Network Devices
bull Hansen Jon [Sales]
bull Title ndash COO
bull Dept ndash Executive office
bull City ndash London
bull Location ndash Bldg 10
bull Floor ndash 3
bull Bandwidth ndash 10Mbps
Value of a Policy EngineRemove SSID Overload
NEW WAY Simplify separate traffic dynamically
by context
OLD WAY Separate access amp
traffic by SSIDs
ClearPass ExchangeEnd-to-End Control Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voiceSMSservice in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST APISQL
XMLHTTP LDAP
RADIUSTACACS
Traffic control ampthreat prevention
ClearPass Exchange ExampleExtensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
Devices profiled2 ClearPass checks McAfee ePO for endpoint status
3
ClearPass enforcesaccess privileges4
Devices establish connections1
ClearPass Exchange ExampleBi-directional Exchange ndash FirewallIPS Event
FirewallIPSSIEMetchellip
user connects and uploads threat
sends event to ClearPass
informs infrastructure
1 2
4
detects and blocks event
3isolates user5
notifies user opens service ticket notify third-party devices6
ClearPass Profiler Engine
bull ClearPass sammelt so viele Informationen wie moumlglich um einen Geraumltetyp zu bestimmen
bull Category Family Product Name
bull Fingerprint-Datenbank wird regelmaumlssig aktualisiert
bull Eigene Fingerprints erstellen
bull Credentials fuumlr SMNP SSH etc hinterlegen
bull Profiling bei Authentifizierung oder nach Bedarf
bull Erkennen von IoT Devices
DHCP
SNMP
SSH
TCPWMI
CDP LLDP
OnGuard
NMAP
Mac OUI
HTTP
ClearPass Profiler EngineProfiling on authentication discover IoT
AfterBefore
Lighting Sensorunknown
unknown Temperature Sensor
send to
quarantineprofiling assign
new policy
discover IoT assign appropriated policy
ClearPass Profiler EngineCustom Fingerprints Rules
NEW WAY Create your own
Fingerprints
OLD WAY Wait for new Fingerprints to be made andor manually override
devices 11
ClearPass Universal ProfilerStandalone Profiling Engine
bull Standalone profiling engine
bull Wired and wireless networks
bull Easily distributed for coverage
and scalability
bull New device visibility dashboard
bull Reports
bull Gain Visibility of your Network
bull GA February 2017
ClearPass Universal Profiler
DEMO Profiling
Clearpass Modules WorkflowsOnGuard Client Health Check
bull Automated Healthcheck before Access
bull WiredWireless Ensures posture compliance for laptopscomputers
bull Security Forces use of Anti-VirusAnti-Spyware firewalls disk encryptionhellip
bull Remediation Manual or auto
bull Visibility Identifies poor behavior
bull User Notification Tells User about failed checks
bull Type Service or dissolvable Web Checker
DEMO OnGuard
Clearpass Modules WorkflowsSecure Guest Login
bull Flexible Guest Logins for Any Visitor
bull Customizable Splash Pages
bull Self-Service Workflows
bull SMS Authentication
bull Sponsoring
bull Social Login
bull Vouchers
bull Predefined UserPassword
bull MAC Caching for repeat visitors
bull Suitable for Mobile Devices
Clearpass Modules WorkflowsSecure Guest Login Look and Feel
Clearpass Modules WorkflowsOnBoard Employee Device
bull BYOD Employees Login with Personal Devices
bull User and IT friendly One time user registration no IT intervention
bull Security IT managed 8021X and Certificates
bull Context Data added to profile for adaptive policy and troubleshooting
bull Selfmanaged User can manage delete and block devices by their own
Clearpass Modules WorkflowsCertificate Distribution for BYOD
bull Domain
bull Key amp
Certificate
Enterprise PKI and CA Built-in ClearPass CA
Certificate
Authority
Validation
Authority
Registration
Authority
Active
Directory
IT-Managed
Devices
bull Domain
bull User
bull Device
bull Key amp Unique
Certificate
Personal
Devices
CA
Certificate
Authority
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
Pause
Aruba ClearPass – The Solution for Secure Network Access
Manuel Bitzi, SOFTEC AG

Evolution of Access Management and Control
YESTERDAY
• Desktops & Wired
• Basic AAA with User/Port Control
• Windows Vulnerabilities
• Perimeter security via platform silos
• High touch IT model
TODAY
• Mobile Devices, BYOD & Wireless
• Multi-factor policy control with visibility
• Multiple Attack Vectors
• Cooperative trust via context sharing
• Self Service, automated process

Time For A New Mobility Defense Model
Static Perimeter Defense: IDS/IPS, Firewalls, Perimeter Defense, Physical Components, AntiVirus, Web gateways
Adaptive Trust Defense: Security and Policy for each user or group

What are the main reasons for a NAC?
• Authentication / access protection
• Automatic configuration
• Workflows
• Visibility / traceability

Top IT NAC Business Drivers
Authentication and Authorization
• Provide secure wired and wireless access
• Enhance mobile and cloud app access
• Use of certificates
NAC Services Deployment (Deployment Services)
• Offer differentiated access (IT-owned, BYOD, IoT)
• Deliver managed and reliable guest access
• Provide consistent privileges regardless of location
Architecture and Coverage
• Leverage 3rd-party security solutions
• IT-controlled access
• Automate workflows
• Simplicity
• Possible user intervention

ClearPass Policy Manager and NAC Solution
Built-in:
• Policy Engine
• RADIUS / CoA / TACACS
• Profiling
• Accounting / reports
• Identity store
Expandable Applications (Onboard, Guest, OnGuard):
• BYOD onboarding
• Simple guest access
• Health assessments
Remote Location

What's Inside
VISIBILITY: Device Profiling, Troubleshooting, Per Session Tracking
WORKFLOW: Onboarding and Self-Registration, Guest Management, MDM/EMM Integration
RULES: Context based, Device Posture Checks, Built-in Certificate Authority

Authentication based on Device Context
Device Profiling:
• Samsung SM-G900
• Android
• "Jons-Galaxy"
EMM / MDM / OnGuard:
• Personal owned
• Registered
• OS up-to-date
• Hansen Jon [Sales]
• MDM enabled = true
• In-compliance = true
Identity Stores:
• Hansen Jon [Sales]
• Title – COO
• Dept – Executive office
• City – London
Network Devices:
• Location – Bldg 10
• Floor – 3
• Bandwidth – 10Mbps

Value of a Policy Engine: Remove SSID Overload
OLD WAY: Separate access & traffic by SSIDs
NEW WAY: Simplify, separate traffic dynamically by context
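The two preceding slides describe a policy engine that derives the enforcement profile from device context (profiler result, EMM/MDM or OnGuard posture, identity-store attributes, network device) instead of from the SSID the client joined. The following Python block is an added illustration of that idea and is not ClearPass code; the context attribute names, VLAN numbers, role names and bandwidth tiers are constructed for the example.

```python
"""Context-based access policy (added illustration; not ClearPass code).

Instead of one SSID per user class, a single SSID is used and the enforcement
profile (role, VLAN, bandwidth cap) is derived from the same context the slide
lists: profiler result, EMM/MDM or OnGuard posture, identity-store attributes
and the network device the client is on. Attribute names and values are
constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class DeviceContext:
    category: str              # profiler result: "Computer", "SmartDevice", "IoT", "Unknown"
    os_family: str             # profiler result, e.g. "Android"
    owner: str                 # "corporate" or "personal" (EMM/MDM)
    mdm_enabled: bool          # device is enrolled in EMM/MDM or runs OnGuard
    in_compliance: bool        # posture / compliance state reported by EMM/MDM/OnGuard
    username: Optional[str] = None      # identity store; None for unauthenticated clients
    groups: Tuple[str, ...] = ()        # identity store group memberships
    location: str = ""                  # network device context, e.g. "Bldg 10 / Floor 3"


@dataclass
class Enforcement:
    role: str
    vlan: int
    bandwidth_kbps: Optional[int] = None   # None = no cap
    reason: str = ""


def decide(ctx: DeviceContext) -> Enforcement:
    """Ordered rule list, first match wins: the usual shape of a policy-manager service."""
    # 1. Anything the profiler could not classify gets no production access; it is
    #    put in a quarantine VLAN where on-demand profiling can run.
    if ctx.category == "Unknown":
        return Enforcement("quarantine", 999, reason="unprofiled device")
    # 2. IoT devices never reach the corporate LAN, whatever credentials they present.
    if ctx.category == "IoT":
        return Enforcement("iot-restricted", 400, 1_000, reason="IoT device, segmented")
    # 3. No identity: guest-style internet-only access with a bandwidth cap.
    if ctx.username is None:
        return Enforcement("guest", 900, 2_000, reason="no identity, internet only")
    # 4. Enrolled but non-compliant devices go to remediation before anything else.
    if ctx.mdm_enabled and not ctx.in_compliance:
        return Enforcement("remediation", 950, reason="posture check failed")
    # 5. Corporate-owned, compliant computers get the corporate LAN.
    if ctx.owner == "corporate" and ctx.in_compliance and ctx.category == "Computer":
        return Enforcement("corp-lan", 100, reason="managed, compliant computer")
    # 6. Registered, compliant BYOD: internet plus selected internal apps; the
    #    identity store decides the bandwidth tier (the slide's "Bandwidth – 10Mbps").
    if ctx.owner == "personal" and ctx.mdm_enabled and ctx.in_compliance:
        tier = 10_000 if "Executive" in ctx.groups else 5_000
        return Enforcement("byod", 200, tier, reason="registered BYOD, compliant")
    # 7. Authenticated but unmanaged: internet only.
    return Enforcement("internet-only", 300, 5_000, reason="authenticated, unmanaged device")


if __name__ == "__main__":
    # Constructed sample matching the slide: Jon Hansen's personal Galaxy, MDM-enrolled, compliant.
    jon = DeviceContext("SmartDevice", "Android", "personal", True, True,
                        username="jhansen", groups=("Sales", "Executive"),
                        location="Bldg 10 / Floor 3")
    print(decide(jon))
```

The rule order is the security-relevant part: unprofiled and IoT devices are handled before any identity is consulted, and a failed posture check overrides group membership, so a compliant-looking executive account on a non-compliant phone still lands in remediation rather than on the corporate LAN.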
ClearPass Exchange: End-to-End Control, Information and Visibility
• Multi-Vendor Infrastructure
• Device management and multi-factor authentication
• Helpdesk and voice/SMS service in the cloud
• Combine Identity Information
• Traffic control & threat prevention
Standard Protocols for custom extensions: REST API / SQL, XML / HTTP, LDAP, RADIUS / TACACS

ClearPass Exchange Example: Extensions for Intel Security – McAfee ePO
Components: corporate owned and IoT devices, BYOD and corporate owned devices, multi-vendor switching, multi-vendor WLAN, McAfee ePO
1. Devices establish connections
2. Devices are profiled
3. ClearPass checks McAfee ePO for endpoint status
4. ClearPass enforces access privileges

ClearPass Exchange Example: Bi-directional Exchange – Firewall/IPS Event
Firewall / IPS / SIEM etc.
1. User connects and uploads threat
2. Firewall/IPS detects and blocks the event
3. Sends event to ClearPass
4. ClearPass isolates the user
5. Informs infrastructure
6. Notifies user, opens service ticket, notifies third-party devices
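The bi-directional exchange above ends with the policy server isolating the user; on RADIUS-based access networks that isolation is done with a Change-of-Authorization message to the NAS that holds the session (the "RADIUS / CoA" listed under Built-in). The following Python block is an added illustration of steps 3 to 6 and is not ClearPass code: it builds and verifies a CoA-Request as specified in RFC 5176 and RFC 3579, using only the standard library. The session table, the event and the shared secret are constructed sample data, and the packet is returned rather than sent.

```python
"""Firewall/SIEM event -> RADIUS Change-of-Authorization (added illustration; not ClearPass code).

Implements steps 3 to 6 of the slide: a threat event arrives, the active session
for the source IP is looked up (as learned from RADIUS accounting), a CoA-Request
(RFC 5176, code 43) carrying Filter-Id = "quarantine" is built for the NAS that
holds the session, and the user / helpdesk / third-party systems are informed.
The session table, event and shared secret are constructed sample data.
"""
import hashlib
import hmac
import struct

COA_REQUEST = 43                     # RFC 5176 packet code
ATTR_USER_NAME = 1
ATTR_FILTER_ID = 11
ATTR_CALLING_STATION_ID = 31
ATTR_MESSAGE_AUTHENTICATOR = 80      # RFC 3579, HMAC-MD5 over the packet


def _avp(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: Type, Length (including the 2 header bytes), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_coa_request(secret: bytes, identifier: int, username: str,
                      calling_station_id: str, filter_id: str) -> bytes:
    attrs = (_avp(ATTR_USER_NAME, username.encode())
             + _avp(ATTR_CALLING_STATION_ID, calling_station_id.encode())
             + _avp(ATTR_FILTER_ID, filter_id.encode()))
    # Message-Authenticator is carried as 16 zero bytes while both hashes are computed.
    attrs_zeroed = attrs + _avp(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", COA_REQUEST, identifier & 0xFF, 20 + len(attrs_zeroed))
    # RFC 5176 section 3: Request Authenticator = MD5(Code + ID + Length + 16 zero octets + attributes + secret)
    request_auth = hashlib.md5(header + bytes(16) + attrs_zeroed + secret).digest()
    # RFC 3579 section 3.2: Message-Authenticator = HMAC-MD5(secret, whole packet with MA zeroed)
    msg_auth = hmac.new(secret, header + request_auth + attrs_zeroed, hashlib.md5).digest()
    return header + request_auth + attrs + _avp(ATTR_MESSAGE_AUTHENTICATOR, msg_auth)


def verify_coa_request(secret: bytes, packet: bytes) -> bool:
    """What a NAS does on receipt: check both authenticators before acting on the request."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    attrs, pos, ma_pos = packet[20:], 0, None
    while pos < len(attrs):                       # walk the TLV list, locating Message-Authenticator
        if pos + 2 > len(attrs):
            return False
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attrs):
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            ma_pos = pos
        pos += attr_len
    if ma_pos is None:
        return False
    received_ma = attrs[ma_pos + 2:ma_pos + 18]
    zeroed = attrs[:ma_pos + 2] + bytes(16) + attrs[ma_pos + 18:]
    expected_ra = hashlib.md5(packet[:4] + bytes(16) + zeroed + secret).digest()
    expected_ma = hmac.new(secret, packet[:20] + zeroed, hashlib.md5).digest()
    return (hmac.compare_digest(expected_ra, packet[4:20])
            and hmac.compare_digest(expected_ma, received_ma))


# Constructed session table as a policy server would hold it from RADIUS accounting.
SESSIONS = {
    "10.1.20.57": {"user": "jhansen", "mac": "00-11-22-33-44-55", "nas": "10.0.0.2"},
}


def handle_threat_event(event: dict, secret: bytes, identifier: int = 1) -> dict:
    """Steps 3 to 6: event in, CoA to the NAS, infrastructure and user informed."""
    session = SESSIONS.get(event.get("src_ip"))
    if session is None:
        return {"action": "ignored", "reason": "no active session for source IP"}
    packet = build_coa_request(secret, identifier, session["user"], session["mac"], "quarantine")
    # In production the packet is sent by UDP to the NAS on port 3799 and the CoA-ACK/NAK
    # is awaited; here it is returned so the caller can inspect it.
    return {
        "action": "isolate",
        "nas": session["nas"],
        "coa_packet": packet,
        "ticket": f"Quarantined {session['user']} ({session['mac']}) after: {event.get('signature')}",
        "notify": [session["user"], "helpdesk", "third-party-devices"],
    }


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    event = {"src_ip": "10.1.20.57", "signature": "malware upload blocked"}  # constructed event
    result = handle_threat_event(event, secret)
    print(result["action"], result["nas"], result["ticket"],
          verify_coa_request(secret, result["coa_packet"]))
```

Two details matter operationally: the Request Authenticator must be computed with the Message-Authenticator zeroed, because the latter covers the former, and a NAS that skips `verify_coa_request` would act on any CoA that reaches UDP/3799, which is why CoA listeners are restricted to the policy server's address and a strong per-NAS secret.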
ClearPass Profiler Engine
• ClearPass collects as much information as possible to determine the device type
• Category, Family, Product Name
• The fingerprint database is updated regularly
• Create your own fingerprints
• Store credentials for SNMP, SSH etc.
• Profiling at authentication or on demand
• Detection of IoT devices
Collection methods: DHCP, SNMP, SSH, TCP, WMI, CDP / LLDP, OnGuard, NMAP, MAC OUI, HTTP

ClearPass Profiler Engine: Profiling on authentication, discover IoT
Before: Lighting Sensor = unknown, Temperature Sensor = unknown; unknown devices are sent to quarantine, profiled and assigned a new policy
After: IoT discovered and assigned the appropriate policy

ClearPass Profiler Engine: Custom Fingerprint Rules
OLD WAY: Wait for new fingerprints to be made and/or manually override devices 1:1
NEW WAY: Create your own fingerprints
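The three Profiler Engine slides above describe fingerprint-based classification, quarantine of unknown devices until profiled, and operator-defined fingerprint rules. The following Python block is an added illustration of that workflow and is not ClearPass code: the fingerprint databases are small constructed samples (only the `B8:27:EB` OUI is a real Raspberry Pi Foundation block), the observation dictionary and the rule API are assumptions, and the before/after run reproduces the slide's temperature-sensor case.

```python
"""Passive device profiling with custom fingerprint rules (added illustration; not ClearPass code).

The profiler combines what a switch or DHCP relay sees anyway: the MAC OUI,
the DHCP option 55 parameter request list and the DHCP vendor class (option 60).
The fingerprint databases here are small constructed samples; a real engine
ships a large, regularly updated database and adds SNMP, SSH, WMI, CDP/LLDP,
NMAP and HTTP collection. It reproduces the slide's before/after case: an IoT
sensor that is "unknown" at first lands in quarantine, and after an operator
adds a custom fingerprint rule it is classified and gets an IoT policy.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Fingerprint:
    category: str      # e.g. "Computer", "SmartDevice", "IoT", "Unknown"
    family: str        # e.g. "Windows", "Android", or a vendor name
    product: str       # e.g. "Windows 10", "Temperature Sensor"


# Constructed sample of a DHCP option 55 fingerprint database (comma-joined option numbers).
DHCP55_DB: Dict[str, Fingerprint] = {
    "1,3,6,15,31,33,43,44,46,47,119,121,249,252": Fingerprint("Computer", "Windows", "Windows 10"),
    "1,3,6,15,26,28,51,58,59,43": Fingerprint("SmartDevice", "Android", "Android phone"),
}

# Constructed OUI sample (B8:27:EB is the Raspberry Pi Foundation block).
OUI_DB: Dict[str, str] = {
    "B8:27:EB": "Raspberry Pi Foundation",
    "00:11:22": "Example Vendor (constructed)",
}

# Operator-defined rules, checked before the built-in database so that an
# unknown device can be classified without waiting for a vendor DB update.
Observation = Dict[str, str]
CUSTOM_RULES: List[Tuple[Callable[[Observation], bool], Fingerprint]] = []


def add_custom_rule(predicate: Callable[[Observation], bool], fp: Fingerprint) -> None:
    CUSTOM_RULES.append((predicate, fp))


def profile(obs: Observation) -> Fingerprint:
    """obs keys: 'mac', 'dhcp55', 'dhcp60', 'hostname' (all optional strings)."""
    for predicate, fp in CUSTOM_RULES:
        if predicate(obs):
            return fp
    fp = DHCP55_DB.get(obs.get("dhcp55", ""))
    if fp is not None:
        return fp
    vendor = OUI_DB.get(obs.get("mac", "")[:8].upper())
    if vendor is not None:
        # Vendor known, device class not: still "Unknown" for policy purposes.
        return Fingerprint("Unknown", vendor, "Unknown")
    return Fingerprint("Unknown", "Unknown", "Unknown")


def policy_for(fp: Fingerprint) -> str:
    """Profiling result to enforcement role; unknown devices are quarantined, not trusted."""
    if fp.category == "Unknown":
        return "quarantine"           # on-demand profiling (SNMP/NMAP/HTTP) runs from here
    if fp.category == "IoT":
        return "iot-restricted"
    return "corporate-default"


if __name__ == "__main__":
    # Constructed observation: a sensor built on a Raspberry Pi that the built-in DB does not know.
    sensor = {"mac": "B8:27:EB:12:34:56", "dhcp55": "1,3,6,12,15,28,42", "dhcp60": "acme-temp-sensor/1.2"}
    print("before:", profile(sensor), policy_for(profile(sensor)))
    add_custom_rule(lambda o: o.get("dhcp60", "").startswith("acme-temp-sensor"),
                    Fingerprint("IoT", "ACME Sensors", "Temperature Sensor"))
    print("after: ", profile(sensor), policy_for(profile(sensor)))
```

A known vendor OUI alone is deliberately not enough to leave quarantine: OUIs say who made the network interface, not what the device is, and a Raspberry Pi can be a sensor, a kiosk or a laptop substitute. The custom rule keys on the DHCP vendor class, which the device itself announces, so the operator should combine it with a second signal (OUI, hostname pattern, an SNMP or HTTP banner) before granting anything beyond the restricted IoT role.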
ClearPass Universal Profiler: Standalone Profiling Engine
• Standalone profiling engine
• Wired and wireless networks
• Easily distributed for coverage and scalability
• New device visibility dashboard
• Reports
• Gain visibility of your network
• GA February 2017

ClearPass Universal Profiler

DEMO: Profiling

ClearPass Modules / Workflows: OnGuard Client Health Check
• Automated health check before access
• Wired/Wireless: ensures posture compliance for laptops/computers
• Security: forces use of anti-virus/anti-spyware, firewalls, disk encryption …
• Remediation: manual or automatic
• Visibility: identifies poor behavior
• User Notification: tells the user about failed checks
• Type: service or dissolvable web checker
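The OnGuard slide above lists what a client health check enforces (anti-virus/anti-spyware, firewall, disk encryption), that remediation can be manual or automatic, and that the user is told about failed checks. The following Python block is an added illustration of such a posture evaluation and is not OnGuard code; the report fields, the age thresholds and the sample endpoint reports are constructed for the example.

```python
"""Endpoint posture check before access (added illustration; not OnGuard code).

A constructed endpoint report is evaluated against posture rules of the kind
the slide lists (anti-virus / anti-spyware, host firewall, disk encryption,
patch level). The result separates items the agent can remediate on its own
from items the user must fix, and produces the text shown to the user.
Dates are ISO strings so the example runs without extra dependencies.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List


@dataclass
class EndpointReport:
    av_installed: bool
    av_running: bool
    av_signature_date: str     # ISO date of the newest anti-virus signatures
    firewall_enabled: bool
    disk_encrypted: bool
    os_patch_date: str         # ISO date of the last OS update


@dataclass
class PostureResult:
    healthy: bool
    failed: List[str] = field(default_factory=list)
    auto_remediate: List[str] = field(default_factory=list)   # agent can apply these itself
    manual: List[str] = field(default_factory=list)           # user has to act


def _days_between(older: str, newer: str) -> int:
    return (date.fromisoformat(newer) - date.fromisoformat(older)).days


def check_posture(r: EndpointReport, today: str,
                  max_signature_age_days: int = 7, max_patch_age_days: int = 30) -> PostureResult:
    res = PostureResult(healthy=True)

    def fail(check: str, fix: str, automatic: bool) -> None:
        res.healthy = False
        res.failed.append(check)
        (res.auto_remediate if automatic else res.manual).append(fix)

    # Anti-virus: only the most severe finding is reported (installed > running > current).
    if not r.av_installed:
        fail("anti-virus not installed", "install the approved anti-virus product", automatic=False)
    elif not r.av_running:
        fail("anti-virus not running", "start the anti-virus service", automatic=True)
    elif _days_between(r.av_signature_date, today) > max_signature_age_days:
        fail(f"anti-virus signatures older than {max_signature_age_days} days",
             "trigger a signature update", automatic=True)
    if not r.firewall_enabled:
        fail("host firewall disabled", "enable the host firewall", automatic=True)
    if not r.disk_encrypted:
        fail("disk not encrypted", "enable full-disk encryption", automatic=False)
    if _days_between(r.os_patch_date, today) > max_patch_age_days:
        fail(f"OS patches older than {max_patch_age_days} days", "install pending OS updates", automatic=False)
    return res


def user_message(res: PostureResult) -> str:
    """The notification the slide calls 'tells the user about failed checks'."""
    if res.healthy:
        return "Your device passed the health check; full access granted."
    lines = ["Your device is in remediation because of:"] + [f" - {c}" for c in res.failed]
    if res.auto_remediate:
        lines.append("Fixed automatically: " + "; ".join(res.auto_remediate))
    if res.manual:
        lines.append("Please fix: " + "; ".join(res.manual))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed report from a laptop whose firewall is off and whose disk is unencrypted.
    report = EndpointReport(True, True, "2017-02-10", False, False, "2017-02-01")
    print(user_message(check_posture(report, "2017-02-14")))
```

The result feeds the policy engine as a single `in_compliance` flag while the detail stays with the agent: the user sees what to fix, and the network side only needs to know whether the device belongs in the remediation role or not.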
DEMO: OnGuard

ClearPass Modules / Workflows: Secure Guest Login
• Flexible guest logins for any visitor
• Customizable splash pages
• Self-service workflows
• SMS authentication
• Sponsoring
• Social login
• Vouchers
• Predefined user/password
• MAC caching for repeat visitors
• Suitable for mobile devices

ClearPass Modules / Workflows: Secure Guest Login Look and Feel

ClearPass Modules / Workflows: OnBoard Employee Device
• BYOD: employees log in with personal devices
• User and IT friendly: one-time user registration, no IT intervention
• Security: IT-managed 802.1X and certificates
• Context: data added to the profile for adaptive policy and troubleshooting
• Self-managed: users can manage, delete and block their own devices

ClearPass Modules / Workflows: Certificate Distribution for BYOD
Enterprise PKI and CA: Certificate Authority (CA), Validation Authority (VA), Registration Authority (RA), Active Directory (AD)
IT-Managed Devices:
• Domain
• Key & Certificate
Built-in ClearPass CA: Certificate Authority (CA)
Personal Devices:
• Domain
• User
• Device
• Key & Unique Certificate

ClearPass Modules / Workflows: Multi-Factor Authentication
• Additional authentication for Guest and Onboard workflows
• Multiple support:
• SMS verification code
• RSA Security
• Duo
• Zoom Facial Network
• Kasada
• More to come

DEMO: OnBoard BYOD

Possible Access Concept: Wireless
• Guests: SSID "open" with captive portal, Internet only
• BYOD, Corp-PC and others: SSID "secure" with 802.1X (dot1x); Corp-PC to Corp LAN, others to Internet
• IoT: SSID "IoT" with PSK / MAC / profiling

Possible Access Concept: Wired
• Guests: captive portal, Internet only
• 802.1X (dot1x) / MAC-Auth / profiling: Corp-PC (certificate) to Corp LAN, others to Internet

How to approach a NAC project: Best practice and experience
• Know the devices on the network
• What is there? Where are they? Which are new?
• Inventory, profiling
• Define use cases
• Which stakeholder groups are there?
• Processes, workflows, access
• Few and simple: keep it simple
• Plan enough time for a proof of concept
• Bring in the experience from the PoC and adjust
• Implement step by step
• Not everything at once
• But ultimately network-wide

Thank you for your attention
Manuel Bitzi, Project Manager Network Engineering
manuelbitzisoftecch

Apéro and Networking
Thank you for your visit
SOFTEC AG, Industriestrasse 51, CH-6312 Steinhausen
kurtchristensoftecch, +41 41 747 07 60
Aruba ClearPass ndash Die Loumlsung fuumlr einen sicheren NetzwerkzugangManuel Bitzi SOFTEC AG
Evolution of Access Management and Control
Desktops amp Wired
Basic AAA with UserPort
Control
Windows Vulnerabilities
Perimeter security via
platform silos
High touch IT model
Mobile Devices BYOD amp
Wireless
Multi-factor policy control with
visibility
Multiple Attack Vectors
Cooperative trust via
context sharing
Self Service automated
process
YESTERDAY TODAY
Time For A New Mobility Defense Model
Static Perimeter Defense
IDSIPS
Firewalls
Adaptive Trust Defense
Perimeter
Defense
Physical
Components
AntiVirus
Security and Policy
for each user or
group
Web
gateways
Was sind die Hauptgruumlnde fuumlr ein NAC
AuthentifizierungZugriffsschutz
Automatische Konfiguration
Workflows
VisibilitaumltNachvollziehbarkeit
Top IT NAC Business Drivers
Authentication and Authorization
NAC Services Deployment
Architecture and Coverage
bull Provide secure wired
and wireless access
bull Enhance mobile and
cloud app access
bull Use of certificates
Deployment Services
bull Offer differentiated
access (IT-owned
BYOD IoT)
bull Deliver managed
and reliable guest
access
bull Provide consistent
privileges regardless
of location
bull Leverage 3rd-party
security solutions
bull IT-controlled access
bull Automate workflows
bull Simplicity
bull Possible User-
intervention
ClearPass Policy Manager and NAC Solution
Onboard Guest
Built-inbull Policy Enginebull RADIUSCoATACACSbull Profilingbull Accountingreportsbull Identity store
Expandable Applications
Remote Location
bull BYOD onboardingbull Simple guest accessbull Health assessments
OnGuard
Whatrsquos Inside
VISIBILITY
Device Profiling
Troubleshooting
Per Session Tracking
WORKFLOW
Onboarding and
Self-Registration
Guest Management
MDMEMM Integration
RULES
Context based
Device
Posture Checks
Built-in Certificate
Authority
Authentication based on Device Context
Device
Profiling
bull Samsung SM-G900
bull Android
bull ldquoJons-Galaxyrdquo
EMMMDMOnGuard
bull Personal owned
bull Registered
bull OS up-to-date
bull Hansen Jon [Sales]
bull MDM enabled = true
bull In-compliance = true
Identity
Stores
Network Devices
bull Hansen Jon [Sales]
bull Title ndash COO
bull Dept ndash Executive office
bull City ndash London
bull Location ndash Bldg 10
bull Floor ndash 3
bull Bandwidth ndash 10Mbps
Value of a Policy EngineRemove SSID Overload
NEW WAY Simplify separate traffic dynamically
by context
OLD WAY Separate access amp
traffic by SSIDs
ClearPass ExchangeEnd-to-End Control Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voiceSMSservice in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST APISQL
XMLHTTP LDAP
RADIUSTACACS
Traffic control ampthreat prevention
ClearPass Exchange ExampleExtensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
Devices profiled2 ClearPass checks McAfee ePO for endpoint status
3
ClearPass enforcesaccess privileges4
Devices establish connections1
ClearPass Exchange ExampleBi-directional Exchange ndash FirewallIPS Event
FirewallIPSSIEMetchellip
user connects and uploads threat
sends event to ClearPass
informs infrastructure
1 2
4
detects and blocks event
3isolates user5
notifies user opens service ticket notify third-party devices6
ClearPass Profiler Engine
bull ClearPass sammelt so viele Informationen wie moumlglich um einen Geraumltetyp zu bestimmen
bull Category Family Product Name
bull Fingerprint-Datenbank wird regelmaumlssig aktualisiert
bull Eigene Fingerprints erstellen
bull Credentials fuumlr SMNP SSH etc hinterlegen
bull Profiling bei Authentifizierung oder nach Bedarf
bull Erkennen von IoT Devices
DHCP
SNMP
SSH
TCPWMI
CDP LLDP
OnGuard
NMAP
Mac OUI
HTTP
ClearPass Profiler EngineProfiling on authentication discover IoT
AfterBefore
Lighting Sensorunknown
unknown Temperature Sensor
send to
quarantineprofiling assign
new policy
discover IoT assign appropriated policy
ClearPass Profiler EngineCustom Fingerprints Rules
NEW WAY Create your own
Fingerprints
OLD WAY Wait for new Fingerprints to be made andor manually override
devices 11
ClearPass Universal ProfilerStandalone Profiling Engine
bull Standalone profiling engine
bull Wired and wireless networks
bull Easily distributed for coverage
and scalability
bull New device visibility dashboard
bull Reports
bull Gain Visibility of your Network
bull GA February 2017
ClearPass Universal Profiler
DEMO Profiling
Clearpass Modules WorkflowsOnGuard Client Health Check
bull Automated Healthcheck before Access
bull WiredWireless Ensures posture compliance for laptopscomputers
bull Security Forces use of Anti-VirusAnti-Spyware firewalls disk encryptionhellip
bull Remediation Manual or auto
bull Visibility Identifies poor behavior
bull User Notification Tells User about failed checks
bull Type Service or dissolvable Web Checker
DEMO OnGuard
Clearpass Modules WorkflowsSecure Guest Login
bull Flexible Guest Logins for Any Visitor
bull Customizable Splash Pages
bull Self-Service Workflows
bull SMS Authentication
bull Sponsoring
bull Social Login
bull Vouchers
bull Predefined UserPassword
bull MAC Caching for repeat visitors
bull Suitable for Mobile Devices
Clearpass Modules WorkflowsSecure Guest Login Look and Feel
Clearpass Modules WorkflowsOnBoard Employee Device
bull BYOD Employees Login with Personal Devices
bull User and IT friendly One time user registration no IT intervention
bull Security IT managed 8021X and Certificates
bull Context Data added to profile for adaptive policy and troubleshooting
bull Selfmanaged User can manage delete and block devices by their own
Clearpass Modules WorkflowsCertificate Distribution for BYOD
bull Domain
bull Key amp
Certificate
Enterprise PKI and CA Built-in ClearPass CA
Certificate
Authority
Validation
Authority
Registration
Authority
Active
Directory
IT-Managed
Devices
bull Domain
bull User
bull Device
bull Key amp Unique
Certificate
Personal
Devices
CA
Certificate
Authority
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
Evolution of Access Management and Control
Desktops amp Wired
Basic AAA with UserPort
Control
Windows Vulnerabilities
Perimeter security via
platform silos
High touch IT model
Mobile Devices BYOD amp
Wireless
Multi-factor policy control with
visibility
Multiple Attack Vectors
Cooperative trust via
context sharing
Self Service automated
process
YESTERDAY TODAY
Time For A New Mobility Defense Model
Static Perimeter Defense
IDSIPS
Firewalls
Adaptive Trust Defense
Perimeter
Defense
Physical
Components
AntiVirus
Security and Policy
for each user or
group
Web
gateways
Was sind die Hauptgruumlnde fuumlr ein NAC
AuthentifizierungZugriffsschutz
Automatische Konfiguration
Workflows
VisibilitaumltNachvollziehbarkeit
Top IT NAC Business Drivers
Authentication and Authorization
NAC Services Deployment
Architecture and Coverage
bull Provide secure wired
and wireless access
bull Enhance mobile and
cloud app access
bull Use of certificates
Deployment Services
bull Offer differentiated
access (IT-owned
BYOD IoT)
bull Deliver managed
and reliable guest
access
bull Provide consistent
privileges regardless
of location
bull Leverage 3rd-party
security solutions
bull IT-controlled access
bull Automate workflows
bull Simplicity
bull Possible User-
intervention
ClearPass Policy Manager and NAC Solution
Onboard Guest
Built-inbull Policy Enginebull RADIUSCoATACACSbull Profilingbull Accountingreportsbull Identity store
Expandable Applications
Remote Location
bull BYOD onboardingbull Simple guest accessbull Health assessments
OnGuard
Whatrsquos Inside
VISIBILITY
Device Profiling
Troubleshooting
Per Session Tracking
WORKFLOW
Onboarding and
Self-Registration
Guest Management
MDMEMM Integration
RULES
Context based
Device
Posture Checks
Built-in Certificate
Authority
Authentication based on Device Context
Device
Profiling
bull Samsung SM-G900
bull Android
bull ldquoJons-Galaxyrdquo
EMMMDMOnGuard
bull Personal owned
bull Registered
bull OS up-to-date
bull Hansen Jon [Sales]
bull MDM enabled = true
bull In-compliance = true
Identity
Stores
Network Devices
bull Hansen Jon [Sales]
bull Title ndash COO
bull Dept ndash Executive office
bull City ndash London
bull Location ndash Bldg 10
bull Floor ndash 3
bull Bandwidth ndash 10Mbps
Value of a Policy EngineRemove SSID Overload
NEW WAY Simplify separate traffic dynamically
by context
OLD WAY Separate access amp
traffic by SSIDs
ClearPass ExchangeEnd-to-End Control Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voiceSMSservice in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST APISQL
XMLHTTP LDAP
RADIUSTACACS
Traffic control ampthreat prevention
ClearPass Exchange ExampleExtensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
Devices profiled2 ClearPass checks McAfee ePO for endpoint status
3
ClearPass enforcesaccess privileges4
Devices establish connections1
ClearPass Exchange ExampleBi-directional Exchange ndash FirewallIPS Event
FirewallIPSSIEMetchellip
user connects and uploads threat
sends event to ClearPass
informs infrastructure
1 2
4
detects and blocks event
3isolates user5
notifies user opens service ticket notify third-party devices6
ClearPass Profiler Engine
bull ClearPass sammelt so viele Informationen wie moumlglich um einen Geraumltetyp zu bestimmen
bull Category Family Product Name
bull Fingerprint-Datenbank wird regelmaumlssig aktualisiert
bull Eigene Fingerprints erstellen
bull Credentials fuumlr SMNP SSH etc hinterlegen
bull Profiling bei Authentifizierung oder nach Bedarf
bull Erkennen von IoT Devices
DHCP
SNMP
SSH
TCPWMI
CDP LLDP
OnGuard
NMAP
Mac OUI
HTTP
ClearPass Profiler EngineProfiling on authentication discover IoT
AfterBefore
Lighting Sensorunknown
unknown Temperature Sensor
send to
quarantineprofiling assign
new policy
discover IoT assign appropriated policy
ClearPass Profiler EngineCustom Fingerprints Rules
NEW WAY Create your own
Fingerprints
OLD WAY Wait for new Fingerprints to be made andor manually override
devices 11
ClearPass Universal ProfilerStandalone Profiling Engine
bull Standalone profiling engine
bull Wired and wireless networks
bull Easily distributed for coverage
and scalability
bull New device visibility dashboard
bull Reports
bull Gain Visibility of your Network
bull GA February 2017
ClearPass Universal Profiler
DEMO Profiling
Clearpass Modules WorkflowsOnGuard Client Health Check
bull Automated Healthcheck before Access
bull WiredWireless Ensures posture compliance for laptopscomputers
bull Security Forces use of Anti-VirusAnti-Spyware firewalls disk encryptionhellip
bull Remediation Manual or auto
bull Visibility Identifies poor behavior
bull User Notification Tells User about failed checks
bull Type Service or dissolvable Web Checker
DEMO OnGuard
Clearpass Modules WorkflowsSecure Guest Login
bull Flexible Guest Logins for Any Visitor
bull Customizable Splash Pages
bull Self-Service Workflows
bull SMS Authentication
bull Sponsoring
bull Social Login
bull Vouchers
bull Predefined UserPassword
bull MAC Caching for repeat visitors
bull Suitable for Mobile Devices
Clearpass Modules WorkflowsSecure Guest Login Look and Feel
Clearpass Modules WorkflowsOnBoard Employee Device
bull BYOD Employees Login with Personal Devices
bull User and IT friendly One time user registration no IT intervention
bull Security IT managed 8021X and Certificates
bull Context Data added to profile for adaptive policy and troubleshooting
bull Selfmanaged User can manage delete and block devices by their own
Clearpass Modules WorkflowsCertificate Distribution for BYOD
bull Domain
bull Key amp
Certificate
Enterprise PKI and CA Built-in ClearPass CA
Certificate
Authority
Validation
Authority
Registration
Authority
Active
Directory
IT-Managed
Devices
bull Domain
bull User
bull Device
bull Key amp Unique
Certificate
Personal
Devices
CA
Certificate
Authority
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
Time For A New Mobility Defense Model
Static Perimeter Defense
IDSIPS
Firewalls
Adaptive Trust Defense
Perimeter
Defense
Physical
Components
AntiVirus
Security and Policy
for each user or
group
Web
gateways
Was sind die Hauptgruumlnde fuumlr ein NAC
AuthentifizierungZugriffsschutz
Automatische Konfiguration
Workflows
VisibilitaumltNachvollziehbarkeit
Top IT NAC Business Drivers
Authentication and Authorization
NAC Services Deployment
Architecture and Coverage
bull Provide secure wired
and wireless access
bull Enhance mobile and
cloud app access
bull Use of certificates
Deployment Services
bull Offer differentiated
access (IT-owned
BYOD IoT)
bull Deliver managed
and reliable guest
access
bull Provide consistent
privileges regardless
of location
bull Leverage 3rd-party
security solutions
bull IT-controlled access
bull Automate workflows
bull Simplicity
bull Possible User-
intervention
ClearPass Policy Manager and NAC Solution
Onboard Guest
Built-inbull Policy Enginebull RADIUSCoATACACSbull Profilingbull Accountingreportsbull Identity store
Expandable Applications
Remote Location
bull BYOD onboardingbull Simple guest accessbull Health assessments
OnGuard
Whatrsquos Inside
VISIBILITY
Device Profiling
Troubleshooting
Per Session Tracking
WORKFLOW
Onboarding and
Self-Registration
Guest Management
MDMEMM Integration
RULES
Context based
Device
Posture Checks
Built-in Certificate
Authority
Authentication based on Device Context
Device
Profiling
bull Samsung SM-G900
bull Android
bull ldquoJons-Galaxyrdquo
EMMMDMOnGuard
bull Personal owned
bull Registered
bull OS up-to-date
bull Hansen Jon [Sales]
bull MDM enabled = true
bull In-compliance = true
Identity
Stores
Network Devices
bull Hansen Jon [Sales]
bull Title ndash COO
bull Dept ndash Executive office
bull City ndash London
bull Location ndash Bldg 10
bull Floor ndash 3
bull Bandwidth ndash 10Mbps
Value of a Policy EngineRemove SSID Overload
NEW WAY Simplify separate traffic dynamically
by context
OLD WAY Separate access amp
traffic by SSIDs
ClearPass ExchangeEnd-to-End Control Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voiceSMSservice in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST APISQL
XMLHTTP LDAP
RADIUSTACACS
Traffic control ampthreat prevention
ClearPass Exchange ExampleExtensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
Devices profiled2 ClearPass checks McAfee ePO for endpoint status
3
ClearPass enforcesaccess privileges4
Devices establish connections1
ClearPass Exchange ExampleBi-directional Exchange ndash FirewallIPS Event
FirewallIPSSIEMetchellip
user connects and uploads threat
sends event to ClearPass
informs infrastructure
1 2
4
detects and blocks event
3isolates user5
notifies user opens service ticket notify third-party devices6
ClearPass Profiler Engine
bull ClearPass sammelt so viele Informationen wie moumlglich um einen Geraumltetyp zu bestimmen
bull Category Family Product Name
bull Fingerprint-Datenbank wird regelmaumlssig aktualisiert
bull Eigene Fingerprints erstellen
bull Credentials fuumlr SMNP SSH etc hinterlegen
bull Profiling bei Authentifizierung oder nach Bedarf
bull Erkennen von IoT Devices
DHCP
SNMP
SSH
TCPWMI
CDP LLDP
OnGuard
NMAP
Mac OUI
HTTP
ClearPass Profiler EngineProfiling on authentication discover IoT
AfterBefore
Lighting Sensorunknown
unknown Temperature Sensor
send to
quarantineprofiling assign
new policy
discover IoT assign appropriated policy
ClearPass Profiler EngineCustom Fingerprints Rules
NEW WAY Create your own
Fingerprints
OLD WAY Wait for new Fingerprints to be made andor manually override
devices 11
ClearPass Universal ProfilerStandalone Profiling Engine
bull Standalone profiling engine
bull Wired and wireless networks
bull Easily distributed for coverage
and scalability
bull New device visibility dashboard
bull Reports
bull Gain Visibility of your Network
bull GA February 2017
ClearPass Universal Profiler
DEMO Profiling
Clearpass Modules WorkflowsOnGuard Client Health Check
bull Automated Healthcheck before Access
bull WiredWireless Ensures posture compliance for laptopscomputers
bull Security Forces use of Anti-VirusAnti-Spyware firewalls disk encryptionhellip
bull Remediation Manual or auto
bull Visibility Identifies poor behavior
bull User Notification Tells User about failed checks
bull Type Service or dissolvable Web Checker
DEMO OnGuard
Clearpass Modules WorkflowsSecure Guest Login
bull Flexible Guest Logins for Any Visitor
bull Customizable Splash Pages
bull Self-Service Workflows
bull SMS Authentication
bull Sponsoring
bull Social Login
bull Vouchers
bull Predefined UserPassword
bull MAC Caching for repeat visitors
bull Suitable for Mobile Devices
Clearpass Modules WorkflowsSecure Guest Login Look and Feel
Clearpass Modules WorkflowsOnBoard Employee Device
bull BYOD Employees Login with Personal Devices
bull User and IT friendly One time user registration no IT intervention
bull Security IT managed 8021X and Certificates
bull Context Data added to profile for adaptive policy and troubleshooting
bull Selfmanaged User can manage delete and block devices by their own
Clearpass Modules WorkflowsCertificate Distribution for BYOD
bull Domain
bull Key amp
Certificate
Enterprise PKI and CA Built-in ClearPass CA
Certificate
Authority
Validation
Authority
Registration
Authority
Active
Directory
IT-Managed
Devices
bull Domain
bull User
bull Device
bull Key amp Unique
Certificate
Personal
Devices
CA
Certificate
Authority
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
Was sind die Hauptgruumlnde fuumlr ein NAC
AuthentifizierungZugriffsschutz
Automatische Konfiguration
Workflows
VisibilitaumltNachvollziehbarkeit
Top IT NAC Business Drivers
Authentication and Authorization
NAC Services Deployment
Architecture and Coverage
bull Provide secure wired
and wireless access
bull Enhance mobile and
cloud app access
bull Use of certificates
Deployment Services
bull Offer differentiated
access (IT-owned
BYOD IoT)
bull Deliver managed
and reliable guest
access
bull Provide consistent
privileges regardless
of location
bull Leverage 3rd-party
security solutions
bull IT-controlled access
bull Automate workflows
bull Simplicity
bull Possible User-
intervention
ClearPass Policy Manager and NAC Solution
Onboard Guest
Built-inbull Policy Enginebull RADIUSCoATACACSbull Profilingbull Accountingreportsbull Identity store
Expandable Applications
Remote Location
bull BYOD onboardingbull Simple guest accessbull Health assessments
OnGuard
Whatrsquos Inside
VISIBILITY
Device Profiling
Troubleshooting
Per Session Tracking
WORKFLOW
Onboarding and
Self-Registration
Guest Management
MDMEMM Integration
RULES
Context based
Device
Posture Checks
Built-in Certificate
Authority
Authentication based on Device Context
Device
Profiling
bull Samsung SM-G900
bull Android
bull ldquoJons-Galaxyrdquo
EMMMDMOnGuard
bull Personal owned
bull Registered
bull OS up-to-date
bull Hansen Jon [Sales]
bull MDM enabled = true
bull In-compliance = true
Identity
Stores
Network Devices
bull Hansen Jon [Sales]
bull Title ndash COO
bull Dept ndash Executive office
bull City ndash London
bull Location ndash Bldg 10
bull Floor ndash 3
bull Bandwidth ndash 10Mbps
Value of a Policy EngineRemove SSID Overload
NEW WAY Simplify separate traffic dynamically
by context
OLD WAY Separate access amp
traffic by SSIDs
ClearPass ExchangeEnd-to-End Control Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voiceSMSservice in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST APISQL
XMLHTTP LDAP
RADIUSTACACS
Traffic control ampthreat prevention
ClearPass Exchange ExampleExtensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
Devices profiled2 ClearPass checks McAfee ePO for endpoint status
3
ClearPass enforcesaccess privileges4
Devices establish connections1
ClearPass Exchange ExampleBi-directional Exchange ndash FirewallIPS Event
FirewallIPSSIEMetchellip
user connects and uploads threat
sends event to ClearPass
informs infrastructure
1 2
4
detects and blocks event
3isolates user5
notifies user opens service ticket notify third-party devices6
ClearPass Profiler Engine
bull ClearPass sammelt so viele Informationen wie moumlglich um einen Geraumltetyp zu bestimmen
bull Category Family Product Name
bull Fingerprint-Datenbank wird regelmaumlssig aktualisiert
bull Eigene Fingerprints erstellen
bull Credentials fuumlr SMNP SSH etc hinterlegen
bull Profiling bei Authentifizierung oder nach Bedarf
bull Erkennen von IoT Devices
DHCP
SNMP
SSH
TCPWMI
CDP LLDP
OnGuard
NMAP
Mac OUI
HTTP
ClearPass Profiler EngineProfiling on authentication discover IoT
AfterBefore
Lighting Sensorunknown
unknown Temperature Sensor
send to
quarantineprofiling assign
new policy
discover IoT assign appropriated policy
ClearPass Profiler EngineCustom Fingerprints Rules
NEW WAY Create your own
Fingerprints
OLD WAY Wait for new Fingerprints to be made andor manually override
devices 11
ClearPass Universal ProfilerStandalone Profiling Engine
bull Standalone profiling engine
bull Wired and wireless networks
bull Easily distributed for coverage
and scalability
bull New device visibility dashboard
bull Reports
bull Gain Visibility of your Network
bull GA February 2017
ClearPass Universal Profiler
DEMO Profiling
Clearpass Modules WorkflowsOnGuard Client Health Check
bull Automated Healthcheck before Access
bull WiredWireless Ensures posture compliance for laptopscomputers
bull Security Forces use of Anti-VirusAnti-Spyware firewalls disk encryptionhellip
bull Remediation Manual or auto
bull Visibility Identifies poor behavior
bull User Notification Tells User about failed checks
bull Type Service or dissolvable Web Checker
DEMO OnGuard
Clearpass Modules WorkflowsSecure Guest Login
bull Flexible Guest Logins for Any Visitor
bull Customizable Splash Pages
bull Self-Service Workflows
bull SMS Authentication
bull Sponsoring
bull Social Login
bull Vouchers
bull Predefined UserPassword
bull MAC Caching for repeat visitors
bull Suitable for Mobile Devices
Clearpass Modules WorkflowsSecure Guest Login Look and Feel
ClearPass Modules & Workflows – OnBoard Employee Device
• BYOD: employees log in with personal devices
• User and IT friendly: one-time user registration, no IT intervention
• Security: IT-managed 802.1X and certificates
• Context: data added to the profile for adaptive policy and troubleshooting
• Self-managed: users can manage, delete and block their devices themselves
ClearPass Modules & Workflows – Certificate Distribution for BYOD
Diagram: two certificate paths.
IT-managed devices (domain, key & certificate) are enrolled through the enterprise PKI and CA: Certificate Authority (CA), Validation Authority (VA), Registration Authority (RA) and Active Directory (AD).
Personal devices (domain, user, device, key & unique certificate) are enrolled through the built-in ClearPass CA (Certificate Authority).
ClearPass Modules & Workflows – Multi-Factor Authentication
• Additional authentication for Guest and Onboard workflows
• Multiple providers supported:
  - SMS verification code
  - RSA Security
  - Duo
  - Zoom Facial Network
  - Kasada
  - More to come
DEMO: OnBoard BYOD
Possible access concept – Wireless
• Guests: SSID "open", captive portal → Internet only
• BYOD: SSID "secure", 802.1X (dot1x); Corp-PC → Corp LAN, others → Internet
• IoT: SSID "IoT", PSK / MAC auth / profiling
Possible access concept – Wired
• Guests: captive portal → Internet only
• 802.1X (dot1x): Corp-PC with certificate → Corp LAN, others → Internet
• MAC auth with profiling
How to approach a NAC project – best practice and experience
• Know the devices on your network
  - What is there? Where is it? What is new?
  - Inventory, profiling
• Define use cases
  - Which stakeholder groups are there?
  - Workflows, processes, access
  - Simple and few: keep it simple
• Plan enough time for a proof of concept
  - Feed the experience from the PoC back in and adjust
• Implement step by step
  - Not everything at once
  - But ultimately covering the whole network
Thank you for your attention
Manuel Bitzi, Project Manager Network Engineering
manuelbitzisoftecch
Apéro and networking
Thank you for your visit
SOFTEC AG, Industriestrasse 51, CH-6312 Steinhausen
kurtchristensoftecch
+41 41 747 07 60
Top IT NAC Business Drivers
Authentication and Authorization
• Provide secure wired and wireless access
• Enhance mobile and cloud app access
• Use of certificates
NAC Services Deployment
• Offer differentiated access (IT-owned, BYOD, IoT)
• Deliver managed and reliable guest access
• Provide consistent privileges regardless of location
• Leverage 3rd-party security solutions
Architecture and Coverage
• IT-controlled access
• Automate workflows
• Simplicity
• Possible user intervention
ClearPass Policy Manager and NAC Solution
Built-in:
• Policy engine
• RADIUS / CoA / TACACS
• Profiling
• Accounting / reports
• Identity store
Expandable applications (Onboard, Guest, OnGuard; the diagram also shows a remote location):
• BYOD onboarding
• Simple guest access
• Health assessments
What's Inside
VISIBILITY: device profiling; troubleshooting; per-session tracking
WORKFLOW: onboarding and self-registration; guest management; MDM/EMM integration
RULES: context based; device posture checks; built-in certificate authority
Authentication based on Device Context
Device profiling:
• Samsung SM-G900
• Android
• "Jons-Galaxy"
EMM / MDM / OnGuard:
• Personally owned
• Registered
• OS up-to-date
• Hansen Jon [Sales]
• MDM enabled = true
• In-compliance = true
Identity stores:
• Hansen Jon [Sales]
• Title – COO
• Dept – Executive office
• City – London
Network devices:
• Location – Bldg 10
• Floor – 3
• Bandwidth – 10Mbps
Value of a Policy Engine – Remove SSID Overload
NEW WAY: Simplify; separate traffic dynamically by context
OLD WAY: Separate access & traffic by SSIDs
ClearPass Exchange – End-to-End Control, Information and Visibility
• Multi-vendor infrastructure
• Device management and multi-factor authentication
• Helpdesk and voice/SMS service in the cloud
• Combine identity information
• Standard protocols for custom extensions: REST API, SQL, XML/HTTP, LDAP, RADIUS/TACACS
• Traffic control & threat prevention
ClearPass Exchange Example – Extensions for Intel Security (McAfee ePO)
Environment in the diagram: corporate-owned and IoT devices, BYOD and corporate-owned devices, multi-vendor switching, multi-vendor WLAN, McAfee ePO.
1. Devices establish connections
2. Devices are profiled
3. ClearPass checks McAfee ePO for endpoint status
4. ClearPass enforces access privileges
ClearPass Exchange Example – Bi-directional Exchange: Firewall/IPS Event
Participants in the diagram: firewall, IPS, SIEM, etc.
1. User connects and uploads a threat
2. Firewall/IPS detects and blocks the event
3. Sends the event to ClearPass
4. ClearPass informs the infrastructure
5. Isolates the user
6. Notifies the user, opens a service ticket, notifies third-party devices
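As an added example (not ClearPass's own code) tying together the profiling-on-authentication, device-context and bi-directional exchange slides above: a toy policy engine that quarantines unknown endpoints, decides access from context rather than from the SSID, and re-evaluates a live session with a Change-of-Authorization (CoA) when the profiler or a firewall/IPS event changes that context. Role names, attribute names, the severity threshold and the sample endpoints and event are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Enforcement profiles (constructed names for this example).
QUARANTINE = "quarantine"        # isolated VLAN: profiling collectors and remediation only
INTERNET_ONLY = "internet-only"
IOT_SEGMENT = "iot-segment"
CORP_LAN = "corp-lan"


@dataclass
class Endpoint:
    """Context the policy engine sees for one endpoint (attribute names constructed)."""
    mac: str
    category: str = "unknown"          # profiler result: Computer, SmartDevice, IoT, unknown
    auth_method: str = "none"          # eap-tls, eap-peap, mac-auth, captive-portal
    it_managed: bool = False           # domain-joined, IT-issued certificate
    registered: bool = False           # onboarded personal (BYOD) device
    posture_ok: Optional[bool] = None  # OnGuard/MDM compliance; None = no posture data yet
    user_dept: Optional[str] = None    # from the identity store
    threat_flag: bool = False          # set by a firewall/IPS/SIEM event


def evaluate(ep: Endpoint) -> Tuple[str, str]:
    """Decide the enforcement profile from context, not from the SSID the client joined."""
    if ep.threat_flag:
        return QUARANTINE, "threat event from security infrastructure"
    if ep.category == "unknown":
        return QUARANTINE, "unknown device: quarantine and profile"
    if ep.auth_method == "captive-portal":
        return INTERNET_ONLY, "guest via captive portal"
    if ep.category == "IoT":
        return IOT_SEGMENT, "profiled IoT device (PSK/MAC auth)"
    if ep.auth_method == "eap-tls" and ep.it_managed and ep.posture_ok is not False:
        return CORP_LAN, "IT-managed device with certificate"
    if ep.registered and ep.posture_ok is False:
        return QUARANTINE, "onboarded device failed health check: remediate"
    if ep.registered and ep.posture_ok and ep.user_dept:
        return CORP_LAN, f"onboarded BYOD device, user in {ep.user_dept}, posture compliant"
    return INTERNET_ONLY, "authenticated but no corporate entitlement"


@dataclass
class PolicyEngine:
    endpoints: Dict[str, Endpoint] = field(default_factory=dict)  # mac -> context
    sessions: Dict[str, str] = field(default_factory=dict)        # ip -> mac
    current: Dict[str, str] = field(default_factory=dict)         # mac -> profile in force
    coa_log: List[Tuple[str, str, str]] = field(default_factory=list)  # (mac, profile, why)

    def authenticate(self, ep: Endpoint, ip: str) -> str:
        """Initial decision at authentication time."""
        self.endpoints[ep.mac] = ep
        self.sessions[ip] = ep.mac
        self.current[ep.mac] = evaluate(ep)[0]
        return self.current[ep.mac]

    def _reevaluate(self, mac: str) -> str:
        """Re-run policy; if the result changed, record a CoA that moves the live session."""
        profile, reason = evaluate(self.endpoints[mac])
        if profile != self.current.get(mac):
            self.coa_log.append((mac, profile, reason))
            self.current[mac] = profile
        return profile

    def profile_update(self, mac: str, category: str) -> str:
        """Profiler learned the device type (e.g. unknown -> IoT): assign the new policy."""
        self.endpoints[mac].category = category
        return self._reevaluate(mac)

    def threat_event(self, event: dict) -> Optional[str]:
        """Bi-directional exchange: a firewall/IPS/SIEM event about a source IP.
        Low-severity events are only logged; severity >= 7 isolates the endpoint.
        Returns the profile now in force, or None if no session matches the IP."""
        mac = self.sessions.get(event.get("src_ip", ""))
        if mac is None:
            return None
        if int(event.get("severity", 0)) < 7:
            return self.current[mac]
        self.endpoints[mac].threat_flag = True
        return self._reevaluate(mac)


def run_demo() -> dict:
    """Constructed walk-through: unprofiled sensor, onboarded phone, corporate laptop."""
    engine = PolicyEngine()
    sensor = Endpoint("00:11:22:aa:bb:01", auth_method="mac-auth")
    phone = Endpoint("00:11:22:aa:bb:02", category="SmartDevice", auth_method="eap-tls",
                     registered=True, posture_ok=True, user_dept="Sales")
    laptop = Endpoint("00:11:22:aa:bb:03", category="Computer", auth_method="eap-tls",
                      it_managed=True, posture_ok=True)
    first = {"sensor": engine.authenticate(sensor, "10.0.50.10"),
             "phone": engine.authenticate(phone, "10.0.20.11"),
             "laptop": engine.authenticate(laptop, "10.0.10.12")}
    after_profile = engine.profile_update(sensor.mac, "IoT")       # quarantine -> iot-segment
    # Constructed IPS event: the laptop uploaded something the IPS blocked.
    after_event = engine.threat_event({"src_ip": "10.0.10.12", "severity": 9})
    return {"first": first, "after_profile": after_profile,
            "after_event": after_event, "coa": engine.coa_log}
```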
ClearPass Profiler Engine
bull ClearPass sammelt so viele Informationen wie moumlglich um einen Geraumltetyp zu bestimmen
bull Category Family Product Name
bull Fingerprint-Datenbank wird regelmaumlssig aktualisiert
bull Eigene Fingerprints erstellen
bull Credentials fuumlr SMNP SSH etc hinterlegen
bull Profiling bei Authentifizierung oder nach Bedarf
bull Erkennen von IoT Devices
DHCP
SNMP
SSH
TCPWMI
CDP LLDP
OnGuard
NMAP
Mac OUI
HTTP
ClearPass Profiler EngineProfiling on authentication discover IoT
AfterBefore
Lighting Sensorunknown
unknown Temperature Sensor
send to
quarantineprofiling assign
new policy
discover IoT assign appropriated policy
ClearPass Profiler EngineCustom Fingerprints Rules
NEW WAY Create your own
Fingerprints
OLD WAY Wait for new Fingerprints to be made andor manually override
devices 11
ClearPass Universal ProfilerStandalone Profiling Engine
bull Standalone profiling engine
bull Wired and wireless networks
bull Easily distributed for coverage
and scalability
bull New device visibility dashboard
bull Reports
bull Gain Visibility of your Network
bull GA February 2017
ClearPass Universal Profiler
DEMO Profiling
Clearpass Modules WorkflowsOnGuard Client Health Check
bull Automated Healthcheck before Access
bull WiredWireless Ensures posture compliance for laptopscomputers
bull Security Forces use of Anti-VirusAnti-Spyware firewalls disk encryptionhellip
bull Remediation Manual or auto
bull Visibility Identifies poor behavior
bull User Notification Tells User about failed checks
bull Type Service or dissolvable Web Checker
DEMO OnGuard
Clearpass Modules WorkflowsSecure Guest Login
bull Flexible Guest Logins for Any Visitor
bull Customizable Splash Pages
bull Self-Service Workflows
bull SMS Authentication
bull Sponsoring
bull Social Login
bull Vouchers
bull Predefined UserPassword
bull MAC Caching for repeat visitors
bull Suitable for Mobile Devices
Clearpass Modules WorkflowsSecure Guest Login Look and Feel
Clearpass Modules WorkflowsOnBoard Employee Device
bull BYOD Employees Login with Personal Devices
bull User and IT friendly One time user registration no IT intervention
bull Security IT managed 8021X and Certificates
bull Context Data added to profile for adaptive policy and troubleshooting
bull Selfmanaged User can manage delete and block devices by their own
Clearpass Modules WorkflowsCertificate Distribution for BYOD
bull Domain
bull Key amp
Certificate
Enterprise PKI and CA Built-in ClearPass CA
Certificate
Authority
Validation
Authority
Registration
Authority
Active
Directory
IT-Managed
Devices
bull Domain
bull User
bull Device
bull Key amp Unique
Certificate
Personal
Devices
CA
Certificate
Authority
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
ClearPass Policy Manager and NAC Solution
Onboard Guest
Built-inbull Policy Enginebull RADIUSCoATACACSbull Profilingbull Accountingreportsbull Identity store
Expandable Applications
Remote Location
bull BYOD onboardingbull Simple guest accessbull Health assessments
OnGuard
Whatrsquos Inside
VISIBILITY
Device Profiling
Troubleshooting
Per Session Tracking
WORKFLOW
Onboarding and
Self-Registration
Guest Management
MDMEMM Integration
RULES
Context based
Device
Posture Checks
Built-in Certificate
Authority
Authentication based on Device Context
Device
Profiling
bull Samsung SM-G900
bull Android
bull ldquoJons-Galaxyrdquo
EMMMDMOnGuard
bull Personal owned
bull Registered
bull OS up-to-date
bull Hansen Jon [Sales]
bull MDM enabled = true
bull In-compliance = true
Identity
Stores
Network Devices
bull Hansen Jon [Sales]
bull Title ndash COO
bull Dept ndash Executive office
bull City ndash London
bull Location ndash Bldg 10
bull Floor ndash 3
bull Bandwidth ndash 10Mbps
Value of a Policy EngineRemove SSID Overload
NEW WAY Simplify separate traffic dynamically
by context
OLD WAY Separate access amp
traffic by SSIDs
ClearPass ExchangeEnd-to-End Control Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voiceSMSservice in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST APISQL
XMLHTTP LDAP
RADIUSTACACS
Traffic control ampthreat prevention
ClearPass Exchange ExampleExtensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
Devices profiled2 ClearPass checks McAfee ePO for endpoint status
3
ClearPass enforcesaccess privileges4
Devices establish connections1
ClearPass Exchange ExampleBi-directional Exchange ndash FirewallIPS Event
FirewallIPSSIEMetchellip
user connects and uploads threat
sends event to ClearPass
informs infrastructure
1 2
4
detects and blocks event
3isolates user5
notifies user opens service ticket notify third-party devices6
ClearPass Profiler Engine
bull ClearPass sammelt so viele Informationen wie moumlglich um einen Geraumltetyp zu bestimmen
bull Category Family Product Name
bull Fingerprint-Datenbank wird regelmaumlssig aktualisiert
bull Eigene Fingerprints erstellen
bull Credentials fuumlr SMNP SSH etc hinterlegen
bull Profiling bei Authentifizierung oder nach Bedarf
bull Erkennen von IoT Devices
DHCP
SNMP
SSH
TCPWMI
CDP LLDP
OnGuard
NMAP
Mac OUI
HTTP
ClearPass Profiler EngineProfiling on authentication discover IoT
AfterBefore
Lighting Sensorunknown
unknown Temperature Sensor
send to
quarantineprofiling assign
new policy
discover IoT assign appropriated policy
ClearPass Profiler EngineCustom Fingerprints Rules
NEW WAY Create your own
Fingerprints
OLD WAY Wait for new Fingerprints to be made andor manually override
devices 11
ClearPass Universal ProfilerStandalone Profiling Engine
bull Standalone profiling engine
bull Wired and wireless networks
bull Easily distributed for coverage
and scalability
bull New device visibility dashboard
bull Reports
bull Gain Visibility of your Network
bull GA February 2017
ClearPass Universal Profiler
DEMO Profiling
Clearpass Modules WorkflowsOnGuard Client Health Check
bull Automated Healthcheck before Access
bull WiredWireless Ensures posture compliance for laptopscomputers
bull Security Forces use of Anti-VirusAnti-Spyware firewalls disk encryptionhellip
bull Remediation Manual or auto
bull Visibility Identifies poor behavior
bull User Notification Tells User about failed checks
bull Type Service or dissolvable Web Checker
DEMO OnGuard
Clearpass Modules WorkflowsSecure Guest Login
bull Flexible Guest Logins for Any Visitor
bull Customizable Splash Pages
bull Self-Service Workflows
bull SMS Authentication
bull Sponsoring
bull Social Login
bull Vouchers
bull Predefined UserPassword
bull MAC Caching for repeat visitors
bull Suitable for Mobile Devices
Clearpass Modules WorkflowsSecure Guest Login Look and Feel
Clearpass Modules WorkflowsOnBoard Employee Device
bull BYOD Employees Login with Personal Devices
bull User and IT friendly One time user registration no IT intervention
bull Security IT managed 8021X and Certificates
bull Context Data added to profile for adaptive policy and troubleshooting
bull Selfmanaged User can manage delete and block devices by their own
Clearpass Modules WorkflowsCertificate Distribution for BYOD
bull Domain
bull Key amp
Certificate
Enterprise PKI and CA Built-in ClearPass CA
Certificate
Authority
Validation
Authority
Registration
Authority
Active
Directory
IT-Managed
Devices
bull Domain
bull User
bull Device
bull Key amp Unique
Certificate
Personal
Devices
CA
Certificate
Authority
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
Whatrsquos Inside
VISIBILITY
Device Profiling
Troubleshooting
Per Session Tracking
WORKFLOW
Onboarding and
Self-Registration
Guest Management
MDMEMM Integration
RULES
Context based
Device
Posture Checks
Built-in Certificate
Authority
Authentication based on Device Context
Device
Profiling
bull Samsung SM-G900
bull Android
bull ldquoJons-Galaxyrdquo
EMMMDMOnGuard
bull Personal owned
bull Registered
bull OS up-to-date
bull Hansen Jon [Sales]
bull MDM enabled = true
bull In-compliance = true
Identity
Stores
Network Devices
bull Hansen Jon [Sales]
bull Title ndash COO
bull Dept ndash Executive office
bull City ndash London
bull Location ndash Bldg 10
bull Floor ndash 3
bull Bandwidth ndash 10Mbps
Value of a Policy EngineRemove SSID Overload
NEW WAY Simplify separate traffic dynamically
by context
OLD WAY Separate access amp
traffic by SSIDs
ClearPass ExchangeEnd-to-End Control Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voiceSMSservice in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST APISQL
XMLHTTP LDAP
RADIUSTACACS
Traffic control ampthreat prevention
ClearPass Exchange ExampleExtensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
Devices profiled2 ClearPass checks McAfee ePO for endpoint status
3
ClearPass enforcesaccess privileges4
Devices establish connections1
ClearPass Exchange ExampleBi-directional Exchange ndash FirewallIPS Event
FirewallIPSSIEMetchellip
user connects and uploads threat
sends event to ClearPass
informs infrastructure
1 2
4
detects and blocks event
3isolates user5
notifies user opens service ticket notify third-party devices6
ClearPass Profiler Engine
bull ClearPass sammelt so viele Informationen wie moumlglich um einen Geraumltetyp zu bestimmen
bull Category Family Product Name
bull Fingerprint-Datenbank wird regelmaumlssig aktualisiert
bull Eigene Fingerprints erstellen
bull Credentials fuumlr SMNP SSH etc hinterlegen
bull Profiling bei Authentifizierung oder nach Bedarf
bull Erkennen von IoT Devices
DHCP
SNMP
SSH
TCPWMI
CDP LLDP
OnGuard
NMAP
Mac OUI
HTTP
ClearPass Profiler EngineProfiling on authentication discover IoT
AfterBefore
Lighting Sensorunknown
unknown Temperature Sensor
send to
quarantineprofiling assign
new policy
discover IoT assign appropriated policy
ClearPass Profiler EngineCustom Fingerprints Rules
NEW WAY Create your own
Fingerprints
OLD WAY Wait for new Fingerprints to be made andor manually override
devices 11
ClearPass Universal ProfilerStandalone Profiling Engine
bull Standalone profiling engine
bull Wired and wireless networks
bull Easily distributed for coverage
and scalability
bull New device visibility dashboard
bull Reports
bull Gain Visibility of your Network
bull GA February 2017
ClearPass Universal Profiler
DEMO Profiling
Clearpass Modules WorkflowsOnGuard Client Health Check
bull Automated Healthcheck before Access
bull WiredWireless Ensures posture compliance for laptopscomputers
bull Security Forces use of Anti-VirusAnti-Spyware firewalls disk encryptionhellip
bull Remediation Manual or auto
bull Visibility Identifies poor behavior
bull User Notification Tells User about failed checks
bull Type Service or dissolvable Web Checker
DEMO OnGuard
Clearpass Modules WorkflowsSecure Guest Login
bull Flexible Guest Logins for Any Visitor
bull Customizable Splash Pages
bull Self-Service Workflows
bull SMS Authentication
bull Sponsoring
bull Social Login
bull Vouchers
bull Predefined UserPassword
bull MAC Caching for repeat visitors
bull Suitable for Mobile Devices
Clearpass Modules WorkflowsSecure Guest Login Look and Feel
Clearpass Modules WorkflowsOnBoard Employee Device
bull BYOD Employees Login with Personal Devices
bull User and IT friendly One time user registration no IT intervention
bull Security IT managed 8021X and Certificates
bull Context Data added to profile for adaptive policy and troubleshooting
bull Selfmanaged User can manage delete and block devices by their own
Clearpass Modules WorkflowsCertificate Distribution for BYOD
bull Domain
bull Key amp
Certificate
Enterprise PKI and CA Built-in ClearPass CA
Certificate
Authority
Validation
Authority
Registration
Authority
Active
Directory
IT-Managed
Devices
bull Domain
bull User
bull Device
bull Key amp Unique
Certificate
Personal
Devices
CA
Certificate
Authority
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
Authentication based on Device Context
Device
Profiling
bull Samsung SM-G900
bull Android
bull ldquoJons-Galaxyrdquo
EMMMDMOnGuard
bull Personal owned
bull Registered
bull OS up-to-date
bull Hansen Jon [Sales]
bull MDM enabled = true
bull In-compliance = true
Identity
Stores
Network Devices
bull Hansen Jon [Sales]
bull Title ndash COO
bull Dept ndash Executive office
bull City ndash London
bull Location ndash Bldg 10
bull Floor ndash 3
bull Bandwidth ndash 10Mbps
Value of a Policy EngineRemove SSID Overload
NEW WAY Simplify separate traffic dynamically
by context
OLD WAY Separate access amp
traffic by SSIDs
ClearPass ExchangeEnd-to-End Control Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voiceSMSservice in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST APISQL
XMLHTTP LDAP
RADIUSTACACS
Traffic control ampthreat prevention
ClearPass Exchange ExampleExtensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
Devices profiled2 ClearPass checks McAfee ePO for endpoint status
3
ClearPass enforcesaccess privileges4
Devices establish connections1
ClearPass Exchange ExampleBi-directional Exchange ndash FirewallIPS Event
FirewallIPSSIEMetchellip
user connects and uploads threat
sends event to ClearPass
informs infrastructure
1 2
4
detects and blocks event
3isolates user5
notifies user opens service ticket notify third-party devices6
ClearPass Profiler Engine
bull ClearPass sammelt so viele Informationen wie moumlglich um einen Geraumltetyp zu bestimmen
bull Category Family Product Name
bull Fingerprint-Datenbank wird regelmaumlssig aktualisiert
bull Eigene Fingerprints erstellen
bull Credentials fuumlr SMNP SSH etc hinterlegen
bull Profiling bei Authentifizierung oder nach Bedarf
bull Erkennen von IoT Devices
DHCP
SNMP
SSH
TCPWMI
CDP LLDP
OnGuard
NMAP
Mac OUI
HTTP
ClearPass Profiler EngineProfiling on authentication discover IoT
AfterBefore
Lighting Sensorunknown
unknown Temperature Sensor
send to
quarantineprofiling assign
new policy
discover IoT assign appropriated policy
ClearPass Profiler EngineCustom Fingerprints Rules
NEW WAY Create your own
Fingerprints
OLD WAY Wait for new Fingerprints to be made andor manually override
devices 11
ClearPass Universal ProfilerStandalone Profiling Engine
bull Standalone profiling engine
bull Wired and wireless networks
bull Easily distributed for coverage
and scalability
bull New device visibility dashboard
bull Reports
bull Gain Visibility of your Network
bull GA February 2017
ClearPass Universal Profiler
DEMO Profiling
Clearpass Modules WorkflowsOnGuard Client Health Check
bull Automated Healthcheck before Access
bull WiredWireless Ensures posture compliance for laptopscomputers
bull Security Forces use of Anti-VirusAnti-Spyware firewalls disk encryptionhellip
bull Remediation Manual or auto
bull Visibility Identifies poor behavior
bull User Notification Tells User about failed checks
bull Type Service or dissolvable Web Checker
DEMO OnGuard
Clearpass Modules WorkflowsSecure Guest Login
bull Flexible Guest Logins for Any Visitor
bull Customizable Splash Pages
bull Self-Service Workflows
bull SMS Authentication
bull Sponsoring
bull Social Login
bull Vouchers
bull Predefined UserPassword
bull MAC Caching for repeat visitors
bull Suitable for Mobile Devices
Clearpass Modules WorkflowsSecure Guest Login Look and Feel
Clearpass Modules WorkflowsOnBoard Employee Device
bull BYOD Employees Login with Personal Devices
bull User and IT friendly One time user registration no IT intervention
bull Security IT managed 8021X and Certificates
bull Context Data added to profile for adaptive policy and troubleshooting
bull Selfmanaged User can manage delete and block devices by their own
Clearpass Modules WorkflowsCertificate Distribution for BYOD
bull Domain
bull Key amp
Certificate
Enterprise PKI and CA Built-in ClearPass CA
Certificate
Authority
Validation
Authority
Registration
Authority
Active
Directory
IT-Managed
Devices
bull Domain
bull User
bull Device
bull Key amp Unique
Certificate
Personal
Devices
CA
Certificate
Authority
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
Value of a Policy EngineRemove SSID Overload
NEW WAY Simplify separate traffic dynamically
by context
OLD WAY Separate access amp
traffic by SSIDs
ClearPass ExchangeEnd-to-End Control Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voiceSMSservice in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST APISQL
XMLHTTP LDAP
RADIUSTACACS
Traffic control ampthreat prevention
ClearPass Exchange ExampleExtensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
Devices profiled2 ClearPass checks McAfee ePO for endpoint status
3
ClearPass enforcesaccess privileges4
Devices establish connections1
ClearPass Exchange ExampleBi-directional Exchange ndash FirewallIPS Event
FirewallIPSSIEMetchellip
user connects and uploads threat
sends event to ClearPass
informs infrastructure
1 2
4
detects and blocks event
3isolates user5
notifies user opens service ticket notify third-party devices6
ClearPass Profiler Engine
bull ClearPass sammelt so viele Informationen wie moumlglich um einen Geraumltetyp zu bestimmen
bull Category Family Product Name
bull Fingerprint-Datenbank wird regelmaumlssig aktualisiert
bull Eigene Fingerprints erstellen
bull Credentials fuumlr SMNP SSH etc hinterlegen
bull Profiling bei Authentifizierung oder nach Bedarf
bull Erkennen von IoT Devices
DHCP
SNMP
SSH
TCPWMI
CDP LLDP
OnGuard
NMAP
Mac OUI
HTTP
ClearPass Profiler EngineProfiling on authentication discover IoT
AfterBefore
Lighting Sensorunknown
unknown Temperature Sensor
send to
quarantineprofiling assign
new policy
discover IoT assign appropriated policy
ClearPass Profiler EngineCustom Fingerprints Rules
NEW WAY Create your own
Fingerprints
OLD WAY Wait for new Fingerprints to be made andor manually override
devices 11
ClearPass Universal ProfilerStandalone Profiling Engine
bull Standalone profiling engine
bull Wired and wireless networks
bull Easily distributed for coverage
and scalability
bull New device visibility dashboard
bull Reports
bull Gain Visibility of your Network
bull GA February 2017
ClearPass Universal Profiler
DEMO Profiling
Clearpass Modules WorkflowsOnGuard Client Health Check
bull Automated Healthcheck before Access
bull WiredWireless Ensures posture compliance for laptopscomputers
bull Security Forces use of Anti-VirusAnti-Spyware firewalls disk encryptionhellip
bull Remediation Manual or auto
bull Visibility Identifies poor behavior
bull User Notification Tells User about failed checks
bull Type Service or dissolvable Web Checker
DEMO OnGuard
Clearpass Modules WorkflowsSecure Guest Login
bull Flexible Guest Logins for Any Visitor
bull Customizable Splash Pages
bull Self-Service Workflows
bull SMS Authentication
bull Sponsoring
bull Social Login
bull Vouchers
bull Predefined UserPassword
bull MAC Caching for repeat visitors
bull Suitable for Mobile Devices
Clearpass Modules WorkflowsSecure Guest Login Look and Feel
Clearpass Modules WorkflowsOnBoard Employee Device
bull BYOD Employees Login with Personal Devices
bull User and IT friendly One time user registration no IT intervention
bull Security IT managed 8021X and Certificates
bull Context Data added to profile for adaptive policy and troubleshooting
bull Selfmanaged User can manage delete and block devices by their own
Clearpass Modules WorkflowsCertificate Distribution for BYOD
bull Domain
bull Key amp
Certificate
Enterprise PKI and CA Built-in ClearPass CA
Certificate
Authority
Validation
Authority
Registration
Authority
Active
Directory
IT-Managed
Devices
bull Domain
bull User
bull Device
bull Key amp Unique
Certificate
Personal
Devices
CA
Certificate
Authority
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
ClearPass ExchangeEnd-to-End Control Information and Visibility
Multi-Vendor Infrastructure
Device management and multi-factor authentication
Helpdesk and voiceSMSservice in the cloud
Combine Identity Information
Standard Protocols for custom extensions
REST APISQL
XMLHTTP LDAP
RADIUSTACACS
Traffic control ampthreat prevention
ClearPass Exchange ExampleExtensions for Intel Security - McAfee ePO
Corporate owned and IoT
BYOD and corporate owned
Multi-vendor switching
Multi-vendor WLAN
McAfee ePO
Devices profiled2 ClearPass checks McAfee ePO for endpoint status
3
ClearPass enforcesaccess privileges4
Devices establish connections1
ClearPass Exchange example: bi-directional exchange, firewall/IPS event (diagram)
  Partners: firewall, IPS, SIEM, etc.
  1. User connects and uploads a threat
  2. Firewall/IPS detects and blocks the event
  3. Firewall/IPS sends the event to ClearPass
  4. ClearPass informs the infrastructure
  5. The user is isolated
  6. ClearPass notifies the user, opens a service ticket and notifies third-party devices
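Step 5 above ("the user is isolated") is normally carried out by sending the switch or controller that holds the session an RFC 5176 RADIUS Disconnect-Request (or a CoA-Request that moves it to a quarantine role). The block below is an added example, not ClearPass or SOFTEC code: it takes a constructed IPS alert in an assumed JSON shape, looks the source IP up in a constructed session table, and builds a Disconnect-Request with the Request Authenticator computed as RFC 5176 specifies, together with the check the NAS performs on receipt. The session table, the alert format and the shared secret are assumptions.

```python
import hashlib
import hmac
import json
import struct
from typing import Dict, Optional

# RFC 5176 packet code (CoA-Request, code 43, uses the same layout and authenticator).
DISCONNECT_REQUEST = 40
# Standard RADIUS attribute types used to identify the session.
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: Type(1) Length(1, header included) Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_disconnect_request(secret: bytes, ident: int, session: Dict[str, str]) -> bytes:
    """Build a Disconnect-Request for one session.

    RFC 5176: Request Authenticator = MD5(Code + Identifier + Length +
    16 zero octets + request attributes + shared secret).
    """
    attrs = (
        _attr(ATTR_USER_NAME, session["user"].encode())
        + _attr(ATTR_CALLING_STATION_ID, session["mac"].encode())
        + _attr(ATTR_ACCT_SESSION_ID, session["acct_session_id"].encode())
        + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in session["nas_ip"].split(".")))
    )
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident & 0xFF, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_request(secret: bytes, packet: bytes) -> bool:
    """The check the NAS performs on receipt: length sane and authenticator correct."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


# Constructed active-session table keyed by client IP. In practice this comes from
# RADIUS accounting (Framed-IP-Address, Acct-Session-Id, NAS-IP-Address).
SESSIONS = {
    "10.20.30.40": {"user": "alice", "mac": "00-11-22-33-44-55",
                    "acct_session_id": "5F1A0C77", "nas_ip": "10.0.0.5"},
}

# Constructed IPS/SIEM alert in an assumed JSON shape.
SAMPLE_EVENT = json.dumps({"src_ip": "10.20.30.40", "signature": "Trojan.Generic upload",
                           "severity": "high", "action": "blocked"})


def handle_ips_event(event_json: str, secret: bytes, sessions=SESSIONS,
                     ident: int = 1) -> Optional[bytes]:
    """Map a firewall/IPS alert to a Disconnect-Request for the offending session.

    Returns None when the alert is below threshold or no session owns the IP;
    log those cases. Correlating on IP alone is only safe while the session
    table is current: a stale entry would disconnect whoever reuses the address.
    """
    event = json.loads(event_json)
    if event.get("action") != "blocked" or event.get("severity") not in ("high", "critical"):
        return None
    session = sessions.get(event.get("src_ip", ""))
    if session is None:
        return None
    return build_disconnect_request(secret, ident, session)
```

The packet is sent over UDP to port 3799 of the NAS, which must have the sender's address and the shared secret configured; RFC 5176 requires a request with a wrong authenticator to be silently discarded, so a mismatch shows up as "nothing happened" rather than an error. The RFC also recommends adding a Message-Authenticator attribute (HMAC-MD5 over the packet), which this minimal builder omits.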
ClearPass Profiler Engine
• ClearPass collects as much information as possible to determine the device type
• Category, family, product name
• The fingerprint database is updated regularly
• Create your own fingerprints
• Store credentials for SNMP, SSH, etc.
• Profiling at authentication time or on demand
• Detection of IoT devices
Collection methods: DHCP, SNMP, SSH, TCP/WMI, CDP/LLDP, OnGuard, NMAP, MAC OUI, HTTP
ClearPass Profiler Engine: profiling on authentication, discovering IoT (diagram)
  Before: lighting sensor and temperature sensor are "unknown" → send to quarantine, profile
  After: recognised as Lighting Sensor / Temperature Sensor → assign new policy
  Discover IoT, assign the appropriate policy
ClearPass Profiler Engine: custom fingerprints and rules
  Old way: wait for new fingerprints to be released and/or manually override devices
  New way: create your own fingerprints
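To make the three profiler slides above concrete, here is an added example (not the ClearPass profiler and not its fingerprint database) of the matching logic: each fingerprint states conditions on collector data (MAC OUI, DHCP options 55 and 60, HTTP User-Agent, SNMP sysDescr); a fingerprint matches only if every condition it states has been observed and is satisfied; the most specific match wins; and custom fingerprints are consulted before built-in ones, which is what replaces the old "manually override" step. The fingerprint values, the sensor's User-Agent and the policy names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Observations = Dict[str, object]   # collector name -> value seen for one endpoint


@dataclass
class Fingerprint:
    """One profiling rule. Only the conditions that are set are required."""
    category: str
    family: str
    name: str
    oui: Optional[str] = None                      # first three MAC octets, lower case
    dhcp55: Optional[Tuple[int, ...]] = None       # DHCP option 55 parameter request list
    dhcp60_contains: Optional[str] = None          # DHCP option 60 vendor class
    http_ua_contains: Optional[str] = None         # HTTP User-Agent seen from the endpoint
    snmp_sysdescr_contains: Optional[str] = None   # SNMP sysDescr, needs stored credentials

    def specificity(self, obs: Observations) -> int:
        """Number of conditions satisfied, or 0 if any condition is unobserved or fails."""
        conditions = (
            ("mac_oui", self.oui, lambda seen, want: seen == want),
            ("dhcp55", self.dhcp55, lambda seen, want: tuple(seen) == want),
            ("dhcp60", self.dhcp60_contains, lambda seen, want: want in seen),
            ("http_ua", self.http_ua_contains, lambda seen, want: want in seen),
            ("snmp_sysdescr", self.snmp_sysdescr_contains, lambda seen, want: want in seen),
        )
        points = 0
        for key, want, test in conditions:
            if want is None:
                continue
            seen = obs.get(key)
            if seen is None or not test(seen, want):
                return 0
            points += 1
        return points


UNKNOWN = ("unknown", "unknown", "unknown")


def profile(obs: Observations, builtin: List[Fingerprint],
            custom: List[Fingerprint]) -> Tuple[str, str, str]:
    """Custom fingerprints win over built-in ones; within a database the most specific match wins."""
    for database in (custom, builtin):
        best = max(database, key=lambda fp: fp.specificity(obs), default=None)
        if best is not None and best.specificity(obs) > 0:
            return best.category, best.family, best.name
    return UNKNOWN


# Assumed enforcement names. A profiled "Computer" still has to pass 802.1X; the
# category alone never grants corporate access because every input here (MAC,
# DHCP options, User-Agent) is chosen by the client.
POLICY_BY_CATEGORY = {"IoT Sensor": "iot-segment", "Computer": "require-dot1x"}


def enforce(obs: Observations, builtin: List[Fingerprint],
            custom: List[Fingerprint]) -> Tuple[str, str]:
    category = profile(obs, builtin, custom)[0]
    return category, POLICY_BY_CATEGORY.get(category, "quarantine")


# Constructed toy fingerprint database; values are illustrative, not ClearPass's.
BUILTIN = [
    Fingerprint("Computer", "Windows", "Windows 10",
                dhcp55=(1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252),
                dhcp60_contains="MSFT 5.0"),
]

# "Before": only passive data (OUI, DHCP) is available and no fingerprint matches.
SENSOR_BEFORE: Observations = {"mac_oui": "00:1e:c0", "dhcp55": (1, 3, 6, 12, 15, 28, 42)}
# "After": on-demand collection added an HTTP banner and the admin wrote a custom rule.
SENSOR_AFTER: Observations = dict(SENSOR_BEFORE, http_ua="TempSensor/2.1 (ESP8266)")
CUSTOM = [Fingerprint("IoT Sensor", "Building Automation", "Temperature Sensor",
                      oui="00:1e:c0", http_ua_contains="TempSensor")]
```

Requiring every stated condition to be observed is what keeps an OUI-only custom rule from firing on the first packet: until the on-demand collectors (HTTP, SNMP, NMAP) have run, the sensor stays in quarantine, which is exactly the before/after flow on the slide.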
ClearPass Universal Profiler: standalone profiling engine
• Standalone profiling engine
• Wired and wireless networks
• Easily distributed for coverage and scalability
• New device visibility dashboard
• Reports
• Gain visibility of your network
• GA February 2017
ClearPass Universal Profiler (screenshot)
DEMO: Profiling
ClearPass modules / workflows: OnGuard client health check
• Automated health check before access
• Wired/wireless: ensures posture compliance for laptops and computers
• Security: enforces use of anti-virus/anti-spyware, firewalls, disk encryption, …
• Remediation: manual or automatic
• Visibility: identifies poor behaviour
• User notification: tells the user about failed checks
• Type: persistent agent (service) or dissolvable web checker
DEMO: OnGuard
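As an added example of the health-check logic (not OnGuard's own code; the thresholds, field names and message texts are assumptions), the following evaluates a constructed health report against the checks listed above, separates findings the agent can correct itself from those that need the user, and produces the notification text for the failed checks.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Tuple

# Assumed policy threshold for anti-virus signature age.
MAX_SIGNATURE_AGE = timedelta(days=7)


@dataclass(frozen=True)
class HealthReport:
    """What the agent (persistent service or dissolvable checker) reports about one endpoint."""
    av_installed: bool
    av_realtime_on: bool
    av_signature_date: date
    firewall_on: bool
    disk_encrypted: bool


@dataclass(frozen=True)
class Finding:
    check: str
    user_message: str   # shown to the user
    auto_fix: bool      # the agent can correct it without the user


def evaluate(report: HealthReport, today: date) -> Tuple[str, List[Finding]]:
    """Return ('HEALTHY' or 'QUARANTINE', findings). Any finding fails the check."""
    findings: List[Finding] = []
    if not report.av_installed:
        findings.append(Finding("antivirus", "No anti-virus product is installed.", False))
    else:
        if not report.av_realtime_on:
            findings.append(Finding("antivirus", "Real-time protection is switched off.", True))
        age = today - report.av_signature_date
        if age > MAX_SIGNATURE_AGE:
            findings.append(Finding(
                "antivirus",
                f"Virus signatures are {age.days} days old (limit {MAX_SIGNATURE_AGE.days}).",
                True))
    if not report.firewall_on:
        findings.append(Finding("firewall", "The host firewall is disabled.", True))
    if not report.disk_encrypted:
        findings.append(Finding("disk-encryption", "The system disk is not encrypted.", False))
    return ("HEALTHY" if not findings else "QUARANTINE"), findings


def remediation_plan(findings: List[Finding]) -> Tuple[List[str], List[str]]:
    """Split findings into checks the agent fixes itself and messages the user must act on."""
    auto = [f.check for f in findings if f.auto_fix]
    manual = [f.user_message for f in findings if not f.auto_fix]
    return auto, manual


# Constructed report: AV present but with stale signatures, firewall off, disk encrypted.
SAMPLE = HealthReport(av_installed=True, av_realtime_on=True,
                      av_signature_date=date(2017, 2, 1), firewall_on=False, disk_encrypted=True)

if __name__ == "__main__":
    verdict, findings = evaluate(SAMPLE, date(2017, 2, 20))
    print(verdict, remediation_plan(findings))
```

Note that a report from a dissolvable web checker is a point-in-time statement: the endpoint is only as healthy as it was when the checker ran, so the result needs a validity period and a re-check, whereas the persistent agent can report changes (firewall switched off) while the session is up.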
ClearPass modules / workflows: secure guest login
• Flexible guest logins for any visitor
• Customizable splash pages
• Self-service workflows
• SMS authentication
• Sponsoring
• Social login
• Vouchers
• Predefined user/password
• MAC caching for repeat visitors
• Suitable for mobile devices
ClearPass modules / workflows: secure guest login, look and feel (screenshots)
ClearPass modules / workflows: OnBoard employee device
• BYOD: employees log in with personal devices
• User and IT friendly: one-time user registration, no IT intervention
• Security: IT-managed 802.1X and certificates
• Context: data added to the profile for adaptive policy and troubleshooting
• Self-managed: users can manage, delete and block their own devices
ClearPass modules / workflows: certificate distribution for BYOD (diagram)
  Enterprise PKI and CA: Certificate Authority, Validation Authority, Registration Authority, Active Directory
    → IT-managed devices receive: domain, key & certificate
  Built-in ClearPass CA: Certificate Authority (AD / RA / VA / CA in one)
    → Personal devices receive: domain, user, device, key & unique certificate
bull Security IT managed 8021X and Certificates
bull Context Data added to profile for adaptive policy and troubleshooting
bull Selfmanaged User can manage delete and block devices by their own
Clearpass Modules WorkflowsCertificate Distribution for BYOD
bull Domain
bull Key amp
Certificate
Enterprise PKI and CA Built-in ClearPass CA
Certificate
Authority
Validation
Authority
Registration
Authority
Active
Directory
IT-Managed
Devices
bull Domain
bull User
bull Device
bull Key amp Unique
Certificate
Personal
Devices
CA
Certificate
Authority
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
Clearpass Modules WorkflowsSecure Guest Login
bull Flexible Guest Logins for Any Visitor
bull Customizable Splash Pages
bull Self-Service Workflows
bull SMS Authentication
bull Sponsoring
bull Social Login
bull Vouchers
bull Predefined UserPassword
bull MAC Caching for repeat visitors
bull Suitable for Mobile Devices
Clearpass Modules WorkflowsSecure Guest Login Look and Feel
Clearpass Modules WorkflowsOnBoard Employee Device
bull BYOD Employees Login with Personal Devices
bull User and IT friendly One time user registration no IT intervention
bull Security IT managed 8021X and Certificates
bull Context Data added to profile for adaptive policy and troubleshooting
bull Selfmanaged User can manage delete and block devices by their own
Clearpass Modules WorkflowsCertificate Distribution for BYOD
bull Domain
bull Key amp
Certificate
Enterprise PKI and CA Built-in ClearPass CA
Certificate
Authority
Validation
Authority
Registration
Authority
Active
Directory
IT-Managed
Devices
bull Domain
bull User
bull Device
bull Key amp Unique
Certificate
Personal
Devices
CA
Certificate
Authority
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
Clearpass Modules WorkflowsSecure Guest Login Look and Feel
Clearpass Modules WorkflowsOnBoard Employee Device
bull BYOD Employees Login with Personal Devices
bull User and IT friendly One time user registration no IT intervention
bull Security IT managed 8021X and Certificates
bull Context Data added to profile for adaptive policy and troubleshooting
bull Selfmanaged User can manage delete and block devices by their own
Clearpass Modules WorkflowsCertificate Distribution for BYOD
bull Domain
bull Key amp
Certificate
Enterprise PKI and CA Built-in ClearPass CA
Certificate
Authority
Validation
Authority
Registration
Authority
Active
Directory
IT-Managed
Devices
bull Domain
bull User
bull Device
bull Key amp Unique
Certificate
Personal
Devices
CA
Certificate
Authority
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
Clearpass Modules WorkflowsOnBoard Employee Device
bull BYOD Employees Login with Personal Devices
bull User and IT friendly One time user registration no IT intervention
bull Security IT managed 8021X and Certificates
bull Context Data added to profile for adaptive policy and troubleshooting
bull Selfmanaged User can manage delete and block devices by their own
Clearpass Modules WorkflowsCertificate Distribution for BYOD
bull Domain
bull Key amp
Certificate
Enterprise PKI and CA Built-in ClearPass CA
Certificate
Authority
Validation
Authority
Registration
Authority
Active
Directory
IT-Managed
Devices
bull Domain
bull User
bull Device
bull Key amp Unique
Certificate
Personal
Devices
CA
Certificate
Authority
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
Clearpass Modules WorkflowsCertificate Distribution for BYOD
bull Domain
bull Key amp
Certificate
Enterprise PKI and CA Built-in ClearPass CA
Certificate
Authority
Validation
Authority
Registration
Authority
Active
Directory
IT-Managed
Devices
bull Domain
bull User
bull Device
bull Key amp Unique
Certificate
Personal
Devices
CA
Certificate
Authority
ADRAVA CA
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
Clearpass Modules WorkflowsMulti-Factor Authentication
bull Additional Authentication for Guest and Onboard Workflows
bull Multiple Support
bull SMS Verification Code
bull RSA Security
bull Duo
bull Zoom Facial Network
bull Kasada
bull More to come
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
DEMO OnBoard BYOD
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
Moumlgliches Zugriffskonzept Wireless
GaumlsteSSID ldquoopenrdquo
Captive-Portal
BYOD
SSID ldquosecurerdquo
Dot1x
SSID ldquoIoTrdquo
PSKMACProfiling
Internet only
Corp LAN
Internet
Corp-PC
others
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
Moumlgliches Zugriffskonzept Wired
GaumlsteCaptive-Portal
Dot1x
MAC-Auth
Profiling
Internet only
Corp LAN
Internet
Corp-PC
Cert
others
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
Wie geht man ein NAC Projekt anBest Practice und Erfahrungen
bull Die Geraumlte im Netzwerk kennen
bull Was gibt es Wo sind diese Neue
bull Inventar Profilingbull Use Cases definieren
bull Was fuumlr Anspruchsgruppen gibt es
bull Ablaumlufe Prozesse Zugriffe
bull Einfach und Wenige Keep it Simplebull Genug Zeit fuumlr einen Proof of Concept einplanen
bull Erfahrungen aus PoC einbringen und anpassenbull Implementierung Schritt fuumlr Schritt
bull Nicht alles auf ein Mal
bull Aber schlussendlich flaumlchendeckend
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
Herzlichen Dankfuumlr Ihre Aufmerksamkeit
Manuel BitziProjektleiter Network Engineering
manuelbitzisoftecch
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
Apeacutero und Networking
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60
Herzlichen Dank fuumlr Ihren Besuch
101
SOFTEC AGIndustriestrasse 51CH-6312 Steinhausen
kurtchristensoftecch+41 41 747 07 60