OCS LIA


description

OCS LIA. The integration of the Enterasys NAC solution and Siemens Enterprise Networking - Totally Integrated Security Architecture. The first technical integration that provides a truly unique proposition when combining an Enterasys NAC solution with a SEC UC solution.

Transcript of OCS LIA

Page 1: OCS LIA

“There is nothing more important than our customers”

Identity Management and Network Access Control. An open communication solution for location and identity assurance. OCS LIA, formerly known as SALERNO

Markus Nispel

VP Solutions Architecture

[email protected]

Inderpreet Singh

Director, Solution Architecture

[email protected]

Page 2: OCS LIA

© 2008 Enterasys Networks, Inc. All rights reserved.

Why should you care?

• OCS LIA is the first technical integration that provides a true unique selling proposition when combining an Enterasys NAC solution with a SIEMENS Enterprise Communications UC solution

o Even using standard protocols and APIs, no one in the market is able to provide a similar solution

o A unique value in projects and RFPs, and still open to other vendors' infrastructure, as Enterasys NAC supports this inherently

• It provides a tangible value to the customer that results in a lower TCO (through lower OPEX) and a higher security along with visibility into the IT infrastructure

• The solution is not limited to VOIP only. A professional services based integration into any asset/inventory database at the customer site is always possible: the result is IT workflow integration, reduced operational costs and a loyal customer

Page 3: OCS LIA


What does it do for you?

• Automatic inventory and location service: reduces the risk of operating non-compliant end-devices with an invalid configuration or software release.

• Automatic adaptation and location-based configuration of end-devices and use of special functions (e.g. configuration of a speed-dial button)

• IP phone monitoring: detects non-compliant and compromised end-devices

• Automatic authentication and authorization: guarantees secure, reliable and high-quality operation of real-time applications through automatically assigned QoS parameters and security profiles (ACL and VLAN)

• Finally the use of this solution provides the following value add:

• Reduces administrative effort and costs

• Increases protection and reliability of real-time applications

• Minimizes the risk of attacks and the probability of outage

• Increases compliance to enterprise’s security policies

• http://www.enterasys.com/company/literature/auto-voip-deploy.pdf

Page 4: OCS LIA


What is NAC?

• A user-focused technology that:

Authorizes a user or device (PC, Phone, Printer) and

Permits access to resources based on identity authentication of the user (and/or device) as well as based on the security posture of the device along with location and time

The parameters are set in the so called Pre-Connect Assessment (aka Health Check), i.e. before connecting to the infrastructure

However, during normal operation, regular checks should be conducted as part of the Post-Connect Assessment

Page 5: OCS LIA


What do you need to deploy OCS LIA?

• Enterasys Network Access Control NAC Version 3.1.2 or above

at least implemented in discovery mode (with MAC authentication enabled on the access switches and access points; 802.1X can be used too), using a default authorization for all endpoints

along with professional services from Enterasys to implement the solution and the OCS LIA middleware

• Siemens HiPath Deployment Service DLS V2R4

supporting OpenStage and Optipoint VOIP endpoints in both SIP and HFA mode

Additional location service licenses for each device that should be supported for this feature

Along with professional services from SEN to properly set up the DLS (also for web services usage) and optionally configure the infrastructure policies


Page 6: OCS LIA


Enterasys NAC - in Any Environment

• Hybrid deployment: best of both models for mixed environments

Single, integrated solution – seamless management from a single system

[Diagram: enterprise network (core, distribution, edge) with an Enterasys policy-capable switch, an RFC 3580-capable switch and an RFC 3580-capable wireless access point served by a NAC Gateway; non-intelligent edge switches, non-intelligent wireless, VPN and a shared-access LAN served by a NAC Controller; all administered by the NAC Manager]

Page 7: OCS LIA


Enterasys NAC - Components

Detection, Authentication, Remediation, Assessment

• Enterasys Matrix™ and SecureStack™ switches, HiPath WLAN, RoamAbout

• and/or

• Third-party switch or WLAN access point (RFC 3580-compliant)

• and/or

• NAC Controller (includes all Gateway functions and the Assessment Service)

Authorization

• Enterasys NAC Gateway

(Proxy) RADIUS

Remediation and Registration

Optional Assessment Service integrated

• Assessment Service (optional)

Nessus, eEye Retina, Enterasys

Interface to integrate other servers

Management

• Enterasys NAC Manager

Software plugin to NetSight Console

Centralized administration of NAC Gateways and Controllers

Page 8: OCS LIA


NAC Gateway – with "any" access device

• Policy mapping table in NAC 3.2 – creates independence from device type and topology

More flexible VLAN-name-based approaches

Globally configured

Location based = switch IP and switch port (and APs, SSIDs etc.)

• Will also support authorization methods like Cisco ACL, Login-LAT-Group or a combination of these, along with fully customizable RADIUS attributes to map a policy to an appropriate authorization alternative

Page 9: OCS LIA


Open Communication Solution for Location and Identity Assurance: Enterasys NAC / Siemens HiPath DLS

[Diagram: wired LAN with the Enterasys NAC Appliance and NAC Manager on one side and the Siemens HiPath DLS on the HiPath/OpenScape platform on the other; event-based synchronization of the databases via API (IP phone, phone number, switch, switch port, building, room); a database with the physical infrastructure / cabling (wall socket, building, room) is attached through professional services]

Phone number | Phone IP address | Phone MAC address | Switch name | Switch IP address | Switch port | Building | Room | Wall jack | Phone software
-------------|------------------|-------------------|-------------|-------------------|-------------|----------|------|-----------|---------------
12345        | 10.1.1.10        | xx-xy-yy-yz-zz-az | Access 1    | 10.9.9.8          | fe.0.15     | B. A     | 130  | 3         | 4.2.4
34567        | 10.1.1.18        | aa-bb-cc-dd-ee-ff | Access 2    | 10.9.9.9          | fe.1.8      | B. B     | 241  | 1         | 4.2.4
56789        | 10.1.1.25        | ab-cd-ef-gh-ij-kl | Access 3    | 10.9.9.10         | fe.2.21     | B. A     | 412  | 2         | 4.2.2

Page 10: OCS LIA


OCS LIA Integrator/Middleware – SOA based

Agile enterprises use service-oriented architectures (SOAs) and extend SOA with events where appropriate. Service and event architectures make enterprise computing more effective and flexible than traditional, monolithic "stovepipe" systems. Success requires a knowledge of common deployment patterns and fundamental success factors.

Source: Gartner, 4 April 2007, Applied SOA: Transforming Fundamental Principles Into Best Practices

Page 11: OCS LIA


OCS LIA Integrator/Middleware – SOA and Web Services

• WSDL (Web Services Description Language) is the proposed standard that is used for the service interface definition in most new development tools

• XML (Extensible Markup Language) is used to transport the messages in a machine-to-machine communication scenario over IP-based networks

• OCS LIA is based on these widely accepted and deployed standards

Page 12: OCS LIA


OCS LIA Integrator/Middleware – General Features

• Synchronize endsystem data from NetSight (NAC) database to HiPath DLS

• Synchronize VoIP phone number, type and SW version to NetSight endsystem database

• Detect HiPath DLS restarts (for full re-sync)

• Detect new phones on DLS side (for individual sync)

• Periodic cache cleanup to eliminate old outdated cache entries

• Retry mechanism in case of unreachable external systems

• Detection of IP mismatches caused by VLAN changes, with a delayed DLS update (so that no DLS job is sent to the device's old IP address)

• Flexible logging configuration

• Very flexible component configuration

• Support of multiple switches

• Support of multiple DLS servers

Page 13: OCS LIA


Open Communication Solution for Location and Identity Assurance: IP Infrastructure Cache

All device-relevant data from NetSight, the HiPath DLS servers and the switches is collected and cached within the Integrator using an internal cache. The IP Infrastructure data record used here contains the following information:
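The Integrator features listed on the previous page (cache, IP-mismatch detection with delayed DLS update, periodic cache cleanup) and the cache record described here can be modelled in a few lines. The following Python is an added example and not OCS LIA code: it keeps a per-MAC cache fed by NAC and DLS events, refuses to hand out a DLS job target while DLS and NAC disagree on the phone's IP, and expires outdated entries; the class names, the TTL and the sample phone data are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class NacView:            # NetSight/NAC side: where the MAC was seen, with which IP
    ip: str
    switch_ip: str
    switch_port: str

@dataclass
class DlsView:            # HiPath DLS side: what the phone is
    ip: str
    phone_number: str
    sw_version: str

@dataclass
class CacheEntry:
    nac: NacView
    dls: Optional[DlsView] = None
    last_seen: float = 0.0

class IntegratorCache:    # keyed by phone MAC, the one identifier NAC and DLS share
    def __init__(self, ttl: float = 3600.0):
        self.entries: Dict[str, CacheEntry] = {}
        self.ttl = ttl

    def on_nac_event(self, mac: str, view: NacView, now: float) -> None:
        e = self.entries.setdefault(mac, CacheEntry(nac=view))
        e.nac, e.last_seen = view, now

    def on_dls_event(self, mac: str, view: DlsView, now: float) -> None:
        e = self.entries.get(mac)
        if e is not None:        # DLS data for a MAC NAC never saw is dropped
            e.dls, e.last_seen = view, now

    def dls_job_target(self, mac: str) -> Optional[str]:
        e = self.entries.get(mac)
        if e is None or e.dls is None or e.dls.ip != e.nac.ip:
            return None          # unknown phone, or IP mismatch: delay the DLS job
        return e.dls.ip

    def cleanup(self, now: float) -> int:   # periodic cleanup of outdated entries
        stale = [m for m, e in self.entries.items() if now - e.last_seen > self.ttl]
        for m in stale:
            del self.entries[m]
        return len(stale)

def demo() -> tuple:
    c, mac = IntegratorCache(ttl=600), "00-11-22-33-44-55"   # constructed sample data
    c.on_nac_event(mac, NacView("10.1.1.10", "10.9.9.8", "fe.0.15"), 0)
    c.on_dls_event(mac, DlsView("10.1.1.10", "12345", "V1 R4.14.0"), 1)
    c.on_nac_event(mac, NacView("10.2.1.10", "10.9.9.8", "fe.0.15"), 2)  # moved to voice VLAN
    deferred = c.dls_job_target(mac)                  # None: DLS still has the old IP
    c.on_dls_event(mac, DlsView("10.2.1.10", "12345", "V1 R4.14.0"), 3)
    return deferred, c.dls_job_target(mac), c.cleanup(700)
```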

Page 14: OCS LIA


Open Communication Solution for Location and Identity Assurance: data exchange

• The exchanged data is presented as additional endsystem data in the NAC Manager, but also on the HiPath DLS

[Screenshots: Enterasys NMS NAC Manager endsystem view showing the device phone number (e.g. 43254) and the device type and SW version (e.g. OpenStage 80:V1 R4.14.0); DLS IP Infrastructure view]

Page 15: OCS LIA


Open Communication Solution for Location and Identity Assurance: location based configuration

[Screenshot: Siemens OpenStage VOIP phone]

Page 16: OCS LIA


The value of using Enterasys switch hardware: multi-user authentication AND policy

[Diagram: Enterasys switch (DFE) with MUA&P (multi-user authentication and policy) logic; 802.1X, PWA and MAC credentials are checked against a RADIUS authority; on Port X a dynamic admin rule per user maps SMAC = Anita (802.1X login) to Filter-ID policy sales, SMAC = Bob (PWA login) to Filter-ID credit / policy credit, and SMAC = Phone (MAC traffic) to Filter-ID policy phone]

• Inherent advantage: from 2 (3) up to 2048 devices per port and system

• Supported by B/C/G/D and N/NGN/S Series (partially dependent on licenses)

• Different authentication methods (combinable per port/user; the allowed combinations depend on the product)

802.1x, PWA (Web), MAC authentication, RADIUS, Kerberos, default role ....

• Single physical interface but multiple roles (and VLANs)

Page 17: OCS LIA


The value of using Enterasys switch hardware: authorization/policy – roles & rules

Roles, Services, Rules

[Diagram: roles Network Administrator, VOIP, Office and Non-Office are composed of services (Deny Faculty Server Farm, Administrative Protocols, Acceptable Use, Legacy Protocols, SIP Only), which are composed of rules: Deny RIP, Deny OSPF, Deny Apple, Deny IPX, Deny DHCP Reply, Deny IP Range, Allow ARP, DNS, Allow RTP 128 kbit/s, Allow SNMP, Allow SIP 2 Mbit/s, Deny SNMP, Deny Telnet, Deny TFTP, Drop Apple, Drop IPX, Drop DECnet]

Page 18: OCS LIA


NAC – other application scenarios

Corporate & Regulatory Compliance: Can I enforce these regulations prior to granting network access? Do I have reporting and auditing tools to verify compliance?

Network Usage: Who is using the network infrastructure? Are these users authorized? Does access correspond to organizational role?

Workstation Security: Does the system have up-to-date OS patches? Does every system conform to corporate security standards?

Guest Users: Does a guest system contain threats? Can I limit access for guest users?

Non-Workstation End Systems: Is this device what it claims to be? Can I assess its security posture? Can I locate rogue access points, hijacked print servers etc.?

Page 19: OCS LIA


IAM - principles

• Network technology, distributed computing and the Internet have made it possible to dramatically extend application and information access to users well beyond the typical organizational boundaries. The related security risks, management issues and compliance requirements must be addressed.

o Who is accessing my applications or data?

o What are they authorized to do?

o Should they have those authorizations?

• The tools that allow these questions to be answered and control over users and their access to be maintained make up an identity and access management (IAM) solution

Page 20: OCS LIA


NAC & IAM integration - Why

• NAC is a very useful tool in reducing and controlling the risks to your network infrastructure. However, although it relies on user authentication, on its own this is really no more than a means to identify a device.

• The problems of providing each individual user with only the access they are authorised for, and no more, remain. The solution is to tie the authentication process with a robust identity management (IDM) solution, applying network controls to an individual or a well-defined group. This process is sometimes referred to as Identity Driven Networking (IDN).

Page 21: OCS LIA


NAC & IAM – Positioning

[Diagram: the Enterasys NAC Gateway and Enterasys NAC Controller act as PEP and PDP (Policy Enforcement Point and Policy Decision Point) for 802.1X, MAC and web access; RADIUS towards MS-NPS (EAP-PEAP [TNCCS-SOH], PAP, CHAP, EAP-MD5) with a health check via the MS agent, or Kerberos; LDAP towards the Directory; IF-MAP and an XML API towards SIEM, location and asset management; policy provisioning and assignment via the Enterasys agent and XML API]

Page 22: OCS LIA


NAC & IAM integration - Advantages

• Users are managed centrally in the IDM system for all connected applications (including the network).

• The process of managing joiners, movers and leavers can be automated and linked to other key processes (e.g. HR).

• Users are automatically added or deleted when they join and leave the organisation. This not only eases the administrative burden for IT support, but also enhances security because users have their access revoked or suspended the moment they leave.

[Diagram: an enforcement point between the corporate LAN and the Internet, backed by the NAC System, IDM, the HR system, corporate resources and a remediation server. Guest users are allowed to connect to the WWW. Employees can access general corporate resources. Managers can additionally access the HR server. Non-compliant employees are directed to the remediation server.]

Page 23: OCS LIA


NAC & IAM - Status

• Integration of Enterasys NAC and the SEN TISA – Totally Integrated Security Architecture

Proof of concept shown at the Open Minds event in April 2009

Plans to show at Interop 2009

Joint whitepaper available on BeFirst

• Currently based on NAC 3.2 with LDAP integration (role/policy assignment based on LDAP attributes) and Kerberos-based authentication

Official integration and documentation underway

Possible web- and 802.1X-based integration

Page 24: OCS LIA


First Win – Higher Education Vertical

European School of Management and Technology (ESMT), Berlin, Germany

Business Drivers

• Segregated data and telecom networks

• IP phone inventory and config management was cumbersome

• No single view of IP comms infrastructure and devices for admin and management

ESMT Solution

• Enterasys NMS and NAC solution

• HiPath DLS

• Full policy enabled networking infrastructure with N-Series switches

• Voice/Telephony HiPath 3000

Case Results…

• Low cost, low effort to integrate ETS and SEN components (within one week)

• Total view (location, state, posture) of IP devices throughout network under one management domain

• Rules based policy enforcement, error flagging and notification in real time

“The open architecture and integration of SEN and Enterasys’ systems required minimal effort from our team. Their professional services experts succeeded in implementing an overarching management system in just one week, saving us a huge amount of work while at the same time making communication more secure.”

Thomas Giese, IT Network Services for ESMT.

Page 25: OCS LIA


More questions

• Just contact


Markus Nispel 

VP Solutions Architecture


Enterasys Networks

Solmsstrasse 83

60486 Frankfurt

Phone: +49 69 47860 253

Fax: +49 69 47860 364

Cell: +49 172 8638003

Email: [email protected]

www: http://www.enterasys.com


Inderpreet Singh

Director, Solutions Architecture

Converged Networks and Security


Siemens Enterprise Communications

271 Mill Road

Chelmsford, MA 01824

USA

Phone: +1 978 367 7604

Cell: +1 978 764 6855

Email: [email protected]

Please contact us if you have additional input on potential joint solutions of Enterasys and SEN

Page 26: OCS LIA

“There is nothing more important than our customers”

Thank You