WELCOME TO THE NEW PC ERA
COPYRIGHT © 2013 ALCATEL-LUCENT. ALL RIGHTS RESERVED.
Managing mobile devices: a multi-layered challenge
Hauke Heinecke, March 2014
BRING YOUR OWN DEVICE
Do you give everyone, on every device, access to everything from everywhere?

A few small hurdles...
• Mixing of private and business data
• Mixing of private and business applications/apps
• Possible loss of the device
• A wide variety of operating systems
• Working wherever it is convenient
Some legal topics in connection with BYOD (only a selection)
• Use of private devices by third parties cannot be ruled out
• Private apps can also siphon off business data unnoticed
• How are backups regulated?
• What does the update obligation look like (security updates)?
• Possible monitoring of regular working hours by the employer
• Business and private data are subject to different legal frameworks
  - possible employer access to private data
  - is business data on private devices a disclosure to third parties, and who has to consent (e.g. customer databases)?
• Deploying MDM solutions is subject to works-council co-determination, since information about usage behaviour can be collected
What options are there?
???
Company devices
Container / VDI solution
APPLICATION CONTROL: PERSONAL VS. COMPANY/INSTITUTE
ClearPass with WorkSpace (Unified Access)
RADIUS authentication: is that enough? Factors influencing network access
• Guest access
• Device on-boarding
• Device profiling
• Endpoint integrity check (HIC)
• Management of mobile devices (MDM)
• Visibility and reporting
• Role-based access control
• Policy management
• SIP snooping
• DPI (packet analysis)

USER (Development, Finance, Guests, Temporary staff)
+ DEVICE (Smartphone, Tablet, Desktop, Printer, IP phone)
+ SITUATION (Time, Location, Check, Medium)
+ APPLICATION (WWW, Quarantine server, Email, Video, Games, Social networks)
= SEAMLESS EXPERIENCE
NETWORK INFRASTRUCTURE
NMS, Controller (SDN/WLAN), Access Management, Core; pillars: Architecture, Operations Control, Multimedia Fluency
• One infrastructure for all services
• Detection of application-related flows
• Support for VDI
• Support for HIC
• Detection of device types / operating systems (device fingerprinting)

Citrix VDI example: a company device and an employee device connect through the LAN switch (OmniSwitch) to XenDesktop / XenApp servers (ICA channel, virtual machines / virtual desktops). The switch tells apart the ICA flows coming from one endpoint and marks them:

  ICA flow class        Transport            DSCP   802.1p
  very high priority    TCP port 2599        AF41   4
  interactive           fixed TCP port 2598  AF42   4
  medium priority       TCP port 2597        AF21   2
  low priority          TCP port 2596        BE     0
  RTP audio             UDP port 16501       EF     5

• Differentiation of the flows coming from one endpoint
• Optimised path selection and protection through SDN
NETWORK- AND DEVICE-RELATED VIEW: SOFTWARE AND MANAGEMENT-STRUCTURE ASPECTS
Network infrastructure, network access management, desktop management, device management
• Protection of the network
• Identification of the user
• Limiting usage options and bandwidth
• View at device level
• Configuration of network settings
• Firmware and patch management
• Control and remote reset
• Rolling out and provisioning apps
• Provisioning and resetting device settings
Unified Access systems (e.g. ClearPass) and MDM/MAM
CORE COMPONENTS OF UNIFIED ACCESS: FOUNDATION FOR BYOD

ONBOARD (device provisioning)
• Self-provisioning for wired & WiFi Windows, iOS, Android devices
• Simplified 802.1X deployment and management for Unified Access

GUEST (advanced guest management)
• Simplified management of hotspots with an advanced customizable portal
• Guest management in the enterprise with self- and sponsor-registration workflows

ONGUARD (posture/health checks)
• Security policy constantly enforced for devices accessing the corporate network
• Profile- and role-based security enforcement

WORKSPACE (application management)
• First integrated solution to control devices, users, network and applications altogether
• Leverages existing MDM/MAM investments and extends them to network access control

CLEARPASS POLICY MANAGER, integrated with: DHCP server, Active Directory, existing RADIUS (e.g. eduroam), MDM, LAN NMS, WLAN controller, WLAN NMS, core, LAN switch; user classes: guest, contractor, employee
MULTIPLE GUEST REGISTRATION OPTIONS
Self-registration
• Customizable, automated workflows
• Notification via SMS, email, badge printer
• One-time registration
Sponsored guest access
• Reception sponsor interface
• Email sponsor approval workflow
• Enable employees to sponsor instantly
Pre-registration
• Bulk import from file, e.g. Excel, text
• Generate visitor badges or notify via branded email templates
3rd-party integration
• XML APIs for integration with existing applications
SECURE REGISTRATION WORKFLOW (sponsor, ClearPass Policy Manager, access network)
1. Sponsor creates credentials for the new guest
2. Account enabled, visitor notified via screen, SMS, or email
3. User logs in when they arrive
CUSTOMIZABLE GUEST PORTAL BRANDING
• Replicates existing web branding
• Automatic optimization for mobile browsers
• Options for a portal per department
• Easily add/change fields
  - User info, terms-of-use acceptance and verbiage
EASY-TO-USE GUEST SELF-REGISTRATION
• Self-help kiosks
  - No IT involvement
  - Integrated SMS/email credential delivery
  - Printable name badges with credentials
  - Offloads IT, sponsors, receptionists
  - Cached credentials for one-time login
CLEARPASS CERTIFICATE AUTHORITY
• Easily differentiate devices
  - User iPhone / iPad versus corporate-issued Windows laptop
• Binds user / device identity to the certificate
  - Includes: serial number, user info, device information, etc.
A unique certificate is issued per device during enrollment / onboarding
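The certificate-bound device identity described above, as an added example that is not ClearPass code and not part of the original deck: a Go program using only the standard library stands up an onboarding CA, issues one client certificate per enrolled device with the user, device serial number, platform and ownership in the Subject, and then performs the check a RADIUS policy must make before trusting any of those attributes, namely chain verification against the onboarding CA. The Subject attribute layout, the role names, and the user and serial values are assumptions made for the example; ClearPass's own certificate profile may place the same information differently.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DeviceIdentity is what the onboarding CA binds into a device certificate (field names are this example's own).
type DeviceIdentity struct {
	User      string // enrolling user, e.g. "alice@example.org" (constructed)
	Serial    string // hardware serial number reported at enrollment
	Platform  string // "Windows", "iOS", "Android", ...
	Corporate bool   // true for company-issued hardware
}

// NewOnboardCA creates a self-signed CA standing in for the ClearPass onboarding CA.
func NewOnboardCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Onboard CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// IssueDeviceCert is the enrollment step: one client-auth certificate per device, with
// user, serial number, platform and ownership in the Subject so the RADIUS policy can
// read them from the EAP-TLS client certificate. For brevity the device key is made
// here; in real onboarding the device generates it and submits a CSR.
func IssueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, id DeviceIdentity) ([]byte, error) {
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	owner := "byod"
	if id.Corporate {
		owner = "corporate"
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: id.User, SerialNumber: id.Serial,
			Organization: []string{owner}, OrganizationalUnit: []string{id.Platform}},
		NotBefore:   time.Now().Add(-time.Hour),
		NotAfter:    time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, &devKey.PublicKey, caKey)
}

// ClassifyDevice maps a presented client certificate to a network role. The chain is
// verified against the onboarding CA first: the right Subject from any other issuer is
// rejected before a single attribute is trusted.
func ClassifyDevice(ca *x509.Certificate, der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("untrusted device certificate: %w", err)
	}
	s := cert.Subject
	if s.SerialNumber == "" || len(s.Organization) == 0 || len(s.OrganizationalUnit) == 0 {
		return "", fmt.Errorf("certificate lacks device attributes")
	}
	if s.Organization[0] == "corporate" && s.OrganizationalUnit[0] == "Windows" {
		return "employee-full", nil // corporate-issued Windows laptop
	}
	return "employee-byod", nil // e.g. a personal iPhone / iPad
}

func main() {
	ca, caKey, _ := NewOnboardCA()
	rogue, rogueKey, _ := NewOnboardCA() // another CA: same Subject layout, not our trust anchor
	laptop := DeviceIdentity{User: "alice@example.org", Serial: "LT-0001", Platform: "Windows", Corporate: true}
	good, _ := IssueDeviceCert(ca, caKey, laptop)
	bad, _ := IssueDeviceCert(rogue, rogueKey, laptop)
	fmt.Println(ClassifyDevice(ca, good)) // employee-full <nil>
	fmt.Println(ClassifyDevice(ca, bad))  // "" untrusted device certificate: ...
}
```

The point of the second call in main is the one the slide's "guarantees identity" claim rests on: the serial number and ownership in the Subject are only worth anything after the signature chain has been checked against the issuing CA, so the verification must come before the attribute lookup, never after.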
SIMPLE 802.1X DEVICE CONFIGURATION
Provisions the 802.1X configuration for local or remote access; does not require Policy Manager or certificates.
Onboarding via captive portal or distributed media → network access → access to the secure network
User experience
• Self-serve connectivity
• Windows, Mac, iOS, Android
Impact to IT
• Eliminates the time to provision new devices
• Allows for faster updates
COMPLIANCE CONTROL FOR LAPTOPS/DESKTOPS
Checks prior to access, on wireless, wired and VPN

Quarantine / remediation (restricted access or denial of access):
• Out-of-date A/V, A/S
• VM not allowed
• Firewall off
• USB device not allowed

Full access:
• Firewall on
• Encrypted disk
• Current A/S, A/V DAT file
• All services on
APP-SPECIFIC POLICIES (mobile context)
TIME-FENCING: point-of-sale app must be used during store hours
GEO-FENCING: EMR apps must be used at the hospital or member facilities
MOTION SENSING: email app cannot be used while driving/moving
DEVICE CONTROL: device status, cut & paste restrictions, jailbreak / root detection, cloud backup
CONTENT CONTROL: browser app cannot access torrent sites
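The deck builds one access decision out of several slides: the RADIUS slide's factors (user + device + situation + application), the compliance-control slide (quarantine versus full access) and the app-specific policies above (time-fencing, geo-fencing, jailbreak detection). The Go program below is an added example that is neither ClearPass nor OnGuard code and is not part of the original deck; it evaluates all of those factors in a single place and, as the deck's own lists imply, fails closed: a laptop that delivers no health report at all is quarantined rather than admitted. Field names, site names, the seven-day A/V signature limit and the role and access labels are assumptions made for the example; in a real deployment the network side (policy manager) and the app side (MDM/MAM) enforce different parts of this.

```go
package main

import (
	"fmt"
	"time"
)

// Posture is the health report an OnGuard-style agent delivers; field names are this
// example's own, the checks are the ones listed on the compliance-control slide.
type Posture struct {
	FirewallOn     bool
	DiskEncrypted  bool
	AVSignatureAge time.Duration // age of the A/V and anti-spyware DAT file
	VMDetected     bool
	USBStorage     bool
	Rooted         bool // jailbreak / root detection, reported by MDM on phones and tablets
}

// Request bundles the slide's four factors: user (Role), device, situation (Location, At)
// and application. Site and app names are constructed for the example.
type Request struct {
	Role     string    // from the identity store: employee, contractor, guest
	Device   string    // profiled class: laptop, desktop, smartphone, tablet, printer, ip-phone
	Posture  *Posture  // nil when no agent reported (printer, unmanaged phone)
	Location string    // site learned from the access switch / WLAN controller
	App      string    // pos, emr, email, www
	At       time.Time
}

// AppPolicy is time-fencing (OpenHour..CloseHour, local time) plus geo-fencing (Sites).
type AppPolicy struct {
	OpenHour, CloseHour int
	Sites               map[string]bool
}

// Constructed policies following the slide's examples; apps not listed are unfenced.
var appPolicies = map[string]AppPolicy{
	"pos": {OpenHour: 8, CloseHour: 20},                                         // point-of-sale app: store hours only
	"emr": {Sites: map[string]bool{"hospital-main": true, "clinic-north": true}}, // EMR app: hospital / member facilities
}

// postureIssues lists what sends a device to the quarantine / remediation VLAN. It fails
// closed: a laptop or desktop that delivers no health report at all is quarantined too.
func postureIssues(r Request) []string {
	if r.Posture == nil {
		if r.Device == "laptop" || r.Device == "desktop" {
			return []string{"no health report from device agent"}
		}
		return nil
	}
	p, issues := r.Posture, []string(nil)
	for _, c := range []struct {
		bad bool
		why string
	}{
		{!p.FirewallOn, "firewall off"},
		{!p.DiskEncrypted, "disk not encrypted"},
		{p.AVSignatureAge > 7 * 24 * time.Hour, "A/V signatures out of date"}, // assumed 7-day limit
		{p.VMDetected, "virtual machine not allowed"},
		{p.USBStorage, "USB storage device not allowed"},
	} {
		if c.bad {
			issues = append(issues, c.why)
		}
	}
	return issues
}

// Evaluate turns identity, device, posture, situation and application into one access
// level (deny, guest, quarantine, restricted, full, in that order of precedence) plus reasons.
func Evaluate(r Request) (string, []string) {
	if r.Posture != nil && r.Posture.Rooted {
		return "deny", []string{"jailbreak / root detected"}
	}
	if r.Role == "guest" {
		return "guest", []string{"guest role: internet-only access"}
	}
	if issues := postureIssues(r); len(issues) > 0 {
		return "quarantine", issues
	}
	var reasons []string
	if r.Role == "contractor" {
		reasons = append(reasons, "contractor role: internal applications only")
	}
	pol := appPolicies[r.App] // zero value for unlisted apps: no fence applies
	if pol.CloseHour > 0 && (r.At.Hour() < pol.OpenHour || r.At.Hour() >= pol.CloseHour) {
		reasons = append(reasons, fmt.Sprintf("%s: outside allowed hours %02d:00-%02d:00", r.App, pol.OpenHour, pol.CloseHour))
	}
	if len(pol.Sites) > 0 && !pol.Sites[r.Location] {
		reasons = append(reasons, fmt.Sprintf("%s: %q is not an allowed site", r.App, r.Location))
	}
	if len(reasons) > 0 {
		return "restricted", reasons
	}
	return "full", nil
}

func main() {
	at := time.Date(2014, 3, 12, 21, 30, 0, 0, time.UTC) // 21:30, after store hours
	fmt.Println(Evaluate(Request{Role: "employee", Device: "tablet", Location: "store-12", App: "pos", At: at}))
	fmt.Println(Evaluate(Request{Role: "employee", Device: "laptop", App: "email", At: at})) // no agent report
}
```

Two design points worth noting: the jailbreak check precedes everything else because a rooted device can lie about every other attribute, and guests are classified before the posture check because a visitor's laptop is not expected to run the health agent and belongs on the internet-only network rather than in remediation.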
VIRTUAL DESKTOP INFRASTRUCTURE
VDI app (desktop app; data stored centrally) → data center VDI server
CONTAINER PRINCIPLE
Container app (app in app; data stored locally) → data center
CAN LEVERAGE THIRD-PARTY MDM INVESTMENTS
3rd-party device management supplies device context:
• Black-/whitelisted apps
• Jailbreak detection
• GPS location
Unified Access Management applies network policies:
• Firewall policy
• Bandwidth prioritization
• RF location
Context exchange:
• Exchange rich endpoint data
• Trigger on- or off-network policies
• Extendable architecture
MANAGEABILITY AND REPORTING
• Central dashboard
  - Different views and privileges by IT role, location
• Pre-defined service templates
  - Wired, wireless, MAC auth, TACACS+
  - Point-and-click to add auth/authz identity stores, EAP methods
• Troubleshooting utilities
  - Per-session logs
  - 3-click problem solving
  - Full reporting capabilities
PROFILING FOR FULL VISIBILITY
DEPLOYMENT OPTIONS
• Centralized/distributed administrative domains
• Active redundancy / load balancing
• Cluster-wide licenses
Diagram: main location (ClearPass Policy Manager, identity stores, DNS/DHCP), large office (CPPM node, identity stores), small office (LAN switch), DMZ behind firewalls (ClearPass Onboard, CPPM node), home office, virtual CPPM node
UNIFIED ACCESS: THE PRODUCT SIDE
Locations: on the road, home office, branch office, corporate office, data center
Wide area network: MPLS service router, branch routers (OA5800 ESR, OA5700 ESR, 7750 SR; MPLS WAN & LAN managed by 5620 SAM), VPN client (VIA)
Local area network: core and access switches (OS10K, OS6900, OS9000E, OS6850E/OS6855/6860, OS6450, OS6250); wireless: OA4x04, OA4x50, IAP, AP, RAP
Management: network infrastructure (OmniVista), service level (VitalSuite), IP address management (VitalQIP), advanced policy & BYOD services (ClearPass)

BYOD BUILT-IN
• BYOD and AAA services
• Access switch software evolution
  - AirGroup support
  - Policy-based access
  - HIC
  - Flow-based ACL/QoS
• SDN integration from the DC and WAN to the edge
• OmniVista software evolution
  - AirGroup switch configuration
  - ClearPass integration
UNIFIED ACCESS: SEAMLESS NETWORK SERVICES
Unification: consistent network services across wired and wireless (edge switch, access points, WLAN controller)

AIRGROUP (personalization of services on Apple devices)
• Context-dependent access to Apple devices
• Users and IT can register the devices themselves

VDI FLUENCY (Citrix VDI application fluency)
• Provides QoS within a VDI session
• Simple administration: one-touch configuration

MULTIMEDIA FLUENCY (SIP fluency)
• Dedicated QoS for SIP video, voice and others
• Dashboard of the quality currently achieved

BYOD SERVICES / PROFILING (user network profile)
• Policy-based automatic network access for mobile users
• Policy-based configuration, security and prioritization
• Integration of third-party devices
• Context-dependent network access
FOLLOW US ON
enterprise.alcatel-lucent.com
www.twitter.com/ALUEnterprise
www.facebook.com/ALUEnterprise
www.youtube.com/user/enterpriseALU
www.linkedin.com - Group Alcatel-Lucent Enterprise
www.slideshare.net/tagged/Enterprise
www.storify.com/ALUEnterprise