©2013 Avaya Inc. All rights reserved February 26-28, 2013 | Orlando, FL
@shmulik247 #AvayaATF
Shmulik Nehama, Identity Engines Portfolio Leader, Avaya
Network Access and the Acronym Soup – NAC, MDM, SBC & SSO
Agenda
• The Acronym Soup
• Network Access Control
• Mobile Device Management
• Session Border Control
• Single Sign On
• Resources
Disclaimer
Some of the material provided in this presentation is looking forward and may be subject to change without advance notice!
The Acronym Soup

NAC – Network Access Control (Avaya solution: Avaya Identity Engines)
• Authenticates & authorizes network access of users and any network attached device (IP phones, medical devices, user devices, printers etc.).
• Dynamically provisions the network to contain the access of users and the network attached devices.

MDM – Mobile Device Management (Avaya solution: DevConnect (MobileIron))
• MDM manages mobile devices in the context of which applications should / should not be on user handheld devices, password management, patch and software management.
• MDM manages mobile device data and apps but does NOT control / provision the network for access.

SBC – Session Border Control (Avaya solution: Avaya Session Border Controller)
• Provides network security for SIP-based applications without the need for a VPN client on the accessing device.
• Controls access of UC applications (NOT network access of users / devices).

SSO – Single Sign On (Avaya solution: Avaya Identity Engines)
• Single Sign On (SSO) is an area of access control that enables users to login once and/or with the same enterprise credentials and gain access to applications without being prompted to login again at each of them and/or without the need to maintain a different set of credentials.
The Acronym Soup

NAC – Network Access Control (Avaya solution: Avaya Identity Engines)
• Authenticates & authorizes network access of users and any network attached device (IP phones, medical devices, user devices, printers etc.).
• Dynamically provisions the network to contain the access of users and the network attached devices.

MDM – Mobile Device Management (Avaya solution: DevConnect (MobileIron))
• MDM manages mobile devices in the context of which applications should / should not be on user handheld devices, password management, wipe-out and software.
• MDM manages mobile device data and apps but does NOT control / provision the network for access.

SBC – Session Border Control (Avaya solution: Avaya Session Border Controller)
• Provides network security for SIP-based applications without the need for a VPN client on the accessing device.
• Controls access of UC applications (NOT network access of users / devices).

SSO – Single Sign On (Avaya solution: Avaya Identity Engines)
• Single Sign On (SSO) is an area of access control that enables users to login once and/or with the same enterprise credentials and gain access to applications without being prompted to login again at each of them and/or without the need to maintain a different set of credentials.
Agenda
• The Acronym Soup
• Network Access Control
• Mobile Device Management
• Session Border Control
• Single Sign On
• Resources
What is it?
• Network Access Control applies policies, controls and provisions access to a network,
• including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do.
• Role-based Access is where access to the network is given according to the profile of the person and the results of a posture / health check.
• e.g. in an enterprise, the HR dept could access only HR dept files if both the role matches and the endpoint meets the requirement that anti-virus be up-to-date.
Enterprise Network w/ Multiple Policy Enforcement Locations
• Multiple repositories of identity information
• Multiple locations of enforcement points
• Challenges in providing access to
  • Guest Access
  • Contractors Access
• Challenges in implementing consistent access behavior across the network
• Challenges with mergers and acquisitions
(Figure: Enterprise Network with Multiple Constituents and Policy-Enforcement Locations)
Enterprise Network w/ Centralized Identity and Policy Services
(Figure: Identity and Policy Service in the Enterprise Network)
• Network Access Control is centralization of both identity and policy information in a single location
  • Simplification
  • Consistency
• Facilitate self-service Guest Access
  • IT Hands-off
• Contractor Access
Why is it important?
• Granular Control
  • Network operators define policies, such as roles of users and the allowed network areas to access, and enforce them based in switches, WLAN Controllers etc.
• Enhanced Security
  • Ability to prevent access from end-stations that do not meet security posture requirements
• Regulatory Compliance
  • Enforce access policies based on authenticated user identities
1. Define roles
2. Define network access level
Network Access Features
(Figure: Enterprise Network with attached endpoints – IP Phone, Visitor or Business Partner, Personal Machine, Corporate Desktop, Network Printer, Network Device, Wireless Access Point, Surveillance Camera, Fax Machine, Medical Device, Local Server/App, Guests & Guest Devices)
• It is not only about users and their devices but also about any network attached device
• Each access port is not assigned until a user/device attempts access.
• Once authenticated & authorized, user/device is granted appropriate access level.
Typical Network Access Architecture
(Figure: Network Abstraction Layer; Directory Abstraction Layer; Identity Engines with Reporting & Analytics, Posture Assessment, Guest Access Mgmt, Access Portal and CASE Wizard; Policy Enforcement Point, Policy Decision Point, Policy Information Point)
Network Access Features
Basic Features
• Authentication & Authorization
• Guest Access Management
• Posture Compliance
• Compliance checking for unmanaged devices e.g. BYOD
• Reporting and Analytics
• Directory Federation
Advanced Features
• Unified Solution for wired and wireless network access
• IT Hands-Off self-service Guest access management
• Device Finger-printing
• BYOD On-boarding
• High Availability
SPB Network Access Automation
(Figure: Campus, Branch and Data Center sites with UC Zone, Corporate Zone, Guest Zone and Contractor Zone)
1. User connects to edge switch
2. User placed on a VLAN
3. VLAN mapped to an ISID
• Done!
Multi-Host Multi-Authentication
• MHMA is a network switch capability where Identity Engines separately authenticates and authorizes multiple clients connected to a switch port
• Each client must complete EAP authentication before the port allows traffic from the user's MAC address; only traffic from authorized hosts is allowed
• Enables directing multiple hosts on a single port to different VLANs. Used for separating voice and data traffic on the same port
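The role-based access, posture check, VLAN-to-ISID mapping and per-host port authorization described in the NAC slides above, as an added Python example. This is not Avaya Identity Engines code: the Policy Decision Point logic, the roles, VLAN ids, I-SIDs, the quarantine zone and the sample hosts are all constructed for illustration.

```python
"""Added example (not Avaya code): a toy Policy Decision Point (PDP) for
role-based network access with a posture check, plus the per-host
authorization a switch port applies under Multi-Host Multi-Authentication.
All roles, VLAN ids, I-SIDs and the sample hosts below are constructed."""
from dataclasses import dataclass, field

# Role -> (VLAN, SPB I-SID) mapping, as in "VLAN mapped to an ISID". Constructed values.
ROLE_ACCESS = {
    "hr":         {"vlan": 110, "isid": 10110, "description": "HR zone"},
    "contractor": {"vlan": 300, "isid": 10300, "description": "Contractor zone"},
    "guest":      {"vlan": 400, "isid": 10400, "description": "Guest zone (Internet only)"},
    "voice":      {"vlan": 200, "isid": 10200, "description": "UC zone"},
}
QUARANTINE = {"vlan": 999, "isid": 10999, "description": "Remediation zone"}

@dataclass
class AccessRequest:
    mac: str
    identity: str            # user name or device identity after EAP
    role: str                # role from the directory / device profile
    eap_success: bool        # did EAP authentication complete?
    posture: dict = field(default_factory=dict)  # e.g. {"av_up_to_date": True}

def posture_ok(posture: dict) -> bool:
    """Pre-admission health check: anti-virus must be current.
    Devices that cannot report posture (phones, printers) pass via an exemption flag."""
    if posture.get("exempt"):
        return True
    return bool(posture.get("av_up_to_date", False))

def decide(req: AccessRequest) -> dict:
    """PDP decision: deny unauthenticated hosts, quarantine failed posture,
    otherwise map the role to its VLAN / I-SID."""
    if not req.eap_success:
        return {"mac": req.mac, "action": "deny", "reason": "EAP failed"}
    if req.role not in ROLE_ACCESS:
        return {"mac": req.mac, "action": "deny", "reason": "unknown role"}
    if not posture_ok(req.posture):
        return {"mac": req.mac, "action": "permit", "reason": "posture failed", **QUARANTINE}
    return {"mac": req.mac, "action": "permit", "reason": "authorized", **ROLE_ACCESS[req.role]}

class MhmaPort:
    """Models one switch port: traffic from a MAC is forwarded only once the PDP
    has permitted that MAC, and each MAC can land in a different VLAN."""
    def __init__(self, max_hosts: int = 2):
        self.max_hosts = max_hosts
        self.authorized = {}   # mac -> vlan

    def admit(self, decision: dict) -> bool:
        if decision["action"] != "permit" or len(self.authorized) >= self.max_hosts:
            return False
        self.authorized[decision["mac"]] = decision["vlan"]
        return True

    def forwards(self, mac: str) -> bool:
        return mac in self.authorized

def demo() -> dict:
    """Phone and PC on the same port (voice/data separation), plus a host that failed EAP."""
    port = MhmaPort()
    phone = AccessRequest("00:11:22:aa:bb:01", "phone-0142", "voice", True, {"exempt": True})
    pc = AccessRequest("00:11:22:aa:bb:02", "jdoe", "hr", True, {"av_up_to_date": False})
    unknown = AccessRequest("00:11:22:aa:bb:03", "unknown", "hr", False)
    results = {r.identity: decide(r) for r in (phone, pc, unknown)}
    for d in results.values():
        port.admit(d)
    results["port_vlans"] = dict(port.authorized)
    results["unknown_forwarded"] = port.forwards(unknown.mac)
    return results

if __name__ == "__main__":
    from pprint import pprint
    pprint(demo())
```

The PC with stale anti-virus is still admitted, but only into the remediation VLAN; the phone on the same port lands in the UC zone, which is the voice/data separation MHMA is used for, and the host that never completed EAP gets no forwarding at all.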
Agenda
• The Acronym Soup
• Network Access Control
• Mobile Device Management
• Session Border Control
• Single Sign On
• Resources
What is it?
• Mobile Device Management (MDM) secures, monitors, manages and supports mobile devices deployed across mobile operators, service providers and enterprises.
• MDM functionality typically includes over-the-air distribution of applications, data and configuration settings for all types of mobile devices
  • Smart-phones, tablets, mobile printers, mobile POS devices, etc.
Why is it important?
• Reduce support costs and business risks
  • Control and protect the data and configuration settings for all mobile devices in the network
• Manage devices
  • IT can use MDM to manage the devices over the air with minimal intervention in employee schedules
• Visibility
  • With mobile devices becoming present “everywhere” and applications flooding the market, mobile monitoring is growing in importance.
Support Saying YES to BYOD
…Anyone here still using flip phone?
Time Magazine cover Aug 18 1997. Bill Gates invests $150M to save Apple.

Android apps: 700 000
iPhone/iPad apps: 700 000
Tablets in 2012: 119 000 000
Smartphones in 2011: 491 000 000
Smartphones in 2012: 686 000 000
Social Media Users: 1 200 000 000

• Tablet market $45B by 2014 – Yankee 2011
• 50% Enterprise users interested in or using consumer applications – Yankee 2011
• Smartphone app revenue to triple by 2014 – Yankee 2011
Typical MDM Solution
• Server & Client Components
  • Server component sends out management commands to devices
  • Client component runs on device to receive and implement commands
• Must have an agent installed and maintained
  • Constant 24x7 race after device and OS updates
• Deployment – On-premise and Cloud based solutions
MDM Capabilities
Basic Features
• Inventory Management & Real Time Reporting
• Setting Passcode Policies
• Remote Lock and Full Wipe
• Remote Selective Wipe
• Configuration of Email, Wi-Fi, VPN, Certs.
• Email Access Controls
• Jail-broken / Rooted Device Detection
Advanced Features
• Enterprise App Catalog
• App Blacklisting / Whitelisting
• Secure Document Sharing
• Geo Location
• Event-based Security and Compliance Rules Engine
• Roaming Usage
• Dual Persona – separate Personal vs. Corporate content
• Monitor access to App Store
• Data encryption
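Several of the capabilities listed above (passcode policies, jail-broken / rooted device detection, app blacklisting, data encryption, selective wipe, the compliance rules engine) combine into one workflow: evaluate each device in the inventory against policy and decide what the MDM does about it. The Python below is an added example of such a rules engine, not MobileIron or Avaya code; the policy, the device records and the resulting actions are constructed for illustration.

```python
"""Added example (not MobileIron or Avaya code): a small event-based compliance
rules engine of the kind an MDM server runs over its device inventory. The rules,
device records and resulting actions are all constructed for illustration."""
from dataclasses import dataclass, field

@dataclass
class Device:
    device_id: str
    owner: str
    os: str
    os_version: tuple          # e.g. (6, 1) for a constructed "6.1"
    jailbroken: bool
    passcode_set: bool
    passcode_min_len: int
    encrypted: bool
    installed_apps: list = field(default_factory=list)

# Constructed policy: minimum OS, passcode rules, blacklisted apps, encryption.
POLICY = {
    "min_os": {"ios": (6, 0), "android": (4, 1)},
    "passcode_min_len": 6,
    "blacklist": {"insecure-file-share", "rooting-toolkit"},
    "require_encryption": True,
}

def check(device: Device, policy: dict = POLICY) -> list:
    """Return the list of rule violations (an empty list means compliant)."""
    violations = []
    if device.jailbroken:
        violations.append("jailbroken/rooted")
    if device.os_version < policy["min_os"].get(device.os, (0,)):
        violations.append("os-below-minimum")
    if not device.passcode_set or device.passcode_min_len < policy["passcode_min_len"]:
        violations.append("passcode-policy")
    if policy["require_encryption"] and not device.encrypted:
        violations.append("unencrypted")
    bad = policy["blacklist"].intersection(device.installed_apps)
    if bad:
        violations.append("blacklisted-app:" + ",".join(sorted(bad)))
    return violations

def actions_for(violations: list) -> list:
    """Map violations to MDM actions, most severe first. A jailbroken or rooted
    device gets a selective wipe of corporate content; anything else blocks
    corporate e-mail until the user remediates."""
    if not violations:
        return []
    if "jailbroken/rooted" in violations:
        return ["selective-wipe", "block-email", "notify-admin"]
    return ["block-email", "notify-user"]

def evaluate(inventory: list, policy: dict = POLICY) -> dict:
    """Run every device through the rules. The 'compliant' flag is the kind of
    device attribute a network access policy could later query from the MDM."""
    report = {}
    for d in inventory:
        v = check(d, policy)
        report[d.device_id] = {"compliant": not v, "violations": v, "actions": actions_for(v)}
    return report

# Constructed inventory.
INVENTORY = [
    Device("dev-001", "jdoe", "ios", (6, 1), False, True, 6, True, ["mail", "one-x"]),
    Device("dev-002", "asmith", "android", (4, 0), True, True, 4, False, ["rooting-toolkit"]),
    Device("dev-003", "bchan", "ios", (6, 0), False, False, 0, True, ["insecure-file-share"]),
]

if __name__ == "__main__":
    import json
    print(json.dumps(evaluate(INVENTORY), indent=2))
```

Ordering the checks so the rooted-device rule fires first matters: a rooted device cannot be trusted to enforce a passcode or encryption setting pushed to it, so the selective wipe, not a remediation notice, is the right response.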
MDM Market Landscape
• 100+ vendors who claim some level of MDM functionality
• 20 vendors in Gartner MDM MQ
• None of the Networking vendors provide true MDM capabilities
  • Requires keeping up with the intense pace of mobile device market updates and innovation
MDM Capabilities and the Use Cases
• Cross platform device support
• Configuration management
• Device monitoring
• License control
• Software distribution
• Inventory & asset control
MDM requirements vary depending on use case
MDM Capabilities and the Use Cases
MDM requirements vary depending on use case
(Figure: use cases plotted by organization size and degree of regulation)
• Organizations w/ very large number of mobile users vs. small number of mobile users
• Non-regulated organizations (e.g. retail) vs. strongly regulated e.g. Finance, defense
• Example requirement set: data encryption, dual persona, selective wipe
• Example requirement set: detect OS & version, installed apps, roaming usage, content, device wipe
Avaya’s MDM strategy
• Today
  • Avaya Flare and one-XC Applications interoperability tested with MobileIron
• Tomorrow
  • Identity Engines MDM integration with top vendors
  • Ignition Server will query mobile device attributes from the MDM and make attributes part of the Access Policy
(Figure: Avaya Flare & one-XC Applications on user devices)
Avaya’s MDM strategy
(Figure: MDM and Identity Engines Access Policy)
Agenda
• The Acronym Soup
• Network Access Control
• Mobile Device Management
• Session Border Control
• Single Sign On
• Resources
What is it?
• A device or application that governs the manner in which calls, also called sessions, are initiated, conducted and terminated in a VoIP network.
• An SBC can facilitate VoIP sessions between phone sets or proprietary networks that use different signaling protocols.
• An SBC can include call filtering, bandwidth use management, firewalls and anti-malware programs to minimize abuse and enhance security
Why is it important?
• Denial of Service
  • Call/registration overload
  • Malformed messages (fuzzing)
• Configuration errors
  • Misconfigured devices
  • Operator and application errors
• Theft of service
  • Unauthorized users
  • Unauthorized media types
• Viruses and SPIT
  • Viruses via SIP messages
  • Malware via IM sessions
  • SPIT – unwanted traffic
Source: Nemertes Research, Enterprise Adoption of Collaboration Tools – Mobile Collaboration Security Threats
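Two of the threats listed above, registration overload and malformed SIP messages, are what an SBC screens for before signaling from an untrusted network ever reaches the IP-PBX. The Python below is an added example of that screening, not Avaya SBCE code: a structural check on the SIP request line and mandatory headers, and a sliding-window cap on REGISTER attempts per source. The header limits, the rate threshold and the sample messages are constructed.

```python
"""Added example (not Avaya SBCE code): the two front-line checks an SBC applies
to inbound SIP signaling from an untrusted network, written as a small Python
filter. Sample messages, header limits and thresholds are constructed."""
import re
from collections import defaultdict, deque

REQUEST_LINE = re.compile(r"^(REGISTER|INVITE|ACK|BYE|CANCEL|OPTIONS|MESSAGE) (sips?:\S+) SIP/2\.0$")
REQUIRED = ("via", "from", "to", "call-id", "cseq", "max-forwards")
MAX_HEADER_LEN = 1024          # constructed sanity limit on a single header line

def parse(raw: str):
    """Return (method, headers) or raise ValueError for a malformed message."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("bad request line")
    headers = {}
    for line in lines[1:]:
        if ":" not in line or len(line) > MAX_HEADER_LEN:
            raise ValueError("bad header: %r" % line[:40])
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    missing = [h for h in REQUIRED if h not in headers]
    if missing:
        raise ValueError("missing headers: " + ",".join(missing))
    if not re.fullmatch(r"\d+ [A-Z]+", headers["cseq"]):
        raise ValueError("bad CSeq")
    if not headers["max-forwards"].isdigit() or int(headers["max-forwards"]) > 70:
        raise ValueError("bad Max-Forwards")
    return m.group(1), headers

class RegisterLimiter:
    """Sliding-window cap on REGISTER attempts per source, so a registration
    flood or credential-guessing burst is absorbed at the border."""
    def __init__(self, limit: int, window_s: float):
        self.limit, self.window = limit, window_s
        self.seen = defaultdict(deque)   # src -> timestamps inside the window

    def allow(self, src: str, now: float) -> bool:
        q = self.seen[src]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def screen(src: str, raw: str, now: float, limiter: RegisterLimiter) -> str:
    """Verdict for one inbound message: 'drop-malformed', 'drop-rate' or 'forward'."""
    try:
        method, _ = parse(raw)
    except ValueError:
        return "drop-malformed"
    if method == "REGISTER" and not limiter.allow(src, now):
        return "drop-rate"
    return "forward"

# Constructed sample traffic from one source address.
GOOD = ("REGISTER sip:example.test SIP/2.0\r\nVia: SIP/2.0/TLS 198.51.100.7:5061;branch=z9hG4bK1\r\n"
        "From: <sip:alice@example.test>;tag=1\r\nTo: <sip:alice@example.test>\r\n"
        "Call-ID: c1@198.51.100.7\r\nCSeq: 1 REGISTER\r\nMax-Forwards: 70\r\nContent-Length: 0\r\n\r\n")
BAD = "REGISTER sip:example.test SIP/2.0\r\nVia: SIP/2.0/TLS 198.51.100.7\r\nCSeq: x\r\n\r\n"

def demo() -> list:
    limiter = RegisterLimiter(limit=3, window_s=10.0)
    verdicts = [screen("198.51.100.7", BAD, 0.0, limiter)]
    verdicts += [screen("198.51.100.7", GOOD, t, limiter) for t in (1.0, 2.0, 3.0, 4.0)]
    verdicts.append(screen("198.51.100.7", GOOD, 15.0, limiter))  # window has slid past the burst
    return verdicts

if __name__ == "__main__":
    print(demo())
```

The structural parse is deliberately strict and cheap: a message missing mandatory headers or with a nonsensical CSeq is dropped before any per-user state is consulted, which is why it sits in front of the rate limiter rather than behind it.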
UC Security – Should You Care?
• Credit card privacy rules: other compliance laws require security architecture specific to VoIP and other UC.
• In 2010: 50% increase in VoIP hacking, at new levels
• Up to 25% of attacks: VoIP scanning – botnets, Cloud used for VoIP fraud; huge bills
• Reduce deployments by 1/3: VoIP / UC security reduces VoIP / UC deployment time by one third
• Toll fraud: yearly enterprise losses in Billions from inadequate securing of SIP trunks, UC and VoIP applications
Source: collection of analysts (Yankee survey & Aberdeen)
OSI Model - 7 Layers of Attacks
• Typical firewall protection
  • Layer 3-4 protection
  • Emerging layer 7 FWs
• Email spam filters: layer 7 application specific email firewall
• SIP, VoIP, UC: layer 4 to layer 7 application
  • SIP Trunking - a trunk side application
  • SIP Line (phone) side (internal and external) access - another application

OSI Model (Layer – Data Unit – Function)
Host Layers
  7. Application – Data – Network process to application
  6. Presentation – Data – Data representation, encryption and decryption, convert machine dependent data to machine independent data
  5. Session – Data – Inter-host communication
  4. Transport – Segments – End-to-end connections and reliability, flow control
Media Layers
  3. Network – Packet/Datagram – Path determination and logical addressing
  2. Data Link – Frame – Physical addressing
  1. Physical – Bit – Media, signal and binary transmission
Wikipedia on 22Jul2011: http://en.wikipedia.org/wiki/OSI_Model

Avaya SBCE provides a VoIP/UC trunk/line side layer 4-7 application protection
Think of OSI model as a 7 foot high jump
Complements Existing Security Architecture
(Figure: Firewall and Avaya SBCE – Application Level Security Proxy: Policy Application, Threat Protection, Privacy, Access Control)
Session Border Control Use Cases
(Figure: Avaya SBC for Enterprise use cases – SIP Trunking, Remote Worker, CS1000 with SIP Trunking)
SBC Use Cases – SIP Trunking
Use Case: SIP Trunking to Carrier
• Carrier offering SIP trunks as lower-cost alternative to TDM
• Carrier SIP trunks to the Avaya SBC
• Avaya SBC located in the DMZ behind the Enterprise firewall
• Services security and demarcation device between the IP-PBX and the Carrier
  − NAT traversal
  − Securely anchors signaling and media, and can
  − Normalize SIP protocol
(Figure: Carrier – SIP Trunks – Internet – Firewall – DMZ with Avaya SBCE – Firewall – Enterprise IP PBX)
Secure Remote Worker with BYOD
• Personal PC, Mac or iPad devices
• Avaya Flare®, Avaya one-X® SIP client app
• App secured into the organization, not the device
• One number UC anywhere
(Figure: Untrusted Network (Internet, Wireless, etc.) – Avaya SBCE – Avaya Aura®: Presence Server, System Manager, Communication Manager, Avaya Aura Conferencing, Aura Messaging, Session Manager)
Secure Remote Worker with BYOD
Use Case: Remote Worker
• Extend UC to SIP users remote to the Enterprise
• Solution not requiring VPN for UC/CC SIP endpoints
• Remote Workers are external to the Enterprise firewall
• Avaya Session Border Controller for Enterprise
  − Authenticate SIP-based users/clients to Aura Realm
  − Securely proxy registrations and client device provisioning
  − Securely manage communications without requiring a VPN
(Figure: Remote Workers – Internet – Firewall – DMZ with Avaya SBCE – Firewall – Enterprise IP PBX)
Agenda
• The Acronym Soup
• Network Access Control
• Mobile Device Management
• Session Border Control
• Single Sign On
• Resources
What is it?
Single Sign On (SSO) is a property of access control that enables users to login with one set of enterprise credentials and gain access to systems without being prompted for different credentials or to login again.
Maintaining one set of credentials and reducing multiple logins.
Why is it important?
• Reduces password fatigue from different user name and password combinations
• Reduces time spent re-entering passwords for the same identity
• Reduces IT costs due to lower number of IT help desk calls about passwords
Single-Sign-On
(Figure: Enterprise Identity Realm – Enterprise Directory Infrastructure)
Local Single-Sign-On
• ERP
• HRM
• CRM
• Intranet Applications
Web Single-Sign-On
• 3rd Party Web Sites
• Salesforce
• Social Media
Single-Sign-On
(Figure: Enterprise Identity Realm with Enterprise Directory Infrastructure; Aura Applications Identity Realm with SM, AAC, CM, PS)
Current Situation
• The enterprise and Aura realms are separate where each app has its own notion of user identity, credentials and manages them separately.
• Integration with enterprise AAA is difficult, inconsistent and brittle
Single-Sign-On
(Figure: Enterprise Identity Realm with Enterprise Directory Infrastructure; Aura Applications – SM, AAC, CM, PS)
Customers Want
• Users to authenticate to enterprise AAA service
• Minimize the number of user identities and credentials
• Minimal and standard approach to authentication & credential mgmt
• Consistent user experience
Stepping Identity Engines Up into the Applications Access
• Incorporating SAML as an authentication protocol
  • Web Clients
  • Thick Clients
• Introducing the concept of Identity Provider for Applications
• Introducing the concept of Service Providers
• Focus on Aura UC Applications
  • Flare
  • One-X Communicator
  • Avaya Aura Conferencing
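The Identity Provider / Service Provider split introduced above puts a specific set of checks on the Service Provider side: before an application accepts a SAML assertion as a login, it must verify the signature, the issuer, the audience, the validity window and that the assertion answers the request it sent. The Python below is an added example of those checks, not Avaya Identity Engines code. Real SAML uses XML Signature; here an HMAC over the assertion stands in for it so the example runs with the standard library only, and the entity ids, the key and the assertion are constructed.

```python
"""Added example (not Avaya Identity Engines code): the checks a Service Provider
makes on a SAML 2.0 assertion it receives from an Identity Provider. XML signature
verification is replaced by an HMAC over the assertion as a stand-in so the
example runs without an XML-DSig library; issuer, audience, key and assertion
are constructed."""
import hashlib, hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://sp.example.test/metadata"     # constructed
TRUSTED_IDP = "https://idp.example.test/metadata"      # constructed
SHARED_SECRET = b"constructed-stand-in-for-idp-signing-key"

def fmt(t: datetime) -> str:
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")

def build_assertion(issuer, subject, audience, not_before, not_on_or_after, request_id):
    """Constructed IdP side: produce an assertion and its stand-in 'signature'."""
    xml = (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="a1">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{subject}</saml:NameID>"
        f'<saml:SubjectConfirmation><saml:SubjectConfirmationData InResponseTo="{request_id}"/>'
        "</saml:SubjectConfirmation></saml:Subject>"
        f'<saml:Conditions NotBefore="{fmt(not_before)}" NotOnOrAfter="{fmt(not_on_or_after)}">'
        f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>"
        "</saml:AudienceRestriction></saml:Conditions></saml:Assertion>"
    )
    sig = hmac.new(SHARED_SECRET, xml.encode(), hashlib.sha256).hexdigest()
    return xml, sig

def validate(xml: str, sig: str, expected_request_id: str, now: datetime) -> tuple:
    """SP side: return (True, subject) or (False, reason). Signature first, then
    issuer, validity window, audience, and that the assertion answers our request."""
    expected = hmac.new(SHARED_SECRET, xml.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, "signature"
    root = ET.fromstring(xml)
    if root.findtext("saml:Issuer", namespaces=NS) != TRUSTED_IDP:
        return False, "untrusted issuer"
    cond = root.find("saml:Conditions", NS)
    nb = datetime.strptime(cond.get("NotBefore"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    na = datetime.strptime(cond.get("NotOnOrAfter"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if not (nb <= now < na):
        return False, "outside validity window"
    audiences = [a.text for a in root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return False, "audience mismatch"
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != expected_request_id:
        return False, "InResponseTo mismatch"
    return True, root.findtext("saml:Subject/saml:NameID", namespaces=NS)

def demo() -> dict:
    """One good assertion and four that a correct SP must reject."""
    now = datetime(2013, 2, 27, 10, 0, tzinfo=timezone.utc)
    good_xml, good_sig = build_assertion(TRUSTED_IDP, "jdoe", SP_ENTITY_ID,
                                         now - timedelta(minutes=1), now + timedelta(minutes=5), "req-1")
    other_xml, other_sig = build_assertion(TRUSTED_IDP, "jdoe", "https://other-sp.example.test",
                                           now - timedelta(minutes=1), now + timedelta(minutes=5), "req-1")
    return {
        "good": validate(good_xml, good_sig, "req-1", now),
        "modified_subject": validate(good_xml.replace("jdoe", "admin"), good_sig, "req-1", now),
        "expired": validate(good_xml, good_sig, "req-1", now + timedelta(minutes=10)),
        "wrong_audience": validate(other_xml, other_sig, "req-1", now),
        "stale_request_id": validate(good_xml, good_sig, "req-2", now),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The audience check is the one most often skipped in home-grown SP code: an assertion the IdP minted for a different application is validly signed and in date, and only the Audience element says it was never meant for this one.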
Agenda
• Network Access
• Mobile Device Management
• Network Access Control
• SIP Security
• Single Sign On
• Resources
NAC – Network Access Control
SBC – Session Border Controller
MDM – Mobile Device Management
SSO – Single Sign On

“Avaya is the company that is stepping in with a true, holistic BYOD proposal that covers all the pieces.”
Zeus Kerravala, ZK Research
Resources
• Identity Engines Product Management
  • Shmulik Nehama
  • [email protected]
• Session Border Controller Product Management
  • Jack Rynes
  • [email protected]
• Secure BYOD YouTube Video
  • http://www.youtube.com/watch?v=0ZrMOqzGMpE
Thank you!
@shmulik247 #AvayaATF