Extreme Networks Identity Manager

licoricehealth, Artificial Intelligence and Robotics

14 Nov 2013

© 2011 Extreme Networks, Inc. All rights reserved.


Extreme Networks Identity Manager

User, Device, Location, and Presence

Timo Lonka, Country Manager



User and Traffic Profiles Have Changed

- More users with different roles...
- More devices with unique requirements...
- More applications generating demanding traffic...
- More resources with different security demands...

Who are you? Employee vs. contractor vs. guest.
What are you? Managed or unmanaged device.
Is it a threat or is it okay? Increased risk of data in motion.
Are you supposed to be here? Pressure of internal/external regulatory compliance...


Day-to-Day Pain Points


- 80% of IT resources are spent being reactive to network and help desk calls
- Too many help desk calls related to network configuration; more calls means more support personnel
- Network adds, moves and changes are labor intensive and costly, and may require reconfiguration at times
- Need for troubleshooting is high as it relates to user issues
- Need to reduce network downtime as it relates to configuration
- Need a dynamic way of dealing with application performance, e.g. bandwidth allocation to higher-bandwidth applications
- Network configuration is manual and laborious
- Compliance becomes complicated, e.g. keeping non-accounting people out of the accounts servers etc.

Extreme Networks enables IT organizations to proactively manage business operations

Enabling the move from a static network to a dynamic (identity-aware) network:

Static network (reactive management):
- Limited visibility of user, device, location, and presence
- Network provisioning and monitoring based on IP address, TCP/UDP port information, and static ACLs
- Manual configuration

Dynamic network (proactive management):
- Awareness of user, device, location, and presence
- Network provisioning and monitoring based on user identity, device identity, virtual machine identity, role-based access, and dynamic ACLs
- Automated configuration

Traditional IdAM

Identity and Access Management (IdAM) provisioning at the application (i.e. resource) level: user community -> network infrastructure -> protected application / data center.

Users: IP Manager: John; Finance: Bob; Sales: Alice.
Protected resources: intellectual property data, customer data, financial resource systems.

Extreme Networks Identity Manager

Identity and Access Management (IdAM) provisioning at the network and application level with Extreme Networks: the network infrastructure is protected as well as the application / data center (intellectual property data, customer data, financial resource systems).

- Increased network availability
- Eliminate "noise" traffic and malicious activity within the infrastructure
- Network and data access provisioned based on roles and identity
- Audit network activity per user

Users: IP Manager: John; Finance: Bob; Sales: Alice.

Identity and Network Authentication

Network authentication methods today:
- Netlogin 802.1X login ID
- Netlogin web-based ID
- Netlogin MAC-RADIUS

What's needed:
- Non-intrusive, transparent authentication: Windows domain login, Kerberos snooping
- Tying authentication and identity to roles and dynamic policies
- Tracking of endpoints based on user, device, LLDP-based device identification (e.g. VoIP phone, printers, etc.), computer name, and location, location, location!

Transparent Authentication with Kerberos

Infrastructure in the picture: Active Directory server, RADIUS server, LDAP server; resources: Internet, intranet, mail servers, CRM database.

1. The user logs into the Active Directory domain with username and password.
2. Extreme "snoops" the Kerberos login by capturing the username.
3. Active Directory validates and approves the user credentials and responds to the host.
4. Extreme grants network access based on the AD server response.

Identity record the switch builds from that exchange:

Username | IP | MAC | Computer Name | VLAN | Switch Port # | Location | Result
John_Smith | 10.1.1.101 | 00:00:00:00:00:01 | Laptop_1011 | 1 | 24 | - | Success

User and device awareness through transparent authentication:
» No software agents required; utilize existing authentication methods
» No need to retrain users on logging on to the network
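Steps 1 to 4 above, as an added example that is not Extreme Networks code: a small Python snooper that decodes the Kerberos AS-REQ, AS-REP and KRB-ERROR messages a switch would see on port 88, binds the host's IP to the user name the KDC confirms, and treats the KDC_ERR_PREAUTH_REQUIRED error that Active Directory returns to every first AS-REQ as "login still in progress" rather than as a failure. The KDC address, realm, user names and all packets are constructed; the DER builders exist only to make that sample traffic.

```python
"""Kerberos AS-exchange snooping: bind a host to the AD user the KDC confirmed.

Added example (not Extreme Networks code). Decodes only the fields of AS-REQ,
AS-REP and KRB-ERROR that identity snooping needs; pre-auth data, ticket and
enc-part are skipped. Input is a raw KRB message, i.e. a UDP/88 payload (for
TCP/88 strip the 4-byte length prefix first). KDC address, realm, user names
and every sample packet below are constructed.
"""
KDC_ERR_PREAUTH_REQUIRED = 25                              # RFC 4120; AD's usual first answer
APP_AS_REQ, APP_AS_REP, APP_KRB_ERROR = 0x6A, 0x6B, 0x7E   # [APPLICATION 10 / 11 / 30]

# ---- minimal DER reader: tag numbers < 31, which covers every tag Kerberos uses here ----
def _tlv_iter(buf):
    """Yield (tag, value) for each TLV at the top level of buf."""
    i = 0
    while i < len(buf):
        tag, ln, i = buf[i], buf[i + 1], i + 2
        if ln & 0x80:                                      # long-form length
            n = ln & 0x7F
            ln, i = int.from_bytes(buf[i:i + n], "big"), i + n
        yield tag, buf[i:i + ln]
        i += ln

def _first(buf):
    """Unwrap one level: the first TLV in buf ([n] EXPLICIT or APPLICATION wrapper)."""
    return next(_tlv_iter(buf))

def _fields(seq_body):
    """Map context tag number -> value for a SEQUENCE made of [n] EXPLICIT fields."""
    return {tag & 0x1F: val for tag, val in _tlv_iter(seq_body) if tag & 0xC0 == 0x80}

def _int_of(ctx):
    return int.from_bytes(_first(ctx)[1], "big", signed=True)

def _str_of(ctx):                                          # Realm / KerberosString
    return _first(ctx)[1].decode("ascii")

def _principal(ctx):
    """PrincipalName: name-string [1] is a SEQUENCE OF KerberosString, joined with '/'."""
    names = _first(_fields(_first(ctx)[1])[1])[1]
    return "/".join(v.decode("ascii") for _, v in _tlv_iter(names))

def parse_kerberos(msg):
    """Identity-relevant fields of an AS-REQ, AS-REP or KRB-ERROR, chosen by APPLICATION tag."""
    app_tag, wrapped = _first(msg)
    f = _fields(_first(wrapped)[1])                        # fields of the inner SEQUENCE
    if app_tag == APP_AS_REQ:
        rb = _fields(_first(f[4])[1])                      # req-body [4]: cname [1], realm [2]
        return {"type": "AS-REQ", "realm": _str_of(rb[2]),
                "cname": _principal(rb[1]) if 1 in rb else None}
    if app_tag == APP_AS_REP:                              # crealm [3], cname [4]
        return {"type": "AS-REP", "realm": _str_of(f[3]), "cname": _principal(f[4])}
    if app_tag == APP_KRB_ERROR:                           # error-code [6], cname [8], realm [9]
        return {"type": "KRB-ERROR", "error_code": _int_of(f[6]), "realm": _str_of(f[9]),
                "cname": _principal(f[8]) if 8 in f else None}
    raise ValueError("not an AS-exchange message (tag 0x%02x)" % app_tag)

class KerberosSnooper:
    """Steps 2-4 of the slide: note who a host claims to be, then trust only the KDC's answer."""
    def __init__(self):
        self.pending = {}       # host -> (claimed user, realm, KDC the request went to)
        self.bindings = {}      # host -> {"user", "realm", "state"}

    def observe(self, src, dst, payload):
        m = parse_kerberos(payload)
        if m["type"] == "AS-REQ":
            self.pending[src] = (m["cname"], m["realm"], dst)
            return None
        claimed = self.pending.get(dst)                    # a reply must answer a request we saw
        if claimed is None or claimed[2] != src:           # and come from the KDC it was sent to
            return None
        if m["type"] == "AS-REP":
            self.bindings[dst] = {"user": m["cname"], "realm": m["realm"], "state": "success"}
        elif m["error_code"] == KDC_ERR_PREAUTH_REQUIRED:
            return None                                    # normal first round trip on AD
        else:
            self.bindings[dst] = {"user": claimed[0], "realm": claimed[1], "state": "failed"}
        del self.pending[dst]
        return self.bindings[dst]

# ---- constructed sample traffic (DER builders for just the fields the parser reads) ----
def _tlv(tag, body):
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + body

def _ctx(n, body): return _tlv(0xA0 | n, body)            # [n] EXPLICIT, constructed
def _int(v):       return _tlv(0x02, bytes([v]))           # small non-negative INTEGER
def _gstr(s):      return _tlv(0x1B, s.encode("ascii"))    # GeneralString
def _pname(*parts):                                        # PrincipalName, name-type 1
    return _tlv(0x30, _ctx(0, _int(1)) + _ctx(1, _tlv(0x30, b"".join(map(_gstr, parts)))))

def build_as_req(user, realm):
    body = (_ctx(0, _tlv(0x03, b"\x00\x40\x81\x00\x10")) + _ctx(1, _pname(user))  # kdc-options unread
            + _ctx(2, _gstr(realm)) + _ctx(3, _pname("krbtgt", realm)))
    return _tlv(APP_AS_REQ, _tlv(0x30, _ctx(1, _int(5)) + _ctx(2, _int(10)) + _ctx(4, _tlv(0x30, body))))

def build_as_rep(user, realm):                             # ticket [5] / enc-part [6] left empty
    return _tlv(APP_AS_REP, _tlv(0x30, _ctx(0, _int(5)) + _ctx(1, _int(11)) + _ctx(3, _gstr(realm))
                            + _ctx(4, _pname(user)) + _ctx(5, _tlv(0x61, b"")) + _ctx(6, _tlv(0x30, b""))))

def build_krb_error(code, realm, user):
    body = (_ctx(0, _int(5)) + _ctx(1, _int(30)) + _ctx(4, _tlv(0x18, b"20111114120000Z"))
            + _ctx(5, _int(0)) + _ctx(6, _int(code)) + _ctx(8, _pname(user))
            + _ctx(9, _gstr(realm)) + _ctx(10, _pname("krbtgt", realm)))
    return _tlv(APP_KRB_ERROR, _tlv(0x30, body))

KDC, REALM = "10.1.1.5", "CORP.EXAMPLE"                    # constructed
SAMPLE_TRAFFIC = [                                         # (src, dst, raw KRB message)
    ("10.1.1.101", KDC, build_as_req("John_Smith", REALM)),
    (KDC, "10.1.1.101", build_krb_error(KDC_ERR_PREAUTH_REQUIRED, REALM, "John_Smith")),
    ("10.1.1.101", KDC, build_as_req("John_Smith", REALM)),        # retry with pre-auth
    (KDC, "10.1.1.101", build_as_rep("John_Smith", REALM)),        # success
    ("10.1.1.200", KDC, build_as_req("Alice_Jones", REALM)),
    (KDC, "10.1.1.200", build_krb_error(24, REALM, "Alice_Jones")),  # KDC_ERR_PREAUTH_FAILED
    ("10.1.1.50", KDC, build_as_req("Bob", REALM)),
    ("10.1.1.66", "10.1.1.50", build_as_rep("Bob", REALM)),        # AS-REP from a non-KDC: ignored
]

def run_sample(traffic=SAMPLE_TRAFFIC):
    snooper = KerberosSnooper()
    for src, dst, payload in traffic:
        snooper.observe(src, dst, payload)
    return snooper.bindings

if __name__ == "__main__":
    for host, binding in run_sample().items():
        print(host, binding)
```

Two points the slide's wording glosses over are built in: because the switch only observes, it accepts a reply only from the KDC the request was sent to (the stray AS-REP to 10.1.1.50 produces no binding), and it does not mistake the pre-authentication error AD sends on every first attempt for a failed login. Where the hosts support it, 802.1X from the earlier slide gives the switch an authenticated binding rather than an observed one.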

Awareness Enables ... Role-based Access

Directory servers queried: Active Directory server, RADIUS server, LDAP server; resources: Internet, intranet, mail servers, data center.

Role derivation:
» Users are assigned to a "role" based on their attributes (e.g. job function, location, etc.)
» Users then inherit the network policies within the roles, which control access to network resources regardless of location

Role | Internet | Intranet | Mail | CRM/Database | VLAN
Unauthenticated | Yes | No | No | No | Default
Contractor | Yes | Yes | No | No | Default
Employee | Yes | Yes | Yes | Yes | Default

Who is John? LDAP response: match Department = Employee. User: John, Role: Employee, Resource Access = Permit All.
Who is Alice? LDAP response: match Company = IBM. User: Alice, Role: Contractor, Resource Access = Deny Mail and CRM.
No authentication detected = Unauthenticated role. User: Bob, Role: Unauthenticated, Resource Access = Internet Only.

For Internal Use Only. Extreme Networks Confidential and Proprietary. Not to be distributed outside of Extreme Networks, Inc.

The same role derivation on wireless: the Summit WM3000 controller queries the directory (Active Directory / RADIUS / LDAP), the response matches Group = Employee, and John lands in the Employee role with Resource Access = Permit All.

Role-based access regardless of location, wired or wireless! Not dependent on VLANs!

Child and Parent Role Relationship

A user gets placed into a defined role, which then "dynamically" inherits the set of policies configured for each specific role.

Roles shown: English Role, Engineering Role, Student Role, Faculty Role, Visitor Role, Mathematics Role.
Policy sets shown: Policy 1, 2, 3; Policy 4, 5; Policy 6, 7; Policy 8, 9, 10; Policy 11, 12, 13; Policy 14, 15.

Provisioning: Utilizing Existing Data Stores...

"if" a user matches a defined attribute value ...

LDAP attributes: Employee/User ID, Title, Department, Company, City, State, Country

RADIUS attributes:
- Calling Station
- Location: the zone the client is located in
- ESSID: the ESSID the client is associated with
- Group: the group assigned by AAA
- MAC: the MAC address of the device
- Authentication: authentication used
- Encryption: encryption used

... "then" place the user into a defined ROLE. Applies to wired and wireless.

Provisioning: Location-based Access Control

- Physical security without impacting mobility
- Locate users/devices and enforce policies based on their current location
- Define/configure multiple GeoFencing zones: site dimensions, zones and access point locations

Zones on the site plan: warehouse area, office area, conference room.

Example location rules:

Employee Outdoor: Group: Corp; State: Compliant; Auth: Any; Encp: Any; Location: Outdoor; Policy: Remote Access
Visitor Outdoors: Group: Public; Device: Any; State: Compliant; Auth: Any; Encp: Any; Location: Outdoors; Policy: Access Denied
Visitor - Conference Room: Group: Public; Device: Any; State: Compliant; Auth: Any; Encp: Any; Location: Indoor; Policy: Internet Only
Employee Indoor: Group: Corp; State: Compliant; Auth: Any; Encp: Any; Location: Indoor; Policy: Intranet Access

Identity Manager: Addressing Needs Today

- Onboarding users securely: provisioning of users and devices with roles, based on their profiles
- Onboarding IT assets securely
- Rich visibility of user/device identity and their location

Capability | Wired Ethernet (Extreme switching solution) | Wireless (Extreme wireless solution)
Onboarding users: 802.1X, web portal | Available today | Available today
Onboarding users: Windows Active Directory | Available today | N/A (802.1X and WPA PSK are the more common authentication on wireless)
Onboarding IT assets: LLDP attributes, MAC OUI | Available today | N/A (critical IT assets are wired connections)
Role-based provisioning | Available today | Available today
LDAP profile of users and devices | Available today | Summer 2012

Onboarding Users and their BYOD

- ExtremeXOS switches and Summit WM will have the ability to provide OS fingerprinting of the connected device, wired or wireless!
- Utilize DHCP fingerprinting and/or the HTTP User-Agent
- Allows for enhancements to role-based policies that now include device/OS type as an attribute. For example:

If user identity or user attribute equals | ...and if device class type equals | ...then place user and device in role | ...and dynamically apply the following policies
Department = Sales | iPhone | Mobile Sales Role | Permit Sales Server; Deny Finance Servers
Department = Sales | Windows PC | Corporate Sales Role | Permit Sales Server; Permit Finance Server
Location = Student Dorm | Game Console | Game Console Role | Deny Corporate Resources; Rate limit traffic 10M
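The if/then attribute rules, the role table, the parent/child inheritance, the location rules and this device-class table, as one added Python example that is not Extreme Networks code. Roles, policies and resources follow the slides; the attribute names, the rule order, the DHCP option 55 / User-Agent signatures and the sample endpoints are assumptions chosen for illustration.

```python
"""Role derivation with parent/child inheritance (added example, not Extreme Networks code).

Endpoint attributes (LDAP user attributes, RADIUS/wireless attributes such as group and
location, and a device class from DHCP option 55 or the HTTP User-Agent) are matched
against ordered if/then rules; the first match assigns a role; a role inherits its
parent's policies after its own; a resource request takes the first matching policy.
Attribute names, rule order, signatures and sample endpoints are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Role:
    policies: list                 # ordered (resource, action); "*" matches any resource
    parent: Optional[str] = None   # inherited policies are consulted after the child's own

ROLES = {
    "Unauthenticated": Role([("Internet", "permit"), ("*", "deny")]),
    "Contractor":      Role([("Intranet", "permit")], parent="Unauthenticated"),
    "Employee":        Role([("Mail", "permit"), ("CRM/Database", "permit")], parent="Contractor"),
    "Mobile Sales":    Role([("Sales Server", "permit"), ("Finance Servers", "deny")], parent="Employee"),
    "Corporate Sales": Role([("Sales Server", "permit"), ("Finance Servers", "permit")], parent="Employee"),
    "Game Console":    Role([("Internet", "rate-limit 10M"), ("*", "deny")]),
    "Visitor Outdoor": Role([("*", "deny")]),
}

# "if" a user matches a defined attribute value ... "then" place the user into a defined ROLE.
# Every listed attribute must equal the endpoint's value; rules are tried in order.
RULES = [
    ({"location": "Student Dorm", "device_class": "Game Console"}, "Game Console"),
    ({"group": "Public", "location": "Outdoor"},                    "Visitor Outdoor"),
    ({"department": "Sales", "device_class": "iPhone"},             "Mobile Sales"),
    ({"department": "Sales", "device_class": "Windows PC"},         "Corporate Sales"),
    ({"company": "IBM"},                                            "Contractor"),
    ({"group": "Employee"},                                         "Employee"),
]

# Illustrative fingerprint table (constructed); production use needs a maintained signature DB.
DHCP_OPTION55_SIGNATURES = {
    (1, 3, 6, 15, 119, 252): "iPhone",
    (1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 252, 43): "Windows PC",
}
USER_AGENT_HINTS = {"playstation": "Game Console", "xbox": "Game Console",
                    "iphone": "iPhone", "windows nt": "Windows PC"}

def classify_device(dhcp_opt55=None, user_agent=None):
    """Device/OS class from the DHCP parameter request list and/or the HTTP User-Agent."""
    if dhcp_opt55 is not None and tuple(dhcp_opt55) in DHCP_OPTION55_SIGNATURES:
        return DHCP_OPTION55_SIGNATURES[tuple(dhcp_opt55)]
    ua = (user_agent or "").lower()
    for needle, device_class in USER_AGENT_HINTS.items():
        if needle in ua:
            return device_class
    return "Unknown"

def derive_role(attrs):
    for conditions, role in RULES:
        if all(attrs.get(k) == v for k, v in conditions.items()):
            return role
    return "Unauthenticated"       # no authentication / no matching attributes detected

def effective_policies(role):
    """Child policies first, then each ancestor's, so a child overrides its parent by order."""
    out = []
    while role is not None:
        out.extend(ROLES[role].policies)
        role = ROLES[role].parent
    return out

def decide(role, resource):
    for res, action in effective_policies(role):
        if res in ("*", resource):
            return action
    return "deny"                  # default deny if no policy matched at all

RESOURCES = ["Internet", "Intranet", "Mail", "CRM/Database", "Sales Server", "Finance Servers"]

def evaluate(attrs, dhcp_opt55=None, user_agent=None):
    attrs = dict(attrs, device_class=classify_device(dhcp_opt55, user_agent))
    role = derive_role(attrs)
    return {"role": role, "access": {r: decide(role, r) for r in RESOURCES}}

# Constructed endpoints modelled on the slides' John, Alice, the unknown host 10.1.1.50,
# a salesperson's iPhone, a game console in a dorm and a visitor outdoors.
SAMPLE_ENDPOINTS = {
    "John_Smith":   (dict(group="Employee"), (1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 252, 43), None),
    "Alice_Jones":  (dict(group="Employee", company="IBM"), None, None),
    "10.1.1.50":    ({}, None, None),
    "sales_phone":  (dict(group="Employee", department="Sales"), (1, 3, 6, 15, 119, 252), None),
    "dorm_console": (dict(location="Student Dorm"), None, "Mozilla/5.0 (PLAYSTATION 3; 4.81)"),
    "visitor_ipad": (dict(group="Public", location="Outdoor"), (1, 3, 6, 15, 119, 252), None),
}

def run_sample():
    return {name: evaluate(*args) for name, args in SAMPLE_ENDPOINTS.items()}

if __name__ == "__main__":
    for name, result in run_sample().items():
        print(name, result["role"], result["access"])
```

Rule order matters: the contractor rule sits before the employee rule so that Alice, who is in the Employee group but whose Company is IBM, becomes a Contractor; putting the more specific device and location rules first is what keeps a salesperson's iPhone out of the general Employee role.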

Network Visibility of Users and Devices

Username | IP | MAC | Computer Name | Role | VLAN | Switch Port # | Switch Location
John_Smith | 10.1.1.101 | 00:00:00:00:00:01 | John's_Laptop | Employee | 1 | 24 | Wiring closet, building 2
Alice_Jones | 10.1.1.200 | 00:00:00:00:00:02 | Science_PC | Contractor | 1 | 1 | 3rd floor, building 3
Cisco VoIP Phone | 10.1.2.100 | 00:00:00:00:00:03 | n/a | Voice | 10 | 2 | 3rd floor, building 4
Dell iSCSI_Array | 10.3.1.111 | 00:00:22:00:00:10 | n/a | Storage | 20 | 8 | Data Center
<unknown> | 10.1.1.50 | 00:00:00:00:00:50 | n/a | Guest | 1 | 1 | Media building

User and device identity: turning bits and bytes of information into "rich content" (users, devices, and their location) and achieving automatic provisioning with role-based policies.

Centralized Reporting is Critical

- Top 10 dashboard
- Detail user views

Open Standards Architecture

Extreme switching infrastructure, ExtremeXOS software modules:
- Embedded security (e.g. DoS, IP spoof, ARP, etc.)
- Identity and role-based
- Wireless convergence

Ridgeline network and services manager: device management, identity reporting, role-based management, application monitoring.

Partner solutions via 3rd-party interface (XML, SNMP, etc.): firewall, VPN, IPS, SIEM, DLP, AD/LDAP, RADIUS, UTM.

Extreme Networks Product Portfolio

Modular chassis (1/10/40G and 10/40/100G): BlackDiamond 8800 with 8500-Series modules; BlackDiamond 8800 with C-Series modules; BlackDiamond 8800 with 8900-Series modules (8900-40G6X-Xm); BlackDiamond X Series.

Fixed switches (10/100M, 1G, 10G and 40G; SummitStack stacking): Summit X150, Summit X250e, Summit X350, Summit X440, Summit X450a, Summit X450e, Summit X460, Summit X480, Summit X650, Summit X670 (VIM3-40G4X), E4G 200/400 (only the 400 model stacks).

Wireless: single-radio AP, adaptive AP, wallplate AP, controller with AP, Summit WM3000 Series.

Network management: Ridgeline, Motorola ADSP, EAS, ReachNXT.

Summit X440 Products: The Intelligent Edge

- Summit X440-8t
- Summit X440-8p
- Summit X440-24t
- Summit X440-24p
- Summit X440-48t
- Summit X440-48p
- Summit X440-24t-10G
- Summit X440-24p-10G
- Summit X440-48t-10G
- Summit X440-48p-10G
- Summit X440-L2-24t*
- Summit X440-L2-48t*

*Future availability

In Summary

A more intelligent switch fabric: Extreme Networks adds user, device, location, and presence awareness.

Today's network: Layer 1 (physical), Layer 2 (data link), Layer 3 (network), Layer 4 (transport), Layer 7 (application).
Extreme Networks: application awareness (virtualization, VM mobility), user awareness, device awareness, etc.

Thank You