
©2013 Avaya Inc. All rights reserved. February 26-28, 2013 | Orlando, FL


Slide 1: Title slide

Slide 2: Network Access and the Acronym Soup: NAC, MDM, SBC & SSO
Shmulik Nehama, Identity Engines Portfolio Leader, Avaya
@shmulik247 #AvayaATF

Slide 3: Agenda
- The Acronym Soup
- Network Access Control
- Mobile Device Management
- Session Border Control
- Single Sign On
- Resources
Disclaimer: Some of the material in this presentation is forward-looking and may be subject to change without advance notice.

Slide 4: The Acronym Soup
- NAC, Network Access Control (Avaya solution: Avaya Identity Engines): authenticates and authorizes network access of users and of any network-attached device (IP phones, medical devices, user devices, printers etc.). Dynamically provisions the network to contain the access of users and network-attached devices.
- SSO, Single Sign On (Avaya solution: Avaya Identity Engines): an area of access control that enables users to log in once, and/or with the same enterprise credentials, and gain access to applications without being prompted to log in again at each of them and without maintaining a different set of credentials per application.
- MDM, Mobile Device Management (Avaya solution: DevConnect partner MobileIron): manages mobile devices in terms of which applications should or should not be on user handheld devices, password management, and patch and software management. MDM manages mobile device data and apps but does NOT control or provision the network for access.
- SBC, Session Border Control (Avaya solution: Avaya Session Border Controller): provides network security for SIP-based applications without the need for a VPN client on the accessing device. Controls access to UC applications (NOT network access of users or devices).

Slide 5: The Acronym Soup (build of slide 4; the MDM entry here reads: manages which applications should or should not be on user handheld devices, password management, device wipe and software. MDM manages mobile device data and apps but does NOT control or provision the network for access.)

Slide 6: Agenda (section: Network Access Control)

Slide 7: Network Access Control: What is it?
- Network access with policies: controls and provisions access to a network, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on the network and what they can do.
- Role-based access: access to the network is granted according to the profile of the person and the result of a posture (health) check.
  - e.g. in an enterprise, the HR department can access HR department files only if both the role matches and the endpoint passes the check that its anti-virus is up to date.

Slide 8: Enterprise Network with Multiple Constituents and Policy-Enforcement Locations
- Multiple repositories of identity information
- Multiple locations of enforcement points
- Challenges in providing guest access and contractor access
- Challenges in implementing consistent access behavior across the network
- Challenges with mergers and acquisitions

Slide 9: Enterprise Network with Centralized Identity and Policy Services
- Network Access Control is the centralization of both identity and policy information in a single Identity and Policy Service in the enterprise network
- Simplification
- Consistency
- Facilitates self-service guest access and IT hands-off contractor access

Slide 10: Why is it important?
- Granular control: network operators define policies, such as user roles and the network areas each role may access, and enforce them in switches, WLAN controllers etc.
- Enhanced security: ability to prevent access from end-stations that do not meet security posture requirements
- Regulatory compliance: enforce access policies based on authenticated user identities
Steps: 1. Define roles. 2. Define network access level.

Slide 11: Network Access Features
Diagram of an enterprise network with attached endpoints: IP phone, visitor or business partner personal machine, corporate desktop, network printer, network device, wireless access point, surveillance camera, fax machine, medical device, local server/app, guests and guest devices.
- It is not only about users and their devices but also about any network-attached device
- Each access port is not assigned until a user/device attempts access. Once authenticated and authorized, the user/device is granted the appropriate access level.

Slide 12: Typical Network Access Architecture
Diagram: a Directory Abstraction Layer (Policy Information Point) and a Network Abstraction Layer (Policy Enforcement Point) around the Policy Decision Point, with Reporting & Analytics, Posture Assessment, Guest Access Management, Identity Engines Access Portal and the CASE Wizard.

Slide 13: Network Access Features
Basic features:
- Authentication and authorization
- Guest access management
- Posture compliance: compliance checking for unmanaged devices, e.g. BYOD
- Reporting and analytics
- Directory federation
Advanced features:
- Unified solution for wired and wireless network access
- IT hands-off self-service guest access management
- Device fingerprinting
- BYOD on-boarding
- High availability

Slide 14: SPB Network Access Automation
Diagram: campus, branch and data center sites with UC, Corporate, Guest and Contractor zones.
1. User connects to edge switch
2. User placed on a VLAN
3. VLAN mapped to an I-SID
Done!

Slide 15: Multi-Host Multi-Authentication
- MHMA is a network switch capability where Identity Engines separately authenticates and authorizes multiple clients connected to the same switch port
- Each client must complete EAP authentication before the port allows traffic from that client's MAC address; only traffic from authorized hosts is allowed
- Enables directing multiple hosts on a single port to different VLANs
- Used for separating voice and data traffic on the same port
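As an added illustration of the MHMA behaviour described on this slide (example code, not Avaya's or the switch's implementation), the following model tracks per-MAC authorization state on one port: a host's frames are only switched once its own EAP exchange has succeeded, and each authorized host can land in a different VLAN. The VLAN numbers, MAC addresses and the per-port client limit are constructed values.

```python
# Added example (not from the Avaya deck): a minimal model of a Multi-Host
# Multi-Authentication (MHMA) switch port. Every MAC on the port must finish
# its own EAP exchange before its frames are forwarded; authorized hosts can
# be placed in different VLANs (voice vs data) on the same physical port.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed VLAN assignments a policy server might return on EAP success.
VOICE_VLAN = 200
DATA_VLAN = 100


@dataclass
class MhmaPort:
    max_clients: int = 8                                     # hypothetical per-port limit
    authorized: Dict[str, int] = field(default_factory=dict)  # mac -> vlan
    pending: Set[str] = field(default_factory=set)            # macs mid-EAP
    dropped: List[Tuple[str, str]] = field(default_factory=list)  # (mac, reason) audit trail

    def eap_start(self, mac: str) -> bool:
        """Host sends EAPOL-Start; the port opens an authentication session for it."""
        if mac in self.authorized:
            return True
        if len(self.authorized) + len(self.pending) >= self.max_clients:
            self.dropped.append((mac, "client limit reached"))
            return False
        self.pending.add(mac)
        return True

    def eap_result(self, mac: str, success: bool, vlan: Optional[int] = None) -> None:
        """Accept/Reject from the policy decision point for this MAC."""
        self.pending.discard(mac)
        if success and vlan is not None:
            self.authorized[mac] = vlan
        else:
            self.dropped.append((mac, "authentication failed"))

    def forward(self, mac: str, frame: bytes) -> Optional[int]:
        """Return the VLAN a frame is switched onto, or None if it is dropped.
        Only MACs that completed EAP pass; EAPOL itself is not modelled here."""
        vlan = self.authorized.get(mac)
        if vlan is None:
            self.dropped.append((mac, "unauthorized source MAC"))
        return vlan


def voice_and_data_on_one_port() -> dict:
    """Walk through the slide's scenario: an IP phone and a PC share one port,
    and a third host that fails EAP gets nothing through."""
    port = MhmaPort()
    phone, pc, rogue = "00:1b:4f:00:00:01", "3c:07:54:00:00:02", "de:ad:be:ef:00:03"
    port.eap_start(phone)
    port.eap_result(phone, True, VOICE_VLAN)
    port.eap_start(pc)
    port.eap_result(pc, True, DATA_VLAN)
    port.eap_start(rogue)
    port.eap_result(rogue, False)            # failed EAP: never authorized
    return {
        "phone": port.forward(phone, b"RTP..."),   # 200
        "pc": port.forward(pc, b"HTTP..."),        # 100
        "rogue": port.forward(rogue, b"probe"),    # None (dropped)
        "drops": len(port.dropped),                # 2: failed EAP + blocked frame
    }
```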

Slide 16: Agenda (section: Mobile Device Management)

Slide 17: Mobile Device Management: What is it?
- Mobile Device Management (MDM) secures, monitors, manages and supports mobile devices deployed across mobile operators, service providers and enterprises.
- MDM functionality typically includes over-the-air distribution of applications, data and configuration settings for all types of mobile devices: smartphones, tablets, mobile printers, mobile POS devices, etc.

Slide 18: Why is it important?
- Reduce support costs and business risks: control and protect the data and configuration settings of all mobile devices in the network
- Manage devices: IT can use MDM to manage devices over the air with minimal intervention in employee schedules
- Visibility: with mobile devices present "everywhere" and applications flooding the market, mobile monitoring is growing in importance
- Support: saying YES to BYOD

Slide 19: ...Anyone here still using a flip phone?
Time Magazine cover, Aug 18 1997: Bill Gates invests $150M to save Apple.
Chart: counts of Android apps, iPhone/iPad apps, tablets in 2012, smartphones in 2011, smartphones in 2012 and social media users (values shown: 700 000; 119 000 000; 491 000 000; 686 000 000; 1 200 000 000).
- Tablet market $45B by 2014 (Yankee 2011)
- 50% of enterprise users interested in or using consumer applications (Yankee 2011)
- Smartphone app revenue to triple by 2014 (Yankee 2011)

Slide 20: Typical MDM Solution
- Server and client components: the server component sends management commands to devices; the client component runs on the device to receive and implement the commands
- Must have an agent installed and maintained
- Constant 24x7 race to keep up with device and OS updates
- Deployment: on-premise and cloud-based solutions

Slide 21: MDM Capabilities
Basic features:
- Inventory management and real-time reporting
- Setting passcode policies
- Remote lock and full wipe
- Remote selective wipe
- Configuration of email, Wi-Fi, VPN, certificates
- Email access controls
- Jailbroken / rooted device detection
Advanced features:
- Enterprise app catalog
- App blacklisting / whitelisting
- Secure document sharing
- Geo-location
- Event-based security and compliance rules engine
- Roaming usage
- Dual persona: separate personal vs. corporate content
- Monitor access to the app store
- Data encryption

Slide 22: MDM Market Landscape
- 100+ vendors claim some level of MDM functionality
- 20 vendors in the Gartner MDM Magic Quadrant
- None of the networking vendors provide true MDM capabilities
- Requires keeping up with the intense pace of mobile device market updates and innovation

Slide 23: MDM Capabilities and the Use Cases
- Cross-platform device support
- Configuration management
- Device monitoring
- License control
- Software distribution
- Inventory and asset control
MDM requirements vary depending on the use case.

Slide 24: MDM Capabilities and the Use Cases
MDM requirements vary depending on the use case. Chart with organizations plotted by number of mobile users (very large vs. small) and by regulation (non-regulated, e.g. retail, vs. strongly regulated, e.g. finance, defense); feature sets shown: data encryption, dual persona, selective wipe; detect OS and version, installed apps, roaming usage, content, device wipe.

Slide 25: Avaya's MDM strategy
Today:
- Avaya Flare and one-XC applications interoperability-tested with MobileIron
Tomorrow:
- Identity Engines MDM integration with top vendors
- Ignition Server will query mobile device attributes from the MDM and make those attributes part of the access policy
- Avaya Flare and one-XC applications on user devices
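To show how the role-and-posture policy of slides 7 and 10 and the MDM attributes this slide says Ignition Server will query can combine into one access decision, here is an added toy policy decision point (example code, not Avaya's or Ignition Server's policy engine). The roles, VLAN numbers, remediation VLAN and MDM attribute names are constructed assumptions.

```python
# Added example (not from the Avaya deck): a toy policy decision point that
# evaluates the user's directory role, an endpoint posture result and the
# attributes an MDM reports for the device, and returns the access level
# (a VLAN here) that the enforcement point should apply.
from dataclasses import dataclass
from typing import Optional

# Constructed "1. Define roles  2. Define network access level" mapping.
ROLE_VLANS = {"hr": 110, "engineering": 120, "contractor": 300, "guest": 900}
REMEDIATION_VLAN = 999   # constructed quarantine network for non-compliant endpoints


@dataclass
class Request:
    user: str
    role: str                               # from the directory (policy information point)
    av_up_to_date: bool                     # posture assessment result
    mdm_enrolled: Optional[bool] = None     # None: device unknown to the MDM (e.g. printer)
    mdm_jailbroken: Optional[bool] = None   # hypothetical MDM attribute
    mdm_compliant: Optional[bool] = None    # hypothetical MDM attribute


@dataclass
class Decision:
    allow: bool
    vlan: Optional[int]
    reason: str


def decide(req: Request) -> Decision:
    """Combine role, posture and MDM attributes into one access decision."""
    # No access level defined for this role: deny rather than guess.
    if req.role not in ROLE_VLANS:
        return Decision(False, None, "no access level defined for role")
    # Role is fine but the endpoint failed posture: quarantine for remediation.
    if not req.av_up_to_date:
        return Decision(True, REMEDIATION_VLAN, "posture failed: anti-virus out of date")
    # MDM attributes become part of the policy whenever the device is known.
    if req.mdm_enrolled:
        if req.mdm_jailbroken:
            return Decision(False, None, "mdm: jailbroken/rooted device")
        if req.mdm_compliant is False:
            return Decision(True, REMEDIATION_VLAN, "mdm: device not compliant")
    elif req.mdm_enrolled is False and req.role != "guest":
        # A corporate user on an unmanaged device only gets guest-level access.
        return Decision(True, ROLE_VLANS["guest"], "unmanaged device: guest access only")
    return Decision(True, ROLE_VLANS[req.role], f"role {req.role}, posture and mdm ok")


if __name__ == "__main__":
    for r in (Request("alice", "hr", True, True, False, True),
              Request("bob", "hr", False),
              Request("carol", "engineering", True, True, True, False),
              Request("dave", "engineering", True, False)):
        print(r.user, decide(r))
```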

Slide 26: Avaya's MDM strategy (diagram build: MDM)

Slide 27: Avaya's MDM strategy (diagram build: MDM feeding the Identity Engines Access Policy)

Slide 28: Agenda (section: Session Border Control)

Slide 29: Session Border Control: What is it?
- A device or application that governs the manner in which calls, also called sessions, are initiated, conducted and terminated in a VoIP network.
- An SBC can facilitate VoIP sessions between phone sets or proprietary networks that use different signaling protocols.
- An SBC can include call filtering, bandwidth use management, firewalls and anti-malware functions to minimize abuse and enhance security.

Slide 30: Why is it important? Mobile collaboration security threats
- Denial of service: call/registration overload; malformed messages (fuzzing)
- Configuration errors: misconfigured devices; operator and application errors
- Theft of service: unauthorized users; unauthorized media types
- Viruses and SPIT: viruses via SIP messages; malware via IM sessions; SPIT (unwanted traffic)
Source: Nemertes Research, Enterprise Adoption of Collaboration Tools

Slide 31: UC Security: Should You Care?
- Credit card privacy rules and other compliance laws require a security architecture specific to VoIP and other UC.
- Toll fraud: yearly enterprise losses in the billions from inadequate securing of SIP trunks, UC and VoIP applications [5]
Source: collection of analysts (Yankee survey and Aberdeen)

Slide 32: OSI Model: 7 Layers of Attacks
- Typical firewall protection: layer 3-4 protection; emerging layer 7 firewalls
- Email spam filters: a layer 7, application-specific email firewall
- SIP, VoIP, UC: a layer 4 to layer 7 application
  - SIP trunking: a trunk-side application
  - SIP line (phone) side access, internal and external: another application
- Avaya SBCE provides VoIP/UC trunk-side and line-side layer 4-7 application protection
- Think of the OSI model as a 7-foot high jump
Source: Wikipedia on 22 Jul 2011: http://en.wikipedia.org/wiki/OSI_Model

Slide 33: Complements Existing Security Architecture
Diagram: the existing firewall alongside Avaya SBCE acting as an application-level security proxy (policy application, threat protection, privacy, access control).

Slide 34: Session Border Control Use Cases
Avaya SBC for Enterprise use cases: SIP trunking; remote worker; CS1000.

Slide 35: SBC Use Cases: SIP Trunking
Use case: SIP trunking to carrier
- Carrier offers SIP trunks as a lower-cost alternative to TDM
- Carrier SIP trunks terminate on the Avaya SBC
- Avaya SBC located in the DMZ behind the enterprise firewall
- Services: security and demarcation device between the IP-PBX and the carrier
  - NAT traversal
  - Securely anchors signaling and media
  - Can normalize the SIP protocol
Diagram: Carrier, SIP trunks, Internet, DMZ (Avaya SBCE), enterprise IP PBX.

Slide 36: Secure Remote Worker with BYOD
- Personal PC, Mac or iPad devices
- Avaya Flare®, Avaya one-X® SIP client app
- The app is secured into the organization, not the device
- One-number UC anywhere
Diagram: untrusted network (Internet, wireless, etc.) reaching through Avaya SBCE to Avaya Aura® (Session Manager, Presence Server, System Manager, Communication Manager, Avaya Aura Conferencing, Aura Messaging).

Slide 37: Secure Remote Worker with BYOD
Use case: remote worker
- Extend UC to SIP users remote to the enterprise
- Solution does not require a VPN for UC/CC SIP endpoints; remote workers are external to the enterprise firewall
- Avaya Session Border Controller for Enterprise:
  - Authenticates SIP-based users/clients to the Aura realm
  - Securely proxies registrations and client device provisioning
  - Securely manages communications without requiring a VPN
Diagram: remote workers, Internet, DMZ (Avaya SBCE), enterprise IP PBX.

Slide 38: Agenda (section: Single Sign On)

Slide 39: Single Sign On: What is it?
- Single Sign On (SSO) is a property of access control that enables users to log in with one set of enterprise credentials and gain access to systems without being prompted for different credentials or to log in again.
- Maintaining one set of credentials and reducing multiple logins.

Slide 40: Why is it important?
- Reduces password fatigue from different user name and password combinations
- Reduces time spent re-entering passwords for the same identity
- Reduces IT costs through a lower number of help desk calls about passwords

Slide 41: Single Sign-On
Diagram: the enterprise identity realm (enterprise directory infrastructure) providing local single sign-on to intranet applications (ERP, HRM, CRM) and web single sign-on to third-party web sites (Salesforce, social media).

Slide 42: Single Sign-On: Current Situation
Diagram: the enterprise identity realm (enterprise directory infrastructure) separate from the Aura applications identity realm (SM, AAC, CM, PS).
- The enterprise and Aura realms are separate: each application has its own notion of user identity and credentials and manages them separately.
- Integration with enterprise AAA is difficult, inconsistent and brittle.

Slide 43: Single Sign-On: Customers Want
Diagram: Aura applications (SM, AAC, CM, PS) inside the enterprise identity realm (enterprise directory infrastructure).
- Users to authenticate to the enterprise AAA service
- Minimize the number of user identities and credentials
- A minimal and standard approach to authentication and credential management
- Consistent user experience

Slide 44: Stepping Identity Engines Up into Application Access
- Incorporating SAML as an authentication protocol for web clients and thick clients
- Introducing the concept of an Identity Provider for applications
- Introducing the concept of Service Providers
- Focus on Aura UC applications: Flare, one-X Communicator, Avaya Aura Conferencing

Slide 45: Agenda
- Network Access
- Mobile Device Management
- Network Access Control
- SIP Security
- Single Sign On
- Resources

Slide 46: Summary
- NAC: Network Access Control
- SBC: Session Border Controller
- MDM: Mobile Device Management
- SSO: Single Sign On
"Avaya is the company that is stepping in with a true, holistic BYOD proposal that covers all the pieces." Zeus Kerravala, ZK Research

Slide 47: Resources
- Identity Engines Product Management: Shmulik Nehama, snehama@avaya.com
- Session Border Controller Product Management: Jack Rynes, jrynes@avaya.com
- Secure BYOD YouTube video: http://www.youtube.com/watch?v=0ZrMOqzGMpE

Slide 48: Thank you! @shmulik247 #AvayaATF

