Udi and juniper networks BYOD

SIMPLY CONNECTED

BYOD

Presented by Richard Tando

Chief Technology Officer

Universal Data, Inc.

2 Copyright © 2011 Juniper Networks, Inc. www.juniper.net

MEET THE UDI TEAM

Richard Tando

CTO


Alex Battard

Senior Connectivity Engineer


Peter Dakin

Sales Manager


Denise Biskupovich

SLED Account Executive


Rachel Hymel

Connectivity Account Manager


Joelle McWilliams

Account Executive



MEET THE JUNIPER TEAM

Molly Marks

Sr. Partner Account Manager

Juniper Networks

Chris Calvert

Mobility Product Specialist

Juniper Networks

Greg Luebke

Commercial Account Manager

Juniper Networks


Founded 30 years ago by Jim Perrier and remains

active President.

A company built on the principle as technology

changes UDI will adapt additionally helping our clients

realize change.

UDI is not identified by a single product or service, but

by the adaptability and the strength of our team.


UDI AND JUNIPER


TODAY’S MOBILE WORKFORCE DEMANDS AND CHALLENGES

ANY Device

Personal devices used

for work – BYOD

Work devices used for

personal activities

Multiple device types

and service providers

ANY Location

Anytime, anywhere

mobile remote access

Users with multiple

devices

ANY Application

User’s download

unknown or ill-secured

apps

User’s access, store

data from

personal, business

apps


0

50000

100000

150000

200000

250000

300000

350000

400000

Unique Daily Wireless Sessions

Large American University ~50,000 Students, Multiple Devices Per Student

6x

FallSummerSpring

2011

INCREASED EXPECTATIONS FOR NETWORKS

FallSpring Summer

2010


MAJOR MARKET TRENDS…MOBILITY WITH INCREASING SCALE

Device

proliferation

App

proliferation

Security

risks

proliferation

So

ph

istica

tio

n

(Matu

rity

)

Type of Attack

Botnets

Trojans

VirusWorms

DOS

APT

Malware

New Devices

ERP

Internet Information Services

New Applications


IF A COFFEE SHOP CAN DO IT, WHY CAN’T I?


HOW ARE WE ADDRESSING THESE CHALLENGES?SIMPLY CONNECTED

Switching Wireless

Security Routing

Industry’s most comprehensive solution with

unified policy and security for BYOD and

Mobility

Industry’s highest performance network

Industry’s only full automated, uninterrupted

network service

Unified Policy / Security

High Performance at Scale

Highly Resilient

“All the great things are simple.” - Albert Einstein


MOBILE USER TYPES

Employee OwnedDevices

GuestDevices

CorporateOwnedDevices

Open access,

Captive Portal• Self provisioning

• Simple experience

• Device type aware policy

BYOD (Employee owned)• Self provisioning

• Secure Cert based auth


• Application aware policy

Corporate Issued Devices• Self provisioning

• Secure Cert based auth


• Application aware policy

• On Device Security

• Device Management

• Application Management

• Content Monitoring


WHAT ARE THE NEEDS OF BYOD?

Provisioning

Need to on-board mobile devices easily: clientless & app based

Support full cross section of devices (iOS, Android, Windows, Mac)

Self contained certificate management

Pulse Device Id server: for Pulse based provisioning

Device Profiling and Policy

Classify the devices types

Based on device type apply policy

Continuously profile devices for audit and other security reasons

Visibility

Inventory of device types, driver version

Reduce Help desk calls, by simplifying provisioning and remediation

Keep audit trail of client config


JUNIPER WIRELESS BYOD SOLUTION COMPONENTS

Clientless Provisioning Smart Pass Connect

Client based Provisioning: JUNOS PULSE

Provisioning

Ringmaster, SmartPassVisibility and

Management

WLANManagement

RingmasterSmartPass

Smart Pass

Connect

Device Profiling

Basic ProfilingJuniper WL Controllers/ SmartPass

Advanced Profiling


SMART PASS CONNECTCLIENTLESS PROVISIONING

Product Offering

Wireless Provisioning

Windows,

Mac,

iOS,

Android

…even Linux!

Software Provisioning Can provision NAC agents

Can provision JUNOS Pulse

Or any other mandatory software

Advanced Validation Check requirements on driver versions

Disable existing Config applications

Normalize the Config elements and applications

Management

Closed loop

Feedback

Network management gains a 360 deg view

Ability to post full details about devices

Device type, driver version, ..etc can be sent

Wired Provisioning Provisioning of wired Windows, MAC, Linux devices

Wired/Wireless endpoint provisioning

Clientless provisioning: Complementary to JUNOS Pulse

Best of breed in the industry, very highly tested and widely deployed


IT Admin configures network parameters

IT Admin deploys the configuration files to local web server

User connects to local web server downloads configuration

SPC’s (dissolvable) client runs through configuration on device

User device connects to secure network

SPC Client securely logs device details to the network mgmt application and dissolves

How does SmartPass Connect Work?

Admin

Console

Web Server AAA Server

Open SSID Secure

SSID

1 2

3 5

4

1

SPC allows agent-less network provisioning:

2

3

4

5

6

6

Network

Management


WLC

Wireless User

Tablet/smartphone

Unknown device

connects to open

captive portal SSID

1

User session is

captured and redirected

to SmartPass

2

User selects SmartPass

self-registration and

creates a temporary

user credential

3

User uses temporary

credentials to

authenticate against

SmartPass

5

SmartPass sends

temporary credential

to end user via

Clickatell SMS

service

4

User is connected to

the network using

mobile phone number

and temporary

password

6

SmartPass

EX SeriesAP

EX Series

ONBOARDING GUEST USERS

Clickatell SMS

Gateway service


WLC

Corporate

Data

Center

Unknown device

connects to open

captive portal SSID

1

User session is

captured and redirected

to SmartPass

2

SmartPass web portal

presents captive portal

and redirects client to

provisioning portal

3

Provisioning portal gets

user credentials from

wizard; validates against

AD; and requests user

cert for end user

5

Provisioning portal

pushes native

supplicant config

wizard to client device

4

SmartPass

EX SeriesAP

UAC

ONBOARDING EMPLOYEE OWNED MOBILE DEVICES

SmartPass

Connect

AD/Certificate

Authority

User selects secure wireless network

and device authenticates to RADIUS

without requiring user to enter

credentials

7

Wireless User

Tablet/smartphone

Provisioning wizard gets EAP-TLS

configuration profile (and cert) from

provisioning portal; agent dissolves

6

EX Series


WLC

Wireless User

Tablet/smartphone

Corporate

Data

Center

Mobile Security

Suite

Device completes

registration with MSS

and downloads

wireless iOS profile via

MDM profile (user is

still connected to open

SSID)

1

Device installs profile

and acquires user cert

from Corp Certificate

Authority via SCEP

enrollment process

3

User is now connected

to secure SSID with no

user input of credentials

required

5User connects to

secure SSID and

authenticates to

RADIUS using

certificate

4

W2K8 Certificate

Server

EX SeriesAP

EX Series UAC

PROVISIONING CORPORATE OWNED MOBILE DEVICES

Wireless profile

contains: 1) WiFi EAP-

TLS settings

(certificate based auth)

2) SCEP profile for

device to enroll for

new certificate 3) CA

cert to use for server

validation

2


WLC

Android

Tablet/smartphone

Mobile device connects

to secure wireless

network

1

User dot1x

authenticates to

wireless network

2

Device type policy is

configured to restrict

iPads; WLA holds

device traffic for

inspection

3

Device is determined to

be an Android device

and is allowed on the

network

5

WLA sends device

type info to WLC for

matching against

policy

4

UAC

EX SeriesAP

EX Series

ENFORCING A “NO BYOD” POLICY WITH DEVICE PROFILING


NETWORK SEGREGATION AND APPLICATION FILTERING FOR BYOD DEVICES

Device authenticated

on wireless network

1DHCP Server/Smartpass

communicates User and

IP information to UAC

via IF-MAP

2

UAC pushes role based

ACL and FW policies to

EX and SRX

3SRX AppSecure

Polices block non-work

related applications

like Hulu and Netflix

5SRX enforces user

policies allowing user

basic access to all

servers except finance

4Apps

Data

Finance

Video

Active Directory

/LDAP

Corporate Data Center

WLC

Wireless UserTablet/smartphone

UAC

SRX

AP

DHCP and

IF-MAP

SRX AppTrack feature

combined with MAG

data collects per user

application information

providing detailed

reports in STRM

Internet

EX Series


ENFORCING NETWORK ACCESS POLICIES

PC user

Corporate Data Center

Apps

Data

Finance

Video

Active Directory/LDAP

Patch Remediation

MAG

WLCs

Pulse detects

device is on

corporate

network and

per user policy

disables any

active VPN

sessions

1

During 802.1x

authentication.

MAG verifies

PC meets

company

software and

security policy

requirements

2Compliance check fails. Antivirus signatures are out of date and useris quarantined to remediation VLAN. Patch server updates signatures.User is now in compliance and granted network access

3

EX4500 VC and EX4200 VC

SRX

EX4200 VC

SRX AppTrack feature

combined with MAG

data collects per user

application information

providing detailed

reports in STRM

SRX AppSecure

Polices block non-

work related

applications

6

SRX enforces user

policies allowing

user basic access

to all servers

except finance

5

MAG pushes role

based FW policies

to EX and SRX

4

Virus

SW too

old

Internet


Simply Connected

Unified Network Architecture

Complete enterprise portfolio with

options for deployments of all

sizes: WL, EX, SRX, UAC, Pulse

Architectural evolutions for

seamless integration and

investment protection

Best in class security for BYOD

and corporate liable devices

Full lifecycle network management

Application, user, device, location

aware network

Unified Management

JUNOS Space

Single pane of glass

Proactive fault mgmt

Automated services

Policy lifecycle mgmt

Ringmaster

Full lifecycle

Advanced troubleshooting

Automated reporting

Integrated guest access

Unified Policy

Unified Access Control

Wired/Wireless/VPN

Role based access

Policy orchestration

Host checking

Wired or wireless

Guest self provisioning

Sophisticated policy

IF-MAP coordination

Unified Services

AppSecure / Firewall

Wired /wireless

L2-L7 app aware policy

App aware QoS

App aware firewall

Location

Seamless integration

3rd Party support

RF-Firewall

Unified Network

EX Series Switching

Virtual chassis

Highly scalable

High performance

Highly resilient

WL Series Wireless

Clustering

Highly scalable

High performance

Highly resilient

SIMPLY CONNECTED MOST COMPLETE CAMPUS/BRANCH ARCHITECTURE

One Policy

One Network

One Mgmt


LEARN MORE ABOUT SIMPLY CONNECTED

Simply Connected

Solution Brief

More Simply Connected Information

Enterprise Strategy Group White Paper:

A Business-Driven Approach to Mobile

Enterprise Security

Topographies for the

Simply Connected Campus

Solution Brochure

Horizontal Campus

Validated Design Guide

Udi and juniper networks BYOD

Technology

Transcript of Udi and juniper networks BYOD