Udi and juniper networks BYOD
Transcript of Udi and juniper networks BYOD
SIMPLY CONNECTED
BYOD
Presented by Richard Tando
Chief Technology Officer
Universal Data, Inc.
2 Copyright © 2011 Juniper Networks, Inc. www.juniper.net
MEET THE UDI TEAM
Richard Tando
CTO
Universal Data, Inc.
Alex Battard
Senior Connectivity Engineer
Universal Data, Inc.
Peter Dakin
Sales Manager
Universal Data, Inc.
Denise Biskupovich
SLED Account Executive
Universal Data, Inc.
Rachel Hymel
Connectivity Account Manager
Universal Data, Inc.
Joelle McWilliams
Account Executive
Universal Data, Inc.
MEET THE JUNIPER TEAM
Molly Marks
Sr. Partner Account Manager
Juniper Networks
Chris Calvert
Mobility Product Specialist
Juniper Networks
Greg Luebke
Commercial Account Manager
Juniper Networks
Founded 30 years ago by Jim Perrier, who remains active as President.
A company built on the principle that as technology changes, UDI will adapt, and in doing so help our clients realize change.
UDI is not identified by a single product or service, but by the adaptability and the strength of our team.
UDI AND JUNIPER
TODAY’S MOBILE WORKFORCE DEMANDS AND CHALLENGES
ANY Device
• Personal devices used for work (BYOD)
• Work devices used for personal activities
• Multiple device types and service providers
ANY Location
• Anytime, anywhere mobile remote access
• Users with multiple devices
ANY Application
• Users download unknown or ill-secured apps
• Users access and store data from personal and business apps
INCREASED EXPECTATIONS FOR NETWORKS
Chart: Unique Daily Wireless Sessions (y-axis 0 to 400,000) at a large American university (~50,000 students, multiple devices per student), plotted by term (Spring, Summer, Fall) for 2010 and 2011; the 2011 bars are annotated as a 6x increase.
MAJOR MARKET TRENDS…MOBILITY WITH INCREASING SCALE
Chart: Sophistication (Maturity) plotted against Type of Attack, rising from Viruses/Worms and Trojans through DoS, Botnets and Malware to APT, alongside the arrival of New Devices and New Applications (ERP, Internet Information Services). Trends called out: device proliferation, app proliferation, security risk proliferation.
IF A COFFEE SHOP CAN DO IT, WHY CAN’T I?
HOW ARE WE ADDRESSING THESE CHALLENGES? SIMPLY CONNECTED
Switching, Wireless, Security, Routing
• Unified Policy / Security: industry’s most comprehensive solution with unified policy and security for BYOD and mobility
• High Performance at Scale: industry’s highest performance network
• Highly Resilient: industry’s only fully automated, uninterrupted network service
“All the great things are simple.” - Albert Einstein
MOBILE USER TYPES
Guest Devices: open access, captive portal
• Self provisioning
• Simple experience
• Device type aware policy
BYOD (Employee Owned Devices)
• Self provisioning
• Secure cert based auth
• Device type aware policy
• Application aware policy
Corporate Issued Devices (Corporate Owned Devices)
• Self provisioning
• Secure cert based auth
• Device type aware policy
• Application aware policy
• On device security
• Device management
• Application management
• Content monitoring
WHAT ARE THE NEEDS OF BYOD?
Provisioning
Need to on-board mobile devices easily: clientless & app based
Support full cross section of devices (iOS, Android, Windows, Mac)
Self contained certificate management
Pulse Device Id server: for Pulse based provisioning
Device Profiling and Policy
Classify device types
Apply policy based on device type
Continuously profile devices for audit and other security reasons
Visibility
Inventory of device types, driver version
Reduce Help desk calls, by simplifying provisioning and remediation
Keep audit trail of client config
JUNIPER WIRELESS BYOD SOLUTION COMPONENTS
Provisioning
• Clientless provisioning: SmartPass Connect
• Client based provisioning: JUNOS Pulse
Visibility and Management: Ringmaster, SmartPass
WLAN Management: Ringmaster, SmartPass
Device Profiling
• Basic profiling: Juniper WL Controllers / SmartPass
• Advanced profiling: SmartPass Connect
SMART PASS CONNECT: CLIENTLESS PROVISIONING
Product Offering
• Wireless Provisioning: Windows, Mac, iOS, Android …even Linux!
• Software Provisioning: can provision NAC agents, JUNOS Pulse, or any other mandatory software
• Advanced Validation: check requirements on driver versions; disable existing config applications; normalize the config elements and applications
• Management (closed loop feedback): network management gains a 360 deg view; ability to post full details about devices (device type, driver version, etc.)
• Wired Provisioning: provisioning of wired Windows, Mac, Linux devices
Wired/wireless endpoint provisioning
Clientless provisioning: complementary to JUNOS Pulse
Best of breed in the industry, very highly tested and widely deployed
HOW DOES SMARTPASS CONNECT WORK?
Components: Admin Console, Web Server, AAA Server, Open SSID, Secure SSID, Network Management
SPC allows agent-less network provisioning:
1. IT Admin configures network parameters
2. IT Admin deploys the configuration files to local web server
3. User connects to local web server and downloads configuration
4. SPC’s (dissolvable) client runs through configuration on device
5. User device connects to secure network
6. SPC client securely logs device details to the network mgmt application and dissolves
ONBOARDING GUEST USERS
Components: WLC, EX Series, AP, SmartPass, Clickatell SMS gateway service; wireless user on tablet/smartphone
1. Unknown device connects to open captive portal SSID
2. User session is captured and redirected to SmartPass
3. User selects SmartPass self-registration and creates a temporary user credential
4. SmartPass sends temporary credential to end user via Clickatell SMS service
5. User uses temporary credentials to authenticate against SmartPass
6. User is connected to the network using mobile phone number and temporary password
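The guest flow above hands a temporary password to the user over SMS and then accepts that phone number plus password at the portal. The following is an added example (not Juniper's, UDI's or SmartPass's code) of how a self-registration portal can handle that credential safely: store only a salted hash, give it a fixed lifetime, lock it after repeated failures, and compare in constant time. The class names (GuestPortal, SmsGateway), the 8-hour lifetime, the 5-attempt lockout and the password alphabet are assumptions; the SMS gateway is a stub that records messages instead of sending them.

```python
"""Guest self-registration with SMS-delivered temporary credentials.

Added example modelling the six-step guest flow on the slide; not vendor code.
Policy values below are assumptions chosen for illustration.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CREDENTIAL_TTL_SECONDS = 8 * 3600   # assumption: guest credential valid for one working day
MAX_FAILED_ATTEMPTS = 5             # assumption: lockout threshold per credential
# Alphabet without look-alike characters so the password is easy to type from an SMS.
PASSWORD_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


@dataclass
class GuestRecord:
    salt: bytes
    password_hash: bytes
    expires_at: float
    failed_attempts: int = 0


class SmsGateway:
    """Stand-in for the SMS gateway service in the slide; records messages instead of sending."""

    def __init__(self):
        self.sent = []

    def send(self, number: str, text: str) -> None:
        self.sent.append((number, text))


def _hash(password: str, salt: bytes) -> bytes:
    # Slow salted hash so a leaked record cannot be turned back into the password cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class GuestPortal:
    def __init__(self, sms: SmsGateway, now=time.time):
        self.sms = sms
        self.now = now            # injectable clock so expiry can be tested deterministically
        self.records = {}         # mobile number -> GuestRecord (in-memory store for the example)

    def self_register(self, mobile_number: str) -> None:
        """Steps 3-4: create a temporary credential and deliver it over SMS; only its hash is kept."""
        password = "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(8))
        salt = secrets.token_bytes(16)
        self.records[mobile_number] = GuestRecord(
            salt=salt,
            password_hash=_hash(password, salt),
            expires_at=self.now() + CREDENTIAL_TTL_SECONDS,
        )
        self.sms.send(mobile_number, f"Your guest Wi-Fi password is {password}")

    def authenticate(self, mobile_number: str, password: str) -> bool:
        """Steps 5-6: check number + temporary password; unknown, expired or locked credentials fail closed."""
        rec = self.records.get(mobile_number)
        if rec is None or rec.failed_attempts >= MAX_FAILED_ATTEMPTS:
            return False
        if self.now() > rec.expires_at:
            del self.records[mobile_number]   # expired credentials are discarded, not reused
            return False
        if hmac.compare_digest(_hash(password, rec.salt), rec.password_hash):
            rec.failed_attempts = 0
            return True
        rec.failed_attempts += 1
        return False


if __name__ == "__main__":
    gateway = SmsGateway()
    portal = GuestPortal(gateway)
    portal.self_register("+15550100")          # constructed sample number
    issued = gateway.sent[-1][1].split()[-1]   # what the user would read from the SMS
    print("login with SMS password:", portal.authenticate("+15550100", issued))
    print("login with wrong password:", portal.authenticate("+15550100", "WRONG234"))
```

The clock is injected so the expiry branch can be exercised without waiting; in a real portal the record store would be shared with the RADIUS/AAA side that the WLC queries.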
ONBOARDING EMPLOYEE OWNED MOBILE DEVICES
Components: WLC, EX Series, AP, UAC, SmartPass, SmartPass Connect, AD/Certificate Authority in the corporate data center; wireless user on tablet/smartphone
1. Unknown device connects to open captive portal SSID
2. User session is captured and redirected to SmartPass
3. SmartPass web portal presents captive portal and redirects client to provisioning portal
4. Provisioning portal pushes native supplicant config wizard to client device
5. Provisioning portal gets user credentials from wizard; validates against AD; and requests user cert for end user
6. Provisioning wizard gets EAP-TLS configuration profile (and cert) from provisioning portal; agent dissolves
7. User selects secure wireless network and device authenticates to RADIUS without requiring user to enter credentials
PROVISIONING CORPORATE OWNED MOBILE DEVICES
Components: WLC, EX Series, AP, UAC, Mobile Security Suite and W2K8 Certificate Server in the corporate data center; wireless user on tablet/smartphone
1. Device completes registration with MSS and downloads wireless iOS profile via MDM profile (user is still connected to open SSID)
2. Wireless profile contains: 1) WiFi EAP-TLS settings (certificate based auth) 2) SCEP profile for device to enroll for new certificate 3) CA cert to use for server validation
3. Device installs profile and acquires user cert from Corp Certificate Authority via SCEP enrollment process
4. User connects to secure SSID and authenticates to RADIUS using certificate
5. User is now connected to secure SSID with no user input of credentials required
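Step 2 above lists the three things the pushed wireless profile carries: EAP-TLS Wi-Fi settings, a SCEP enrollment payload, and the CA certificate for server validation. The following added example (not Juniper's, Apple's or UDI's code) builds such an iOS configuration profile with the standard library and then parses it back to confirm the properties a reviewer would check before deploying it: only EAP-TLS is accepted, the RADIUS server name is pinned with trust exceptions disabled, the identity certificate comes from SCEP enrollment rather than a key embedded in the profile, and the CA anchor is the bundled root. The payload types and keys are Apple's documented configuration-profile keys; the SSID, SCEP URL, server name, CA name, organization and the CA certificate bytes are constructed placeholders.

```python
"""Assemble and sanity-check an EAP-TLS + SCEP Wi-Fi provisioning profile.

Added example, not vendor code. Sample values are placeholders, not a real deployment.
"""
import plistlib
import uuid

# Constructed sample inputs (assumptions).
SSID = "corp-secure"
SCEP_URL = "https://scep.example.invalid/certsrv/mscep/mscep.dll"
SERVER_NAMES = ["radius.example.invalid"]
CA_CERT_DER = b"PLACEHOLDER-DER-ENCODED-CA-CERTIFICATE"
EAP_TLS = 13  # EAP method type number for EAP-TLS (RFC 5216)


def _common(payload_type: str, identifier: str, display_name: str) -> dict:
    """Keys every payload in an Apple configuration profile carries."""
    return {
        "PayloadType": payload_type,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
    }


def build_profile(ssid=SSID, scep_url=SCEP_URL, server_names=SERVER_NAMES,
                  ca_cert_der=CA_CERT_DER, subject_cn="device") -> dict:
    # 3) CA certificate used to validate the RADIUS server.
    ca = _common("com.apple.security.root", "com.example.ca", "Corporate CA")
    ca["PayloadContent"] = ca_cert_der          # DER bytes; plistlib emits them as <data>

    # 2) SCEP payload: the device generates its own key pair and enrolls for a certificate.
    scep = _common("com.apple.security.scep", "com.example.scep", "Device certificate enrollment")
    scep["PayloadContent"] = {
        "URL": scep_url,
        "Name": "corp-ca",                      # CA identifier string the SCEP server expects (assumption)
        "Subject": [[["CN", subject_cn]]],      # Apple's nested OID/value form
        "Keysize": 2048,
        "Key Type": "RSA",
        "Key Usage": 5,                         # digital signature + key encipherment
        "Challenge": "CHALLENGE-PLACEHOLDER",   # per-device one-time enrollment password in practice
    }

    # 1) Wi-Fi payload: EAP-TLS only, server name pinned, identity taken from the SCEP payload.
    wifi = _common("com.apple.wifi.managed", "com.example.wifi", f"Wi-Fi {ssid}")
    wifi.update({
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [EAP_TLS],
            "TLSTrustedServerNames": server_names,
            "PayloadCertificateAnchorUUID": [ca["PayloadUUID"]],
            "TLSAllowTrustExceptions": False,   # user cannot click through a wrong server cert
        },
        "PayloadCertificateUUID": scep["PayloadUUID"],
    })

    return {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.byod-profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Corporate Wi-Fi (EAP-TLS)",
        "PayloadOrganization": "Example Corp",
        "PayloadContent": [ca, scep, wifi],
    }


def profile_xml(**kwargs) -> bytes:
    """Serialise to the XML plist that a .mobileconfig file contains."""
    return plistlib.dumps(build_profile(**kwargs))


def check_profile(xml: bytes) -> dict:
    """Parse a profile back and report the properties the slide's flow depends on."""
    prof = plistlib.loads(xml)
    by_type = {p["PayloadType"]: p for p in prof["PayloadContent"]}
    wifi = by_type["com.apple.wifi.managed"]
    eap = wifi["EAPClientConfiguration"]
    return {
        "eap_tls_only": eap.get("AcceptEAPTypes") == [EAP_TLS],
        "server_pinned": bool(eap.get("TLSTrustedServerNames")) and not eap.get("TLSAllowTrustExceptions", True),
        "identity_from_scep": wifi.get("PayloadCertificateUUID") == by_type["com.apple.security.scep"]["PayloadUUID"],
        "ca_anchored": eap.get("PayloadCertificateAnchorUUID") == [by_type["com.apple.security.root"]["PayloadUUID"]],
    }


if __name__ == "__main__":
    xml = profile_xml()
    print(xml.decode())
    print(check_profile(xml))
```

In a real MDM deployment the profile is signed and delivered over the MDM channel, and the SCEP challenge is issued per device; the check function is the kind of gate an administrator can run on generated profiles before they are pushed.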
ENFORCING A “NO BYOD” POLICY WITH DEVICE PROFILING
Components: WLC, EX Series, AP, UAC; Android tablet/smartphone
1. Mobile device connects to secure wireless network
2. User dot1x authenticates to wireless network
3. Device type policy is configured to restrict iPads; WLA holds device traffic for inspection
4. WLA sends device type info to WLC for matching against policy
5. Device is determined to be an Android device and is allowed on the network
NETWORK SEGREGATION AND APPLICATION FILTERING FOR BYOD DEVICES
Components: WLC, AP, UAC, SRX, EX Series, DHCP and IF-MAP, Internet; corporate data center with Apps, Data, Finance, Video and Active Directory/LDAP; wireless user on tablet/smartphone
1. Device authenticated on wireless network
2. DHCP Server/SmartPass communicates user and IP information to UAC via IF-MAP
3. UAC pushes role based ACL and FW policies to EX and SRX
4. SRX enforces user policies allowing user basic access to all servers except finance
5. SRX AppSecure policies block non-work related applications like Hulu and Netflix
SRX AppTrack feature combined with MAG data collects per user application information, providing detailed reports in STRM
ENFORCING NETWORK ACCESS POLICIES
Components: PC user, WLCs, MAG, SRX, EX4500 VC and EX4200 VC, Internet; corporate data center with Apps, Data, Finance, Video, Active Directory/LDAP and Patch Remediation
1. Pulse detects device is on corporate network and per user policy disables any active VPN sessions
2. During 802.1x authentication, MAG verifies PC meets company software and security policy requirements
3. Compliance check fails: antivirus signatures are out of date (virus SW too old) and user is quarantined to remediation VLAN. Patch server updates signatures. User is now in compliance and granted network access
4. MAG pushes role based FW policies to EX and SRX
5. SRX enforces user policies allowing user basic access to all servers except finance
6. SRX AppSecure policies block non-work related applications
SRX AppTrack feature combined with MAG data collects per user application information, providing detailed reports in STRM
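The three preceding slides describe one decision chain made by the WLC/UAC/MAG: match the profiled device type against a device-type policy (the "no BYOD" slide), run the host compliance check and quarantine to a remediation VLAN on failure, then map the user's role to firewall policy that withholds the finance servers and blocks non-work applications. The following added example (not Juniper's or UDI's code) models that chain as a small policy engine so the ordering and the fail-closed behaviour can be seen and tested. The role names, VLAN numbers, the 7-day signature-age threshold, the restricted device type and the blocked-application list are assumptions taken from the slides' wording, not product defaults.

```python
"""Device-type, compliance and role policy decision, modelled after the slides.

Added example, not vendor code. All policy values are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    user: str
    role: str                       # from AD/LDAP group, e.g. "employee", "finance", "guest"
    device_type: str                # from device profiling, e.g. "android", "ipad", "windows-pc"
    av_signature_age_days: Optional[int] = None   # None: no host-check agent (typical for mobile)


@dataclass
class Decision:
    action: str                     # "allow", "deny" or "quarantine"
    vlan: int
    denied_destinations: tuple = ()
    blocked_apps: tuple = ()
    reason: str = ""


# Constructed policy (assumptions).
RESTRICTED_DEVICE_TYPES = {"ipad"}             # slide: device type policy restricts iPads
MAX_SIGNATURE_AGE_DAYS = 7                     # slide: out-of-date AV signatures fail the check
PRODUCTION_VLAN, REMEDIATION_VLAN, GUEST_VLAN = 100, 999, 200
NON_WORK_APPS = ("hulu", "netflix")            # slide: AppSecure blocks these
ROLE_DENIED_DESTINATIONS = {
    "employee": ("finance",),                  # basic access to all servers except finance
    "finance": (),
    "guest": ("apps", "data", "finance", "video"),
}


def evaluate(session: Session) -> Decision:
    # 1. Device-type policy runs first: the WLA holds traffic until the profiled type is matched.
    if session.device_type in RESTRICTED_DEVICE_TYPES:
        return Decision("deny", vlan=0, reason=f"device type {session.device_type} restricted by policy")

    # 2. Host compliance, only where an agent reported a result.
    if session.av_signature_age_days is not None and session.av_signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        return Decision("quarantine", vlan=REMEDIATION_VLAN,
                        reason="antivirus signatures out of date; remediation VLAN, patch server only")

    # 3. Role-based policy pushed to the switch and firewall; unknown roles fail closed.
    denied = ROLE_DENIED_DESTINATIONS.get(session.role)
    if denied is None:
        return Decision("deny", vlan=0, reason=f"unknown role {session.role}")
    vlan = GUEST_VLAN if session.role == "guest" else PRODUCTION_VLAN
    return Decision("allow", vlan=vlan, denied_destinations=denied,
                    blocked_apps=NON_WORK_APPS, reason="role policy applied")


def is_allowed(decision: Decision, destination: str, app: Optional[str] = None) -> bool:
    """Per-flow check an enforcement point makes once the session decision is known."""
    if decision.action == "deny":
        return False
    if decision.action == "quarantine":
        return destination == "patch-server"   # remediation VLAN reaches the patch server only
    if destination in decision.denied_destinations:
        return False
    if app is not None and app.lower() in decision.blocked_apps:
        return False
    return True


if __name__ == "__main__":
    # Constructed sessions walking the three slides.
    for s in (Session("alice", "employee", "ipad"),
              Session("bob", "employee", "android"),
              Session("carol", "employee", "windows-pc", av_signature_age_days=30),
              Session("carol", "employee", "windows-pc", av_signature_age_days=0)):
        d = evaluate(s)
        print(s.user, s.device_type, "->", d.action, "vlan", d.vlan, "|", d.reason)
```

The order matters: a restricted device never reaches the host check or the role lookup, and a session that is quarantined keeps only the patch-server path until it is re-evaluated after remediation, which is the sequence the compliance slide describes.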
SIMPLY CONNECTED: MOST COMPLETE CAMPUS/BRANCH ARCHITECTURE
Simply Connected Unified Network Architecture
• Complete enterprise portfolio with options for deployments of all sizes: WL, EX, SRX, UAC, Pulse
• Architectural evolutions for seamless integration and investment protection
• Best in class security for BYOD and corporate liable devices
• Full lifecycle network management
• Application, user, device, location aware network
Unified Management
• JUNOS Space: single pane of glass, proactive fault mgmt, automated services, policy lifecycle mgmt
• Ringmaster: full lifecycle, advanced troubleshooting, automated reporting, integrated guest access
Unified Policy
• Unified Access Control: wired/wireless/VPN, role based access, policy orchestration, host checking
• Wired or wireless: guest self provisioning, sophisticated policy, IF-MAP coordination
Unified Services
• AppSecure / Firewall: wired/wireless, L2-L7 app aware policy, app aware QoS, app aware firewall
• Location: seamless integration, 3rd party support, RF-Firewall
Unified Network
• EX Series Switching: virtual chassis, highly scalable, high performance, highly resilient
• WL Series Wireless: clustering, highly scalable, high performance, highly resilient
One Policy, One Network, One Mgmt
LEARN MORE ABOUT SIMPLY CONNECTED
Simply Connected
Solution Brief
More Simply Connected Information
Enterprise Strategy Group White Paper:
A Business-Driven Approach to Mobile
Enterprise Security
Topographies for the
Simply Connected Campus
Solution Brochure
Horizontal Campus
Validated Design Guide