Helsinki – 13 March 2013 MOTOROLA SECURE ACCESS BYOD AND SECURE GUEST ACCESS SOLUTION
BYOD CHALLENGES & OPPORTUNITIES
Challenges:
• Lack of visibility
• Security
• Performance
• IT overhead
Opportunities:
• Mobility
• Productivity
• Responsiveness
• Reduced cost
SECURE GUEST ACCESS
What do you authenticate the guest user against? Corporate users are known to MS Active Directory, but BYOD and guest users reaching the intranet have no entry there, so the question "What is your identity?" has no ready answer for them.
OPEN GUEST WiFi VULNERABILITIES
• Eavesdropping: on an open Wi-Fi network (e.g. "Airport Free WiFi") all data on air is in the clear. Capture tools are easily available, it is very easy for anyone to eavesdrop, and there is no way to know if somebody is doing so. Information is easily compromised.
• Honeypot: a hacker's rogue AP broadcasts a legitimate SSID; the guest connects to the rogue AP and the login credentials are compromised.
HOW TO SECURE YOUR CONNECTION
WPA2™:
• Infrastructure based
• Universal, works across any device and application
Challenges:
• What do you authenticate the guest user against?
• What method is used to encrypt the data?
• End-device configuration for unmanaged user devices
• Support for a wide range of device vendors and operating systems
SECURE ACCESS USE CASES: BYOD AND GUEST ACCESS
BYOD:
• Employees/contractors with login credentials (802.1X/WPA2)
• Personal devices accessing corporate resources
• Differentiated services based on user and device
Secure Guest Access:
• Unknown guest, no credentials
• Establish credentials
• Secured Wi-Fi connections with 802.1X/WPA2
UNIVERSAL SECURE ACCESS WORKFLOW
1. Authenticate the user: the user connects to an open SSID and authenticates through a captive portal against Active Directory, Facebook, LinkedIn, Google, external OAuth sources, a plain email address, etc.
2. Issue certificate: the onboard CA issues a unique user certificate with an expiry date and pushes it to the end device.
3. Move the user to the appropriate SSID: the user may be given a choice of the available options or presented with only one. The client is configured for the SSID, the certificates are installed and the user is moved to the WPA2-Enterprise SSID.
CLOUDPATH XpressConnect CAPABILITIES: SECURE ACCESS FEATURES
Secure Access Onboarding:
• Automated, self-service onboarding
• Broad platform support
• Credentials (PEAP) or certificates (TLS)
• Install client certificates and trusted root CAs
• Handle additional dependencies (software, proxies, health, etc.)
Enrollment System Features:
• Workflow definition and enforcement
• Mix and match Active Directory and OAuth authentication
• Onboard Certificate Authority and Microsoft CA integration
• Visibility and reporting
Integration Module for Microsoft CA:
• Extend TLS to non-domain devices
• Plug-and-play integration with Microsoft and other CAs
SECURE ACCESS – HOW IT WORKS, STEP BY STEP
1. From your Secure Access account on the cloud, configure your WLAN, security, platform and other settings and create a virtual machine.
2. Download the virtual machine to your local appliance.
3. Start onboarding users with your WLAN, security and platform settings.
4. Need to make changes? Return to step 1.
DEVICE SCOPE
• Employees' personal devices (BYOD): differentiate from corporate-owned devices; broadest platform support
• Non-domain corporate assets: self-service or IT-provisioned; differentiate from personal devices
• Secure guest and contractor access: sponsored access; authentication via Facebook, LinkedIn, Google
ASPECTS OF ENROLLMENT
1. Messaging and policy acceptance
2. Authentication: Active Directory; Facebook, LinkedIn, Google
3. Authorization: Active Directory groups; Facebook, LinkedIn groups; vouchers (one-time password)
4. Onboarding: issue and install a policy-flagged certificate; configure and move to the secure SSID
SAMPLE WORKFLOW
Use policy acceptance, then branch by user type:
• Visitor: login by Facebook or LinkedIn, sponsor voucher prompt, certificate issued from the onboard CA in realm @guest, Internet only
• Partner: login by Facebook or LinkedIn, certificate issued from the onboard CA in realm @partner
• Employee: login via Active Directory, then
  • Personal device: certificate issued from the onboard CA in realm @byod
  • Corporate asset: certificate issued from the MS CA in realm @corp, internal access
PRODUCT POSITIONING
• BYOD + Guest Access: Secure Access Enrollment Server
  • Authenticate with Active Directory, Facebook, Google and LinkedIn
  • Onboard CA, in addition to MS CA integration
  • BYOD onboarding for a wide array of devices and operating systems
• Secure Hotspot Access: Secure Access Hotspot
  • Authenticate with Facebook, Google and LinkedIn
  • Onboard CA
  • Support for a wide array of devices and operating systems
SECURE ACCESS COMPONENTS: IMPLEMENTING BYOD WITH THE WiNG5 ARCHITECTURE
Components: Secure Access Admin Console (SSID, security and network parameters); Secure Access Enrollment System (ES, virtual image on ESXi); AAA server; Microsoft AD; Microsoft CA; Microsoft IIS running the MS CA Integration Module; NX9510 controller serving an onboard open SSID and a secure EAP-TLS SSID.
• The ES pulls its configuration from the Admin Console once (one-time config); there is no dependency on the cloud for onboarding.
Communication paths:
• ES <-> AD: LDAP lookup
• ES <-> IIS MS CA Integration Module: client certificate request
• IIS MS CA Integration Module <-> MS CA: certificate request
• NX9510 <-> ES: HTTP redirection and post-back for allowing guest Internet access
• NX9510 <-> AAA: RADIUS and VLAN assignment
• ES <-> Admin Console: network configuration pull
Device placement by certificate realm:
• BYOD devices: BYOD VLAN, certificate @byod.xyz.com
• Corp devices: Corp VLAN, certificate @corp.xyz.com
• Vendor devices: Vendor VLAN, certificate @vendor.xyz.com
BYOD DESIGN CONSIDERATIONS
• WiFi controls: band steering, air time fairness; multicast optimizations, broadcast / multicast controls; client load balancing; differential QoS
• NAC / MDM (ongoing): health checks / anti-virus / posture; remote lock / wipe / application management
• Access control: differentiate corporate devices from BYOD; differential access for corporate / BYOD / guest / vendor devices; WiNG 5 Role Based Firewall (fingerprinting / SSID / VLAN)
• Enrollment (one time): moving clients from the open to the secure SSID; employee devices / guests / vendors; onboard CA or integration with MS CA
BYOD DESIGN CONSIDERATIONS: MOTOROLA SOLUTIONS MAPPING
• WiFi controls: WiNG5 SMART-RF, capacity controls
• NAC / MDM: Motorola technology partner ecosystem (Forescout, Bradford, Packetfence, MSP, Soti)
• Access control: WiNG5 Role Based Firewall
• Enrollment: Motorola Solutions Secure Access Enrollment System
REALM BASED ROLE ASSIGNMENT: USER EXPERIENCE
Realm-based forwarding:
• The AP forwards RADIUS to the appropriate AAA server based on the realm in the certificate (realms @byod.motorola.com and @corp.motorola.com, two AAA servers).
• The AAA server sends the appropriate VLAN / role information.
• BYOD devices land on a restricted VLAN / role; corp devices get unrestricted access.
• Multiple users with differentiated access on the same SSID.
• AAA load balancing in the enterprise environment.
ACCESS CONTROL: USER EXPERIENCE
Inputs to the role decision:
• Device fingerprinting: Windows 7, Windows XP, iOS, Android
• MDM agent check: device registered with the MDM server, or unregistered
• Certificate realm: @corp.mot.com or @byod.mot.com
• SSID / WLAN: "mot-corp" or "mot-byod"
Outcomes:
• Corporate role: Corporate VLAN, unrestricted access
• BYOD role: BYOD VLAN, restricted access
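The two slides above describe a decision the AP and the AAA server make together: the AP picks the AAA server from the realm in the client certificate, and the AAA server answers with a VLAN / role after looking at the SSID, the device fingerprint and the MDM check. The following Python is an added illustrative model of that decision, not Motorola or WiNG5 code. The realm names and SSIDs come from the slides; the AAA hostnames, VLAN numbers, the treatment of an unregistered corporate-realm device as BYOD, and the rejection of realm/SSID mismatches, expired certificates and malformed identities are assumptions made for the example.

```python
"""Realm-based RADIUS forwarding and role assignment, as a worked model.

Added example (not Motorola/WiNG code). Realm names follow the slides;
AAA hostnames, VLAN numbers and the MDM downgrade rule are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Realm -> AAA server responsible for it (the AP's forwarding table). Constructed.
REALM_TO_AAA = {
    "corp.mot.com": "aaa1.mot.example",
    "byod.mot.com": "aaa2.mot.example",
}

# Realm -> SSID on which that realm is expected to authenticate (from the slide).
REALM_TO_SSID = {"corp.mot.com": "mot-corp", "byod.mot.com": "mot-byod"}

# Role -> (VLAN id, description). VLAN ids are constructed.
ROLES = {
    "corporate": (10, "Corporate VLAN, unrestricted access"),
    "byod": (20, "BYOD VLAN, restricted access"),
}


@dataclass
class AccessRequest:
    identity: str               # certificate identity, e.g. "bob@corp.mot.com"
    ssid: str                   # SSID the client associated to
    fingerprint: str            # device fingerprint result, carried into the answer for logs
    mdm_registered: bool        # MDM agent check
    cert_expired: bool = False  # onboarding certificates carry an expiry date


@dataclass
class Decision:
    accept: bool
    aaa_server: Optional[str] = None
    role: Optional[str] = None
    vlan: Optional[int] = None
    reason: str = ""


def realm_of(identity: str) -> Optional[str]:
    """Realm = text after the single '@', lower-cased; None if absent or malformed."""
    if identity.count("@") != 1:
        return None  # no realm, or a crafted identity such as "a@b@corp.mot.com"
    user, realm = identity.split("@")
    if not user or not realm:
        return None
    return realm.lower()


def select_aaa(identity: str) -> Optional[str]:
    """AP side: pick the AAA server from the certificate realm (realm-based forwarding)."""
    realm = realm_of(identity)
    return REALM_TO_AAA.get(realm) if realm else None


def assign_role(req: AccessRequest) -> Decision:
    """AAA side: combine realm, SSID and device posture into a VLAN/role answer."""
    realm = realm_of(req.identity)
    aaa = select_aaa(req.identity)
    if realm is None or aaa is None:
        return Decision(False, reason="unknown or malformed realm: reject")
    if req.cert_expired:
        return Decision(False, aaa, reason="client certificate expired: reject")
    if REALM_TO_SSID[realm] != req.ssid:
        # A @corp certificate on the BYOD SSID (or the reverse) is a policy mismatch.
        return Decision(False, aaa, reason=f"realm {realm} not permitted on SSID {req.ssid}")
    if realm == "corp.mot.com" and req.mdm_registered:
        role = "corporate"
    else:
        # Assumption: a corporate-realm device that is not MDM-registered is
        # treated like BYOD instead of being granted unrestricted access.
        role = "byod"
    vlan, description = ROLES[role]
    return Decision(True, aaa, role, vlan, f"{description}; fingerprint={req.fingerprint}")


if __name__ == "__main__":
    # Constructed sample requests, one per combination shown on the access-control slide.
    samples = [
        AccessRequest("bob@corp.mot.com", "mot-corp", "Windows 7", mdm_registered=True),
        AccessRequest("bob@corp.mot.com", "mot-corp", "iOS", mdm_registered=False),
        AccessRequest("alice@byod.mot.com", "mot-byod", "Android", mdm_registered=False),
        AccessRequest("alice@byod.mot.com", "mot-corp", "Android", mdm_registered=False),
        AccessRequest("mallory@rogue.example", "mot-byod", "Windows XP", mdm_registered=False),
    ]
    for s in samples:
        d = assign_role(s)
        print(f"{s.identity:24} {s.ssid:9} -> accept={d.accept} aaa={d.aaa_server} "
              f"role={d.role} vlan={d.vlan} ({d.reason})")
```

Running the module prints one decision per constructed request: the MDM-registered corporate device gets the corporate role, the same certificate on an unregistered device is downgraded, the BYOD certificate on the corporate SSID and the unknown realm are rejected.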
CORPORATE BYOD VULNERABILITIES IF NOT DONE RIGHT
• The device is configured to connect to the corporate secure SSID with username-and-password authentication (MS-CHAPv2) and no server certificate validation.
• Whenever Wi-Fi is on, the device keeps looking for the corporate SSID, also away from the enterprise, for example in a coffee shop.
• A hacker's rogue AP broadcasting the corporate SSID is accepted because server validation is disabled, so the device tries to connect and authenticate against it.
• The captured MS-CHAPv2 exchange can be cracked (e.g. with ChapCrack), exposing the client credentials.
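The failure mode on this slide is a supplicant profile that trusts whoever answers to the corporate SSID. The following Python, added here and not part of the Motorola deck, embeds a constructed vulnerable wpa_supplicant network block (PEAP with MS-CHAPv2 and no ca_cert) beside a hardened certificate-based one (EAP-TLS with ca_cert and domain_suffix_match) and audits both for the weaknesses the slide names. The option names are real wpa_supplicant settings; the SSID, identities, file paths and the finding texts are constructed for the example.

```python
"""Audit wpa_supplicant network blocks for the BYOD weaknesses on the slide.

Added example (not Motorola code). Both configs below are constructed.
"""
from typing import Dict, List

VULNERABLE_CONF = """
# Constructed: a password-based profile with no server validation
network={
    ssid="mot-corp"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="bob"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
"""

HARDENED_CONF = """
# Constructed: the certificate-based profile an onboarding tool would push
network={
    ssid="mot-corp"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="bob@corp.mot.com"
    ca_cert="/etc/wpa/corp-radius-ca.pem"
    domain_suffix_match="radius.mot.com"
    client_cert="/etc/wpa/bob.crt"
    private_key="/etc/wpa/bob.key"
}
"""

# Outer EAP methods / inner auth that send a password or a challenge-response.
PASSWORD_EAP = {"PEAP", "TTLS", "LEAP", "FAST", "PWD", "MSCHAPV2"}
# Any of these pins the RADIUS server name; without one, every cert from the CA passes.
SERVER_NAME_CHECKS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")


def parse_networks(conf: str) -> List[Dict[str, str]]:
    """Parse 'network={ ... }' blocks into dicts; values are unquoted.

    Minimal parser for the example: '#' starts a comment even inside quotes,
    so it is not suitable for passwords containing '#'.
    """
    networks: List[Dict[str, str]] = []
    current = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks


def audit_network(net: Dict[str, str]) -> List[str]:
    """Return findings for one enterprise (802.1X) network block; [] when clean."""
    findings: List[str] = []
    key_mgmt = net.get("key_mgmt", "").upper()
    if "EAP" not in key_mgmt and "IEEE8021X" not in key_mgmt:
        return findings  # PSK / open networks are outside this slide's scope
    eap = net.get("eap", "").upper()
    phase2 = net.get("phase2", "").upper()
    if eap in PASSWORD_EAP or "MSCHAPV2" in phase2:
        findings.append(f"password-based EAP ({eap or phase2}): a rogue server that is trusted "
                        "captures the MS-CHAPv2 exchange, which is crackable offline")
    if "ca_cert" not in net and "ca_path" not in net:
        findings.append("no ca_cert: server certificate is not validated, so a rogue AP "
                        "broadcasting the corporate SSID is accepted")
    elif not any(k in net for k in SERVER_NAME_CHECKS):
        findings.append("ca_cert set but no domain_suffix_match/altsubject_match: any server "
                        "certificate issued by that CA is accepted")
    return findings


def audit(conf: str) -> Dict[str, List[str]]:
    """Map each SSID in a wpa_supplicant config to its list of findings."""
    return {net.get("ssid", "?"): audit_network(net) for net in parse_networks(conf)}


if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        for ssid, findings in audit(conf).items():
            print(f"[{label}] {ssid}: {len(findings)} finding(s)")
            for f in findings:
                print("   -", f)
```

The middle case is worth keeping in mind when reviewing profiles pushed to BYOD devices: a profile that sets ca_cert but no server-name match still accepts any certificate from that CA, which matters when the CA is a public one.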