Awareness-raising program in the area of

Bring Your Own Device
Wiesław Stawiski, CISSP
InfoTRAMS „Fusion Tematyczny, Bazy Danych, Kariera I Prywatny Sprzęt W Pracy" (InfoTRAMS "Thematic Fusion, Databases, Career and Private Equipment at Work")
Onslaught of Apple Devices
iPad, MacBook
• No Ethernet ports on the MacBook Air and the iPad
• >17M iPads to date (1, 2)
• >80% of the Fortune 100 is deploying/piloting the iPad (2)
iPhone, iPod Touch
• 88 of the Fortune 100 are now deploying the iPhone (2)
• 40M iPhone sales in 2010, and >45M iPod Touch sales to date (2)
Use Cases
• Employee-owned Apple devices at work – Bring Your Own Device (BYOD)
• Enterprise-sponsored roll-out of Apple devices – e.g. SAP, Ottawa Hospital
(1) Businessweek, July 2010
(2) Apple Financial Results
iPad in the News
“More and more iPads will find their way into the workplace in 2011, but the vast majority won’t (60 to 70%) be purchased by IT departments.”
“Financial Services will lead the way in iPad adoption.”
“iPad poised to revolutionize retail industry.”
“Math that moves: Schools embrace the iPad.”
“Restaurants uploading menus to iPad for diners.”
“With the iPad, Apple may just revolutionize medicine.”
Moving to a New Type of On-Ramp
Network Cost per User (figure: wired ports per user over time)
• 2001, over-engineered network: 4 ports per user; desktop, IP phone
• 2009, rightsizing: 2 ports per user; overlay Wi-Fi; laptop, IP phone
• 2011+, mobility-centric: 1 port per user; pervasive Wi-Fi; tablet, smartphone
Frustrated Users!
End users ask, IT managers answer:
• Can I use an iPad? No!
• Can I roam freely? No!
• Can I run video on the WLAN? No!
• Can I collaborate with Skype? No!
The IT Challenge
Balancing Risk and Cost while Keeping Users Happy
• Authorized, secure network access
• Reliable multimedia connectivity
• Minimized cost for network planning
Option 1: Not IT supported
✓ Low opex
⊗ High security risk
⊗ No visibility
Option 2: Managed by IT
⊗ High opex
✓ Reduced risk
✓ Improved visibility
Authorize and Secure
Key Requirements for Mobility: Device Aware, User Aware
Legacy Access (port and VLAN aware)
⊗ Limited policy enforcement
⊗ Hard to scale at large sites
⊗ Too costly to manage
Next-Gen Access
User aware
✓ Role-based access
✓ Per-user visibility
✓ Easy to scale
Device aware
✓ Device enrollment
✓ Per-device policies
✓ Device inventory
App aware
✓ Per-application QoS
✓ Stateful QoS for UC
✓ Supports high density
Mobile Device Access Control - Solution Components
• Device Fingerprinting: understand what is on your network; security & bandwidth policies by device
• Device Enrollment: secure the device, specify & control access; zero-touch device authorization
• Device Inventory: inventory, report, helpdesk; troubleshooting & capacity planning
Device Fingerprinting
Port, VLAN aware (legacy)
× All devices and users are assigned to the same network access policy, increasing risk
× Network operations costs increase due to manual troubleshooting and monitoring
vs. User, device aware
✓ DHCP and HTTP signature matching identifies the device's OS, type and model
✓ Enables per-user and per-device access control, enrollment, authentication and management
Step 1 - Authorized, Secure Network Access
Components: Apple devices, AP, Mobility Controller, Amigopod, CSS in the cloud, corporate servers
1. Device fingerprinting: e.g. Apple iPad
2. Device enrolment: self-registration for secure corporate access (Amigopod); centralized, automated with no IT touch
3. Role-based access: network access policies per user and device (Mobility Controller)
4. Content security: CSS in the cloud, e.g. filter web traffic for the iPad
Role & Device Based Access
SSID-based access control:
• Virtual AP 1, SSID: Corp, for staff and contractors
• Virtual AP 2, SSID: GUEST, for guests; captive portal; secure tunnel to the DMZ
Role-based access control:
• AAA (RADIUS, LDAP, AD), FastConnect, access rights
• Roles: Windows user, iPad user, Blackberry, HR, Guest
• Destinations: corporate services, voice, video, DMZ
• Single infrastructure
• Differentiated access by user, device, app, time, location
• Continuous compliance monitoring for sensitive data
• Zero-day attack detection and protection
• User quarantine vs. user blacklisting
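Differentiated access by user, device, time and location, with quarantine kept distinct from blacklisting, as an added example that is not Aruba's policy engine or configuration: it derives a role from the AAA group membership, the fingerprinted device type, enrollment state, SSID, authentication method, hour and site, and then evaluates a per-role firewall rule list with first match and an implicit deny. The SSID names, AD groups, role names, destinations and rules are assumptions chosen for illustration.

```python
"""Role derivation for a Wi-Fi session and per-role firewall policy (added example).

Not Aruba's policy engine or configuration: SSID names, AD groups, role
names, destinations and the rule table are assumptions chosen to illustrate
differentiated access by user, device, time and location.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    username: str
    ad_groups: frozenset      # group membership returned by AAA (RADIUS/LDAP/AD)
    device_type: str          # result of fingerprinting, e.g. "Apple iPad"
    enrolled: bool            # device completed self-enrollment
    ssid: str                 # "Corp" or "GUEST"
    auth: str                 # "eap-tls", "peap", "captive-portal" or "open"
    hour: int                 # local hour of day, 0-23
    location: str             # AP group / site, e.g. "HQ"


# Rules are (action, destination, service), evaluated first match; no match means deny.
COMMON = [("permit", "any", "dns")]
TRAILER = [("deny", "any", "any")]
ROLE_POLICIES = {
    # Blacklisted: the association itself is refused, so the role carries no permits.
    "blacklist": [],
    # Quarantined: reaches only the enrollment/remediation portal until it complies.
    "quarantine": COMMON + [("permit", "enrollment-portal", "https")] + TRAILER,
    "guest": [("permit", "dmz", "dns"), ("permit", "internet", "http"), ("permit", "internet", "https"),
              ("deny", "rfc1918", "any")] + TRAILER,
    "contractor": COMMON + [("permit", "contractor-vpn", "https")] + TRAILER,
    "corp-user": COMMON + [("permit", "corp-servers", "any"), ("permit", "internet", "http"),
                           ("permit", "internet", "https")] + TRAILER,
    # Enrolled iOS devices get HTTPS to corporate services and video, not "any" to servers.
    "ios-user": COMMON + [("permit", "corp-servers", "https"), ("permit", "video-server", "rtsp"),
                          ("permit", "internet", "https")] + TRAILER,
}
ROLE_POLICIES["hr"] = [("permit", "hr-app", "https")] + ROLE_POLICIES["corp-user"]

IOS_DEVICES = {"Apple iPad", "Apple iPhone"}
DOT1X = {"eap-tls", "peap"}


def assign_role(s: Session, *, blacklisted: bool = False) -> str:
    """Failure cases return first; anything unmatched lands in quarantine, never in a broader role."""
    if blacklisted:
        return "blacklist"
    if s.ssid == "GUEST":
        return "guest" if s.auth == "captive-portal" else "quarantine"
    if s.ssid == "Corp":
        if s.auth not in DOT1X or not s.enrolled:
            return "quarantine"           # Corp SSID requires 802.1X and an enrolled device
        if "HR" in s.ad_groups and s.location == "HQ" and 7 <= s.hour < 19:
            return "hr"                   # sensitive-data role bound to time and location
        if "Contractors" in s.ad_groups:
            return "contractor"
        if s.device_type in IOS_DEVICES:
            return "ios-user"
        if "Domain Users" in s.ad_groups:
            return "corp-user"
    return "quarantine"


def is_permitted(role: str, destination: str, service: str) -> bool:
    """First-match evaluation of the role's rules with an implicit deny."""
    for action, dst, svc in ROLE_POLICIES.get(role, []):
        if dst in (destination, "any") and svc in (service, "any"):
            return action == "permit"
    return False


if __name__ == "__main__":
    hr_day = Session("alice", frozenset({"Domain Users", "HR"}), "Windows PC", True, "Corp", "eap-tls", 10, "HQ")
    hr_night = Session("alice", frozenset({"Domain Users", "HR"}), "Windows PC", True, "Corp", "eap-tls", 22, "HQ")
    ipad = Session("bob", frozenset({"Domain Users"}), "Apple iPad", False, "Corp", "peap", 10, "HQ")
    for s in (hr_day, hr_night, ipad):
        role = assign_role(s)
        print(s.username, s.hour, role, is_permitted(role, "hr-app", "https"))
```

Quarantine is temporary and narrow (the enrollment portal only), so an unenrolled iPad or a client that skipped 802.1X still lands somewhere it can remediate, whereas a blacklisted client is refused association and gets no permits at all; returning the failure cases before any broad role is what keeps the policy deny-by-default.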
Reliable Multimedia Connectivity
Key Requirements for Mobility: Adaptive Radio Management
1. Adaptive RF – Automate RF setup and optimization
2. Band Steering – Load balance clients to higher capacity 5GHz band
3. Spectrum Load Balancing – Load balance clients across channels
4. Co-Channel Interference – Coordinated access to APs that share a single channel
5. Airtime Fairness – Scheduled access for dense deployment of mixed clients
6. Self-Healing – Adjust power to address coverage holes
(Figure: AP channel plan with 2.4 GHz channels 1, 6 and 11 and 5 GHz channels 36, 52, 149 and 161; APs marked X are the ones the self-healing and load-balancing features react to.)
Key Requirements for Mobility: Always-On Spectrum Analysis
Cost effective
• Integrated into the Wi-Fi chipset in all Aruba 802.11n APs
• Does not require a specialized AP or an external laptop for monitoring
Always on
• No specialized chip in the AP
• No need to spare scanning time
• Record and playback on demand
Detailed charts
• 14 simultaneous views within the Aruba Mobility Controller
• No need for an external laptop
Step 2 - Reliable Multimedia Connectivity
Components: Apple devices, AP, Mobility Controller, video server, voice PBX
1. QoS per app: predictable performance for custom and video apps, e.g. hospital EMR and video app
2. Multicast optimization: highest density of devices with ARM
3. FaceTime QoS: e.g. Apple FaceTime
4. SIP QoS: stateful protection and QoS for UC tools
Network Planning
Step 3 – Minimized Cost for Network Planning
Components: Apple devices, AP, Mobility Controller, Air Mgmt, AAA servers
1. Device inventory: centralized device inventory management, e.g. Apple iPhone inventory report
2. Per-device troubleshooting: monitor and troubleshoot per device type
3. Bandwidth contracts: e.g. reduce WAN bandwidth usage
4. VLAN pooling
5. EAP-TLS offload (AAA servers)
Air Mgmt: integrated traffic and network management
Managing Access and Devices
Mobile Device Access Control:
• Device inventory management
• Network access enrollment
• Network access policy enforcement
Mobile Device Management:
• Device and mobile app configuration
• Service management and compliance
• Hardware/firmware monitor and control
Bring your own device
QUESTIONS?
[email protected]
All rights reserved. iPhone, FaceTime and iPad are trademarks of Apple Inc., registered in the U.S. and other countries. All other trademarks are the property of their respective owners.