
ACCESS CONTROL SOLUTIONS

Are you ready?

Guillermo Arroyave
CSE Networking
garroyaveper@avaya.com
Evolution of a Problem

Multiple access methods: Wireless, Wired, Remote/VPN

Multiple identity stores: MSFT AD; Sun, Novell, Oracle; RSA Token

Across multiple locations and buildings, for multiple users:
  Distance Learning, Science, Engineering, Business, Health, Housing Center
  Auxiliary: Bookstore, Food services, Music, Library
  Hosted Events: Concerts, Athletics, Summer programs
  Community Access: Library, Fitness Center

Guest Users?
What is Network Access Control (NAC)?

 Ensures consistent and predictable network access for managed and unmanaged devices
 Controls who can use the network to access which resources, and when and where they may do so
 Supports any device, any network, any vendor
 Centralised, out-of-line solution for maximum scalability and cost effectiveness
 Automated, standards-based
 Software-only, highly available
 Facilitates regulatory compliance

Why Employ NAC?
Corporate Governance
Do world class companies try to exceed customer
expectations?
Regulatory Compliance
Do you have a legal / regulatory obligation to
uphold (ex. HIPAA, SOX, PCI)?
Operations Cost Reduction
Do you have to choose between leaving your network wide open or investing
excessively in network operations to deal with all the change requests?
Do you have employees bringing in their own personal devices now with
expectations of accessing the network?
Network Analytics
How well do you know your network? What type of asset logs on the most? When
do peak logons occur? How much are iPads/Tablets growing on your network?

Identity Aware Networking is NOT ABOUT keeping people off the network.

Identity Aware Networking is ABOUT giving the appropriate level of access as safely and as efficiently as possible.
Corporate Governance & Regulatory Compliance

Corporate Governance
Do world class companies try to exceed customer expectations?
– Corporate governance defines how you want to run your business and includes many facets over and above regulatory obligations, such as overall information protection, business continuity, guest access policies and employee access policies. Identity Engines (IDE) allows you to enforce the corporate governance policies you define.

Regulatory Compliance
Do you have a legal/regulatory obligation to uphold (ex. HIPAA, SOX, PCI)?
– NAC allows you to enforce regulatory policies as part of compliance.
Operations Cost Reduction

Network Access Control is not necessarily always about security; it can also be used to improve operational effectiveness.
If you have more than one VLAN you have probably had to respond to change requests to move a device from port to port or VLAN to VLAN. Identity Engines can do that for you!

Loaded labour rate:
  base rate/hour       = $30.00 per hour
  overhead multiplier  = 135% overhead + 100% = 235% = 2.35
  profit multiplier    = 10% profit + 100% = 110% = 1.10
  "loaded" rate/hour   = $30.00 x 2.35 x 1.10 = $77.55

Staff Category       base rate/hour   overhead multiplier   profit multiplier   "loaded" rate/hour
LAN Administrator    $30.00           2.35                  1.10                $77.55

Time per change* (hrs)   0.25
Changes per day          7
Cost per change          $19.39
Cost per day             $135.71
Cost per week            $668.11      (avg of 4.923 business days per week, i.e. 256/52)
Cost per month           $2,895.20    (avg of 21.33 business days per month, i.e. 256/12)
Cost per year            $34,742.40   (avg of 256 business days per year)

*Accounts for reviewing the request, accessing the device, making the change, validating the change, closing the request, notifying that the change is complete, and the change control process.
NAC Maximizing Operations

WITHOUT NAC
  Each port is pre-assigned speed, VLAN, filters, etc.
  Need changes? The administrator makes the changes manually = cost $$

WITH NAC
  Each port is locked down by default
  The port is dynamically configured at access time
  No administrator intervention

[Diagram: the same endpoints appear in both cases: Personal Machine, Corporate Desktop, Printer, Wireless Access Point, IP Phone, Visitor Device, Local Network Server/App, Surveillance Camera, Fax Machine, Medical Device.]
THE BYOD REVOLUTION

It started here… Then came this… The rest is history…

700 000 Android apps
700 000 iPhone apps
75 000 000 tablets in 2012
800 000 000 smartphones
1 200 000 000 social media users

 Tablet market $45B by 2014 (Yankee 2011)
 50% of enterprise users interested in or using consumer applications (Yankee 2011)
 Smartphone app revenue to triple by 2014 (Yankee 2011)

TIME's Person of the Year: YOU

It is not about saying NO! It is about saying YES!

  NO: you cannot bring your own iPad         YES: bring your iPad
  NO: you cannot connect outdoors            YES: you are welcome to do mobile collaboration
  NO: you cannot bring your fancy laptop     YES: you are welcome to use a virtual desktop
  NO: you cannot do video conferencing       YES: you are welcome to use Wi-Fi VoIP
What is BYOD?

BYOD – Bring Your Own Device

Means using privately owned wireless and/or portable electronic equipment, including laptops, netbooks, iPads, tablets, iPod Touches, cell phones and smartphones, to support employees' work.

BYOD: Is Your Company Network Ready for BYOD?
BYOD Challenges

IT Compliance: Who gets on? To do what? To go where?
Network Capacity: Can I handle multiple devices per user and high-bandwidth applications?
Security: How can I address it?
Quality of Service: How can I ensure business-critical applications get priority?
NAC Common Use Case Scenarios & Myths
Guest Access Use Case Scenario

Secure the network while allowing authorized guests limited access to resources for specified durations.
Allow non-technical staff (e.g., security, reception) to create guest accounts in real time or in advance of arrival.
Let security/reception create the accounts, but have IT pre-define the restrictions.

 Guest arrives
 Security/reception checks identification and creates a guest access account in real time
 Guest is given temporary and restricted access to the network
 Guest account is automatically deleted after the authorized duration
Conference Room Access Use Case Scenario

Grant varying levels of network authorization to different user types using the same resources.
Give employees unrestricted network access within a conference room while giving restricted access to guests in the same room.

 Public areas are locked down by default
 While in the conference room:
  – Employees are given unrestricted network access (wired or wireless)
  – Guests are given restricted network access (wired or wireless)
 No need for the enterprise to define and manage some ports as open and some as restricted
 Since all ports are policy enabled, the real-time policy engine automatically grants the appropriate access
Validated Remote Access Use Case Scenario

Validate end users' non-corporate assets (e.g., home PC) prior to allowing them remote access to the network.
Prevent high-risk or infected assets from accessing the network and risking greater infection.

 Completes a posture assessment of the end user's device to ensure that the PC is compliant
 Checks for valid anti-virus software, updates, personal firewall, etc. as part of authorization
 Compliance checks can be done via a clientless captive portal for unmanaged devices
 The enterprise can provide a different level of access if an employee is at home during off hours versus in the office
Authorized Fixed Assets Use Case Scenario

Conduct MAC-level authentication to ensure that only authorized fixed assets (e.g., IP phones, printers, fax machines) connect to the network and behave how they are expected to behave.

 Allows enterprises to define the authorized non-interactive devices (e.g., IP phones, printers, fax machines) that can access the network
 Prevents intruders from simply unplugging a printer and accessing the network
 Prevents employees from bringing in their own wireless access points and sharing network services, thereby compromising network security

MAC-level authentication identifies a device only by the address it presents, and a MAC address is trivial to copy from the device being unplugged, so the access granted to a fixed asset should be limited to the traffic its device class legitimately needs (the "behave how they are expected to behave" part) rather than relying on the MAC check alone.
Healthcare Use Case Scenario

Authorize network access for IP-enabled medical devices (e.g., health monitors, ventilators, IV pumps) in a dynamic, automatic, secure and efficient manner.

 With large healthcare facilities having >100K medical devices on the network, manually provisioning network access is unfeasible and cost prohibitive
 Due to security issues, leaving the network wide open for access is not an option
 Identity Engines identifies critical medical devices and grants them access to the appropriate network segments
 All ports (wired and wireless) remain secured so guests/visitors can only access the network when and where appropriate
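The use cases above all reduce to one mechanism: a port or SSID that is locked down by default, a policy engine that evaluates the access request (who, how authenticated, from where, when, device posture) and returns the VLAN, filter and session lifetime the port should be configured with. The following Python is an added example written for this page; it is not Avaya Identity Engines code and does not describe how that product is implemented. It models the guest (time-limited account, automatic expiry), conference room (employee and guest on the same port get different profiles), validated remote access (posture and off-hours) and authorized fixed asset (MAC authentication) scenarios with a first-match rule list and a default deny. All VLAN numbers, ACL names, group names, MAC addresses, the off-hours window and the rule order are illustrative assumptions.

```python
"""Toy NAC policy engine: first matching rule wins, no match = port stays locked down.
Added example, not Avaya Identity Engines code; all values below are illustrative."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class AccessRequest:
    identity: str                      # username, or the MAC for non-interactive devices
    auth_method: str                   # "dot1x" | "portal" | "mac" | "vpn"  (assumed names)
    groups: FrozenSet[str]             # groups returned by the identity store
    location: str                      # e.g. "conference-room", "lobby", "remote" (assumed)
    when: datetime                     # time of the access attempt
    posture_ok: Optional[bool] = None  # None = posture was never assessed
    mac: str = ""


@dataclass(frozen=True)
class AccessProfile:
    decision: str                          # "accept" or "reject"
    vlan: Optional[int] = None
    acl: Optional[str] = None              # named filter pushed to the port
    session_timeout: Optional[int] = None  # seconds until re-authorization is forced
    reason: str = ""


@dataclass
class GuestAccount:
    username: str
    created: datetime
    duration: timedelta                    # authorized duration set by IT policy

    def expires_at(self) -> datetime:
        return self.created + self.duration


# Constructed sample data: authorized fixed assets keyed by lower-case MAC -> (class, VLAN).
FIXED_ASSETS: Dict[str, Tuple[str, int]] = {
    "00:11:22:33:44:55": ("ip-phone", 40),
    "00:11:22:aa:bb:cc": ("printer", 50),
}
GUEST_LOCATIONS = {"lobby", "conference-room"}   # where guests may connect at all (assumed)


def rule_fixed_asset(req: AccessRequest, guests) -> Optional[AccessProfile]:
    """MAC auth: only pre-registered devices, and the ACL pins them to their device class."""
    if req.auth_method != "mac":
        return None
    asset = FIXED_ASSETS.get(req.mac.lower())
    if asset is None:
        return AccessProfile("reject", reason="unknown MAC")
    kind, vlan = asset
    return AccessProfile("accept", vlan=vlan, acl=f"{kind}-only", reason=f"authorized {kind}")


def rule_remote(req: AccessRequest, guests) -> Optional[AccessProfile]:
    """VPN: posture gates the access level; off-hours gets a narrower profile than office hours."""
    if req.auth_method != "vpn":
        return None
    if req.posture_ok is not True:                 # failed OR never assessed -> remediation only
        return AccessProfile("accept", vlan=99, acl="remediation-only",
                             reason="posture failed or not assessed")
    off_hours = req.when.hour < 7 or req.when.hour >= 19   # assumed 07:00-19:00 office window
    return AccessProfile("accept", vlan=20, acl="remote-offhours" if off_hours else "remote-full",
                         reason="remote employee, posture compliant")


def rule_employee(req: AccessRequest, guests) -> Optional[AccessProfile]:
    """802.1X-authenticated employees: unrestricted access on any policy-enabled port."""
    if "employees" in req.groups and req.auth_method == "dot1x":
        return AccessProfile("accept", vlan=10, reason="employee, unrestricted")
    return None


def rule_guest(req: AccessRequest, guests: Dict[str, GuestAccount]) -> Optional[AccessProfile]:
    """Captive-portal guests: restricted VLAN, only in guest areas, and the session timeout is
    the time left on the account so network access ends when the account does."""
    if "guests" not in req.groups or req.auth_method != "portal":
        return None
    acct = guests.get(req.identity)
    if acct is None or req.when >= acct.expires_at():
        return AccessProfile("reject", reason="guest account missing or expired")
    if req.location not in GUEST_LOCATIONS:
        return AccessProfile("reject", reason="guests not permitted at this location")
    remaining = int((acct.expires_at() - req.when).total_seconds())
    return AccessProfile("accept", vlan=30, acl="internet-only",
                         session_timeout=remaining, reason="guest, restricted")


RULES = [rule_fixed_asset, rule_remote, rule_employee, rule_guest]


def authorize(req: AccessRequest, guests: Dict[str, GuestAccount]) -> AccessProfile:
    for rule in RULES:
        profile = rule(req, guests)
        if profile is not None:
            return profile
    return AccessProfile("reject", reason="no matching policy; port locked down by default")


def purge_expired(guests: Dict[str, GuestAccount], now: datetime) -> list:
    """Delete guest accounts whose authorized duration has elapsed; returns the usernames removed."""
    expired = [u for u, a in guests.items() if now >= a.expires_at()]
    for u in expired:
        del guests[u]
    return expired


if __name__ == "__main__":
    now = datetime(2012, 6, 1, 14, 0)
    guests = {"visitor1": GuestAccount("visitor1", now - timedelta(hours=1), timedelta(hours=4))}
    emp = AccessRequest("alice", "dot1x", frozenset({"employees"}), "conference-room", now)
    vis = AccessRequest("visitor1", "portal", frozenset({"guests"}), "conference-room", now)
    print(authorize(emp, guests))   # same room: VLAN 10, no ACL
    print(authorize(vis, guests))   # same room: VLAN 30, internet-only, 3 h left on the session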
Summary

Network Access Control:
 – Separates "Policy" from "Technology"
 – Provides a flexible and powerful policy expression engine
 – Provides network-based identity and access control
 – Offers a standards-based, open, vendor-agnostic solution
 – Scales and is cost effective (both OPEX and CAPEX)
Questions?
Thanks!!!

GUILLERMO ARROYAVE
CSE NETWORKING
Email: garroyaveper@avaya.com

