Professional Documents
Culture Documents
Table of Contents
A framework for deploying successful BYOD initiatives Shortcomings of current solutions The vision for BYOD access management Differentiated, secure access for all users and devices Identify and remediate compromised devices Organization-wide policy management The Aruba ClearPass BYOD solution ClearPass Policy Manager ClearPass QuickConnect Meeting the BYOD challenge with Aruba About Aruba Networks, Inc. 3 4 5 6 8 9 10 10 11 11 12
Any Device
iPhone
iPad
Droid
Any Network
VPN
To address these challenges, Aruba developed the ClearPass Access Management System. A key part of the Aruba Mobile Virtual Enterprise (MOVE) architecture, ClearPass provides a user- and device-independent framework that tackles any BYOD initiative, large or small, by providing: Consistent policy enforcement across multivendor wired, wireless and virtual private network (VPN). Device identification as a basis for grooming traffic and improving network security. Self-service provisioning for all major mobile devices. Controlled access and remediation for compromised devices. Secure guest network access with simplified workflows. Enhanced security, reporting and regulatory compliance.
While BYOD initiatives can encompass many aspects, organizations should look for BYOD solutions with the following characteristics: 1. An open architecture that can be deployed on any vendors wireless, wired and remote infrastructure and support a broad array of fixed and mobile devices. 2. Device provisioning capabilities that automate the configuration of security and productivity settings on the device and provide easy-to-use revocation services. 3. A policy system that ensures consistent enforcement of access privileges based on trust, user roles and device types, while providing continuous device risk assessment and remediation.
A solution with these characteristics will provide the flexibility to address a range of BYOD use cases. For instance, a university can centrally manage access privileges for students, faculty and guests across a geographically dispersed campus network, regardless of device type and operating system. In the aforementioned example, policies can be enforced across any network wireless, wired and VPN identity stores, user-roles, and authentication methods, and updated as the policy system receives real-time profiling and visibility information. Similarly, enterprise finance and human resources staffs can be given differentiated access based on their roles, the specific devices theyre using, and where, how, and when they connect to the network in the office via wireless or remotely through a VPN connection, during normal business hours working hours or on the weekend.
Dynamically capturing device information also provides comprehensive device attributes that can be used to create more granular policies than what is possible using MAC addresses alone. Methods should include baseline dynamic host-configuration protocol (DHCP) fingerprinting and browser detection, as well as collecting detailed information from sources such as agents, RADIUS authentication servers, and Active Directory data.
~100% Accuracy
iPad iOS 5.0.1
Provisioning Plus
Identity-based Proling
(AD, ActiveSync)
Events Fingerprinting
BaselineFingerprinting
By grooming traffic and implementing unique security parameters that are tailored to specific devices, an enterprise has far greater control of the network. Likewise, the ability to instantly profile devices can be a boon to the IT helpdesk. This includes the ability to tell if a device is an iPhone, Windows laptop or Kindle Fire and whether the operating system is iOS, Mac OS X, Windows 7 or Android. Guest Wi-Fi access. The definition of guest user is much more complex now and could mean anything from a temporary contract employee to a shopper in a retail environment. As a result, the network demands of guests have changed, and a BYOD access management solution must provide the same capabilities for guests as for employees, including dynamic provisioning, profiling and role differentiation, which are needed to ensure that compliance requirements are met. Many organizations restrict guests to an isolated network segment, such as using a separate SSID from the corporate SSID, and provide Internet access only. However, the BYOD access solution should give IT the flexibility to create different access rules for different types of visitors. In addition, a BYOD access solution must be easy to use, support multi-tiered administration and sponsor capabilities, and automate the ability to include contextual elements within policies that take into account time-ofday and day-of-week privileges. For example, when a guest enters information requesting access, the BYOD access solution must have the ability to create an account that sits in a disabled state until an approved sponsor has verified and approved the request. Automated methods must exist that deliver access credentials once the approval has been received by the system. Aruba Networks, Inc. 7
Successful Authentication
Failed Policy
The ability to push a full-featured supplicant or agent to the device is also important during provisioning of endpoints for BYOD because native supplicants only allow for basic antivirus, antispyware and firewall software checks. The ability to perform posture assessments in a BYOD environment using permanent and dissolvable agents is important as many of these devices will be administratively managed by the user. Dissolvable agents for BYOD reduce administrative overhead as they are downloaded during a captive portal login and removed once the web page is closed. In addition, enterprise-class posture assessment solutions typically compare the posture/health information against policies defined in a centralized policy decision point (PDP). For a BYOD access management solution to be effective, the PDP must have the ability to automatically quarantine non-compliant BYOD and IT-issued devices using role-based mechanisms or VLAN steering methods. As part of a total posture assessment, a BYOD access solution should: Perform automated checks via persistent and dissolvable agents. Check for up-to-date antivirus, antispyware, and firewall software. Check for USB storage and peer-to-peer applications and services, such as Skype and BitTorrent. Provide control options, including protected network access, manual and auto-remediation via directed URLs, and denial of service. Finally, tying posture information with identity-related and other contextual data allows organizations to enforce differentiated policies as business needs dictate.
10
Additional features include the ability to push required applications, and configuration settings for mobile email with Exchange ActiveSync and VPN clients for some device types. ClearPass Profile. The device profiling software module for ClearPass Policy Manager uses a five-tiered system that includes DHCP and other advanced methods as well as end-user and device fingerprinting and profile information. Device-level information includes details such as operating system version, manufacturer and device category. This contextual information is then stored and used to enhance policy decisions and to identify changes in a devices profile to dynamically change authorization privileges. For example, policies can be used to differentiate access for an employees company-issued device versus the same employees personally-owned device. ClearPass Guest. The ClearPass Guest software module for ClearPass Policy Manager enables IT and nontechnical personnel to manage guest Wi-Fi accounts and onboarding tasks related to network access requirements for visitors in large and small environments. In addition to allowing employees and guests to self-register their own devices, ClearPass Guest supports rolebased access controls, activity tracking for compliance and auditing, and unique features such as advertising and commercial-grade hotspot services. ClearPass OnGuard. The ClearPass OnGuard software module for ClearPass Policy Manager enables comprehensive posture assessments that minimize the risk of viruses and the misuse of applications and services before devices connect to the network. Supporting persistent and dissolvable agents, including vendor-specific agents such as Microsoft Windows native supplicants, ClearPass OnGuard performs posture assessments on devices running Windows, Mac OS X and Linux operating systems, checking for the presence of anti-virus, anti-spyware, and firewall software from more than 80 vendors. In addition, ClearPass OnGuard checks for allowable services, processes, peer-to-peer applications like Skype, USB storage devices, VM clients, and hot spots, and provides auto-remediation or quarantine as organization policies require.
ClearPass QuickConnect
ClearPass QuickConnect is a cloud-based service that provides simple self-service 802.1X configuration for Windows, Mac OS X, iOS and Android devices, reducing the burden on IT. IT configures endpoint variables to create network authentication packages, while users are presented with a configuration wizard via a captive web portal, Active Directory group policy object (GPO), USB device or CD. Users simply start the wizard, enter their credentials and connect to the network in just a few minutes.
11
From automating device onboarding and enforcing device posture checks to applying differentiated access policies and generating audit-ready reports, Arubas ClearPass provides a simple, cost-effective approach to connecting and securing BYOD and IT-managed users and devices. Features such as self-registration reduce the burden on IT, empower users and accelerate the consumerization of IT in support of BYOD. Organizations benefit from the ability to leverage their existing infrastructure, as well as the flexibility to implement BYOD strategies in a phased approach, based on their business needs and use case requirements.
www.arubanetworks.com 1344 Crossman Avenue. Sunnyvale, CA 94089 1-866-55-ARUBA | Tel. +1 408.227.4500 | Fax. +1 408.227.4550 | info@arubanetworks.com
2012 Aruba Networks, Inc. Aruba Networks trademarks include AirWave, Aruba Networks, Aruba Wireless Networks, the registered Aruba the Mobile Edge Company logo, Aruba Mobility Management System, Mobile Edge Architecture, People Move. Networks Must Follow, RFProtect, and Green Island. All rights reserved. All other trademarks are the property of their respective owners. WP_BYOD_120210