Authenticated Network Architecture

Presentation transcript:

Authenticated Network Architecture. Identity Engines: unified network access control for wired, wireless and remote access. STANDARDS BASED (802.1X), VENDOR AGNOSTIC: no need to change the network. Based on the ANA concept. Michael Knabb

Office tools started here: then came this! Device explosion: earlier, power PCs with huge screens. Apple introduced iPhone/iPad. IDE has strong relevancy. Not only BYOD; explain later. Misconception: many people think everyone is gonna bring their own device. But that is not going to happen. Corporate devices will stay. Only on a per-need basis will people be allowed to access corporate resources. In some countries doctors are really contractors and as such do not want corporate PCs. He has to work for multiple hospitals. VDI infrastructure is set up to give foreign devices access to VDI. Secure because it is remote desktop. You care less what is on the non-managed device from a security perspective. © 2009 Avaya Inc. All rights reserved.

The before is history… TIME’s Person of the Year: YOU. Android apps: 100 000. iPhone apps: 350 000. Tablets in 2012: 75 000 000. Smartphones: 800 000 000. Social media users: 1 200 000 000. Tablet market $45B by 2014 – Yankee 2011. 50% of enterprise users interested in or using consumer applications – Yankee 2011. Smartphone app revenue to triple by 2014 – Yankee 2011. TIME is from 2006 already, when Facebook and Twitter (more on the application side) came up; it still applies today.

It is not about saying NO!! It is about saying YES! but… staying in control. YES, bring your own iPad. YES, you are welcome to do mobile collaboration. YES, you are welcome to use virtual desktop. YES, you are welcome to use Wi-Fi VoIP. NO, you cannot bring your iPad. NO, you cannot connect outdoors. NO, you cannot bring your fancy laptop. NO, you cannot do video conferencing.

Where is the market going? 70% of new enterprise users by 2013 will be wireless by default and wired by exception (Gartner). Average three to five devices per user, each requiring capacity and contributing to the density. By 2015, 80% of newly installed wireless networks will be obsolete because of a lack of proper planning (Gartner). New context-rich applications requiring more bandwidth: iPad deployments could need 300% more Wi-Fi. Everything is wireless (phone, iPad, etc.); we need control on the wireless side. Video, Web.Alive as virtual office. Check out the demo.

Cost of Change - Operations Cost Reduction. Enterprise Network: IP Phone, Visitor or Business Partner Personal Machine, Corporate Desktop, Network Printer, Network Device, Wireless Access Point, Surveillance Camera, Fax Machine, Medical Device, Local Server/App, Guests & Guest Devices. Like I pointed out earlier, this is not only about BYOD, but ANYTHING that connects to the network; with IDE you can automate that, so really create a plug-and-play environment. This means you would have the same configuration anywhere on your edge switches, and depending on the device you connect, the proper VLAN is assigned. You can even automate how to connect an AP: identify it by its MAC and move it to the proper VLAN, so you can easily move it without changing the port config. A customer even has FANS connected to Ethernet with a sw to manage them! Fax machines etc. Automate how you configure your edge: not only about users, but also about IT operations! And if you have followed a session about SPB or VENA (hard to avoid during this conference), you know where this is going: end-to-end automation of services based on NAC and SPB! Divide the network in classes based on the device: IP cams, PCs, iPhones, facility management, fire. Each wired or wireless access port is not assigned until a user/device attempts access. At that point it is given the appropriate level of access. Direct annual TCO savings just by avoiding simple VLAN changes. Indirect TCO savings just by avoiding network outages following manual configuration changes.

Identity Engines Authenticated Network Architecture. Network Abstraction Layer; Directory Abstraction Layer; Reporting & Analytics; Posture Assessment; Guest Access Mgmt; Identity Engines Captive Portal (v8.0); CASE (v8.0); Policy Enforcement Point; Policy Decision Point; Policy Information Point. ANA is a vendor-neutral framework that leverages industry standards for the design of an identity-centric security system. It gives us much more dynamic options to address the increased mobility and diversity of today’s network users. ANA is based on the notion of authentication of all users on a network and the association of each user with a particular set of network entitlements. For example, guests are granted access only to the Internet, contractors only to discrete network resources, employees only to the broader network as a whole, and privileged employees only to isolated enclaves of highly secured resources. At its core, ANA introduces a single new element to existing security designs: the authentication and authorization of all network users, regardless of their method of connection. PEP-PDP-PIP. STANDARDS BASED (802.1X), VENDOR AGNOSTIC: no need to change the network. Our directory integration is really simple compared to others. We also have directory federation to avoid double records of people. Reporting/analytics might be necessary for legal and auditing purposes (not for techies).

Identity-based Access Control… with Identity Engines. Authorization Request: check access device, check access medium, check identity stores. Access Script Example 1: If device = “managed”, if medium = “wired”, if identity = “HR employee”, then grant full network access. Identity: who are you, with what device and through what medium are you accessing my network? A directory is a huge database of people: name, contact info, assets. Called a directory because of the technology, but really it is a database... Here is an example of how it would work with the access script (not really the same as in the product).

Identity-based Access Control… with Identity Engines. Authorization Request: check access device, check access medium, check identity stores. Access Script Example 2: If device = “iPad”, if medium = “wireless”, if identity = “HR employee”, then grant limited access. The same person comes in with a non-managed device; I still want to give limited access. And what limited access is depends on the customer: internet access, VDI access, whatever.

Identity Engines: flexible policy engines, extensive logging for each access attempt. Identity Engines, through the policies, basically answers the question: are you one of mine? Like a firewall, it looks for a matching rule from the top down. The logging is very powerful and compelling against Cisco IAS or Steelbelt or Enterasys etc. We rule! Troubleshooting is perfect. Configuration is perfect.
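To make the two access-script examples and the firewall-style top-down matching concrete, here is an added illustration of such a policy engine (example code, not Identity Engines code): the rule and attribute names are assumptions, the VLAN numbers are taken from the demo's logical IP net slide, and the mapping of entitlements to VLANs is an assumption. It also flags rules that can never fire because an earlier rule shadows them.

```python
"""Access policy evaluation in the style of the access-script examples above
(device / medium / identity -> entitlement -> VLAN). Added illustration, not
Identity Engines code: rule and attribute names are assumptions; the VLAN
numbers come from the demo's logical IP net slide."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class AuthzRequest:
    user: str
    groups: frozenset        # group memberships from the identity store(s)
    device: str              # profiled/registered device class, e.g. "managed", "iPad"
    medium: str              # access medium: "wired", "wireless" or "vpn"

@dataclass(frozen=True)
class Rule:
    name: str
    entitlement: str                  # "full", "limited", "internet" or "deny"
    device: Optional[str] = None      # None means "any"
    medium: Optional[str] = None
    group: Optional[str] = None

    def matches(self, req: AuthzRequest) -> bool:
        return ((self.device is None or self.device == req.device)
                and (self.medium is None or self.medium == req.medium)
                and (self.group is None or self.group in req.groups))

# Ordered like a firewall rule base: the first matching rule from the top wins.
POLICY: List[Rule] = [
    Rule("hr-managed-wired", "full", device="managed", medium="wired", group="HR employee"),
    Rule("hr-ipad-wireless", "limited", device="iPad", medium="wireless", group="HR employee"),
    Rule("guest-any", "internet", group="guest"),
]
DEFAULT_ENTITLEMENT = "deny"          # nothing matched: the port stays unassigned

# Entitlement -> VLAN handed back to the edge switch (assumed mapping; 500 = Data,
# 100 = Guest on the demo network). None means no VLAN is assigned.
ENTITLEMENT_VLAN = {"full": 500, "limited": 100, "internet": 100, "deny": None}

def evaluate(req: AuthzRequest, policy: List[Rule] = POLICY,
             log: Optional[list] = None) -> Tuple[str, Optional[str], Optional[int]]:
    """Return (entitlement, matched rule name, VLAN). Every attempt is logged, allowed or not."""
    entitlement, hit = DEFAULT_ENTITLEMENT, None
    for rule in policy:
        if rule.matches(req):
            entitlement, hit = rule.entitlement, rule.name
            break
    vlan = ENTITLEMENT_VLAN[entitlement]
    if log is not None:
        log.append(f"user={req.user} device={req.device} medium={req.medium} "
                   f"rule={hit or '<default>'} result={entitlement} vlan={vlan}")
    return entitlement, hit, vlan

def shadowed_rules(policy: List[Rule] = POLICY) -> List[str]:
    """Names of rules that can never fire because an earlier rule is at least as
    general on every attribute (a common ordering mistake in first-match rule bases)."""
    names = []
    for i, later in enumerate(policy):
        if any(all(getattr(earlier, f) in (None, getattr(later, f))
                   for f in ("device", "medium", "group"))
               for earlier in policy[:i]):
            names.append(later.name)
    return names
```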

Identity Engines Guest Manager. Identity Engines Guest Manager is a web application that lets front desk staff create and manage temporary network accounts for visitors. Front Desk Console provides automated provisioning/de-provisioning in 30 sec. Allow employees to create their own guest accounts. Activation options: immediate activation, future activation, account duration time, activate on first login. Choose any access method to implement: wireless, wired, and VPN. Track users: guests, consultants, contractors. Basic Identity Engines WLAN Guest Management Starter Kit (includes 1 Ignition Server licensed for 5 authenticators and the Guest Manager application) for only $1995 (~1500 euro). Good demo: our event ladies have generated all the guest passwords without Markus’s help. He prestaged the GM fields so that these ladies could work with it easily.

Identity-based Access Control… with Identity Engines: unified wired and wireless; vendor agnostic; highly available virtual appliance; robust guest management; granular policy engine; intelligent federated directories; simple affordable licensing. User perspective: the user gets the same experience whether they go wired or wireless. From the IT perspective: IT gets the same approach. No proprietary solution, works in any environment. High availability options. Affordable licensing compared to the competition. We had a customer that thought we had a crappy solution because the price was so low compared to the competition. Because we rely on MS NAP for system health, we do not need a client on the user device that needs huge maintenance for the latest security patches etc. MS is the dominant desktop OS; we bet on that for posture requirements. Ignition Server (option as HA bundle); feature licenses (portal, CASE, guest mgmt) sit on top of HA.

Identity Engines v8.0, What’s New: Access Portal/Captive Portal; Device Profiling; CASE Client; CASE Admin Console; RADIUS Proxy; Guest Manager Enhancement. We have no FreeRADIUS: high performance RADIUS interface, one of the quickest in the world!!! Other vendors have heavy problems; that is why we have IDE even in Cisco accounts.

Avaya Identity Engines Access Portal Architecture (diagram labels): Access & Core Layer; Policy Decision; Identity Routing; 802.1X Authentication for Employees (wired and wireless end-points); LDAP; Kerberos; RADIUS; Access Portal; Device Profiling; HTTP Capturing for Guest; IDE ADMIN; RADIUS IN; Active Directory; Management and Session Provisioning; Abstracted and Identity Routing; OUT; Novell/Oracle Directory; Integration APIs; Context Awareness; Application Authentication; Firewall; Multi-factor Authentication; Internet; Consolidated LDAP & profile; Reporting and Analytics. The Authenticated Network Architecture (ANA) controls who can use the network to access which resources, and when and where they may do so. It allows enterprises to implement network access policies. Network access is consistent and predictable. Enhances security. Supports compliance. Network security has been evolving since its inception, sometimes slowly, sometimes in larger increments. As technology has shifted, best practices have slowly matured. What was a good idea two years ago is still likely a good idea today, with minor variations based on the evolving threats and business requirements. However, we are currently at an inflection point in the use of network-based security controls. Whereas previous designs focused almost exclusively on static policies, filter rules, and enforcement controls, a newer approach has emerged that promises much more dynamic options to address the increased mobility and diversity of today’s network users.

Identity Engines Release 8.0 Access Portal. The Access Portal facilitates network access to guest devices, supporting full BYOD-based access. The Access Portal will serve as a Captive Portal for wired and wireless users and allow inline sessions for non-802.1X users. Hosting place for the CASE Client.

Device Profiling: what is it? Why do we need it? What is it? A compact summary of software and hardware settings collected from a remote computing device. Passive Profiling occurs without obvious querying of the client machine. These methods rely upon precise classification of such factors as the client's TCP/IP configuration, OS profile, IEEE 802.11 (wireless) settings, and hardware clock skew. Active Profiling assumes the client will tolerate some degree of invasive querying. The most active method is installation of executable code directly on the client machine. Why do we need it? To support the “Smart Phone” revolution: instead of IT departments being able to force a particular set of mobile solutions on the workforce, employees now expect to be able to use personal devices such as smart-phones and tablets in the enterprise environment. It facilitates “Bring Your Own Device” (BYOD) policies in enterprise wireless LANs. Idea: a user trying to gain network access using personal or unmanaged devices will be transitioned to an Access Portal, where the portal will learn the necessary device attributes using various profiling technologies and update the Ignition Server with the device information. Available ONLY on Identity Engines Access Portal. With device profiling I can give an iPad user, that is probably running Flare, a bit more access than an iPhone user, who just gets internet. We can also do

Identity Engines Release 8.0 Device Profiling. The administrator will be able to set the Access Portal to perform device profiling of wired and wireless devices. Device fingerprinting by extracting information from browser-provided data during login: Device Type, Device Sub-Type, Device OS, Device OS Version. Device attributes are sent to the Ignition Server for device registration. Device auto-registration: auto-registration of Guest Visitor and Employee Guest devices; device profiling of registering devices; auto-association of devices with guest/employee records in Ignition Server; populating device records in Ignition Server with the device profile attributes (type, sub-type, OS, OS version).
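The browser-data fingerprinting described above, as an added example that is not Identity Engines code: it classifies a constructed User-Agent string into the four attributes the slide lists (type, sub-type, OS, OS version) and builds the record that would be associated with the user on registration. The attribute names, the sample User-Agent strings and the record layout are assumptions for this example.

```python
"""Device fingerprinting from browser-provided data at portal login. Added
illustration, not Identity Engines code; attribute names and the constructed
User-Agent samples below are assumptions for this example."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class DeviceProfile:
    device_type: str     # "Mobile", "Desktop" or "Unknown"
    sub_type: str        # "iPad", "iPhone", "Android Phone", "Android Tablet", "Windows PC", "Mac"
    os: str
    os_version: str

# Most specific patterns first: an iPad User-Agent also contains "Mac OS X" and "Mobile".
_RULES = [
    (re.compile(r"iPad; CPU OS ([\d_]+)"), "Mobile", "iPad", "iOS"),
    (re.compile(r"iPhone; CPU iPhone OS ([\d_]+)"), "Mobile", "iPhone", "iOS"),
    (re.compile(r"Android ([\d.]+);.*\bMobile\b"), "Mobile", "Android Phone", "Android"),
    (re.compile(r"Android ([\d.]+)"), "Mobile", "Android Tablet", "Android"),
    (re.compile(r"Windows NT ([\d.]+)"), "Desktop", "Windows PC", "Windows"),
    (re.compile(r"Mac OS X ([\d_.]+)"), "Desktop", "Mac", "Mac OS X"),
]
# Windows reports its kernel version; map it to the marketing name where known.
_WINDOWS_NAMES = {"5.1": "XP", "6.0": "Vista", "6.1": "7", "6.2": "8", "6.3": "8.1", "10.0": "10"}

def profile_user_agent(ua: str) -> DeviceProfile:
    """Return the first matching profile; anything unrecognised is reported as Unknown."""
    for pattern, dtype, sub, os_name in _RULES:
        m = pattern.search(ua)
        if m:
            version = m.group(1).replace("_", ".")
            if os_name == "Windows":
                version = _WINDOWS_NAMES.get(version, "NT " + version)
            return DeviceProfile(dtype, sub, os_name, version)
    return DeviceProfile("Unknown", "Unknown", "Unknown", "")

def build_device_record(owner: str, mac: str, ua: str) -> dict:
    """Record used to auto-register the device against the user's record.
    The User-Agent is client-supplied, so the attributes are stored as unverified;
    passive signals (DHCP/TCP fingerprint) should corroborate them before they
    drive a more permissive policy."""
    p = profile_user_agent(ua)
    return {"mac": mac.lower(), "owner": owner, "device_type": p.device_type,
            "device_sub_type": p.sub_type, "device_os": p.os,
            "device_os_version": p.os_version, "source": "browser", "verified": False}

# Constructed sample User-Agent strings (not captured from any real device).
UA_IPAD = "Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3"
UA_ANDROID_PHONE = "Mozilla/5.0 (Linux; Android 4.0.4; GT-I9300 Build/IMM76D) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.166 Mobile Safari/535.19"
UA_ANDROID_TABLET = "Mozilla/5.0 (Linux; Android 4.0.3; TF201 Build/IML74K) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.166 Safari/535.19"
UA_WINDOWS = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36"
UA_MAC = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36"
```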

CASE Client: Client for Accessing the Secure Enterprise. Automates client config for 802.1X and MS NAP posture. Easy user adoption of 802.1X-based NAC. No footprint on the client device. All major browsers. All Windows flavours. ActiveX or Java delivery. Requires Access Portal.

Identity Engines Release 8.0 CASE (Client for Accessing the Secure Enterprise). A transient client to automate configuration of managed and unmanaged endpoint devices to participate in Network Access Control: CASE auto-configuration of 802.1X on Windows devices; CASE auto-configuration of MS-NAP on Windows devices. The administrator will be able to create CASE packages to accommodate various deployment needs: wired, wireless, wired and wireless. The administrator will be able to set the CASE Client to make its configuration revertible or not.

What’s New in Guest Manager: Export/Import Configuration. The GM Import/Export Configuration feature enables users to port Guest Manager configurations between multiple Guest Manager instances. These configurations include appliance configurations, RADIUS configurations, user certificates, Tomcat configurations (HTTP, SSL etc.) and user preferences. Previously we could not save the config. Now we can. This is good when you have multiple Guest Managers, to be able to exchange (export/import) configs.

Identity Engines Release 8.0. 1-2-3 Easy Configuration: a pre-provisioned configuration file includes sample configurations and access policies. RADIUS Proxy: facilitates easy integration with an existing corporate RADIUS server using realm-based lookup; supports a proxy-failover model using intelligent identity routing.
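The realm-based lookup and proxy failover just described, as an added example that is not Identity Engines code: the realm is taken from the User-Name (the part after the last "@"), local realms are authenticated against the server's own identity stores, known realms are proxied to an ordered target list, and a target that stops answering is marked down so the next one is tried. The realm table, host names and the send() callback are assumptions for this example.

```python
"""Realm-based RADIUS proxy routing with failover. Added illustration, not
Identity Engines code; realm table, host names and send() are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class ProxyTarget:
    host: str
    port: int = 1812
    healthy: bool = True     # flipped to False when the target stops answering

def make_realm_table() -> Dict[str, List[ProxyTarget]]:
    """realm -> ordered targets; the first healthy one is used, the rest are failover."""
    return {
        "corp.example": [ProxyTarget("radius1.corp.example"), ProxyTarget("radius2.corp.example")],
        "partner.example": [ProxyTarget("aaa.partner.example")],
    }

def split_nai(user_name: str) -> Tuple[str, str]:
    """Split a Network Access Identifier (RFC 4282) 'user@realm' into (user, realm).
    The realm is the part after the last '@'; '' if there is none."""
    user, sep, realm = user_name.rpartition("@")
    if not sep:
        return user_name, ""
    return user, realm.lower()

def route(user_name: str, table: Dict[str, List[ProxyTarget]],
          local_realms=("", "local")) -> Tuple[str, Optional[ProxyTarget]]:
    """Decide what to do with an Access-Request: LOCAL (authenticate against our own
    identity stores), PROXY to a realm target, or REJECT (unknown realm / all targets down)."""
    _, realm = split_nai(user_name)
    if realm in local_realms:
        return "LOCAL", None
    for target in table.get(realm, []):
        if target.healthy:
            return "PROXY", target
    return "REJECT", None

def proxy_request(user_name: str, table: Dict[str, List[ProxyTarget]],
                  send: Callable[[ProxyTarget, str], bool]) -> Optional[str]:
    """Forward to the realm's targets in order; a target that does not answer is
    marked down and the next one is tried. Returns the host that answered, or None.
    send(target, user_name) stands in for the real RADIUS exchange and returns
    True when the target replied (Access-Accept or Access-Reject), False on timeout."""
    _, realm = split_nai(user_name)
    for target in table.get(realm, []):
        if not target.healthy:
            continue
        if send(target, user_name):
            return target.host
        target.healthy = False   # dead-server detection; a periodic probe would restore it
    return None
```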

Identity Engines 8.0 Live Demo

Demo Guest; Server & Logical View Wireless & Wired users Guest Manager & CASE Active Directory (PDC) Ignition Server Guest VRF Access Portal Intranet Firewall Internet

Demo Guest; Server & Segments View Wireless & Wired users Internet Ignition Server (IDE) Guest Manager & CASE Active Directory (PDC) Firewall Guest VRF Access Portal DMZ Intranet Out of Band Network

Logical: IP nets (VSP9000-1 / VSP9000-2)
VLAN 5 Voice 10.0.5.0/24
VLAN 100 Guest 10.0.10.0/24
VLAN 200 Printer 10.0.20.0/24
VLAN 300 Branch 10.0.30.0/24
VLAN 500 Data 10.0.50.0/24
VLAN 600 Server 10.0.60.0/24
VLAN 1000 Mgmt 10.0.100.0/24
VRFs: VRF Voice, VRF Guest, GRT / VRF0

Identity Engines Resources. Support from Product Management: Michiel Noordermeer/Markus Nikulski, email mnoorder@avaya.com / nikulskimark@avaya.com. 30-Days Free Trial: www.avaya.com/identitytrial. Long term lab licenses available from product management. Collateral: http://www.avaya.com/usa/product/identity-engines-portfolio (brochures, case studies, technical configuration guides). The trial option is really good: full license with all components for 30 days. The customer should apply for it, not the partner, so we know where it is going. 30 days is short; if partners are willing to drive this product, they can get a free one-year license from Markus, and if it proves that they actually do something with it, it can be extended for unlimited. Features are just licenses, no need to reboot the software.

Identity Engines - 30-Days Free Trial. IDEngines FULLY featured at URL: www.avaya.com/identitytrial. Short registration form; IDEngines licenses sent by email. All modules are included: Ignition Server SMALL, MS-NAP, TACACS+, Guest Manager, Analytics. An evaluation deployment can be upgraded to a production deployment simply by applying purchased licenses.

Plan for Success… with Avaya’s BYOD Solution: identity-based network access control; secure network & device security; scalable, future-proof wireless; optimized for collaborative, real-time applications. The box is the WLAN controller; the screens are the NAC product, which is software, not a box! But BYOD may not even be the reason why you’d want to deploy NAC. We will get back on that later. V8.0 adds nice features for BYOD.