Secure network guest access with the Avaya Identity Engines portfolio

Transcription

1 Secure network guest access with the Avaya Identity Engines portfolio Table of Contents Executive summary... 1 Overview... 1 The solution... 2 Key solution features... 2 Guest Access Administration... 3 Compliance Portal... 4 Conclusion... 5 Executive summary Guest users on the network are a reality for today s companies and their IT staffs. Collaboration with visiting customers, partners and contractors requires that these outsiders have some degree of network access while they are visiting. To give these guests the access they need, many organizations are turning to authenticated networks. While authenticated networks allow guests to use the network in a controlled fashion, in practice, the management of guest users is time-consuming and leads to potential auditability difficulties. In order to address these difficulties, the Avaya Identity Engines portfolio works to streamline management of guest users through the Identity Engines Ignition Guest Manager tool, and delivers network auditability through the Ignition Server s logging features. Overview Organizations welcome a steady stream of vendors, partners, training class attendees and other visitors who arrive with immediate needs for network access. IT staff must deliver network services for all types of users while at the same time supporting greater requirements for security, management and control. To maintain compliance and prevent misuse, a growing number of organizations are deploying authenticated networks. At this time, guests and other short-term users must be provisioned by the IT staff, often using a manual, time-consuming process that does not meet just in time business requirements or provide an adequate record for auditing and regulatory compliance. At the same time, heightened concerns around privacy, as well as legal and human resource considerations, are impacting IT organizations. In addition, many attempts to violate network security controls are actually performed by people who once had legitimate network access but whose relationship with the WHITE PAPER 1

2 enterprise has ended. In order to prevent misuse of the network, enterprises need to track the identities of their guests when they arrive, when they leave and who creates the account on their behalf. Dormant user accounts can be costly to manage and are a source of potential security vulnerabilities. Some network administrators use calendar notes as a reminder to disable user accounts at some future date and time. This approach is not reliable since user accounts can remain active long after the guest user s legitimate need has ended. To address these shortcomings and compliance issues, IT managers must guarantee that user accounts automatically expire at the appropriate time. The solution The Avaya Identity Engines portfolio provides a complete and integrated solution for managing network guest user access. This guest management solution consists of the following integrated components: The Identity Engines Ignition Server a centralized network access control solution The Identity Engines Ignition Guest Manager an administrative application for guest user management The Identity Engines Ignition Compliance Portal Web authentication and compliance portal for handling non 802.1X clients Key solution features Manages access to the network from conference rooms, training areas, labs, lobbies and other public areas Controls network access centrally across different access methods wired, wireless and VPN Provisions guest user access to particular subnets, VLANs or outbound web access Supports authenticated network access for guest users with and without 802.1X-enabled devices Provides centralized auditing and logging for all network access Delegates administration to front desk, administrative staff or security personnel Maintains complete traceability by identity for both guest provisioners and guests from account creation to network access Helps to detect and identify excessive account generation or inappropriate accounts Figure 1. Guest Manager allows front desk staff to manage access for guests 2

3 Provides an integrated rules engine for automatic account termination at a scheduled time and date Provides an embedded database for guest user accounts independent of the enterprise directory infrastructure Supports easy customization of the administration console Allows network access to be a revenue generating service Guest Access Administration Guest Manager is an administrative application for centrally managing the network privileges of temporary users such as contractors, visitors and guests. Guest users are managed using an intuitive Web-based interface that can be customized to meet the needs of each enterprise customer. The Web interface may either be hosted on a Web server that is part of the existing enterprise infrastructure or on a dedicated Web server. THE EMERGENCE OF NETWORK IDENTITY Corporations have traditionally focused on the concept of identity at the application level, with many established vendors such as Computer Associates, IBM/Tivoli, Oracle, Sun and HP rolling out single sign-on, user provisioning and other identity management suites. However, with increased need for fine grained access control at the network level, corporations face a new mandate to manage identity at the network level a new class of challenges that many identity management vendors do not address in their application focused solutions. The Guest Manager Web interface allows a receptionist to create a user account for each guest or visitor. A unique account is created in the embedded database on the Avaya Identity Engines Ignition Server (with username, password and other information) so guest users are not added to the enterprise s directory. The Guest Manager allows the administrator to create the guest user s password or specify an automatically generated strong password. Login credentials can be printed and issued with the visitor badge or ed to the guest user. The guest user s network access may be configured to start immediately or scheduled to begin at a future date and continue for the length of time specified by the administrator. Restrictions can be placed on the type of access technology. For example, the Guest Manager Web GUI allows the administrator to control whether the guest user may gain access over wireless, wired or VPN. Auditing and logging is consistent across all user types. Each guest uses a unique guest-account name, allowing the system to maintain an accurate audit trail of network access for each user. This guest management solution provides the ability to track who creates guest accounts as well as each guest network session. As a result, enterprises can easily track network access and provide a mechanism for quick response should misuse be detected. 3

4 Lobby receptionist Avaya Identity Engines Ignition Server Built-in local store for Guest IDs Internet Guest (wired or wireless) Figure 2. Deploy guest services in your executive briefing center Compliance Portal Compliance Portal provides a Web browser-based authentication mechanism that can be used to support devices either not compatible or not configured to use the 802.1X protocol. This allows companies to seamlessly support the diverse number and types of devices that end users have for accessing the network. The optional ability to perform health scans and posture assessments via this Compliance Portal provides another layer of network protection and helps ensure adherence to the organization s chosen security policy, should it require a minimum health standard for unmanaged devices. OVERCOMING THE LIMITS OF ENTERPRISE DATA STORES In many enterprises, the network team depends on the enterprise s centrally managed directory stores to authenticate employees (and often contractors) and grant them network access. Often, the network security and directory are managed by different teams within IT. This lack of control over the directory by the network security staff can affect the implementation of network access policies and may pose a problem when setting up temporary guest access. Without write-access to corporate directory stores, network teams have found it difficult and time consuming to provision temporary guest users. The Avaya Identity Engines portfolio helps solve this problem by creating guest user accounts in the Identity Engines Ignition Server database, allowing enterprises to virtually eliminate the cost and effort associated with adding temporary users to the enterprise directory. 4

5 Conclusion Access to network services has become an essential part of the business environment. The Avaya Identity Engines portfolio provides secure network access to guests and visitors without compromising the overall security of the enterprise network. When visitors arrive, front desk receptionists can create a user account and password that can be used to connect to the wired or wireless network. This guest management solution provides a positive experience for visitors and helps reduce the IT cost for managing access at the same time. For more information on the Avaya Identity Engines solution, contact your Avaya Account Manager or Avaya Authorized Partner. Or, visit us online at avaya.com. About Avaya Avaya is a global provider of business collaboration and communications solutions, providing unified communications, contact centers, data solutions and related services to companies of all sizes around the world. For more information please visit Avaya Inc. All Rights Reserved. Avaya and the Avaya Logo are trademarks of Avaya Inc. and are registered in the United States and other countries. All trademarks identified by, TM or SM are registered marks, trademarks, and service marks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners. Avaya may also have trademark rights in other terms used herein. References to Avaya include the Nortel Enterprise business, which was acquired as of December 18, /11 DN avaya.com