1 Aerohive and Palo Alto Networks Partner Solution Brief
2 Introduction Now that connecting wirelessly is the norm and users have multiple devices they use for business critical and personal activities, having a solution that can identify and enforce network access based on identity, device type, location, and time of day is critical to support and maintain a mobility-optimized network. Aerohive and Palo Alto Networks have joined together to provide next-generation application visibility and control for the mobile-first community. Aerohive s application visibility and policy enforcement functionality provides an administrator with extremely detailed and granular information and controls to optimize user application experience at the edge of the network. Aerohive can customize how applications are prioritized, de-prioritized, or blocked based on all available context, including identity of the user, device type, location on the network, and the time of day. This is extremely useful for ensuring that traffic is appropriately categorized and potentially blocked before it ever even gets onto the network infrastructure, saving valuable resources and providing an extra layer of security. However, many networks require aggregated controls as well as edge-based enforcement, and when you combine the Aerohive mobility-optimized access layer with Palo Alto Network s next-generation firewall, administrators get a comprehensive solution that provides best-of-breed content security and application monitoring for all users and devices connected to the network. Aerohive has the advantage of knowing all the available user context because devices are connecting and users are authenticating to the access points and switches directly in order to gain access to the network. Palo Alto Networks firewalls, on the other hand, are generally installed at the gateway to the network, and have visibility into everything coming or going in aggregate, but the user context is often obscured due to all the network infrastructure between the gateway and the connected client. Together Aerohive and Palo Alto Networks solve the problems of the mobile first enterprise by combining information about user context with application visibility and controls. The Aerohive and Palo Alto Networks Solution Aerohive s Cooperative Control networking infrastructure equipment along with Palo Alto Networks next-generation firewalls provide a comprehensive and robust solution for optimizing the user experience on a mobile first network. Together the solution provides many benefits, including: Enhanced UserID Visibility and Enforcement Aerohive devices can provide user identity, device type, and IP address information to the Palo Alto Networks firewalls to enhance the UserID functionality that allows Palo Alto Networks firewalls to make policy decisions based on context Client-less Operation Aerohive learns the context based on existing interaction between the connected clients and the Aerohive devices, so no client or profile need be installed on the client devices. Comprehensive Application Visibility and Control Together, Aerohive and Palo Alto Networks allow administrators to enforce application controls at both the edge of the network and at the gateway, ensuring applications are identified and prioritized/de-prioritized/blocked based on context at the ideal enforcement point Zero-Cost Data Performance Because this integration relies on information already available to Aerohive devices as part of normal authentication, there is no in-line performance hit for using this integration to enhance application control on the network.
3 Aerohive and Palo Alto Networks Solution Brief How It Works The Aerohive and Palo Alto Networks solution works with Aerohive HiveOS 5.1r3 version or later and Palo Alto Networks PAN-OS version 4.0 or later. The solution requires the Aerohive administrator to set up syslog logging for Aerohive devices and point them at a syslog server that is capable of running scripts. The script then parses the necessary user details and sends it to a server running the PAN UID-API agent, which in turn updates the PAN firewall with the context-enhanced User ID information. Step-by-Step 1. Configure Authentication At the heart of this solution is the requirement for the Aerohive devices to know the identity of the user accessing the network. The three most common ways Aerohive can identify a specific user are A) 802.1X or WPA2-Enterprise; B) Private Pre-Shared Key; or, C) Captive Web Portal. Therefore, the first step is to configure the Aerohive devices with SSIDs or ports that require one of these types of authentication. Copyright 2013, Aerohive Networks, Inc. 3
4 2. Configure Syslog The second step is to configure the Aerohive devices to report the information they know to a syslog server. This can be configured per network policy in the Additional Settings Management Settings section. Once the policy is configured and pushed to the Aerohive devices, HiveOS will begin generating logs that include the user identity, IP address, and operating system and will send them to the configured syslog server. Sample logs look like the following: 802.1X: :06:05 info ah auth: Station 1cab:a7e6:cf7f ip username astrong hostname Strong-iPad3-6 OS Apple ios PPSK: :43:18 info ah_auth: Station 1cab:a7e6:cf7f ip username Buster Keaton hostname Strong-iPad3-6 OS Apple ios CWP: :50:46 info ah_auth: Station 1cab:a7e6:cf7f ip username hostname Strong-iPad3-6 OS Apple ios 3. Scripted info sent to UID-API Once the logs are collected in the syslog server, a script can parse the bolded information and collate it into a format the Palo Alto UID-API can deliver to the Palo Alto Networks firewall. There are 2 major parts to the script data extraction and push to agent. Within the data extraction portion, a regular expression is used to parse the username, IP address, and operating system of the connected client. One important note is that depending on how the network authentication is configured, it may be necessary to append the domain information to the username if it is not included in the log information. Sample script written for Kiwi Syslog Server: ' Copyright (c) 2013 Palo Alto Networks, Inc. ' ' Permission to use, copy, modify, and distribute this software for any 4 Copyright 2013, Aerohive Networks, Inc.
5 Aerohive and Palo Alto Networks Solution Brief ' purpose with or without fee is hereby granted, provided that the above ' copyright notice and this permission notice appear in all copies. ' ' THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES ' WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF ' MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ' ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES ' WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ' ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF ' OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. ' 'Script takes syslog output sent from an Aerohive device to a Kiwi syslog server and updates user data 'log data is expected to look like: :06:05 info ah auth: Station 1cab:a7e6:cf7f ip username astrong hostname Strong-iPad3-6 OS Apple ios Function Main() 'Kiwi syslog requires the content of the script to be contained in a Main() function '----CHANGE THESE TO MATCH AGENT OR FIREWALL---- stragentserver=" " stragentport="5006" '----CHANGE THIS TO MATCH AD DOMAIN NAME!---- strdomain = "Corp" '-----ADD API KEY HERE FOR AGENTLESS OPERATION strkey="" set xmlhttp = CreateObject("Msxml2.ServerXMLHTTP") strlog = Fields.VarCleanMessageText 'This is a Kiwi variable for the content of the log message ptrn = "ip (\d+\.\d+\.\d+\.\d+).*username (\w+).*hostname (.*) OS (.*)" if InStr(strLog,"n/a")=0 then 'Will not run script if there is no username '// Create the regular expression. Set re = New RegExp re.pattern = ptrn re.ignorecase = False re.global = True '// Perform the search. Set Matches = re.execute(strlog) Copyright 2013, Aerohive Networks, Inc. 5
6 '// Collect matches and assign the user and address to variables set omatch = Matches(0) struser = omatch.submatches(1) straddress = omatch.submatches(0) strhost = omatch.submatches(2) stros = omatch.submatches(3) '// Build the XML message strxmlline = "<uid-message><version>1.0</version><type>update</type><payload><login>" strxmlline = strxmlline & "<entry name=""" & strdomain & "\" & struser & """ ip=""" & straddress & """/>" if strkey!="" then strxmlline = strxmlline & "<hip-report><md5-sum>ae413e22b34a76366a542a1dd9b1108a</md5-sum><user-name> " & struser & "</user-name><domain>" & strdomain & "</domain><host-name>"& strhost & "</host-name><ip-address>"& straddress & "</ip-address><generate-time>" & Now & "</generate-time><categories><entry name=""" & "host-info" & """><client-version></client-version><os>" & stros & "</os><os-vendor></os-vendor><domain></domain><host-name>android</host-name </entry></categories></hip-report> end if strxmlline = strxmlline & "</login></payload></uid-message>" '// '// Post to the UID agent '// Const SXH_SERVER_CERT_IGNORE_ALL_SERVER_ERRORS = If strkey="" then 'Posting to software agent '// Post data to Agent surl = "https://" & stragentserver & ":" & stragentport & "/" On Error Resume Next xmlhttp.open "put", surl, False xmlhttp.setrequestheader "Content-type", "text/xml" xmlhttp.setoption 2, SXH_SERVER_CERT_IGNORE_ALL_SERVER_ERRORS xmlhttp.send strxmlline 6 Copyright 2013, Aerohive Networks, Inc.
7 Aerohive and Palo Alto Networks Solution Brief xmlhttp.close else 'posting to firewall agent '//Post using REST API surl = "https://" & stragentserver & "/api/?type=user-id&action=set&key=" & strkey & "&cmd=" & strxmlline On Error Resume Next xmlhttp.open "put", surl, False xmlhttp.setrequestheader "Content-type", "text/xml" xmlhttp.setoption 2, SXH_SERVER_CERT_IGNORE_ALL_SERVER_ERRORS xmlhttp.send xmlhttp.close end if end if Main="OK" 'return value for Kiwi End Function 4. Create Rules in Palo Alto Networks firewall Once you have the additional UserID information, the Palo Alto Networks firewall can enforce policies based on available context, such as membership group, device type, or IP address. Summary Next-generation networking requires knowledge of user identity, device type, location, and time to enforce granular policies that allow users to access the network according to their context. By combining two best-of-breed solutions, Aerohive Networks and Palo Alto Networks allow customers to optimize mobility and ensure security with granular, context-based application visibility and policy enforcement both at the edge and at the gateway. Together the solution provides unprecedented visibility, monitoring, and policy controls for a mobile first enterprise. Copyright 2013, Aerohive Networks, Inc. 7
8 About Aerohive People want to work anywhere; on any device, and IT needs to enable them -- without drowning in complexity or compromising on security, performance, reliability or cost. Aerohive's mission is to Simpli-Fi these enterprise access networks with a cloud-enabled, self-organizing, service-aware, identity-based infrastructure that includes innovative Wi-Fi, VPN, branch routing and switching solutions. Aerohive was founded in 2006 and is headquartered in Sunnyvale, Calif. The company's investors include Kleiner Perkins Caufield & Byers, Lightspeed Venture Partners, Northern Light Venture Capital, New Enterprise Associates, Inc. (NEA) and Institutional Venture Partners (IVP). For more information, please visit call us at , follow us on subscribe to our blog, join our community or become a fan on our Facebook page.. About Palo Alto Networks Palo Alto NetworksTM next-generation firewalls enable unprecedented visibility and granular policy control of applications and content by user, not just IP address at 20 Gbps network throughput levels. Based on patent- pending App-IDTM technology, Palo Alto Networks firewalls accurately identify and control applications regardless of port, protocol, evasive tactic or SSL encryption and scan content to stop threats and prevent data leakage. Enterprises can, for the first time, embrace Web 2.0 and maintain complete visibility and control, while significantly reducing total cost of ownership through device consolidation Corporate Headquarters International Headquarters Aerohive Networks, Inc. Aerohive Networks Europe LTD 330 Gibraltar Drive The Court Yard Sunnyvale, California USA West Street Phone: Farnham, Surrey, UK, GU9 7DR Toll Free: (0) Fax: Fax: + 44 (0)
Solution Brief Application Visibility and Control Context-based Visibility, Prioritization, and Enforcement Enhancing Cooperative Control Infrastructure with Application Awareness Modern IT administrators
MOBILE FIRST ENTERPRISE 1 White Paper Mobile-first Enterprise: Easing the IT Burden 10 Requirements for Optimizing Your Network for Mobility 2 MOBILE FIRST ENTERPRISE Table of Contents Executive Summary
Ubiquitous Wireless for Law Firms and Legal Offices white paper Ubiquitous Wireless Network for Law Firms and Legal Offices Empowering attorneys, legal agency workers and enforcement personnel with Simple,
THE BENEFITS OF CLOUD NETWORKING 1 White Paper The Benefits of Cloud Networking Enable cloud networking to lower IT costs & boost IT productivity 2 THE BENEFITS OF CLOUD NETWORKING Table of Contents Introduction
Mobile workforce management software solutions Empowering the evolving workforce with an end-to-end framework 2013 Dell, Inc. ALL RIGHTS RESERVED. This document contains proprietary information protected
Websense Web Security Gateway Anywhere Getting Started Guide v7.5 1996 2010, Websense Inc. All rights reserved. 10240 Sorrento Valley Rd., San Diego, CA 92121, USA Published September 8, 2010 Printed in
Secure Gateway for Windows Administrator s Guide Secure Gateway for Windows Copyright and Trademark Notice Use of the product documented in this guide is subject to your prior acceptance of the End User
Product Overview for Windows Small Business Server 2011 December 2010 Abstract Microsoft offers Windows Small Business Servers as a business solution for small businesses by providing a simplified setup,
Palo Alto Networks In The Data Center: Eliminating Compromise May 2011 Executive Summary In principle, data center network security is easy prevent threats, comply with regulations and enterprise policies,
10 Things Your Next Firewall Must Do Introduction Without question, your network is more complex than ever before. Your employees are accessing any application they want, using work or personal devices.
Mobile Device Manager v. 7.3 Admin Guide Document Revision Date: Oct. 14, 2014 MDM Admin Guide i Contents Introduction... 1 System Requirements... 1 Getting Started with AirWatch... 2 Environment Setup...
RSA Authentication Manager 8.1 Help Desk Administrator s Guide Revision 1 Contact Information Go to the RSA corporate website for regional Customer Support telephone and fax numbers: www.emc.com/domains/rsa/index.htm
Nine Essential Requirements for Web Security Enabling safe, productive access to social media and other web applications Table of Contents Executive Summary...3 Introduction...4 Web Security Concerns....4
Enabling Solutions in Cloud Infrastructure and for Network Functions Virtualization Gateway Use Cases for Virtual Networks with MX Series Routers 1 Table of Contents Executive Summary... 3 Introduction...4
Security and WAN optimization: Getting the best of both worlds E-Guide As the number of people working outside primary office locations increases, the challenges surrounding security and optimization are
Application Delivery Networks: The New Imperative for IT Visibility, Acceleration and Security > White Paper Application Delivery Networks: The New Imperative for IT Visibility, Acceleration and Security
Configuration Guide BES12 Version 12.1 Published: 2015-04-22 SWD-20150422113638568 Contents Introduction... 7 About this guide...7 What is BES12?...7 Key features of BES12... 8 Product documentation...
It s Time to Fix The Firewall Re-Establishing the Firewall as The Cornerstone of Enterprise Network Security February, 2009 Palo Alto Networks 232 East Java Dr. Sunnyvale, CA 94089 Sales 866.207.0077 www.paloaltonetworks.com
.Trustwave.com Updated October 9, 2007 Secure Web Gateway Version 11.0 Amazon EC2 Platform Set-up Guide Legal Notice Copyright 2012 Trustwave Holdings, Inc. All rights reserved. This document is protected
Symantec Encryption Management Server Administrator's Guide 3.3 The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Version 8.0 Author: Marc Rueter Senior Director, Strategic Solutions, Tableau Software June 2013 p2 Today s enterprise class systems need to provide robust security in order to meet the varied and dynamic