Aerohive and Palo Alto Networks. Partner Solution Brief

Transcription

1 Aerohive and Palo Alto Networks Partner Solution Brief

2 Introduction Now that connecting wirelessly is the norm and users have multiple devices they use for business critical and personal activities, having a solution that can identify and enforce network access based on identity, device type, location, and time of day is critical to support and maintain a mobility-optimized network. Aerohive and Palo Alto Networks have joined together to provide next-generation application visibility and control for the mobile-first community. Aerohive s application visibility and policy enforcement functionality provides an administrator with extremely detailed and granular information and controls to optimize user application experience at the edge of the network. Aerohive can customize how applications are prioritized, de-prioritized, or blocked based on all available context, including identity of the user, device type, location on the network, and the time of day. This is extremely useful for ensuring that traffic is appropriately categorized and potentially blocked before it ever even gets onto the network infrastructure, saving valuable resources and providing an extra layer of security. However, many networks require aggregated controls as well as edge-based enforcement, and when you combine the Aerohive mobility-optimized access layer with Palo Alto Network s next-generation firewall, administrators get a comprehensive solution that provides best-of-breed content security and application monitoring for all users and devices connected to the network. Aerohive has the advantage of knowing all the available user context because devices are connecting and users are authenticating to the access points and switches directly in order to gain access to the network. Palo Alto Networks firewalls, on the other hand, are generally installed at the gateway to the network, and have visibility into everything coming or going in aggregate, but the user context is often obscured due to all the network infrastructure between the gateway and the connected client. Together Aerohive and Palo Alto Networks solve the problems of the mobile first enterprise by combining information about user context with application visibility and controls. The Aerohive and Palo Alto Networks Solution Aerohive s Cooperative Control networking infrastructure equipment along with Palo Alto Networks next-generation firewalls provide a comprehensive and robust solution for optimizing the user experience on a mobile first network. Together the solution provides many benefits, including: Enhanced UserID Visibility and Enforcement Aerohive devices can provide user identity, device type, and IP address information to the Palo Alto Networks firewalls to enhance the UserID functionality that allows Palo Alto Networks firewalls to make policy decisions based on context Client-less Operation Aerohive learns the context based on existing interaction between the connected clients and the Aerohive devices, so no client or profile need be installed on the client devices. Comprehensive Application Visibility and Control Together, Aerohive and Palo Alto Networks allow administrators to enforce application controls at both the edge of the network and at the gateway, ensuring applications are identified and prioritized/de-prioritized/blocked based on context at the ideal enforcement point Zero-Cost Data Performance Because this integration relies on information already available to Aerohive devices as part of normal authentication, there is no in-line performance hit for using this integration to enhance application control on the network.

3 Aerohive and Palo Alto Networks Solution Brief How It Works The Aerohive and Palo Alto Networks solution works with Aerohive HiveOS 5.1r3 version or later and Palo Alto Networks PAN-OS version 4.0 or later. The solution requires the Aerohive administrator to set up syslog logging for Aerohive devices and point them at a syslog server that is capable of running scripts. The script then parses the necessary user details and sends it to a server running the PAN UID-API agent, which in turn updates the PAN firewall with the context-enhanced User ID information. Step-by-Step 1. Configure Authentication At the heart of this solution is the requirement for the Aerohive devices to know the identity of the user accessing the network. The three most common ways Aerohive can identify a specific user are A) 802.1X or WPA2-Enterprise; B) Private Pre-Shared Key; or, C) Captive Web Portal. Therefore, the first step is to configure the Aerohive devices with SSIDs or ports that require one of these types of authentication. Copyright 2013, Aerohive Networks, Inc. 3

4 2. Configure Syslog The second step is to configure the Aerohive devices to report the information they know to a syslog server. This can be configured per network policy in the Additional Settings Management Settings section. Once the policy is configured and pushed to the Aerohive devices, HiveOS will begin generating logs that include the user identity, IP address, and operating system and will send them to the configured syslog server. Sample logs look like the following: 802.1X: :06:05 info ah auth: Station 1cab:a7e6:cf7f ip username astrong hostname Strong-iPad3-6 OS Apple ios PPSK: :43:18 info ah_auth: Station 1cab:a7e6:cf7f ip username Buster Keaton hostname Strong-iPad3-6 OS Apple ios CWP: :50:46 info ah_auth: Station 1cab:a7e6:cf7f ip username [email protected] hostname Strong-iPad3-6 OS Apple ios 3. Scripted info sent to UID-API Once the logs are collected in the syslog server, a script can parse the bolded information and collate it into a format the Palo Alto UID-API can deliver to the Palo Alto Networks firewall. There are 2 major parts to the script data extraction and push to agent. Within the data extraction portion, a regular expression is used to parse the username, IP address, and operating system of the connected client. One important note is that depending on how the network authentication is configured, it may be necessary to append the domain information to the username if it is not included in the log information. Sample script written for Kiwi Syslog Server: ' Copyright (c) 2013 Palo Alto Networks, Inc. <[email protected]> ' ' Permission to use, copy, modify, and distribute this software for any 4 Copyright 2013, Aerohive Networks, Inc.

5 Aerohive and Palo Alto Networks Solution Brief ' purpose with or without fee is hereby granted, provided that the above ' copyright notice and this permission notice appear in all copies. ' ' THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES ' WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF ' MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ' ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES ' WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ' ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF ' OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. ' 'Script takes syslog output sent from an Aerohive device to a Kiwi syslog server and updates user data 'log data is expected to look like: :06:05 info ah auth: Station 1cab:a7e6:cf7f ip username astrong hostname Strong-iPad3-6 OS Apple ios Function Main() 'Kiwi syslog requires the content of the script to be contained in a Main() function '----CHANGE THESE TO MATCH AGENT OR FIREWALL---- stragentserver=" " stragentport="5006" '----CHANGE THIS TO MATCH AD DOMAIN NAME!---- strdomain = "Corp" '-----ADD API KEY HERE FOR AGENTLESS OPERATION strkey="" set xmlhttp = CreateObject("Msxml2.ServerXMLHTTP") strlog = Fields.VarCleanMessageText 'This is a Kiwi variable for the content of the log message ptrn = "ip (\d+\.\d+\.\d+\.\d+).*username (\w+).*hostname (.*) OS (.*)" if InStr(strLog,"n/a")=0 then 'Will not run script if there is no username '// Create the regular expression. Set re = New RegExp re.pattern = ptrn re.ignorecase = False re.global = True '// Perform the search. Set Matches = re.execute(strlog) Copyright 2013, Aerohive Networks, Inc. 5

6 '// Collect matches and assign the user and address to variables set omatch = Matches(0) struser = omatch.submatches(1) straddress = omatch.submatches(0) strhost = omatch.submatches(2) stros = omatch.submatches(3) '// Build the XML message strxmlline = "<uid-message><version>1.0</version><type>update</type><payload><login>" strxmlline = strxmlline & "<entry name=""" & strdomain & "\" & struser & """ ip=""" & straddress & """/>" if strkey!="" then strxmlline = strxmlline & "<hip-report><md5-sum>ae413e22b34a76366a542a1dd9b1108a</md5-sum><user-name> " & struser & "</user-name><domain>" & strdomain & "</domain><host-name>"& strhost & "</host-name><ip-address>"& straddress & "</ip-address><generate-time>" & Now & "</generate-time><categories><entry name=""" & "host-info" & """><client-version></client-version><os>" & stros & "</os><os-vendor></os-vendor><domain></domain><host-name>android</host-name </entry></categories></hip-report> end if strxmlline = strxmlline & "</login></payload></uid-message>" '// '// Post to the UID agent '// Const SXH_SERVER_CERT_IGNORE_ALL_SERVER_ERRORS = If strkey="" then 'Posting to software agent '// Post data to Agent surl = " & stragentserver & ":" & stragentport & "/" On Error Resume Next xmlhttp.open "put", surl, False xmlhttp.setrequestheader "Content-type", "text/xml" xmlhttp.setoption 2, SXH_SERVER_CERT_IGNORE_ALL_SERVER_ERRORS xmlhttp.send strxmlline 6 Copyright 2013, Aerohive Networks, Inc.

7 Aerohive and Palo Alto Networks Solution Brief xmlhttp.close else 'posting to firewall agent '//Post using REST API surl = " & stragentserver & "/api/?type=user-id&action=set&key=" & strkey & "&cmd=" & strxmlline On Error Resume Next xmlhttp.open "put", surl, False xmlhttp.setrequestheader "Content-type", "text/xml" xmlhttp.setoption 2, SXH_SERVER_CERT_IGNORE_ALL_SERVER_ERRORS xmlhttp.send xmlhttp.close end if end if Main="OK" 'return value for Kiwi End Function 4. Create Rules in Palo Alto Networks firewall Once you have the additional UserID information, the Palo Alto Networks firewall can enforce policies based on available context, such as membership group, device type, or IP address. Summary Next-generation networking requires knowledge of user identity, device type, location, and time to enforce granular policies that allow users to access the network according to their context. By combining two best-of-breed solutions, Aerohive Networks and Palo Alto Networks allow customers to optimize mobility and ensure security with granular, context-based application visibility and policy enforcement both at the edge and at the gateway. Together the solution provides unprecedented visibility, monitoring, and policy controls for a mobile first enterprise. Copyright 2013, Aerohive Networks, Inc. 7

8 About Aerohive People want to work anywhere; on any device, and IT needs to enable them -- without drowning in complexity or compromising on security, performance, reliability or cost. Aerohive's mission is to Simpli-Fi these enterprise access networks with a cloud-enabled, self-organizing, service-aware, identity-based infrastructure that includes innovative Wi-Fi, VPN, branch routing and switching solutions. Aerohive was founded in 2006 and is headquartered in Sunnyvale, Calif. The company's investors include Kleiner Perkins Caufield & Byers, Lightspeed Venture Partners, Northern Light Venture Capital, New Enterprise Associates, Inc. (NEA) and Institutional Venture Partners (IVP). For more information, please visit call us at , follow us on subscribe to our blog, join our community or become a fan on our Facebook page.. About Palo Alto Networks Palo Alto NetworksTM next-generation firewalls enable unprecedented visibility and granular policy control of applications and content by user, not just IP address at 20 Gbps network throughput levels. Based on patent- pending App-IDTM technology, Palo Alto Networks firewalls accurately identify and control applications regardless of port, protocol, evasive tactic or SSL encryption and scan content to stop threats and prevent data leakage. Enterprises can, for the first time, embrace Web 2.0 and maintain complete visibility and control, while significantly reducing total cost of ownership through device consolidation Corporate Headquarters International Headquarters Aerohive Networks, Inc. Aerohive Networks Europe LTD 330 Gibraltar Drive The Court Yard Sunnyvale, California USA West Street Phone: Farnham, Surrey, UK, GU9 7DR Toll Free: (0) Fax: Fax: + 44 (0) [email protected]