1 TECHNICAL WHITEPAPER Author: Tom Kistner, Chief Software Architect Last update: 18. Dez 2014 Table of Contents Introduction... 2 Terminology... 2 Basic Concepts... 2 Appliances... 3 Hardware...3 Software...3 Shadow Appliances...4 Layer 2 (LAN) functions... 4 Zone management...4 Port management...4 xlan...4 SwitchVPN...4 Layer 3 (IP) functions... 4 IP Network management...4 IPv4 / IPv6 Dual-Stack...5 Gateway functions...5 Uplink handling...5 RouteVPN...5 WiFi... 5 SSIDs and authentication...5 Broadcasts...5 WiFi planner...5 Enterprise integration... 6 Directory Services...6 DNS routing...6 Dynamic Zone assignment...6 Device Management... 6 Device registration...6 Employee Portal...6 Device visibility...6 Applications... 7 Application catalog...7 Custom Applications...7 Web categories...7 Application Groups...7 Policy controls... 7 Outbound/Internal rules...7 Inbound (NAT) rules...8 Guest access...8 Visibility and reporting... 8 Events and Alerts...8 Traffic reporting...8
2 Introduction The Ocedo System enables central, cloud-based network management for organizations of all sizes, across multiple physical locations. It consists of: Ocedo Connect, a controller service hosted by Ocedo in Germany, a local partner, or the end customer. Ocedo Appliances, including Access Points, Switches, and Gateways, deployed on-premise or in virtualized environments. Terminology The Ocedo System defines some keywords for certain objects or concepts. For easier recognition, these are usually printed capitalized and in italic in this document. Here s a short list of the keywords and what they mean: CC Realm Admin Org Site Zone Uplink Device Device Group User User Group Application Application Group Rule SSID Broadcast Appliance Port - Ocedo Connect Controller. - The sum of all Orgs managed on the CC. - Administrator with rights to certain Orgs or the whole Realm. - Managed organization, usually a company. - Networked site, like an office or a datacenter rack. - Network zone (L2 segment or VLAN). - An internet connection in a Site. - Networked device, anything with a MAC address - Group of Devices - Person accessing the network with Devices. - Group of Users - Networked service that users are accessing. - Group of Applications (and optional web categories) - Policy rule, usually combination of users and applications. - WiFi SSID definition, with authentication options. - A WiFi broadcast of an SSID in a Site. - An Ocedo Appliance, hardware or software. - Ethernet connection of an appliance, WAN or LAN. Basic Concepts The Ocedo Connect controller (CC) is multi-tenant capable, so it manages a Realm consisting 2
3 of many organizations (Orgs). Every Org represents an end customer (typically a company). Is is possible to assign administrative rights to individual Admin accounts per-org. Appliances and licensing are also managed on a per-org basis. The Org contains one or more Sites. A Site is a location like an office building, a hosting center or cloud location. Every Site has at least one internet Uplink and one local network Zone. Appliances Ocedo Appliances come in three main function classes: Gateways Provide basic network services to Zones. Handle one or more Uplinks. Enable policy enforcement. Enable extended reporting. Enable AutoVPN in SwitchVPN and RouteVPN flavors. Access Points Provide network access to WiFi Clients. Switches Enable plug-and-play multi-zone L2 connectivity. Provide POE to POE-enabled appliances (including 3rd party devices) All Ocedo Appliances are managed from the CC, including all firmware upgrades. Hardware Ocedo hardware appliances come with a serial number that is used to activate the appliance in the Realm or Org. Check the Ocedo Website for a list of available appliance models. Software Ocedo Gateways are available as software Appliances, in two flavors: Gateway VM A virtual gateway running in any virtualizer like VMware, Hyper-V, KVM, Xen Gateway JumpStart A software gateway image that runs off any USB stick on any Intel-x86 compatible hardware. Software gateways can be freely created in CC, downloaded and deployed instantly. 3
4 Shadow Appliances Shadow Appliances are placeholders for hardware appliances. They can be used and configured just like regular Appliances, and can later be backed by real hardware. Any number of Shadow Appliances can be added to an Org. This facilitates planning and configuration before rolling out a solution. Layer 2 (LAN) functions Zone management Zones are L2 segments that contain one or more L3 (IPv4/6) networks. In the Ocedo System, every Zone has a VLAN tag assigned which is unique across the Org. If no specific VLAN tag is required, the system will pick one from a pool. The GUI offers a unified view of all Zones/VLANs used in the Org. VLANs do not have to be used on the wire, but they re always built-in so a possible future upgrade to a VLAN-capable environment is seamless. Port management Switched and discrete ports of switch and gateway appliances can be managed from a single view across the entire Org, including Zone assignments and information about attached Devices. When connecting Ocedo appliances (gateways, switches, access points), they will automatically set the connecting Ports to carry all required Zones, so manual VLAN transfer assignments are not needed. xlan In smaller Sites, VLAN is often not available, either because unmanaged 3rd-party switches are used, or there s simply no switch at all. For such cases, the Ocedo system offers xlan, a local L2 tunneling technology that allows to layer additional Zones onto a single-segment LAN. This is mainly useful to offer secure guest access. SwitchVPN SwitchVPN is Ocedo s L2 VPN, based on IPsec. It automatically makes a Zone available in a remote Site if it is required there. Two examples of typical use-cases of SwitchVPN are: Broadcast Zone by WiFi in remote sites (full-backhaul remote access parallel to existing private network). Seamlessly connect cloud locations to on-premise equipment (ideal for moving services to the cloud). Layer 3 (IP) functions IP Network management The Ocedo System allows for fully automatic IP numbering, meaning that IPv4 and IPv6 networks are automatically assigned to Zones, drawn from a per-organization pool. Several IP (L3) 4
5 networks can co-exist in a Zone, for example to enable parallel usage of private and public IPs. In order to integrate into existing networks, it is possible to manually specify IP networks. IPv4 / IPv6 Dual-Stack The Ocedo System is dual-stack by default. Even if IPv6 is not required or currently deployed in an Org, all Zones reserve an IPv6 prefix from a pool, so IPv6 can be rolled out with minimal overhead. IPv6 is automatically included in all L3 functions, without extra configuration or management overhead. Gateway functions When an Ocedo Gateway is handling gateway functionality for a Zone, it will provide DHCP, NTP and DNS services automatically. Gateways provide security and reporting functionality for connected Zones (see further below). Routing Gateways will automatically route into connected Zones, either themselves being the gateway for a Zone, or just being a member device in a Zone. It is also possible to set up static routes to 3rd party equipment. Uplink handling An Ocedo Gateway can handle several internet Uplinks, either by concurrent usage or as backup. Some gateway models offer built-in 3G support. Uplinks are monitored by the gateway and fallback/fall-forward operation is fully automatic. RouteVPN RouteVPN is Ocedo s L3 VPN, based on IPSec. It automatically builds required tunnels between Sites if Zones have been flagged as being reachable from other Sites in the same Org. VPN links are constantly monitored, and traffic is included in policy controls (see further below). WiFi SSIDs and authentication The Ocedo System supports defining WPA SSIDs with password as well as enterprise authentication against RADIUS/NPS servers (see Enterprise integration below). Open SSIDs can also be configured to accommodate guest zones. Broadcasts SSIDs can be flexibly broadcasted by-site. Every Broadcast can set additional, advanced WiFi options as well as the captive portal (see further below). Channel selection and transmit power selection can be fully automatic or manually set per-ap. Broadcasting remote Zones is made simple by SwitchVPN (see above). WiFi planner Ocedo s integrated WiFi planner lets you easily visualize WiFi coverage in all Sites. Upload floor plans and place AP placeholders as required. Different coverage-type presets can be selected. Placeholders can automatically be turned in real hardware deployments later. 5
6 Enterprise integration Directory Services The Ocedo System allows syncing Users and selected User Groups from Active Directory and Google Apps directory services. User credentials are not queried by or stored in the CC. In case of an on-premise Active Directory installation, the connection to the domain controller can be securely made through any deployed Ocedo appliance, without the need for firewall rules or exposing the AD to the internet. DNS routing In order to integrate internal DNS zones, Ocedo appliances can use internal third-party DNS servers for specific domains. These DNS routes will also be used by end-user clients. Dynamic Zone assignment It is possible to assign accessing clients to different network zones. This can either be done with AD through the RADIUS/NPS server, or by setting tags on Zones and User Groups or Users. Device Management The Ocedo System allows (but not forces) fleet management of network Devices. A Device is anything that has a MAC address. New Devices are automatically detected and can be registered by the admin or the User owning the Device. Device registration Devices can be registered to a User account (in case responsibility is assignable to a single user), or be assigned to Device Groups (in case it is a shared device, like a printer or a server). Once registered, Devices are recognized throughout the entire Org. Device management is the foundation for policy controls, since it enables applying policy rules to devices (or abstractions like users or groups) instead of IP networks or Zones. Employee Portal The employee portal offloads the task of registering bulk devices onto the end users. It can be activated per-broadcast (wireless) or per-portgroup (wired). Unregistered Devices will then be redirected to the portal, where users can register their Device to their user account by loopback (by specifying address) or by SMS text message (by specifying their mobile number). Both options verify the contact details with the user account. Device visibility Unknown detected devices are shown with available OS, vendor and owner information, if available. The Ocedo System keeps track of IP addresses used by devices. Current device location and connection information is also shown. Device traffic activity can be tracked in Traffic reporting (see further below). 6
7 Applications Applications are networked services that run in the internal network or on the Internet (external Applications). Access to Applications can be regulated by policy. Application catalog Ocedo provides a constantly updated catalog of public applications that are available on the Internet (for example Facebook or Salesforce ). Every catalog application is assigned to a default predefined Application Group (see below). Custom Applications Custom Applications can be defined to enable setting up access policies for internal services, or specific internet-based services. Internal Applications are usually defined on top of a registered server Device or Device Group. It is also possible to define Applications based on IPs, ports or host/domain names. Web categories In addition to the application catalog, a web category catalog is available. Web Categories can be added to Application Groups (see below) in order to include sites that aren t covered by a specific application. Application Groups For convenient basic policy creation, Ocedo predefines a number of Application Groups. These predefined groups contain both catalog Applications and Web Categories to form a consistent match for specific areas (for example Social Networks or Business ). Policy controls Policy controls are built on Rules. There are two types of Rules: Outbound/Internal rules: These rules define the policy for internal Users and Devices accessing internal or external Applications. Inbound (NAT) rules: These rules defined the policy for external (Internet) access to internal Applications. They offer optional support for NAT, port translations and an external host whitelist. Outbound/Internal rules Outbound/Internal Rules specify a source, a target and an action. The action can be either Allow or Deny. The source can be either a special catch-all selection like All registered users, or a custom selection of: User Groups Device Groups 7
8 Individual Users Individual Devices Policy tags The target is either: The special selector Any, matching any target. A selection of Zones. A selection of Application Groups and Applications. A typical structure for a ruleset is to base the Outbound/Internal Rules on User Groups and Device Groups, and make exceptions with tags. Inbound (NAT) rules Internal Applications based on Devices can be made available to the Internet by creating an inbound Rule. This Rule can use DNAT or Full NAT, and also apply a port offset. To limit access to the exposed application to specific external hosts, a host-based whitelist can be specified. Guest access To offer secure access for guests, a specific Zone can be declared as being a guest zone. When using the Captive Portal on the Zone, it can register guests using address, mobile number (via SMS) or Facebook, Twitter or Google social logins. Guest devices are managed separately from employee devices, and guests can be used as a distinct group in Outbound/Internal Rules, so it is possible to have a policy specific to guest users. Visibility and reporting Next to device visibility (see above), the Ocedo System offers continuous automatic monitoring and alerting/notification on network events. Events and Alerts The event log offers live updates on changes in the network status, as well as an ongoing audit trail for configuration changes. Traffic reporting Traffic reporting enables a full view on all generated internal and external traffic, filtered by user, site and date/time. Reporting uses the same Application Groups, Applications and web categories as the policy engine, so the reported results can directly be converted to policy rules if needed. 8
Report Number: I332-016R-2005 Security Guidance for Deploying IP Telephony Systems Systems and Network Attack Center (SNAC) Released: 14 February 2006 Version 1.01 SNAC.Guides@nsa.gov ii This Page Intentionally
VMware Horizon 6.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this
Version 1.00 08/28/2012 User Manual Wireless N 300 Cloud Router Preface D-Link reserves the right to revise this publication and to make changes in the content hereof without obligation to notify any person
Copyright 2006-2013, 3CX Ltd. http://www.3cx.com E-mail: email@example.com Information in this document is subject to change without notice. Companies names and data used in examples herein are fictitious unless
vshield Manager 5.0.1 vshield App 5.0.1 vshield Edge 5.0.1 vshield Endpoint 5.0.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced
Server Management with Lenovo ThinkServer System Manager For next-generation Lenovo ThinkServer systems Lenovo Enterprise Product Group Version 1.0 September 2014 2014 Lenovo. All rights reserved. LENOVO
Based on Synology DSM 5.0 Document ID 910-11569-00 REV01 USER GUIDE, NAS, ENG, DSM5_0 Table of Contents Chapter 1: Introduction Chapter 2: Get Started with Synology DiskStation Manager (DSM) Install iosafe
WHITE PAPER Mobility Services Platform (MSP) Using MSP in Wide Area Networks (Carriers) Table of Contents About This Document... 1 Chapter 1 Wireless Data Technologies... 2 Wireless Data Technology Overview...
UPnP CERTIFIED TECHNOLOGY YOUR SIMPLE SOLUTION FOR HOME, OFFICE AND SMALL BUSINESS INTEROPERABILITY September 2010 INTRODUCTION Not long ago, consumers and small business owners were reasonably satisfied
ADMINISTRATION GUIDE Cisco Small Business WAP4410N Wireless-N Access Point with Power Over Ethernet Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the
The Critical Security Controls for Effective Cyber Defense Version 5.0 1 Introduction... 3 CSC 1: Inventory of Authorized and Unauthorized Devices... 8 CSC 2: Inventory of Authorized and Unauthorized Software...
Siebel Security Guide Siebel Innovation Pack 2013 Version 8.1/8.2 September 2013 Copyright 2005, 2013 Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided
Iomega EZ Media and Backup Center User Guide Table of Contents Setting up Your Device... 1 Setup Overview... 1 Set up My Iomega StorCenter If It's Not Discovered... 2 Discovering with Iomega Storage Manager...
VMG1312-B Series Support Notes Jun2012 Edition 1.0 Index General Application Notes... 6 Why use VMG1312-B Series?...6 Application Scenario...8 Prologue... 10 Access Application Notes...12 Web GUI... 12
Standard: Version: 2.0 Date: June 2011 Author: PCI Data Security Standard (PCI DSS) Virtualization Special Interest Group PCI Security Standards Council Information Supplement: PCI DSS Virtualization Guidelines
MOBILE FIRST ENTERPRISE 1 White Paper Mobile-first Enterprise: Easing the IT Burden 10 Requirements for Optimizing Your Network for Mobility 2 MOBILE FIRST ENTERPRISE Table of Contents Executive Summary
ProfileUnity with FlexApp Technology Help Manual Introduction This guide has been authored by experts at Liquidware Labs in order to provide information and guidance concerning ProfileUnity with FlexApp.
Synology NAS User's Guide Document ID Syno_UsersGuide_NAS_20140226 Table of Contents Chapter 1: Introduction Chapter 2: Get Started with Synology DiskStation Manager Install Synology NAS and DSM... 7 Sign
IceWarp Unified Communications Reference Version 11.1 Published on 11/4/2014 Contents... 4 About... 5 The Big Picture... 7 Reference... 8 General... 8 Dial Plan... 9 Dial Plan Examples... 12 Devices...
Synology NAS User's Guide Document ID Syno_UsersGuide_NAS_20141024 Table of Contents Chapter 1: Introduction Chapter 2: Get Started with Synology DiskStation Manager Install Synology NAS and DSM... 7 Sign