Bring Your Own Device: Putting Context into Wireless Security
Glen Stacey, Networking Systems Engineer, Glen_stacey@dell.com
iPad in the News
- "More and more iPads will find their way into the workplace in 2011, but the vast majority (60 to 70%) won't be purchased by IT departments."
- "Financial Services will lead the way in iPad adoption."
- "iPad poised to revolutionize retail industry."
- "Math that moves: Schools embrace the iPad."
- "Restaurants uploading menus to iPad for diners."
- "With the iPad, Apple may just revolutionize medicine."
Consumerization of IT: A Perfect Storm
- Multimedia: custom enterprise multimedia apps; >50% of employees adopting video
- Mobile Devices: Fortune 100 >80% deploying iPad & iPhone; smartphones 289M in 2010, 1B in 2013*; tablets 54.8M in 2011, 300M in 2013* (10x growth by 2013!)
- Collaboration: social business (Jive, Chatter, Yammer); connections (Lync, Telepresence, Facetime)
- Virtual Desktops: 45M installations by 2013 (Citrix XenDesktop, VMware View)
(*) Source: Gartner
Dramatic Shift in Device Mix
- For the first time in ~30 years, less than 50% of devices are Windows/Intel-based.
- 100% of the Fortune 500 have ratified iOS.
- iPad sales: 111% increase YoY (15.4M units last quarter; source: Apple Q1 results).
CIO Concerns: Secure Access, Reliable Service, Minimal Cost
How Do You Make BYOD Work in Your Environment?
BYOD in 2012 and beyond means iOS, Android and Ultrabooks connecting over VPN from any network, as any user. Three requirements follow:
- We need to keep the network and its users protected.
- We need to provide a reliable and intuitive experience to employees and guests.
- We need to minimize the impact on IT and helpdesk staff.
Device Fingerprinting: Key Innovation
- Identify device types, with model and OS, as they connect (e.g. iOS, Android, Windows, RIM).
- Distinguish a user on an IT-issued laptop from the same user on a personal device.
- Apply per-user and per-device access control.
Result: a user- and device-aware architecture.
Device Context for Role Based Access
How It Works? (architecture diagram; the components it labels are listed here)
Zero IT touch, context-aware access: auto-identification of user, device and application.
Numbered components: 1. User Fingerprinting (against Active Directory); 2. Device Fingerprinting; 3. iPad Self Registration; 4. Context-Aware Access Control; 5. Application Fingerprinting; 6. Adaptive Radio Management; 7. User and Device Visibility Management; 8. AAA FastConnect; 9. VLAN Pooling; 10. Bandwidth contracts. Monitoring and reporting are per user and per device.
Infrastructure shown: 802.11n AP, Mobility Controller, Policy Manager, Active Directory.
Example context: User: Joe Smith; Dept: Finance; Device: Apple iPad; Date: M-F, 8am-5pm; Location: Campus.
Applications and assigned QoS: Apple Facetime (QoS level 7), Virtual Desktop (QoS level 4), Internet (QoS level 1).
Enabling BYOD: Wireless Network Parts
- Management: Mobility Controller, Policy Management, Complete Access Management
- Access onramps: WLAN, LAN, Remote Office, On the Road, Outdoor, Indoor
BYOD Steps to Enable Secure Network Access for Mobile Devices: 1. Onboard Device; 2. Invoke a Policy; 3. Enforce Policy
Step 1: Automate Employee Onboarding (Access Network, Policy Manager, VPN)
1. The device connects to the web portal.
2. The Policy Manager configures 802.1X, VPN and e-mail, and provisions device credentials.
3. An application installer completes the setup.
Control Compromised Devices (Access Network, Policy Manager)
- Detect unsecure devices, keeping risk to the network minimal.
- Block access to network resources across wireless and remote access.
- Auto-remediate the device.
Step 2: Invoke an Access Policy
- BYOD Policy: allow personal devices into a limited access zone (LAZ).
- Executive Class Policy: deliver executive traffic with higher priority.
- Multimedia Policy: optimize delivery of Lync traffic over the air.
- Unauthorized Use Policy: disable rogue APs, blacklist the user.
- Device Revocation Policy: disable device access, not user access, if a device is stolen or lost.
- Device Quarantine Policy: quarantine unhealthy devices for remediation.
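The policies above, together with the user/device context from the architecture slide, reduce to a decision function that takes the fingerprinted context and returns a role. This is an added illustration in Python, not code from Dell or the Policy Manager product; the context fields, the revoked-device set and the executive list are constructed assumptions, and the fingerprinted device type is taken as already-known input.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:
    user: str
    dept: str
    device: str            # fingerprinted device type, e.g. "Apple iPad"
    corporate_issued: bool # IT-issued vs. personal device
    healthy: bool          # posture/health check result
    device_id: str         # stable identifier for this specific device

# Constructed sample data (hypothetical, not from any real deployment).
REVOKED_DEVICES = {"ipad-0042"}   # lost/stolen: the device is revoked, not the user
EXECUTIVES = {"jane.doe"}

def decide(ctx: Context) -> dict:
    """Map a user+device context to a role, modelled on the BYOD policies above."""
    # Device Revocation Policy: block this device; the user's other devices are unaffected.
    if ctx.device_id in REVOKED_DEVICES:
        return {"role": "denied", "reason": "device revoked"}
    # Device Quarantine Policy: unhealthy devices land in a remediation-only zone.
    if not ctx.healthy:
        return {"role": "quarantine", "vlan": "remediation"}
    # BYOD Policy: personal devices get the limited access zone (Internet-class QoS).
    if not ctx.corporate_issued:
        return {"role": "LAZ", "vlan": "limited-access", "qos": 1}
    # Executive Class Policy: higher priority for executive traffic on managed devices.
    qos = 7 if ctx.user in EXECUTIVES else 4
    return {"role": "employee", "vlan": ctx.dept.lower(), "qos": qos}

if __name__ == "__main__":
    # Same user, two devices: the decision differs because the device context differs.
    laptop = Context("joe.smith", "Finance", "Windows laptop", True, True, "lt-0001")
    ipad = Context("joe.smith", "Finance", "Apple iPad", False, True, "ipad-0007")
    for ctx in (laptop, ipad):
        print(ctx.device, "->", decide(ctx))
```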
Automate Guest Onboarding (New Visitor, Access Network, Policy Manager, Sponsor)
1. Collect visitor information.
2. The sponsor is prompted to confirm that the guest is valid.
3. The account is enabled and the visitor is notified via screen, SMS, or email.
Device Detection: 5-Tier Profiling (pyramid diagram; accuracy increases with each tier)
Tiers, from base to top: Baseline Fingerprinting; Events-Centric Fingerprinting; Network Heuristics Profiling (profile confidence: ??); Identity-Centric Profiling; Device Provisioning under corporate policy (example: iPad 1, iOS 5.0.1, profile confidence ~100%).
What would you rather have as the basis for network security and for user experience?
Step 3: Enforce a Policy Across Any Network
Policy decision is separated from policy enforcement; enforcement applies on any network and is optimized for mobility.
What About MDM?
- Network Infrastructure (manage device access): protect the network; identify the user; restrict usage and bandwidth; device-level visibility; configure network settings; provision and revoke device credentials.
- MDM / desktop management (manage the device): push and provision apps; remote wipe and control; firmware and patch management. Early feature sets; industry specialists.
Is This How You Think About Wireless?
The truth: wireless is MORE secure than wired (if you do it right).
Wired Network Security Questions
On your wired network:
- Do you authenticate all users and devices?
- Do you encrypt all traffic?
- Do you control access to network resources based on user identity and/or device?
Wireless lets you do all of this by design.
Thank You