Solution Brief. Aerohive and Impulse. Powerful Network Security for Education and Enterprise


Introduction

In today's highly connected organizations, end users expect secure Wi-Fi access across the campus and from any of their devices. While this requirement is essential for today's learning and corporate environments, it also opens up a secure network to a multitude of potential issues with Bring-Your-Own-Devices (BYOD), rogue devices and possible threats to secure data from the Internet and unknown applications.

Protecting the organization's networks, data and end user privacy are essential business requirements, but their realization is more challenging than ever. Highly distributed environments, the need to support BYOD and an ever-growing number of device types and applications, as well as depth of content require powerful network security solutions. And while the demands on IT are increasing, both the complexity of deployments and the cost of ownership need to be reduced. In educational institutions like colleges and K-12 schools, IT resources are often much more limited than in enterprises, which is a challenge in itself.

A Network Access Control (NAC) solution automates and enforces an organization's Acceptable Use Policies (AUP) for enterprise-owned, BYOD, and guest devices. A comprehensive offering should:

- Identify and assign security and network access policies based on user identity/group, device type, location, time, and ownership.
- Provide self-service tools to easily provision an end user device without help desk involvement.
- Deliver real-time device security assessment, enforcement and user self-remediation guidance.

In addition, the ability to deploy and support a NAC system with minimal technical resources and network changes while providing a superior user experience are key factors for success.

Combining Aerohive's and Impulse's solutions helps address the network security challenges encountered in today's educational institutions and enterprises. It provides enterprise-grade network security in a highly economical manner to ensure safe access to networks and resources for all.

The Aerohive and Impulse Solution

Impulse delivers industry-leading network access control (NAC) with its SafeConnect™ solution. It reduces the risk and impact of security breaches by providing secure onboarding of devices, and then by constantly monitoring devices to ensure they remain in compliance with IT-defined policies. When integrated with Aerohive's controller-less network architecture, the distributed intelligence in the access points ensures that the security policies are enforced on all devices in the network. In other words, Aerohive access points effectively become enforcement points for SafeConnect's policy definitions.

The joint solution supports a multi-vendor network environment for all client devices, whether they are wireless, wired or VPN. It enables automated 802.1X-WPA2 Enterprise (wireless data encryption) provisioning and security compliance enforcement before and after admitting devices to the network. Non-compliant devices can be quarantined immediately and offered remediation guidance.

Features like agentless device-profiling, end-user authentication and real-time visibility into device and application usage enable a superior level of network security. At the same time, the user experience, installation, and ongoing management of the solution is greatly simplified, thereby reducing demands on IT.

Copyright 2015, Aerohive Networks, Inc.

The combined solution has many benefits including:

- A consistent experience for end users: SafeConnect's device-centric approach enables user identity persistence across network segments and access points. This feature eliminates the need to frequently reauthenticate. Other UX-enhancing features are automated 802.1X/WPA2E provisioning, self-registration for guests and non-browser devices (e.g., gaming, media, etc.), and ongoing real-time device security assessment and enforcement. There is no need to schedule periodic scans of the client population, or to ensure ongoing compliance by forcing clients to re-authenticate periodically.
- No need for VLAN steering: SafeConnect integrates directly with Aerohive controller-less access points to assign access privileges like application permissions and firewall rules dynamically by leveraging Aerohive's user profile firewall-based technology. This removes the need to reconfigure a Layer2 switch port to reassign devices between production and trusted VLANs. It also results in a better end user experience, since devices don't need to be re-authenticated every time the IP address changes. SafeConnect can also utilize Layer3 switches for policy enforcement of wired devices, alleviating the burden of deploying and supporting Layer2 802.1X or SNMP-based alternatives.
- Simplified installation and deployment: Aerohive's HiveManager allows for zero-touch configuration of access points and their associated, unified user profiles and policies. Once the devices are installed, they will automatically contact their assigned HiveManager and will be auto-configured. The result is a highly simplified installation process that can be accomplished by technicians, without involvement from IT. SafeConnect has been designed for remote customer setup and deployment. The system is pre-loaded with the customer's configuration information, and Impulse's customer support center provides remote guidance through the installation and deployment process. Systems can usually be installed in hours by leveraging the managed support services capability.
- Integration with the customer's existing network infrastructure and directory services: SafeConnect integrates seamlessly with Aerohive's Access Points (AP), utilizing their distributed network architecture. No additional networking hardware or changes are needed. SafeConnect also utilizes existing directory services infrastructure (LDAP, MS AD, RADIUS) to authenticate end user devices. Identity and role-based profiles are supported, and enforcement rules can be defined for each profile.
- Contextual Intelligence: SafeConnect for Aerohive provides real-time device-based information (i.e., user profile, application usage, location and time of access, compliance status) to other network management and security systems like web content filters, bandwidth managers, firewalls or SIEMs. This translates to single-sign-on, one-time authentication, granular policy assignment and enhanced analytics that enable more informed and timely security decisions.
- Cloud-based, centralized management: The Aerohive HiveManager supports cloud-based management that allows administrators easy access from anywhere to remotely manage connected devices, clients and security policies. SafeConnect is supported by a proactive cloud-based managed service that provide continuous system monitoring, problem determination/resolution, daily system updates, and application of future software upgrades which reduce the maintenance burden on the IT department.

How It Works

Combining the Aerohive and SafeConnect solutions utilizes key advantages of both architectures: Impulse's device-centric access control approach, coupled with the ability to leverage Aerohive's Layer7 application and quality-of-service technologies, enables enterprise-grade NAC, while ensuring the best possible network performance and user experience.

To achieve this, SafeConnect integrates with Aerohive's access points, so that they can act as enforcement points for SafeConnect's security policies. Once a new device connects to an access point, it is placed in an initial quarantine mode by the access point's firewall policy and assessed immediately for policy compliance by SafeConnect. After examining the device's level of compliance and associated policy-driven network access privileges, SafeConnect returns a specific user-profile ID. Depending on the result, the access point will authorize the device for:

- Full access to the trusted network.
- Limited access rights, as defined for different user roles (e.g., guests, contractors and employee personal devices). Guests and other unknown users will be re-directed to a self-registration Web page to receive their access credentials. Each of these user roles can be supported with different policies and associated network privileges. Access rights for each user role can be defined by device type, ownership, application usage, VLAN, access duration and location, security compliance and other criteria.
- Quarantine, where it is blocked from the trusted network. To reduce helpdesk calls, user devices are guided through self-remediation options:
  - Windows and Mac OS X devices may be re-directed to a remediation Web page with the option to address AUP compliance (e.g., anti-virus software, OS patch policy, encryption software) or provided direction to cease usage of non-compliant applications like P2P file sharing, Skype, gaming, etc.
  - Mobile devices may be re-directed to install the organization's designated Mobile Device Management (MDM) software. They may also remain in a quarantined state if the device does not fulfill other compliance criteria, like being jail broken or missing password or data encryption protection.
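A minimal model of the enforcement flow described above, as an added example that is not Aerohive or Impulse code: the profile IDs, object names, addresses and rules are assumptions chosen for illustration. It shows an access point holding a device in initial quarantine until a profile ID arrives, applying a changed authorization later, and (a design choice of this example) falling back to quarantine when the returned ID is unknown.

```python
# Added illustration: profile IDs, object names, addresses and rules are
# hypothetical, not HiveManager or SafeConnect values.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Destinations the policies refer to (constructed documentation addresses).
OBJECTS = {
    "nac_appliance": ip_network("192.0.2.10/32"),
    "landing_page": ip_network("192.0.2.20/32"),
    "internal": ip_network("10.0.0.0/8"),
    "any": ip_network("0.0.0.0/0"),
}
# One firewall policy per authorization outcome; first matching rule wins.
POLICIES = {
    "initial_quarantine": [("nac_appliance", True), ("any", False)],
    "full_access": [("any", True)],
    "guest_limited": [("landing_page", True), ("internal", False), ("any", True)],
    "remediation": [("nac_appliance", True), ("landing_page", True), ("any", False)],
}
# User profile ID (as returned by the NAC) -> firewall policy name.
PROFILES = {1: "initial_quarantine", 10: "full_access",
            20: "guest_limited", 30: "remediation"}
INITIAL = 1


@dataclass
class AccessPoint:
    sessions: dict = field(default_factory=dict)  # device MAC -> profile ID

    def associate(self, mac):
        """A new device starts in initial quarantine until it is assessed."""
        self.sessions[mac] = INITIAL

    def authorize(self, mac, profile_id):
        """Apply an initial or changed authorization; unknown IDs fail closed."""
        if mac not in self.sessions:
            raise KeyError(f"{mac} is not associated")
        self.sessions[mac] = profile_id if profile_id in PROFILES else INITIAL
        return PROFILES[self.sessions[mac]]

    def allows(self, mac, dst_ip):
        """Evaluate the device's current firewall policy for one destination."""
        if mac not in self.sessions:
            return False  # no session, no access
        for obj, permit in POLICIES[PROFILES[self.sessions[mac]]]:
            if ip_address(dst_ip) in OBJECTS[obj]:
                return permit
        return False  # implicit deny
```
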

Once the devices are authorized, they will be assigned applicable network access privileges and monitored continuously in real-time to ensure ongoing compliance.

The actual integration of the two solutions is a straightforward process. In HiveManager, SafeConnect is configured as an Authentication and Accounting RADIUS Server. By creating Access-Lists and leveraging features available in the Aerohive environment, SafeConnect will be enabled to dynamically block, redirect or limit device access based on SafeConnect Policy Group definitions. The steps of the configuration process are as follows:

1. Add SafeConnect Enforcer as a RADIUS Authentication Server.
2. Create IP objects for the SafeConnect appliance and for the landing page where users are sent after passing their compliance check.
3. Add firewall policies for the different device authorization options:
   - Initial device quarantine
   - Full access to the company network
   - Limited access to the network, differentiated by role (e.g., guest, contractor, BYOD)
   - Quarantine, with remediation options
4. In HiveManager, create user profiles that reference the defined firewall policies.
5. Create RADIUS local user groups for each of the user profiles so that the RADIUS server can send initial and new authorizations.

A detailed configuration guide is available.

Summary

Providing high-performance, enterprise grade networking and security in today's mobile world is key to ensuring productivity for all users, regardless of whether their device is corporate-issued or personal (BYOD). Aerohive and Impulse deliver a unique industry solution to address the challenges of managing mobile devices in a highly simplified manner that minimizes the technical resources required to deploy and support a secure, high-performance network environment. By combining Aerohive's controller-less architecture with Impulse's simplified NAC and managed support service approach to automating device security policy management, we created an unmatched offering and value proposition.

About Aerohive

Aerohive (NYSE: HIVE) unleashes the power of enterprise mobility. Aerohive's technology enables organizations of all sizes to use mobility to increase productivity, engage customers and grow their business. Deployed in over 16,000 customers worldwide, Aerohive's proprietary mobility platform takes advantage of the cloud and a distributed architecture to deliver scalable, simplified, secure and cost-effective networks. Aerohive was founded in 2006 and is headquartered in Sunnyvale, Calif. For more information, please visit www.aerohive.com, call us at 408-510-6100, follow us on Twitter @Aerohive, subscribe to our blog, join our community or become a fan on our Facebook page.

Corporate Headquarters
Aerohive Networks, Inc.
330 Gibraltar Drive
Sunnyvale, California 94089 USA
Phone: 408.510.6100
Toll Free: 1.866.918.9918
Fax: 408.510.6199
info@aerohive.com
www.aerohive.com

EMEA Headquarters
Aerohive Networks Europe LTD
The Courtyard
16-18 West Street
Farnham
Surrey, UK GU9 7DR
+44 (0)1252 736590
FAX +44 (0) 1252 713094