Aerohive and Palo Alto Networks. Partner Solution Brief




Introduction

Now that connecting wirelessly is the norm and users have multiple devices they use for business-critical and personal activities, a solution that can identify and enforce network access based on identity, device type, location, and time of day is critical to support and maintain a mobility-optimized network. Aerohive and Palo Alto Networks have joined together to provide next-generation application visibility and control for the mobile-first community.

Aerohive's application visibility and policy enforcement functionality provides an administrator with extremely detailed and granular information and controls to optimize the user application experience at the edge of the network. Aerohive can customize how applications are prioritized, de-prioritized, or blocked based on all available context, including the identity of the user, device type, location on the network, and the time of day. This is extremely useful for ensuring that traffic is appropriately categorized, and potentially blocked, before it ever gets onto the network infrastructure, saving valuable resources and providing an extra layer of security.

However, many networks require aggregated controls as well as edge-based enforcement. When you combine the Aerohive mobility-optimized access layer with Palo Alto Networks' next-generation firewall, administrators get a comprehensive solution that provides best-of-breed content security and application monitoring for all users and devices connected to the network. Aerohive has the advantage of knowing all the available user context because devices connect and users authenticate to the access points and switches directly in order to gain access to the network. Palo Alto Networks firewalls, on the other hand, are generally installed at the gateway to the network and have visibility into everything coming or going in aggregate, but the user context is often obscured by all the network infrastructure between the gateway and the connected client. Together, Aerohive and Palo Alto Networks solve the problems of the mobile-first enterprise by combining information about user context with application visibility and controls.

The Aerohive and Palo Alto Networks Solution

Aerohive's Cooperative Control networking infrastructure equipment, along with Palo Alto Networks next-generation firewalls, provides a comprehensive and robust solution for optimizing the user experience on a mobile-first network. Together the solution provides many benefits, including:

- Enhanced User-ID Visibility and Enforcement: Aerohive devices can provide user identity, device type, and IP address information to the Palo Alto Networks firewalls to enhance the User-ID functionality that allows Palo Alto Networks firewalls to make policy decisions based on context.
- Client-less Operation: Aerohive learns the context from the existing interaction between the connected clients and the Aerohive devices, so no client or profile needs to be installed on the client devices.
- Comprehensive Application Visibility and Control: Together, Aerohive and Palo Alto Networks allow administrators to enforce application controls at both the edge of the network and at the gateway, ensuring applications are identified and prioritized, de-prioritized, or blocked based on context at the ideal enforcement point.
- Zero-Cost Data Performance: Because this integration relies on information already available to Aerohive devices as part of normal authentication, there is no in-line performance hit for using this integration to enhance application control on the network.

How It Works

The Aerohive and Palo Alto Networks solution works with Aerohive HiveOS version 5.1r3 or later and Palo Alto Networks PAN-OS version 4.0 or later. The solution requires the Aerohive administrator to set up syslog logging on the Aerohive devices and point them at a syslog server that is capable of running scripts. The script then parses the necessary user details and sends them to a server running the PAN UID-API agent, which in turn updates the PAN firewall with the context-enhanced User-ID information.

Step-by-Step

1. Configure Authentication

At the heart of this solution is the requirement for the Aerohive devices to know the identity of the user accessing the network. The three most common ways Aerohive can identify a specific user are A) 802.1X or WPA2-Enterprise; B) Private Pre-Shared Key; or C) Captive Web Portal. Therefore, the first step is to configure the Aerohive devices with SSIDs or ports that require one of these types of authentication.

Copyright 2013, Aerohive Networks, Inc.

2. Configure Syslog

The second step is to configure the Aerohive devices to report the information they know to a syslog server. This can be configured per network policy in the Additional Settings > Management Settings section. Once the policy is configured and pushed to the Aerohive devices, HiveOS will begin generating logs that include the user identity, IP address, and operating system, and will send them to the configured syslog server. Sample logs look like the following:

802.1X:
2013-04-01 14:06:05 info ah auth: Station 1cab:a7e6:cf7f ip 10.5.50.52 username astrong hostname Strong-iPad3-6 OS Apple ios

PPSK:
2013-04-01 14:43:18 info ah_auth: Station 1cab:a7e6:cf7f ip 10.5.50.52 username Buster Keaton hostname Strong-iPad3-6 OS Apple ios

CWP:
2013-04-01 14:50:46 info ah_auth: Station 1cab:a7e6:cf7f ip 10.5.50.52 username abby@ahdemo.local hostname Strong-iPad3-6 OS Apple ios

3. Scripted Info Sent to UID-API

Once the logs are collected in the syslog server, a script can parse the highlighted fields (IP address, username, hostname and OS) and collate them into a format the Palo Alto Networks UID-API can deliver to the Palo Alto Networks firewall. There are two major parts to the script: data extraction and push to agent. Within the data extraction portion, a regular expression is used to parse the username, IP address, and operating system of the connected client. One important note is that, depending on how the network authentication is configured, it may be necessary to append the domain information to the username if it is not included in the log information.

Sample script written for Kiwi Syslog Server:

' Copyright (c) 2013 Palo Alto Networks, Inc. <info@paloaltonetworks.com>
'
' Permission to use, copy, modify, and distribute this software for any
' purpose with or without fee is hereby granted, provided that the above
' copyright notice and this permission notice appear in all copies.
'
' THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
' WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
' MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
' ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
' WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
' ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
' OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
'
' Script takes syslog output sent from an Aerohive device to a Kiwi syslog server and updates user data.
' Log data is expected to look like:
'   2013-04-01 14:06:05 info ah_auth: Station 1cab:a7e6:cf7f ip 10.5.50.52 username astrong hostname Strong-iPad3-6 OS Apple ios

Function Main()
    ' Kiwi syslog requires the content of the script to be contained in a Main() function

    '----CHANGE THESE TO MATCH AGENT OR FIREWALL----
    stragentserver = "10.3.3.16"
    stragentport = "5006"
    '----CHANGE THIS TO MATCH AD DOMAIN NAME!----
    strdomain = "Corp"
    '----ADD API KEY HERE FOR AGENTLESS OPERATION----
    strkey = ""

    ' Option 2 of ServerXMLHTTP selects the server-certificate error flags; 13056 ignores ALL
    ' certificate errors, so the TLS identity of the agent or firewall is not verified.
    Const SXH_SERVER_CERT_IGNORE_ALL_SERVER_ERRORS = 13056

    Set xmlhttp = CreateObject("Msxml2.ServerXMLHTTP")
    strlog = Fields.VarCleanMessageText   ' Kiwi variable holding the content of the log message

    ' Non-greedy groups stop at the next fixed keyword, so PPSK usernames containing a space
    ' and CWP usernames of the form user@realm are captured whole (\w+ would truncate them).
    ptrn = "ip (\d+\.\d+\.\d+\.\d+).*?username (.+?) hostname (.+?) OS (.*)"

    If InStr(strlog, "n/a") = 0 Then   ' Do not run the script if there is no username
        '// Create the regular expression.
        Set re = New RegExp
        re.Pattern = ptrn
        re.IgnoreCase = False
        re.Global = True

        '// Perform the search.
        Set Matches = re.Execute(strlog)
        If Matches.Count = 0 Then
            Main = "OK"   ' Not a station authentication message; nothing to send
            Exit Function
        End If

        '// Collect matches and assign the user and address to variables
        Set omatch = Matches(0)
        straddress = omatch.SubMatches(0)
        struser = omatch.SubMatches(1)
        strhost = omatch.SubMatches(2)
        stros = omatch.SubMatches(3)

        '// Build the XML message (values are concatenated as-is; they are not XML-escaped)
        strxmlline = "<uid-message><version>1.0</version><type>update</type><payload><login>"
        strxmlline = strxmlline & "<entry name=""" & strdomain & "\" & struser & """ ip=""" & straddress & """/>"
        If strkey <> "" Then
            ' Agentless mode also sends a HIP report; the host-info host-name is hardcoded to "android" here
            strxmlline = strxmlline & "<hip-report><md5-sum>ae413e22b34a76366a542a1dd9b1108a</md5-sum>" & _
                "<user-name>" & struser & "</user-name><domain>" & strdomain & "</domain>" & _
                "<host-name>" & strhost & "</host-name><ip-address>" & straddress & "</ip-address>" & _
                "<generate-time>" & Now & "</generate-time>" & _
                "<categories><entry name=""host-info""><client-version></client-version>" & _
                "<os>" & stros & "</os><os-vendor></os-vendor><domain></domain>" & _
                "<host-name>android</host-name></entry></categories></hip-report>"
        End If
        strxmlline = strxmlline & "</login></payload></uid-message>"

        '//
        '// Post to the UID agent
        '//
        If strkey = "" Then
            ' Posting to the software agent
            surl = "https://" & stragentserver & ":" & stragentport & "/"
            On Error Resume Next
            xmlhttp.open "PUT", surl, False
            xmlhttp.setRequestHeader "Content-type", "text/xml"
            xmlhttp.setOption 2, SXH_SERVER_CERT_IGNORE_ALL_SERVER_ERRORS
            xmlhttp.send strxmlline
        Else
            ' Posting to the firewall directly using the REST API
            ' (the XML is placed unencoded in the query string; URL-encode it if the firewall rejects the request)
            surl = "https://" & stragentserver & "/api/?type=user-id&action=set&key=" & strkey & "&cmd=" & strxmlline
            On Error Resume Next
            xmlhttp.open "PUT", surl, False
            xmlhttp.setRequestHeader "Content-type", "text/xml"
            xmlhttp.setOption 2, SXH_SERVER_CERT_IGNORE_ALL_SERVER_ERRORS
            xmlhttp.send
        End If
    End If

    Main = "OK"   ' Return value for Kiwi
End Function

4. Create Rules in the Palo Alto Networks Firewall

Once you have the additional User-ID information, the Palo Alto Networks firewall can enforce policies based on the available context, such as group membership, device type, or IP address.

Summary

Next-generation networking requires knowledge of user identity, device type, location, and time to enforce granular policies that allow users to access the network according to their context. By combining two best-of-breed solutions, Aerohive Networks and Palo Alto Networks allow customers to optimize mobility and ensure security with granular, context-based application visibility and policy enforcement both at the edge and at the gateway. Together the solution provides unprecedented visibility, monitoring, and policy controls for a mobile-first enterprise.
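Steps 2 and 3 above describe parsing the ah_auth syslog lines and packaging them as a User-ID login update. The following Python is an added example, not code from the brief or from either vendor: it parses the three sample log formats (constructed lines modelled on the ones shown in step 2, plus an unauthenticated station), applies the domain-prefix rule, and builds the uid-message XML with a serializer that escapes values, so a username containing XML metacharacters cannot add entries the firewall would trust. Function and sample names are the example's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample lines modelled on the three step-2 formats (802.1X, PPSK,
# CWP) plus one unauthenticated station. The usernames (plain account, name
# with a space, e-mail address) show why the script's \w+ pattern is too narrow.
SAMPLE_LOGS = [
    "2013-04-01 14:06:05 info ah_auth: Station 1cab:a7e6:cf7f ip 10.5.50.52 "
    "username astrong hostname Strong-iPad3-6 OS Apple ios",
    "2013-04-01 14:43:18 info ah_auth: Station 1cab:a7e6:cf7f ip 10.5.50.52 "
    "username Buster Keaton hostname Strong-iPad3-6 OS Apple ios",
    "2013-04-01 14:50:46 info ah_auth: Station 1cab:a7e6:cf7f ip 10.5.50.52 "
    "username abby@ahdemo.local hostname Strong-iPad3-6 OS Apple ios",
    "2013-04-01 14:51:00 info ah_auth: Station 1cab:a7e6:cf80 ip 10.5.50.53 "
    "username n/a hostname unknown OS unknown",
]

# Non-greedy groups stop at the next fixed keyword, so spaces and '@' in the
# username survive; "ah auth" and "ah_auth" both occur in the sample logs.
LOG_RE = re.compile(
    r"ah[ _]auth: Station (?P<mac>\S+) ip (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"username (?P<user>.+?) hostname (?P<host>.+?) OS (?P<os>.+)$"
)

def parse_auth_log(line):
    """Return the station fields as a dict, or None if the line has no identity."""
    m = LOG_RE.search(line)
    if not m or m.group("user") == "n/a":
        return None
    return m.groupdict()

def qualify_user(user, domain):
    """Prefix the AD domain unless the log already has one (DOMAIN\\user, user@realm)."""
    return user if ("\\" in user or "@" in user) else f"{domain}\\{user}"

def build_uid_message(records, domain):
    """Build the User-ID <login> update. ElementTree escapes every value, so a
    username containing '<' or '"' cannot inject extra <entry> elements."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    for rec in records:
        ET.SubElement(login, "entry", name=qualify_user(rec["user"], domain), ip=rec["ip"])
    return ET.tostring(root, encoding="unicode")

def logs_to_uid_message(lines, domain="Corp"):
    """Parse a batch of syslog lines; return (xml, number of lines skipped)."""
    records = [r for r in map(parse_auth_log, lines) if r is not None]
    return build_uid_message(records, domain), len(lines) - len(records)

def count_entries(xml):
    """Number of <entry> elements the firewall would see (checks the escaping)."""
    return len(ET.fromstring(xml).findall("payload/login/entry"))
```

The returned string is the same document the Kiwi script PUTs to the User-ID agent; the transport is left to the caller.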

About Aerohive

People want to work anywhere, on any device, and IT needs to enable them -- without drowning in complexity or compromising on security, performance, reliability or cost. Aerohive's mission is to Simpli-Fi these enterprise access networks with a cloud-enabled, self-organizing, service-aware, identity-based infrastructure that includes innovative Wi-Fi, VPN, branch routing and switching solutions. Aerohive was founded in 2006 and is headquartered in Sunnyvale, Calif. The company's investors include Kleiner Perkins Caufield & Byers, Lightspeed Venture Partners, Northern Light Venture Capital, New Enterprise Associates, Inc. (NEA) and Institutional Venture Partners (IVP). For more information, please visit www.aerohive.com, call us at 408-510-6100, follow us on Twitter @Aerohive, subscribe to our blog, join our community or become a fan on our Facebook page.

About Palo Alto Networks

Palo Alto Networks™ next-generation firewalls enable unprecedented visibility and granular policy control of applications and content by user, not just IP address, at 20 Gbps network throughput levels. Based on patent-pending App-ID™ technology, Palo Alto Networks firewalls accurately identify and control applications regardless of port, protocol, evasive tactic or SSL encryption, and scan content to stop threats and prevent data leakage. Enterprises can, for the first time, embrace Web 2.0 and maintain complete visibility and control, while significantly reducing total cost of ownership through device consolidation.

Corporate Headquarters
Aerohive Networks, Inc.
330 Gibraltar Drive
Sunnyvale, California 94089 USA
Phone: 408.510.6100
Toll Free: 1.866.918.9918
Fax: 408.510.6199

International Headquarters
Aerohive Networks Europe LTD
The Court Yard
16-18 West Street
Farnham, Surrey, UK, GU9 7DR
+ 44 (0) 1252 736590
Fax: + 44 (0) 1252 711901

info@aerohive.com
www.aerohive.com