TECHNICAL WHITEPAPER

Author: Tom Kistner, Chief Software Architect
Last update: 18 Dec 2014

Table of Contents

Introduction ... 2
Terminology ... 2
Basic Concepts ... 2
Appliances ... 3
  Hardware ... 3
  Software ... 3
  Shadow Appliances ... 4
Layer 2 (LAN) functions ... 4
  Zone management ... 4
  Port management ... 4
  xlan ... 4
  SwitchVPN ... 4
Layer 3 (IP) functions ... 4
  IP Network management ... 4
  IPv4 / IPv6 Dual-Stack ... 5
  Gateway functions ... 5
  Uplink handling ... 5
  RouteVPN ... 5
WiFi ... 5
  SSIDs and authentication ... 5
  Broadcasts ... 5
  WiFi planner ... 5
Enterprise integration ... 6
  Directory Services ... 6
  DNS routing ... 6
  Dynamic Zone assignment ... 6
Device Management ... 6
  Device registration ... 6
  Employee Portal ... 6
  Device visibility ... 6
Applications ... 7
  Application catalog ... 7
  Custom Applications ... 7
  Web categories ... 7
  Application Groups ... 7
Policy controls ... 7
  Outbound/Internal rules ... 7
  Inbound (NAT) rules ... 8
  Guest access ... 8
Visibility and reporting ... 8
  Events and Alerts ... 8
  Traffic reporting ... 8
Introduction

The Ocedo System enables central, cloud-based network management for organizations of all sizes, across multiple physical locations. It consists of:

- Ocedo Connect, a controller service hosted by Ocedo in Germany, by a local partner, or by the end customer.
- Ocedo Appliances, including Access Points, Switches and Gateways, deployed on-premise or in virtualized environments.

Terminology

The Ocedo System defines keywords for certain objects and concepts. For easier recognition, these are usually printed capitalized and in italics in this document. Here's a short list of the keywords and what they mean:

CC - Ocedo Connect Controller.
Realm - The sum of all Orgs managed on the CC.
Admin - Administrator with rights to certain Orgs or the whole Realm.
Org - Managed organization, usually a company.
Site - Networked site, like an office or a datacenter rack.
Zone - Network zone (L2 segment or VLAN).
Uplink - An internet connection in a Site.
Device - Networked device, anything with a MAC address.
Device Group - Group of Devices.
User - Person accessing the network with Devices.
User Group - Group of Users.
Application - Networked service that users are accessing.
Application Group - Group of Applications (and optional web categories).
Rule - Policy rule, usually a combination of users and applications.
SSID - WiFi SSID definition, with authentication options.
Broadcast - A WiFi broadcast of an SSID in a Site.
Appliance - An Ocedo Appliance, hardware or software.
Port - Ethernet connection of an appliance, WAN or LAN.

Basic Concepts

The Ocedo Connect controller (CC) is multi-tenant capable, so it manages a Realm consisting of many organizations (Orgs). Every Org represents an end customer (typically a company). It is possible to assign administrative rights to individual Admin accounts per Org. Appliances and licensing are also managed on a per-Org basis.

The Org contains one or more Sites. A Site is a location like an office building, a hosting center or a cloud location. Every Site has at least one internet Uplink and one local network Zone.

Appliances

Ocedo Appliances come in three main function classes:

Gateways
- Provide basic network services to Zones.
- Handle one or more Uplinks.
- Enable policy enforcement.
- Enable extended reporting.
- Enable AutoVPN in SwitchVPN and RouteVPN flavors.

Access Points
- Provide network access to WiFi clients.

Switches
- Enable plug-and-play multi-zone L2 connectivity.
- Provide PoE to PoE-enabled appliances (including 3rd-party devices).

All Ocedo Appliances are managed from the CC, including all firmware upgrades.

Hardware

Ocedo hardware appliances come with a serial number that is used to activate the appliance in the Realm or Org. Check the Ocedo website for a list of available appliance models.

Software

Ocedo Gateways are available as software Appliances, in two flavors:

- Gateway VM: a virtual gateway running in any virtualizer like VMware, Hyper-V, KVM or Xen.
- Gateway JumpStart: a software gateway image that runs off any USB stick on any Intel x86-compatible hardware.

Software gateways can be freely created in the CC, downloaded and deployed instantly.
Shadow Appliances

Shadow Appliances are placeholders for hardware appliances. They can be used and configured just like regular Appliances, and can later be backed by real hardware. Any number of Shadow Appliances can be added to an Org. This facilitates planning and configuration before rolling out a solution.

Layer 2 (LAN) functions

Zone management

Zones are L2 segments that contain one or more L3 (IPv4/IPv6) networks. In the Ocedo System, every Zone has a VLAN tag assigned which is unique across the Org. If no specific VLAN tag is required, the system will pick one from a pool. The GUI offers a unified view of all Zones/VLANs used in the Org. VLANs do not have to be used on the wire, but they're always built in, so a possible future upgrade to a VLAN-capable environment is seamless.

Port management

Switched and discrete ports of switch and gateway appliances can be managed from a single view across the entire Org, including Zone assignments and information about attached Devices. When Ocedo appliances (gateways, switches, access points) are connected to each other, they will automatically set the connecting Ports to carry all required Zones, so manual VLAN trunk assignments are not needed.

xlan

In smaller Sites, VLAN is often not available, either because unmanaged 3rd-party switches are used, or because there's simply no switch at all. For such cases, the Ocedo system offers xlan, a local L2 tunneling technology that allows layering additional Zones onto a single-segment LAN. This is mainly useful to offer secure guest access.

SwitchVPN

SwitchVPN is Ocedo's L2 VPN, based on IPsec. It automatically makes a Zone available in a remote Site if it is required there. Two examples of typical SwitchVPN use cases are:

- Broadcast a Zone by WiFi in remote Sites (full-backhaul remote access in parallel to an existing private network).
- Seamlessly connect cloud locations to on-premise equipment (ideal for moving services to the cloud).
Layer 3 (IP) functions

IP Network management

The Ocedo System allows for fully automatic IP numbering, meaning that IPv4 and IPv6 networks are automatically assigned to Zones, drawn from a per-organization pool. Several IP (L3) networks can co-exist in a Zone, for example to enable parallel usage of private and public IPs. In order to integrate into existing networks, it is possible to manually specify IP networks.

IPv4 / IPv6 Dual-Stack

The Ocedo System is dual-stack by default. Even if IPv6 is not required or currently deployed in an Org, all Zones reserve an IPv6 prefix from a pool, so IPv6 can be rolled out with minimal overhead. IPv6 is automatically included in all L3 functions, without extra configuration or management overhead.

Gateway functions

When an Ocedo Gateway is handling gateway functionality for a Zone, it will provide DHCP, NTP and DNS services automatically. Gateways provide security and reporting functionality for connected Zones (see further below).

Routing

Gateways will automatically route into connected Zones, either by being the gateway for a Zone themselves, or by just being a member device in a Zone. It is also possible to set up static routes to 3rd-party equipment.

Uplink handling

An Ocedo Gateway can handle several internet Uplinks, either in concurrent use or as backup. Some gateway models offer built-in 3G support. Uplinks are monitored by the gateway, and fallback/fall-forward operation is fully automatic.

RouteVPN

RouteVPN is Ocedo's L3 VPN, based on IPsec. It automatically builds the required tunnels between Sites if Zones have been flagged as being reachable from other Sites in the same Org. VPN links are constantly monitored, and their traffic is included in policy controls (see further below).

WiFi

SSIDs and authentication

The Ocedo System supports defining WPA SSIDs with a password as well as enterprise authentication against RADIUS/NPS servers (see Enterprise integration below). Open SSIDs can also be configured to accommodate guest zones.

Broadcasts

SSIDs can be flexibly broadcast per Site. Every Broadcast can set additional, advanced WiFi options as well as the captive portal (see further below).
Channel selection and transmit power selection can be fully automatic or manually set per AP. Broadcasting remote Zones is made simple by SwitchVPN (see above).

WiFi planner

Ocedo's integrated WiFi planner lets you easily visualize WiFi coverage in all Sites. Upload floor plans and place AP placeholders as required. Different coverage-type presets can be selected. Placeholders can later be automatically turned into real hardware deployments.
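The two allocation behaviours described above, under Zone management (a VLAN tag per Zone, unique within the Org, drawn from a pool unless specified) and under IP Network management / IPv4 / IPv6 Dual-Stack (an IPv4 network per Zone, automatic or manual, plus an IPv6 prefix that is always reserved), can be illustrated with one small allocator. The following is an added example written for this document, not Ocedo code; the pool ranges, the prefix lengths, the class and method names and the sample Org are all assumptions made here.

```python
"""Per-Org VLAN tag and dual-stack prefix allocation (added example, not Ocedo code).

Each Zone gets a VLAN tag that is unique within the Org (operator-specified or
drawn from a pool), an IPv4 network (operator-specified or drawn from the Org
pool) and always an IPv6 prefix from the Org pool, so IPv6 is reserved even
where it is not yet used. Pool ranges and prefix lengths are assumptions.
"""
import ipaddress
from typing import Optional


class Org:
    def __init__(self, name: str, vlan_pool=range(100, 4095),
                 ipv4_pool: str = "10.0.0.0/8", ipv6_pool: str = "fd00::/48",
                 ipv4_zone_len: int = 24, ipv6_zone_len: int = 64):
        self.name = name
        self.zones: dict[str, dict] = {}          # zone name -> allocation
        self._vlan_pool = iter(vlan_pool)
        self._vlans_used: set[int] = set()
        # Lazily enumerate candidate Zone networks from each per-Org pool.
        self._ipv4_pool = ipaddress.ip_network(ipv4_pool).subnets(new_prefix=ipv4_zone_len)
        self._ipv6_pool = ipaddress.ip_network(ipv6_pool).subnets(new_prefix=ipv6_zone_len)
        self._ipv4_used: list = []
        self._ipv6_used: list = []

    def _next_vlan(self) -> int:
        # Skip tags already taken by manually assigned Zones.
        for tag in self._vlan_pool:
            if tag not in self._vlans_used:
                return tag
        raise RuntimeError("VLAN pool exhausted")

    @staticmethod
    def _next_network(pool, used):
        # Skip pool entries that overlap a manually specified network.
        for net in pool:
            if not any(net.overlaps(u) for u in used):
                return net
        raise RuntimeError("IP pool exhausted")

    def add_zone(self, name: str, vlan: Optional[int] = None,
                 ipv4: Optional[str] = None) -> dict:
        if name in self.zones:
            raise ValueError(f"Zone {name!r} already exists in Org {self.name!r}")
        # Validate manual input first so a rejected request consumes nothing from the pools.
        if vlan is not None:
            if not 1 <= vlan <= 4094:
                raise ValueError(f"VLAN tag {vlan} out of range")
            if vlan in self._vlans_used:
                raise ValueError(f"VLAN tag {vlan} already used in Org {self.name!r}")
        v4net = None
        if ipv4 is not None:
            v4net = ipaddress.ip_network(ipv4)
            if any(v4net.overlaps(u) for u in self._ipv4_used):
                raise ValueError(f"{v4net} overlaps an existing Zone network")
        if vlan is None:
            vlan = self._next_vlan()
        if v4net is None:
            v4net = self._next_network(self._ipv4_pool, self._ipv4_used)
        # Dual-stack: an IPv6 prefix is reserved regardless of whether IPv6 is used yet.
        v6net = self._next_network(self._ipv6_pool, self._ipv6_used)
        self._vlans_used.add(vlan)
        self._ipv4_used.append(v4net)
        self._ipv6_used.append(v6net)
        alloc = {"vlan": vlan, "ipv4": str(v4net), "ipv6": str(v6net)}
        self.zones[name] = alloc
        return alloc


def demo() -> dict:
    """Constructed sample Org: two automatic Zones and one manually numbered Zone."""
    org = Org("example-org")
    org.add_zone("office")                                  # fully automatic
    org.add_zone("guest", vlan=200, ipv4="192.168.50.0/24")  # manual VLAN and IPv4
    org.add_zone("servers")                                 # automatic again
    return org.zones


if __name__ == "__main__":
    for zone, alloc in demo().items():
        print(f"{zone:8s} VLAN {alloc['vlan']:4d}  {alloc['ipv4']:18s} {alloc['ipv6']}")
```

The point of validating the manual VLAN and IPv4 input before touching the pools is that a rejected request (a duplicate tag, an overlapping network) must not silently burn a pool entry; the check for overlaps rather than equality also catches a manually specified supernet that would swallow pool subnets.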
Enterprise integration

Directory Services

The Ocedo System allows syncing Users and selected User Groups from Active Directory and Google Apps directory services. User credentials are not queried by or stored in the CC. In case of an on-premise Active Directory installation, the connection to the domain controller can be made securely through any deployed Ocedo appliance, without the need for firewall rules or exposing the AD to the internet.

DNS routing

In order to integrate internal DNS zones, Ocedo appliances can use internal third-party DNS servers for specific domains. These DNS routes will also be used by end-user clients.

Dynamic Zone assignment

It is possible to assign accessing clients to different network Zones. This can either be done with AD through the RADIUS/NPS server, or by setting tags on Zones and on User Groups or Users.

Device Management

The Ocedo System allows (but does not require) fleet management of network Devices. A Device is anything that has a MAC address. New Devices are automatically detected and can be registered by the admin or by the User owning the Device.

Device registration

Devices can be registered to a User account (in case responsibility is assignable to a single user), or be assigned to Device Groups (in case it is a shared device, like a printer or a server). Once registered, Devices are recognized throughout the entire Org. Device management is the foundation for policy controls, since it enables applying policy Rules to Devices (or abstractions like Users or groups) instead of to IP networks or Zones.

Employee Portal

The employee portal offloads the task of registering devices in bulk onto the end users. It can be activated per Broadcast (wireless) or per port group (wired). Unregistered Devices will then be redirected to the portal, where users can register their Device to their user account by loopback email (by specifying their email address) or by SMS text message (by specifying their mobile number). Both options verify the contact details against the user account.

Device visibility

Unknown detected Devices are shown with OS, vendor and owner information, if available. The Ocedo System keeps track of the IP addresses used by Devices. Current Device location and connection information is also shown. Device traffic activity can be tracked in Traffic reporting (see further below).
Applications

Applications are networked services that run in the internal network or on the Internet (external Applications). Access to Applications can be regulated by policy.

Application catalog

Ocedo provides a constantly updated catalog of public applications that are available on the Internet (for example "Facebook" or "Salesforce"). Every catalog application is assigned to a default predefined Application Group (see below).

Custom Applications

Custom Applications can be defined to enable setting up access policies for internal services, or for specific internet-based services. Internal Applications are usually defined on top of a registered server Device or Device Group. It is also possible to define Applications based on IPs, ports or host/domain names.

Web categories

In addition to the application catalog, a web category catalog is available. Web Categories can be added to Application Groups (see below) in order to include sites that aren't covered by a specific Application.

Application Groups

For convenient basic policy creation, Ocedo predefines a number of Application Groups. These predefined groups contain both catalog Applications and Web Categories to form a consistent match for specific areas (for example "Social Networks" or "Business").

Policy controls

Policy controls are built on Rules. There are two types of Rules:

- Outbound/Internal rules: These Rules define the policy for internal Users and Devices accessing internal or external Applications.
- Inbound (NAT) rules: These Rules define the policy for external (Internet) access to internal Applications. They offer optional support for NAT, port translation and an external host whitelist.

Outbound/Internal rules

Outbound/Internal Rules specify a source, a target and an action. The action can be either Allow or Deny.

The source can be either a special catch-all selection like "All registered users", or a custom selection of:

- User Groups
- Device Groups
- Individual Users
- Individual Devices
- Policy tags

The target is either:

- The special selector "Any", matching any target.
- A selection of Zones.
- A selection of Application Groups and Applications.

A typical structure for a ruleset is to base the Outbound/Internal Rules on User Groups and Device Groups, and to make exceptions with tags.

Inbound (NAT) rules

Internal Applications based on Devices can be made available to the Internet by creating an inbound Rule. This Rule can use DNAT or Full NAT, and can also apply a port offset. To limit access to the exposed Application to specific external hosts, a host-based whitelist can be specified.

Guest access

To offer secure access for guests, a specific Zone can be declared as a guest zone. When the Captive Portal is used on the Zone, it can register guests using an email address, a mobile number (via SMS) or Facebook, Twitter or Google social logins. Guest Devices are managed separately from employee Devices, and guests can be used as a distinct group in Outbound/Internal Rules, so it is possible to have a policy specific to guest users.

Visibility and reporting

Next to device visibility (see above), the Ocedo System offers continuous automatic monitoring and alerting/notification on network events.

Events and Alerts

The event log offers live updates on changes in the network status, as well as an ongoing audit trail for configuration changes.

Traffic reporting

Traffic reporting enables a full view of all generated internal and external traffic, filtered by user, Site and date/time. Reporting uses the same Application Groups, Applications and web categories as the policy engine, so the reported results can be converted directly into policy Rules if needed.
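To make the Outbound/Internal Rule structure described above concrete (source selection by User Group, Device Group, User, Device or Policy tag; target by Zone, Application Group or Application; group-based Rules with tag-based exceptions; guests as a distinct group), the following is an added example written for this document, not Ocedo's policy engine. The rule ordering (top-down, first match wins), the default decision for a request that matches no Rule (deny), and the reading of "All registered users" as "the Device is registered to a User" are assumptions made here; the page does not state them. All users, devices, applications and rules in the block are constructed sample data.

```python
"""Outbound/Internal Rule evaluation (added example, not Ocedo code).

A Rule has a source (the catch-all "All registered users" or a selection of
User Groups, Device Groups, Users, Devices and Policy tags), a target (Any, a
selection of Zones, or Application Groups and Applications) and an action.
Assumptions: rules are evaluated top-down with first match winning, an
unmatched request is denied, and "all registered" means a Device with an owner.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)   # User Groups
    tags: set = field(default_factory=set)     # Policy tags


@dataclass
class Device:
    mac: str
    owner: Optional[str] = None          # registered to a User, or ...
    device_group: Optional[str] = None   # ... assigned to a Device Group
    tags: set = field(default_factory=set)


@dataclass
class Application:
    name: str
    group: str                   # Application Group
    zone: Optional[str] = None   # internal Applications live in a Zone


@dataclass
class Rule:
    name: str
    action: str    # "Allow" or "Deny"
    source: dict   # {"all_registered": True} or users/user_groups/devices/device_groups/tags
    target: dict   # {"any": True} or zones/app_groups/apps


def source_matches(rule: Rule, user: Optional[User], device: Device) -> bool:
    src = rule.source
    if src.get("all_registered"):
        return user is not None
    tags = device.tags | (user.tags if user else set())   # tags from Device or its owner
    return bool(
        (user and user.name in src.get("users", ()))
        or (user and user.groups & src.get("user_groups", set()))
        or device.mac in src.get("devices", ())
        or device.device_group in src.get("device_groups", ())
        or tags & src.get("tags", set())
    )


def target_matches(rule: Rule, app: Optional[Application], zone: Optional[str]) -> bool:
    tgt = rule.target
    if tgt.get("any"):
        return True
    if zone is not None and zone in tgt.get("zones", ()):
        return True
    return app is not None and (
        app.name in tgt.get("apps", ()) or app.group in tgt.get("app_groups", ())
    )


def evaluate(rules, users, device, app=None, zone=None):
    """Return (action, rule name) for a Device reaching an Application or Zone."""
    user = users.get(device.owner) if device.owner else None
    zone = zone or (app.zone if app else None)   # internal app implies its Zone
    for rule in rules:
        if source_matches(rule, user, device) and target_matches(rule, app, zone):
            return rule.action, rule.name
    return "Deny", "default"   # assumption: implicit deny


# Constructed sample data (not from the page).
USERS = {
    "alice": User("alice", groups={"sales"}),
    "bob": User("bob", groups={"sales"}, tags={"social-ok"}),
    "guest-1": User("guest-1", groups={"guests"}),
}
DEVICES = {
    "alice-laptop": Device("02:00:00:00:00:01", owner="alice"),
    "bob-phone": Device("02:00:00:00:00:02", owner="bob"),
    "guest-phone": Device("02:00:00:00:00:03", owner="guest-1"),
    "printer": Device("02:00:00:00:00:04", device_group="printers"),
    "unknown": Device("02:00:00:00:00:05"),
}
APPS = {
    "facebook": Application("facebook", "Social Networks"),
    "salesforce": Application("salesforce", "Business"),
    "erp": Application("erp", "Internal", zone="servers"),
}
RULES = [   # group-based policy, with a tag-based exception placed before the group rule
    Rule("guests: no internal zones", "Deny", {"user_groups": {"guests"}}, {"zones": {"servers"}}),
    Rule("guests: internet", "Allow", {"user_groups": {"guests"}}, {"any": True}),
    Rule("tag exception: social", "Allow", {"tags": {"social-ok"}}, {"app_groups": {"Social Networks"}}),
    Rule("sales: no social", "Deny", {"user_groups": {"sales"}}, {"app_groups": {"Social Networks"}}),
    Rule("staff: business apps", "Allow", {"all_registered": True},
         {"app_groups": {"Business"}, "apps": {"erp"}}),
    Rule("printers reach servers", "Allow", {"device_groups": {"printers"}}, {"zones": {"servers"}}),
]


def decide(device_name, app_name=None, zone=None):
    return evaluate(RULES, USERS, DEVICES[device_name], APPS.get(app_name), zone)
```

Because the exception for the "social-ok" tag sits above the "sales: no social" group Rule, a tagged sales user is allowed while the rest of the group is denied; swapping those two Rules would silently disable the exception, which is why first-match rulesets should be reviewed top-down. The unregistered Device falls through to the implicit deny, and the guest group is handled entirely by its own two Rules without touching the staff policy.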