OneFabric Connect: Extend the OneFabric architecture to 3rd party applications (Data Sheet)



BENEFITS

BUSINESS ALIGNMENT
- Embrace BYOD by mixing and matching managed and unmanaged devices on the same infrastructure with a single visibility and control architecture
- Quickly deploy new applications, devices, users and services

LOWER COSTS THROUGH MANAGEMENT AUTOMATION
- Automated provisioning of network services controlled by IT systems inside as well as outside of the network management domain
- Real-time asset discovery, tracking and documentation
- Automated onboarding and provisioning of network services for any device

IMPROVED VISIBILITY AND CONTROL, THREAT MITIGATION
- Context-based enforcement of policies at the network layer provides better control
- Application usage and threat detection information from security products like SIEM, IPS and NG-FW can be leveraged to quarantine users and devices
- Additional asset information provides better visibility as well as search and locate capabilities for any user and device on the network
- Mobile device compliance is included in the policy enforcement decision at the network layer
- Automated onboarding and separation of managed mobile devices from other managed IT assets, unmanaged BYOD devices and guests
- Automated context-based policy provisioning of network services for any device
- Comprehensive visibility into all devices and applications on the infrastructure: asset data is augmented with non-network data like phone numbers, asset owner, asset contact details and asset usage, and all managed mobile devices on the infrastructure are visible
- Vendor-agnostic integration architecture that can support a variety of IT systems and platforms
- Simplified compliance enforcement for managed mobile devices

Overview

Networks are built using switches, routers, and other devices in a distributed fashion to scale and provide reliability.
In this distributed environment, it has become more complex to provide new end-to-end services and applications in a seamless and cost-effective manner. As the business demands more agile and flexible IT services, this has become a focal point for innovation and also for differentiation by vendors that have solved that challenge. To address the simultaneous needs for security, virtualization, manageability, mobility and agility in today's networks, the concept of Software Defined Networks (SDNs) is gaining attention as a viable solution. The provisioning of new services and reliable application delivery in a dynamic IT infrastructure can be achieved with such an architecture. The value of SDN in the enterprise lies specifically in the ability to provide network virtualization and automation of configuration across the entire network/fabric, so that new services and end systems can be deployed rapidly and operational cost can be minimized.

OneFabric Connect Data Sheet 1

As enterprises embrace the new world of consumer tablets, smartphones and laptops, a Bring Your Own Device (BYOD) policy enables employees and guests to be more mobile and productive while the enterprise stays secure and compliant. This trend is rapidly growing in the carpeted enterprise, and a recent IDC survey shows that over 40% of employees will utilize their own devices at the workplace in 2012 alone. With the rapid growth of new and powerful smartphones and tablets, largely spurred on by Apple's iPhone and iPad devices, and the use of multiple devices by the same user at any given time, the challenges presented to IT have exploded. The entire process of automating discovery, profiling, onboarding, securing, managing and troubleshooting has become one of the single largest issues facing the enterprise today.

What then are the real technical challenges and costs to your network deployment brought on by BYOD? A sudden influx of new and ever-growing types and numbers of devices, a mix of operating systems, the immediate demand for personal and enterprise apps, and the increased usage of video, voice and data over the air and on the wire will have a dramatic impact on the security, bandwidth, access control and end-user experience for all of your trusted users and guests.

The Extreme Networks Mobile Identity and Access Management (Mobile IAM) solution delivers a uniquely comprehensive approach for deploying and managing the world of BYOD and the mobile enterprise. With this SDN integration, the solution can be extended to include an ecosystem of systems that provide granular visibility and enforcement of network policies, as is done for unmanaged devices (and any other device and user on the network) in a BYOD environment.

The OneFabric Connect Integration Service

It is a professional service delivered through a combination of middleware and integration services that interact with the OneFabric Control Center (leveraging the NetSight Management Suite) from Extreme Networks.
It provides APIs to integrate OneFabric Control Center (NetSight, Mobile IAM and NAC) with other IT solutions: management systems and databases (CMDBs etc.), MDM solutions, NG firewalls, web filtering solutions and more. It enhances the value of OneFabric Control Center with deeper visibility into device data, augmented with asset info, contact info, device details, phone number etc. It provides automation and control: device identification and location tracking, reporting back to other IT systems, and automatic assignment of policies managed by IT systems inside or outside the network management domain. It provides deep integration with the customer's existing IT and management systems and leads to improved processes, decreased troubleshooting times and lower OPEX. The Service is the next logical step in the evolution of OneFabric Control Center: Data Center Manager manages virtual data centers; OneFabric Connect manages devices and users at the access layer.

Integrations available today

The following integrations are available today and can be deployed without any due diligence upfront of the project:
- Palo Alto NG-FW
- IF-MAP
- OS LIA
- Polycom
- Avaya
- MS SCCM (Microsoft System Center Configuration Manager)
- Custom Integration Example (CMDB)
- iboss
- MobileIron
- Airwatch
- JAMF/Casper

New Generation Firewalls, Content Filters and Security Appliances

The security appliance market has evolved rapidly in the last years, developing new solutions that integrate the user identity in the security decisions. The new security appliances usually provide features like:
- User-based content security rules
- Application-level visibility into the traffic
- Advanced filtering engines up to layer 7

These features may become important for enterprises in specific verticals like government or healthcare that require stricter management of their security and fine-grained security rules that better adapt to the ever-changing BYOD environment. Sitting at the core of the BYOD environment, Mobile IAM can provide invaluable information to these appliances and allow the full development of their capabilities by adding user and location information. In exchange, the network management system can integrate visibility from the new security appliances, like visibility into application use per user.
Palo Alto NGFW
- The NGFW can have firewall policies created based on username information to provide enhanced security at the WAN, while NAC provides additional security at the LAN/campus edge
- It allows the NGFW to both build mappings and tear them down, so that stale entries are avoided
- If threats are detected by the NGFW, users at the LAN/campus edge or in the data center can be automatically quarantined to contain threats
- Application usage information provided by the NGFW is used to give quick insight into what types of applications are being utilized by a device and user
- Ability to share user information between the NGFW and OneFabric Control Center
- Using the built-in notification engine of Extreme Networks NAC, user information can be transmitted to the Palo Alto User-ID agent, which updates username / IP address mappings within the NGFW
- The information collected provides the ability to determine when a user connects to the network as well as when a user disconnects
- Integration of top-application information provided by the Palo Alto Next-Gen Firewall (NGFW): the results of the report are pushed into a custom field in NetSight/NAC for further visibility
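The username/IP mapping lifecycle described above (build a mapping on connect, tear it down on disconnect, avoid stale entries; the iboss integration later in this sheet consumes the same user-information feed), as an added Python example that is not Extreme Networks' or Palo Alto's code. It derives login/logout events from RADIUS Accounting packets, since the requirements call for accounting on the edge switches; the packet layout, the sessions and the event tuples are constructed assumptions, and a real deployment would forward the events to the appliance's own agent.

```python
"""Added example (not Extreme Networks' or Palo Alto's code): a user-to-IP
mapping table driven by RADIUS Accounting, as the data sheet describes:
build a mapping when a session starts, tear it down when it stops, and
expire it when the switch stops reporting it, so the identity-aware
appliance never keeps a stale binding for a reassigned address.
RADIUS attribute names follow RFC 2866; the packet layout, the sessions
and the (event, user, ip) tuples are constructed for this example."""
from dataclasses import dataclass
from typing import Optional

Event = tuple[str, str, str]  # ("login" | "logout", username, ip)


@dataclass
class Mapping:
    user: str
    session_id: str
    last_seen: float  # time of the last accounting packet for this session


class UserIpMappingTable:
    """Tracks which authenticated user currently owns which IP address."""

    def __init__(self, stale_after: float) -> None:
        self.stale_after = stale_after  # seconds without accounting traffic
        self.by_ip: dict[str, Mapping] = {}

    def process(self, acct: dict, now: float) -> list[Event]:
        """Apply one accounting packet; return events for the appliance."""
        events: list[Event] = []
        status = acct.get("Acct-Status-Type")
        user = acct.get("User-Name")
        ip = acct.get("Framed-IP-Address")
        sid = acct.get("Acct-Session-Id")
        if not (status and user and ip and sid):
            return events  # no identity or no address: nothing to bind
        current = self.by_ip.get(ip)
        if status in ("Start", "Interim-Update"):
            if current is not None and current.user != user:
                # Address reused before the old Stop arrived: tear the old
                # binding down so the new user's traffic is never attributed
                # to the previous owner.
                events.append(("logout", current.user, ip))
            if current is None or current.user != user:
                events.append(("login", user, ip))
            self.by_ip[ip] = Mapping(user, sid, now)
        elif status == "Stop":
            # A late Stop for an older session must not evict the current owner.
            if current is not None and current.session_id == sid:
                del self.by_ip[ip]
                events.append(("logout", user, ip))
        return events

    def expire_stale(self, now: float) -> list[Event]:
        """Tear down bindings whose switch stopped sending Interim-Updates
        (e.g. after a power loss that produced no Stop)."""
        events: list[Event] = []
        for ip, m in list(self.by_ip.items()):
            if now - m.last_seen > self.stale_after:
                del self.by_ip[ip]
                events.append(("logout", m.user, ip))
        return events

    def lookup(self, ip: str) -> Optional[str]:
        m = self.by_ip.get(ip)
        return m.user if m else None


def _acct(status: str, user: str, ip: str, sid: str) -> dict:
    return {"Acct-Status-Type": status, "User-Name": user,
            "Framed-IP-Address": ip, "Acct-Session-Id": sid}


# Constructed accounting stream as (seconds, packet); not captured traffic.
SAMPLE_ACCOUNTING = [
    (0, _acct("Start", "alice", "10.1.1.10", "s1")),
    (60, _acct("Interim-Update", "alice", "10.1.1.10", "s1")),
    (120, _acct("Start", "bob", "10.1.1.11", "s2")),
    (300, _acct("Stop", "alice", "10.1.1.10", "s1")),
    (310, _acct("Start", "carol", "10.1.1.10", "s3")),  # reused after Stop
    (320, _acct("Start", "dave", "10.1.1.11", "s4")),  # reused, no Stop from bob
    (330, _acct("Stop", "bob", "10.1.1.11", "s2")),  # late Stop; must not evict dave
    (500, _acct("Interim-Update", "dave", "10.1.1.11", "s4")),
]


def run_sample(stale_after: float = 300.0, sweep_at: float = 650.0):
    """Replay the sample stream, then run one stale sweep. Carol's session
    last reported at 310, so only her binding expires at 650."""
    table = UserIpMappingTable(stale_after)
    events: list[Event] = []
    for t, pkt in SAMPLE_ACCOUNTING:
        events.extend(table.process(pkt, t))
    events.extend(table.expire_stale(sweep_at))
    return events, table
```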

Requirements:
- A Linux-based NetSight 4.1 or later installed as a NetSight Appliance (virtual or physical appliance)
- NAC 4.1 or later installed and running properly with 802.1X or Web Authentication / Registration, where usernames are populated into NAC Manager
- Edge switches must support RADIUS Accounting and must be integrated within NAC
- Palo Alto NGFW version 4.0.3 or later installed and running properly

iboss

iboss is an Internet filtering appliance manufactured by Phantom Technologies and used by customers across multiple verticals to provide filtering up through layer 7. The iboss appliance provides differentiated Internet filter sets to end systems based on a number of criteria such as user Active Directory group membership, IP source ranges, and other criteria. This document describes the integration between the iboss Internet filter appliance, Active Directory (AD), and the Extreme Networks Mobile IAM solution. Integrating iboss with Mobile IAM provides the ability to define various locations within the network and then assign different access profiles and Internet filter sets to end systems based on those locations. This integration also permits iboss to assign Internet filters based on AD group membership to devices that do not traditionally authenticate into AD (iOS devices, Android devices, etc.). While tested only with Active Directory, iboss supports other directory services, which should be configurable and function similarly.
- Ability to share user information between iboss and OneFabric Control Center
- User information can be transmitted to the iboss appliance, which updates username / IP address mappings within its rules
- The information collected provides the ability to determine when a user connects to the network as well as when a user disconnects
- Location information is also shared with the iboss appliance, allowing for the creation of location-based rules

Requirements:
- Extreme Networks NetSight version 4.3 or later
- Extreme Networks NAC version 4.3 or later installed and running properly with 802.1X or Web Authentication / Registration, where usernames are populated into NetSight
- iboss security appliance version 6.0.13.7 or later integrated with Active Directory or another LDAP server
- Edge switches must support RADIUS Accounting and must be integrated within NAC

Convergence

Converged VoIP applications can greatly benefit from data usually residing in the network. The network has real-life data about user-to-device mapping and user location that is key to enhancing the user's experience in converged environments with features like:
- Device auto-configuration
- User-based configuration
- Location-based configuration
- Location-based reporting and auditing of calls

Integrated with converged solutions, NetSight NMS enhances its reporting capabilities by including VoIP data in its device database. Data like phone number, phone OS version and phone model are available for use by the network administrator to find a device or diagnose any issue in the network.

OS LIA (OpenScape Location and Identity Assurance)
- Automatically detect Siemens VoIP phones and assign corresponding connectivity and security profiles
- Provide the VoIP administrator with location and network information on all phones, updated automatically when phones move
- Location-based configuration assignment for phones
- Receive data on phone number, firmware version and type from DLS
- Send data for switch IP, switch port, NAC profile and NAC policy to DLS
- DLS can automatically assign phone configuration based on location data received from OS LIA
- OneView integration for centralized analysis and reporting

Requirements:
- Extreme Networks NetSight version 4.3.0.XX or higher, including NAC Manager
- Minimum OpenScape Deployment Service (DLS) version: V2R4

Polycom
- Automatically detect Polycom devices and assign corresponding connectivity and security profiles
- Polycom administrator can get access to the NAC web dashboard to get detailed network information on all Polycom devices

- Receive data on device type and status from Polycom's CMA management server (device-based policy)
- Minimum required version: Polycom CMA 5.0

Avaya
- Automatically detect Avaya VoIP phones and assign corresponding connectivity and security profiles
- Avaya administrator can get access to OneView to get detailed network information on all Avaya phones
- Receive data on phone number, device hardware, software and gatekeeper from Avaya VoIP Manager

Requirements:
- Extreme Networks NetSight version 4.3.0.XX or higher, including NAC Manager
- AeM (Avaya easy Management): 6.0.6
- VoIP Manager version: 2.1.12

Configuration management systems

In the last years, the systems to manage the configuration of heterogeneous systems have developed as the availability of standards allowed the exchange of information between the systems providing information and the systems storing that information and making it available to others. Extreme's network management solutions aim to participate in these environments, providing the information to create smarter configurations. As a consumer of the information, Extreme Networks' NetSight can use information from device and configuration managers in order to enhance the network management and reporting experience.

MS SCCM
- Automatically detect SCCM-managed devices and assign corresponding connectivity and security profiles
- System Center administrator can get access to OneView to get detailed network information on all System Center managed devices
- Receive data on NetBIOS name, user, operating system, service pack, hardware manufacturer and model from SCCM

Requirements:
- Extreme Networks NetSight version 4.3.0.XX or higher, including NAC Manager
- Microsoft System Center Configuration Manager 2007 R2

IF-MAP

IF-MAP is an open standard published by the Trusted Computing Group. It defines a protocol and associated database for aggregating and distributing metadata across infrastructure, application and management systems. Initially developed in the context of network security and access control (NAC), IF-MAP is being applied in many other areas that require end-system information sharing, including Configuration Management Databases (CMDB), SCADA and cloud computing (source: Overview of Trusted Network Connect (TNC) IF-MAP, TCG, April 2009). IF-MAP's MAP Server and MAP Clients extend the architecture for communication with other systems. The MAP Server stores state information about devices, users and traffic flows in a network. MAP Clients publish information to the server, search the information in the server, and subscribe to notifications from the server when stored information changes.

USE CASE: COMBINING PHYSICAL ACCESS CONTROLS AND NETWORK AUTHENTICATION

This solution uses IF-MAP with the Infoblox IF-MAP Server. This integration allows Extreme Networks infrastructure and security products to share information with physical access control systems, firewalls and the Configuration Management Database (CMDB). This sharing of information improves the security, manageability and performance of networked resources, end systems and applications. Integrating Extreme Networks NetSight location information with the Infoblox IF-MAP Server and the Hirsch physical access control card readers or keypads provides an elegantly simple solution that combines physical access controls and network authentication.

USE CASE: AUTOMATING THE CMDB

Extreme Networks NetSight integrated with the Infoblox IF-MAP Server efficiently automates the CMDB updating process. When a new device is attached to the network, Extreme Networks NetSight detects and authenticates it and automatically updates the Infoblox IF-MAP Server with the end-system information. The Infoblox server then updates the CMDB. This guarantees that all applications using the IF-MAP server get the most current and complete information and that the CMDB always contains accurate and up-to-date information. Extreme Networks NetSight can supply the Infoblox IF-MAP Server with a diverse set of end-system information, including MAC address, IP address, hostname and operating system, among several other criteria. Having this granular set of information enables an IT administrator to better manage and secure the network. The physical location of the end system (building / room) can also be supplied to the IF-MAP server. Location information is important for many types of end systems. If the end system is an IP phone, knowing the location can be critical for emergency response. Adding location information for medical devices allows an administrator in a hospital to keep track of the locations of all of the devices connected to the network.

MDM INTEGRATIONS

Mobile Device Management (MDM) is a quickly evolving and changing market.
An MDM solution typically provides features like:
- Mobile Application Management (deployment, update, blocking)
- Inventory Management (hardware and software)
- Security and Policy Management (corporate policies, authentication, encryption, connection to known and unknown networks)
- Service Management (telecom services)

These features may become important for enterprises in specific verticals like government or healthcare that require stricter management of their mobile devices, but in general they are not mandatory for a BYOD deployment in other verticals such as Higher Education, K-12 and others. Even when an MDM solution is deployed, there is a need for network-level policy enforcement, onboarding of unmanaged devices, guest access management, dynamic threat detection and mitigation, and protection against other unmanaged devices that get connected to the infrastructure. That is why Mobile IAM is the core of any BYOD deployment and MDM augments that solution.

MobileIron
- Provides additional onboarding methods in BYOD environments
- Enhances network security by adding MDM data to the network admission rules
- Provides fine-grained network policy selection depending on the MDM security posture of the devices
- Provides additional user notification of network status, e.g. quarantine
- Provides detailed device info to NetSight

- Receive inventory data on device ownership, phone number, jailbroken status, IMEI, MDM security posture, etc.
- NetSight provides assessment data about MDM security posture and risky device configuration options
- Notifies user of network status (quarantine)
- Remote wipe of the device initiated from NAC Manager

Requirements:
- Extreme Networks NetSight version 4.3.0.XX or higher, including NAC Manager
- Access to MobileIron's SaaS services with an API access user

Airwatch
- Provides additional onboarding methods in BYOD environments
- Enhances network security by adding MDM data to the network admission rules
- Provides fine-grained network policy selection depending on the MDM security posture of the devices
- Provides additional user notification of network status, e.g. quarantine
- Provides detailed device info to NetSight
- Receive inventory data on device ownership, phone number, jailbroken status, IMEI, MDM security posture, etc.
- NetSight provides assessment data about MDM security posture and risky device configuration options
- Notifies user of network status (quarantine)
- Remote wipe of the device initiated from NAC Manager

Requirements:
- Extreme Networks NetSight version 4.3.0.XX or higher, including NAC Manager
- Access to Airwatch's SaaS services with an API access user

JAMF Casper
- Provides additional onboarding methods in BYOD environments
- Enhances network security by adding MDM data to the network admission rules
- Provides fine-grained network policy selection depending on the MDM security posture of the devices
- Provides detailed device info to NetSight
- Receive inventory data on device ownership, phone number, jailbroken status, IMEI, MDM security posture, etc.
- NetSight provides assessment data about MDM security posture and risky device configuration options

Requirements:
- Extreme Networks NetSight version 4.3.0.XX or higher, including NAC Manager
- Operational JAMF Casper server

Service Overview

The Integration Service is delivered through a combination of middleware and integration services that interact with the NetSight Management Suite from Extreme Networks. This offering also contains planning, product-specific configuration, integration, and end-to-end testing of network communications. The Extreme Networks Professional Services organization provides the following services:
- Due diligence to determine the feasibility of the integration between the external IT solution and the Extreme Networks solution. Depending on the functionality offered by the external system, the integration might not be possible, and Extreme Networks reserves the right to withdraw from the order
- Implementation of software that integrates with the Extreme Networks NetSight API as well as with the system API
- Configuration of the Extreme Networks NetSight components

MDM, Mobile IAM infrastructure integration via Extreme Networks NetSight

The integration leverages an Extreme Networks Mobile IAM implementation or a traditional NetSight/NAC deployment and requires the following hardware and software elements to be implemented prior to the arrival of the Extreme Networks Professional Services Engineer:
- Fully functional Mobile IAM or NetSight/NAC solution with access to a functional system environment

- The solution to integrate shall provide a Web services API (XML/SOAP) that allows Extreme Networks to query the device details based on the (Wi-Fi) MAC address of the mobile device; alternatively, the query must allow discovery of all devices based on a unique identifier like a local device ID, IMSI, IMEI etc., but in the case of an MDM solution it must also return the Wi-Fi MAC address. If this is not provided, then due diligence needs to be done by Extreme Networks PS personnel to determine the feasibility of the integration

Exclusions

The service to be delivered will be limited to the functions and scale as stated herein. The following activities are not part of the scope of work. If needed, these items can be ordered and purchased separately.
- Mobile IAM implementation (Auto Discovery, Profiling, Onboarding, Context-based Policy Management)
- NAC implementation with Authentication, Authorization and/or with Assessment and Remediation
- The definition of policies and access controls as well as network segmentation and design
- Integration of all network components into Extreme Networks NetSight, including topology and alarm/event configuration
- Network maintenance
- Configuration of the peer systems beyond the needs of their connectivity to OneFabric Control Center

OneFabric Connect Integration Terms and Conditions

If the peer solution does not provide the appropriate functional set of API calls, then Extreme Networks owns the right to withdraw from the implementation after the initial due diligence.

Professional Services Terms and Conditions

Extreme Networks Professional Services Terms and Conditions are located on the Extreme Networks website at: http://www.extremenetworks.com/products/terms/professional_services_terms_and_conditions.pdf
These terms shall govern all services provided pursuant to this Proposal/Statement of Work.
Ordering Information

PART NUMBER         DESCRIPTION
PS-OF-Connect-ESU   On-site installation of the Extreme Networks OneFabric Connect
PSOFCONNECT-REMOTE  Remote installation of the Extreme Networks OneFabric Connect using the predefined integration options

http://www.extremenetworks.com/contact
Phone +1-408-579-2800

2014 Extreme Networks, Inc. All rights reserved. Extreme Networks and the Extreme Networks logo are trademarks or registered trademarks of Extreme Networks, Inc. in the United States and/or other countries. All other names are the property of their respective owners. For additional information on Extreme Networks Trademarks please see http://www.extremenetworks.com/about-extreme/trademarks.aspx. Specifications and product availability are subject to change without notice. 7567-0214 WWW.EXTREMENETWORKS.COM