Mobility in academic environments and securing wireless applications
Agenda
- Academic networks: state of play
- Challenges for the Hautes Ecoles (university colleges)
- Maturity of mobile networks
- Why Aruba?
- Integrating security solutions
- Juniper's added value
- Example of an "online" digital campus
Networks in academic environments today
Public institution, public space, indoor and outdoor: Administrative, University Hospital, Library, Classrooms, Cafeteria, Student Housing, Stadium, Faculty Housing, Satellite Campus
- High density: concurrent connections, a tech-savvy public
- Limited network extensions: guest access, public access points
- Network coverage is difficult
- FAT access points: hard to manage, limited security
Needs:
- Staying competitive, since access to ICT is a MUST for students
- Return on investment and reduced maintenance
- Online training systems
Challenges for the Hautes Ecoles
- Fewer qualified IT staff
- Falling IT budgets
- Project management methodologies: ITIL
- A tech-savvy public, used to new ICT
- Portable devices = convenience
- Explosion of uncontrollable PCs
- Information security = concern no. 1
- Network access across the whole campus
- E-learning applications
- Secure access for uncontrollable users
- Deployment of information systems for students
- IP network convergence: data + voice + video
Source: Gartner Group
Maturity of mobile networks
1st generation:
- Autonomous, distributed access points
- No management of radio frequencies
- Low security level
2nd generation:
- Lightweight, centralized access points
- Active radio frequency management
- Dense deployments with high performance
- High security level and support for multiple client types
- Geolocation of WiFi clients
State of the art:
- Identity-based network and "end-to-end" security with centralized encryption
- Mobility across LAN, WAN and Internet
- Easy client deployment with geolocation tools
- Large-scale networks through better VLAN management
- High quality of service according to the client: PC, tablet, GSM, PDA, etc.
- Better performance based on radio frequency management standards
Why Aruba's solutions?
1) Complex becomes simple
2) Security rules without borders
3) Start small and go big
1. Complexity becomes simplicity
Mobility path from tactical, to strategic, to dominant mobility, adding along the way: captive portal, outdoor coverage, adaptive radio management, 802.11i security, traffic shaping, AAA server, Remote AP mobility, application convergence, security policies, point-to-point VPN connections, wireless IDP detection
2. Security rules without borders
- Security follows the user everywhere
- No reconfiguration
- A single SSID for the whole network
- AAA configured once and only once
(Campus zones shown: Applied Sciences, Library, Arts)
3. Start small and grow BIG
Growth axes: application complexity, convergence, global mobility, hotspots, number of concurrent users
Software + Hardware + Management = a single platform
Aruba's view of mobility in education
Unlimited extension possibilities protect your investments over the very long term.
(Diagram: ARUBA 6000, 2400 and 800 platforms connected over LAN, WAN and Internet to AP-60, AP-61, AP-70, AP-80, AP-2E and Remote AP-70 access points, serving affiliated schools, libraries, student housing, distance learning, partners & consultants, a satellite campus, labs and teacher access.)
PHL, an "online" digital campus
- Belnet Gigabit GRID network
- 4000 students, 500 staff
- 160 access points
- Firewall, anti-virus, anti-spam in & out
- Strong authentication (802.1X)
- Financing of 1500 laptops (800 euros)
- E-learning: Blackboard Academic Suite
- More than 1200 concurrent connections
Revolving to the Real Time Network: Unified Access Control
Copyright 2007 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 12
(Diagram: starting point, a flat network with AAA servers and identity stores, resources, a wireless AP, and wireless and wired client agents)
Issues
- No server access control: access to the network = access to everything; application authentication is the only security barrier
- Server vulnerabilities exposed: servers, services and applications vulnerable to DoS
- Any unmanaged device can connect to the network and compromise server security
- Unmanaged devices might compromise your trusted devices: proliferation of malware, spyware, backdoors
Network Segmentation (Juniper FW/VPN)
- Introducing network segmentation: add a firewall device to protect resources; create segments on switches (VLAN); static firewall security policy to allow access to resources
- Advanced security: Deep Inspection (full IDP on ISG firewall); anti-virus, anti-spyware, anti-spam, URL filtering; traffic shaping and prioritization with QoS, DSCP
- Firewall user authentication: allows more granular access control; first step to dynamic policies
(Diagram: AAA servers and identity stores; a firewall in front of the protected resources; user access to protected resources passes through the firewall; wireless AP)
Issues
- Static firewall access policy: access policy not related to user profiles; lots of exceptions; hard to manage
- Only servers are protected: clients are completely exposed
Introducing UAC
- User authentication against a central Infranet Controller appliance (integration with Windows logon)
- Dynamic access control policies on firewall(s): policy rules linked to the user profile; when the user disconnects, the policies are removed
- End-point assessment to ensure client device security
- Integrates with existing user directories: re-use of group membership to create access control policies (much the same way as managing file access on Windows file shares)
- Firewall policies can include AV, DI and URL filtering profiles
- Unmanaged and unauthenticated devices get restricted access to protected resources
(Diagram: central policy manager performing endpoint profiling, user authentication and endpoint policy; dynamic role provisioning with SBR against AAA servers and identity stores; firewall enforcers in front of the protected resources; wireless AP, wireless and wired agents)
Issues
- Every client is still on the same network: security is enforced only at the resources
- When host assessment fails or the user is unauthorized, the device has no access to protected resources but can still access the local network
  - Not hack-proof: it can compromise other client devices
  - Not infection-proof: it can infect other client devices
- Confidentiality: traffic between authenticated devices and protected server resources can be monitored
Introducing 802.1x
- Dynamically assign the VLAN based on user authentication: unsuccessful authentication and/or host assessment results in a default GUEST VLAN
- Requires an 802.1x supplicant and a RADIUS server: both are included in the UAC solution and are part of the Infranet Controller appliance; automatic, central distribution of the supplicant from the IC
- Open standards based: integrates with any 802.1x standards-based switch or access point
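Added example (not Aruba's or Juniper's code) of how a standards-based 802.1x authenticator applies the dynamic VLAN assignment described above: it reads the RFC 2868/3580 tunnel attributes from the RADIUS Access-Accept and falls back to the GUEST VLAN on a reject, a failed host assessment, or malformed or non-VLAN attributes. The attribute and value numbers are the standard ones; the GUEST VLAN id 999 is a constructed value.

```python
import struct

# RADIUS packet codes and the RFC 2868/3580 attributes used for VLAN assignment
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6
GUEST_VLAN = 999  # constructed default VLAN for rejected or unhealthy clients


def build_vlan_attributes(vlan_id: int, tag: int = 0) -> bytes:
    """Encode the three tunnel attributes a RADIUS server returns to place a port in a VLAN."""
    def tlv(attr_type: int, value: bytes) -> bytes:
        return struct.pack("!BB", attr_type, 2 + len(value)) + value  # type, length, value
    return (tlv(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + tlv(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
            + tlv(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii")))


def parse_attributes(blob: bytes) -> dict:
    """Walk RADIUS attribute TLVs; reject truncated or too-short entries instead of guessing."""
    attrs, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 3 or i + length > len(blob):
            raise ValueError("bad attribute length")
        attrs[attr_type] = blob[i + 2:i + length]
        i += length
    return attrs


def assign_vlan(code: int, attributes: bytes, host_assessment_ok: bool) -> int:
    """Authenticator decision: Access-Accept plus a passed host assessment yields the
    server-assigned VLAN; anything else (reject, failed assessment, bad or non-VLAN
    tunnel attributes, out-of-range id) falls back to the GUEST VLAN."""
    if code != ACCESS_ACCEPT or not host_assessment_ok:
        return GUEST_VLAN
    try:
        attrs = parse_attributes(attributes)
        ttype = int.from_bytes(attrs[TUNNEL_TYPE][1:], "big")      # skip the tag octet
        medium = int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE][1:], "big")
        group = attrs[TUNNEL_PRIVATE_GROUP_ID]
        if group and group[0] < 0x20:  # a leading octet below 0x20 is a tunnel tag, not data
            group = group[1:]
        vlan = int(group.decode("ascii"))
    except (KeyError, ValueError, UnicodeDecodeError):
        return GUEST_VLAN
    if ttype != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE802 or not 1 <= vlan <= 4094:
        return GUEST_VLAN
    return vlan
```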
(Diagram: as before, with 802.1x between the wireless AP or switch and the wireless and wired agents with OAC; central policy manager with dynamic role provisioning with SBR against AAA servers and identity stores; firewall enforcers in front of the protected resources)
Juniper UAC Solution
- Does what you need it to do: pre AND post authentication security checks; network admission AND network access controls; easy, self-service remediation
- For all use cases: guests, contractors and employees; cross platform; managed, unmanaged and unmanageable devices
- Ideal for a phased deployment: the L3-L7 overlay satisfies the immediate need; roll out 802.1X-based infrastructure (from any vendor) when you choose; both solutions in one appliance
- Standards-based: 802.1X & TNC
- All elements are field tested
Aruba and Juniper to deliver secure mobility solutions
The Aruba mobility controller and thin access point infrastructure integrates seamlessly with Juniper's UAC solution.
- Enterprise-wide 802.11i mobility for all user types
- Improved security for unmanaged clients: no access to protected resources (UAC); isolated from managed clients (802.1x)
- Attack protection through the Deep Inspection gateway: anti-virus protection, web filtering
(Diagram: integrated architecture; thin APs, an encrypted TLS tunnel and the mobility controller carrying EAP/802.1x from the wireless and wired agents with OAC; central policy manager performing endpoint profiling, user authentication and endpoint policy, with dynamic role provisioning with SBR against AAA servers and identity stores; firewall enforcers in front of the protected resources)
Why Juniper: A Decade of Innovation
(Timeline chart, 1996-2006: incorporation, M-Series, T-Series, SSG, Acorn and UAC milestones; revenue from $500M to $2.3B; employees from 1000 to 4800+)
A Recognized Leader in Secure Networking Solutions in the Enterprise
- Addressing the challenges of enterprises that require strategic value from their networks
- A no-compromise, systems-based approach to high performance with security at scale
- Best-in-class products, solutions, and services for enterprises and public sector organizations
- Proven record of meeting challenging and dynamic application environments
#1 in Secure Access; #1 in High End Routing; 20,000+ customers; 92 of the Fortune 100; top 30 service providers; 8 of the top 10 commercial banks; 47 of 50 US state governments; NASDAQ 100 company; 9,600 global partners
Serving 20,000+ Customers Globally (customer logos, including U.S. Dept of Labor)
Thank you for your attention