
Page 1: Building a BYOD network - Airheads

CONFIDENTIAL © Copyright 2011. Aruba Networks, Inc. All rights reserved

Building a BYOD network

Carlos Gómez Gallego

Director Product Management [email protected]

January 2012

Page 2

What is BYOD?

•  The buzz is uncontrollable
  –  Any device, any user, any time

•  What have we learnt from the originators of BYOD?
•  Education has been doing BYOD for years
  –  Lots of diverse devices to manage = lots of helpdesk calls
  –  Securing the network and the application is key
  –  Expand cloud applications or leverage VDI
  –  End users demand simplicity

•  So, from a security perspective:
  –  Is the BYOD craze just masking weaknesses in your existing network?

Page 3

BYOD Provisioning Use Cases

1.  Guest Access with Sponsor Approval
  –  Self-registration with SMS delivery → Guest role

2.  Corporate-Issued Laptop
  –  Machine + user authentication → Employee role

3.  Executive BYOD iPad
  –  Unique device credential, 802.1X authentication → BYOD Exec

4.  Employee/Student BYOD Windows Laptop
  –  Unique device credential, 802.1X authentication → BYOD LAZ

5.  Executive/Student BYOD MacBook
  –  Unique device credential, 802.1X authentication → BYOD Exec

6.  Employee/Student BYOD Android Smartphone
  –  Unique device credential, 802.1X authentication → BYOD LAZ

Page 4

Network Policy Examples

Context-based policies, aware of user, device, location and application, applied across wireless, wired, VPN, remote office and outdoor.

•  BYOD Policy – Allow personal devices into a limited access zone (LAZ)
•  Executive Class Policy – Deliver executive traffic with higher priority
•  Multimedia Policy – Optimize delivery of Lync traffic over the air
•  Unauthorized Use Policy – Disable rogue AP, blacklist user
•  Device Revocation Policy – Disable device access, not user access, if the device is stolen or lost
•  Device Quarantine Policy – Quarantine unhealthy devices for remediation
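The per-device credential model behind use cases 2 to 6 and the Device Revocation Policy above, as an added example that is not Aruba's code or an Aruba API. It models a AAA policy that derives the network role from the user's group plus the device's own certificate, so revoking one lost device's credential leaves the user's account and the user's other devices untouched. The user groups, the `deny` outcome, the device names and the `AuthRequest` fields are assumptions constructed for the example; the role names are the ones on the slides.

```python
from dataclasses import dataclass
from typing import Optional

# Roles named on the slides; DENY is this example's own reject outcome.
GUEST, EMPLOYEE, BYOD_EXEC, BYOD_LAZ, DENY = (
    "Guest", "Employee", "BYOD Exec", "BYOD LAZ", "deny")


@dataclass
class User:
    name: str
    group: str                 # assumed groups: "executive", "employee", "student"


@dataclass
class Device:
    cert_cn: str               # subject CN of the unique device certificate
    owner: str                 # user linked to the device at enrollment
    corporate: bool = False    # corporate-issued (machine credential) or employee-liable
    revoked: bool = False


@dataclass
class AuthRequest:
    method: str                        # "eap-tls", "machine+user" or "guest-portal"
    device_cn: Optional[str] = None    # CN from the client certificate, if presented
    user: Optional[str] = None         # user credential, if presented
    sponsor_approved: bool = False     # guest self-registration approved by a sponsor


class RolePolicy:
    """Role derivation keyed on the device credential, not only on the user."""

    def __init__(self, users, devices):
        self.users = {u.name: u for u in users}
        self.devices = {d.cert_cn: d for d in devices}

    def revoke_device(self, cert_cn):
        """Device Revocation Policy: disable this one device, leave the user alone."""
        self.devices[cert_cn].revoked = True

    def derive_role(self, req):
        if req.method == "guest-portal":
            # Use case 1: self-registration plus sponsor approval -> Guest role
            return GUEST if req.sponsor_approved else DENY
        dev = self.devices.get(req.device_cn)
        if dev is None or dev.revoked:
            return DENY            # unknown, or individually revoked, device credential
        if req.method == "machine+user":
            # Use case 2: corporate laptop, machine credential plus its assigned user
            return EMPLOYEE if dev.corporate and req.user == dev.owner else DENY
        if req.method == "eap-tls":
            # Use cases 3-6: personal device with its own 802.1X certificate;
            # a corporate device must do machine+user instead (assumed rule)
            owner = self.users.get(dev.owner)
            if owner is None or dev.corporate:
                return DENY
            return BYOD_EXEC if owner.group == "executive" else BYOD_LAZ
        return DENY


def sample_policy():
    """Constructed identity store: two users, four devices (example data only)."""
    users = [User("alice", "executive"), User("bob", "student")]
    devices = [
        Device("ipad-alice-01", "alice"),
        Device("android-bob-01", "bob"),
        Device("macbook-bob-02", "bob"),
        Device("corp-lt-0042", "bob", corporate=True),
    ]
    return RolePolicy(users, devices)


def demo():
    """Bob loses his phone: revoke that one credential, then re-check every device."""
    policy = sample_policy()
    policy.revoke_device("android-bob-01")
    return {
        cn: policy.derive_role(AuthRequest("eap-tls", device_cn=cn))
        for cn in ("ipad-alice-01", "android-bob-01", "macbook-bob-02")
    }


if __name__ == "__main__":
    for cn, role in demo().items():
        print(f"{cn:16} -> {role}")
```

The point of keying on `cert_cn` rather than `owner` is the revocation check: after `revoke_device("android-bob-01")`, Bob's MacBook still lands in BYOD LAZ because only the phone's certificate was disabled, which is what the Device Revocation Policy slide asks for. Revoking the user instead would have taken both devices and the corporate laptop offline.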

Page 5

The right way, not just for BYOD

The slide groups the controls into four numbered blocks: Device Access Controls, AAA, Visibility & Reporting and Onboard Device.

•  Supplicant config
•  Push trusted cert
•  Enable posture
•  Set auth type

•  Enrolment workflow
•  Authorize user to provision device
•  Device credential push
•  Link user to device

•  Complete view of device and network
•  Command and control
•  Inventory
•  Diagnostics

•  Revoke device access
•  Device profiling
•  Role derivation
•  Corporate vs employee liable

Page 6

Apple ‘over the air’ Profile Delivery

•  Phase 1: Authentication
  –  Ensures the enrollment request comes from an authorized user
  –  Captures device information for the enrollment process

•  Phase 2: Certificate enrollment (X.509 and SCEP)
  –  Obtain a signed X.509 certificate

•  Phase 3: Device configuration and encrypted profiles
  –  Delivery of the iOS configuration profile

•  After enrollment:
  –  Device installs the profile
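What the Phase 3 profile actually carries, and how to check it before it is pushed, as an added example that is not Aruba's or Apple's code. It assembles the `.mobileconfig` plist that the "Supplicant config", "Push trusted cert" and "Set auth type" items of the previous slide amount to: a trusted root payload, a PKCS#12 device identity (the certificate obtained in Phase 2), and a Wi-Fi payload locked to EAP-TLS that only trusts that root and the named RADIUS server. Payload keys follow Apple's Configuration Profile Reference; the SSID, identifiers, server name and the placeholder DER/PKCS#12 bytes are constructed for the example, and `weaken_profile` exists only to show what the checker catches.

```python
import plistlib
import uuid

EAP_TLS = 13                      # IANA EAP method type for EAP-TLS


def _payload(ptype, ident, name, **extra):
    """Common envelope every payload in a configuration profile carries."""
    return {"PayloadType": ptype, "PayloadIdentifier": ident,
            "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadVersion": 1,
            "PayloadDisplayName": name, **extra}


def build_profile(ssid, root_der, identity_p12, p12_password, trusted_server_names):
    """Return a .mobileconfig (XML plist bytes) for one EAP-TLS SSID."""
    root = _payload("com.apple.security.root", "com.example.byod.rootca",
                    "BYOD RADIUS root CA", PayloadContent=root_der)
    identity = _payload("com.apple.security.pkcs12", "com.example.byod.identity",
                        "BYOD device identity", PayloadContent=identity_p12,
                        Password=p12_password)
    wifi = _payload("com.apple.wifi.managed", "com.example.byod.wifi", "BYOD Wi-Fi",
                    SSID_STR=ssid, AutoJoin=True, EncryptionType="WPA2",
                    PayloadCertificateUUID=identity["PayloadUUID"],   # supplicant identity
                    EAPClientConfiguration={
                        "AcceptEAPTypes": [EAP_TLS],                  # no PEAP/MSCHAPv2 fallback
                        "TLSTrustedServerNames": list(trusted_server_names),
                        "PayloadCertificateAnchorUUID": [root["PayloadUUID"]],
                        "TLSAllowTrustExceptions": False,             # no click-through on a bad cert
                    })
    profile = _payload("Configuration", "com.example.byod.profile", "BYOD onboarding",
                       PayloadContent=[root, identity, wifi])
    return plistlib.dumps(profile)


def check_profile(blob):
    """Return findings for any Wi-Fi payload that would let a rogue RADIUS server in."""
    profile = plistlib.loads(blob)
    payloads = profile.get("PayloadContent", [])
    by_uuid = {p["PayloadUUID"]: p for p in payloads}
    wifi = [p for p in payloads if p.get("PayloadType") == "com.apple.wifi.managed"]
    if not wifi:
        return ["no com.apple.wifi.managed payload"]
    findings = []
    for w in wifi:
        ssid, eap = w.get("SSID_STR", "?"), w.get("EAPClientConfiguration", {})
        if eap.get("AcceptEAPTypes") != [EAP_TLS]:
            findings.append(f"{ssid}: AcceptEAPTypes {eap.get('AcceptEAPTypes')} is not EAP-TLS only")
        if not eap.get("TLSTrustedServerNames"):
            findings.append(f"{ssid}: no TLSTrustedServerNames, any cert under the anchor is accepted")
        anchors = eap.get("PayloadCertificateAnchorUUID") or []
        if not anchors or any(by_uuid.get(a, {}).get("PayloadType") != "com.apple.security.root"
                              for a in anchors):
            findings.append(f"{ssid}: anchor does not point at a root payload in this profile")
        if eap.get("TLSAllowTrustExceptions", True):       # Apple's default is True
            findings.append(f"{ssid}: TLSAllowTrustExceptions lets the user accept an untrusted server")
        ident = by_uuid.get(w.get("PayloadCertificateUUID"), {})
        if ident.get("PayloadType") != "com.apple.security.pkcs12":
            findings.append(f"{ssid}: no PKCS#12 identity payload for the device credential")
    return findings


def weaken_profile(blob):
    """Strip server-name pinning and allow trust exceptions (to exercise the checker)."""
    profile = plistlib.loads(blob)
    for p in profile["PayloadContent"]:
        if p.get("PayloadType") == "com.apple.wifi.managed":
            p["EAPClientConfiguration"].pop("TLSTrustedServerNames", None)
            p["EAPClientConfiguration"]["TLSAllowTrustExceptions"] = True
    return plistlib.dumps(profile)


# Placeholder bytes stand in for the DER root certificate and the PKCS#12 identity.
FAKE_ROOT_DER = b"\x30\x03\x02\x01\x00"
FAKE_IDENTITY_P12 = b"\x30\x03\x02\x01\x00"

if __name__ == "__main__":
    good = build_profile("corp-byod", FAKE_ROOT_DER, FAKE_IDENTITY_P12, "changeit",
                         ["radius.corp.example"])
    print("good profile findings:", check_profile(good))
    print("weak profile findings:", check_profile(weaken_profile(good)))
```

The two settings `weaken_profile` removes are the ones that matter for a rogue access point: without `TLSTrustedServerNames` any server certificate chaining to the pushed root is accepted, and with `TLSAllowTrustExceptions` left at its default the user can tap through to an untrusted server. A real deployment would feed the actual CA DER and the SCEP-issued identity into `build_profile` and sign the resulting plist before delivery.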

Page 7

iOS User Scenario

Page 8

Challenges with MDM for BYOD

•  Diversity
  –  Multiple manufacturers, multiple operating systems, multiple ecosystems
  –  New devices and software revisions every day

•  Feature parity across BYOD devices
  –  How do I enforce common policies across mobile and traditional laptop devices?
  –  Do I have remote wipe for a BYOD Windows laptop?

•  Integration with infrastructure
  –  Another piece of the puzzle

Page 9

Secure the Network or the Device

•  Network approach:
  –  Enrollment workflow, simple and intuitive
  –  Per-device credential that can be revoked
  –  Strong application and firewall security, web-based apps
  –  VDI from Citrix or others

•  Device approach:
  –  Enrollment workflow, simple and intuitive
  –  Install a persistent software client
  –  Issue a per-device credential
  –  Manage mobile devices with a point solution, but with full control

Page 10

A Mobility-Centric Access Network

Mobility Access Network Architecture: three layers linked by NAS policy and monitoring.

•  Policy Definition and Control
  –  AAA services, policy management, NAC, BYOD, guest

•  Policy Enforcement
  –  Security policies; L4-7 application delivery policies
  –  WLAN, wired, remote; role-based access

•  Visibility and Management
  –  Network management, security management, device management, application visibility, location services

Page 11

Thank You