DYNAMIC SECURE MOBILE ACCESS


Introduction

The strong growth in the tablet and smartphone markets in both the consumer and corporate spheres makes it necessary to implement solutions able to offer enough flexibility and control to satisfy both users and administrators alike.

The trend towards BYOD (Bring Your Own Device) is becoming increasingly significant as it allows employees to come with their own equipment, reducing the costs of acquiring IT equipment for the company.

This approach does however give rise to an additional burden that needs to be taken into consideration.

First, users expect devices to work in exactly the same way as their in-house equipment (PC or telephone) at the company.

Second, security is a requirement when rolling out these new devices. They therefore need to be identified and offered controlled access to infrastructure and applications.

The DSMA (“Dynamic Secure Mobile Access”) solution from Enterasys and UCOPIA Communications enables these challenges to be met. It offers administrators tools to identify and trace all mobile resources that wish to connect to the corporate network. In addition, Enterasys’ wireless technology brings flexibility and simple configuration, providing unprecedented ease of use for users.

The traditional approach

The implementation of a wireless network to connect mobile devices such as laptops or Wi-Fi telephones has traditionally been based on creating several SSIDs, each with a clearly delineated usage and its own security.

In terms of security, the market’s only response is often to implement the 802.1X protocol. Although complex to implement, this 802.1X protocol remains effective and appropriate for a corporate environment. Assuming, of course, that the mobile devices support it and that they belong to the company… Its limitations are therefore quickly reached once other devices wish to connect. It is advisable to create a new network for them, i.e. a new SSID, with all the associated configuration and administrative burden that comes along with this.

In order to cope with a deluge of in-house laptops, Wi-Fi telephones, tablets and smartphones, a vast array of configurations and networks, all needing to be managed, could soon result. Users are faced with a choice to make: which network should I connect to? The answer to this question would depend on where they are and the device they are using. Not easy for users and time-consuming for administrators.


The answer: The DSMA solution

The Enterasys/UCOPIA Communications solution provides a simple and effective answer. It comprises the following components:

• A virtual Wi-Fi controller (or appliance)

• a/b/g/n access points

• A NAC (Network Access Control) controller to manage internal user profiles and their devices

• A UCOPIA controller to manage guest access and session traceability.

All controller components can be deployed virtually to make implementation and service continuity even more straightforward. The implementation of the DSMA solution makes it possible to identify all mobile devices and users connecting to the infrastructure. NAC will perform the profiling operation.

Associated with Wi-Fi terminals, the NAC is able to:

• identify each device dynamically by its MAC or IP address

• position it on a terminal and SSID

• determine its hostname, OS and type. Example: iOS (iPad, iPod, iPhone), Blackberry, Android, Windows, etc.

1. A single supervision and configuration tool

With the NMS tool, administrators are provided with a single platform for configuration and supervision of this environment. The integrated Wireless Manager is used to define SSIDs, topologies and security policies. The NAC Manager provides visibility into all connected devices. Based upon the device profile and user authentication, differentiated rules can be enforced based upon the device type, OS type, the time the connection is made, location, etc. As an example, this makes it possible to manage the same iPad differently depending on the time of day or connection location.

[Figure: DSMA architecture. Four virtual appliances, each with its own OS, run on a VMware virtualisation layer (ESXi) over an Intel-based x86 architecture: UCOPIA (guest portal, session logs), NAC (profiling, AAA), Wireless (Wi-Fi controller) and NMS (console, reporting).]


2. Simplified corporate wireless network access

A further advantage to the DSMA solution is simplified corporate wireless network access.


To achieve this, the DSMA solution sorts corporate devices from external devices (guests). The administrator is able to make use of an existing reference base, i.e. the corporate directory, whether opened with an LDAP connector or a Microsoft Active Directory. In this directory, all the company’s internal devices are listed in an OU (organisational unit) with their associated hostnames.

As NAC is able to identify devices by their hostname, it is easy to reference the directory upon a connection request, to see whether the mobile device attempting a connection is known and to apply the appropriate configuration. It is therefore straightforward to identify whether a resource is internal, and to do so through an LDAP control without requiring 802.1X to be implemented. At the network level, simple authentication by MAC address is enough to trigger this control.

802.1X can of course be used to distribute encryption keys for the devices concerned.

With the DSMA solution, users see only a single SSID. This step is therefore considerably simplified with the Enterasys wireless solution.


3. Traffic management by mobile device type

The Enterasys wireless solution is able to issue a role to each mobile device or user in the wireless network. Each role contains inbound and outbound filtering rules, along with QoS rules. All users or devices on the network can therefore receive the appropriate level of service for their needs, depending on their device or the application supported. This is necessary for ToIP, but proves just as useful for users and in particular for restricting the bandwidth used for online applications.

Since the anti-terrorist legislation n° 2006-64 of 23 January 2006, cafés, hotels, cybercafés, restaurants and airports, plus all individuals and organisations offering the public any connection of a kind enabling online communication by means of access to a network, including when this is free of charge, are obliged to store what is known as traffic data.

Corporate information system access security therefore requires two contrasting needs to be reconciled: one entails offering a network that is open to subcontractors, partners and other guests, the other entails providing system security while ensuring that only authorised users are able to access the right data at the right time from the right place. As the system is able to distinguish between connecting devices, guest devices will be associated with a “guest” profile and will be given appropriate access (security policy or filtering). For example, a guest accessing the network with an iPad will be associated with the guest network. The UCOPIA controller offers a captive portal to get Internet access.

4. Guest management by the UCOPIA controller

A single SSID contains several topologies and several security policies. Each security policy defines how communications are handled at the access point or controller level. Communications may be handled differently depending on whether the mobile device is identified or not. For example, traffic is escalated to the controller if the device is not authenticated, but may be handled locally by the access point once the device is authenticated. This is often impossible with competing solutions, which offer one global communication handling method for all access points. The flexibility that the DSMA solution offers makes it possible to limit the number of SSIDs visible to users. It is no longer necessary to find which SSID is able to host the device.
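The access decision described in sections 2, 3 and 4 (identify the device, check its hostname against the corporate directory, then hand it a role whose filtering and QoS rules depend on whether it is internal, guest, authenticated or not, and on time and location) can be sketched as a small policy engine. The following is an added illustration, not Enterasys or UCOPIA code: the directory OU, the role definitions, the device records and the rule thresholds (office hours, the "lobby" location, the rate limits) are all constructed for the example, and the LDAP lookup is replaced by an in-memory dictionary so it runs offline.

```python
import re
from dataclasses import dataclass
from datetime import time
from typing import Dict, Optional, Tuple

# Constructed stand-in for the directory OU that lists the company's own devices
# (hostname -> owner). In a DSMA deployment this is an LDAP / Active Directory
# query; a dict is used here so the example is self-contained.
CORPORATE_DEVICES_OU: Dict[str, str] = {
    "lt-alice-01": "alice",
    "ipad-finance-07": "finance",
    "voip-0321": "telephony",
}

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


@dataclass(frozen=True)
class Role:
    """A wireless role: inbound/outbound filter rules plus QoS (section 3)."""
    name: str
    inbound: Tuple[str, ...]
    outbound: Tuple[str, ...]
    qos_class: str
    rate_limit_kbps: Optional[int] = None   # None means no cap
    captive_portal: bool = False            # redirect to the guest portal
    local_breakout: bool = False            # traffic handled at the AP, not escalated


# Constructed role catalogue (names and rule strings are illustrative).
CORPORATE = Role("corporate", ("permit any",), ("permit any",), "best-effort", local_breakout=True)
VOICE = Role("voice", ("permit sip", "permit rtp"), ("permit sip", "permit rtp"), "voice", local_breakout=True)
GUEST = Role("guest", ("deny corporate-lan", "permit internet"), ("permit internet",), "background", rate_limit_kbps=2000)
GUEST_PORTAL = Role("guest-unauthenticated", ("deny any",), ("permit dns", "permit http-to-portal"), "background",
                    rate_limit_kbps=256, captive_portal=True)
QUARANTINE = Role("quarantine", ("deny any",), ("deny any",), "background")


@dataclass
class Device:
    """What NAC profiling yields for a connecting device (section 'The answer')."""
    mac: str
    hostname: str
    os: str                      # e.g. iOS, Android, Windows, VoIP
    ssid: str
    authenticated: bool = False  # captive-portal login (guest) or 802.1X (internal) completed


def is_internal(hostname: str, directory: Dict[str, str] = CORPORATE_DEVICES_OU) -> bool:
    """The LDAP-style control of section 2: is this hostname in the devices OU?
    Hostname and MAC are reported by the client, so this is an identification
    aid, not a cryptographic proof; the page notes 802.1X can still be used to
    distribute keys where stronger assurance is wanted."""
    return hostname.strip().lower() in directory


def assign_role(dev: Device, now: time, location: str) -> Role:
    """Map a profiled device to a role; one SSID, several policies (section 4)."""
    # A malformed MAC means the network-level identity is unusable: isolate it.
    if not MAC_RE.match(dev.mac):
        return QUARANTINE
    if is_internal(dev.hostname):
        if dev.os == "VoIP":
            return VOICE
        # The page's example: the same iPad treated differently by time and
        # place. Out of office hours in the lobby it only gets guest access.
        out_of_hours = not (time(8, 0) <= now < time(19, 0))
        if dev.os == "iOS" and location == "lobby" and out_of_hours:
            return GUEST
        return CORPORATE
    # Unknown device: guest path. Until portal login succeeds, traffic is
    # escalated to the controller (captive portal); afterwards the guest
    # role with its filters and rate limit applies.
    return GUEST if dev.authenticated else GUEST_PORTAL


def session_record(dev: Device, role: Role, now: time, location: str) -> Dict[str, str]:
    """Traceability entry of the kind the guest controller keeps per session."""
    return {
        "mac": dev.mac.lower(), "hostname": dev.hostname, "os": dev.os,
        "ssid": dev.ssid, "location": location, "time": now.isoformat(),
        "role": role.name, "portal": str(role.captive_portal),
    }


if __name__ == "__main__":
    ipad = Device("aa:bb:cc:dd:ee:02", "iPad-Finance-07", "iOS", "CORP")
    for when, where in ((time(10, 0), "hq"), (time(22, 0), "lobby")):
        r = assign_role(ipad, when, where)
        print(session_record(ipad, r, when, where))
```

Everything reaches the same SSID; what differs is the role the device is handed, which is the point the section makes about limiting the number of SSIDs visible to users.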

In summary, the DSMA solution makes it possible to define a single SSID for a multitude of devices, while guaranteeing

DSMA therefore offers controlled, tracked access for guests and internal users alike, whether they are using mobile devices belonging to the company or their own equipment, while providing and maintaining network security.

The solution is easy to implement, easy to use and effective, all while keeping operational costs low.

Conclusion


The advantages of the DSMA (Dynamic Secure Mobile Access) solution

• Simple and intuitive solution

• Comprehensive solution for a company’s guests and internal users

• Straightforward integration

• Dynamic recognition and management of mobile devices

• SSID unification

• Device integrity checking

• Configurable and flexible captive portal

• Traceability and reporting on Internet sessions for guests

• Unified LAN, Wi-Fi and NAC administration including reporting and supervision

• 802.1X and future Wireless Gigabit* compatible

• Compatible with existing PoE environments (11W max.)

• Multiple user profiles / custom security policies depending on user or device type

• Support for QoS and rate limiting by user role

• Support for 802.1X plus dynamic control by MAC and LDAP control

• Supports zero configuration for users

• Multiple account distribution options (delegation, SMS, email, etc.)

* with new access points

For more information about the Enterasys wireless solution: Wireless Access Points, Wireless controllers, Wireless Management.

About Enterasys Networks and Siemens Enterprise Communications

Siemens Enterprise Communications is a premier provider of end-to-end enterprise communications, including voice, network infrastructure and security solutions that use open, standards-based unified communications and business applications for a seamless collaboration experience. This award-winning “Open Communications” approach enables organizations to improve productivity and reduce costs through easy-to-deploy solutions that work within existing IT environments, delivering operational efficiencies. It is the foundation for the company’s OpenPath® commitment that enables customers to mitigate risk and cost-effectively adopt unified communications. Jointly owned by The Gores Group and Siemens AG, Siemens Enterprise Communications includes Cycos and Enterasys Networks. For more information about Siemens Enterprise Communications or Enterasys please visit www.siemens-enterprise.com or www.enterasys.com.

About UCOPIA Communications

UCOPIA Communications is a French publisher of mobility management solutions for Wi-Fi networks. Formed in 2002 by network technology experts, UCOPIA offers administration and security solutions for wireless networks. UCOPIA is a solution certified by ANSSI, the French Network and Information Security Agency. These solutions, aimed particularly at companies, educational establishments and government departments, allow users to connect securely to the network and use intranet, extranet and internet applications simply and safely. UCOPIA Communications develops and markets its offer using a European network of hundreds of integrators, experts in the network, IP convergence and security fields, but also specialising in specific sectors (hospitality, education, SMEs, etc.). Thanks to the expertise of this partner network, UCOPIA can advise and support its clients in their plans, regardless of their size or business. For more information on UCOPIA Communications, please visit www.ucopia.com

Contact us

Frédéric AGUILAR, Technical Director, +33(0)1 40 84 61 82, enterasys@ucopia.com

Marc-Albert BOLLINI, Sales Director, + 33(1)40 92 73 90, enterasys@ucopia.com