Extreme Networks NAC

EAST GRAND RAPIDS PUBLIC SCHOOLS
Jeff Crawford
Manager of Networking and Security
East Grand Rapids Public Schools
Educating and inspiring each student to navigate successfully in a global community
The Problem
•  Adding a user centric security appliance to
support a BYOD environment while not adding
additional layers of authentication.
The Solution
Wired Infrastructure
•  Extreme Networks
Matrix N7 Core Switch
•  Extreme Networks
SecureStack C3 Series
Distribution Layer
•  Extreme Networks
SecureStack B3/D2 Edge
Layer
Wireless Infrastructure
•  Extreme Networks
Redundant C4110
controllers
•  274 x 3610 access points
–  AP in every “teaching
space”
–  30 dedicated sensors
Palo Alto NGFW
•  Palo Alto Networks next-generation firewalls offer a
flexible security platform that
can be deployed to address your
unique business initiatives.
Whether your IT initiatives
range from addressing mobility
and BYOD issues, to enabling
security for your dynamic
virtualized datacenter, we can
help solve your needs. We
understand the challenges you
face, and can provide a security
offering that empowers your
users and aligns with your core
business objectives.
Palo Alto User-ID Agent
•  User-ID seamlessly integrates Palo Alto Networks next-generation firewalls with a wide range of user repositories and terminal services environments. Depending on your network environment, there are a variety of ways you can map a user's identity to an IP address. Some of these include:
–  Authentication events
–  User authentication
–  Terminal services monitoring
–  Client probing
–  Directory services integration
–  Syslog Listener and a powerful XML API
•  The user identity, when tied to the application activity, provides you with more complete visibility into usage patterns, greater policy control, and more granular logging, reporting and forensics capabilities.
NetSight Management Suite (NMS)
NetSight, Extreme Networks management application, provides
centralized visibility and granular control of enterprise network
resources. NetSight is distinctive for granularity that reaches
beyond ports and VLANs down to individual users, applications,
and protocols. NetSight increases efficiency, enabling IT staff to
avoid time-consuming manual switch-by-switch configuration
tasks. NetSight fills the functionality gap between traditional
element managers that offer limited vendor-specific device
control, and expensive, complex enterprise management
applications. NetSight is a key component of Extreme Networks
networking solutions and assures that network operations are
aligned with the business, operationally efficient, and secure.
•  Specialized identity and access management for visibility and control of users' devices
•  Unified LAN/WLAN management system automates management tasks to significantly reduce IT administrative effort
•  Provisions role-based access controls for wired and wireless environments
•  Simplifies configuration change and troubleshooting procedures
•  Anytime, anywhere management from popular mobile devices for the fastest response times
•  Enables easy policy deployment aligned with industry-specific best practices
Extreme Networks NAC
Extreme Networks Access Control (NAC) is a
complete standards-based, multi-vendor
interoperable pre-connect and post-connect
Network Access Control solution for wired and
wireless LAN and VPN users. Using Extreme
Networks NAC Gateway appliances and/or
NAC Gateway Virtual Appliance with NetSight
NAC management configuration and reporting
software, IT administrators can deploy a leading-edge NAC solution to ensure only the right users
have access to the right information from the
right place at the right time.
•  Pre-connect and post-connect Network
Access Control (NAC)
•  Solution for wired/wireless LAN and VPN
users
•  Managed guest access control with
sponsorship
•  Unified policy management
OneFabric Connect SDN (formerly
Fusion Module)
Extreme Networks OneFabric Connect is a proven SDN
solution that makes it easy for organizations to
programmatically integrate and control new apps and
services – with network wide visibility, flexibility,
simplicity and scaling. An open, bidirectional and
programmable solution, OneFabric Connect provides
intelligent, centralized management and control for both
wired and wireless networks. Currently available services
include Data Center Management, MDM, and other
network functions. Extreme Networks has developed a number of predefined
integrations that allow programmatic control of VM, MDM, web filtering and
firewall systems, and additional customer-defined integrations are always an
option. Customers can also develop their own integrations via the open,
XML/SOAP-based API.
•  Centralized Management & Control of both network and third party systems with OneFabric Control Center Advanced
•  Programmability of virtualization and application integration with OneFabric Connect
•  Open via XML/SOAP-based API provided by OneFabric Connect
OneFabric Solutions Architecture
PaloAlto Plugin v2.0.2 Requirements
•  Edge Switches must support RADIUS Accounting
and must be integrated within NAC.
•  Palo Alto NGFW version 5.0.2 or later installed
and running properly.
•  Extreme Networks NetSight 5.0 or later installed.
•  Extreme Networks NAC 5.0 or later is installed and
running properly with 802.1X or Web
Authentication / Registration where usernames are
populated into NAC Manager.
Overview of Integration
•  Configure separate or embedded User-ID Agent to accept User-IP
mappings over User-ID Agent XML API
•  Configure Palo Alto to send threat information to NetSight over Syslog
–  PaloAlto: -threatIpAddress $src -threatName "$threatid" -severity $severity
•  Configure NetSight and NAC to show “Top Applications” for an End-System based on Syslog information from Palo Alto
•  Install OneFabric Connect module (formerly Fusion module) on
NetSight appliance or server
•  Configure OneFabric Connect to communicate with the Palo Alto User-ID Agent XML API
•  Create Extreme Networks Policies based on threat information from
Palo Alto
Solution Benefits
•  Integrating Palo Alto’s next-generation firewall with Extreme Networks
Management Suite (NMS) addresses four considerations for user access:
–  This solution provides seamless application based policy enforcement at
the network edge (wireless and wired), data center edge and Internet edge.
–  Threats originating from internal users will be detected by the Palo Alto
firewall which will report the source IP address to Extreme Networks
NMS. The user will be located and quarantined, removing the threat and
preventing additional damage.
–  Extreme Networks NMS provides dynamic real time IP address to user
name / asset mapping for the Palo Alto firewall, eliminating complex
Active Directory integration.
–  State changes sent from Extreme Networks NMS when a user disconnects
from the network keep the firewall mapping tables current and eliminate
stale mappings.
User Connects
1.  User authenticates using 802.1X or captive portal
2.  Authentication request (802.1X from the switch or access point, or a captive portal login) is sent to NAC
3.  NAC approves authentication and informs point of connection
4.  NAC informs NetSight that user is in CONNECT state
5.  NetSight sends message based on CONNECT state to Palo Alto NGFW (Embedded User-ID Agent or dedicated User-ID Agent) that includes username and IP address mapping
User Disconnects
1.  Point of connection informs
NAC that state is now
disconnected or NAC sends
disconnect to point of
connection
2.  NAC informs NetSight that
user is in DISCONNECT
state
3.  NetSight sends message based
on DISCONNECT state to
Palo Alto NGFW (Embedded
User-ID Agent or dedicated
User-ID Agent) and Palo Alto
removes entry from User-IP
Mapping
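The CONNECT and DISCONNECT messages in the two flows above carry a Palo Alto User-ID XML API document. The Python below is an added example, not OneFabric Connect's, Extreme Networks' or Palo Alto's own code: it builds that document from constructed NAC-style end-system state events, drops events that could not produce a usable mapping, and shows how the document is addressed to the firewall's embedded agent. The event field names, the domain, the host name, the API key and the 60-minute login timeout are this example's assumptions; the `<uid-message>` layout and the `type=user-id&cmd=` call are the PAN-OS XML API forms.

```python
"""Build Palo Alto User-ID XML API messages from NAC end-system state changes.
Added example; not the OneFabric Connect module's own code."""
import ipaddress
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample events in the shape NetSight derives from NAC state
# changes. Field names ("state", "user", "ip") are this example's choice.
SAMPLE_EVENTS = [
    {"state": "CONNECT", "user": "EGRPS\\jcrawford", "ip": "10.20.30.40"},
    {"state": "CONNECT", "user": "EGRPS\\student1", "ip": "10.20.31.7"},
    {"state": "DISCONNECT", "user": "EGRPS\\student1", "ip": "10.20.31.7"},
    {"state": "CONNECT", "user": "", "ip": "10.20.31.99"},          # no username
    {"state": "CONNECT", "user": "EGRPS\\bad", "ip": "not-an-ip"},  # bad address
]


def build_uid_message(events, login_timeout_min=60):
    """Return a <uid-message> string: <login> entries for CONNECT events,
    <logout> entries for DISCONNECT events. Events with no username or an
    unparsable IP are skipped rather than sent as a half-formed mapping.
    The timeout on login entries is a safety net only: the DISCONNECT flow
    is what normally removes the mapping before it goes stale."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    login = ET.SubElement(payload, "login")
    logout = ET.SubElement(payload, "logout")
    for ev in events:
        try:
            ip = str(ipaddress.ip_address(ev["ip"]))
        except ValueError:
            continue
        user = ev.get("user", "").strip()
        if not user:
            continue
        if ev["state"] == "CONNECT":
            ET.SubElement(login, "entry", name=user, ip=ip,
                          timeout=str(login_timeout_min))
        elif ev["state"] == "DISCONNECT":
            ET.SubElement(logout, "entry", name=user, ip=ip)
    return ET.tostring(root, encoding="unicode")


def login_entries(xml_text):
    """(name, ip, timeout) tuples from the <login> section, for checking."""
    root = ET.fromstring(xml_text)
    return [(e.get("name"), e.get("ip"), e.get("timeout"))
            for e in root.findall("./payload/login/entry")]


def logout_entries(xml_text):
    """(name, ip) tuples from the <logout> section, for checking."""
    root = ET.fromstring(xml_text)
    return [(e.get("name"), e.get("ip"))
            for e in root.findall("./payload/logout/entry")]


def uid_api_url(firewall_host, api_key, xml_text):
    """XML API URL for the embedded agent; host and key are hypothetical."""
    qs = urllib.parse.urlencode({"type": "user-id", "key": api_key, "cmd": xml_text})
    return f"https://{firewall_host}/api/?{qs}"


def send_to_firewall(firewall_host, api_key, xml_text, timeout_s=5):
    """Submit the message; not exercised here because it needs a live firewall."""
    with urllib.request.urlopen(uid_api_url(firewall_host, api_key, xml_text),
                                timeout=timeout_s) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    msg = build_uid_message(SAMPLE_EVENTS)
    print(msg)
    print(login_entries(msg), logout_entries(msg))
```

The dedicated User-ID Agent takes the same `<uid-message>` document over its own XML API listener rather than the firewall URL, so only `uid_api_url` changes between the two deployment options the flows mention.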
Application Visibility
1.  Palo Alto sends
application information
to NetSight via Syslog
2.  NetSight informs NAC to
adjust policy based on
application information
3.  NAC modifies policy on
switch via the RADIUS
Filter-Id attribute or Extreme
Networks proprietary policy
4.  NetSight displays
application information
in OneView Reports
Disconnect based on threat
1.  Palo Alto sends threat
information to NetSight
via Syslog
2.  NetSight informs NAC to
reject based on threat
information
3.  NAC sends REJECT to
point of connection
4.  NetSight displays threat
information in OneView
Reports
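The threat syslog line configured in the Overview of Integration (`PaloAlto: -threatIpAddress $src -threatName "$threatid" -severity $severity`) is what NetSight parses in step 1 above before telling NAC to reject. The Python below is an added example of that parse-and-decide step and is not NetSight's or NAC's code. The syslog lines are constructed for the example; the severity threshold and the restriction to the site's own address space are this example's own policy choices, added because the firewall's `$src` only identifies an end-system when it is an internal address (for an inbound threat `$src` is the external attacker, and there is nothing on the LAN to reject).

```python
"""Parse the custom Palo Alto threat syslog format and decide which internal
end-systems NAC should reject. Added example; not NetSight's own logic."""
import ipaddress
import re

# Matches the page's custom format; the threat name is double-quoted because
# $threatid may contain spaces and parentheses.
THREAT_RE = re.compile(
    r'PaloAlto:\s+-threatIpAddress\s+(?P<ip>\S+)'
    r'\s+-threatName\s+"(?P<name>[^"]*)"'
    r'\s+-severity\s+(?P<sev>\S+)'
)
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Assumed site address space; anything else is not a NAC end-system.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample lines in the format the page configures.
SAMPLE_SYSLOG = [
    '<14>Oct  3 10:15:02 pa-fw PaloAlto: -threatIpAddress 10.20.31.7 -threatName "Generic Trojan Activity(1234)" -severity critical',
    '<14>Oct  3 10:15:09 pa-fw PaloAlto: -threatIpAddress 10.20.30.40 -threatName "HTTP Cookie Leak(5678)" -severity medium',
    '<14>Oct  3 10:15:11 pa-fw PaloAlto: -threatIpAddress 198.51.100.23 -threatName "Port Scan(8000)" -severity high',
    '<14>Oct  3 10:15:14 pa-fw PaloAlto: -threatIpAddress 10.20.31.7 -threatName "Generic Trojan Activity(1234)" -severity high',
    '<14>Oct  3 10:15:20 pa-fw PaloAlto: -threatIpAddress 10.20.32.5 -threatName "Coinminer C2 Beacon(9999)" -severity critical',
    '<14>Oct  3 10:15:22 pa-fw PaloAlto: -threatIpAddress 10.20.32.5 -severity high',  # no threatName
]


def parse_threat_line(line):
    """Return a dict for a well-formed threat line, else None."""
    m = THREAT_RE.search(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None
    sev = m.group("sev").lower()
    if sev not in SEVERITY_RANK:
        return None
    return {
        "ip": str(ip),
        "name": m.group("name"),
        "severity": sev,
        "rank": SEVERITY_RANK[sev],
        "internal": any(ip in net for net in INTERNAL_NETS),
    }


def triage(lines, min_severity="high"):
    """Decide which source addresses NAC should reject.
    Returns {"reject": sorted unique IPs, "ignored": n, "malformed": n}.
    A line is ignored when its severity is below the threshold or its source
    is outside INTERNAL_NETS; repeated hits on one host produce one reject."""
    threshold = SEVERITY_RANK[min_severity]
    reject, ignored, malformed = set(), 0, 0
    for line in lines:
        ev = parse_threat_line(line)
        if ev is None:
            malformed += 1
            continue
        if ev["rank"] < threshold or not ev["internal"]:
            ignored += 1
            continue
        reject.add(ev["ip"])
    return {"reject": sorted(reject), "ignored": ignored, "malformed": malformed}


if __name__ == "__main__":
    print(triage(SAMPLE_SYSLOG))
```

Counting malformed lines separately matters operationally: if the firewall's log format is edited, every line stops matching, and a silently empty reject list would look like a quiet network rather than a broken integration.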
OneView Reports
Extreme Networks Purview
•  Pervasive – Visibility across the entire enterprise. Most other solutions are placed at a choke point, limiting the view AND the scale
•  Hardware Embedded, Scalable, No Network overlay – N-packet mirror, CoreFlow2 enables millions of flows with deep packet inspection (DPI) at Terabit speeds without impacting the network
•  Massive and Open / Customizable Signature Set – Currently supporting more than 6900 applications with over 12,500 signatures that are public and can be easily customized by the customer, partner, or professional services
•  Intelligent Application Awareness – uses application layer metadata: browser user-agent strings, cookie information, SSL certificate common/organization names, HTTP request methods, and more. Allows categorization of sub-applications (i.e. Google Docs vs. Gmail)
•  Application Health – compare application response with network response
•  Contextual integration – use NAC for location, who, what, when, etc. within a single architecture and database. (Apps are associated with users)
•  Security – Security teams are eager to have more insight into application usage among users
•  Simplified Integration with OpenConnect SDN API – other applications can be easily integrated, e.g. the Extreme Networks SIEM product and Splunk software are already integrated