Aerohive Networks and ZScaler, the technology solutions for the new mobile ecosystem

The technology solutions for the new Mobile ecosystem: Aerohive Networks and ZScaler. Tuesday, 28 May 2013

Page 1: Aerohive Networks and ZScaler, the technology solutions for the new mobile ecosystem

The technology solutions for the new Mobile ecosystem: Aerohive Networks and ZScaler

Tuesday, 28 May 2013

Page 2

Miriade Spa, an IT consulting company based in Thiene (VI), puts companies' information assets at the center of its business, providing solutions for the protection, integration and analysis of corporate data. Founded in 2000, the company has a staff of 35 employees.

The company is organized into 6 technical areas: Architecture, Intelligence +, Database, Development, Cloud, Mobility. Among the various companies we work with are: Diesel, Benetton, Calzedonia, Tecnica, Lotto.

Page 3

Simpli-Fi Enterprise Networking

Page 4

© 2012 Aerohive Networks CONFIDENTIAL

Introduction to Aerohive:

• Visionary Network Infrastructure Company
› Cloud-enabled, Controller-less Wi-Fi, Routing, VPN, Switching
› 5000+ Customers
› 350+ Employees
› Most Visionary Vendor - Gartner MQ for Wired & Wireless LAN 2012

Branch & Teleworker Routers

Enterprise Wi-Fi

Cloud Services Platform

Public Partner Private (on-premise)

Education Enterprise Healthcare Retail Logistics

Switches

Page 5

New Requirements of the Network Edge

Users want to work anywhere, on any device

You need to enable them, without drowning in complexity

Yesterday

• Corp deployed enterprise devices

• WLAN overlay

• Network centric

• Monolithic

Today

• Corp / BYOD enterprise / consumer devices

• Ubiquitous Wi-Fi Access

• User Centric

• Elastic

Cloud-enabled, self organizing, service aware, identity-based infrastructure

Aerohive Networks - Simpli-fi Enterprise Networking

Page 6

Enterprise Deployments

HQ Retail

Edu

iPad 1:1

Faculty, Guests

Apple TVs

Branch

Unified Wired, Wi-Fi, VPN, FW

Virtualized Mgmt & VPN Termination

Wi-Fi Primary Access

Guest, Corp, BYOD

Guest, Corp, BYOD

Teleworker

Work, Home, 4G, Cloud Security

Credit Cards. PCI, Inventory, Voice, Kiosks

Logistics

Coverage, Reliability, Voice Picking,

Outdoor

Healthcare

EMR, eMAR, Asset Tracking, Voice Messaging

High Density, AD integration, Bonjour, Ease of Use

Cloud-enabled

Data Center

Performance, Receive Sensitivity, MDM enrollment

Page 7

No data bottlenecks

Service Level Agreements

QoS & Spectrum analysis included

Distributed (Controller-less) Wi-Fi Architecture: Delivering simplicity, reliability and affordability

Management

Redundancy

Scalability and future proofing

Performance

Centralized cloud-based or local management

Management within the network only

No single point of failure

Self healing mesh architecture

No controller tax

Requires multiple controllers

Local data forwarding..what do you lose?

No feature licensing

Start small and grow

Distributed intelligence

Controller capacity?

Feature licenses?

Data bottlenecks

QoS, Spectrum analysis..$$$

(FW, RADIUS, CWP, BYOD, Bonjour GW)

How does it work? Architectural Alternatives Central Vs. Distrib. Control

Page 8

How does it work?

A single HiveAP by itself acts as a full-featured enterprise class access point

Identity-based security, including stateful inspection FW, rogue detection & mitigation

Airtime Scheduling, SLA compliance and local forwarding implemented at the edge

HiveAPs are discovered, policy is pushed and the WLAN is operational

HiveManager is a single mgmt interface for configuration, OS updates & monitoring of thousands of devices

With a second HiveAP, fast stateful roaming, cooperative RF, station load balancing and seamless resiliency are enabled

Mesh networking and best path forwarding can be used for extra resiliency and reachability

Dynamically reroutes around failures

As more HiveAPs are added, coverage, reliability and backhaul bandwidth increase

Cooperative RF power levels minimize co-channel interference

With Cooperative Control, clients can securely and seamlessly roam across the WLAN

Dynamic best path forwarding and stateful roaming provide resiliency without a single point of failure

Wireless Network

Wired Network

HiveManager NMS

Reporting Heat Maps

SLA Compliance

Policy Configuration

Page 9

Load Balancing

Layer 3 Roaming

5 GHz

Resilient Mesh

Layer 2 Roaming

Band Steering

2.4 GHz

54Mbps

450Mbps

11Mbps

SLA, QoS & Dynamic Airtime Scheduling

High Powered Radios, Receive Sensitivity & RRM

Enterprise Wi-Fi Features

Optimization Mobility

Distribution

Receive Sensitivity

Layer 2/3 Roaming

Page 10

BYO and Corp Deployed Devices

Access defined by ID & Device

RADIUS

PPSK

CWP

L2-4 Firewall

Corp user

Corp user - BYOD

Guest user

CORP Policy

Corp VLAN

LAN & Web FW

10Mbps per user

24HR Access

BYOD Policy

Restricted VLAN

Email & Web FW

5Mbps per user

M-F 8am-9pm

GUEST Policy

DMZ

Web Only FW

1Mbps per user

M-F 9am-5pm

User Profiles


OS Detection

MDM Enrollment

Bonjour Gateway

www Corp

Guest, BYOD

AppleTV(AirPlay)

Printer(AirPrint)

Bonjour

www Corp

MDM

Quarantine

Enroll

BYOD & MDM Bonjour GW

Page 11

Security and Authentication Features

Captive Web Portal


Wireless Intrusion Prevention

Remote Site Content Security

WIPS

Directory Integration

Private PSK

Multiple CWPs able to serve scalably from every AP

Multiple users, same SSID - easy but unique revocable keys

• Authentication support for common directory servers

• Eliminates standalone RADIUS server

• Credential caching for remote/branch survivability

Stateful Inspection FW

• MAC (L2) based firewall

• Stateful TCP/IP firewall (L3/L4)

• ALGs for DNS/FTP/SIP

• Policy Based Client Isolation

Page 12

Cloud-enabled Networking

Routing, VPN and Wired features


PoE PoE

• SIP/SCCP/SpectraLink support

• Auto-sensing of IP phones

• 802.1X/Access control

• Dynamic QoS for voice traffic

3G/4G

Unified Wired & Wireless Mgmt

Wi-Fi

Wired

Routing / FW

VPN

Same Policy and Network

Address/L3 Service PoE-PSE, 3G/4G USB

L3 IPSec VPN Robust Voice Support

Branch on Demand

Page 13

Support

Manage

Monitoring and Reporting Features


Cloud Management

Spectrum Analysis

Client Monitor & Packet Capture

Simple GUI

Topology & Location Tracking

PCI Compliance

Monitor

Management Views

Page 14

Less Operational Costs

Less Infrastructure Costs

Reduced Capex and Opex


Client Health Score 

 

Good connection

High data rates & high successful transmission rates

Marginal connection

Lower data rates / lower successful transmission rates

Poor connection

Low data rates / low successful transmission rates

Cloud Management

Zero Touch Provisioning Self Healing

Client Health Score

Page 15

MANAGEMENT PLAN

• ON PREMISE

• The customer purchases the Aerohive devices (APs and/or branch routers) together with the HiveManager Appliance, which can be physical or virtual, to manage them.

• The devices come with support provided by Aerohive (mandatory for the first year), which guarantees 8x5 assistance by phone and e-mail and return-to-factory hardware replacement.

• The devices are owned by the customer.

• CO-SOURCING (Managed by Miriade)

• The customer purchases the Aerohive Wi-Fi service from Miriade for three years; Miriade supplies the devices to the customer and manages them through its own HiveManager Appliance, following the instructions, rules and policies provided by the customer.

• Each month Miriade will provide the customer with detailed reporting on the activity that took place over the Aerohive Wi-Fi network.

• Miriade will provide the customer with 8x5 support and return-to-factory hardware replacement. The devices remain the property of Miriade.

For more info: [email protected]

Page 16

Q & A

Questions?

Page 17

Enabling Business Beyond the Corporate Network.

Secure solutions for mobility, cloud and social media.

Page 18

The Cloud Security Company

3 Trends Transforming IT

90% - Users work from home or on-the-go

50% - Users who BYOD

Smartphones are now the world's dominant computing device.

74% of companies are using cloud apps

1 in 5 execs have purchased cloud apps without IT’s knowledge

SaaS applications growing 5x faster than software

75% of employees use Facebook at work

178: average # of social accounts in the enterprise

30 billion pieces of content shared each month on Facebook.

New IT world requires cloud-based protection

Mobility Cloud Apps Social Media & streaming

IT transformation has turned traditional security (appliances) upside down.

Mobile users bypass appliances to access cloud apps and create policy issues.

Page 19

Current Approaches: Lots of Appliances or Backhaul Traffic

©2012 Zscaler, Inc. All rights reserved.

Anti-spam Encryption Directory

HQ

Mobile devices and users are usually unprotected

To save cost of appliances, customers backhaul traffic to HQ

BW cost on MPLS; Latency

• Lots of point products at DMZ

• Cost, IT overhead

To get same protection, need to replicate same appliances at each office gateway

Cost & Complexity

Regional Office

On-the-go

Home or Hotel

URL

AV

Zero-day Web 2.0

Reporting

Data Loss

Too Costly: Acquiring, deploying, managing appliances

Regional Office

Internet

Page 20

Zscaler: Secure Internet Gateway

One Gateway to protect all of your users - on any device, anywhere

Regional Office

Home or Hotspot

World’s largest cloud. Integrated security for Web, Mobile & Email

Business enabler of mobility, cloud and social media safely

Hardware

Software

HQ

On-the-go

Global Security Check Post

Enforce business policy

Nothing good leaks out, nothing bad comes in

Web

SaaS Services

Email Services

Mobile Apps

Internet Services

Mobile & Distributed Workforce

Page 21

How it works

Regional Office

HQ

Internet

Easy to deploy and manage. Enables IT to focus on strategic/architectural issues

MOBILE EMAIL

WEB

Define Policy at a central portal Admin

Forward traffic (Configure FW or router)

Enforce policy bi-directionally

Home or Hotel

Same policy for mobile users

Real-time Visibility

Admin

We provide global infrastructure. You retain full control

Page 22

Global Protection by World’s Largest Security Cloud

Purpose-Built Architecture - Multi-tenant, Distributed

1. Brain/Nervous system, Policy, Real-time threat updates

2. Onramp to Internet, Executes policy

3. Policy follows the user to the nearest ZEN

4. Logs consolidated & correlated in real-time

NanoLog Clusters

ZEN (N)

ZEN2

Zscaler Enforcement Node

ZEN1

Central Authority

Same policy & protection, near-zero latency for a user anywhere

Multi-tenant: Use any Data Center

ShadowPolicy™: Policy follows the user

Ultra-fast: Little processing latency

High Availability: Failover across DCs

Page 23

Deployment considerations

No HW, no SW, no client-side agent

Traffic forwarding

– from the infrastructure – GRE Tunnels, PBR, Proxy chaining

– from the workstations – explicit proxy or PAC file (hosted in cloud)

– Various ways to enforce Cloud usage

Authentication

– Users & groups have to be known by Zscaler for policies & reporting

– Hosted User Database or Sync. with AD / LDAP

– Registration phase usually requires username & password – only once

» Authentication then is transparent

– SAML / ADFS as an elegant SSO solution for transparent auth.

Page 24

Why Global 2000 Trust Zscaler Security Cloud

Data Privacy & Security

Unparalleled Privacy

• Guaranteed regional log storage to meet country or region’s privacy requirements

• Data Obfuscation

• SAS 70 II certified DCs

Secure By Design

• 100% secure and encrypted communication cloud-wide

• 55+ Patents Governing Zscaler’s Developed Cloud Architecture

Visibility & Transparency

Complete Visibility into Cloud Operations

• Public dashboard of real-time status – trust.zscaler.com

• 300+ Monitors, Every Node, Every Second

Service Excellence Commitments

• Real-time Logging, Latency, Availability Service Level Agreements

Availability & Scale

Redundancy at Every Layer

• Within Datacenter: Clustered

• Between Datacenters: 90+ Datacenters Globally with Automatic Traffic Re-Routing

• Cloud Wide: Multiple World Class Datacenter and Internet Service Providers

Massive Scale: 150 billion transactions per month

Purpose-built architecture for 100% Availability, backed by strong SLAs

Page 25

Most Visionary & Market Leader

…the fastest-growing vendor…

…earned the strongest score in Completeness of Vision…

…cloud has the largest global footprint…

…Zscaler is a very good candidate for most enterprises…

“Zscaler exhibits the qualities of a market penetration leader.”

Page 26

Pricing Overview: Web Suites

Package / Features / Benefits / Cost

Premium (diagram labels): Zscaler Platform, DLP, BW, Web 2.0, URL Filtering, Browser Policy, Adv Threats, AV/AS, Policy and Reporting

Standard (diagram labels): Zscaler Platform, URL Filtering, AV/AS, Policy and Reporting

Advanced (diagram labels): Zscaler Platform, Web 2.0, URL Filtering, Adv Threats, AV/AS, Policy and Reporting

Standard

Features

Anti-Virus and Anti-Spyware

• Inline ultra-low latency Virus/Spyware protection

• Any file size including multilevel archives

URL Filtering

• User, Group or Location level granularity for Policy

• 6 Classes, 30 Super Categories and 90 Categories

• Dynamic Content Classification of Unknown Sites

• Ability to modify categories or add new categories

Benefits

• Complete Inbound/Outbound protection

• Enforce Acceptable Usage Policy

• Minimize Productivity and Bandwidth Loss

• Real-Time Reporting of Internet Usage by Users, Departments or Locations

• Protect all users in office or on the road

Advanced

Features

Standard Bundle +:

Advanced Threats

• Zero Day Attacks, Browser Vulnerabilities and Bots

• Web 2.0 threats: XSS, Cookie Stealing, Phishing

• Block Anonymizers, P2P, Skype, BitTorrents

Web 2.0 Control

• Granular control of 100 popular Web2.0 apps:

• Facebook, Gmail, YouTube, etc

Benefits

• Protect against latest Web 2.0 threats

• Protect employees’ personal information

• Detect and block proxy-avoidance tools

• Minimize Risk by blocking uncontrolled apps

• Minimize Risk of Infection by enforcing safe browsers and plugins.

• Limit risk without affecting productivity:

• Allow only HR to post on LinkedIn

• Allow Gmail, but block attachment

Premium

Features

Advanced Bundle +:

Data Leakage Prevention

• Scan all web traffic leaving the organization

• Log or Block transactions with confidential data

• Scan Microsoft documents, PDFs and Zipped files

• Predefined dictionaries for: Credit Cards, SSN, Source Code, Financial or Medical Statements, Salesforce docs etc.

• Predefined Engines for HIPAA, PCI, etc.

Bandwidth optimization for specific web apps

Web Access Control

• Warn against use of vulnerable browsers/plugins

Benefits

• Minimize risk due to new Web 2.0 apps

• Scan all webmails, IM attachments, blog posts

• Add another layer towards compliance to industry or government regulation

• DLP policy at user, department, location level

• Real-Time transaction level reports

• Ensure Webex is not affected by Youtube

Page 27

Q&A

Questions?

Page 28

Thank you for your attention!

For questions or information:

[email protected]

www.miriade.it