Aerohive and Palo Alto Networks
Partner Solution Brief
Introduction
Now that connecting wirelessly is the norm and users carry multiple devices for both business-critical
and personal activities, a solution that can identify users and enforce network access based on
identity, device type, location, and time of day is essential to support and maintain a mobility-optimized
network. Aerohive and Palo Alto Networks have joined together to provide next-generation application
visibility and control for the mobile-first community.
Aerohive's application visibility and policy enforcement functionality gives an administrator detailed,
granular information and controls to optimize the user application experience at the edge of the
network. Aerohive can customize how applications are prioritized, de-prioritized, or blocked based on
all available context, including the identity of the user, device type, location on the network, and the
time of day. This ensures that traffic is categorized, and where necessary blocked, before it reaches the
network infrastructure, saving resources and providing an extra layer of security. However, many
networks require aggregated controls as well as edge-based enforcement, and when the Aerohive
mobility-optimized access layer is combined with Palo Alto Networks' next-generation firewall,
administrators get a comprehensive solution that provides best-of-breed content security and
application monitoring for all users and devices connected to the network.
Aerohive has the advantage of knowing all the available user context because devices are connecting
and users are authenticating to the access points and switches directly in order to gain access to the
network. Palo Alto Networks firewalls, on the other hand, are generally installed at the gateway to the
network, and have visibility into everything coming or going in aggregate, but the user context is often
obscured due to all the network infrastructure between the gateway and the connected client.
Together, Aerohive and Palo Alto Networks solve the problems of the mobile-first enterprise by
combining information about user context with application visibility and controls.
The Aerohive and Palo Alto Networks Solution
Aerohive's Cooperative Control networking infrastructure equipment, together with Palo Alto Networks
next-generation firewalls, provides a comprehensive and robust solution for optimizing the user
experience on a mobile-first network. Together, the solution provides many benefits, including:
• Enhanced UserID Visibility and Enforcement – Aerohive devices can provide user identity, device
type, and IP address information to the Palo Alto Networks firewalls to enhance the UserID
functionality that allows Palo Alto Networks' firewalls to make policy decisions based on context.
• Client-less Operation – Aerohive learns the context from the existing interaction between the
connected clients and the Aerohive devices, so no client or profile needs to be installed on the
client devices.
• Comprehensive Application Visibility and Control – Together, Aerohive and Palo Alto Networks
allow administrators to enforce application controls at both the edge of the network and at the
gateway, ensuring applications are identified and prioritized, de-prioritized, or blocked based on
context at the ideal enforcement point.
• Zero-Cost Data Performance – Because this integration relies on information already available to
Aerohive devices as part of normal authentication, there is no in-line performance hit for using
this integration to enhance application control on the network.
How It Works
The Aerohive and Palo Alto Networks solution works with Aerohive HiveOS version 5.1r3 or later and Palo
Alto Networks PAN-OS version 4.0 or later. The solution requires the Aerohive administrator to set up
syslog logging on the Aerohive devices and point them at a syslog server that is capable of running scripts.
A script on that server parses the user details out of each authentication message and sends them either
to a server running the Palo Alto Networks User-ID agent, which in turn updates the firewall, or directly
to the firewall's XML API. Because the firewall will enforce policy on these IP-to-user mappings, the syslog
stream they come from should be trusted: accept messages only from the Aerohive devices' addresses and
keep the syslog server and the script host out of reach of client devices.
Step-by-Step
1. Configure Authentication
At the heart of this solution is the requirement for the Aerohive devices to know the identity of
the user accessing the network. The three most common ways Aerohive can identify a specific
user are A) 802.1X or WPA2-Enterprise; B) Private Pre-Shared Key (PPSK); or C) Captive Web Portal (CWP).
Therefore, the first step is to configure the Aerohive devices with SSIDs or ports that require one of
these types of authentication.
Copyright ©2013, Aerohive Networks, Inc.
2. Configure Syslog
The second step is to configure the Aerohive devices to report the information they know to a
syslog server. This can be configured per network policy in the Additional Settings –
Management Settings section.
Once the policy is configured and pushed to the Aerohive devices, HiveOS will begin generating
logs that include the user identity, IP address, and operating system and will send them to the
configured syslog server. Sample logs look like the following:
802.1X:
2013-04-01 14:06:05 info ah_auth: Station 1cab:a7e6:cf7f ip 10.5.50.52 username astrong hostname Strong-iPad3-6 OS Apple iOS
PPSK:
2013-04-01 14:43:18 info ah_auth: Station 1cab:a7e6:cf7f ip 10.5.50.52 username Buster Keaton hostname Strong-iPad3-6 OS Apple iOS
CWP:
2013-04-01 14:50:46 info ah_auth: Station 1cab:a7e6:cf7f ip 10.5.50.52 username abby@ahdemo.local hostname Strong-iPad3-6 OS Apple iOS
3. Scripted info sent to the User-ID API
Once the logs are collected on the syslog server, a script can parse the username, IP address, hostname,
and operating system fields and collate them into the XML format the User-ID API delivers to the Palo
Alto Networks firewall. There are two major parts to the script: data extraction and push to agent. In the
data extraction portion, a regular expression is used to parse the username, IP address, hostname, and
operating system of the connected client. Two points deserve attention here. First, depending on how
network authentication is configured, it may be necessary to prepend the domain to the username if it
is not included in the log message, because the firewall matches users as domain\username. Second, the
username pattern must accept whatever your users' names can contain: the PPSK sample above has a space
in the name and the CWP sample carries an @realm suffix, neither of which the \w+ pattern in the sample
script captures in full.
Sample script written for Kiwi Syslog Server:
' Copyright (c) 2013 Palo Alto Networks, Inc. <info@paloaltonetworks.com>
'
' Permission to use, copy, modify, and distribute this software for any
' purpose with or without fee is hereby granted, provided that the above
' copyright notice and this permission notice appear in all copies.
'
' THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
' WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
' MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
' ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
' WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
' ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
' OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
'
' Script takes syslog output sent from an Aerohive device to a Kiwi syslog server and
' updates the user-to-IP mapping on a User-ID agent or directly on the firewall.
' Log data is expected to look like:
'   2013-04-01 14:06:05 info ah_auth: Station 1cab:a7e6:cf7f ip 10.5.50.52 username astrong hostname Strong-iPad3-6 OS Apple iOS

Function Main() ' Kiwi Syslog requires the content of the script to be contained in a Main() function
    '---- CHANGE THESE TO MATCH AGENT OR FIREWALL ----
    strAgentServer = "10.3.3.16"
    strAgentPort = "5006"
    '---- CHANGE THIS TO MATCH AD DOMAIN NAME! ----
    strDomain = "Corp"
    '---- ADD API KEY HERE FOR AGENTLESS OPERATION (leave empty to post to the software agent) ----
    strKey = ""

    Set xmlHttp = CreateObject("Msxml2.ServerXMLHTTP")
    strLog = Fields.VarCleanMessageText ' Kiwi variable holding the content of the log message
    ' \w+ stops at the first non-word character: "Buster Keaton" yields "Buster" and
    ' "abby@ahdemo.local" yields "abby". Widen the pattern if your usernames contain spaces or realms.
    ptrn = "ip (\d+\.\d+\.\d+\.\d+).*username (\w+).*hostname (.*) OS (.*)"

    If InStr(strLog, "n/a") = 0 Then ' Skip messages that carry no username
        '// Create the regular expression.
        Set re = New RegExp
        re.Pattern = ptrn
        re.IgnoreCase = False
        re.Global = True
        '// Perform the search.
        Set Matches = re.Execute(strLog)
        If Matches.Count > 0 Then ' Matches(0) raises an error on a message that is not an auth log
            '// Collect matches and assign the user and address to variables
            Set oMatch = Matches(0)
            strAddress = oMatch.SubMatches(0)
            strUser = oMatch.SubMatches(1)
            strHost = oMatch.SubMatches(2)
            strOS = oMatch.SubMatches(3)
            '// Build the XML message. \w+ keeps strUser to word characters, but strHost and
            '// strOS are copied from the client's own message into the HIP report without XML escaping.
            strXMLLine = "<uid-message><version>1.0</version><type>update</type><payload><login>"
            strXMLLine = strXMLLine & "<entry name=""" & strDomain & "\" & strUser & _
                """ ip=""" & strAddress & """/>"
            If strKey <> "" Then
                strXMLLine = strXMLLine & _
                    "<hip-report><md5-sum>ae413e22b34a76366a542a1dd9b1108a</md5-sum>" & _
                    "<user-name>" & strUser & "</user-name><domain>" & strDomain & "</domain>" & _
                    "<host-name>" & strHost & "</host-name><ip-address>" & strAddress & "</ip-address>" & _
                    "<generate-time>" & Now & "</generate-time><categories><entry name=""host-info"">" & _
                    "<client-version></client-version><os>" & strOS & "</os><os-vendor></os-vendor>" & _
                    "<domain></domain><host-name>android</host-name></entry></categories></hip-report>"
            End If
            strXMLLine = strXMLLine & "</login></payload></uid-message>"
            '//
            '// Post to the User-ID agent or the firewall
            '//
            '// Option 2 is SXH_OPTION_IGNORE_SERVER_SSL_CERT_ERROR_FLAGS; 13056 ignores every
            '// certificate error, so the post does not verify the identity of the agent or firewall.
            Const SXH_SERVER_CERT_IGNORE_ALL_SERVER_ERRORS = 13056
            On Error Resume Next
            If strKey = "" Then ' Posting to the software agent
                sUrl = "https://" & strAgentServer & ":" & strAgentPort & "/"
                xmlHttp.open "put", sUrl, False
                xmlHttp.setRequestHeader "Content-type", "text/xml"
                xmlHttp.setOption 2, SXH_SERVER_CERT_IGNORE_ALL_SERVER_ERRORS
                xmlHttp.send strXMLLine
            Else ' Posting directly to the firewall's XML API (agentless)
                sUrl = "https://" & strAgentServer & "/api/?type=user-id&action=set&key=" & _
                    strKey & "&cmd=" & strXMLLine
                xmlHttp.open "put", sUrl, False
                xmlHttp.setRequestHeader "Content-type", "text/xml"
                xmlHttp.setOption 2, SXH_SERVER_CERT_IGNORE_ALL_SERVER_ERRORS
                xmlHttp.send
            End If
            Set xmlHttp = Nothing
        End If
    End If
    Main = "OK" ' Return value for Kiwi
End Function
4. Create Rules in the Palo Alto Networks firewall
Once the firewall has the additional User-ID information, it can enforce policies based on the available
context, such as group membership, device type, or IP address. Before relying on those policies, confirm
that the mappings are arriving: on the firewall CLI, show user ip-user-mapping all lists the current
IP-to-user table, and an entry pushed by the script should appear there for the client's IP address
shortly after the client authenticates.
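The extraction-and-push logic of step 3, rewritten in Python as an added example that is not part of the original brief or of either vendor's code. It parses all three HiveOS log shapes shown in step 2, including a PPSK name containing a space and a captive-portal name with an @realm suffix, drops stations that carry no identity, validates the address, and builds the uid-message with an XML library so that values copied from the client cannot break out of their entry the way plain string concatenation would. The sample lines are constructed; DEFAULT_DOMAIN, the rule that turns a realm into the domain, and the parameter names for the firewall call mirror the Kiwi script above and are assumptions to adjust for your deployment. The network call itself is left out so the code runs offline.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample lines shaped like the HiveOS ah_auth messages quoted in step 2
# (not captured from a real deployment). The last two are edge cases: a station that
# associated but never authenticated ("n/a") and a captive-portal name carrying a quote.
SAMPLE_LOGS = [
    '2013-04-01 14:06:05 info ah_auth: Station 1cab:a7e6:cf7f ip 10.5.50.52 '
    'username astrong hostname Strong-iPad3-6 OS Apple iOS',
    '2013-04-01 14:43:18 info ah_auth: Station 1cab:a7e6:cf7f ip 10.5.50.52 '
    'username Buster Keaton hostname Strong-iPad3-6 OS Apple iOS',
    '2013-04-01 14:50:46 info ah_auth: Station 1cab:a7e6:cf7f ip 10.5.50.52 '
    'username abby@ahdemo.local hostname Strong-iPad3-6 OS Apple iOS',
    '2013-04-01 14:55:10 info ah_auth: Station 0011:2233:4455 ip 10.5.50.53 '
    'username n/a hostname guest-phone OS Android',
    '2013-04-01 14:58:42 info ah_auth: Station 0011:2233:4466 ip 10.5.50.54 '
    'username evil" ip="10.5.1.1 hostname laptop OS Windows 7',
]

DEFAULT_DOMAIN = "Corp"  # assumed AD NetBIOS name, the script's strDomain

# Anchored on the fixed field order of the ah_auth message. The username group is
# non-greedy so it keeps spaces and @realm suffixes instead of stopping at them.
AUTH_RE = re.compile(
    r"ah_auth: Station (?P<mac>[0-9a-f]{4}:[0-9a-f]{4}:[0-9a-f]{4}) "
    r"ip (?P<ip>\S+) "
    r"username (?P<user>.+?) "
    r"hostname (?P<host>.+?) "
    r"OS (?P<os>.+?)\s*$"
)


def parse_auth_log(line):
    """Return a mapping dict for an ah_auth line, or None if it carries no usable identity."""
    m = AUTH_RE.search(line)
    if m is None:
        return None
    user = m.group("user")
    if user == "n/a":  # associated but not authenticated: nothing to map
        return None
    try:
        ip = str(ipaddress.ip_address(m.group("ip")))  # rejects malformed addresses
    except ValueError:
        return None
    domain = DEFAULT_DOMAIN
    if "\\" in user:  # DOMAIN\user as some 802.1X supplicants send it
        domain, user = user.split("\\", 1)
    elif "@" in user:  # user@realm from the captive portal or an EAP identity (assumed rule)
        user, domain = user.rsplit("@", 1)
    return {"mac": m.group("mac"), "ip": ip, "user": user, "domain": domain,
            "host": m.group("host"), "os": m.group("os")}


def build_uid_message(mappings):
    """Serialise login entries as the User-ID XML API's uid-message document.
    ElementTree escapes attribute values, so a quote or angle bracket inside a
    username cannot inject a second attribute or entry."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    for m in mappings:
        ET.SubElement(login, "entry", name=f"{m['domain']}\\{m['user']}", ip=m["ip"])
    return ET.tostring(root, encoding="unicode")


def login_entries(xml_text):
    """Parse a uid-message back into (name, ip) tuples; used to check what the firewall would see."""
    return [(e.get("name"), e.get("ip")) for e in ET.fromstring(xml_text).iter("entry")]


def firewall_api_params(api_key, xml_text):
    """Parameters for the XML API call the script makes with type=user-id and action=set.
    Send them in the body of an HTTPS POST to https://<firewall>/api/ with certificate
    verification left on, so the key does not travel in the URL."""
    return {"type": "user-id", "action": "set", "key": api_key, "cmd": xml_text}


def process(lines):
    """Parse a batch of syslog lines and keep only the ones that yield a mapping."""
    return [m for m in (parse_auth_log(l) for l in lines) if m is not None]


if __name__ == "__main__":
    print(build_uid_message(process(SAMPLE_LOGS)))
```

The hostile fifth line shows why the XML is assembled by a library: the quote in the name ends up as &quot; inside the name attribute, and the entry's ip attribute stays the address from the log rather than the one embedded in the username.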
Summary
Next-generation networking requires knowledge of user identity, device type, location, and time to
enforce granular policies that allow users to access the network according to their context. By
combining two best-of-breed solutions, Aerohive Networks and Palo Alto Networks allow customers to
optimize mobility and ensure security with granular, context-based application visibility and policy
enforcement both at the edge and at the gateway. Together, the solution provides unprecedented
visibility, monitoring, and policy controls for a mobile-first enterprise.
About Aerohive
People want to work anywhere, on any device, and IT needs to enable them without drowning in
complexity or compromising on security, performance, reliability or cost. Aerohive's mission is to Simpli-Fi
these enterprise access networks with a cloud-enabled, self-organizing, service-aware, identity-based
infrastructure that includes innovative Wi-Fi, VPN, branch routing and switching solutions.
Aerohive was founded in 2006 and is headquartered in Sunnyvale, Calif. The company's investors
include Kleiner Perkins Caufield & Byers, Lightspeed Venture Partners, Northern Light Venture Capital,
New Enterprise Associates, Inc. (NEA) and Institutional Venture Partners (IVP). For more information,
please visit www.aerohive.com, call us at 408-510-6100, follow us on Twitter @Aerohive, subscribe to our
blog, join our community or become a fan on our Facebook page.
About Palo Alto Networks
Palo Alto Networks™ next-generation firewalls enable unprecedented visibility and granular policy
control of applications and content – by user, not just IP address – at 20 Gbps network throughput levels.
Based on patent-pending App-ID™ technology, Palo Alto Networks firewalls accurately identify and
control applications – regardless of port, protocol, evasive tactic or SSL encryption – and scan content
to stop threats and prevent data leakage. Enterprises can, for the first time, embrace Web 2.0 and
maintain complete visibility and control, while significantly reducing total cost of ownership through
device consolidation.
Corporate Headquarters
Aerohive Networks, Inc.
330 Gibraltar Drive
Sunnyvale, California 94089 USA
Phone: 408.510.6100
Toll Free: 1.866.918.9918
Fax: 408.510.6199
info@aerohive.com
www.aerohive.com
International Headquarters
Aerohive Networks Europe LTD
The Court Yard
16-18 West Street
Farnham, Surrey, UK, GU9 7DR
+ 44 (0) 1252 736590
Fax: + 44 (0) 1252 711901