Networks of the Future will be about a great user experience, devices and things…
In an industry that is already well defined, Extreme Networks' recent announcement of the Automated Campus is a significant advance in networking. For the first time, all the essential technologies, products, procedures and support are gathered together and integrated. All too often, the piecemeal growth strategy typically applied in network evolutions results in too many tools, procedures and techniques. This patchwork-quilt approach precludes fast responsiveness and optimal operations-staff productivity, and sacrifices the accuracy and efficiency required to keep end users productive as well.
The most important opportunity to improve efficiency for governments today is in boosting the productivity of both end users and network operators. The Automated Campus must address the productivity of network planners and of network operations managers and staff. The often significant number of elements required in an installation can demand significant staff time and can, consequently, have an adverse impact on operating expenses (OpEx). While it is possible to build traditional networks that, when running correctly and optimally, get the job done, they often carry such high operating expenses that cost becomes the overriding factor controlling the evolution of the campus network. The Automated Campus will allow XYZ Account to address all of these issues and concerns. A key goal must be for XYZ Account to reduce the number of "moving parts" required to build and operate any campus and to introduce a level of simplicity and automation that will address your future.
Extreme's strategy for campus automation begins with rethinking the way networks are designed, deployed and managed. Extreme's Fabric-based networks enable faster configuration and troubleshooting; as a result, there is less opportunity for misconfiguration. Several automation solutions designed to enhance security often force network managers to accept complexity and degraded resilience in order to secure the network to meet local policies. Should a breach occur, containment to the affected segment protects the more sensitive parts of the network, resulting in a true dead end for the attacker. With Extreme's Automated Campus, services can easily be defined and provisioned on the fly without disruption: network operators specify which services are allowed or prohibited across the network.
Places in the network (featuring policy)
2018 Extreme Network of the Future
XYZ Account: connecting People, Processes, Data, and Things.
The reality of device creep (manage, discover and secure): 3 devices per user, going to 7.
2018 Wifi Design
Jeff Green
2018
Rev. 1
South
2.4 & 5 GHz Spectrum
802.11ac MU Platform: Wall Plate, Camera, High Temp
AP + PoE Switch (AP3912)
Delivers XYZ Account a unique fit...
• Simplifies installation by reusing existing Ethernet.
• BTLE or 802.15.4 and 3 LAN ports in a single Access Point.
• 1x 802.3af out to power devices.
• AP3912: 3x 1 Gbps; on-port authentication of devices.
Wired IoT AP + Camera (AP3916i)
Great utility; use cases include motion detection, face recognition, people counting and parking detection.
• 2x2 802.11ac Wave 2 - buy 1, get 2: eliminates the need to run a separate cable.
• Up to 2-megapixel 1920x1080 at 30 fps (H.264/MJPEG); microphone for audio.
• Combine with ADSP WIDS/WIPS.
Manual adjustment: 360° horizontal rotation, 90° vertical rotation.
AP3935i/e (high-density)
This is where XYZ Account's flow-based heavy lifting will be done.
• High density with flow-based 450 users/AP; 11ac Wave 2, 4x4:4; 3x MU-MIMO.
• Four dedicated single-band antenna ports per band (8 total), delivering no bottlenecks.
• Transparent PoE failover.
Drop Ceiling Bracket
The tough guy (-40C to 70C).
Cellular Coexistence Filter (ACF): minimizes interference from 3G/4G, distributed antenna and commercial small cell/femtocell systems.
• One Ethernet client port for device chaining, to drive connectivity for outdoor cameras.
• Dual concurrent 2.4 GHz and 5 GHz 802.11ac Wave 2, 2x2:2 radios.
• Future for Industrial IoT (ISA100, WirelessHART, 802.15.4 Thread Border Gateway).
Location; use all 8 spatial streams.
[Figure: 802.11ac channel widths of 20, 40, 80 and 160 MHz; 20 MHz = 75 Mbit/s per channel.]
The efficient use of the XYZ Account RF spectrum still relies on a strong client and requires tradeoffs between competing needs, including:
• Performance
• Long battery life
• Low cost
[Figure: modulation orders 16-QAM, 64-QAM and 256-QAM.]
AP3965i/e (Large venues or stadiums)
XYZ Account's outdoor heavy lifting.
• IP67 / NEMA 6 certified for use in Florida's harsh weather conditions.
• 3 dedicated antenna ports per band, supporting triple-feed and 6-feed antennas.
• Full range of high-performance MIMO antenna offerings for meshing and backhaul services.
4x4:4 (P90X) Venue
This is where Extreme delivers XYZ Account advanced wireless functionality...
• Flow-based Wi-Fi for greater performance and visibility. Role-based grouping of users, devices and applications to deliver priority, QoS and security.
• Fabric Attach mapping SSIDs to VLANs to CIDs at the edge.
• Cloud-ready for zero-touch provisioning (private or public). XYZ Account selects the use case that fits best (OPEX or CAPEX).
[Figure: XYZ Account Data Center: Extreme leaf switching with VMware NSX (App/OS VMs) across Compute PODs 1, 2, 3 ... N hosting HPC, Students and Admin workloads. Extreme + NSX = Network Agility: service velocity and virtual switching.]
AP391x Common Platform
[Figure: common platform block diagram: 4-core ARM CPU, 5.0 GHz radio, 2.4 GHz radio, IoT/2.4 GHz radio, 1 Gbps Ethernet; variants AP3917 (CP), AP3915 (e*), AP3916 (CP, PT), AP3912; harsh temperature 3915e/7632e (-20C to +60C).]
Extended temperature range for Florida's HOT environment. The AP3915 is a derivative product of the AP3912i (uses the Dakota chipset).
• 802.11ac 2x2:2 Wave 2 MU-MIMO
• Integrated BLE/802.15.4
• USB for optional IoT module
SuperSpec
Integration with ExtremeAirDefense: AP39xx as AirDefense sensors.
Integration with ExtremeLocation: retail analytics through AP39xx devices.
[Figure: Complete Policy Control with one SSID across IDF 1, 2, 3, 4 ... n, with per-VLAN traffic shares (VLAN 1 15%, VLAN 2 25%, VLAN 3 10%) routed into the XYZ Account Campus Fabric: VLANs, OAM and an 802.1 control plane with OAM built in.]
How does the proposed integration work? First, we can leverage the power of the existing XYZ Account Palo Alto policy enforcement.
• Enable network-wide intent: when address resolution is finished, the RADIUS accounting message is sent to the firewall.
• Ensure XYZ Account visibility and compliance: based on the information from XMC, the firewall knows the username for the source IP and also the Access Control Profile. The user group can be assigned based on the Access Control Profile.
• Ensure user experience through speed: policy is applied in ASIC hardware, which means Tbps performance at an acceptable price, with many ports. A firewall is software, which means Gbps performance, fewer ports and a higher price.
Key Integration: Palo Alto Networks, Fortinet, FortiSIEM, CheckPoint, IBM QRadar, AlienVault, FireEye, McAfee.
• Roles are business-level groupings built to correspond to specific user types.
• Rules are policies enforced at the port level that decide what types of traffic XYZ Account wants to allow, deny, rate limit or prioritize (no complicated scripting).
• Services are containers of similar rules, so XYZ Account can apply rules in groups rather than as individual components.
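As an added illustration of the Roles, Rules and Services model above and of the RADIUS-accounting hand-off described for the Palo Alto integration (example code written for this page, not Extreme's or Palo Alto's own): it assumes the Access Control Profile arrives in the Filter-Id attribute, and every user, address, port and role table below is constructed.

```python
# Constructed model of the Roles -> Services -> Rules hierarchy, driven by the
# RADIUS accounting data (username, source IP, Access Control Profile) that the
# page says XMC hands to the firewall. Assumptions: the profile arrives in the
# Filter-Id attribute; all sample users, addresses and ports are made up.
from collections import namedtuple
# proto: tcp/udp/icmp; port: destination port, 0 = any; action: allow, deny,
# rate-limit, prioritize or contain. A Service is a container of similar rules.
Rule = namedtuple("Rule", "proto port action")
Service = namedtuple("Service", "name rules")

WEB = Service("Web", (Rule("tcp", 80, "allow"), Rule("tcp", 443, "allow")))
ORACLE = Service("Oracle", (Rule("tcp", 1521, "allow"), Rule("tcp", 23, "deny")))
STREAM = Service("Streaming", (Rule("udp", 0, "rate-limit"),))

# Role -> (ordered services, default action); first match wins, else default.
ROLES = {
    "Faculty": ([WEB, ORACLE, STREAM], "deny"),
    "Student": ([WEB, STREAM], "deny"),
    "Guest":   ([WEB], "contain"),
}

def update_user_map(user_map, acct):
    """Apply one RADIUS accounting message to the IP -> (user, role) table."""
    ip = acct["Framed-IP-Address"]
    if acct["Acct-Status-Type"] == "Stop":
        user_map.pop(ip, None)        # session ended: forget the mapping
    else:                             # Start or Interim-Update
        user_map[ip] = (acct["User-Name"], acct["Filter-Id"])
    return user_map

def decide(user_map, src_ip, proto, dport):
    """Return the action for a flow from src_ip; unmapped IPs are denied."""
    if src_ip not in user_map:
        return "deny"
    services, default = ROLES.get(user_map[src_ip][1], ([], "deny"))
    for svc in services:
        for r in svc.rules:
            if r.proto == proto and r.port in (0, dport):
                return r.action
    return default
def demo():
    """Two constructed sessions, then three flow decisions."""
    m = {}
    for user, ip, role in (("jdoe", "10.1.2.3", "Faculty"),
                           ("guest17", "10.9.0.8", "Guest")):
        update_user_map(m, {"Acct-Status-Type": "Start", "User-Name": user,
                            "Framed-IP-Address": ip, "Filter-Id": role})
    return (decide(m, "10.1.2.3", "tcp", 1521),  # Faculty -> Oracle: allow
            decide(m, "10.9.0.8", "tcp", 1521),  # Guest default: contain
            decide(m, "10.9.0.9", "tcp", 443))   # unmapped IP: deny
```

An unknown Access Control Profile or a Stop message leaves the source IP with no role, so its traffic falls back to deny rather than to a leftover mapping.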
[Figure: Roles (Faculty, Student, Guest; IT Admin, Employee, Guest) are built from Services, which group Rules with the actions allow, deny, rate limit, prioritize or contain: if X + Y = Z then action, then place the user into a defined ROLE. Example services: Oracle, VPN, Admin. Example rules: Allow HTTP, Allow HTTPS, Allow IPSec, Allow SAP, Rate Limit, Allow Ping, Allow Telnet, Allow Email, Allow TFTP, Allow SNMP, Allow Oracle, Deny Blast.]
Security Analytics
• Provide multilayer detection and automation
• Threat management policies
• Geo-location dashboard
• Detect and classify unknown traffic
• Automated threat mitigation
[Figure: WLAN Service policy structure: Default Topology and RADIUS Server bound to the service; a Non-Auth Policy, an Auth Policy and a Timeout Role, each with a Default Action (contain to VLAN), Policy Rules and an Egress List.]
Start Troubleshooting at XYZ Account in the Right Place
Data Sources
• NetFlow
• sFlow+
• IPFIX
• Packet inspection
• External threat feeds
• Alerts from 3rd-party security infrastructure
• DHCP, DNS, AD logs?
Bring Intelligence to the Edge
• Threat intelligence feeds
• Onboard DNS name matching
• East-west traffic visibility
• Redirect suspicious traffic
Infrastructure
Looks like a next-generation firewall across your XYZ Account network.
[Figure: Threat landscape timeline: initial breach, threat undetected, remediation; multi-staged, multi-vector, persistent threat actors, polymorphic malware, security pivot by a bad actor. SOC time to detect and IR time to respond: it is all about time. Logs or events drive StackStorm orchestration. Considerations for decoupling vendor and control: infrastructure, business model, ownership, management, location, orchestration.]
XYZ Account Smart Campus Infrastructure (Great User Experiences, Devices and Things.)
Connected things: HVAC, alarms, access control, video surveillance, SCADA water, LED lighting, intercoms.
Almost all new construction today is designed around the concept of a "green" building. It is essential to ask what additional things in the XYZ Account Campus will benefit from network connectivity. First and foremost, a smart building optimizes energy use.
[Figure: Who is who in IoT? Locationing, environmental and security use cases: kiosks, medical bracelets, smart locks, presence detection, geofencing, alert on out-of-bounds access. St. Petersburg College Services and St. Petersburg College User Repositories or Corporate Control: LDAP, NAC, DHCP, RADIUS, Captive Portal, DNS, MDM; NAC, Analytics, Compliance; Open Control Plane (vs. Closed); AirDefense with 193 signatures against the bad actor.]
Control can run anywhere
• Out-of-the-box, sub-second failover for 1000s of APs and sessions.
• Automatic synchronization of configuration, sessions and statistics across HA pairs.
• Intelligent APs operate independently of the wireless core (survivability in the event of a WAN or DC outage).
Compliance auditing: PCI, HIPAA, SOX, Federal.
WIDS/WIPS
[Figure: Open Control Plane for mobility: authorize, analyze, enforce. Data plane control with security and QoS (L2-L7), analytics and measurements, and policy; flow processing replaces per-packet processing, so the performance bottleneck is eliminated. Sessions, iBeacon and IPFIX feed user experience, QoS and context. Flow-based technology understands the complete network with zero impact on Wi-Fi performance; data, control and management planes are separated, with control for context-driven mobility.]
Fabric Attach (binding VLAN to I-SID) automates segmentation...
• The AP negotiates the topology mapping with the Fabric via LLDP.
• The AP tags traffic VLANs per user policy/role.
• The Fabric recognizes the tagged traffic and maps it to an I-SID for forwarding.
VLAN and SSID independent: manage more with less, and identify multiple devices per port or SSID. This is where XYZ Account can enforce policies on user, device, status, location and time with fine-grained rules.
Actions: allow, deny, contain, QoS, rate limit, traffic shape, log and mirror!
Workflow Composer
Need for Speed: experience matters; it is like going from a hub to a switch. Deliver wireless mobility equivalent to the wired experience.
• Air-to-the-wire and wire-to-the-air: no bottlenecks; we get the Wi-Fi data onto the wire from the AP better than anyone else. Access points include upgraded CPUs, additional memory, additional amplifiers and purpose-built antennas for more predictable RF coverage.
• IP multicasting: contain multicast at the APs, but centralize unicast traffic. Enforcement of security and policy at the access point.
• Over-the-air performance (90K pps) at the AP. {# Tx antennas} x {# Rx antennas} : {# spatial streams}
Security Assisted Networking – XYZ Account Building Blocks?
Threat Detection and Remediation Automated Workflow
[Figure: threat intelligence from a 3rd-party cloud feeds security services and security analytics (policy, visibility, automation), together with SIEM, IDS/IPS and cyber malware tools used by the NOC and SOC, so a bad actor is dropped at the source: comprehensive security intelligence at the XYZ Account network edge.]
Sensing-as-a-Service
XYZ Account benefits...
• Participatory (crowd sensing)
• Reduction of data acquisition (built in)
• Collect data previously unavailable (leverage the smartphone as your sensing assistant)
[Figure: operations cost versus software cost: scarcity has shifted from code to operations; I/O and ports; punch above one's weight.]
Next Generation Secure Automated Edge
Threat indicators:
• Lateral movement
• Port scans and sweeps
• Default credential scan
• Behavioral anomaly detection
• IoT bot
• Command and control
• Malicious DNS request
Security ecosystem:
• Create a stronger security posture
• Edge-to-perimeter coverage: NGFW, endpoint, SIEM
• Leverage their current security devices
• Security information sharing
Why make your XYZ Account network Extreme?
• Augmented security: maximizes ROI on existing security and XYZ Account investments.
• Threat detection and remediation closer to the source, featuring 360-degree security insights.
• Open, multi-vendor and API-driven approach to ecosystems.