Alcatel Lucent Enterprises’ unified access solutions improve network security with dynamic macro- and micro-segmentation. Users or IoT devices are authenticated at the point of connection, the switch port or SSID, and they are matched with a profile based on their identity. This profile determines the virtual network segment, the VLAN or VPN, that the device is mapped to (the macro part) as well as the set of security and QoS policies associated to their role (the micro part). This mobile security perimeter follows users and devices as they connect, disconnect, move, and re-connect throughout the network. Communication between different network segments, when necessary, is controlled by a firewall. Communication within the same segment is controlled by the security policies attached to the profile.
These two segmentations combined limit the damage that cyber-attacks can cause if they do manage to infiltrate a network. Whilst macro-segmentation can prevent the spread of threats from one network segment to another, guest to employee Wi-Fi for example, micro-segmentation prevents lateral movement within the same segment, an illustration being from one IoT device to another.
OmniVista Unified Policy Authentication Manager (UPAM) makes identity-based policies possible at the access layer. For the firewall to apply identity-based policies to cross-segment traffic also, the user identity must be known to the firewall as well. Whilst not ideal, users can be forced to re-authenticate, through a captive portal at the firewall. However, IoT devices are unable to do so. How to apply role-based policies to both users and IoT devices? The solution is to integrate OmniVista UPAM with the firewall for transparent single sign-on to both. Through this integration, we can achieve seamless identity-based on macro- and micro-segmentation.
To learn how to integrate OmniVista UPAM with your firewall, please refer to the application notes below which describe the procedure for Palo Alto and Fortinet. Integration with other firewall vendors is also possible using similar mechanisms.
