Sanjoy Dey, VP Product Management, Juniper Networks

Juniper and the Policy of the Future

Summits @ Juniper Security
The still image from the presentation shows host Sanjoy Dey in the bottom right corner. The slide shown from his presentation is titled, “IoT Assurance: Self-Provisioning Portal.” There are diagrams showing user authentication using corporation credentials via SSO. On the right side, there are bullet points describing the Feature, Function, and Outcome of the IoT Assurance Self-Provisioning Portal.

Policy complexity bringing you down? Here’s what we’re doing to help. 

Today, customers like you are facing increased policy complexity and device security concerns, which have emerged from the vast proliferation of atypical devices connected to enterprise networks. Push play to hear Juniper’s Sanjoy Dey discuss how we are taking on these complexities with a strategy and vision for policy, onboarding, and self-provisioning. 


You’ll learn

  • How Juniper is providing effective IoT Assurance 

  • The scoop on the new Self Provisioning Portal for BYOD, including its purpose, intended outcomes, and how it works

  • How Juniper is bringing insight and scale to next-gen NAC with Mist AI

Who is this for?

  • Network Professionals

  • Business Leaders

Host

Sanjoy Dey
VP Product Management
Transcript

0:09 Very quickly, if you look at any enterprise, right, there are primarily four types of devices: there is your guest device, there is IoT devices, you have BYOD users, and then your corporate users. So if you look at, like you know, what we have done as part of the Mist journey over the last three to four years, we have built, like you know, probably the most comprehensive guest solution, and yes, I put in the word captive portal in there. We started with a captive portal. Captive portals are kind of the abomination for guest Wi-Fi, with all the issues around the CNA, the pop-ups not working, etc., but we still supported it. And then over the last couple of years we have built in every single workflow, whether it's around sponsored guests, whether it's around OAuth mechanisms with social credentials, even Hotspot 2.0, right. Like you know, we are starting to see, especially in the retail market, customers starting to pilot Hotspot 2.0, and like you know, we have good support. So we have built out a comprehensive guest solution, right. So what's next for us?

1:22 Let's actually conquer IoT, BYOD, and the corporate devices, our laptops and MacBook Pros, right. And for any of these different types of devices, like you know, what we want to get to is seamless onboarding, unified policy, most importantly user experience, and having good visibility around who are the people, actors, on my network and who may not be sanctioned to be there, and overall stitch it together with a simplified operation story, right.

1:55 So last November we announced this service for IoT Assurance, and there are only a few key things to note about it. This was basically a service that came out of customers asking for a simple solution for headless IoT devices that do not support 802.1X authentication, right, EAP-TLS; they are headless, so they have to use multi pre-shared keys or private pre-shared keys. And what customers were struggling with was, like, in a complex workflows in today's, like you know, RADIUS NAC solutions, to get them onboarded, assign the right policy, do the right kind of traffic engineering. And then most importantly, right, when you think about a distributed enterprise and you are actually thinking about, like you know, potentially hundreds of thousands of these different sensors: in the context of retail networks it could be your food safety, could be your thermal humidity sensors; in the context of the enterprise campus it could be your HVAC and lighting. So all of these different thousands of devices need to be onboarded, and you need to do it at scale. And whatever we do at Mist, obviously one of the foundational things is AI, but the other thing: whatever we build, we do build for scale, right.

3:18 So in a short video we are basically just going to explore IoT Assurance in action, and like you know, what this video is going to demonstrate is our capability to go and, with a private pre-shared key where we use the key as an identity, right, the MAC address is not the identity anymore. Why? Because over the last three years we have seen the Googles and Apples of the world, what they have done with Android, iOS, and random MACs, right. So when the key becomes the identity, how can I onboard the device, how can I assign the right policy, set them up for, like you know, the right, whether it's tunneling or whether it's locally bridging the traffic, and most importantly, how do you provide visibility, right.

4:06 So in this particular example, like you know, org-wide, like you know, we have like thousands of keys that you can create; literally there is no limit to the number of keys. Now keep in mind that all of this can potentially be done natively through whatever we provide, right. What we have done here is given you a portal to look at, administer, and lifecycle manage all of these different keys in a simple, easy-to-use manner with the right set of visibility. So here I'm actually, like you know, honing in: you can have, like you know, the email address or the identity of a user as your key name, right, and with that you can actually go and, like you know, assign the right segment of the network. So this will belong to, like you know, VLAN such and such, and that IoT device will be on a different VLAN, all without the use of any kind of an overlay NAC RADIUS system, right. So over here you see, like you know, VLAN 750 has been assigned to the particular key. The key, again, to stress, is actually the identity, because that is what, like you know, insulates it against your MAC randomization. And then with the role, or with the right, like you know, segmentation, you can decide that these set of IoT devices need to tunnel traffic to an application server, like you know, that is, like you know, in a data center somewhere, whereas the rest of the devices, IoT devices or users sharing the same SSID, could potentially just locally bridge their traffic, right.

5:44 The next important thing is visibility, right: who are the users that are actually currently using that particular key, right. There have been instances where people have actually done pilots, right, and as part of pilots, say I have this SSID, I have this pre-shared key, let me actually go and administer these keys on these few devices. Then I'm done with my pilot, and then I've left those devices, forgotten. That provides a security intrusion threat, right, in your building. So it's very important to have visibility into who all are using that pre-shared key, but most importantly also have visibility on clients that have been registered to use but currently not using that particular key, and that will give you some insights.

6:36 The next thing that is, like you know, important is around administration of keys. So as part of this service we give you the portal from where you can actually look at administering or lifecycle managing the keys. And probably it has not happened to any of you, but in many cases what happens is that we go and rotate keys. So there's, like you know, the left hand not talking to the right hand; someone rotates the keys, and then the result is devices get disconnected. And like you know, we are going to be able to catch that through Marvis, our connection SLEs, but that is actually a real problem, and ex post facto. So what if I could actually give you a very easy-to-administer process whereby, like you know, you go and rotate your keys out without having to touch the end user or the connectivity of the end user? So here I'm going to filter for all of my, like, I filtered on IoT devices, and I'm just going to duplicate that key, right. So I'm going to duplicate that key such that all the connected users are still connected, and then on the original key I can go do my key rotation, right. If I have to change attributes on the expiration or the number of devices that can connect, like you know, all of that is done through this process.

7:58 If you had a question? Do you need anything on the client device that can accept that changed key?

8:08 Today we do, like you know, for any client device management you need an MDM solution, so we are not claiming here to be your MDM solution. But what we are claiming to be is all of your identity vectors, we are going to just manage those, right.

8:28 The point, Keith, is that it is still the enterprise's responsibility to push the new keys to these devices. We're giving an option for old keys to work and new keys to work simultaneously, and showing you visibility of who's hanging on for dear life with the old keys.

8:47 Right, perfect, thanks, thanks Keith. So sorry, just because, are these new different keys or the same key with different properties? It is actually the exact same key. So what I did as part of this process was I duplicated the original key; the client devices are connected to the duplicate key while I go and, like you know, rotate, administer the original key, and then at the right time that particular key can potentially be the passphrase, or whatever needs to change can be administered on the client devices, right.

9:19 From the client's perspective it's still using the same key, and then on the infrastructure it has different properties? That is correct. So the client doesn't care what's... That is correct, yes, the client doesn't care, so this is completely transparent to the client. Okay.

9:32 So connected to the same SSID that supports the PPSK, yes, can, so you can have clients that have different policies and their traffic gets tunneled somewhere, and then you can have other clients that get locally switched? That is correct. On the single SSID we can achieve micro-segmentation through roles, and you will be able to, like you know, tunnel one set of devices. So my Sony IoT devices need to go talk to the Sony application server; I cannot let that touch my corporate network, that can get tunneled. And by the way, our tunneling solution is Mist Edge, a shameless plug over there; Bob talked about it, like you know, it's a wonderful solution. So they are all going to get tunneled to a Mist Edge and the traffic will be dropped at a PoP, while the others will be locally bridged.

10:21 Can you configure that at the WxLAN policy level? Well, you can actually do that just by your network segment. So like you know, you can use VLAN 750 on that SSID for tunnel traffic, you can use VLAN 710 for all your locally bridged traffic. Okay, right. And then the PPSK works with WPA3, is it? PPSK WPA3 is currently a work in progress, and potentially just stay tuned, like you know, we will have an update for you soon. Okay.

10:55 Having a hard time tying this with VXLAN and the policy, so how do you tie...? A great question. So as I was kind of alluding to with April, the cloud is a place where we stitch things together, right. So you might actually have a policy framework for VXLAN using GBP; on the wireless side, like you know, we have WxLAN; on the cloud side the needful stitching goes through and the right policies get pushed out to access points and switches, right, whether it's like an ACL or, like you know, whatever it may be, or a WxLAN policy. So I'm just going to move forward to the next use case.

11:42 And that is around extension, and this is basically your work in progress, to be released hopefully by end of this month. Like you know, if you are familiar with, like you know, BYOD, like you know, workflows, they can get awfully complex, and many times people need simple mechanisms for students in a higher ed, like in a campus, or corporate devices, corporate users bringing their own devices and self-administering, like you know, how to get their devices on the network. So as we were developing the private pre-shared key or multi pre-shared key based IoT Assurance solution, we are extending that, and to be released this month hopefully, like you know, with what we call the self-provisioning portal extension to IoT Assurance. And what that allows you to do is use, say for example, your directory will have the identity of the user, the credential, and it is completely self-administered: a user goes and enters his or her credentials, we are going to do a role lookup, role lookup, like you know, whether it's Okta or Azure or ADFS, and then we are going to get a QR code returned back to the user. The user can just scan the QR code and basically get on the network, right. So we stitched together a demo that basically shows the process through this role integration with Okta.

13:21 So like you know, over here, so this is basically the client onboarding piece, and if I just fast forward a little bit, so as part of your administration, like you know, you are going to provide a URL for all of the users to go and register themselves, right. So that is basically, so we provide you with a PSK portal configuration; this is basically where you provide your IdP information, and then from, like you know, you also will modify the different attributes of that particular PSK, so things like, like you know, if you have to assign a VLAN or you have to assign like an expiration, and all that configuration is out there. So from a user experience perspective, what it looks like is, in this particular case, I'm going to, like, in a URL that has been advertised, this is basically your, Okta is used as a role directory provider, I'm going to go and, like you know, enter my email address over there. The email address is basically the identity of the user on the directory. I am signing in, and once the authentication actually goes through, there's a callback to our portal and we are going to give you a QR code. You can scan the QR code and get on the network, and the rest of the demo covers that. In the interest of time I'm just going to skip this particular demo and move on to the last bastion that we are yet to conquer.

15:01 Right, so we have talked about guests, we have talked about IoT, we have talked about BYOD, so really the last thing to tackle is what do we do, like you know, for corporate users, right. And for the longest time we actually have very good integration with Cisco ISE, Aruba ClearPass, Forescout, like you know, pretty much, or Microsoft NPS, FreeRADIUS, anything that you can think of. Like you know, we have very well documented tight integration of how we ingest Filter-Id attributes from ClearPass into our WxLAN policy, etc., right. But as and when we were building this solution up, like you know, we started to look at, like you know, what is really wrong with today's overlay systems for and RADIUS, and really there are three things that kind of jump up. Number one is deployment and provisioning, like you know, is basically a pain; even if they offer, like, in a software containers, it's rack and stack, virtualization, not quite microservices driven. But more importantly, when, like you know, the examples that you have seen today, there is no single system that is actually correlating data from the edge, the client data from the edge or the client experience from the edge, to what is going on in the rest of the network. So today what we do is we highlight that if a user has had an authentication problem, we will say go check the RADIUS side of the house, right, especially if Wi-Fi or wired is not to blame. But someone still needs to know what is going on on the RADIUS system, and you have to go through log mining and parsing to figure out, like you know, what is wrong and what is broken, and that is basically a pain for the user. And then last but not least, like you know, goes to all the solutions being non-cloud-native, non-cloud-driven; they lack the agility and scale, like you know.

16:54 So in the world of Mist we've actually solved all this problem in the enterprise edge, right. So our aspiration is to really provide, or bring, the same microservices architecture and the AI-driven insights that we have done for network devices and then bring it into the NAC RADIUS market, right. So this is not a product announcement, this is not a launch of any kind, but I'm just going to give you a teaser of what that actually looks like in our world.

17:31 And role, like you know, if you've seen WxLAN, like, it will seem very familiar. One of the important aspects is the policy configuration, right, and what we show in this demo is a simplified, like, in a policy framework, instead of having to go through three or four different tabs, to have simple policies for your wired and wireless devices. Like you know, this is set up like a WxLAN engine, where you have, like you know, your wireless devices that are using EAP-TLS authentication. On the left hand side are all the different, like you know, identities, the different users, and the attributes that will provide rules to match on. So you're going through this list like a regular firewall, trying to find the best match and assign the right set of policies and rules, right. So here we're showing it: so it's a wireless user using EAP-TLS, corporate, like, and you can filter on, like, the subject of a certificate. If the subject of the certificate is this, like you know, I am now going to put that user in that, like, in a corporate VLAN and potentially assign an advanced role, right. Similarly, like you know, I'm not going to go through the whole thing, but if you look at, like you know, we do this exact same thing for wired devices. Like you know, so if you have a, like, a dot1x device, or if you're doing, like, in a MAB, and it's a printer, you will assign it the printer VLAN, right. So this is basically one aspect of what we are bringing to the table. On the surface of it, it is, like, in a simplified policy framework that can be now pushed to the switches and the access points. And by the way, our goal number one is to do this on Juniper Mist devices, and eventually we are going to expand over to third-party infrastructure.

19:30 I am going to go to the money slide here. Like you know, basically this is the bread and butter of where the problems today lie, right, and it is, like you know, this troubleshooting, like you know, what is going on on the infrastructure and the clients and what is going on the RADIUS side. And as I said, April, cloud is a place where we are stitching all of this together, right. So here you are going to basically see that when I've had an authorization failure, like, in an authentication fail, exactly why did the authentication fail? Did your certificate, like, can I have an expired year, was it incorrect, so on and so forth, right.

20:11 Yes, Francois? So the RADIUS server is in the cloud and you're getting all of that RADIUS log into Marvis for... That is exactly correct, right. It's a very resilient, high availability architecture with, like you know, lots of geo-redundant pods that are going to, and I'm probably getting a bit ahead of myself, we will come back and do an architecture deep dive, but to answer your question simply, yes. So we are taking all of the data; the cloud is where we configure, the cloud is where we get visibility, but the RADIUS authentication really happens at a point of presence closer to the user location. Okay.

20:46 Yes? Does this integrate with something like eduroam, so if I've got... It will, different, like you know, eventually that is the goal. Whatever mechanisms we have today, like you know, whether it's Hotspot 2.0, like you know, to be the, like you know, kind of the provider for a clearing house, or, like you know, all of your social credentials, all of that is going to be stitched and come under this umbrella. OpenRoaming, right.

21:17 So, Francois and Raul, what Mist has done to the wireless players in the industry when we started is what we're planning to do, what this is going to do for ISE and ClearPass, right: completely step function change the paradigm of how policy gets administered natively to the systems, and cloud native, right. So, Francois, to your point, the RADIUS server is not in the cloud, the RADIUS server is the Mist cloud, right.

21:54 So anyway, we're not ready for pilots and production yet, but we're excited, we're just showing you the progress we're making. I think we're gonna put the industry on notice when this truly comes out; it's going to be an exciting sort of a turn in the industry in terms of policy. And thank you very much for everybody that are watching the live stream, if you're watching this recording, you know, post process, or for all the delegates sort of in the room. Truly again, as we started, you are part of our extended family; you've really helped us throughout this journey, and you know, I hope what you saw today is very simply a manifestation of our sort of client-to-cloud strategy of continuing to add, you know, breadth and depth in this client-to-cloud journey. And obviously there's a lot more to do, there is a lot more we can do, Everal, to your point, of things we can do.

23:05 So the last thing I will tell you, you know, what is around the corner and what is, you know, exciting as the year unfolds for us, is where does Marvis go. Where we think Marvis can go is: imagine if Marvis had an army of minions, you know, doing things and learning and coming back and reporting and asserting on the network before a user, a single individual user, has to suffer. We believe there is an even better future we could get to: AI that is not predictive, not reactive, but 100% proactive, before users experience a single failure. So there's a lot more we're excited about what's around the corner for us. Think of Marvis with a bunch of minions, you know, checking out the network and validating it for you.
