catch them with light

I’m a huge friend of network segmentation, no matter if it is done with VLANs or user/device roles. From my point of view it is an easy way to add some security to your network. Well, at least it is an easy way if you automate it and do it dynamically. If you do it manually it takes a lot of time and requires good communication.

One way to automate network segmentation is with a central network policy management system. I used to work with Aruba ClearPass Policy Manager.

A good network policy management system goes unnoticed by the user, which means it can sometimes get complex on the other end, in the backend.

During my pre-sales appointments, whether one on one or at events, I meet a lot of different people who are surely all experts in their individual jobs, but who all operate at a different level and with a different focus.

In an ideal world there is time to prepare for and speak to administrators and the CIO/CISO individually, but in the real world (at least in mine) you either meet them all at one table or you only get the chance to speak to one of these groups.

With my technician’s heart I too often lost myself in details and CLI outputs, and finally felt the need for a different way to visualize how this segmentation thing works.

Inspired by a setup of one of Aruba’s SEs (triggering a smart light bulb once someone connects to a network), I had the idea that a multi-color light bulb would be able to show the authentication type or even the device category.

The smart light bulb of choice was from the Philips Hue portfolio: a smart light bulb controlled by a bridge via Zigbee. My former colleague Sven taught me how to use the Hue API, and we created some so-called Context Server Actions to trigger the lights based on authentication events.

Green light means a corporate device was connected

Blue light means an IoT device was connected

Yellow light means an infrastructure device was connected

Red light means an unknown device was connected

…and so on – I guess you already got the point.
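The glue between an authentication event and the bulb is a single HTTP PUT against the Hue bridge's v1 API, with the hue value chosen from the device category. The script below is an added example written for this post, not the original Context Server Action configuration or Sven's code. Bridge address, API username and light ID are hypothetical placeholders read from the environment; the category names are the ones in the legend above, and any category not in the map falls back to red, matching the "unknown device" case. The hue values for red, green and blue are the reference values from the Hue developer documentation; yellow is the midpoint between red and green.

```python
"""Map a device category to a Philips Hue color and push it to a bulb.

Added example, not code from the original post. Bridge address, API
username and light ID are hypothetical placeholders; the category names
follow the post's color legend.
"""
import json
import os
import sys
import urllib.request

# Hue API v1 "hue" values (0-65535). Red 0, green 25500 and blue 46920 are
# the reference values from the Hue developer docs; yellow is halfway
# between red and green. Extend this map for further categories.
HUE_BY_CATEGORY = {
    "corporate": 25500,       # green: corporate device
    "iot": 46920,             # blue: IoT device
    "infrastructure": 12750,  # yellow: infrastructure device
}
UNKNOWN_HUE = 0               # red: anything that is not in the map


def hue_state_for_category(category):
    """Build the JSON body for PUT /api/<username>/lights/<id>/state.

    sat 254 = fully saturated, bri 254 = full brightness (API range 1-254);
    alert "select" makes the bulb flash once so the event is noticed.
    """
    hue = HUE_BY_CATEGORY.get(category.strip().lower(), UNKNOWN_HUE)
    return {"on": True, "hue": hue, "sat": 254, "bri": 254, "alert": "select"}


def light_state_url(bridge, username, light_id):
    """URL of the light-state resource on a Hue bridge (API v1)."""
    return f"http://{bridge}/api/{username}/lights/{light_id}/state"


def push_light_state(bridge, username, light_id, category):
    """Send the state change for one authentication event to the bridge.

    Returns the bridge's JSON reply, a list of {"success": ...} or
    {"error": ...} objects, one per attribute that was set.
    """
    body = json.dumps(hue_state_for_category(category)).encode()
    req = urllib.request.Request(
        light_state_url(bridge, username, light_id),
        data=body,
        method="PUT",
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Usage: HUE_BRIDGE=192.0.2.10 HUE_USER=<api username> python hue_event.py iot
    # The API username is a credential, so it is taken from the environment
    # rather than hard-coded. Values shown here are hypothetical.
    bridge = os.environ.get("HUE_BRIDGE", "192.0.2.10")
    username = os.environ.get("HUE_USER", "replace-with-your-api-username")
    light_id = os.environ.get("HUE_LIGHT", "1")
    category = sys.argv[1] if len(sys.argv) > 1 else "unknown"
    print(json.dumps(push_light_state(bridge, username, light_id, category)))
```

A ClearPass Context Server Action sends this same PUT, with the category substituted from the endpoint's attributes at enforcement time. Two practical caveats: the Hue v1 API username sits in the URL path and travels over plain HTTP, so treat it as a secret and keep the bridge on a demo or management segment, and check the reply for `"error"` objects, since the bridge answers per attribute rather than with a single status.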

For sure this is nothing for production environments, unless you want to trigger a warning once your manager connects to the nearest access point, but you’ll usually get the attention of the whole audience, whether it is the administrator or the CIO/CISO. If you design your network policies for the demo a bit more open than you would for production environments, ask the prospect to connect their own device – this will prove it is no fake!

If you want to configure it on your own, you can find the HowTo here.
