Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Matt Fowler (00:02):
This encompasses both Access Assurance as well as just the general AI that we have. Machines can automatically collect data instead of reactively collecting data after the fact. If you're always capturing the telemetry, you don't have to ask the user to reproduce a problem because you've already captured the problem.
Michael van Rooyen (00:19):
On today's episode I'm having a chat to Matt Fowler, Director of AI-Driven Enterprise Sales and Engineering at Juniper, for the APAC region. Welcome, Matt. Thank you, Michael. Thanks for having me. No problem at all. Look, welcome to the show. We're thrilled to have you on board. For those who don't know Matt Fowler, a bit of a legend in wireless, a long history from an engineering point of view. To kick things off, could you share a little bit about your journey in the tech industry and what led you to your current role, really driving the AI-native sales engineering play?
Matt Fowler (00:48):
Yeah, absolutely. So I've been in the industry for 18 years now and, throughout that time, actually been heavily involved in the Wi-Fi industry. As you mentioned, I started out as a support engineer, troubleshooting some of the largest Wi-Fi networks globally, so I did that at Cisco TAC, and back then a lot of manual process that's required, getting users to reproduce problems, hoping that you can capture that particular problem, and so I've lived the pain, so to speak, myself. I then transitioned into a sales engineer role at Cisco, which I was in for a good seven, eight years, and then, at that time, I had worked with Sujai Hajela and Bob Friday and Sudheer Matta and Tom Wilburn. Sujai and Bob started a new company called Mist Systems. When they were ready to expand, I was fortunate enough that they approached me and took the gamble, so to speak, but you know, with such industry veterans, the gamble to join a startup I felt was quite a low-risk one. Yes, just because of their track record and how good they are as people as well.
And so in 2018, I joined Mist Systems as a startup alongside Zohar Cohen here in Australia, and we were very successful very quickly here with a very large retailer and also a large bank that moved across to us. And then we were acquired by Juniper and been on that journey for the last five years, bringing in the Juniper Enterprise product into the Mist cloud, and that's been extremely exciting as well, and then building my own team around that as well. So when I joined Mist, that was as an individual contributor, and then, since joining Juniper, I've been able to build my own team, a great team across Asia Pacific, which has been exciting as well.
Michael van Rooyen (02:39):
Yeah, great, great. I remember you were a bit of a Cisco veteran and you've been dealing with wireless, as you say, for a very long time. And I remember hearing, and obviously dealing with you when you were at Cisco, but then hearing that you'd left to join this company called Mist, and I think a lot of people were like, well, there's got to be something for Matt to really take this seriously. And of course, it's many years along the journey now and quite a lot of innovation happening in the Mist portfolio. What I really wanted to talk to you today about, knowing your technical skills and capability and what you're dealing with, is really around NAC, right? So people, you know, have been using network access control for a long time. There's a lot of evolution in that space and I know Mist and Juniper have really created something a little bit different in the way to approach that. So if we don't mind, we spent a little bit of time this morning just talking around, you know, some of the things you guys are doing in that space, and if we just run through a couple of scenarios and bits and pieces, that'll be great. If you think about in today's context of, you know, dynamic and digital environments.
Matt Fowler (03:31):
You know, how's the role and the strategic importance of network access control evolved over what you've seen over the years and what you guys are doing? I think a good way to answer that would be just to look at, maybe, the history of network access control and where it came from, what it's been used for in the past, and then maybe touch on where it is today and where it's going. So when I think back to those 18 years ago, we're talking about products like Microsoft IAS, which became NPS. We're talking about Cisco ACS. Primarily back then it was all about authenticating users onto the Wi-Fi network to generate a key for WPA. With WPA you have personal, pre-shared key, you have enterprise and 802.1X. In order to generate the pairwise master key, you need to do some type of authentication, and so it was very important in Wi-Fi just to generate that key. That was then used for the encryption. In the wired network, pretty much no one used any type of network access control, right? You could walk into any business and you get past their physical security, and that could be as easy as tailgating someone. You plug into a network port and you've got complete access, and in a lot of organizations you can still do that today. But yeah, I think in the very early days it was really around how do I generate a pairwise master key for my Wi-Fi access?
And then, as time went on, you started getting things like guest access, right? How do I allow guest users into the network? How do I onboard them easily? And in the enterprise products, you know, a local Australian company, Amigopod, which was acquired by Aruba and then became part of ClearPass. It was that captive portal guest access that was important. And then you started to get products that combined these two things, and so I mentioned ClearPass. Cisco had the Identity Services Engine, and then you saw things like posturing start to come into network access control. How can I ensure that my endpoint devices are in compliance with firewall being enabled, antivirus up to date, those types of things?
And then what we kind of saw was that, you know, having a single box that can do everything starts to become bloated, and then when you're wanting to scale that up or handle high availability, it becomes extremely complex to have those boxes that do everything. Also, you can try and do everything, or you can try and do a couple of things very well, and so one of the things we saw around posturing is, with the explosion of BYOD and mobile devices, Android and iOS, mobile device management became a specialty, and so suddenly posturing became something that was a bit separate as well.
If we look at today, I think a lot of organizations are much more aware of securing that wired network as well. Yes, particularly with one of the major vectors for cybersecurity attacks to be inside the organization, whether that's malicious or unintentional, and so being able to segment your network becomes very important. You can do that statically, but that involves a lot of overhead, introduces potential for human error, or you can let NAC do it, and NAC can do it dynamically, based on who the user is, what device they're on and a whole range of other things. What level of access can you provide to the network? And that's a real big use case for NAC on the wired side of the network. You touch on a good point.
Michael van Rooyen (07:00):
Over the years that I've been working with customers and consultants in many different flavors, you're absolutely touching on a really good point. People really adopted for wireless and it was so hard to, everyone always had the vision of let's secure everything, but it was really cumbersome, as you just touched on. You know, there's lots of manual ways to do it and sure it would work but, as you said, needs a lot of overhead, and then devices disappear from the network and devices are replaced. It really becomes a big overhead task, right? Right. But now we also, and we'll talk a bit later about, you know, some of the more IoT use cases and this continuous explosion. So the systems you're talking about, talk about ClearPass. You talked about Cisco ISE or Identity Services Engine. Those really were originally built many years ago as real on-prem type scenarios, right? So, you know, water, feed servers, configure them, do all that heavy lifting, which is pretty traditional networking and space. So what have customers in the past, or your experience, you know, seen with the primary challenges they have with on-prem NAC deployments, especially in terms of scalability, flexibility, maintenance, all those? Can you talk a little bit about the current state of people's way they do it on-prem today?
Matt Fowler (08:00):
Yeah, I think this definitely impacts organizations differently depending on their size, right? So for the small to medium businesses, they're very complex, and so you need to have someone that is skilled in being able to configure and manage them. The medium to the large end, the issue is, as you said, with scale. You basically have to run a cluster of these devices, whether it's ISE or ClearPass, and quite often they'll take on different personas. Understanding the requirements around authentications per second, understanding total number of endpoints supported, latency and throughput requirements between these nodes. The design work before you even get to deploying is quite significant. There's hundreds of pages of manuals on just designing these on-premise NAC deployments. So I think that's number one. The design can be quite challenging and complex.
Number two is around, kind of related to design, but around the scaling. So how many nodes do I need? How do I handle redundancy? How do I handle load balancing? So now you need things like RADIUS load balancers as well, and that's additional complexity. And then, once it's actually deployed at large scale, you're basically deploying your own private cloud for these network access control systems. But once it's deployed, you're then having to maintain it. When it comes to troubleshooting, quite often the logging and the visibility is completely independent to the network logging and visibility. So you might have a platform that provides visibility into the user connectivity state on the network, but if they have problems authenticating you'll often have to go to the NAC server to actually look through logs and find out why a user is not able to connect to the network. So they're a bit disjointed. And then if there's an upgrade or a patch that's required, because it's a distributed architecture, it can be quite tricky in terms of having the maintenance windows and upgrading all of that equipment that's on-prem.
So it really comes down to designing for scale, designing for redundancy. How do you handle maintenance and patching? This becomes a not-the-vendor problem and then therefore it becomes either the integrator and, at the end of the day, the end customer, because even if the integrator is doing it, the customer is paying for it. That's right.
Michael van Rooyen (10:19):
Let alone some of the licensing constraints, right? So there's lots of tiers of licensing and certainly that's understandable from the use case they're trying to solve. But we've seen over the years lots of changes in that space for what the licensing was and different versions of it and keeping that up to date. And we've seen customers, and no doubt you've seen plenty of it as well, where the on-prem stuff is working, it gets configured, gets deployed. You go to that whole phase of building. Customer solves their problem by at least having some sort of security mechanism in place and then it gets kind of forgotten about. Right, it runs and runs and runs. They don't necessarily keep an eye on patching and updating, which becomes a bigger business problem later from a security point of view. And then they've got to jump multi-levels, which is just this extra complexity which you're talking about, which is now we're going to do a multi-phased upgrade. Hardware needs to be refreshed at some point. All these common challenges that we've seen for a long time, which is obviously why a lot of customers are moving to cloud. Just adding to that is really the industry needed a different type of thinking on this, and one thing that Australian listeners will like is I always have this thing about don't get knackered with all the stuff you've got to do to fix up NAC, right, which really puts you in a jam. Looking at the Juniper, I think it's called Access Assurance, cloud-based NAC effectively, which integrates deeply with the Mist AI and the development there. Can you just tell the listeners a little bit around what the Access Assurance cloud is?
Matt Fowler (11:34):
Yeah, so we've really focused on addressing those problems with more traditional on-premise NAC approaches by treating NAC as an application inside of our microservices cloud. It means that we get all of the same benefits that we got for wireless LAN controllers when Mist started, is now coming over to NAC as well, and so what this means is our customers don't have to worry about scaling up or scaling down the NAC service, because we do that as a service. It also means that from a high availability perspective, we take care of that, and we take care of that in a global sense with geo-redundancy as well. So even if you're a multinational company and you've got sites in different parts of the world, we will actually automatically load balance, route the authentication to the closest authentication server globally, and you don't have to even worry about that, like we do all of that. Our auth acceleration service scaling redundancy is a big one.
Also, we've simplified the configuration. This is a lot of feedback that we get from our customers about our user interface in general. There's two ways to think about simplification. You can have simplification by just getting rid of a whole heap of features, but you can also have simplification by thinking about the actual flows that administrators use when doing their configuration. A lot of feedback that we get is it's really great that we have everything in one place. I don't have to go click here, click there, click there to do something. It's all in this one place. We've done something very similar with Access Assurance by leveraging concepts that we already use in our dashboard, like labels, and applying that to policy. Now you'll actually see that, you know, if you're coming from an ISE or a ClearPass deployment, it's all very familiar. You know, you have your match criteria and then what you want to do. But also, if you're an existing Mist customer, you'll find that the UI is very similar to, say, our WxLAN policy, and that makes the learning process a lot easier as well.
Also, being cloud, and the fact that a lot of identity stores, a lot of customers are moving to cloud identity. So, away from Active Directory and maybe more to Azure AD or Entra, or maybe they're using Okta or Ping Identity, having a direct cloud-to-cloud OAuth authentication, you know, it just makes sense. If you're moving your identity to the cloud, you may as well look at moving your network access control to the cloud as well.
Michael van Rooyen (14:00):
Fair enough too, and what the team at Juniper did is really build on that. As you talked on the microservices architecture, so being able to add this type of service to the environment well integrated, not another product trying to be bolted in. It was created from scratch and the whole premise was solving these common challenges that people have with on-prem equipment, you know, water, maintain and feed, plus all the complexities of how to build those systems. And why do we move that to the cloud as part of our portfolio or the Mist portfolio, to provide that in customer experience?
Matt Fowler (14:25):
Yeah, we really wanted it to be fully integrated into the microservices cloud, not have it as a standalone product, so that, when it came to understanding user experience, you get the full view. You get how did they connect to the network? Was it successful? If it wasn't, why? All inside the one user experience or admin experience. And so it was extremely important for us not just to come up with a NAC product, but to come out with a service, and that's why it's called Access Assurance Service, because it's just another service inside the Mist cloud. Nice, nice.
Michael van Rooyen (14:58):
So off the back of that, it's great. You talk about user experience, which I know is critical for what Mist is trying to offer. But if we take a lens on NAC, user acceptance is crucial for NAC deployments. You know, if you can't connect, I think you're the one who said to me once that people who have two problems with wireless, they can't connect or have a bad experience. So, talking on that user experience, for it to be substantial or be comfortable, how does the Access Assurance make sure that troubleshooting and remediation of access issues are both smooth for the user and the help desk? Absolutely.
Matt Fowler (15:25):
From a business-as-usual perspective, the experience that the user should have when things are going right should be no different. Moving to the cloud should have no consequence for the end user, and that's what we see. Whether you're using a RADIUS authentication to an on-prem or RadSec secure to the cloud, it's basically the same. So, from an end user perspective coming into the office or the school or the university or the hospital, it's the same experience. Where it differs is if something goes wrong. Let me step you through, thinking back to my days in support. What would a support engineer have to do if a user can't connect to the network? Quite often you would have to start a debug or start logging. You would then have to ask the user to reproduce a problem. So, straight away, the user's experience is now poorer. They're now having to help you fix your problem. That's right. Then you'd have to hope that they actually were able to reproduce. Because you're dealing with laptops, smartphones, tablets, now IoT devices, it's not guaranteed that you're going to reproduce every problem, particularly if it's like a roaming problem, for example. These are very difficult to troubleshoot. So I remember just that data collection would take days sometimes, lining up schedules and everything like that, and the end user is probably busy with their day-to-day job.
Michael van Rooyen (16:42):
They might be in the retail floor, they might be doing something else. That's just taking the time up, is a painful exercise.
Matt Fowler (16:47):
Correct. And then you, as a support engineer, need to look through all of that logging. Maybe it pinpoints to an individual client issue and maybe you need a packet capture. So now you need to go back to the end user and say, can you just give me another hour or two, we'll capture this together. And so what could be a very simple problem to solve actually becomes a very difficult and long problem to solve just because you don't know where to look and you have to do all of the analysis.
What we do differently, and this encompasses both Access Assurance as well as just the general AI that we have inside the Mist product, there's a lot of things there that machines can do very, very well, right? Machines can automatically collect data, right? So instead of reactively collecting data after the fact, if you're always capturing the telemetry, yes, you don't have to ask the user to reproduce a problem because you've already captured the problem. Then, when you look at what is AI very good at, it's very good at finding patterns in data. Humans can be quite good at that too, just a bit slower, whereas machines can be very fast at that pattern recognition, and when you're looking through logs or debugs of problems, that's really what you're just doing. You're looking for patterns, because when it works, you know what it looks like, and if it doesn't look like that, it must be something that's going wrong, and so the Mist AI, Marvis, can do that very efficiently and very quickly, and then, if it does pinpoint to an actual authentication issue, so the user entered the wrong credentials, certificates have expired, the external directory source denied the authentication, having all of that for the AI to have access to means that they can not only identify the issue, but also what's the cause of the issue as well, and so I think that's a big differentiator for Access Assurance.
Michael van Rooyen (18:31):
Yeah, well, that's massive, right, and users, rightly so, don't necessarily understand the technology. They just say I've got a wireless problem, right? From what I've seen, and I think you've shown me, is the ability for it to also give you a suggestion. Look, pulling that packet capture apart, actually making a suggestion on why it's failing. So quite amazing shift and end users are, you know. If I think about it.
Matt Fowler (18:48):
When I was doing support, you know, I had to be an expert. I had a CCIE Wireless because that's what you needed to do to look through.
Michael van Rooyen (18:55):
You needed
that level, correct?
Matt Fowler (18:58):
And I think Marvis really has three personas, right? It's got its Marvis Actions, which is more about alerting and alarming, but with using the AI to remove false positives. It does time series analysis to understand deviations from normal, and so that removes false positives. We've got our latest one, which is Marvis Minis, which is basically a digital experience twin, so even when users aren't in the network, it can actually do testing to validate user experience. The one that really helps help desk is the conversational assistant, so instead of needing to be a CCIE Wireless, you can just ask a natural question, right? You can just say what's wrong with Matt's iPhone and it'll actually suggest what is wrong. If they're having an authentication issue and it's because they entered in the wrong password or their certificate's expired, it'll actually just tell you that and it'll tell you how to remediate that as well. If you wanted to look across the entire organization, just say something like who are my unhappy users. Being on the help desk, you don't necessarily have to be an expert. It's your digital guide to assist you. As a non-expert, it can be the expert for you.
And actually I was just listening to a podcast with Sam Altman from OpenAI and he mentioned something that I thought was quite insightful, talking about AI and how it will reduce the workforce, and he thinks of it not as reducing the workforce and taking away jobs, but breaking it down and it being able to remove tasks. So, whether it's a five-minute task, a 10-minute task, an hour task, yes, and then that means that the person doesn't have to waste that time. You still need the person, of course, but all of those mundane time-consuming things can be automated.
Michael van Rooyen (20:41):
I couldn't agree with you more. And there's a, I guess, as the explosion of, you know, a chat came along in 2022. People are now getting their head around it and, you know, for me, AI is lots of acronyms for it, but, you know, augmented intelligence is one that stands out to me. The mundane tasks are speeding up, in your instance, with not only Marvis. Conversational troubleshooting, not in their deep skills, first of all makes the customer's experience better, as quicker resolution must be a huge benefit in cost reduction of support staff being able to resolve tickets quicker. The other part is that, if we talk a bit more about Marvis Minis, you know, that was, I think, only announced about a month or so ago, being able to digital twin or rerun the scenarios of the network on an ongoing basis. That's like kind of having a team of engineers continuously testing, looking all the time, which I think was the cover idea. Can you tell me a little bit more about that?
Matt Fowler (21:24):
Yeah, so at the moment we do testing for things like DHCP, ARP, DNS and application-based testing. For authentication testing, because, for example, a lot of it uses, you know, EAP-TLS, so you'd be doing certificate-based testing, it's a little bit harder to do. It is something that we're exploring doing as well.
Michael van Rooyen (21:43):
You talked about, you touched on IoT and, obviously, the amount of data ingested. So what are you seeing in relation to how is Access Assurance going to facilitate the onboarding of this continuous explosion of IoT devices into the enterprise?
Matt Fowler (21:55):
I guess one of the challenges with IoT devices is a lot of them don't have 802.1X supplicants, so you can't actually even do WPA Enterprise, and so you have to look at using pre-shared key. This is if they're wireless Wi-Fi devices, right? If they're Wi-Fi IoT sensors or devices or things, then you'll need to use pre-shared key. The insecurity is right in the name: shared. Correct, correct. And so one of the things that we do with a sub-component of Access Assurance, which is called IoT Assurance, is we can do something called multi-pre-shared key, where you can have the same SSID, which is important from a performance perspective, because in Wi-Fi each additional SSID adds overhead, so you can't just add a separate SSID for each IoT device or category of device, and so we can be efficient by having a single SSID but still have the security by having a different key for different types of devices on that SSID, and so that gets rid of the shared component of pre-shared key.
What we can then do is, based on the key, we can do segmentation. So that segmentation could be a different VLAN based on the key they have. It could be applying a WxLAN policy, so filter traffic. It could even be what we call a personal WLAN, where you just completely isolate it. It means that those common vectors for attacks in IoT devices, which would be east-west attacks, right, you get in to the IoT device and then you spread out. That attack surface is minimized by having segmentation. That can be done through this IoT Assurance service. So that's where we're seeing that.
We're also actually seeing that similar technology being applicable to BYOD as well. It's for a little bit of a different reason. For IoT, the reason is because they don't have 802.1X supplicants, but your iPhone, your Android device, they do. The challenge in the past, though, has been the onboarding of those .1X profiles to those devices. If they're personal, if they're corporate-owned, you just put MDM on it, and that's the best solution. But for personally-owned devices, you may not want to, or you can't afford to, put MDM on all of those devices, and so the approach in the past would be let's have the NAC do that onboarding of those profiles, and I think anyone that's listening, that has been through this process or deployed this before, knows that when a new iOS or Android version comes out, that breaks. Now, the MDM vendors are very quick to update that, but the NAC vendors not so much. Yes, I think we've all been there.
Michael van Rooyen (24:27):
Yes, exactly.
Matt Fowler (24:28):
And so this ability to do these multi or personal pre-shared keys we're seeing is a big transition for BYOD. The fact that our IoT Assurance includes BYOD onboarding, where we can actually authenticate the users via SAML SSO, to then generate a key that they can then click and install on their personal device, is a much simpler and therefore less risky way to handle BYOD as well, and actually there's an Australian company that was an early adopter of this. It was actually a law firm down in Melbourne and they for years suffered with this problem of the onboarding of BYOD devices through different iOS and Android versions, and they've deployed this IoT Assurance for their BYOD devices and haven't looked back.
Michael van Rooyen (25:17):
It's been really great for them. That's awesome. So there really has been some thinking there around IoT device. Right, we can see this continuing explosion, but I really like the multi-pre-shared key. It really sorts a simple problem for customers today, right, and you're thinking there around IoT, so really, again, that identifying the device is really the key. Right, you just touched on a law firm there as an example. Can you share an example? And certainly no need to name or share many customers, but can you walk us through any organisations you've seen, you know, move from a traditional on-prem NAC solution to a more flexible, fibrous approach, and were there any lessons learned from that?
Matt Fowler (25:48):
So we've had a very large school district that went through that migration. They were migrating from an on-prem NAC solution, experienced all the challenges that we've already talked about before, right, scaling. If you think about a school, let's talk about scaling NAC. There's two vectors: there's total count of users, but then there's also the authentication rate per second. And if you think about a school, everyone comes to the school at the same time and so everyone wants to connect to the network at the same time. And now if you've got a district of schools, all of those schools, all the students, are all trying to connect at the one time, and so you're actually scaling for the worst possible scenario, but you have to. That was one of their challenges. How do they scale? And therefore, because of that scale that's required when it comes to maintenance patching, you mentioned it before, if patching is too complex, people just don't patch, yes, and then they're open to security vulnerabilities, and that's what this customer found as well. And then they also saw that the complexity of the configuration just didn't make sense for a school.
They migrated over to our Access Assurance service. By moving to the cloud, it meant that those problems went away. So you don't have to worry about scaling anymore. You don't have to worry about redundancy anymore. You know, we take care of you. The fact that they were already a Juniper customer meant that the telemetry and visibility inside the Mist dashboard now included the NAC side of things as well, so you can see, you know, why users are failing to connect, if they do. You know, they saw the benefits that they had from Mist in general now applying to their NAC, which was something that they saw was quite valuable.
Another example that we've seen is from a customer that had a mixed environment. Because they were going through a transition, they decided to move to Juniper Mist, but they still had a lot of sites running their incumbent vendor, and so one of the great things about Access Assurance is it also has third-party support. With Juniper devices they'll just build a RadSec connection to our Access Assurance service, but with third-party devices they might not even support RadSec, and even if they do, provisioning the certificates to those endpoints can be challenging. So we have a very elegant solution where we can use our Mist Edge product as a RadSec proxy with our incumbent vendor devices, the third-party devices. They just point to Mist Edge as a RADIUS server and Mist Edge will proxy the RADIUS inside RadSec to our cloud, and so that helps with migrating as well.
Michael van Rooyen (28:15):
That's very cool. So what that really means for the listeners is really, if you're wanting to take advantage of all the benefits you talked about moving to the cloud, you have an existing network and you want to move to a cloud-based NAC type service that solves your problems, keep your existing environment as it is. You don't have to have Juniper end-to-end. It is really giving you that advantage to secure or authenticate people on your network via proxy using your cloud service. That's brilliant. Coming to the end of this episode, I thought, Matt, this doesn't have to be a Juniper-specific related question, and I know you've been obviously very related to wireless for a very long time, but a real general question for you is, you know, what is the biggest technology change or shift that you've personally been involved with? That's just an open question.
Matt Fowler (28:51):
I like to ask my guests. I mean, for me it has to be AI, and so I think the biggest transition, we're living it now, and sometimes when you're on an exponential curve, it's hard to understand the change that's happening.
Michael van Rooyen (29:04):
Yes, that's
true.
Matt Fowler (29:05):
At Mist and now Juniper Mist, we've been doing this for now six, seven years and over that time, just to see the impact that just being able to collect the right data, analyze the right data and give insights into that data, that alone is mind-blowing for a lot of organizations. What AI can then do on the top of that, around removing false positives, assisting non-experts, I think we're really just at the starting point of that and I think, as we're seeing industry-wide the rapid pace of innovation and the push towards AGI, I think this is an extremely exciting point in the industry.
Michael van Rooyen (29:46):
I completely agree. Take all this time to build this plumbing, this infrastructure. Networks evolve. We've all evolved as an industry and you're right, when you're actually going up as part of the curve, you're not really looking behind you. Seeing how far we've come and how it's compressing, it is impressive and I completely agree with that, while we're seeing the shift. Matt, thanks for your time, really good to see you again and appreciate it. Great. Thank you.