Nile presents a networking architecture in which security is built into the fabric itself rather than bolted on as an overlay. It features identity-based micro-segmentation, continuous verification, and autonomous operations, and it eliminates lateral movement of malware by denying all traffic by default and allowing connections only on the basis of authenticated identity and policy rules.
🔴 WATCH LIVE: Nile Presents at Mobility Field Day 14 #MFD14 #TFDLive
Hey everyone, welcome back. We are continuing day three of Mobility Field Day 14. We are once again honored to be speaking with our friends from Nile. One of their very first public presentations was here at Field Day, and we've continued a long tradition of bringing them back so that they can give us updates on some of the cool stuff they're working on. We've seen the development and evolution of their platform as we go along. And honestly, I just occasionally drop by their offices when I'm in Silicon Valley with a spare hour. So, not as often as I would like, because spare hours are hard to come by around here, but that's because we pack all of these events with such great content that we don't want you to miss any of it. And we're so very happy that you're joining us online. We've seen a lot of commentary happening on our YouTube channel. One of the things that we started doing this year is streaming live on YouTube. So go to youtube.com/techfieldday, join the live video and leave a comment. Provide your perspective.
I'm sure that the folks here would love to hear it, because they'll relay it into the room. Also, you can check us out on LinkedIn Live. We'd love to see you over there watching the video and leaving a comment. Lots of great interaction there as well. We've had some great folks joining us there like Jeremy Rain and Jake Snyder and many, many more. Also Techstrong TV, techfieldday.com. If you want to watch us in a Vimeo player, techfieldday.com is the best place to go to learn about who is here around the table. If you're a company that wants to participate in this event, we would love to have you. If you go to techfieldday.com, there's a link for sponsors, and it says "click to become a Field Day sponsor." We'd love to get in contact with you so you could be up here just like our friends from Nile. I'm actually going to step out of the way so that our friends can take it from there. If you have any comments, please jump on social media and use the hashtag MFD14.
That is the way you get noticed by all of our folks here, and they'll relay your question into the room. But for now, we have an hour and a half with Nile, and we've got some great stuff headed your way. Sesh, are you ready to go?
>> Yep.
>> Come on up, sir.
>> Hello everyone. I'm Suresh Katukam. I'm one of the co-founders and chief product officer at Nile, and I'm joined by two of my colleagues, Deepen W and Shimra. They'll be introducing themselves. So, delegates, first of all, thank you. Thank you for your time.
Thank you for your insights. We learn a lot from you. It helps our roadmap and our technology. So we welcome all your questions, suggestions and inputs along the way. We'll also have a 30-minute closed session, so we can go much deeper into any of the technology questions that you may have. Thank you to everyone who is watching live on the web. And let's jump in. You know what you see on the slide? It's a bold claim.
The world's most secure network, delivered as a service. Two halves. The first one is what we do. The second one is how we deliver it. And the "how" part is where the industry stops short. As we go through the architecture, you will see why we claim that. The architecture is built to deliver what we call built-in, identity-based micro-segmentation with a single pane of management. You will see why we make that claim as we go through it.

Let's get into the details. What we'll do is give a quick snapshot of Nile. Some of you are familiar with it, and we'll give an update for the folks who are familiar with it. But more importantly, we'll talk about mobility security, the gap that exists in the industry today. After that we'll talk about what a built-in zero trust architecture means, as opposed to a bolt-on architecture. And then the fun part starts, where we'll have six demos for you talking about identity, policy, containment, as well as trust circles.

With that, here is a quick snapshot of Nile. The company was founded by Pankaj Patel, who is the CEO of the company, and John Chambers, who is another co-founder of the company. Pankaj was number two at Cisco, chief development officer. He had 30,000 people, and all the products from Cisco came from his organization. John, ex-CEO of Cisco, needs no introduction. Shri Hosakote was an SVP/EVP who built large-scale products powering the Googles and Facebooks of the world. This team didn't come here to build a better Cisco. We felt the campus network really needed a complete overhaul, especially around security and operations.
So in terms of numbers over the last three, four years: we're in the Gartner Magic Quadrant, we are a Visionary in Unified Wired and Wireless LAN, and we are also present in Infrastructure as a Service. The reason we started the company is to really change everything that we have done over the last 30 years. We've been doing it exactly the same way, better and better, but it really fundamentally did not change. I'll give you an example: we do not have any configuration documents for our access points or switches, even within our company, not just for you. Multicast runs when you need it. If you think of all of these, this led to more than 60 patents, and we're in 30-plus countries.
We're in 30-plus countries, and the solution scales to a single location where you have 200 to 200,000 users. In terms of campuses, we built large-scale campuses and deployed them, 40-building campuses, and we are present across 12 verticals. So it's not just meant for a single use case: small, medium, large, across many different verticals. And as you go through it, you'll see what "secure first, connect later" means, right.
All right. So, Nile, what do we do? We deliver a fabric. When we talk about the fabric, we're talking about the hardware, the software and everything that's inside the campus. It delivers data-center-class security. What do we mean by that? You get micro-segmentation, identity-based micro-segmentation, with built-in policy and the fine-granular controls that you need. The second part is hands-off operations. This is a critical part of it. This is why the architecture is built to deliver hands-off operations. You don't own the operations; we do it for you. That's the key.
You own the control. You have the policy. You have complete control and visibility. We take care of all the operations.
Software upgrades, security patches, end of life, end of support, tech refresh, anything. All of that is owned by Nile as part of it. And we'll give further clarification, but more importantly, think of it like AWS, think of Salesforce: you consume, you have control and visibility. The underlying part of it is managed by the provider.
That's how we deliver our service.
And in terms of agility, how many of you have heard of Project Glasswing or Project Mythos, right? When you think of that, we all know that vulnerabilities will exist in the networking infrastructure. They talked about thousands and thousands of vulnerabilities in the infrastructure. Vulnerabilities are going to happen, but are you ready to take care of those? What it means is: how fast can you respond whenever a vulnerability is found? You need to patch the network infrastructure very fast, probably within a few hours, and today's mechanisms do not allow you to upgrade your software very quickly. The validation, configuration, backup, interoperability, everything takes weeks, if not months, and in many cases more than months. We are delivering all the software upgrades and security patches like a SaaS.

Here is the architecture. If you look at it, it's a single architecture that works across all of our verticals, whether you're talking about higher ed, healthcare or a distribution center. We have a single architecture that works across all of our verticals. The fabric includes the access points, the switches (access switches, distribution switches, core) as well as the edge, where you can terminate the internet links directly on Nile. This is a single unified entity, and it communicates with the cloud, where the data is coming in real time, and our AI is constantly monitoring, managing and fine-tuning the network. On the left side you see the Nile portal. This is the portal that the customers or the partners can log into and see anything that you need to know about the network, the devices or the security policies. You control the intent; you provide the intent through policy. And you can do the integrations with all the tools that you have, so you don't necessarily have to log into the Nile portal; you have integrations with anything and everything that you can think of.

On the other side of it you see Nile autonomous operations. This is what the Nile architecture is built for. We have hundreds of customers in 30-plus countries without people monitoring the networks. We are talking about business-critical networks. The reason is, while everyone is talking about self-driving cars or self-driving networks, we are already delivering autonomous operations. And the proof is, when we think of the service, we are guaranteeing the service at every corner of your building, every corner of your site. We guarantee the network is up and running, you have five-bar Wi-Fi coverage, you have the capacity. If we don't meet our commitment, we have the financial liability. So this is not just a claim; we have financial guarantees behind our claim.
>> How many times has a customer been able to take advantage of that financial claim?
>> Sure. So over the period of the last three years it happened once, where we took the SLA hit and provided the credits.

So the question keeps coming up, especially from folks who have been in the industry for a long time: what do we do and what does Nile do? Let's clarify that. We take care of day zero, day one, day two operations from the backend perspective, but the planning and the designing happen by you guys. You know planning is the most important part when it comes to wireless. So that is done by you guys. We have a tool called NLab that we give you, and you can use the tool to do the planning. Once the planning is done and all the information, the site survey, is entered, we take care of the network architecture, network design, bill of materials. That's fully automated, because we have a single architecture across every customer. The deployment is the customer's or the partner's responsibility. Once it is deployed, the entire setup is your network; you control how it should behave. The behavior is controlled by you, not by us. Just like when you think of the cloud, you have the VPC and you control what happens inside the VPC. So you control how the users should get on the network, what kind of authentication and access mechanism they need, what kind of policy, who is allowed to access what, who can talk to whom. The integration is completely done by you guys, and the first line of support is done by the customer or the partner.
Everything else, whether software upgrades, security patches, keeping it compliant, the security posture, all of that is Nile's responsibility.
Any questions?
>> So on the wireless part, do you provide design services, or is it just configuration?
>> So for the wireless part, you provide the SSIDs. You don't have to think of the APs and the switches, the ports, even the switches. You say that I want employee access throughout my building, guest access only on my first floor.
>> So what's your approach, like send somebody on site, they do a survey, validate, identify where to place access points, where to put IDFs,
>> see if it exists.
>> So the partner or the customer does the site survey, using Hamina; we have integrations with all of those tools.
And you also do not just the wireless, but a wired site survey: how many PoE ports you need, how many Ethernet ports you need, where you have them. Once you have that information collected in Nav, we go ahead and do the network architecture, the topology including the cabling plan in case you don't have the cabling already. We provide all of that information and the bill of materials; we send it to the customer site or the partner, and Nile Nav guides them step by step on how to install it. You have a simple QR code. Here is the AP that needs to go here. This AP needs to connect to this particular switch. If they misconnect, right off the bat it tells you that you have misconnected so that you can connect it correctly. So we have a digital twin as designed at the time of the design. Then we have a digital twin at the time of the deployment. If there are deviations from that design, we work with the customer or the partner and rectify those, or accept those deviations knowing that this may lead to some sub-performance.
>> Okay. So maybe I'm missing something obvious then. If the customer is doing the planning and everything, the site survey, how are you guaranteeing the coverage everywhere that you discussed earlier?
>> Sure. So as part of that, we have guidelines for the customer or the partner who is doing the site survey: what kind of site survey is required, what kind of tools they use.
So they follow our guidelines, and we give the information about our access points into the tools.
It's embedded in the industry-standard tools, so use that information to do the site survey.
>> Are you reviewing their design?
>> Yes, definitely we are. Right, with that, this presentation is going to be all about the security, but I want to give you a sense of how we deliver the service. So when you think of autonomous operations, we have these customers all over the world. The network just works, and many of our customers tell us that we eliminated 100% of the tickets. In fact, some of our customers told us that they didn't even log into the Nile portal for years, because it just works. And how is that possible? We built the entire hardware and software from the ground up to really deliver autonomous operations.

When you think of AI, why do 95% of AI projects fail? Because you don't have the right foundation. You don't have the right data, you don't have the right data format. What we did was start with deep instrumentation of every hardware and software component. We built the entire hardware so that every register, every CPU, every process, anything and everything you ever need to know, that data is coming in real time to the cloud. It's being streamed. And not just the information coming from the systems; we also have sensors that we deploy throughout the building. They act like end users, giving the outside-in perspective on whether the network is working well or not: whether it's the power levels, whether the SSID or the radio is stuck or not, whether the port is stuck or not. All that information is coming from the sensors, so we have a 360-degree view of the network systems as well as from the end-user perspective. This data is coming in in a unified data model. That's very important: for AI to work, you need to have a single unified data model.

Now the second one is learning. How many of you believe that AI hallucinates? I know it's a rhetorical question, but you cannot really throw all sorts of things at AI and expect it to work fine. We built a specific architecture, a specific data platform, and we train our AI with that data.
It's contained, explicitly designed for the data that we created. It's a standardized architecture, a deterministic design across every customer, right? And we have network and security models trained specifically on the data that we have. And it's a self-learning mechanism. It's not supervised or unsupervised learning. It's really a self-learning mechanism. It learns on its own, continues to improve, and we can go into more details in case you're interested in how we do it. And third, once you have it, once you learn it, let's say I'll give you an example: you are in a Zoom call. There's an elevator going right next to it. That can cause electromagnetic interference, and that can lead to CRC errors, packet errors and Zoom issues. How do you figure it out? That is where the data is collected and AI is acting on it. OSPF sessions may not declare that the link is down, but our AI detects it and reroutes the traffic by increasing the OSPF cost around that link, then runs a lot of tests and takes care of it after that. But more importantly, can you trust the AI? Usually no, because you don't want to run your network just based on the AI. So we created agents.
What they do is, before we take an action, we take a snapshot of the entire network: every user, every CPU, memory, how the AP, the switch, everything is working, and every user device connected to the network. Once we take the action, we go back and verify: did every user device connect back, and what is the experience? We collect about 50 different parameters, from their signals and data rates to all aspects, and verify that every user connected back and they have an equal or better experience. Only then do we consider that it is successful.
>> I like that feedback loop with the clients and all the issues. Do you also use that same loop for your RRM algorithms, if you're going to change a transmit power or a channel?
>> 100%. Okay. And this is why we also proactively have the sensors, the wall-outlet sensors, as well as a dedicated radio in all our access points to give us that information, as well as the clients. When you think of the clients, you have devices that move and devices that do not move, like printers, some of the Wi-Fi devices. So we use that information to continue to give feedback to our channel planning algorithms and take care of it.
So if I may jump in, Keith. One solid example I can provide of that is: we detect, as an example, if there are non-DFS devices on the network. We are collecting that information through the wireless data that we collect. So we know that we have spotted and detected non-DFS-capable devices, and that influences our channel plan directly based on that data. If devices with non-DFS are showing up in such and such location, we make sure that we sprinkle in enough non-DFS channels on our APs across the floor so that those devices don't struggle. We actually learned that from one of our higher-ed customers, because we noticed that this laptop was connecting to an AP far away because nearby APs were all on DFS, right? So that's one example, and we have several other examples where we take that feedback and do that. Removing lower data rates is another one.
>> Right. So when you think of fully autonomous operations, and remember, we guarantee that the network is always up and running, five-bar coverage, you have the capacity: human on the loop, not in the loop. That's the difference. They're not really coming in and pressing every button to make the AI work; instead, they do the oversight. They give the instructions to the AI, and if there are high-risk actions, that's when they'll jump in. But otherwise they're constantly giving the instructions to the AI so that it performs within the guidelines, right?
>> Who determines what a high-risk action is?
>> So, first of all, most of the actions that we look at are: is it impacting one user, multiple users? What type of action, what is the impact, the blast radius, for lack of a better word? What's the blast radius of it? That determines the criticality of the action.
>> And then who determines the criticality?
>> Oh, the criticality is determined by the system itself, automatically, because we know where you're making the change.
Based on the change we can see how many people are connected behind that system.
So the impact is automatically calculated. But more importantly, here is what we've done in the past. Whenever there's an action recommended, first humans validate it very early on and look at it three, four times: have you looked at the situation correctly? Are you taking the right action? Once it's validated, then it gets automated. After it gets automated, now you are doing the oversight.
No, you know, I was talking to Tom a couple of days back at the mixer, and he said, "Do not talk about AI. You'll get brownie points." The reason is everyone is whitewashing the AI, everyone. And if you look at the AI, MIT clearly said 95% of AI projects fail. There's no ROI. Why? Because you are really bolting the AI onto existing infrastructure. Look at the hardware, the software that's been built. It's been built over the last 20, 30 years.
It's not built for AI. An AI agent or a chatbot is not going to fix your problem. The way I really think of it is a smarter way of looking into the broken architecture. A chatbot is a smart window to look into the broken architecture. When you think of AI for networking, it's really AI to clean up the mess that was created in the past.
You're talking about the missing VLAN.
Even today in 2026, in our case there's no VLAN to be missed, because there's no layer 2. It's a completely layer 3 architecture. Ports stuck? There are no more ports. Close, shut, no shut: none of that happens at Nile. Everything is open. You're connected. But until you get authenticated and authorized, you're not on the network. So if you look at it foundationally, think of a car where you're building your own car from multiple Honda and Toyota parts and you create a unique car. Every network, you guys agree, is a snowflake. Many of our customers told us you cannot automate your way through snowflakes, and that is what we are trying to do.
You need to really build what Tesla has done: build a platform for autonomous network driving. That is what we are doing. We built a single architecture.
We have a unified data model. Data coming from inside, data coming from outside, in a closed-loop manner, and with a guaranteed service. So autonomous operations require a new architecture. That's the reason why we founded the company, and that's what we're delivering to our customers.

Right now let's talk about security. When we think of mobility, we always thought of mobility as kind of the Wi-Fi, then networking as switching and routing, then security as NAC and bolted-on solutions. Many of our customers came to us before we started the company and said, "Hey, mobility at scale has been solved, but mobility security at scale has not been solved." CIOs and CISOs have been telling us that, and the gap has been the security gap. As you guys know, we designed our networks connect first, secure later: hey, let's get the device on the network, we'll figure out how to secure it. By the time you figure it out, the device is already on the network, has already discovered everyone, scanned the network, connected to the printer, is talking to your file server, and the lateral movement of malware is already happening. It is too late. This is where we said: every user, every device gets on the network only when they authenticate and authorize. No authentication, no identity, no access; no policy, no traffic. And your access, your trust, is not granted and then revoked.
Instead, you earn it every time you get on the network, every time you connect, every time you access something. Your trust is earned and enforced as you go through it. That's what you see on the right side: secure first, connect later. That required a fundamental rethink of the architecture.
And this one goes without saying. 80% of the devices on the network are not under IT control. We're talking about IoT and OT devices, even BYOD; a lot of devices are not under IT control. And about 60 to 70% of cyber security attacks start on the campus side. Your biggest attack surface is your campus LAN, not your data center, not your others, and that is fully exposed. And if that's not enough, now we are coming with AI agents, and AI requires a new identity, a new security paradigm, new trust and new enforcement policy. If you're familiar with it, there is a saying that in the next two to three years you will have 10 AI agents for every user, so 10 non-human identities for every human identity. The question is: is your network ready for what's coming in the next two, three, four years? And your architecture, frankly, sadly, is not ready. That's standard across most of the customer base we know of.

How many of you have heard of AirSnitch? Almost all of you, right? This came across as a Wi-Fi attack. Most of our customers and Wi-Fi engineers got pinged: hey, what happened? And it's not a Wi-Fi problem; it's the underlying network problem. Once you're on the network, you're implicitly trusted. That is the flip side of it: once you're on the Wi-Fi network, you're implicitly trusted because you're on the LAN, and you can take the identity of somebody else once you're on the network, masquerade as someone else and start doing a man-in-the-middle attack. The problem is an architecture problem that's masquerading as a Wi-Fi issue. It's not a Wi-Fi issue.

So with that, why do you have all these security challenges? All of you know this very well. We started with networking, then we added wireless, then we added controllers, then we added NAC; we bolted on NAC. These are patchwork solutions, one after another. Then you have all the operational challenges: patching and upgrading, interoperability issues, validations. On top of that you have the operational costs. This is where we came in and said, hey, we need a clean-slate approach where the entire fabric acts like a single unit, not as multiple entities, whether it's from the operations perspective, from the security perspective, or for deployment, visibility and control. It acts like a single entity.
Okay.
>> Do you also provide the DHCP, DNS and all those services?
>> Yes. I skipped it in the interest of time, but not only do we provide the entire fabric, the hardware, and the hardware we built from the ground up; on the service side we have the access layer, which is wired and wireless LAN; we have the edge, where you can directly terminate internet links on Nile; then we have the guest service, where as soon as the guest connects to the network we siphon off the guest traffic to the internet. We have point-of-presence locations where we take the traffic, and we guarantee the guest traffic is only going to the internet. Then we have RADIUS, cloud-based RADIUS. We have the cloud-based DHCP service, and we have the cloud-based trust service. The trust service is our micro-segmentation and policy that replaces not only the NAC but also your internal firewalls.
>> But then the customer provides the DHCP and DNS services?
>> No, we offer the DHCP service. We offer the RADIUS service, but we also interoperate with what you already have.
>> Okay.
>> So it's the customer's choice whether they want to leverage our services or their already existing services.
>> So I assume there is a clear line of where you stop and where the customer has to do X. Is that clearly defined, or does that vary depending on
>> It is defined, but we also give flexibility, because sometimes the customer may want to start with a single building, a single site, or across the enterprise. 90% of our deployments are brownfield, so we go and work with existing components.

So when you look at the security side of it: today 80% of the devices are not under IT control. You do not have visibility into them. Nile provides complete, 100% visibility. If you can't see it, you cannot secure it. What device is it? Where is it connected? How is it behaving on the network? More importantly, as soon as the user or the device gets on the network, the first thing is we isolate the user. You're in a segment of one by default. There's no layer 2, there's no peer relationship; by default you're in a segment of one, or a network of one. After that, based on the identity, we provide least-privilege access. We give you complete control over who can talk to whom, and this is identity-based: not based on IP address, not VLANs, not location. It's truly based on identity. And after that, again, you cannot trust the user when they're getting on the network. It's not sufficient to just validate the MAC when you're getting on the network; you need continuous verification, authentication and authorization of the identity. More importantly, it's built into the fabric.
You're not buying another set of hardware appliances, overlays or any of those things. It's built into the fabric itself. So you will hear these four words as we go through the demos and everything. First is identity first.
Every connection, every user, every device has to get identified at the time of the connection. And micro-segmentation, not VLANs, not dynamic VLANs, VXLANs or any of that. It is truly based on identity. You can do policy groups and apply least-privilege access, and this completely eliminates the lateral movement of malware, right?
And typically today you have one pane for the wired, one pane for the wireless, one pane for the security. We have a single pane of management across all of our services. Right now, let me summarize it. When you look at the left side of the screen, you have five to seven different products, three to five different vendors, two or three different operating models, lots of different licenses to manage and lots of different operations to handle. On the right side, you have a single fabric: one fabric, one operating model, one management pane, with native NAC, native security and native micro-segmentation policies.
Yeah. And to give you a little bit more: given this zero trust fabric, our customers tell us that about 90% of the complexity goes away and they see more than 50% savings in total cost of ownership. With that I'll hand it over to the
>> One more question.
>> Does the customer have access to your dashboard in Star Wars? That's just you.
>> So we have two things: the Nile portal, which is customer-facing, and internal autonomous operations, where you get every aspect of it. In some cases we have given access to customers if they ever want to see it. Yes, they do have access to that.
>> Okay.
>> Okay, all right. Thank you Suresh, our quarterback as always; thanks for setting up the stage. Now in the remainder of the sections we're going to make it very interesting with lots of demos. You will see our Nile portal a lot more, and we'll actually show you things in action, everything that Suresh has spoken about. The main thing is you will constantly hear us repeat a theme about unified management, built-in zero trust, secure infrastructure, zero lateral movement. If there is anything that we would like you folks to walk away with today, it is the fact that you're not having to leave the Nile portal. You're not having to leave the Nile ecosystem to achieve all of these outcomes we're talking about within our zero trust fabric. So to start with, let's just think of the network in three layers as far as security is concerned.
There is the infrastructure layer, there is access and there is policy.
With that, let's introduce some characters and let's use these characters as we go along and show you demos. So, Priya is our IT and security admin and she's been tasked with driving zero trust initiatives across the enterprise as well as an MDU location that she manages. Alice is a contractor, Bob is an employee and we also have an IoT device. These are basically representing the realm that Priya is having to manage. So with that, the very first thing Priya is starting to think about is: hey, you know, when I'm thinking about zero trust initiatives I have to start at the infrastructure, which means do I have to worry about SSH and Telnet on the boxes? Do I have to worry about my topology getting discovered? What about upgrades and security patches? Everything that Suresh alluded to earlier in terms of Project Glasswing and, uh, Claude Mythos, that has essentially gotten all of us to think: can the patching ever be fast enough, right? How am I going to manage all of that? So Nile's differentiation, packaged with how it is actually getting solved, is on the right side over here. There is no device-level access across any of our fabric elements, so there is no SSH, no Telnet. All the access to the fabric elements is only through our cloud and through a secure gRPC channel. The entire topology, and we did a demo of this in our previous Security Field Day, our fabric topology is not discoverable. So if an end device is trying to run scans and trying to discover our Nile service block or the Nile fabric topology, they are unable to do that.
L3-based host isolation we already talked about. Very intuitive, default-on, config-free WIDS/WIPS with the default deny posture on all of our fabric switches: we have diluted the threat of rogue Wi-Fi APs coming onto the network to start with, but if you do have a loosely configured rule to let some devices on your network and it happens to be a Wi-Fi AP, customers are not having to worry about fine-tuning a very complex WIDS/WIPS. With that, essentially in the previous world Priya is worried that, you know, hey, admins are having to deal with fragmented security. With Nile we have rebuilt the fabric so that it's true zero trust. So there isn't an explicit demo that we're going to talk about as far as the infrastructure security is concerned, but let's move to the next challenge, which is the access challenge. So now in the access world, as I introduced some characters already, there are users, there is IoT, and the LAN surface is so huge.
Plus you have the enterprise location, you have the MDU locations, and now Priya is thinking about how do I manage access for all of these things and still drive my zero trust initiatives.
In the traditional world, you're immediately thinking about how do I deal with per-port 802.1X configurations? How do I deal with configuring the SSIDs and my VLANs in one interface, then I go to the RADIUS to drive my NAC.
Then you have IoT and headless devices.
All of that can become very overwhelming very soon. So on the right side, and as we'll talk about in the demo as well, Nile starts every endpoint with default deny, which means, let's think of this building as an MDU: if there is an open Ethernet port and someone just unassumingly plugs something in, that device is not going anywhere. It's going to pop up in our Nile portal as waiting for approval.
And an administrator is going to get a notification saying there's a MAC address that's waiting for approval. So this basically is reinforcing secure first, connect later, which is a complete shift from how things have been so far with connect first and secure later. So with that, let's jump into some live demos, get things, uh, a little interesting. So we have a demo of our cloud-based RADIUS service that we're going to show. And RADIUS is not new.
RADIUS is table stakes. But what's new is you create segments within Nile. You create the SSIDs and you jump into creating policies within the same interface. Your SSIDs show up in your policy rules right away. Your segments show up in your policy rules right away.
So imagine you having to go to a different interface and then make mistakes when translating those segments and dealing with VSAs and so on and so forth. How many of you over here have mistyped a VLAN number when you're going from... I see Tom raising his hand.
>> Right?
I see smiles around the room. So imagine with Nile you've created segments and you need a certain device that's getting authenticated to fall into a certain specific segment. It just shows up in the dropdown right there; there's no room for error. So when we say that we try to make things easy and simple for our customers, that's one example of what we mean by that.
Uh, this is the second demo preface and then we'll jump into the demo. The first one was all about identity. We integrate with MS Entra SCIM. We also have compliance check with MS Intune. For the HP office printer in this case, like our IoT, essentially we are using agentless fingerprinting. And what's cool about that is the fingerprinting is happening inline because we are doing this all within the fabric. An IoT device plugs in, it goes into a pre-staging segment.
We are able to detect a bunch of traffic from the device, get it authenticated, then move it to its rightful segment. So with that, let's go ahead and jump into the Nile portal.
So over here, we're going to jump into authentication and what you see there is Nile RADIUS.
This is the Nile portal. This is what our customers and partners see. And we have skipped over some initial steps, like for example creating service areas, uh, that get created before even day one: hey, here's my site, here's my building, here's my floor. And once you get to RADIUS we have two options supported today: we support EAP-TLS as well as PEAP. With EAP-TLS the very first thing that of course you have to do is, uh, upload a certificate. Once that is done you basically are ready to hit the ground to start creating your policies. So the next screen is all about policies. We have some pre-created policies here.
We're going to click on one and, uh, just look at the contents of that policy.
So in the very first one, as you can see, there is Intune. So our RADIUS as a service from cloud is already integrated with MS Intune. It's becoming more and more popular, uh, with our enterprise customers and it's checking for various different things that we could pull from the Intune service and those are all listed here.
Uh, we've chosen compliance state in this case, and if it's equal to compliant, that we get from MS Intune, great. Then we have a second rule for which we have pulled the SCIM groups, and this is what I meant by earlier: you're not having to worry about making mistakes with did I get the group right, am I taking a segment from here and creating a rule in some other interface, am I taking a group from some other interface and bringing it into, uh, my network fabric. So this rule says if this group for this employee falls in group value as employees, then great. Then the next is also, you know, hey, something very basic, as you know, hey, is the SSID Nile guest or, sorry, ACME SSO or whatever, right? Once you chain all of these rules together, right at the bottom you can basically take an action: hey, accept this. And then as you can see, this is what I meant by these are all the segments. In the traditional world, imagine these would be your VLANs, and imagine creating those authentication rules in some kind of a NAC solution.
>> VLANs, right?
>> Sorry?
>> These are just named VLANs is essentially what they are.
>> So you can think of them as the similar construct, but segments are L3 in the case of Nile because it's a completely layer three fabric and each segment could have multiple subnets within it.
>> They're security containers, right?
>> They are not security tags either. So think of segment, for simplicity's sake, as a subnet that it's mapped to. So let's say you come in and you authenticate and the policy says you need to fall in segment employee. You get mapped to segment employee. In turn, segment employee is mapped to, let's say, 192.168.10.0/24, something of that nature. So segment at its very simplest form is a subnet.
>> Still sounds like a VLAN interface.
>> So segmentation without the VLAN ID tag zone.
>> Okay.
>> So let's clarify that. So first of all, this is completely layer three, so there's no layer two; that's one part of it. Second is, segments are not really required. In fact, it's because of the way we've been thinking: we allowed the segmentation because that's how most of the industry thinks, and ideally we need a single subnet globally for every device on the network, and then you have the policy groups based on the identity where you can define the policies. The reason we allow segmentation is that's how people think today and we needed to provide a way to migrate them to this, but more and more customers are looking at this as a single network with a single subnet where you have the policy groups that define what you're supposed to be doing. Hopefully that clarifies it.
>> I guess. So,
>> I'm still confused. How's this traffic going to flow in the network based on what tag or, what I mean, what identifier? If you capture one of these packets, how do you identify who it belongs to, based on what?
So that's actually a deeper discussion on how the fabric itself is constructed, and we didn't go into a lot of the, uh, how the fabric itself comes up and what constructs we use. At a high level, and we can talk about this in the close 30 minutes because it's going to take...
>> But at a high level, within the fabric it's all tunneled, and whether it's AP or switch, it's all basically getting tunneled to the NSB gateway. So it's an overlay that we are running, but every device is still an L3 endpoint and it's L3 isolated. So if you take a pcap you will see some GRE tunnel headers and you will see IP addresses for...
>> So we're talking like the same, um, uh, IP scheme, it's just chopped up into different subnets.
>> Yes. Yes.
>> So essentially it's like a /16, but instead of using VLANs we're using this designation, these subnets, and
>> we are in fact moving away even from subnets, right? And I think a lot of the questions I'm hearing, I think it comes down to possibly understanding, you know, how the fabric itself builds itself out.
>> Uh, but essentially we are also moving away from subnets in a way, right, because you're looking at identity first. So you could literally have two employees or two devices on the same subnet but completely different policies. Right? So like in this case, uh, in my infographic earlier I had Bob and Alice connecting to the same SSID. They could be given the same subnet, but based on their identity they have access to completely different things, and we'll go more into that and we'll address more questions in the close session as well.
I think, Kevin, this show...
>> help this view, because a lot of us are like
>> yeah, but I don't, at that level...
>> I think I kind of get the feeling that that's not something that you guys ever want, or think your customer ever needs to do, is a pcap. That's why he's asking, because, you know, we could see, oh, this is marked for the wrong VLAN, so something is wrong there, the policy didn't work or something didn't work to put them on the right VLAN to get the right subnet, whereas in your case, we wouldn't see any of that. In essence, it's kind of just a huge layer three that you're chopping up into subnets. I mean, I guess I'm oversimplifying it, but I guess I'm trying to figure out exactly what...
>> That's... you would kind of go down the path of troubleshooting the same way: hey, this MAC address showed up and it showed up on segment X where it was supposed to be on segment Y, and then you would go look at the policy logs within the same Nile portal to say why did that happen, and then you would go fix your policy rule, because what if I selected the wrong value in the dropdown there, right? That's essentially how you would go from there. This is just classic micro-segmentation, like basically everybody does it, right? Like, I mean, I don't mean to, like,
>> lowest common denominator, right? But like, from a packets and frames perspective, this is just micro-segmentation, nothing
>> We've not even gone there. So the next set of demos we'll show right now, it is just putting the device and the personas in the right segment.
>> The policies, you can do a lot, lot more.
>> What about applications or systems that require layer 2 connectivity across multiple sites to a core, and there has to be layer 2 all the way through?
>> So now we're going to the edge gateway.
Uh, today we work with other vendors in case, you know, they have their existing solution, but we have our own edge gateway roadmap and that's where we will certainly be supporting those types of use cases.
>> It would be like VXLAN or something like that.
>> We... So you want to add anything on there?
So actually, you know, why don't you take this one during the close session, because we have 45 minutes. So we have six more demos, but let's go a lot deeper into that one.
>> Yeah.
>> Okay. So we have looked at, uh, user onboarding and we saw how simple it was to create a policy. Now the next one we'll go into is fingerprint-based onboarding.
Let's go to access management. And this is where now we have switched from onboarding devices through, let's say, an 802.1X policy. This is a simple MAC address-based one, but there is a lot more packed in here. So if we can add a rule here please, and select fingerprint, and I would like this particular IoT device to go into a certain IoT segment, and we have an entire list of fingerprints available as you start to type these.
Right? So I can go as specific as the printer model number in order to create a policy based on fingerprint. So that's the power we're talking about: by basically unifying everything within one interface and giving you agentless fingerprinting in order to assign it to the right segment.
So with these two examples, we just demonstrated how easy it was to go from creating your segments and service areas, and then having policies in place, to basically start onboarding employees, contractors, and even IoT devices by simply using fingerprint-based rules.
>> Uh, how reliable are your fingerprints? Like, I've seen behavior... I'm not sure how you're actually doing the fingerprinting, but I've seen things like where you do a firmware update and device behavior changes, and I've seen other systems start to misidentify them. So
>> Yeah.
>> how reliable has that been for you guys?
>> Yeah, I'm so glad you asked that question.
So with Nile, because we are inline, we are actually able to look at a lot more traffic than what an out-of-band system can do in terms of figuring out the fingerprint. So we're looking at upwards of 11 different types of data points. So traditionally fingerprinting is based on just DHCP, let's say, or maybe the user agent from the browser. We are able to see all kinds of other packets that the device is spewing out. Let's say we look at discovery packets, the mDNS type of packets the device is spewing out, or SSDP packets, or LLMNR packets that it's sending out. So we are in a position to actually fingerprint a lot more accurately. In fact, we have an example from a real customer where they were using another NAC solution previously, but when Nile went in, we were able to provide them a specific HP printer model number, whereas with the previous one, they were only able to go as far as this is an HP printer. So to your question, do we have misfires? We have had misfires, but we are able to, uh, fix those, mainly there because of Fingerbank, the service that we use, and they are, you know, quick enough to, you know, fix one-offs very quickly. But our accuracy rate has been great because we are inline, right? Thanks for the question. All right, so, uh, next we're going to move into the second challenge with access. So the third demo in this section is going to be... if you can go back to... Uh, so we talked about onboarding users, how easy it was to create the policy, unified management for that. We talked about easy IoT onboarding with fingerprints. The next we're going to talk about is continuous verification. So in Nile, just like we talked about verify first, connect later, secure first, connect later, the thing about trust is trust also has to be continuously earned, not permanently assumed. Okay. So, while Bob and Alice are two personas that Priya has successfully onboarded, it's the IoT devices that are going to make her life challenging, right?
Things like, what if someone unplugs the printer? And this happens all the time during red team testing, but what if, you know, a friendly guy with a bunch of donuts walks in and plugs in, uh, tries to reuse the same port that your printer is using and gets in.
So this is where I have a recorded demo because it has lots of moving parts. So here's an example of a fingerprint-based MAC spoofing alert, and this is where some of our accuracy with fingerprinting, because we are inline, has played a huge role. In this particular demo I'm showing, just for, uh, the sake of more visibility and unpacking this more, the blocking of this device can happen automatically. Once blocked, we... sorry.
>> So I have a question.
Is MAC address your method of fingerprinting?
>> No, that was the 11 data points we were talking about earlier.
>> So we look at DHCP, uh, browser agent. We look at a bunch of different packets like SSDP,
>> LLMNR.
>> Uh, no, we do not do SNMP polling. This is everything that we see coming out of the device. By the way, to your point about SNMP polling, we are going to talk about something called inline device verification. So hold on to that thought and we'll show something really cool, uh, about that.
So in this particular example we have detected, uh, the spoofing, and we do have the option to automatically block the device.
In this particular case the device has been blocked. Now it's time for the administrator to physically go remove the device, but there is the original device that's probably waiting to get on the network. So that original device is struggling. So what do you do now? So how do you know that the original device is back? So we have something called observation A and observation B, a human-in-the-loop test. So the admin has to come and say, hey, here are the two observations we made.
You need to confirm to us which is the one that aligns with your original one. So if the admin says, hey, you know what, this device actually was a macOS and not some random Debian-based Raspberry Pi. The admin makes that selection, confirms observation A indeed is the original, and that's how we then decide to close the incident, close the alert, and the original device is now able to get on the network.
>> Do you give visibility into why it decided that was a Raspberry Pi?
>> This is all fingerprint-based,
>> right? But you're having the, uh, administrator decide which one is the correct one. So in order for them to decide that, kind of how it made the decision that it was a Pi versus an OS X: you've got the fingerprints, you've got those 11 data points, you're only showing three of them there. Do you expose more information to the user or no?
>> Sure, we have that information and, you know, we definitely could, and, you know, that's something we can certainly look into, and, uh, giving more visibility as to what fingerprints led us to decide that, hey, this was a Raspberry Pi. We can
>> particularly in a spoofing scenario where you're trying to decide which one is legitimate or not.
Kind of looking at each of those side by side would be helpful.
>> Yeah. No, that's a good point. Yeah, we definitely have the data and that's absolutely something we could do.
All right, so with that, just to wrap up the section, we talked about, you know, simplified policy creation as well as continuous verification of devices on the network.
So we have gone past the access challenge for Priya and now let's jump into the policy creation and continuous authorization. Over to Shir refreshen, thank you so much. Uh, so we spoke about infrastructure, how airtight we can make it: no SSH, no Telnet, you cannot discover the management network. Uh, then we spoke about access, that how do you get access to the network. We spoke about segments; segments essentially are layer three constructs. If you have 10 VLANs in your network, you can create 10 segments in Nile. In the VLAN world, you have an SVI.
In Nile, you have a segment that maps to a subnet. So everything gets tunneled based on identity. We put them on that subnet. Right. So we'll now basically get into some more details around this.
>> Wait, you said everything gets tunneled.
>> Yes.
>> So on, let's say, a switch, a physical switch, the traffic is being tunneled where?
>> To the head end or controller.
>> Okay. And is that a piece of hardware? Is that a piece of hardware?
>> It can be virtualized on a switch for a small network, or it can be separate hardware that can scale up to 30,000 devices.
>> Okay. So all traffic, whether it's wired or wireless, is tunneled to that core.
>> Exactly. So in the AP's case, when you create five SSIDs and it's a controller-based AP, you do not create a trunk port on the AP. Right. The same thing applies with Nile. You don't have any trunks or VLANs on the switch, just because, like an AP, that switch is designed to be kind of a zero trust box tunneling everything to that, uh
>> Okay, to solve the problem, which I think it would be a problem of just doing layer three everywhere, actually everything is tunneled directly to the controller.
>> Exactly. And we have layer two, we do multicast, right, the whole shebang, and we can get into more details in our close session.
>> Okay.
>> All right, so let's quickly look, right, if you look at VLANs, they were designed for containing broadcast storms, right, they were designed for segmentation. They got morphed into using that. VXLAN came around to fill the gap that VLANs had, right? From 4,096 to 16 million, right?
Or to migrate a VM from data center one to data center two, you want an L2 extension, right? They were never designed for segmentation. Nile out of the box is saying that every device, no matter what its IP is, you could have different subnets, you could have one single subnet, but every device is host-segmented. Now, can you do that with VLANs and VXLAN? Absolutely.
Right? Right? You bring private VLANs into the mix, you do granular IP access lists, you know, create SGTs, you can certainly do that. But out of the box, you do not get that experience.
Right? Next thing is, on a large campus, you can go and do all of this stuff.
Great. You're going to put SGT tags.
You're going to do all the segmentation.
You're going to, you know, do the VXLAN.
However, how do you start scaling, right? The complexity that's needed, the overlay systems, the NAC solutions, the firewalls that go with this, right?
It becomes extremely complex. With Nile, this is completely vertically aligned.
And you'll see in the demos how simple and straightforward it is. So the goal here is, whether it is a small site, which is two access switches, 10 APs, whether it's a medium, uh, site with two distribution switches, a ring of access switches and APs, or a large campus, our policy remains constant. When you say employees can communicate with the printer on TCP 990 or 9100, that policy sticks everywhere, right now. You cannot do that if you start building these different systems and architectures, because in large, uh, enterprises you definitely have different architectures.
The smaller sites are probably like internet cafes, right? Uh, so you probably do some sort of firewalling or segmentation on your firewall versus what you would do on campus. So ideally what we really want to do is we want to bring operational simplicity. The word simple does not go with security, right? The more security you add, the more layers you add, it becomes more and more complex.
So with Nile, as you see in the following demos, this is going to be extremely simplified.
So what are we doing with our micro-segmentation, right? What is that trust engine that we talk about, right? What is that identity first? In order to do that, we obviously have to define some constructs. So Nile has this concept of groups. Every device that connects into Nile, whether it's a user device or an IoT device, has to fall into a group if you want to do host-based segmentation, sorry, if you want to do policy-based or identity-based segmentation. So you've got a user group. What we're saying is you can do a user group and you can say that if someone is on 192.168.1.0, you know, put them on this user group. But what we're saying is don't do that. You have that option. Go with identity. Use that SCIM group that you get from your IDP, right? Use that AD group that you get from AD. And using that SCIM group, put that device into a segment, sorry, into a, uh, group. So basically, you could have employees, uh, they could be sales, HR, marketing. Uh, they could all be in the single subnet, right? Right? You could even have your IT devices if you want in that single subnet, because it's identity that we're after, not just the IP, right? Or the location of that device. So that's what we have with the user group. Device group, same thing. You can do it based on the MAC address of the device. You can do it based on the IP address of the device, but do it based on fingerprint. And then we go a step further. How do you distinguish between a corporate HP printer and a Costco-bought HP printer which is identical? The fingerprint is going to be identical. And that's where, you know, we've mentioned we do the device validation check. You can actually create an SSH rule or an SNMP rule. You can log into that device, verify the credentials, and only then would you allow that device to get on the network.
And we'll show you a demo about that as well. And finally you have the app group. App groups usually are things outside of the Nile network: your data center subnets, your applications that reside there. So the idea is, take all your devices within the network, group them, and then basically go and apply the policy at that group level. So do not do it based on IP; uh, do it based on identity. So that's where Suresh was mentioning technically, if you want, you could have a single subnet. Yes.
>> I'm guessing you work with other IDPs but do you have your own IDP service built in?
>> No, we work with other IDPs.
>> Okay.
>> All right. So this is an example. You could have these employees over here.
They could be different personas, HR, sales; they probably want access to different services. On the right-hand side you have an IoT segment where you have your security cameras. Employees should never have access to them, right?
But employees should have access to printers. So technically they're all on the same subnet, because in the Nile world a segment maps to a subnet. But when you start to create a policy, you can create a policy where you can say employees have access to those printers on TCP 9100 and that's it. They would never get access to the cameras, even though those cameras are on the same subnet as a printer. Right? And that's what we want to kind of demonstrate today.
And then we'll also demonstrate quarantine. What happens in the traditional world today? You have all these new features where if it fails, uh, a compliance check, you're going to actually give it a different VLAN, right? You're going to change the IP of the device, especially if it's already online. That user experience is horrible, especially for IoT devices like printers, where it just gets stuck, you know, even though you've changed the VLAN at the back. What Nile is saying is let it onboard. If you know it's a printer and it meets your criteria, let it come on the printer segment, because it is already going to be host-segmented from the get-go. Then we do device validation checks, and if it does not meet the compliance, rather than moving the segment in the back end, which is VLAN in the traditional world, and changing the IP, we still leave it on that same segment, on the printer segment, but it automatically gets into a quarantine group which is defined in our policy system, right? The quarantine group is basically a policy that you can define and say anyone in that quarantined group only has access to a remediation server, right, or the internet, or nothing; that's your choice. So we'll show you that as a demo as well. So in this demo, we're going to show you this matrix. We're going to show you some of those constructs we spoke about and then we'll also show you the view of how you can look at all of the stuff, all the traffic, you know, through your network.
I think we spoke about that. We can move forward.
So what we're going to start with is looking at the policy matrix, and then we'll come back to some of these user groups, uh, fairly quickly. But the idea here is it's a global default policy set. That is very critical. It's applicable to all sites.
Right now we do give you the option that, let's say, you want to have a completely different policy set for your retail sites because they're very different than your corporate sites. You could certainly do that. But the idea really here is the policy set is not dictated by the type of or the scale of that site. It's more around the personas and the devices you have. Maybe you don't want to mix those two, right? But here all this stuff would basically be applicable to, uh, the sites. What you see here in white versus yellow: white is what you would define as your groups and yellow is something that's already system-defined. So you have things like quarantine devices; that's already been defined. It's a system group, and if devices fail off they will automatically fall into that group, and we'll come back and create some, uh, you know, some policies. You have three options over here. You can either allow the traffic, you can deny the traffic, and the third is you can forward it to the firewall by default. That is one option. So even though you have, you know, a device on segment A with 192.168.1.10 and another device at 1.11, if you really wanted you could send that traffic to the firewall, right, or you could have Nile isolate that. But the idea is it's all explicit deny by default. And when you forward it, you can also forward it to a Zscaler or a Prisma or an Entra. So you can create very granular rules saying if you're an employee, uh, with an Intune-compliant laptop, then you would be able to reach the data center subnets through the Zscaler IPsec tunnel. Right. So we have that option as well in there.
>> Forwarding to the firewall. Is that a Nile firewall or is that a third party?
>> That is a third party firewall. Uh, now Nile has a firewall, especially for branch sites. You can have a full stack solution where we are doing NATting, we are doing the WAN load balancing. So a combination of firewalling and SD-WAN.
In that case, obviously you would not need anything because you would use this policy engine to make that call.
All right, let's go back to the groups really quick. So if you look over here, what we have is uh groups. So we'll start with user groups. Uh if we go to one of those uh groups really quick, uh what we've done here is we've added this value of employees. If you just uh click on the dropown again, depend if you don't mind.
uh the group the values the values yeah these are all coming from your IDP so again as deepen mentioned right Priya does not have to sit and identify what was the group name right so when she's creating these policies in here for an IT admin she's going to pick all the groups that are coming from your IDP so no fat fingering of of groups and you can obviously match multiple groups over here >> if I if I rename that in the IDP do does that uh reflect in in this interface I don't have to like recreate those groups or yes policies What happens is uh the good thing about skimm integration is skim is a first time pull we pull all the information from your IDP not the password it's just the username you know some some metadata along with your groups now if you go and add a group or you disable a user in IDP ski pushes that information directly to us right so that's how we can get this real-time information uh in here uh the next thing we do is uh if you go to device groups depend if you don't mind uh and just click on add because we'll be good to show the options Right?
So if you go there, it says selection criteria uh is going to be a uh segment.
So segment would mean you would do it the traditional way, based on an IP, right? Which is what we would discourage you to do. Uh but uh what we're saying is you want to do it based on fingerprint.
So again you can go there and do a fingerprint and then you can you know again choose that fingerprint. This exact same feature that we saw for onboarding is also available for policy.
Right. Are there any wildcard options for the, because do I care what model of printer it is or what model of access camera?
>> So what you can do is you can say printers and scanners, the broad group,
>> or you can say HP printer, right, or you could do very specific. So we've got three layers. You could do OS level. So there are about three layers of hierarchy that we get and you can do it based on that.
>> Okay.
>> Right.
>> Uh and then maybe you can just go back to the uh one so we can show the device validation check really quick. Um, now this was what I was talking about.
How do you distinguish between a Costco printer and a printer that you bought and you set it up? So, you can basically choose SSH, SNMPv3 or HTTPS.
The good thing about this solution is right, we don't run SNMP on on that box.
We're actually having it come from the cloud. So, again, write less code on the systems, less bugs, less, you know, uh, less downtime. Uh, so we can basically now query that device as of today and validate this is your device. We'll be extending that where you could actually grab some information from that device, go and check a CMDB if you have one.
Right? So, this is where you can now start to distinguish between you know a printer that you have versus uh someone just bringing it in there. All right. Uh app groups, very quickly we can just touch upon them. What we have here is I've just created these print servers and employee portal. Uh but here you can just start putting your IP addresses, your apps. These are things that are external to Nile, right? Because you want your print server to be reachable, you know, so that employees can print. Uh, and then what you'll see on the bottom on devices is you'll see assigned devices. So any device that got onto the network and it matched a criteria will land up in the assigned group. Okay. Now what happens if you add devices and you don't have groups for them? They land up in unclassified state. And you can have a policy for unclassified as well. You can say, you know what, I don't want anyone to get black-holed. So I'm going to have a policy for unclassified as access to the internet, HTTPS only. Right? If you want to do that. And then finally the quarantine devices, and you already see one device in here. This device failed device validation check because we had put in the credentials for HTTPS. This is a speaker, and because uh the credentials didn't match it is in quarantine state, and this would basically be on the same subnet as a printer. However, what it can access is restricted by a policy that you as an admin can create, right? Uh service profiles, I think that's very straightforward. That essentially is what ports and protocols you can have, right? So when you create a uh uh a policy, you're basically going to say source, what ports and protocols you can talk through, and then the destination.
Uh so we can now move through creating a policy, just a sample policy set really quick. So if you go back into our policies, uh we can uh create one policy maybe from contractors to the print server or yeah the remediation server, just to show us what it looks like. Uh so basically you click on that button over there and you can now create a policy uh between contractors and the remediation server, right, and then you can add service profiles as we go along.
>> I have a question. Now, the key key thing here again is, you know, we were talking about earlier. Sorry, Ricky.
>> I know you're doing a demo, so you're probably doing this fairly manually, but how automated can you make this happen?
You wouldn't want to touch these for everything in your network. So, is this whole process automated? Especially if someone else has a non-Nile setup and they want to move to Nile. How is that ingested into your system?
>> Great question. So Keith, there are two things, right? Two phases. I'll talk about phase one, right? One, what we want to do is you want to enable trust engine. Uh keep your policies maybe in your firewall and we just forward it into the firewall so things are working as expected. Uh and then we can start showing you the flow data and then by looking at the flow data you can start to decide what you want to do. Right?
That is what we are aiming right now.
What we are working towards in the next 6 months or nine months is, hey, we already know how a retail customer has set their firewalls in general across our uh you know our customer base. We know how enterprises set their firewalls. Can we automate 80% of those firewalls, where when you migrate, we can automatically show you, based on this, say employee talks to printer, what, you know, TCP 1990 or 9100; IT admins manage printers, they have SSH, they have you know HTTPS access. So you want to get to that point where all printers are basically clubbed in there. Yes, a finance printer is something different, they would go and manually add that; that falls in that remaining 20%. So that is where we're going to get to, because you know Suresh will always tell us that it has to be simplified, it has to be automated. So to your point, no one wants to touch firewall rules, right? We have seen a small site, literally a very small site, having almost a thousand lines of firewall rules, right? So our goal is to get to that automation. We're not there yet today, but that is definitely something we're after.
>> Thank you.
>> All right. Uh so earlier there was a question, how do you know what IP, you know what uh segment you are in? And this is where you can see, when you're creating it, you will see all those details. So you see the IP subnets over there, you know you are doing it based on SCIM, not on IP. So if someone is not able to get on the network, because this is an identity based policy, you're seeing the word contractors. If this was a subnet based policy, you would actually see the subnet and realize, oh, I'm doing subnet based policies. This device is in the wrong subnet because I know the subnet cannot talk to data center. So you can actually go and you know troubleshoot that looking at the policy logs. But when you're creating this, you would get that information right here.
>> And I think it all, whatever identity is being used and how it's deployed. What we're trying to figure out is, like, in a packet, how do we identify these components, these elements that
>> you can see. I mean, we're just trying to look under the hood. I know the end user doesn't care, and as long as it works and you're managing it, that's why they're paying you to manage it, then it's fine. But from our perspective, we're probably just trying to get too deep into it, trying to figure out how it
>> Absolutely. So when we do the closed session, we'll give you a simple, you know, packet, how the packet goes, you know, from one place to the other. It's no secret sauce. It's just basic networking.
>> Okay. Thank you.
>> Yeah. And if I, if I may add real quick, Fern, to your point, we are going to talk about the whole policy log and what hits we are seeing, who's accessing what. So we want to talk about that. So that level of visibility and you know who's accessing what and who was denied what and what hits were seen. Absolutely that visibility you will have in this and we'll talk about that in a second.
>> We'll wait.
>> Okay. Uh so next, uh when you hit next you can choose a service profile up there. So these are those profiles that you could create earlier, which is nothing but your ports and protocols, right? You want an open service profile, you want a, you know, specific to a printer, and you can create as many as you want with as many ports and protocols within it. Okay. Uh and then if you uh, we can do these three actions, the deny action and the forward action, right? So the forward gives you that ability where you are migrating to Nile, you have your firewall policies in place, you don't want it to be very disruptive, so you just come and start creating these policies and put everything forward to firewall for now. Uh and then we will just start sending everything to the firewall, and as you want to start testing and validating you would be able to see, you know, how this goes. Now we also have a monitor mode where you could actually see these firewalls and we would show you stats that if this firewall was active, that traffic would be dropped, right? And I'll show you a screenshot later on in the demo. All right. So that's pretty much it from a uh from a uh you know demo of policy perspective. Um but that is, sorry, go ahead.
>> So the policy sets that how how uh what's the word I'm looking for? How detailed can you get with the policies?
Like for example you have identity but then you also have device. You can have device type. So Eddie could be on with his corporate laptop, but he's also connecting to the 802.1X with his mobile device, but that device, even though it's Eddie where he has full access, gets, you know, the guest subnet or whatever. Um or you know does he have, you know, or after 6:00 p.m. he can no longer access here, or you know, how detailed can you get with your policies?
>> Go back to the So there's one thing that you're not seeing here to the PPT piece.
>> Uh so one thing that you're not seeing here is this piece, what we call the, sorry, is what we call the attribute set. Okay, the attribute set is going to be tied to the source of that device and that will actually have things like uh compliance with CrowdStrike, Intune, you know any of your MDMs, time of day, uh SSID, wired or wireless, uh 802.1X or SSO. So what you can now, OS as well, so fingerprint as well. So now you can start to create a policy uh based on identity is the same, because you're right, I'm doing SSO on my personal phone because they allow me to do it and connect to the guest network versus my corporate issued laptop. So your identity will be the same, but when you apply the attribute set you would create a separate different policy. So you would not match that, and that is a piece that you've not seen in the demo, but that is what we have right now from the uh policy perspective.
>> All right. Uh just go, let me quickly jump on to the next thing. So we were talking about the visibility, right. So this is where you will see this flow data show up uh in the portal itself, and you know when you were saying can these devices communicate or not, uh you can start to dig deeper, uh and you can start to literally go and look at it at the policy level, and when you click at the policy level you can actually go and see every single IP address that's going through. At the end of the day it is an IP address that's going through, right? It all gets translated to an IP address uh in the system. So you will be able to see, you'll see the time, you will see the packet, and then this "would deny" is if you had this policy in a monitor mode, meaning you created an employee to printer policy, we will show you that if you had applied this policy, because you are in monitor mode yet, it would have been denied, right, because it's probably using a different port number. Uh so you get that visibility within the uh policy logs that we have.
If you click on one of those, do you go does it give you data like what what was used? What were the the items that were used to actually make the decision?
>> Yes, you will actually see the entire policy and you will see within that policy what blocked it. So for example, if employee to printer is allowed and it is blocked, you would see the reason, because it's using a different port number, your service profile did not match, right? So it tells you exactly which policy uh it mapped to and why did it get
>> Do you have an example of that, like the OT management one there that
>> Yeah, I don't have
>> Is that clickable and you could see why?
>> Yes, each one of these is going to be clickable. Uh, and you can get into more details on the right hand side. You can't see it, but there is a way to click on the detail logs and it'll give you a whole log of
>> Oh, so this isn't live.
Sorry.
>> You can click on it, but nothing's going to happen.
>> Exactly.
>> Uh, and then we give you different views as well. So one view we give you is how many matches, right, between these two policies, right, for this policy set, what was the match uh rate. What we also give you is how much traffic is being uh used between those two destinations, right, when that policy match happens. Again you can drill down into each of these and see which IP is using the most traffic, so maybe there's just this one IP who's trying to use that application, right. And then the other view we also give you is, even though you've allowed that, you know, privileged admin to manage laptops, uh how much of it is getting denied, and the denied could be because of your service profiles. You know, you're probably trying to get to a printer using SSH or that managed laptop through SSH and that's not allowed. So, you would be able to see, you know, all of those things. Uh and in the next version, you'll be able to click and add a rule on the fly. You can say, you know what, I'm seeing this. I forgot to add SSH as my protocol. Add it right now. And then it goes and does it automatically. So, going forward, you would have that built into the network.
>> What data sets can you can you connect to this? So, you know, like I'm thinking like like um my active directory. I'm thinking LDAP. I'm thinking a SQL database.
>> Uh what what a CSV file. I mean what what are the different authentication sources that you can link up to?
>> So what we can do is SSO natively built into Nile, meaning integration. So once you set up your IDP integration, uh we can then do an SSO with SAML and then we can use SCIM to get information. That's one way. And we support both on wireless and wired. So you can do that both on wired and wireless. We obviously support 802.1X with EAP-TLS. You can do 802.1X with PEAP and AD servers. And the AD server comes into play where we get the AD groups using LDAP. Uh and then if you're using EAP-TLS, we can do it from AD or we can do it from SCIM. And then we have integrations with Intune. Uh we have integrations with every single
>> What about like a database, like SQL, like a student database, you know, SQL database. So you can get context if they're part of, you know, maybe AD is one part, but then we're also looking to verify that they're part of this class or whatnot and get certain kinds of access and things like that. Do you have access to alternative databases?
>> Yeah. So what we're doing, and I'll talk about that in the next, this trust circle, uh and I would like to understand exactly what information you need, but I'll just quickly give you what we are thinking of here. So what is trust circle? Trust circle is something that we're designing uh for, I, you could say MDUs, right, multi-dwelling units, uh dorm rooms where students are, uh even in some types of enterprises where it makes sense. Uh the idea really here is, today what's happening with MDUs is for every MDU you create a separate unique VLAN, right, and you put all your devices in the VLAN, they can all talk to each other, great, uh but they cannot talk to the neighbor very easily, right. With Nile what we're doing is we're saying segment uh is basically agnostic. You just have one single segment for the entire MDU, all the residents are on the same subnet, but we form a trust circle. Now how do we form the trust circle? We form the trust circle based on uh integration with a billing system. So for example, someone wants to buy internet over there, they would go and register for internet bandwidth, that would automatically create a trust circle with the Nile for that unit number, right? Uh and now you can basically have those devices which are on the same subnet as other devices, but they can only talk to each other. Same thing happens with a student, right? We create, you know, they log in through SSO. Through SSO, we know it's a student. We create a trust circle on their behalf. So all the devices in the dorm rooms can now communicate with each other. Now the good thing is that student can invite his or her roommate as well to just access the Xbox. So they can literally on the fly create a policy through a portal we call the My Nile portal. Right. And I'll show you a screenshot of that as well. But the idea really here is to simplify. So to your point uh what we can do is we can integrate with a property management system.
We can integrate with a billing system and based on that we can dynamically get some data like unit numbers. You could pivot based on that, or you could, you know, pivot based on a student's name and create this trust circle on the fly. So from a config standpoint, if you look at it, um what we have here is the user, uh sorry, the admin is going to go to the setup and just going to create a trust circle and say I want to create a trust circle, uh this trust circle is going to integrate with SSO or with a property management system or with a billing system. Uh and then based on that I want residents to be onboarded, self onboard themselves. When a resident checks in, they automatically get an email from Nile with a UPSK code.
So now they can start using that UPSK code. They also get a guest code that they can share with someone else, right?
And they can create more UPSK keys if they want to. Uh and then they manage everything from this uh portal which we call the uh My portal. This specific view, because in the trust circle config you can say it's a property management system. This view is for a property manager. Uh but this view could also be applicable to a, you know, an RA in the dorm room. They can see all the units there. They can click on each one of them. They can see all the devices. They can help someone disconnect, connect again. So you have that flexibility, and the end user, they see a uh they see a portal which is something like this.
So if I'm a student or I'm a resident of that dorm, I can actually see all the devices that are in that dorm. I can click on each one of them. I can disconnect, reconnect, I can go and create a UPSK key automatically. So completely self-serve. Uh so to your point, if there is some sort of database that we can integrate using APIs to get information that will help us set up a trust circle, that is possible.
>> So this scenario would would only be usable with WPA2, right? You can't do it with WPA3.
>> Yes, we cannot unless you give us the MAC address of the device.
>> Yes, that is correct.
Any any questions?
>> You have a lot of MDUs using this or is it more education dorms?
>> So today our major customers are in the dorms, but we are now working with some major MDUs.
Uh and this is where we gave a complete facelift. So we have shown this portal to you before. This portal was called the my.nc.com where you can go and see your single device, but we have now expanded this because we're seeing a huge use case around that, uh where we can integrate with the billing system and things can automatically, you know, uh make it a self-serve portal for end users to troubleshoot, right, or onboard their devices.
>> Question.
>> Like the per-user PSK, this kind of solves that in a way?
>> It does. So if you think of how it is done today,
>> every unit is its own VLAN, right? So someone is creating those VLANs, either through automation, however it is, but it is a VLAN that's created on that controller, right? Uh and then how do you allow others to communicate with you, right? Someone has to call in, you have to create a firewall rule, that's not going to happen, so some customers just leave it wide open. As long as you know the IP address, you'll be able to reach that guy's printer or that guy's Xbox, right?
With Nile, that's what we're trying to bring, that security first piece. We give the controls to you and, you know, we can show you some of those uh clicks where you can actually give someone access to that Xbox for 2 hours, 4 hours or until I stop, for example, right? If you are in a um uh assisted living facility, right? And you know your parents are there, the parents can make sure that you are the guardian, so you have full access to the network. You have a nurse who comes in, she gets permanent access but she doesn't access your network. Right? So those are the things that we've built in by looking at the use cases, and again, not thinking about VLANs, not the way it is done today, by really thinking about how this should be as secure as possible.
>> So it's solving it not by standards but by your own priority. It's interesting.
>> All right. So this was that example, right, that Bob's parents basically are in there. They have a resident UPSK key. They can give a key to someone else, and that key can be of two types: either it's their relative who's going to manage their network for them, right, whatever is needed, they want a new Apple TV installed, he has that ability to do it through his own devices, or it's a nurse who just comes in every day, a caregiver, and she has access uh you know to the internet only. Rather than logging in through the access code every day, she has permanent UPSK keys so that she can get on the network, but she cannot manage the network, right? So we can create that distinction uh as needed. All right, I think we can skip that for now. Uh yeah, I think, do you want to go ahead?
>> Go ahead, that's okay. We already, you only got 7 minutes, so it'll be good to
>> Okay. So just to conclude and wrap things up, and of course, you know, we'll have a lot more Q&A in the 30 minutes that we have. We talked about AirSnitch. We talked about why we had to fundamentally reimagine the fabric itself, not just for making it an as-a-service offering, because we had to foundationally change how networking was done, right? And the same thing applies to security. So here's an example of when AirSnitch came out and we evaluated the effects of AirSnitch and what it's capable of doing. Our advisory on the right side was plain and simple. It's a layer three isolated fabric and hence the advisory was just very minimal. There was no impact to Nile customers. Whereas the way things are today, some of the advisories that I have seen out there looked something like on the left side.
We're talking about all these different things that you have to get right in order to be protected against something like AirSnitch. So we're talking about, you know, complex VLAN access control policies, and then you have ARP inspection and, you know, DHCP snooping. In the case of Nile, a rogue DHCP server is not even possible.
There is no such thing as trying to uh bounce the gateway, things of that nature. So with that I'm going to hand it off to Suresh to do a final uh wrap-up.
I understand, you know, it raises a lot more questions than answers. So we'll continue to answer some of those questions, because it's a brand new, you know, we've been trained to think a certain way in the last 20, 30 years, and now we're coming and saying that, hey, we have a network that just works with autonomous operations and a network with built-in security. So if you look at, you know, what we're delivering, right, it's built into the fabric. It's not a separate appliance, not a separate overlay, not after the fact. It's built into the network itself. And more, and as you guys know, snowflakes are a challenge, whether it's from an automation perspective, whether it's an AI perspective, operations, debugging, troubleshooting, from all of that. We have a single architecture across all of our customers and no network level configuration. So it's a deterministic design. I'll give you an example. If you find an issue with a particular device in a customer's site, and let's say, you know, an interoperability issue, we can fix it and roll it out to every customer out in the world and they'll not even find that issue.
They'll not even encounter that issue.
That's a big deal when you think of it, right? And it's a single fabric, whether it's an access layer, whether distribution or the core or edge, the entire thing acts like a single fabric. Single fabric for wired and wireless, single fabric across all the layers of the networking, and single fabric for networking and security, not multiple sets of products. And then it's designed from day one for the security and for the operations. And when you think of the competition out there, what's the market out there? This is what you hear, right? Hey, you can do it however you want it, right? Many different architectures, many different protocols, many different knobs that you can think of, and you can build it, you know, every way, any way you want it. But that leads to the security gaps. You have multiple panes of management. You know, whether it's wired or wireless, whether it's security, typically you have at least two or three different panes of management. And the idea is, you know, when you think of it, what changed with Nile, why are we able to deliver it? I'll give you the one clear secret sauce. When we were at, you know, we all worked at every other networking vendor out there, right? When we built the product, we built the technology. We gave it to TMEs who created the best practices, configuration guides and all of this and gave it to customers and the partners.
It's up to them to monitor and manage it. What we did is we flipped the script and we went to the engineering and said that anything and everything that you write needs to come up on its own other than plugging in, needs to monitor itself, manage itself. Why? In this day and age, we're giving the data to somebody. Someone monitors it and takes the action on it. That's a foundational difference in how we went about building the hardware and the software.
Anything and everything, whether it's software, whether protocol, whether data, anything that you're presenting to somebody, you should be able to understand it. You should be able to take care of it automatically. That's the first principle that we changed. And second is we said that every user device that connects to the network has to be authenticated and authorized. Start with the segment of one, and segment of one where they're completely isolated from each other until someone writes a policy to allow them to access the resources on the network. With this, that gives you, you know, the idea why we had to go back to the drawing board and build the entire network, the hardware, the software, the operations, everything, and which, you know, you cannot really go back and retrofit to existing networks. With that we have three more minutes. Any questions?
>> Uh so for somebody that doesn't know about Nile, would you say you're a security company that happens to have hardware or a hardware company that happens to be really secure?
>> Great question and frankly uh funny. We believe, you know, networking is a means to deliver the security. So networking is required because you cannot bolt it on, as we talked about. So it's a means to deliver the security. We are a security company delivering through the network.
>> The, the one
>> And let me add a little bit more to that before I come back. So when we started this company, we also said, you know, hey, this should be like electricity. We all take it for granted. It's about time. For 30 years we've been doing the same thing over and over. Maybe, you know, CLI moved to the UI, moved to, you know, a little bit more intent-based, but still we're doing the identical, the way we've been. VLAN, it's already more than 25 years since the VLAN got conceived. We said we need to flip the script, where it should be as simple as electricity: simple, reliable, just works, needs to be secured. That is what we set out to do, and that required the clean-slate architecture. Go ahead.
>> Well, I mean, we're out of time, but I was going to, the one thing we haven't looked at yet is visibility when looking into clients, what they're doing, they're having issues, what are those issues? Um, you know, we asked about packet captures because it's not about the network, it's sometimes about the relationships between clients, and one's not doing what it should be doing in response to the other. And so where, how do we get access to that if we have to go deeper in? Because I understand the value to the customer is we set it up for you and it's going and you shouldn't think about it, which is fair. They, you know, they have their own business to run. Running their network isn't their business. But when the need arises, what are the tools that we can have to get that visibility in there?
>> Sure. Multiple things. First, you know, we had multiple mobility field day sessions, networking field day sessions.
We showed a lot of those details early on when we came into presentation,
>> but we can give you hands-on, uh, remote labs. We can give you the access to that where you can go on your own, you create your own tenant and play with it. So, if that's something you're interested in, we can definitely follow up with you and give it to you.
>> Any other questions? Comments?
>> What about solving the harder problems? You guys seem to solve a lot of the easier ones. Um, but when it comes to harder problems like RADIUS, DHCP, you kind of hand it off and let it be somebody else's problem. How do you guys get visibility to that type of
>> So, Mark, actually, as you know from the last time we talked to you, now we have our own RADIUS service.
>> We do.
>> Yeah, we have our own RADIUS service, our own DHCP service, and it's all integrated. So, you're not going to some other place to talk about RADIUS or DHCP. It's all part of the same Nile portal that you saw. And you can say that, hey, it's Nile DHCP. As said, the network talks to the DHCP server, the network talks to the RADIUS server. You don't need to set up any of those shared keys and secret sauce. All of that is taken out. Thank you everyone.
Thank you for your time and we'll go into a lot more details on the road map as well as the Q&A.
It's
>> Perfect timing, sir.
>> All right. Thank you very much to Nile for a great presentation. Lots of discussion, lots of questions. That's what you come to expect from a field day audience. Um, we appreciate them stepping in and being a part of this.
And like you said, we are going to have about 30 extra minutes at the end of uh this session to do a little off camera Q&A with them. But for those of you who are watching at home, this is the final presentation of Mobility Field Day 14. I know it feels like it just started, right? Uh, no, this was a jam-packed event and we're very happy to have a lot of companies that are participating, uh, coming back, being a part of this. It's what we do. Um, and I know that, uh, we bring you a yearly mobility field day. Um, we're at the point now where, you know, the industry has consolidated a little bit. Um, people schedule their user conferences on top of this event. Um, we're kind of at the point where one mobility field day being very full every year uh is, I think, the right thing. So, mobility field day will be back in 2027.
Uh, probably in May. Uh, that seems to be a good week. You know, I just love scheduling things over Chris Reed's anniversary and my anniversary and uh, Mother's Day. I mean, who really needs Mother's Day as a holiday, right? Please don't kill me, honey. Um, but uh I want to make sure that everybody knows that we also have more great tech field day content headed your way. Stephen Foskett, the man, the mythos, the opus legend, will be back out here next week for AI field day. He's got a great lineup and some wonderful people who will be taking part in it. So, I hope that you're able to tune in there. I will be back first week of June. We're going to be at Cisco Live. Uh, we're going to have some presentations from a lot of great people there. We're going to be enjoying the uh delightful June Vegas weather.
Oh boy. So, I'll probably be wearing short sleeves for that one. Um, but we also have other great content on our website. If you head over to techfieldday.com right now, you can check out our list of future events. Uh, we have them lined up through at least the first part of the second half of the year. Uh, we have more networking, more security, more AI, more AI infrastructure. But keep an eye on that future events tab because you never know when you're going to see something pop in there. We might uh have an opportunity to go to a, who knows, Black Hat. Yeah, they might be there. We'll see. Um, the reason why we can do that, of course, is the great companies that we have that present, but also the wonderful delegates who join us from around the table. So to Dan, to Megan, to Allan, congratulations. You're not the new people anymore. You are now part of the ship, part of the crew, part of the community. And if you want to be a part of the community, you know what to do. Head over to our website, techfieldday.com. Fill out that little form that says, "I want to be a Tech Field Day delegate." Um, we'll uh probably have a call with you today.
Sam made an introduction for me today to somebody that I'm going to be following up with in the next couple of weeks. But the idea behind it is that we want to continue to have great people in this community because uh a lot of folks go to work for uh vendors. Uh they love our evangelists and we love that for them. But once you work for a vendor, it means you can't be a field day delegate while you're there. So, we need somebody to fill that chair. If you have somebody that you would want to nominate, you can do that through our forum as well. Um, don't forget that we have a lot of other great stuff that goes on throughout the year. Uh, I mentioned the Tech Field Day Plus YouTube channel yesterday. That's where we do the Gestalt. Sorry, it's the Tech Field Day Rundown now. I, you know, you do that for seven years and you get the name in your head. Uh, the Rundown utilizing AI, uh any one of a number of our Tech Field Day podcasts, which we'll be recording an episode of very shortly. But don't forget that we have other stuff that we do through the Futurum Group. I do a podcast called Security Boulevard. We have a podcast from one of our other co-workers, Dave Nicholson. Uh lots and lots of stuff.
Just go to futurumgroup.com. You can find out more information there. Uh before I forget, I want to say a special thank you to everybody who was watching uh online, but specifically to the staff of the Tech Field Day group who continue to do an amazing job. The two people who were in the back of the room today and all week, uh Matt Garvin and Clara Huard, thanks for keeping our little goslings in a row and not hissing at them too loudly when they got out of line. Uh but also Rachel, Andrew, Corey, Steven, all of the people that have been watching along back in the Ohio office.
Thank you so very much for all of your help. Uh and in some cases making sure that I'm paying attention when the mics don't sound right. Um, but we want to say, you know, we are going to continue to do this as long as you guys are going to keep watching it. So, don't forget to tune in, set your calendars. Um, Tech Field Day will be back next week.