Identity Management for Networks

Transcription

1 Network Access with Precision through Identity Identity Management for Networks NYMISSA 19 APR 2007 Sean Convery Identity Engines 2007 Identity Engines, Inc. All Rights Reserved.

2 Who am I? (a.k.a. Full Disclosure) Everyone s background influences their perspective, so here s mine: CTO at venture-funded, network identity management startup, Identity Engines Previously spent seven years at Cisco most recently in the office of the Security CTO within the Security Technology Group (STG) Principal architect of Cisco s original SAFE[1] security architecture Spent a sizable amount of my time at Cisco in security consulting for large enterprises Author of Network Security Architectures[2] Identity Engines, Inc. All Rights Reserved.

3 Agenda Background Identity Management for Networks Considerations Identity Engines Overview Identity Engines, Inc. All Rights Reserved.

4 Identity Management (IdM) Defined The set of processes, tools and social contracts surrounding the creation, maintenance, utilization and termination of a digital identity for people or, more generally, for systems and services to enable secure access to an expanding set of systems and applications.[3] Identity Engines, Inc. All Rights Reserved.

5 Key Identity Management Components Provisioning - Initial account creation and attribute / rights association Authentication - Validating a supplied credential against a provisioned account Authorization - Determining and enforcing permissions associated with an account Accounting - Auditing account activity Re-provisioning / De-provisioning - Modifying or removing account attributes or rights including potential deletion of the account Identity Engines, Inc. All Rights Reserved.

6 What Problem are we Solving? Organizations large and small are accessing more data across more different systems These systems need security for any number of reasons It isn t effective to manage each system as a silo Or, to put it another way Identity Engines, Inc. All Rights Reserved.

7 We Want to Change This User Directory Policy policy policy policy Resource System 1 System 2 System Identity Engines, Inc. All Rights Reserved.

8 Into This. User Directory Policy policy Resource System 1 System 2 System Identity Engines, Inc. All Rights Reserved.

9 It Began with Applications Application IdM has numerous challenges Legacy applications Competing standards Widely disparate policies Security at the application and at the data level Authentication is far more common than authorization Policy is hard to centralize Major vendors are attempting to solve this problem Oracle, Microsoft, Sun, HP, Novell, CA, etc. Systems generally involve Provisioning / workflow systems for account creation access gateways / portals for web apps custom connectors to legacy apps LDAP[4] user directories to house accounts Identity Engines, Inc. All Rights Reserved.

10 And Deployments Look like This User Directory Policy policy policy policy Resource System 1 System 2 System Identity Engines, Inc. All Rights Reserved.

11 Let s Look at the Network Distributed Traditional perimeter firewall; security only on special purpose devices Expanded threat profile leads to more security devices (IDS, VPN, Basic Host Controls). Legacy RADIUS[5] serves authentication requests but lacks richness for authorization policy. Most access IP rather than user based. Enforcement Authorization Policy Enforcement Authorization Policy Distribution of security continues, with authorization tied closely to enforcement. Lack of flexibility of legacy AAA leads to multiple discreet RADIUS stores and local users configured in enforcement devices. Enforcement The goal: 1. Centralize user authentication through flexible next-generation AAA services. 2. Centralize key elements of the authorization policy creating centralized audit and control. Centralized Enforcement Authorization Policy Authentication Policy Authentication Policy Authentication Policy IdM Phase 1 IdM Phase 2 Authorization Policy Authentication Policy Identity Engines, Inc. All Rights Reserved. Time

12 Networks have the Same Problem policy policy policy WLAN VPN Dial-Up Identity Engines, Inc. All Rights Reserved.

13 Though Without all the Baggage Applications have no common authentication protocol Networks have RADIUS There are thousands of applications There are only a handful of network access types across a handful of vendors Policies for applications vary widely Networks often have the same basic policy building blocks (i.e. ACLs) Networks have challenges but they aren t the ones that typically plague IdM for applications Identity Engines, Inc. All Rights Reserved.

14 Agenda Background Identity Management for Networks Considerations Identity Engines Overview Identity Engines, Inc. All Rights Reserved.

15 Identity Management for Networks Goals Centralize authentication Centralize audit Authenticate most / all forms of access Enforce consistent policy Leverage existing directory and network investment Identity Engines, Inc. All Rights Reserved.

16 IdM for Networks Taxonomy Client - Device / user attempting to access the network Policy Enforcement Point () - network device that brokers access request and enforces policy result (i.e. WLAN AP, Firewall, VPN gateway, Ethernet switch) Policy Decision Point (PDP) - network device that decides policy for client based on and interaction Policy Information Point () - a source of information in setting policy (i.e. user directory, asset management system) Accounting - Audit destination for client access and network usage Credential - Element offered as proof of identity (i.e. password, certificate, smartcard, biometric) Let s see how the parts fit together Identity Engines, Inc. All Rights Reserved.

17 1. Client Requests Network Access Client connects to the net (perhaps a WLAN AP), is challenged for identity, and sends this information to the Protocols PPP[6] PPPoE[7] 802.1X[8] IPsec[9] SSL VPN HTTP Acct. Client PDP 1 Production Network Identity Engines, Inc. All Rights Reserved.

18 2. Sends Identity to the PDP In some cases the relays information as in the case of the Extensible Authentication Protocol(EAP)[10] may add additional identifying information for the network Protocols TACACS+[11] RADIUS DIAMETER[12] Acct. Client 1 2 PDP Production Network Identity Engines, Inc. All Rights Reserved.

19 3. PDP Queries Relevant s Query includes learning about the client and validating the client s credential Microsoft AD is a very common.edu often have multiple s Protocols LDAP SQL Database Kerberos NIS (Network Information Service) Acct. Client 1 2 PDP 3 Production Network Identity Engines, Inc. All Rights Reserved.

20 4. (s) Respond to PDP Includes: success / failure for credential Client attributes / groups Protocols LDAP SQL Database Kerberos NIS (Network Information Service) Acct. Client 1 2 PDP 4 3 Production Network Identity Engines, Inc. All Rights Reserved.

21 5. PDP Makes Policy Decision Includes: Info from and (s) Contextual information (time, location, etc.) Local policy rules to evaluate against Protocols XACML[13] Proprietary Acct. Client 1 2 PDP Production Network Identity Engines, Inc. All Rights Reserved.

22 6. PDP Informs Includes: Yes / No authentication result Specific authorizations (i.e. ACL to enforce, profile to trigger) This allows security enforcement at first point of connect Protocols TACACS+ RADIUS DIAMETER Acct. Client PDP Production Network Identity Engines, Inc. All Rights Reserved.

23 7. PDP Informs Accounting System can also notify accounting at a later step Includes: Client identifiers Context information Timestamps Authorizations granted Protocols RADIUS Acct. SYSLOG SNMP Acct. 7 Client PDP Production Network Identity Engines, Inc. All Rights Reserved.

24 8. Grants Access Simple yes or no message or a more specific exchange depending on the protocol Protocols PPP PPPoE 802.1X IPsec SSL VPN HTTP Acct. 7 Client PDP Production Network Identity Engines, Inc. All Rights Reserved.

25 9. Client Accesses the Network From this point on only the is involved in the client s activity ensures client only accesses allowable resources Re-authentication timers will trigger this exchange again Protocols IM Web IRC WoW Client Acct. PDP Production Network Identity Engines, Inc. All Rights Reserved.

26 Benefits Supports multiple vendor s gear Doesn t require new inline deployment Leverages organization s existing directory investment Integrates easily with existing provisioning / workflow systems Provides centralized audit of network use Access policies are consistently enforced Standards-based Identity Engines, Inc. All Rights Reserved.

27 Agenda Background Identity Management for Networks Considerations Identity Engines Overview Identity Engines, Inc. All Rights Reserved.

28 System Availability When all you authenticated was dial-up or VPN, a dusty RADIUS server in the corner of your data center was fine Today s demands require a different approach With authenticated networks, PDP availability is as essential to the network as routing or DNS If your identity infrastructure goes down, so does your network Systems must support HA and and be built for the worst-case load requirements (i.e. mid-day powerbrown-out) Identity Engines, Inc. All Rights Reserved.

29 Authorization Understanding Many existing systems can do basic authentication Authorization is required for all of IdM s most interesting applications Authorization requires: Ability to write rich policies Understanding of capabilities from multiple vendors Identity Engines, Inc. All Rights Reserved.

30 Rich Directory Integration Directory attributes are often inconsistently named across directories Attributes enable rich policies making their use worth the effort Look to attribute / group name mapping Similar to elements of a virtual directory Additionally, intelligent routing among multiple directories is essential Attribute normalization: finance HR PDP LDAP-1 AD LDAP-2 finance HR acct HumRes account EmpSup Identity Engines, Inc. All Rights Reserved.

31 Other Considerations Method s for authenticating the client vary by access type, some systems require specialized clients Automated client deployment techniques are maturing Be very careful when considering merging elements (i.e. /PDP or PDP/) For most organizations the flexibility lost is too great capabilities vary (i.e. an ACL for a Cisco device may not be the same as an ACL for a Juniper device) The IETF is making progress[14] here Directory understanding within networking groups is often light The right PDP can reduce this concern through wizards, etc Identity Engines, Inc. All Rights Reserved.

32 IdM Real World Applications Secure WLAN Most common IdM deployment today Guest management Solves acute problem today while setting up for future applications Endpoint Compliance Identity is the foundation for any robust NAC implementation Phase I Phase II Phase III Guest Management / Secure WLAN Department specific rollout Full Rollout Common IdM customer phasing Identity Engines, Inc. All Rights Reserved.

33 Role-based Authorizations Guest Admin(s) Guest Manager User Directory (Employees only) Guest Internet AAA Internal Network Contractor Finance Network Finance Employee All network access is authenticated enabling user audit and differentiated access Enforcement techniques vary per (ACLs, VLANs, VPN profiles are common) Guests can be forced to the Internet only, contractors can be given specific internal access, privileged employees can see restricted areas Identity Engines, Inc. All Rights Reserved.

34 Agenda Background Identity Management for Networks Considerations Identity Engines Overview Identity Engines, Inc. All Rights Reserved.

35 Who is Identity Engines? Solutions Headquarters Investors Partners Industry Identity-based Network Access Management Sunnyvale, CA Trinity Ventures, Lightspeed, Horizon Oracle, Novell, Checkpoint Education, Enterprises, Government, Healthcare Analyst Recognition Identity Engines is well positioned to meet this need and could complement Cisco's high profile Network Admission Control (NAC) strategy Robert Whiteley, Forrester By extending Oracle identity management for network access control, Identity Engines is helping to bridge the network and application environments Jon Oltsik, Enterprise Strategy Group. Identity Engines - Major IdM Trends for 2006: Identity Appliances Identity Engines, Inc. All Rights Reserved.

36 Customers across Education, Enterprises and Government Identity Engines, Inc. All Rights Reserved.

37 Comprehensive Solutions for Authenticated Networks Ignition Guest Manager J2EE-based extensible and customizable visitor solution Ignition Portal Captive portal for guests and legacy platforms Ignition AutoConnect Auto-configuration of clients for 802.1X Ignition Server Identity and policy-based authentication and authorization server Identity Engines, Inc. All Rights Reserved.

38 Our Solution in Action Guest Admin(s) Ignition Guest Manager User Directories Event Attendees (Employees only) Internet Temporary Event Network Ignition Server Campus Wireless Network Visiting Vendor Ignition AutoConnect Conference Center Guest User Research Network Contractor Ignition Portal Identity Engines, Inc. All Rights Reserved.

39 Summary and Conclusion Authenticated networks are the emerging reality in networking IdM for networks works by centralizing decision and distributing enforcement Guest access and secure wireless are the high value / low risk early applications Leveraging your existing network and directory should be the norm, not the exception Just because your box speaks RADIUS, doesn t make it a full-featured PDP RADIUS is a protocol not a product Look for elements of the PDP described earlier Identity Engines, Inc. All Rights Reserved.

40 References (1/2) [1] Convery et. al., SAFE: A Security Blueprint for Enterprise Networks Cisco, November 2000 [2] Convery, Network Security Architectures Cisco Press, April 2004 [3] De Clercq et. al., An Introduction to Identity HP, June 2004 [4] Zeilenga, "Lightweight Directory Access Protocol (LDAP): Technical Specification Road Map" RFC 4510, June 2006 [5] Rigney et. al., "Remote Authentication Dial In User Service (RADIUS)" RFC 2865 (Obsoletes RFC 2138, 2058), June 2000 [6] Simpson, "The Point-to-Point Protocol (PPP)" RFC 1661, July 1994 [7] Mamakos, "A Method for Transmitting PPP Over Ethernet (PPPoE)" RFC 2516, February Identity Engines, Inc. All Rights Reserved.

41 References (2/2) [8] Jeffree et. al., "Port-Based Network Access Control" IEEE Std 802.1X-2004, November 2004 [9] Kent et. al., "Security Architecture for the Internet Protocol" RFC 2401, November 1998 [10] Aboba et. al., "Extensible Authentication Protocol" RFC 3748, June 2004 [11] Carrel et. al., "The TACACS+ Protocol Version 1.78" draftgrant-tacacs-02.txt, January 1997 [12] Calhoun et. al., "Diameter Base Protocol" RFC 3588, September 2003 [13] OASIS, Extensible Access Control Markup Language, February 2005 [14] Congdon et. al., "RADIUS Filter Rule Attribute" draft-ietf-radextfilter-08.txt, January Identity Engines, Inc. All Rights Reserved.

42 Network Access with Precision through Identity Thank You for your Time! Sean Convery Identity Engines For a written version of much of this presentation, check out: Identity Engines, Inc. All Rights Reserved.