IF-MAP Use Cases: Real-Time CMDB, and More

Transcription

1 IF-MAP Use Cases: Real-Time CMDB, and More Richard Kagan EVP / General Manager Orchestration Systems Business Unit

2 IF-MAP: A Powerful New Standard IF-MAP = Interface to Metadata Access Points An open protocol standard published (free) by the Trusted Computing Group Available since April, 2008 Version 2.0 released August, 2010 Pub/sub database - Like Facebook for IP devices and systems Supports a wide array of applications: Multi-Vendor Network Security (NAC) Compliance Management Asset Management Smart Grid Network Automation / Cloud Computing Could do for data sharing what IP did for connectivity

3 The Integration Challenge Supply Chain Mgmt Smart Grid CMDB AAA SIEM Network Location Switches Routers ERP Building Controls Factory Controls Infrastructure Management Network Security DNS, DHCP Asset Mgmt IPAM CRM HR Applications SNMP, Syslog, Netflow Custom Integration API s, Scripts Complex Costly Brittle High Maintenance 2010 Infoblox Inc. All Rights Reserved.

4 From Integration to Orchestration with IF-MAP Supply Chain Mgmt Smart Grid CMDB SIEM Switches AAA Routers Network Location ERP Building Controls Factory Controls Infrastructure Management Network Security DNS, DHCP Asset Mgmt IPAM CRM HR IF-MAP Protocol (Publish, Subscribe, Search) Applications IF-MAP Server Automatically aggregates, correlates, and distributes data to and from different systems, in real time 2010 Infoblox Inc. All Rights Reserved.

5 IF-MAP Doesn t Replace Existing Systems & Applications It Enables Them to Easily Share Data Network Security Physical Security Network Location Provisioning, Visualization & Analytics (Management) IF-MAP Server Decisions (Control) Sensors & Actuators

6 IF-MAP Protocol Overview

7 IF-MAP Components IF-MAP Client(s) IF-MAP Server employeeattribute = active User Name = John Doe distinguishedname = C=US, O=myco, OU=people, CN=12534 Department = Sales failed-login-attempts = 3, login-status = allowed role = access-finance-serverallowed 3 MAP Client Operations: Publish Subscribe Search 3 MAP Server Objects: Identifiers Links Metadata

8 IF-MAP Access Operations Publish: Tell others that <metadata > Clients store metadata into MAP for others to see Example: Authentication server publishes when a user logs in (or out) Search: Tell me if match(metadata pattern) Clients retrieve published metadata associated with a particular identifier and linked identifiers Example: An application can request the current physical location of the user Subscribe: Tell me when match(metadata pattern) Clients request asynchronous results for searches that match when others publish new metadata Example: Tell me when any user s status goes from employee to terminated

9 IF-MAP Server Objects Identifiers Links All objects are represented by unique identifiers Connote relationships between pairs of identifiers Metadata Attributes attached to Identifiers or Links Typical Data Types: Identifiers: Identity, IP address, MAC address, Session ID, Device Metadata: AAA info (authenticated, role, capabilities/policies) Device info (AV running, OS level, screen size, etc.) Event info (unauthorized access attempt, etc.), Layer 2 info (port, VLAN), location, etc. Many others, plus user-defined

10 Basic Components of MAP Content Identifiers Metadata Link

11 IF-MAP Use cases

12 CMDB Objectives Provide an up-to-date repository of IT assets, configuration, and state Automate reporting and compliance Enable dynamic reconfiguration Better utilize assets Minimize downtime 12

13 Typical CMDB Discovery Process MANAGED NETWORK DISCOVERY SENSORS / AGENTS Discovery Results Discovery Engine Topology Builder - Discoveries take: ~2 Hrs to 24 hrs - Some devices and configurations are never discovered - Discoveries create extensive network loads CMDB CMDB

14 IF-MAP for CMDB IF-MAP Can Address Many Shortcomings of Conventional CMDBs Real-Time CMDB enabled by IF-MAP CMDB Federation (CMDBf) enabled by IF-MAP - Share data across independent CMDBs - Increase Scalability 14

15 Use Case: Real-Time CMDB MANAGED NETWORK MAC = 00:11:22: 33:44:55 IP-MAC DISCOVERY SENSORS / AGENTS Infoblox DHCP Server Publish IP= IP= IP-MAC Discovery Engine Topology Builder CMDB SERVER Discovery Results Update CMDB Invoke Discovery CMDB MAP Client Infoblox MAP Server MAP Database MAC = 00:11:AA: 33:44:55 IP-MAC MAC = 00:11:11: 33:44:55 IP=

16 Use Case Solution for Policy-Based Remote Access User= John Windows 802.1X Client 00:11:22:33:44:55 1- Endpoint plugs-in 2- SW sends EAP Start 3- Supplicant sends credentials 9- SW opens port Endpoint requests DHCP 14- Endpoint generates traffic Infobox HA Pair DHCP/DNS Appliance 11-DHCP sends MAC-IP metadata to MAP identity = John MAP Database Accessrequestmac MAC = 00:11:22: 33:44:55 IP-MAC Cisco 3750 Switch 8- UAC sends RADIUS accept to SW Juniper SSG Firewall 4- SW sends RADIUS Credential to UAC 13- UAC activates L3 access on FW. Private Applications Juniper IC 4000 UAC 5- UAC does Auth. Lookup IF-MAP 6- UAC publishes To MAP Infobox HA Pair MAP Server 7- UAC subscribes to MAP 12-MAP sends IP- MAC to UAC AAA Authenticatedas CHANGE? CHANGE! Accessrequest = 113:3 Capability = access-privateapplications IP=

17 Use Case Integrated Network / Physical Security Solution Secure Zone 1 Zone 2 location = Zone 12 MAP Database Access Request Hirsch System (Physical Sensor) Publish: John in Zone 1 Publish: John in Zone 2 identity = John authenticated Cisco 3750 Switch Juniper SSG Firewall Policy Violation: Access Cut Off Classified Network Grants Access Request Juniper IC 4000 UAC Appliance Infoblox MAP Server Publish: John is Authenticated; Session ID 113:3 Subscribe: Changes to Session 113:3 Subscription Update: John in Zone 2 Publish (delete): John is Authenticated Hirsch UAC Employee Card MAP publishes Subscribes grants reader updates system (John) requests connects leaves access publishes firewall UAC to the to enters Zone the the for about to update policy the 1, access MAP zone to while corporate the update classified to the server to 1 location the to still MAP block the to MAP logged the network server access change MAP in CHANGE? CHANGE! Accessrequest = 113:3

18 Use Case: Federated IF-MAP Servers for UK EDUROAM Service Enables login at remote universities / research centers using home login credentials Serves 1.9 million users across 850 locations Enabled today using RADIUS Proxy Service provider (JANET) maintains database of roaming activity Univ A JANET Univ B Bbaker, Roaming from University D OK! Radius Server Radius Server Radius proxy Radius Server Radius Server Univ C Roaming Users Jsmith@univB.edu Bbaker@univD.edu Univ D

19 IF-MAP Federation for Next Gen EDUROAM Service Local RADIUS servers replaced by RADSEC servers RADSEC servers communicate directly no need for proxy JANET no longer sees RADIUS transactions, no view of roaming activity IF-MAP Federation provides a solution: -Local RADSEC servers publish user/location data to local MAP server -JANET s central MAP server subscribes to changes on university MAP servers Univ A Univ B Jjames, Roaming from University B OK! RADSEC IF-MAP Client Jjames@ Jjames@ univb.edu univb.edu JANET Local IF-MAP Server RADSEC RADSEC RADSEC Univ C Local IF-MAP Server Central IF-MAP Server Federation Subscriptions Local IF-MAP Server Univ D

20 Infoblox NIOS Appliances Support IF-MAP Publishes DHCP lease information to any compliant IF-MAP server Other systems can subscribe to updates Infoblox NIOS Appliance (DNS, DHCP, IPAM) Enables real-time orchestration IF-MAP DHCP Lease Information (IP, MAC, Start, Duration, etc.) IF-MAP Server

21 Infoblox Orchestration Server (IBOS) Provides Robust IF-MAP Infrastructure Fully compliant with TCG standard Proven interoperability with other IF-MAP compliant products Unique Infoblox capabilities IF-MAP 2.0 compliant Lossless HA Fine-grained client authorization Data browser, extensive logging IF-MAP Federation Custom Identifiers Infoblox Orchestration Server Network Security Physical Security Network Location IF-MAP Client Systems

22 Resources Documentation & Freeware 3 minute video on IF-MAP on Orchestration/IF-MAP Solutions page on infoblox.com IF-MAP community Web site Includes links to open source IF-MAP servers and other resources Information about Infranet Controller: us/en/products-services/security/uac/#overview Complete protocol specs, information on TPM, TNC, Trusted Storage and related topics Infoblox IF-MAP Starter Kit (FREE) VMware IF-MAP appliance Client simulator Open-source client stacks (PERL, java, C++) Open-source SNMP-MAP Bridge

23 Calling All Innovators! Announcing the IF-MAP Innovation Awards The Goal: Demonstrate innovative uses of IF-MAP The Awards: 1st Prize: 5,000 GBP 2 nd Prize: 3,000 GBP 3 rd Prize: 2,000 GBP Proposals due 30 June, 2011 Submissions due 1 March, 2012 Offered to all students, faculty & researchers on the JANET (UK) Network Winners announced at Networkshop 2012 Questions: MAPinnovations@infoblox.com