RADIUS Grows Up. Identity Management for Networks Secure IT Sean Convery Identity Engines

Transcription

1 Network Access with Precision through Identity RADIUS Grows Up Identity Management for Networks Secure IT 2007 Sean Convery Identity Engines 2007 Identity Engines, Inc. All Rights Reserved.

2 Who am I? (a.k.a. Full Disclosure) Everyone s background influences their perspective, so here s mine: CTO at venture-funded, network identity management startup, Identity Engines Previously spent seven years at Cisco most recently in the office of the Security CTO within the Security Technology Group (STG) Principal architect of Cisco s original SAFE[1] security architecture Spent a sizable amount of my time at Cisco in security consulting for large enterprises Author of Network Security Architectures[2] Identity Engines, Inc. All Rights Reserved.

3 Agenda Background Identity Management for Networks Considerations Use Cases Identity Engines, Inc. All Rights Reserved.

4 Identity Management (IdM) Defined The set of processes, tools and social contracts surrounding the creation, maintenance, utilization and termination of a digital identity for people or, more generally, for systems and services to enable secure access to an expanding set of systems and applications.[3] Identity Engines, Inc. All Rights Reserved.

5 Key Identity Management Components Provisioning - Initial account creation and attribute / rights association Authentication - Validating a supplied credential against a provisioned account Authorization - Determining and enforcing permissions associated with an account Accounting - Auditing account activity Re-provisioning / De-provisioning - Modifying or removing account attributes or rights including potential deletion of the account Identity Engines, Inc. All Rights Reserved.

6 What Problem are we Solving? Organizations large and small are accessing more data across more different systems These systems need security for any number of reasons It isn t effective to manage each system as a silo Or, to put it another way Identity Engines, Inc. All Rights Reserved.

7 We Want to Change This User Directory Policy policy policy policy Resource System 1 System 2 System Identity Engines, Inc. All Rights Reserved.

8 Into This. User Directory Policy policy Resource System 1 System 2 System Identity Engines, Inc. All Rights Reserved.

9 It Began with Applications Application IdM has numerous challenges Legacy applications Competing standards Widely disparate policies Security at the application and at the data level Authentication is far more common than authorization Policy is hard to centralize Major vendors are attempting to solve this problem Oracle, Microsoft, Sun, HP, Novell, CA, etc. Systems generally involve Provisioning / workflow systems for account creation access gateways / portals for web apps custom connectors to legacy apps LDAP[4] user directories to house accounts Identity Engines, Inc. All Rights Reserved.

10 And Deployments Look like This User Directory Policy policy policy policy Resource System 1 System 2 System Identity Engines, Inc. All Rights Reserved.

11 Let s Look at the Network Distributed Traditional perimeter firewall; security only on special purpose devices Expanded threat profile leads to more security devices (IDS, VPN, Basic Host Controls). Legacy RADIUS[5] serves authentication requests but lacks richness for authorization policy. Most access IP rather than user based. Enforcement Authorization Policy Enforcement Authorization Policy Distribution of security continues, with authorization tied closely to enforcement. Lack of flexibility of legacy AAA leads to multiple discreet RADIUS stores and local users configured in enforcement devices. Enforcement The goal: 1. Centralize user authentication through flexible next-generation AAA services. 2. Centralize key elements of the authorization policy creating centralized audit and control. Centralized Enforcement Authorization Policy Authentication Policy Authentication Policy Authentication Policy IdM Phase 1 IdM Phase 2 Authorization Policy Authentication Policy Identity Engines, Inc. All Rights Reserved. Time

12 Networks have the Same Problem policy policy policy WLAN VPN Dial-Up Identity Engines, Inc. All Rights Reserved.

13 Though Without all the Baggage Applications have no common authentication protocol Networks have RADIUS There are thousands of applications There are only a handful of network access types across a handful of vendors Policies for applications vary widely Networks often have the same basic policy building blocks (i.e. ACLs) Networks have challenges but they aren t the ones that typically plague IdM for applications Identity Engines, Inc. All Rights Reserved.

14 Agenda Background Identity Management for Networks Considerations Use Cases Identity Engines, Inc. All Rights Reserved.

15 Identity Management for Networks Goals Centralize authentication Centralize audit Authenticate most / all forms of access Enforce consistent policy Leverage existing directory and network investment Identity Engines, Inc. All Rights Reserved.

16 IdM for Networks Taxonomy Client - Device / user attempting to access the network Policy Enforcement Point () - network device that brokers access request and enforces policy result (i.e. WLAN AP, Firewall, VPN gateway, Ethernet switch) Policy Decision Point (PDP) - network device that decides policy for client based on and interaction Policy Information Point () - a source of information in setting policy (i.e. user directory, asset management system) Accounting - Audit destination for client access and network usage Credential - Element offered as proof of identity (i.e. password, certificate, smartcard, biometric) Let s see how the parts fit together Identity Engines, Inc. All Rights Reserved.

17 1. Client Requests Network Access Client connects to the net (perhaps a WLAN AP), is challenged for identity, and sends this information to the Protocols PPP[6] PPPoE[7] 802.1X[8] IPsec[9] SSL VPN HTTP Acct. Client PDP 1 Production Network Identity Engines, Inc. All Rights Reserved.

18 2. Sends Identity to the PDP In some cases the relays information as in the case of the Extensible Authentication Protocol(EAP)[10] may add additional identifying information for the network Protocols TACACS+[11] RADIUS DIAMETER[12] Acct. Client 1 2 PDP Production Network Identity Engines, Inc. All Rights Reserved.

19 3. PDP Queries Relevant s Query includes learning about the client and validating the client s credential Microsoft AD is a very common.edu often have multiple s Protocols LDAP SQL Database Kerberos NIS (Network Information Service) Acct. Client 1 2 PDP 3 Production Network Identity Engines, Inc. All Rights Reserved.

20 4. (s) Respond to PDP Includes: success / failure for credential Client attributes / groups Protocols LDAP SQL Database Kerberos NIS (Network Information Service) Acct. Client 1 2 PDP 4 3 Production Network Identity Engines, Inc. All Rights Reserved.

21 5. PDP Makes Policy Decision Includes: Info from and (s) Contextual information (time, location, etc.) Local policy rules to evaluate against Protocols XACML[13] Proprietary Acct. Client 1 2 PDP Production Network Identity Engines, Inc. All Rights Reserved.

22 6. PDP Informs Includes: Yes / No authentication result Specific authorizations (i.e. ACL to enforce, profile to trigger) This allows security enforcement at first point of connect Protocols TACACS+ RADIUS DIAMETER Acct. Client PDP Production Network Identity Engines, Inc. All Rights Reserved.

23 7. PDP Informs Accounting System can also notify accounting at a later step Includes: Client identifiers Context information Timestamps Authorizations granted Protocols RADIUS Acct. SYSLOG SNMP Acct. 7 Client PDP Production Network Identity Engines, Inc. All Rights Reserved.

24 8. Grants Access Simple yes or no message or a more specific exchange depending on the protocol Protocols PPP PPPoE 802.1X IPsec SSL VPN HTTP Acct. 7 Client PDP Production Network Identity Engines, Inc. All Rights Reserved.

25 9. Client Accesses the Network From this point on only the is involved in the client s activity ensures client only accesses allowable resources Re-authentication timers will trigger this exchange again Protocols IM Web IRC WoW Client Acct. PDP Production Network Identity Engines, Inc. All Rights Reserved.

26 Benefits Supports multiple vendor s gear Doesn t require new inline deployment Leverages organization s existing directory investment Integrates easily with existing provisioning / workflow systems Provides centralized audit of network use Access policies are consistently enforced Standards-based Identity Engines, Inc. All Rights Reserved.

27 Agenda Background Identity Management for Networks Considerations Use Cases Identity Engines, Inc. All Rights Reserved.

28 System Availability When all you authenticated was dial-up or VPN, a dusty RADIUS server in the corner of your data center was fine Today s demands require a different approach With authenticated networks, PDP availability is as essential to the network as routing or DNS If your identity infrastructure goes down, so does your network Systems must support HA and and be built for the worst-case load requirements (i.e. mid-day powerbrown-out) Identity Engines, Inc. All Rights Reserved.

29 Authorization Understanding Many existing systems can do basic authentication Authorization is required for all of IdM s most interesting applications Authorization requires: Ability to write rich policies Understanding of capabilities from multiple vendors Identity Engines, Inc. All Rights Reserved.

30 Rich Directory Integration Directory attributes are often inconsistently named across directories Attributes enable rich policies making their use worth the effort Look to attribute / group name mapping Similar to elements of a virtual directory Additionally, intelligent routing among multiple directories is essential Attribute normalization: student faculty PDP LDAP-1 AD LDAP-2 student faculty students staff undergrad admin Identity Engines, Inc. All Rights Reserved.

31 Other Considerations Method s for authenticating the client vary by access type, some systems require specialized clients Automated client deployment techniques are maturing Be very careful when considering merging elements (i.e. /PDP or PDP/) For most organizations the flexibility lost is too great capabilities vary (i.e. an ACL for a Cisco device may not be the same as an ACL for a Juniper device) The IETF is making progress[14] here Directory understanding within networking groups is often light The right PDP can reduce this concern through wizards, etc Identity Engines, Inc. All Rights Reserved.

32 Agenda Background Identity Management for Networks Considerations Use Cases Identity Engines, Inc. All Rights Reserved.

33 IdM Real World Applications Secure WLAN Most common IdM deployment today Guest management Solves acute problem today while setting up for future applications Endpoint Compliance Identity is the foundation for any robust NAC implementation Phase I Phase II Phase III Guest Management / Secure WLAN Department specific rollout Full Rollout Common IdM customer phasing Identity Engines, Inc. All Rights Reserved.

34 Role-based Authorizations Guest Admin(s) Guest Manager User Directory (Employees only) Guest Internet AAA Internal Network Contractor Finance Network Finance Employee All network access is authenticated enabling user audit and differentiated access Enforcement techniques vary per (ACLs, VLANs, VPN profiles are common) Guests can be forced to the Internet only, contractors can be given basic internal access, privileged employees can see restricted areas Identity Engines, Inc. All Rights Reserved.

35 Higher Education Guest Access Visiting Sports Team Guest Admin(s) Guest Manager User Directory (Faculty / Students only) Internet AAA Sports Facilities Campus Wireless Network Visiting Parent Library Network Community Member (fee-based) Research Network Visiting Professor Multiple constituencies can be allowed on the network based on their rights Generates revenue from campus-wide wireless network Allows for secure (802.1X / VPN) connections or simple web authentication Sporting and other types of events can be setup in advance with credentials sent to participants Identity Engines, Inc. All Rights Reserved.

36 Endpoint Compliance Integration Posture checking on guests is problematic Most modern OSs have FW enabled making scanning useless Downloadable agents are tough from a privacy / trust perspective and--increasingly--an OS user rights perspective Until we get standards deployed around compliance notification, inline IPS is best for most organizations Long-term contractors can be treated more like employees, complete with mandated endpoint security software Guest Inline IPS Internet Registered User L3 L3 Campus Network Privileged Network Privileged User Common WLAN Network Identity Engines, Inc. All Rights Reserved.

37 IdM for Networks.edu Applications Smart classrooms Granular AAA policies can allow specific segments of the network to be inaccessible to specific groups of students at specific times Role-based authorizations Segment faculty and students dynamically Authenticated dorm networks All dorm net access passes through authentication layer Allows user correlation to traffic statistics Library enforcement Students with overdue books are flagged in the directory and granted a lower class of service until books are returned Identity Engines, Inc. All Rights Reserved.

38 University Case Study (1/2) Mid-size university has all wireless traffic passing through an inline gateway for authentication All wireless traffic is in the clear (this is common in most universities) Gateways are getting oversubscribed because network infrastructure is far faster Primary goal is to improve throughput without buying large quantities of gateways Secondary goal to differentiate between students and faculty on a shared access medium like WLAN Visitor L3 L3 Campus Network Student Inline Wireless Gateway Common WLAN Faculty Network Identity Engines, Inc. All Rights Reserved.

39 University Case Study (2/2) 802.1X is deployed and users who authenticate successfully get direct access Performance and security are improved providing an incentive for compliance Users who fail 802.1X are placed on a VLAN which forces traffic through the existing wireless gateway Only legacy and non-compliant machines are sent through gateway, reducing throughput requirements Visitor / Non compliant machine Inline Wireless Gateway Student 802.1X Auth L3 L3 Campus Network Faculty Network Faculty 802.1X Auth Common WLAN Network Identity Engines, Inc. All Rights Reserved.

40 Summary and Conclusion Authenticated networks are the emerging reality in networking IdM for networks works by centralizing decision and distributing enforcement Guest access and secure wireless are the high value / low risk early applications Leveraging your existing network and directory should be the norm, not the exception Just because your box speaks RADIUS, doesn t make it a full-featured PDP RADIUS is a protocol not a product Look for elements of the PDP described earlier Identity Engines, Inc. All Rights Reserved.

41 References (1/2) [1] Convery et. al., SAFE: A Security Blueprint for Enterprise Networks Cisco, November 2000 [2] Convery, Network Security Architectures Cisco Press, April 2004 [3] De Clercq et. al., An Introduction to Identity HP, June 2004 [4] Zeilenga, "Lightweight Directory Access Protocol (LDAP): Technical Specification Road Map" RFC 4510, June 2006 [5] Rigney et. al., "Remote Authentication Dial In User Service (RADIUS)" RFC 2865 (Obsoletes RFC 2138, 2058), June 2000 [6] Simpson, "The Point-to-Point Protocol (PPP)" RFC 1661, July 1994 [7] Mamakos, "A Method for Transmitting PPP Over Ethernet (PPPoE)" RFC 2516, February Identity Engines, Inc. All Rights Reserved.

42 References (2/2) [8] Jeffree et. al., "Port-Based Network Access Control" IEEE Std 802.1X-2004, November 2004 [9] Kent et. al., "Security Architecture for the Internet Protocol" RFC 2401, November 1998 [10] Aboba et. al., "Extensible Authentication Protocol" RFC 3748, June 2004 [11] Carrel et. al., "The TACACS+ Protocol Version 1.78" draftgrant-tacacs-02.txt, January 1997 [12] Calhoun et. al., "Diameter Base Protocol" RFC 3588, September 2003 [13] OASIS, Extensible Access Control Markup Language, February 2005 [14] Congdon et. al., "RADIUS Filter Rule Attribute" draft-ietf-radextfilter-08.txt, January Identity Engines, Inc. All Rights Reserved.

43 Network Access with Precision through Identity Thank You for your Time! Sean Convery Identity Engines Identity Engines, Inc. All Rights Reserved.