Identity Management for Networks

Transcription

1 Network Access with Precision through Identity Identity Management for Networks Network Applications Consortium 2007 Spring Conference 25 APR 2007 Sean Convery Identity Engines 2007 Identity Engines, Inc. All Rights Reserved.

2 Who am I? (a.k.a. Full Disclosure) Everyone s background influences their perspective, so here s mine: CTO at venture-funded, network identity management startup, Identity Engines Previously spent seven years at Cisco most recently in the office of the Security CTO within the Security Technology Group (STG) Principal architect of Cisco s original SAFE[1] security architecture Spent a sizable amount of my time at Cisco in security consulting for large enterprises Author of Network Security Architectures[2] Identity Engines, Inc. All Rights Reserved.

3 Agenda Background Identity Management for Networks Considerations and Presenter Questions Identity Engines Overview Identity Engines, Inc. All Rights Reserved.

4 Identity Management (IdM) Defined The set of processes, tools and social contracts surrounding the creation, maintenance, utilization and termination of a digital identity for people or, more generally, for systems and services to enable secure access to an expanding set of systems and applications.[3] Identity Engines, Inc. All Rights Reserved.

5 Key Identity Management Components Provisioning - Initial account creation and attribute / rights association Authentication - Validating a supplied credential against a provisioned account Authorization - Determining and enforcing permissions associated with an account Accounting - Auditing account activity Re-provisioning / De-provisioning - Modifying or removing account attributes or rights including potential deletion of the account Identity Engines, Inc. All Rights Reserved.

6 What Problem are we Solving? Organizations large and small are accessing more data across more different systems These systems need security for any number of reasons It isn t effective to manage each system as a silo Or, to put it another way Identity Engines, Inc. All Rights Reserved.

7 We Want to Change This User Directory Policy policy policy policy Resource System 1 System 2 System Identity Engines, Inc. All Rights Reserved.

8 Into This. User Directory Policy policy Resource System 1 System 2 System Identity Engines, Inc. All Rights Reserved.

9 It Began with Applications Application IdM has numerous challenges Legacy applications Competing standards Widely disparate policies Security at the application and at the data level Central authentication is far more common than authorization Policy is hard to centralize Systems generally involve Provisioning / workflow systems for account creation Access gateways / portals for web apps Custom connectors to legacy apps LDAP[4] user directories to house accounts Identity Engines, Inc. All Rights Reserved.

10 And Deployments Look like This User Directory Policy policy policy policy Resource System 1 System 2 System Identity Engines, Inc. All Rights Reserved.

11 Let s Look at the Network Distributed Traditional perimeter firewall; security only on special purpose devices Expanded threat profile leads to more security devices (IDS, VPN, Basic Host Controls). Legacy RADIUS[5] serves authentication requests but lacks richness for authorization policy. Most access IP rather than user based. Enforcement Authorization Policy Enforcement Authorization Policy Distribution of security continues, with authorization tied closely to enforcement. Lack of flexibility of legacy AAA leads to multiple discreet RADIUS stores and local users configured in enforcement devices. Enforcement The goal: 1. Centralize user authentication through flexible next-generation AAA services. 2. Centralize key elements of the authorization policy creating centralized audit and control. Centralized Enforcement Authorization Policy Authentication Policy Authentication Policy Authentication Policy IdM Phase 1 IdM Phase 2 Authorization Policy Authentication Policy Identity Engines, Inc. All Rights Reserved. Time

12 Networks have the Same Problem policy policy policy WLAN VPN Dial-Up Identity Engines, Inc. All Rights Reserved.

13 Though Without all the Baggage Applications have no ubiquitous authentication protocol Networks have RADIUS There are thousands of applications There are only a handful of network access types across a handful of vendors Policies for applications vary widely Networks often have the same basic policy building blocks (i.e. ACLs) Networks have challenges but they aren t the ones that face IdM for applications Identity Engines, Inc. All Rights Reserved.

14 Agenda Background Identity Management for Networks Considerations and Presenter Questions Identity Engines Overview Identity Engines, Inc. All Rights Reserved.

15 Identity Management for Networks Goals Centralize authentication Centralize audit Authenticate most / all forms of access Enforce consistent policy Leverage existing directory and network investment Identity Engines, Inc. All Rights Reserved.

16 IdM for Networks Taxonomy Client - Device / user attempting to access the network Policy Enforcement Point () - network device that brokers access request and enforces policy result (i.e. WLAN AP, Firewall, VPN gateway, Ethernet switch) Policy Decision Point (PDP) - network device that decides policy for client based on and interaction Policy Information Point () - a source of information in setting policy (i.e. user directory, asset management system) Accounting - Audit destination for client access and network usage Credential - Element offered as proof of identity (i.e. password, certificate, smartcard, biometric) Let s see how the parts fit together Identity Engines, Inc. All Rights Reserved.

17 1. Client Requests Network Access Client connects to the net (perhaps a WLAN AP), is challenged for identity, and sends this information to the Protocols PPP[6] PPPoE[7] 802.1X[8] IPsec[9] SSL VPN HTTP Acct. Client PDP 1 Production Network Identity Engines, Inc. All Rights Reserved.

18 2. Sends Identity to the PDP In some cases the relays information as in the case of the Extensible Authentication Protocol(EAP)[10] may add additional identifying information for the network Protocols TACACS+[11] RADIUS DIAMETER[12] Acct. Client 1 2 PDP Production Network Identity Engines, Inc. All Rights Reserved.

19 3. PDP Queries Relevant s Query includes learning about the client and validating the client s credential Microsoft AD is a very common.edu often have multiple s Protocols LDAP SQL Database Kerberos NIS (Network Information Service) Acct. Client 1 2 PDP 3 Production Network Identity Engines, Inc. All Rights Reserved.

20 4. (s) Respond to PDP Includes: success / failure for credential Client attributes / groups Protocols LDAP SQL Database Kerberos NIS (Network Information Service) Acct. Client 1 2 PDP 4 3 Production Network Identity Engines, Inc. All Rights Reserved.

21 5. PDP Makes Policy Decision Includes: Info from and (s) Contextual information (time, location, etc.) Local policy rules to evaluate against Protocols XACML[13] Proprietary Acct. Client 1 2 PDP Production Network Identity Engines, Inc. All Rights Reserved.

22 6. PDP Informs Includes: Yes / No authentication result Specific authorizations (i.e. ACL to enforce, profile to trigger) This allows security enforcement at first point of connect Protocols TACACS+ RADIUS DIAMETER Acct. Client PDP Production Network Identity Engines, Inc. All Rights Reserved.

23 7. PDP Informs Accounting System can also notify accounting at a later step Includes: Client identifiers Context information Timestamps Authorizations granted Protocols RADIUS Acct. SYSLOG SNMP Acct. 7 Client PDP Production Network Identity Engines, Inc. All Rights Reserved.

24 8. Grants Access Simple yes or no message or a more specific exchange depending on the protocol Protocols PPP PPPoE 802.1X IPsec SSL VPN HTTP Acct. 7 Client PDP Production Network Identity Engines, Inc. All Rights Reserved.

25 9. Client Accesses the Network From this point on only the is involved in the client s activity ensures client only accesses allowable resources Re-authentication timers will trigger this exchange again Protocols IM Web IRC WoW Client Acct. PDP Production Network Identity Engines, Inc. All Rights Reserved.

26 Benefits Supports mix and match of PxP Leverages organization s existing directory investment Integrates easily with existing provisioning / workflow systems Provides centralized audit of network use Access policies are consistently enforced Standards-based Identity Engines, Inc. All Rights Reserved.

27 Agenda Background Identity Management for Networks Considerations and Presenter Questions Identity Engines Overview Identity Engines, Inc. All Rights Reserved.

28 System Availability When all you authenticated was dial-up or VPN, a dusty RADIUS server in the corner of your data center was fine Today s demands require a different approach With authenticated networks, PDP availability is as essential to the network as routing or DNS If your identity infrastructure goes down, so does your network Systems must support HA and and be built for the worst-case load requirements (i.e. mid-day powerbrown-out) Identity Engines, Inc. All Rights Reserved.

29 Authorization Understanding Many existing systems can do basic authentication Authorization is required for all of IdM s most interesting applications Authorization requires: Ability to write rich policies Understanding of capabilities from multiple vendors Identity Engines, Inc. All Rights Reserved.

30 Rich Directory Integration Directory attributes are often inconsistently named across directories Attributes enable rich policies making their use worth the effort Look to attribute / group name mapping Similar to elements of a virtual directory Additionally, intelligent routing among multiple directories is essential Attribute normalization: finance HR PDP LDAP-1 AD LDAP-2 finance HR acct HumRes account EmpSup Identity Engines, Inc. All Rights Reserved.

31 Other Considerations Method s for authenticating the client vary by access type, some systems require specialized clients Automated client deployment techniques are maturing Be very careful when considering merging elements (i.e. /PDP or PDP/) For most organizations the flexibility lost is too great capabilities vary (i.e. an ACL for a Cisco device may not be the same as an ACL for a Juniper device) The IETF is making progress[14] here Directory understanding within networking groups is often light The right PDP can reduce this concern through wizards, etc Identity Engines, Inc. All Rights Reserved.

32 IdM Real World Applications Secure WLAN Most common IdM deployment today Guest management Solves acute problem today while setting up for future applications Endpoint Compliance Identity is the foundation for any robust NAC implementation Phase I Phase II Phase III Guest Management / Secure WLAN Department specific rollout Full Rollout Common IdM customer phasing Identity Engines, Inc. All Rights Reserved.

33 Segment #1 Presenter Questions 1. Do you see any differences in how the authorization policies of networks vs. applications should be engineered, managed, and provisioned? Network policies are broader today due to limitations of the technology and understanding of the business roles. Eventually network policies will be merged with application policies. 2. Are there any advantages or drawbacks in the flow of the access request being sent to the PDP first or the first? PDP first requires basic authorization to route the request from the network edge which may be suboptimal. 3. Do you see declarative authorization interpreting and enforcing more finely grained authorization policies than they support today? Yes though this is as much a challenge for enterprises to understand their roles as it is a technical challenge to support the fine-grained authorization. 4. Should SAML authorization assertions, and requests for authorization assertion, be used in the communication between PDPs and s? If not, what should be used? For networks, SAML will be used in the future but perhaps more for PDP to PDP communication in a federated model than for PDP to communication. In the network space RADIUS has traction simply because it is so ubiquitous Identity Engines, Inc. All Rights Reserved.

34 Segment #1 Presenter Questions 5. How can we meet our need for flexibility to deploy centralized and/or de- centralized approaches within an enterprise and across enterprise customer, supplier, or channel partners using different platforms? Policy portability through XACML and authorization assertions through SAML can address much of this, challenges here are more at the organizational level. 6. Comment on the NAC s best practice of locating the as close to the resource as possible. For networks, it may make more sense to locate the as close to the point of network access as possible to reduce exposure to threats. If you consider the network the resource then our best practices are aligned. 7. Comment on the NAC s best practice of balancing between availability and performance when selecting the location of the PDP. This makes perfect sense, distribution of the PDP may be key depending on the application. 8. Comment on the NAC s best practice of having platform agnostic PAPs and PDPs, loosely coupled with access management product offerings (e.g., WAM products). This allows for the independent evolution of PAP, PDP, and technology, without disrupting the other components. This is the only way this can scale long term, particularly the vendor neutrality between the PDP and the. Standards for access control formats need more attention Identity Engines, Inc. All Rights Reserved.

35 Agenda Background Identity Management for Networks Considerations and Presenter Questions Identity Engines Overview Identity Engines, Inc. All Rights Reserved.

36 Who is Identity Engines? Solutions Headquarters Investors Partners Industry Identity-based Network Access Management Sunnyvale, CA Trinity Ventures, Lightspeed, Horizon Oracle, Novell, Checkpoint Education, Enterprises, Government, Healthcare Analyst Recognition Identity Engines is well positioned to meet this need and could complement Cisco's high profile Network Admission Control (NAC) strategy Robert Whiteley, Forrester By extending Oracle identity management for network access control, Identity Engines is helping to bridge the network and application environments Jon Oltsik, Enterprise Strategy Group. Identity Engines - Major IdM Trends for 2006: Identity Appliances Identity Engines, Inc. All Rights Reserved.

37 Customers across Education, Enterprises and Government Identity Engines, Inc. All Rights Reserved.

38 Comprehensive Solutions for Authenticated Networks Ignition Guest Manager J2EE-based extensible and customizable visitor solution Ignition Portal Captive portal for guests and legacy platforms Ignition AutoConnect Auto-configuration of clients for 802.1X Ignition Server Identity and policy-based authentication and authorization server Identity Engines, Inc. All Rights Reserved.

39 Our Solution in Action Guest Admin(s) Ignition Guest Manager User Directories Event Attendees (Employees only) Internet Temporary Event Network Ignition Server Campus Wireless Network Visiting Vendor Ignition AutoConnect Conference Center Guest User Research Network Contractor Ignition Portal Identity Engines, Inc. All Rights Reserved.

40 Summary and Conclusion Authenticated networks are the emerging reality in networking IdM for networks works by centralizing decision and distributing enforcement Guest access and secure wireless are the high value / low risk early applications Leveraging your existing network and directory should be the norm, not the exception Policy and authorizations for networks and applications should merge over time Identity Engines, Inc. All Rights Reserved.

41 References (1/2) [1] Convery et. al., SAFE: A Security Blueprint for Enterprise Networks Cisco, November 2000 [2] Convery, Network Security Architectures Cisco Press, April 2004 [3] De Clercq et. al., An Introduction to Identity HP, June 2004 [4] Zeilenga, "Lightweight Directory Access Protocol (LDAP): Technical Specification Road Map" RFC 4510, June 2006 [5] Rigney et. al., "Remote Authentication Dial In User Service (RADIUS)" RFC 2865 (Obsoletes RFC 2138, 2058), June 2000 [6] Simpson, "The Point-to-Point Protocol (PPP)" RFC 1661, July 1994 [7] Mamakos, "A Method for Transmitting PPP Over Ethernet (PPPoE)" RFC 2516, February Identity Engines, Inc. All Rights Reserved.

42 References (2/2) [8] Jeffree et. al., "Port-Based Network Access Control" IEEE Std 802.1X-2004, November 2004 [9] Kent et. al., "Security Architecture for the Internet Protocol" RFC 2401, November 1998 [10] Aboba et. al., "Extensible Authentication Protocol" RFC 3748, June 2004 [11] Carrel et. al., "The TACACS+ Protocol Version 1.78" draftgrant-tacacs-02.txt, January 1997 [12] Calhoun et. al., "Diameter Base Protocol" RFC 3588, September 2003 [13] OASIS, Extensible Access Control Markup Language, February 2005 [14] Congdon et. al., "RADIUS Filter Rule Attribute" draft-ietf-radextfilter-08.txt, January Identity Engines, Inc. All Rights Reserved.

43 Network Access with Precision through Identity Thank You for your Time! Sean Convery Identity Engines For a written version of much of this presentation, check out: Identity Engines, Inc. All Rights Reserved.