Network Architecture for Automatic Security and Policy Enforcement Internet2 Members Meeting Fall 2005 Eric Gauthier ~ Boston University Kevin Amorin ~

Slides:



Advertisements
Similar presentations
Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.
Advertisements

1 OpenFlow Research on the Georgia Tech Campus Network Russ Clark Nick Feamster Students: Yogesh Mundada, Hyojoon Kim, Ankur Nayak, Anirudh Ramachandran,
1 Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.
1 Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.
Selecting the Right Network Access Protection (NAP) Architecture Infrastructure Planning and Design Published: June 2008 Updated: November 2011.
Wireless and Network Security Integration Defense by Hi-5 Marc Hogue Chris Jacobson Alexandra Korol Mark Ordonez Jinjia Xi.
SALSA-NetAuth SALSA-FWNA BoF Kevin Miller Duke University Internet2 Member Meeting May 2005.
Icarus: A Revolution in Distributed Security Management Rob Bird, University of Florida Gregory Marchwinski, Red Lambda Inc.
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
Copyright© Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Tightening the Network: Network.
Network Access Protection Platform Architecture Joseph Davies Technical writer Windows Networking and Device Technologies Microsoft Corporation.
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
WIRELESS SECURITY DEFENSE T-BONE & TONIC: ALY BOGHANI JOAN OLIVER MIKE PATRICK AMOL POTDAR May 30, /30/2009.
FI-WARE – Future Internet Core Platform FI-WARE Security July 2011 High-level Description.
Network Access Management Trends in IT Applications for Management Prepared by: Ahmed Ibrahim S
Internet Protocol Security (IPSec)
Advanced Internet Bandwidth and Security Strategies Fred Miller Illinois Wesleyan University.
Office of Information Technologies CAMP: Bridging Security and Identity Management Christopher Misra 14 February 2008 Tempe, AZ Protecting Network Assets.
Being Proactive with Computer Posture Assessment Department of Housing and Residence Education Charles Benjamin.
Wireless Network Security. Access Networks Core Networks The Current Internet: Connectivity and Processing Transit Net Private Peering NAP Public Peering.
CISCO CONFIDENTIAL – DO NOT DUPLICATE OR COPY Protecting the Business Network and Resources with CiscoWorks VMS Security Management Software Girish Patel,
Norman SecureSurf Protect your users when surfing the Internet.
Windows 2003 and 802.1x Secure Wireless Deployments.
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
Active Security Infrastructure Stuart Kenny Trinity College Dublin.
1 Network Admission Control to WLAN at WIT Presented by: Aidan McGrath B.Sc. M.A.
1 Deployment of Computer Security in an Organization CE-408 Sir Syed University of Engineering & Technology 99-CE-282, 257 & 260.
Remedies Use of encrypted tunneling protocols (e.g. IPSec, Secure Shell) for secure data transmission over an insecure networktunneling protocolsIPSecSecure.
1 Week #7 Network Access Protection Overview of Network Access Protection How NAP Works Configuring NAP Monitoring and Troubleshooting NAP.
Selecting the Right Network Access Protection Architecture
Distributed IDS The implementation of a Distributed Intrusion Detection System over a medium scale open network where the focus is availability of services.
Version 4.0. Objectives Describe how networks impact our daily lives. Describe the role of data networking in the human network. Identify the key components.
Wireless Network Authentication Regnauld / Büttrich, Edit: Sept 2011 Wireless Network Authentication Regnauld / Büttrich, Edit: Sept 2011.
70-411: Administering Windows Server 2012
Implementing Network Access Protection
SALSA-FWNA Activity Update Kevin Miller Duke University Internet2 Member Meeting May 2005.
SALSA-NetAuth Joint Techs Vancouver, BC July 2005.
OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
Distributed systems – Part 2  Bluetooth 4 Anila Mjeda.
OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
1 Phil Rodrigues, Sr Network Security Analyst, NYU ITS Automated Policy Enforcement November 12, 2004.
Intrusion Detection Prepared by: Mohammed Hussein Supervised by: Dr. Lo’ai Tawalbeh NYIT- winter 2007.
Module 8: Configuring Network Access Protection
Network and Perimeter Security Paula Kiernan Senior Consultant Ward Solutions.
(CISCO) Self-Defending Networks Ben Sangster. Agenda (CISCO) Self-Defending Network Concept Why do we need SDN’s? Foundation of the CSDN? Endpoint Protection.
Virtual Private Ad Hoc Networking Jeroen Hoebeke, Gerry Holderbeke, Ingrid Moerman, Bard Dhoedt and Piet Demeester 2006 July 15, 2009.
Presented by Spiros Antonatos Distributed Computing Systems Lab Institute of Computer Science FORTH.
Module 8: Planning and Troubleshooting IPSec. Overview Understanding Default Policy Rules Planning an IPSec Deployment Troubleshooting IPSec Communications.
Welcome Windows Server 2008 安全功能 -NAP. Network Access Protection in Windows Server 2008.
NA-MIC National Alliance for Medical Image Computing UCSD: Engineering Core 2 Portal and Grid Infrastructure.
CS460 Final Project Service Provider Scenario David Bergman Dong Jin Richard Bae Scott Greene Suraj Nellikar Wee Hong Yeo Virtual Customer: Mark Scifres.
Security Patterns for Web Services 02/03/05 Nelly A. Delessy.
NAC-NAP Interoperability
Connect. Communicate. Collaborate Deploying Authorization Mechanisms for Federated Services in the eduroam architecture (DAMe)* Antonio F. Gómez-Skarmeta.
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
Module 6: Network Policies and Access Protection.
Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.
An Active Security Infrastructure for Grids Stuart Kenny*, Brian Coghlan Trinity College Dublin.
1 Network Quarantine At Cornell University Steve Schuster Director, Information Security Office.
Federated Wireless Network Authentication Kevin Miller Duke University Internet2 Joint Techs Salt Lake City February, 2005.
ORNL Site Report ESCC July 15, 2013 Susan Hicks David Wantland.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Creating the Network Design Designing and Supporting Computer Networks – Chapter.
Securing the Network Perimeter with ISA 2004
Configuring and Troubleshooting Routing and Remote Access
Security in Networking
2018 Real Cisco Dumps IT-Dumps
Securing Cloud-Native Applications Jason Schmitt CEO
Shifting from “Incident” to “Continuous” Response
Protecting Network Assets
Network Access Control
Presentation transcript:

Network Architecture for Automatic Security and Policy Enforcement Internet2 Members Meeting Fall 2005 Eric Gauthier ~ Boston University Kevin Amorin ~ Harvard University

Eric Gauthier Kevin Amorin Internet2 Members Meeting: September 20th, Overview Why “Automate Security and Policy Enforcement”? Internet2 : SALSA-Netauth Strategies Architecture Case Study: Boston University Case Study: Harvard University Components SALSA-Netauth: Upcoming work

Eric Gauthier Kevin Amorin Internet2 Members Meeting: September 20th, Why “Automate Security and Policy Enforcement”? From the SALSA-Netauth document Strategies for Automating Network Policy Enforcement: “The major security challenge facing university residential networks and other large-scale end-user networks is the thousands of privately owned and unmanaged computers directly connected to an institution's relatively open, high-speed Internet connections. Security policy enforcement is often lax due to a lack of central control over end-user computers and an inability to tie the actions of these computers to particular individuals. A few times a year there are surge events, including the predictable start of each semester and the unpredictable and increasingly frequent reactions to large-scale security incidents, that require massive support intervention. If these challenges are allowed to evolve unchecked, the result is the presence of thousands of unsecured computers that are prone to mass infection by malware or wide-scale compromise by increasingly unsophisticated attackers. Malware and attackers often specifically seek to harness large numbers of unsecured hosts for use in distributed file sharing, spam, and/or attack networks. The presence of these malicious overlay networks has been known for some time, but the full realization of fast, always-on Internet access has increased their size and potential for harm.”

Eric Gauthier Kevin Amorin Internet2 Members Meeting: September 20th, Why “Automate Security and Policy Enforcement”? Only automated approaches can scale and respond rapidly to large-scale incidents. Preventative policy enforcement reduces risk:  overall number of security vulnerabilities  the success of any particular attack technique. Automated remediation systems have a positive impact on a large number of hosts with a relatively small time investment from computing staff.

Eric Gauthier Kevin Amorin Internet2 Members Meeting: September 20th, Internet2 : SALSA-Netauth Internet2 formed a working group under SALSA to address this problem in May 2004 Charter: The SALSA-NetAuth Working Group will consider the data requirements, implementation, integration, and automation technologies associated with understanding and extending network security management related to: 1. Authorized network access (keyed by person and/or system) 2. Style and behavior of transit traffic (declarative and passive) 3. Forensic support for investigation of abuse

Eric Gauthier Kevin Amorin Internet2 Members Meeting: September 20th, Internet2 : SALSA-Netauth Strategies for Automating Network Policy Enforcement (completed) Architecture for Automating Network Policy (draft 4) Components Framework for Policy-based Admission Control (draft 1) FWNA More…

Eric Gauthier Kevin Amorin Internet2 Members Meeting: September 20th, Strategies for Automating Network Policy Enforcement There is a growing “Common Process” Consisting of Five Elements:  Registration  Detection  Isolation  Notification  Remediation

Eric Gauthier Kevin Amorin Internet2 Members Meeting: September 20th, Architecture for Automating Network Policy “This architecture is intended as a framework to develop standardized mechanisms and detailed descriptions of how to directly implement policy enforcement using existing devices and as a guide for the development of new interoperable solutions. This framework is intended to be flexible, extensible, interoperable with existing infrastructure, and provide the necessary hooks to accommodate upcoming technologies such as federated authentication and authorization schemes.”

Eric Gauthier Kevin Amorin Internet2 Members Meeting: September 20th, Architecture for Automating Network Policy At a very high level, network usage translates into allowing or blocking various sets of network flows. Filtering can be relatively simple, such as allowing all flows, or can be extraordinarily complex, such as the case of inline application proxies which make per-flow decisions based on application layer content Network and the host can be modeled in states with policies applied in each state.

10

Eric Gauthier Kevin Amorin Internet2 Members Meeting: September 20th, Transition Events include such things as: Connections Network Disruptions Host Stack Changes Scanners Agents Flows Services Rules

Eric Gauthier Kevin Amorin Internet2 Members Meeting: September 20th, Case Study: Boston University Updated version of Southwestern University’s NetReg v2.0 (registration) Isolation networks with customizable web pages (isolation/notification) Initial post-registration quarantine (isolation/notification/remediation) Custom one-time agent (remediation) Sensors to detect subsequent infection and policy violations (detection)

Eric Gauthier Kevin Amorin Internet2 Members Meeting: September 20th, Case Study: Boston University L2 Init: None. L2 Negotiation: None. L3 Init:  Netreg/DHCP “tricks” to assign host to either a “compliant” network or isolation network L3 Negotiation: None. Service Init: None. Service Negotiation: None

Eric Gauthier Kevin Amorin Internet2 Members Meeting: September 20th, Case Study: Harvard University PacketFence v1.5 Initial registration isolation with “skip” period for “roaming scholars” (registration/isolation) Scanning at registration and periodic intervals (detection) Sensors to detection infection (detection) Each violation has a list of associated actions ( /log/isolate/external script) and remediation content (local content/remote URL) (notification/remediation)

Eric Gauthier Kevin Amorin Internet2 Members Meeting: September 20th, Case Study: Harvard University L2 Init:  Initial host ARP will trigger a policy decision L2 Negotiation:  If the device is inline, a policy decision will trigger an iptables addition. If device is passive, ARP manipulation will overwrite host gateway. L3 Init: None. L3 Negotiation: None. Service Init: None. Service Negotiation: None

Eric Gauthier Kevin Amorin Internet2 Members Meeting: September 20th, SALSA-Netauth: “Components” “Components” Document  A review of how commonly used systems fit into this architecture  Mechanisms to create interoperability between these components  Case studies of existing deployments

Internet2 Members Meeting: September 20th, Components

18 Use Case: PacketFence

19 Use Case: NetReg

Eric Gauthier Kevin Amorin Internet2 Members Meeting: September 20th, Other Vendor Work Network Admission Control (NAC)  Cisco only end-to-end  Phase 2 switch/AP support? (Q1,Q2,Q3,Q )  Windows CTA Required (Guests) What about open networks (Columbia)?  Many different moving parts  How does clean access fit in?

Eric Gauthier Kevin Amorin Internet2 Members Meeting: September 20th, Other Vendor Work Trusted Network Connect (TNC)  Vendor operability  TNC Client required  Slow moving  Very focused on proving Integrity IM-T, IM-PEP currently not defined  May not encompass all of Network Admission

Eric Gauthier Kevin Amorin Internet2 Members Meeting: September 20th, SALSA-Netauth: Upcoming Complete Architecture Document Draft 2 of Components Document Vendor Discussions Reference Model? Federated Wireless Network Authentication (FWNA).

Eric Gauthier Kevin Amorin Internet2 Members Meeting: September 20th, SALSA-Netauth: FWNA Enable members of one institution to authenticate to the wireless network at another institution using their home credentials. Often called the “roaming scholar” problem in HiEd. Wired networks handled as well.

Eric Gauthier Kevin Amorin Internet2 Members Meeting: September 20th, SALSA-Netauth: FWNA In many cases today, once authenticated, all users obtain same level of service FWNA is about identity discovery We must be able to separately provision services from authentication and attributes:  Technical setup (IP address, QoS, ACL, etc..)  Access policy  Billing

Eric Gauthier Kevin Amorin Internet2 Members Meeting: September 20th, SALSA-Netauth: FWNA 802.1x  Often used with WPA or WPA2 (802.11i)  Or middlebox access controller EAP authentication  Exact EAP type selected by home institution, deployed on client machines Phase 1: “Simple” RADIUS peering  Integration with existing authn backend  EduRoam

Eric Gauthier Kevin Amorin Internet2 Members Meeting: September 20th, Thanks! Internet2 / Educause for supporting the SALSA-Netauth working group (join us!) Kevin Miller, Chris Misra, Phil Rodrigues and the entire Netauth working group

Eric Gauthier Kevin Amorin Internet2 Members Meeting: September 20th, Questions? Eric Gauthier ~ Kevin Amorin ~ NetAuth

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.