Presentation is loading. Please wait.

Presentation is loading. Please wait.

User-group-based Security Policy for Service Layer

Published byJason O’Neal’ Modified over 6 years ago

Similar presentations

Presentation on theme: "User-group-based Security Policy for Service Layer"— Presentation transcript:

1 User-group-based Security Policy for Service Layer
draft-you-i2nsf-user-group-based-policy-02 Presenter: Jianjie You Jianjie You Myo Zarny John Strassner Christian Jacquenet Mohamed Boucadair Yizhou Li ) Sumandra Majee IETF96 Berlin

2 Status of this I-D First presented at IETF 94, Yokohama meeting; The update compared to v-00 Add the AAA server as the part of the framework in i2nsf architecture Add some clarifications Presented again at IETF 95, Buenos Aires meeting; The update compared to v-01 Update the references, and clarify the Actions Add “Security Considerations” IETF96 Berlin

3 Newer Network Paradigms
Network Resource User: xxx WAN/Internet Location: Beijing Network Resource Network Resource Silicon Valley Controller Beijing Nanjing Increasing demands of business mobility, anytime, anywhere collaboration, etc. introducing challenges to network security management and enforcement IETF96 Berlin

4 Traditional Network Access Control
Access the network typically from their own static location – from their assigned switch, VLAN, IP subnet, etc. MAC or IP address of the users’ device is often used as a proxy for the user’s identity. As such, filtering (e.g., via ACLs) of the user is usually based on IP or MAC addresses. Authentication of the user by the network, typically takes place only at the ingress switch Network security functions such as firewalls often act only on IP addresses and ports - not on user identity. ACL, VLAN IETF96 Berlin

5 Challenges for Traditional NAC
Both clients and servers can move and change their IP addresses on a regular basis Need to apply different security policies to the same set of users under different circumstances Implementation of coherent security policy across several network and network security devices is almost impossible. ACL, VLAN IETF96 Berlin

6 UAPC Framework Example
The User-group Aware Policy Control (UAPC) approach is intended to facilitate the consistent enforcement of policies, e.g., security policies should be consistently enforced based on their user-group identities, regardless of whether these terminal devices connect to a wired or a wireless infrastructure. IETF96 Berlin

7 UAPC Framework Example
Goal: Apply appropriate user-group identity-based network security policies on NSFs throughout the network IETF96 Berlin

8 UAPC Functional Entities
Policy Server Holds the user-group criteria, which assigns users to their user-group Holds the rule base, of what each user-group has access to AAA Server Authenticates users, and then performs associated authorization and accounting functions. Security Controller Coordinates various network security-related tasks on a set of NSFs under its administration Network Security Functions Packet classification Policy enforcement Presents I2NSF Capability Layer APIs IETF96 Berlin

9 User Group Identifier that represents the collective identity of a group of users Controlled by one or more policy rules (e.g., source IP, geo-location, time of day, device certificate, etc.) Group Name Group ID Group Definition R&D 10 R&D employees R&D BYOD 11 Personal devices of R&D employees Sales 20 Sales employees VIP 30 VIP employees Workflow 40 IP addresses of Workflow resource servers R&D Resource 50 IP addresses of R&D resource servers Sales Resource 54 IP addresses of Sales resource servers IETF96 Berlin

10 Inter-Group Policy Enforcement
Key components User-group-to-user-group access policies – think “firewall rule-base but with user-groups instead of IPs and ports” Sets of NSFs on which individual policies need to be applied Destination Group Source Group Workflow Group R&D Resource Group Sales Resource Group R&D group Permit Deny R&D BYOD group Traffic-rate Sales group VIP user group Traffic-mark IETF96 Berlin

11 Inter-Group Policy IETF96 Berlin
User using an unregistered device Executive Demilitarized zone (DMZ) General service Common service Limited service Important service Core service Authentication domain Unauthorized user Insecure user Guest Common BYOD user Partner User at office hours User at non-office hours Figure 2: Sample Authorization Rules for User-group Aware Policy Control IETF96 Berlin

12 UAPC Implementation User-group identification policies and inter-user-group access polices on the Policy Server are managed by the authorized user(s)/team(s). The user-group-based policies are implemented on the NSFs under the Security Controller’s management. When a given user first logs onto the network, the user is authenticated at the ingress switch. If the authentication is successful, the user is placed in a user-group, as determined by the Policy Server. The user’s subsequent traffic is allowed or permitted based on the user-group ID by the NSFs per the inter-user-group access policies IETF96 Berlin

13 Requirements for I2NSF Key aspects of the UAPC framework falls within the Service Layer of the I2NSF charter. If the community adopts the approach as one possible framework for the Service Layer, the I2NSF Service Layer MUST support at least the following northbound APIs (NBIs): The user-group classification policy database on the Policy Server The inter-user-group access policy rule-base on the Policy Server The inventory of NSFs under management by the Security Controller. The list of NSFs on which a given inter-user-group policy is to be implemented by the Security Controller. IETF96 Berlin

14 Next Steps Solicit comments and suggestions on the mailing list
For detailed implementation, please refer to draft-you-i2nsf-user-group-policy-capability-00 Accepted as WG doc? IETF96 Berlin

15 Thank you! IETF96 Berlin

Download ppt "User-group-based Security Policy for Service Layer"

Similar presentations

Designing for Pervasive Network Security. Designing for Security Our aim in this section will be to concentrate on how campus Networks can be designed.

Designing for Pervasive Network Security. Designing for Security Our aim in this section will be to concentrate on how campus Networks can be designed.
Deployment Considerations for Dual-stack Lite IETF 80 Prague Yiu Lee, Roberta Magione, Carl Williams, Christian Jacquenet Mohamed Boucadair.

Deployment Considerations for Dual-stack Lite IETF 80 Prague Yiu Lee, Roberta Magione, Carl Williams, Christian Jacquenet Mohamed Boucadair.
1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.

1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Controlling access with packet filters and firewalls.

Controlling access with packet filters and firewalls.
INTRANET SECURITY Catherine Alexis CMPT 585 Computer and Data Security Dr Stefan Robila.

INTRANET SECURITY Catherine Alexis CMPT 585 Computer and Data Security Dr Stefan Robila.
Institute of Technology, Sligo Dept of Computing Semester 3, version 2.1.3 Semester 3 Chapter 3 VLANs.

Institute of Technology, Sligo Dept of Computing Semester 3, version Semester 3 Chapter 3 VLANs.
Networking Components

Networking Components
Secure Network Design: Designing a Secure Local Area Network IT352 | Network Security |Najwa AlGhamdi1 Case Study

Secure Network Design: Designing a Secure Local Area Network IT352 | Network Security |Najwa AlGhamdi1 Case Study
© Wiley Inc. 2006. All Rights Reserved. CCNA: Cisco Certified Network Associate Study Guide CHAPTER 8: Virtual LANs (VLANs)

© Wiley Inc All Rights Reserved. CCNA: Cisco Certified Network Associate Study Guide CHAPTER 8: Virtual LANs (VLANs)
A Survey on Interfaces to Network Security

A Survey on Interfaces to Network Security
Virtual LANs. VLAN introduction VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless.

Virtual LANs. VLAN introduction VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless.
Internet/Intranet firewall security – policy, architecture and transaction services Written by Ray Hunt This presentation will Examines Policies that influence.

Internet/Intranet firewall security – policy, architecture and transaction services Written by Ray Hunt This presentation will Examines Policies that influence.
Networking Components

Networking Components
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.

CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.

CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.
Configuring Routing and Remote Access(RRAS) and Wireless Networking

Configuring Routing and Remote Access(RRAS) and Wireless Networking
Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.

Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.
11 SECURING YOUR NETWORK PERIMETER Chapter 10. Chapter 10: SECURING YOUR NETWORK PERIMETER2 CHAPTER OBJECTIVES  Establish secure topologies.  Secure.

11 SECURING YOUR NETWORK PERIMETER Chapter 10. Chapter 10: SECURING YOUR NETWORK PERIMETER2 CHAPTER OBJECTIVES  Establish secure topologies.  Secure.
Chapter 8: Virtual LAN (VLAN)

Chapter 8: Virtual LAN (VLAN)

Similar presentations

Ads by Google