
Operated by Los Alamos National Security, LLC for NNSA. UNCLASSIFIED.

Slide 1: Roles Based Network Access Controls
James R. Clifford, Los Alamos National Laboratory

Slide 2: Outline
- Problem: control foreign national access to sensitive data
  - 700+ foreign nationals (FN) in 25 organizations, 80 buildings, 12 technical areas
- Solution: create a separate network with minimal sensitive data
- Implementation
- Deployment and Support
- Lessons Learned
- Future Directions

Slide 3: Direction
"Further, the Laboratory is now developing a segregated unclassified computer network for utilization by our foreign national employees. This network will allow for greater control over what types and how information can be accessed while still allowing for important scientific research to be accomplished."
- LANL Director Michael Anastasio, testimony to the House Energy and Commerce Committee, September 28, 2008

Slide 4: LANL Network 2008 (network diagram)
Labels recovered from the figure:
- Yellow Network (Unclassified-Protected): General User, Central Services, Restricted Subnets (limited amounts of and tight controls on presence of sensitive information)
- Turquoise: Scientific Collaboration (segmented)
- Open Network: Public Internet presence
- Visitor (Green): On-site visitor access
- External connectivity: Internet, ESnet, I-2; 1 GE and 10 GE links

Slide 5: Design
- Create a new "Open Collaboration Enclave" (OCE) using a VPN overlay
- Connect the new OCE network with a firewall
- Add a "RADIUS server on steroids"
- Define roles and resource policies
- Add a remote web and VPN solution

Slide 6: LANL Network 2009 (network diagram)
Labels recovered from the figure:
- Yellow Network (Unclassified-Protected): General User, Central Services; limited amounts of and tight controls on presence of sensitive information
- OCE (new, behind the firewall)
- Turquoise: Scientific Collaboration (segmented)
- Open Network: Public Internet presence
- Visitor (Green): On-site visitor access
- External connectivity: Internet, ESnet, I-2; 1 GE and 10 GE links

Slide 7: OCE Network Components
- Internet
- RADIUS, LDAP
- Syslog, management
- Infranet Controller
- Netscreen firewall
- Yellow Network
- VPN
- SSL Portal
- Customer LANs: desktops, printers

Slide 8: Firewall Policy
- PERMIT policy, except for OCE to Yellow
- Core policy allows DNS, AD, backups (140 rules)
  - Rules include: protocol, destination IP address, port(s)
  - Includes services required for user logins
- Role-based policy rules
  - Default DENY OCE to Yellow
  - Web captive portal sets up the role-based firewall policy
  - Users must be able to log in so they can run a browser
  - Assumes a single-user client system

Slide 9: Infranet Controller ("RADIUS on Steroids")
- Uses existing RADIUS and LDAP services
  - Can also use MS Active Directory
- Users get roles based on directory information
  - Can also use network location and host integrity
- Resource Policy (firewall) rules are based on Roles

Slide 10: LDAP Example
dn: employeeNumber=123456,ou=people,dc=lanl,dc=gov
cn: Edward Crane
departmentNumber: ABC-1
employeeNumber: 123456
employeeType: Employee
lanlRole: Juniper RO Administrator
lanlRole: Remote VPN
lanlRole: Basic Network

Slide 11: Role Mapping Example (figure not transcribed)

Slide 12: Resource Access Policy Example (figure not transcribed)

Slide 13: Role Member Management
- HR data determines Employee and organization role data
- Basic Network role is created when the user gets a network account
- Import role data from the resource owner, e.g. High Performance Computing
- Users may select roles within business rules, e.g. Remote VPN
- Ad hoc role management
  - Uses the lanlRole attribute value
  - Role owner (and delegates) use a web page to add/remove members
  - Directory updates are in real time
- Roles are removed when a person terminates

Slide 14: Resource Access Policy Management
- Resources in the list are determined by the role/resource owner
- Managed as a text file by network operations, one entry per line:
  Access Control Tester,tcp://datawarehouse.lanl.gov:http,https
- Converted to XML
  - Host names and ports are checked and converted
- XML is imported into the Infranet Controller
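The text-file-to-XML step above is a natural place to enforce the "host names and ports checked" rule before anything reaches the policy enforcement point. The following is an added example, not LANL's conversion tool: it parses lines in the one-line-per-entry form shown on the slide (role, then proto://host:port list), rejects malformed host names, unknown service names and out-of-range ports, and emits XML. The XML element names, the service-name table and the two extra sample entries are assumptions for illustration; the real Infranet Controller import schema is not shown on the page.

```python
"""Convert the role/resource text policy into XML, validating each entry.

Input format (as on the slide):  <role>,<proto>://<host>:<port>[,<port>...]
The XML layout below is assumed for illustration only.
"""
import re
import xml.etree.ElementTree as ET

# RFC 1123 host name: labels of letters/digits/hyphens, no leading/trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")

# Service names accepted in place of numeric ports (assumed table, not LANL's).
SERVICE_PORTS = {"http": 80, "https": 443, "ssh": 22, "ldap": 389, "ldaps": 636}


def parse_port(token):
    """Return an int port for a numeric token or a known service name; reject anything else."""
    token = token.strip().lower()
    if token.isdigit():
        port = int(token)
    elif token in SERVICE_PORTS:
        port = SERVICE_PORTS[token]
    else:
        raise ValueError(f"unknown port or service: {token!r}")
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def parse_policy_line(line):
    """Parse 'Role,proto://host:port,port' into a dict; raise ValueError on bad input."""
    role, sep, resource = line.partition(",")
    role = role.strip()
    if not sep or not role or not resource.strip():
        raise ValueError(f"expected '<role>,<proto>://<host>:<ports>': {line!r}")
    m = re.match(r"^(tcp|udp)://([^:/]+):(.+)$", resource.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"bad resource spec: {resource!r}")
    proto, host, ports = m.group(1).lower(), m.group(2), m.group(3)
    if len(host) > 253 or not HOSTNAME_RE.match(host):
        raise ValueError(f"bad host name: {host!r}")
    port_list = sorted({parse_port(p) for p in ports.split(",")})
    return {"role": role, "proto": proto, "host": host, "ports": port_list}


def policy_to_xml(lines):
    """Build an XML document grouping one <resource> per port under each <role>.

    A single bad line aborts the whole conversion so a typo cannot silently
    drop or widen a rule. Returns the XML as a string.
    """
    root = ET.Element("resourcePolicies")
    by_role = {}
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are ignored
        try:
            entry = parse_policy_line(line)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        role_el = by_role.get(entry["role"])
        if role_el is None:
            role_el = ET.SubElement(root, "role", name=entry["role"])
            by_role[entry["role"]] = role_el
        for port in entry["ports"]:
            ET.SubElement(role_el, "resource", proto=entry["proto"],
                          host=entry["host"], port=str(port), action="allow")
    return ET.tostring(root, encoding="unicode")


# Constructed sample file: the slide's example line plus two assumed entries.
SAMPLE_POLICY = """\
# role,resource
Access Control Tester,tcp://datawarehouse.lanl.gov:http,https
Basic Network,tcp://ldap.example.lanl.gov:ldap,ldaps
Remote VPN,tcp://ssl-portal.lanl.gov:443
"""

if __name__ == "__main__":
    print(policy_to_xml(SAMPLE_POLICY.splitlines()))
```

Failing closed on the first malformed line is deliberate: a conversion that skips a bad entry would leave a role without a resource it is supposed to have, while one that guesses at a host name or port could open a path the resource owner never approved.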

Slide 15: Remote Access: ssl-portal
- https://ssl-portal.lanl.gov
- Portal page has bookmarks, web browsing and SSL VPN
- Features depend on user roles
- SSL VPN tunnels land in the OCE network
- Terminal sessions and file access using SSL tunnels are being evaluated

Slide 16: Surveillance
- Watch for users accessing unauthorized resources
- Uses existing information:
  - HR data
  - Host registration information
  - Resource access policies
  - Logs
  - Router flows
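The surveillance described on this slide joins the same data the access control uses: directory roles (Slide 10), the role-to-resource policy (Slides 9 and 14), host registration (which person owns which source address) and router flows. The following is an added example, not LANL's monitoring code, that ties those pieces together: it extracts lanlRole values from an LDIF entry, computes the resources a user's roles permit with unknown roles granting nothing (default deny, as on Slide 8), and flags flow records whose destination the source host's owner is not entitled to reach. The role-to-resource table, the host registration map, the destination names and the flow records are all constructed for the example.

```python
"""Role-based access check and flow surveillance (added illustration).

Roles come from lanlRole attributes in an LDIF entry as on the LDAP Example
slide. ROLE_RESOURCES, the host registration map, the destination name map
and the flow records below are constructed assumptions, not LANL data.
"""


def roles_from_ldif(ldif_text):
    """Return (dn, set of lanlRole values) from a single LDIF entry."""
    dn, roles = None, set()
    for line in ldif_text.splitlines():
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            dn = value
        elif attr == "lanlrole":
            roles.add(value)
    return dn, roles


# Constructed role -> permitted (proto, host, port) resources. "Basic Network"
# carries the core services every user needs in order to log in at all.
ROLE_RESOURCES = {
    "Basic Network": {("udp", "dns.example.lanl.gov", 53),
                      ("tcp", "ad.example.lanl.gov", 389)},
    "Remote VPN": {("tcp", "ssl-portal.lanl.gov", 443)},
    "Access Control Tester": {("tcp", "datawarehouse.lanl.gov", 80),
                              ("tcp", "datawarehouse.lanl.gov", 443)},
}


def permitted_resources(roles):
    """Union of resources for the user's roles; a role with no policy grants nothing."""
    allowed = set()
    for role in roles:
        allowed |= ROLE_RESOURCES.get(role, set())
    return allowed


def is_permitted(roles, proto, host, port):
    """Default deny: only an explicit (proto, host, port) entry permits the access."""
    return (proto, host, port) in permitted_resources(roles)


def find_violations(flows, host_owner, directory, host_names):
    """Return flow records the source host's owner is not entitled to make.

    flows:      list of {src, dst, proto, dport} (simplified router flow records)
    host_owner: source IP -> employeeNumber from host registration
    directory:  employeeNumber -> set of roles
    host_names: destination IP -> registered host name used in the policy
    An unregistered source host or unknown user has no roles, so every flow
    it sends is reported.
    """
    violations = []
    for f in flows:
        user = host_owner.get(f["src"])
        roles = directory.get(user, set())
        dst_name = host_names.get(f["dst"], f["dst"])
        if not is_permitted(roles, f["proto"], dst_name, f["dport"]):
            violations.append({**f, "user": user, "dst_name": dst_name})
    return violations


# The slide's LDIF entry, used as the directory content for the example.
SAMPLE_LDIF = """\
dn: employeeNumber=123456,ou=people,dc=lanl,dc=gov
cn: Edward Crane
departmentNumber: ABC-1
employeeNumber: 123456
employeeType: Employee
lanlRole: Juniper RO Administrator
lanlRole: Remote VPN
lanlRole: Basic Network
"""

# Constructed host registration, destination names and flow records.
HOST_OWNER = {"10.1.2.3": "123456"}          # 10.1.2.99 is deliberately unregistered
HOST_NAMES = {"10.2.0.53": "dns.example.lanl.gov", "10.2.0.89": "ad.example.lanl.gov",
              "10.2.0.44": "ssl-portal.lanl.gov", "10.2.0.10": "datawarehouse.lanl.gov"}
SAMPLE_FLOWS = [
    {"src": "10.1.2.3", "dst": "10.2.0.53", "proto": "udp", "dport": 53},   # allowed
    {"src": "10.1.2.3", "dst": "10.2.0.44", "proto": "tcp", "dport": 443},  # allowed
    {"src": "10.1.2.3", "dst": "10.2.0.10", "proto": "tcp", "dport": 443},  # no such role
    {"src": "10.1.2.99", "dst": "10.2.0.89", "proto": "tcp", "dport": 389}, # unregistered host
]


def run_surveillance():
    """Build the directory from the LDIF entry and check the sample flows against it."""
    _, roles = roles_from_ldif(SAMPLE_LDIF)
    directory = {"123456": roles}
    return find_violations(SAMPLE_FLOWS, HOST_OWNER, directory, HOST_NAMES)


if __name__ == "__main__":
    for v in run_surveillance():
        print(f"ALERT src={v['src']} user={v['user']} -> {v['dst_name']}:{v['dport']}/{v['proto']}")
```

Running it reports two of the four constructed flows: the registered user reaching the data warehouse without the Access Control Tester role, and an unregistered host reaching AD. Note that "Juniper RO Administrator" appears in the directory but has no entry in the resource table, so it contributes nothing to what the user may reach; that is the behaviour wanted when a role is defined before its resource owner has published a policy.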

Slide 17: Deployment and Support
- Project started in mid-October
- 500 VPN boxes and the firewall deployed by early January
  - Found many IP ACL problems, performance and reliability issues
- 4 Divisions selected for early adoption of access controls in January (30% of total)
  - Fleshed out the Basic Network and Employee roles
  - Set up a project issue tracking system
- Full access control enabled over 2 weeks in mid-March
- Remote access enforced in early April
- On-going support turned over to operations in May
  - VPN box adds and removes
  - Resource policy changes
  - User help questions

Slide 18: Lessons Learned
- Solution is expensive to support
  - Not leveraging the solution: unfamiliar (but powerful) technology used for one project
  - VPN boxes on users' desks add unnecessary complexity
- Transition was disruptive to customers
  - Short schedule left shortened deployment and testing time
  - Resources people need to do their job were not well understood
  - Some network services not well supported
  - Project skill shortage
  - Customers not well informed

Slide 19: What's Next
- Access policy federation between the firewall and ssl-portal
- PF-NET
- Terminal sessions for remote access
- Single / reduced sign-on for remote users
- Network re-architecture project
  - Eliminate desktop VPN boxes
  - 802.1X and MAC authentication
  - Desktop agent for host integrity check
  - VLAN assignment and role-based access
  - Firewall and proxy consolidation
  - Etc.

Slide 20: Questions?

