The Art of Applying Identity to Network Access Control
Copyright Steve Whitson, 2008. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
The Art of Applying Identity to Network Access Control
Steve Whitson, Networking and Telecom Administrator
California College of the Arts
About CCA
• Founded in 1907
• Largest regionally accredited, independent school of art, design and crafts in the western US
• Two campuses: San Francisco and Oakland
• 1,600 undergraduate students
• More than 500 faculty and staff
The Environment: Directories, networks, apps, users
• Legacy email server on an LDAP server (the only place everyone had an account)
• Students/faculty originally in the legacy LDAP system for email accounts
• Bought Sun ONE to migrate all users to a central directory
• Staff on an AD domain; expect to continue to maintain the AD for staff use only
• Lots of Macs and PCs; staff use Mac and Windows XP; want to move them towards wireless 802.1X
• Cisco Airespace wireless
• Concerned about DHCP leases running out and users on wireless without encryption
• Some users could be faculty/staff, so there is a policy/audit exposure issue for access to confidential records
The Challenge: Securing an Evolving Wireless Network
Limited IT resources
• Small IT staff: need automation, scaling, geographic coverage
• Need to support more than 2000 daily network users
• Migratory population of 5 to 1000 people a day depending on time of year and events
Lack of security
• Wireless is open; the campus is a hot spot
• Need to lock down wireless with authentication and encryption
• Can't authenticate users from multiple directories
• No easy way to manage campus visitors
Transparency
• Transition from the LDAP-based directory to a single Sun ONE directory server with no adverse impact on users
• Want to move to the improved security of wireless 802.1X later
• No robust audit capability
How we went about the solution
• Commercial RADIUS servers: Cisco Systems, Funk Software, IEA Software, Interlink Networks and Lucent Technologies
• Market share: Cisco ACS 24%, Microsoft IAS 23%, Cistron 12%, Funk 11%, OpenRADIUS 10%, Radiator 10%, other products
• FreeRADIUS: software implementation on hardware; runs on Cygwin, Debian, DragonFlyBSD (via NetBSD pkgsrc), Fedora, FreeBSD, Mac OS X (Leopard Server), Mandriva, NetBSD, OpenBSD, Solaris, SuSE, Windows, Ubuntu
Why Identity Engines Ignition®
• Supports multiple existing directories and migration to a new Sun ONE directory
• Supports 802.1X with MSCHAP and TTLS; terminates MSCHAP on Sun ONE
• Easily integrates with the existing wireless network
• Solution is quick to deploy, with no disruption to end users
• Allows us to evolve at our own pace and in our own way
• Quality support
The Results
• Authenticate wireless users; hot spot eliminated
• Accreditation and CALEA compliance
• Sun ONE deployment and user authentication migration
• Guest management successful
• Encryption for privileged users
• Authenticating VPN users on both our Cisco 5520 ASA firewalls (Oakland and San Francisco)
• Accounting: knowing who is on our network
Where we go from here
• Deploy 802.1X port-based authentication
• Authenticate wired and wireless access with centralized policy authoring and audit
• Segmented virtual networks based on roles: student, faculty, staff
• Migrate to a centralized identity infrastructure based on the Sun ONE directory server
• Enable the discount policy at the campus bookstore for a broader community…
• VPN integration for students, faculty and staff
Recommendation
• Of the products offered, simple is better
• After careful consideration we came to the conclusion that the Identity Engines product offered us the best vehicle for simplicity, performance and security
• Product support
Chris Radkowski, Director, Business Development
Identity-centric Access Control for Education Networks
12 © 2008 Identity Engines, Inc. Proprietary and Confidential. http://www.idengines.com
Select Education Customers
What they say
“Our environment is very diverse, with many operating systems, NIC cards, etc, and one of our biggest concerns with our 802.1X deployment was the volume of trouble calls that we might experience related to end-point configurations. AutoConnect has worked flawlessly so far – since the rollout we have had zero trouble calls relating to supplicant configuration.”
Mark Redican, Network Operations Center Manager, IET – Communications Resources, University of California, Davis
“The Guest Manager tool from Identity Engines allows us to provision temporary guest accounts without having to touch the directory. The benefits of this new infrastructure include easing time spent on account management of guests and it has also lessened the work load on the help desk.”
Aaron Smith, Network Engineer Supervisor, BYU - Idaho
Pat Cronin of Bridgewater State College believes the NAC solution is a good investment because the Identity Engines piece provides the campus the protection it needs and wants.
“We’ve never had the wireless or administrative network go down due to viruses, because we have the appropriate protection.”
Pat Cronin, Associate Vice President, Technology, Systems and Networking, Bridgewater State College. Source: University Business, March 2008
Comprehensive Access Control for Campus Networks
University Campus Deployment
Education Drivers
• Security against lost or stolen laptops re-entering the network
• Compliance with CALEA, FERPA, PCI, and DMCA
• Differentiated access between students, faculty, and administration
• Asset-to-identity correlation
• Granular classroom control for wireless access driven off of course registration and calendaring
• Sophisticated guest management
• Automated client configuration
• NAC – policy based end-point network access
Higher Education Guest Access
[Diagram: visiting sports team, visiting parent, visiting professor and fee-based community member reach the campus wireless network, library network, sports facilities, research network and the Internet through AAA; guest admin(s) provision accounts in Guest Manager alongside the user directory (faculty / students only)]
• Multiple constituencies can be allowed on the network based on their rights
• Generates revenue from the campus-wide wireless network
• Allows for secure (802.1X / VPN) connections or simple web authentication
• Sporting and other types of events can be set up in advance with credentials sent to participants
Ignition Guest Manager™
RBAC example: Secure wireless
[Diagram: guest, contractor and finance employee authenticate through AAA (web auth for the guest, 802.1X auth for the contractor and the finance employee) and are placed on the Internet, the internal network or the finance network respectively; guest admin(s) provision accounts in Guest Manager alongside the user directory (employees only)]
• Authenticate all WLAN access, enabling user audit and differentiated access.
• Dynamic VLAN assignment segments traffic, with enforcement via ACLs.
• Guests can be forced to the Internet only, contractors can be given restricted internal access, and privileged employees can see sensitive areas.
• Guest access is fully audited rather than open.
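The role-to-VLAN decision described on this slide, together with the expiring visitor accounts of the guest access slide, as an added example in Python (not code from the presentation or from Identity Engines): after authentication, the RADIUS authorization step looks the user up in constructed AD, Sun ONE and guest-manager directories, maps the role to a VLAN, returns the RFC 3580 tunnel attributes the controller uses for dynamic VLAN assignment, and records every decision for audit. All user names, VLAN numbers and dates are assumptions.

```python
# Added example (not from the presentation or the Identity Engines product):
# role-based VLAN assignment as a RADIUS server would do it after 802.1X or web
# authentication. Directories, users, VLAN numbers and dates are constructed.
from datetime import datetime

TUNNEL_TYPE_VLAN = 13      # RFC 2868 Tunnel-Type value for VLAN
TUNNEL_MEDIUM_IEEE802 = 6  # RFC 2868 Tunnel-Medium-Type value for IEEE 802

# Role -> VLAN policy: guests Internet-only, contractors restricted internal,
# finance employees the finance segment, students their own segment.
ROLE_VLAN = {"guest": 900, "contractor": 300, "finance": 100, "student": 200}

# Constructed directories: staff in AD, students/faculty in Sun ONE, visitors in
# the guest manager with an account expiry (ISO 8601, UTC).
AD_STAFF = {"jdoe": "finance"}
SUNONE_USERS = {"astudent": "student"}
GUEST_ACCOUNTS = {"visitor42": ("guest", "2008-04-02T00:00:00+00:00"),
                  "ctr-bob": ("contractor", "2008-06-30T00:00:00+00:00")}

AUDIT_LOG = []  # every decision is recorded, accepted or rejected


def lookup_role(user, now_iso):
    """Role for the user, or None if unknown or the guest account has expired."""
    if user in AD_STAFF:
        return AD_STAFF[user]
    if user in SUNONE_USERS:
        return SUNONE_USERS[user]
    if user in GUEST_ACCOUNTS:
        role, expires = GUEST_ACCOUNTS[user]
        if datetime.fromisoformat(now_iso) < datetime.fromisoformat(expires):
            return role
    return None  # expired visitors and unknown names get no network access


def authorize(user, now_iso):
    """RADIUS reply attributes (RFC 3580 dynamic VLAN) for an authenticated user."""
    role = lookup_role(user, now_iso)
    record = {"user": user, "role": role, "time": now_iso}
    if role is None:
        record["result"] = "Access-Reject"
        AUDIT_LOG.append(record)
        return {"code": "Access-Reject"}
    vlan = ROLE_VLAN[role]
    record["result"] = "Access-Accept vlan=%d" % vlan
    AUDIT_LOG.append(record)
    return {"code": "Access-Accept",
            "Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
            "Tunnel-Private-Group-ID": str(vlan)}  # VLAN id is sent as a string
```

The switch or wireless controller applies the returned VLAN and its ACLs, so an expired guest or an unknown name never reaches a segment at all, and the audit list shows which role each session was granted.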
Ignition® Product Ecosystem
• Ignition Server™: identity and policy-based authentication and authorization server (RADIUS, TACACS+)
• Ignition Posture Module™: posture integration with XSupplicant
• Ignition Portal™: captive portal for guests and legacy platforms
• Ignition AutoConnect™: auto-configuration of clients for 802.1X
• Ignition Reports™: integrated reporting solution
• Ignition Guest Manager™: extensible and customizable visitor solution
Conclusion
• Identity-based access control is a key component of comprehensive network access strategy
• Guest Management should be considered for both wired and wireless network access
• A standards-based approach is necessary to integrate with disparate network and directory systems and enforce business policies
• Your existing infrastructure can be reused
• 802.1X supports a phased rollout; consider external vs. internal access as a good starting point
Thank you
For more information
• Visit Identity Engines’ Poster Session: April 1, 2008, 1:30 p.m. - 2:30 p.m., Peacock Court, Lobby Level
• Request a free trial of AutoConnect
• Call: 877 433-8660
• Visit: www.idengines.com/trial
• Visit us at: www.idengines.com