The Art of Applying Identity to Network Access Control
Copyright Steve Whitson, 2008.
This work is the intellectual property of the author.
Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
The Art of Applying Identity to Network Access Control
Steve Whitson, Networking and Telecom Administrator
California College of the Arts
About CCA
• Founded in 1907
• Largest regionally accredited, independent school of art, design and crafts in the western US
• Two campuses: San Francisco and Oakland
• 1,600 undergraduate students
• More than 500 faculty and staff
The Environment: directories, networks, apps, users
• Legacy email server on an LDAP server (the only place everyone had an account)
• Students and faculty originally in the legacy LDAP system for email accounts
• Bought Sun ONE to migrate all users to a central directory
• Staff on an AD domain; expect to continue to maintain the AD for staff use only
• Lots of Macs and PCs; staff use Mac and Windows XP; want to move them towards wireless 802.1X
• Cisco Airespace wireless; concerned about DHCP leases running out and about users on wireless without encryption
• Some of those users could be faculty or staff, so open wireless is a policy and audit exposure for access to confidential records
The Challenge: Securing an Evolving Wireless Network
Limited IT resources
• Small IT staff: need automation, scaling and geographic coverage
• Need to support more than 2,000 daily network users
• Migratory population of 5 to 1,000 people a day depending on time of year and events
Lack of security
• Wireless is open; the campus is a hot spot
• Need to lock down wireless with authentication and encryption
• Can't authenticate users from multiple directories
• No easy way to manage campus visitors
Transparency
• Transition from the LDAP-based directory to a single Sun ONE directory server with no adverse impact on users
• Want to move to the improved security of wireless 802.1X later
• No robust audit capability
How we went about the solution
Commercial RADIUS servers
• Cisco Systems, Funk Software, IEA Software, Interlink Networks and Lucent Technologies
• Market share: Cisco ACS 24%, Microsoft IAS 23%, Cistron 12%, Funk 11%, OpenRADIUS 10%, Radiator 10%, other products
FreeRADIUS (open source)
• Software implementation on our own hardware; runs on Cygwin, Debian, DragonFlyBSD (via NetBSD pkgsrc), Fedora, FreeBSD, Mac OS X (Leopard Server), Mandriva, NetBSD, OpenBSD, Solaris, SUSE, Windows and Ubuntu
Why Identity Engines Ignition®
• Supports multiple existing directories and migration to a new Sun ONE directory
• Supports 802.1X with EAP-TTLS carrying MSCHAP as the inner method, terminating MSCHAP against Sun ONE (MSCHAP validation needs the NT hash or cleartext password on the server side, so the directory has to hold one of those for each account)
• Easily integrates with the existing wireless network
• Solution is quick to deploy, with no disruption to end users
• Allows us to evolve at our own pace and in our own way
• Quality support
The Results
• Authenticate wireless users; hot spot eliminated
• Accreditation and CALEA compliance
• Sun ONE deployment and user authentication migration
• Guest management successful
• Encryption for privileged users
• Authenticating VPN users on both our Cisco 5520 ASA firewalls (Oakland and San Francisco)
• Accounting: knowing who is on our network
Where we go from here
• Deploy 802.1X port-based authentication
• Authenticate wired and wireless access with centralized policy authoring and audit
• Segmented virtual networks based on roles: student, faculty, staff
• Migrate to a centralized identity infrastructure based on the Sun ONE directory server
• Extend the campus bookstore discount policy to a broader community…
• VPN integration for students, faculty and staff
Recommendation
• Of the products offered, simple is better
• After careful consideration we came to the conclusion that the Identity Engines product offered us the best vehicle for simplicity, performance and security
• Product support
Chris Radkowski, Director, Business Development
Identity-centric Access Control for Education Networks
© 2008 Identity Engines, Inc. Proprietary and Confidential. http://www.idengines.com
Select Education Customers
What they say
“Our environment is very diverse, with many operating systems, NIC cards, etc, and one of our biggest concerns with our 802.1X deployment was the volume of trouble calls that we might experience related to end-point configurations. AutoConnect has worked flawlessly so far – since the rollout we have had zero trouble calls relating to supplicant configuration.”
Mark Redican, Network Operations Center Manager, IET – Communications Resources, University of California, Davis
“The Guest Manager tool from Identity Engines allows us to provision temporary guest accounts without having to touch the directory. The benefits of this new infrastructure include easing time spent on account management of guests and it has also lessened the work load on the help desk.”
Aaron Smith, Network Engineer Supervisor, BYU - Idaho
Pat Cronin of Bridgewater State College believes the NAC solution is a good investment because the Identity Engines piece provides the campus the protection it needs and wants.
“We’ve never had the wireless or administrative network go down due to viruses, because we have the appropriate protection.”
Pat Cronin, Associate Vice President, Technology, Systems and Networking, Bridgewater State College. Source: University Business, March 2008
Comprehensive Access Control for Campus Networks
University Campus Deployment
Education Drivers
• Security against lost or stolen laptops re-entering the network
• Compliance with CALEA, FERPA, PCI, and DMCA
• Differentiated access between students, faculty, and administration
• Asset-to-identity correlation
• Granular classroom control for wireless access driven off of course registration and calendaring
• Sophisticated guest management
• Automated client configuration
• NAC: policy-based end-point network access
Higher Education Guest Access
[Diagram labels: AAA; Guest Admin(s); Guest Manager; User Directory (faculty / students only). Visitor types: visiting sports team, visiting parent, community member (fee-based), visiting professor. Networks: campus wireless network, research network, library network, sports facilities, Internet.]
• Multiple constituencies can be allowed on the network based on their rights
• Generates revenue from the campus-wide wireless network
• Allows for secure (802.1X / VPN) connections or simple web authentication
• Sporting and other types of events can be set up in advance with credentials sent to participants
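The guest lifecycle the slide above describes (a sponsor provisions time-bounded credentials ahead of an event, the AAA side accepts them only inside that window, and every decision is audited), as an added Python example that is not Identity Engines' Guest Manager code or anything from this deck. The in-memory store, the visiting-team event, the sponsor address, the password length and the PBKDF2 parameters are all assumptions made for the example.

```python
"""Time-bounded guest accounts kept outside the user directory.

Added example, not Identity Engines' Guest Manager code. A sponsor provisions
accounts ahead of an event, each account carries a role and a validity window,
authentication is refused outside that window, and every decision is audited.
The event, sponsor, password length and PBKDF2 parameters are assumptions.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

PBKDF2_ROUNDS = 50_000  # assumed policy; the store never keeps the cleartext

def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 of the guest password; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

@dataclass
class GuestAccount:
    username: str
    salt: bytes
    digest: bytes
    role: str
    sponsor: str
    valid_from: datetime
    valid_to: datetime

@dataclass
class GuestStore:
    accounts: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def _log(self, event, username, now, **details):
        self.audit.append({"ts": now.isoformat(), "event": event, "user": username, **details})

    def provision(self, username, role, sponsor, valid_from, hours, now):
        """Create one account; returns the cleartext password to hand to the guest."""
        if username in self.accounts:
            raise ValueError(f"guest {username!r} already exists")
        password = secrets.token_urlsafe(9)  # ~72 bits, short enough for a badge
        salt, digest = hash_password(password)
        acct = GuestAccount(username, salt, digest, role, sponsor,
                            valid_from, valid_from + timedelta(hours=hours))
        self.accounts[username] = acct
        self._log("provision", username, now, sponsor=sponsor, role=role,
                  valid_to=acct.valid_to.isoformat())
        return password

    def provision_event(self, prefix, count, role, sponsor, valid_from, hours, now):
        """Batch for an event set up in advance; returns {username: password}."""
        names = [f"{prefix}{i:02d}" for i in range(1, count + 1)]
        return {n: self.provision(n, role, sponsor, valid_from, hours, now) for n in names}

    def authenticate(self, username, password, now):
        """Return the guest's role if the credentials are valid at `now`, else None."""
        acct = self.accounts.get(username)
        if acct is None:
            self._log("reject", username, now, reason="unknown-user")
            return None
        _, digest = hash_password(password, acct.salt)
        if not hmac.compare_digest(digest, acct.digest):
            self._log("reject", username, now, reason="bad-password")
            return None
        if not acct.valid_from <= now < acct.valid_to:
            self._log("reject", username, now, reason="outside-window")
            return None
        self._log("accept", username, now, role=acct.role)
        return acct.role

    def expire(self, now):
        """Housekeeping: drop accounts whose window has closed; returns their names."""
        gone = sorted(u for u, a in self.accounts.items() if a.valid_to <= now)
        for u in gone:
            del self.accounts[u]
            self._log("expire", u, now)
        return gone

def run_demo():
    """Walk a visiting team through the lifecycle; returns the outcomes for checking."""
    store = GuestStore()
    kickoff = datetime(2008, 4, 5, 12, 0, tzinfo=timezone.utc)   # constructed event
    issued = kickoff - timedelta(days=3)                          # credentials sent early
    creds = store.provision_event("team-", 3, "guest", "athletics@example.edu",
                                  kickoff, hours=8, now=issued)
    user, pw = "team-01", creds["team-01"]
    return {
        "issued": sorted(creds),
        "too_early": store.authenticate(user, pw, kickoff - timedelta(hours=1)),
        "during": store.authenticate(user, pw, kickoff + timedelta(hours=2)),
        "wrong_password": store.authenticate(user, pw + "x", kickoff + timedelta(hours=2)),
        "after": store.authenticate(user, pw, kickoff + timedelta(hours=8)),
        "expired": store.expire(kickoff + timedelta(hours=9)),
        "events": [r["event"] for r in store.audit],
    }

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The store is what the RADIUS server would consult for anyone not found in the faculty/student directory; the window check is what turns "credentials sent to participants" into accounts that are harmless if they leak after the event, and the audit list is the "fully audited" property, written on rejects as well as accepts so a bad-password burst against a guest name is visible.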
Ignition Guest Manager™
RBAC example: Secure wireless
[Diagram labels: AAA; Guest Admin(s); Guest Manager; User Directory (employees only). Users: Guest (Web Auth), Contractor (802.1X Auth), Finance Employee (802.1X Auth). Networks: Internet, Internal Network, Finance Network.]
• Authenticate all WLAN access, enabling user audit and differentiated access.
• Dynamic VLAN assignment segments traffic, with enforcement via ACLs.
• Guests can be forced to the Internet only, contractors can be given restricted internal access, and privileged employees can see sensitive areas.
• Guest access is fully audited rather than open.
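What the dynamic VLAN assignment on this slide, together with the multi-directory lookup from the CCA challenge slide, looks like on the wire, as an added Python example that is not Identity Engines' or CCA's code. The attribute numbers and the tagged encoding come from RFC 2865 and RFC 2868; the roles, VLAN numbers, user names, shared secret and the two in-memory identity sources are constructed for the example.

```python
"""Role-based dynamic VLAN assignment carried in a RADIUS Access-Accept.

Added example, not Identity Engines' or CCA's code. Attribute numbers and the
tagged encoding follow RFC 2865 / RFC 2868; the roles, VLAN numbers, users,
shared secret and the two identity sources are constructed for the example.
"""
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
ATTR_USER_NAME = 1
ATTR_TUNNEL_TYPE = 64               # RFC 2868, tagged integer
ATTR_TUNNEL_MEDIUM_TYPE = 65        # RFC 2868, tagged integer
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81   # RFC 2868, tagged string holding the VLAN ID
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Constructed policy matching the slide: guests Internet-only, contractors a
# restricted internal VLAN, finance staff the finance segment.
ROLE_VLANS = {"guest": 900, "contractor": 200, "finance": 300}

# Constructed stand-ins for the two identity sources on the slide: the
# employee directory and the Guest Manager store.
EMPLOYEE_DIRECTORY = {"bob": "contractor", "carol": "finance"}
GUEST_STORE = {"visitor42": "guest"}

def resolve_role(username):
    """Route the lookup by source: employees first, then guests, else no role."""
    if username in EMPLOYEE_DIRECTORY:
        return EMPLOYEE_DIRECTORY[username]
    return GUEST_STORE.get(username)

def attr(attr_type, value):
    """One RADIUS attribute: type, length (including this 2-byte header), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def tagged_int(tag, number):
    """Tagged integer per RFC 2868: one tag byte then a 3-byte big-endian value."""
    return bytes([tag]) + number.to_bytes(3, "big")

def vlan_attributes(vlan_id, tag=1):
    """The three attributes a switch or WLAN controller needs to pick a VLAN."""
    return (attr(ATTR_TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN))
            + attr(ATTR_TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_IEEE_802))
            + attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))

def build_response(code, identifier, request_authenticator, attributes, secret):
    """RADIUS reply with the Response Authenticator of RFC 2865 section 3:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + auth + attributes

def verify_response(packet, request_authenticator, secret):
    """What the NAS does on receipt: recompute the authenticator and compare."""
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def authorize(username, identifier, request_authenticator, secret):
    """Map the user's role to a VLAN and build the reply. Returns (vlan, packet);
    vlan is None for an Access-Reject."""
    role = resolve_role(username)
    if role is None:
        return None, build_response(ACCESS_REJECT, identifier, request_authenticator, b"", secret)
    vlan = ROLE_VLANS[role]
    attrs = attr(ATTR_USER_NAME, username.encode()) + vlan_attributes(vlan)
    return vlan, build_response(ACCESS_ACCEPT, identifier, request_authenticator, attrs, secret)

def parse_attributes(packet):
    """Walk the attribute list back into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 20
    while i < len(packet):
        if i + 2 > len(packet):
            raise ValueError("truncated attribute header")
        t, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute length")
        out.append((t, packet[i + 2:i + length]))
        i += length
    return out

def vlan_from_packet(packet):
    """Recover the VLAN a NAS would apply from Tunnel-Private-Group-ID; a leading
    byte of 0x00-0x1F is a tag (RFC 2868) and is stripped before parsing."""
    for t, v in parse_attributes(packet):
        if t == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            if v and v[0] <= 0x1F:
                v = v[1:]
            return int(v.decode())
    return None

if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req_auth = os.urandom(16)  # in practice copied from the Access-Request
    for user in ("visitor42", "bob", "carol", "mallory"):
        vlan, pkt = authorize(user, 7, req_auth, secret)
        outcome = "Access-Reject" if vlan is None else f"Access-Accept, VLAN {vlan}"
        print(f"{user:10} -> {outcome}; authenticator ok={verify_response(pkt, req_auth, secret)}")
```

The point to check on a real deployment is the enforcement side: the Access-Accept only names a VLAN, so the switch or controller must be configured to honour the three tunnel attributes and the ACLs on each VLAN must actually differ, otherwise the "differentiated access" is a label rather than a control. The Response Authenticator is MD5 over the shared secret, which is why the secret has to be long and per-NAS and why RADIUS between the controller and the server should itself sit on a management VLAN or inside IPsec.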
Ignition® Product Ecosystem
• Ignition Server™: identity and policy-based authentication and authorization server (RADIUS, TACACS+)
• Ignition Posture Module™: posture integration with XSupplicant
• Ignition Portal™: captive portal for guests and legacy platforms
• Ignition AutoConnect™: auto-configuration of clients for 802.1X
• Ignition Reports™: integrated reporting solution
• Ignition Guest Manager™: extensible and customizable visitor solution
Conclusion
• Identity-based access control is a key component of comprehensive network access strategy
• Guest Management should be considered for both wired and wireless network access
• A standards-based approach is necessary to integrate with disparate network and directory systems and enforce business policies
• Your existing infrastructure can be reused
• 802.1X supports a phased rollout; consider external vs. internal access as a good starting point
Thank you
For more information
• Visit Identity Engines’ poster session: April 1, 2008, 1:30 p.m. - 2:30 p.m., Peacock Court, Lobby Level
• Request a free trial of AutoConnect: call 877 433-8660 or visit www.idengines.com/trial
• Visit us at: www.idengines.com