SALSA-FWNA Activity Update
Kevin Miller • Duke University • [email protected]
Internet2 Member Meeting, May 2005
Federated Wireless Auth Vision
Enable members of one institution to authenticate to the wireless network at another institution using their home credentials.
– Reduce the need for guest IDs
– Simplify authentication when roaming
The “roaming scholar” problem
Wired network roaming comes “free”
Federations
Goals of federations
– Establish trust between entities
– Make assertions about identities (authenticate) and release attributes
– Protect user privacy through opaque user handles and controlled attribute release
Federations
All are relevant to FWNA
– Need to create/reuse trust between sites
  Could take many forms (hierarchical, central, 1-way, …)
  Shibboleth is a candidate
– Visited sites may want attributes about visiting users (e.g. type of user, mobile number)
– Control release of user information
Potential Federations
Decentralized School
School Systems
– State schools, local school districts, etc.
Regional consortia: GigaPoP / *REN
National consortia: Internet2
International: EduRoam
Government: ESNet, NSF, NASA
Industry
Use Cases
“Simple” Roaming within Federation
– Among Peer Institutions
– Local Federation (Conference Guests)
– Sensor Nets
– Municipal Networks
– VoIP
Inter-Federation Roaming
Shared Tenancy
Commercial Roaming
FWNA Project Plan
Work divided in two phases
Phase 1: RADIUS Hierarchy
– Initial solution to the problem
– Modeled after current Eduroam network
– Develop knowledge of relevant technology
– Learn capabilities and drawbacks of hierarchy
Relatively straightforward
– Exchange RADIUS keys
– Interface to existing authn systems using basic RADIUS mechanism
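The Phase 1 hierarchy works by forwarding a visitor's RADIUS Access-Request up and across the tree until it reaches the home institution, which is the only server that can check the credentials. The following is an added illustration of that realm-based routing, not code from the FWNA project or from eduroam: the server names, realms and per-hop shared secrets (the "RADIUS keys" exchanged between neighbours) are constructed, and the hierarchy shape (campus, regional, national, top level, foreign federation) is an assumption made for the example. It also shows the two drawbacks a practitioner notices first: the number of hops a cross-federation request takes, and the need to reject unknown realms rather than let them loop.

```python
"""Realm-based RADIUS request routing through a federation hierarchy.

Added illustration only; this is not code from the Internet2 FWNA project.
Server names, realms and shared secrets below are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class RadiusProxy:
    """One RADIUS server in the hierarchy (institution, regional, national or top level)."""
    name: str
    local_realms: frozenset = frozenset()      # realms this server authenticates itself
    peers: dict = field(default_factory=dict)  # realm suffix -> (next hop name, shared secret)
    default_route: tuple = None                # next hop for unknown realms: "up" the tree

    def next_hop(self, realm):
        """Longest-suffix match over explicit peers, else the default (upward) route, else None."""
        best = None
        for suffix, hop in self.peers.items():
            if realm == suffix or realm.endswith("." + suffix):
                if best is None or len(suffix) > len(best[0]):
                    best = (suffix, hop)
        return best[1] if best else self.default_route


def split_nai(user_name):
    """Split an outer identity 'user@realm' (Network Access Identifier) into its parts."""
    if "@" not in user_name:
        raise ValueError("outer identity must carry a realm for federated routing")
    user, realm = user_name.rsplit("@", 1)
    return user, realm.lower()


def route_request(servers, start, user_name, max_hops=8):
    """Forward an Access-Request from `start` until it reaches the realm's home server.

    Returns the list of server names traversed.  Each hop is protected by the shared
    secret exchanged between the two neighbours; the EAP payload inside the request is
    never inspected by the intermediate proxies, which route on the realm alone.
    """
    _, realm = split_nai(user_name)
    path = [start]
    current = servers[start]
    for _ in range(max_hops):
        if realm in current.local_realms:
            return path                       # reached the home institution
        hop = current.next_hop(realm)
        if hop is None:
            raise LookupError("%s has no route for realm %s" % (current.name, realm))
        next_name, _secret = hop              # _secret would protect the request on this hop
        path.append(next_name)
        current = servers[next_name]
    raise RuntimeError("hierarchy too deep or routing loop for realm %s" % realm)


def build_hierarchy():
    """Constructed topology: two campuses under one regional, a national root, a foreign federation."""
    s = {}
    s["univ-a"] = RadiusProxy("univ-a", frozenset({"univ-a.edu"}), default_route=("region-1", "s-a-r1"))
    s["univ-b"] = RadiusProxy("univ-b", frozenset({"univ-b.edu"}), default_route=("region-1", "s-b-r1"))
    s["region-1"] = RadiusProxy("region-1",
                                peers={"univ-a.edu": ("univ-a", "s-a-r1"), "univ-b.edu": ("univ-b", "s-b-r1")},
                                default_route=("national", "s-r1-nat"))
    s["national"] = RadiusProxy("national",
                                peers={"univ-a.edu": ("region-1", "s-r1-nat"), "univ-b.edu": ("region-1", "s-r1-nat")},
                                default_route=("top", "s-nat-top"))
    s["top"] = RadiusProxy("top", peers={"edu": ("national", "s-nat-top"),
                                         "ac.example": ("foreign-nat", "s-top-fn")})
    s["foreign-nat"] = RadiusProxy("foreign-nat", peers={"univ-c.ac.example": ("univ-c", "s-fn-c")})
    s["univ-c"] = RadiusProxy("univ-c", frozenset({"univ-c.ac.example"}))
    return s


if __name__ == "__main__":
    servers = build_hierarchy()
    print(route_request(servers, "univ-b", "alice@univ-a.edu"))       # stays inside the regional
    print(route_request(servers, "univ-a", "bob@univ-c.ac.example"))  # climbs to the top and down again
```

A request between two campuses in the same regional takes three servers; the cross-federation request passes six, each adding latency and each a point where the relationship (shared secret, operator contact) must already exist, which is what the slide means by the capabilities and drawbacks of a hierarchy. A realm nobody has a route for is refused at the top-level server instead of being forwarded indefinitely.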
FWNA Phase 2
Phase 2: RADIUS + Federation
– Develop technically superior solution that enables attribute release
Identify and address other concerns regarding FWNA implementation
  infrastructure, security, authorization, diagnostics, usability
– Requires development
– May not be solved by FWNA itself
Framing the Solution
802.1x
– Often used with WPA or WPA2 (802.11i) for edge encryption
– Or middlebox access controller
EAP authentication
– Exact EAP type selected by home institution, deployed on client machines
– Establish client-to-home trust for purpose of transporting credentials
Beyond authentication…
In many cases today, once authenticated all users obtain the same level of service
FWNA is about identity discovery
We must be able to separately provision services from authn and attributes:
– Technical setup (IP address, QoS, ACL, etc.)
– Access policy
– Billing
Other Areas of Investigation
Real Time Diagnostics
– Determining cause of authn failure
– Requires additional inter-domain data exchange
Access Point Roaming
– Will cause re-authentication back to home server (additional delay)
– Mitigated by 802.11i pre-authentication
FWNA Project Milestones
Phase 1
– Core RADIUS Server: Established
– Experimentation: Ongoing
Phase 2
– Technical plan: Ongoing
– Experimentation: TBD
Join the FWNA Group
Project website: http://security.internet2.edu/fwna
Biweekly Conference Calls
– Thursday 11am-12pm: May 19
– 866-411-0013, 0184827
salsa-fwna @ internet2 list
– “subscribe salsa-fwna” to sympa @ internet2
SALSA-NetAuth Activity Update
Kevin Miller • Duke University • [email protected]
Internet2 Member Meeting, May 2005
SALSA-NetAuth Road Map
Version 0.9 published 25 April 05
“Strategies” Document – Final Version Published
– Taxonomy of some approaches for automating technical policy enforcement
“Futures” Documents
– Architecture document: Draft 02 Published 25 April 05
  A proposed architecture for integrating network policy enforcement
  Draft 03 Will Be Published Soon
“Prerequisites” Document – On Hold
– A reference to systems and services necessary to deploy NetAuth systems
SALSA-FWNA Subgroup – Group Active
– To investigate the visiting scholar problem
NetAuth Timeline
[Figure: SALSA-NetAuth Activity Timeline, 5/04 through 6/05. Rows: Group, Prerequisites, Strategies, Future, Architecture, Components, FWNA. Status labels on the chart: Document Complete, Group Active (twice), Draft 02 Released, On Hold, Pre-Draft.]
NetAuth Road Map
NetAuth still focused on document development
Engaging other players in the space (Cisco NAC, Microsoft NAP, TNC)
Encouraging and/or Developing for these efforts
Strategies Document
Draft 3 became final version
– Published 20 April 2005
Edited by Eric Gauthier (Boston University) and Phil Rodrigues (New York University)
May return to draft stage after wider analysis and vetting
Strategies Document
Taxonomy of mechanisms for automating network policy enforcement
– For example: NetReg, Perfigo, etc.
– Provides a starting point for discussions on improving the process
– References free and commercial systems
Lifecycle of Network Access
Registration is the initial state
[Figure: cycle diagram of the remaining lifecycle states: Detection, Isolation, Notification, Remediation]
NetAuth Prerequisites
Currently on hold
The Strategies document assumes certain underlying components (systems, software)
The Prerequisites would be a reference to sites interested in establishing network policy enforcement
– May evolve as a reference to EDUCAUSE Effective Practices, RESNET presentations, and some additional material as necessary
– Will be covered in Futures documents
Futures Documents
Originally targeted as a single document
– Too complex
Current goal is to outline each in a separate document:
– Architecture
– Components
– Deployment
Futures Documents
How would we design a NetAuth system if we could do it again?
Focused on interoperability and modularization
Leveraging the taxonomy from the Strategies document to define a unified architecture
Building text and images to understand the space
Futures Documents
Example implementations from the architecture will demonstrate better ways of achieving policy enforcement
Cognizant of vendor/commercial activity in this space
– Trusted Computing Group TNC
– Cisco NAC
– Microsoft NAP
Future Architecture Document
Draft 02 published 25 April 2005
Draft 03 will be published soon
Edited by Kevin Amorin (Harvard), Eric Gauthier (Boston University)
Future Architecture Document
Two major themes
Workflow
– Conceptual model
– How a ‘network’ may determine and enforce policy compliance
State Diagram
– Mapping of states and transitions
– Summation of above workflow
Future Architecture Workflow
Transitions through states can be triggered by various events
– Connections
– Disruptions
– Change in endpoint network stack
– Active scanning
– Passive detection
Event detection causes a policy decision
– Possible enforcement action
– Transition to next state
Policy Evaluation
Can be applied in any state
Host can move from “final” state to policy state due to external action
[Workflow Diagram: External Event Occurs – Policy Decision Check Required → Policy Decision (Lookup to Policy Repository) → one of three Policy Actions: None Required; Move to new state (Network Transitions to New State: Detection, Isolation, Notification, Remediation, or to a fully compliant or non-compliant final state); Enforcement Action Required (Policy Enforcement Applied: Take Enforcement Action and return to Policy Decision).]
Future Architecture Workflow
Process oriented
A drill down of state transitions in future NetAuth systems
Iterative policy decisions
Policy compliance/non-compliance determined by summation of policy decisions
– Based on local criteria
Future Architecture States
The network cycles through various well-defined states while determining policy compliance
Transitions between states are defined by the workflow above
Provides a taxonomy of these states
Represents the lifecycle of an endpoint during policy determination
State Transitions
Any Policy Determination State can move to “Final” State
External events cause transition back to Determination State
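The workflow, policy evaluation and state transition slides above describe one loop: an external event triggers a policy decision, the decision yields no action, a move to a new state, or an enforcement action that returns to the policy decision, and any determination state can end in a final compliant or non-compliant state from which an event pulls the host back. The following is an added example that puts that loop into a runnable state machine; it is not SALSA-NetAuth code and no draft of the Architecture document contains it. The states and the event set come from the slides; the policy checks, the "redirect to registration portal" and "quarantine VLAN" enforcement actions, and the remediation limit are constructed local criteria.

```python
"""NetAuth policy lifecycle as a state machine.

Added illustration only; this is not SALSA-NetAuth code.  The states, the
event -> policy decision -> action -> transition loop and the "return to policy
decision after enforcement" rule follow the workflow slides; the policy checks,
event names and remediation limit are constructed local criteria.
"""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    REGISTRATION = "registration"    # initial state
    DETECTION = "detection"
    ISOLATION = "isolation"
    NOTIFICATION = "notification"
    REMEDIATION = "remediation"
    COMPLIANT = "compliant"          # final
    NON_COMPLIANT = "non_compliant"  # final


class Action(Enum):
    NONE = "none"        # Policy Action: None Required
    MOVE = "move"        # Policy Action: Move to new state
    ENFORCE = "enforce"  # Policy Action: Enforcement Action Required


FINAL_STATES = {State.COMPLIANT, State.NON_COMPLIANT}
EVENTS = {"connection", "disruption", "stack_change", "active_scan", "passive_detection"}
MAX_REMEDIATIONS = 2     # constructed local criterion

# Constructed policy repository: name -> check over the facts detection has gathered.
POLICY_REPOSITORY = {
    "registered": lambda f: f.get("registered", False),
    "patched":    lambda f: f.get("patched", False),
    "no_malware": lambda f: not f.get("malware", False),
}


@dataclass
class Endpoint:
    ident: str
    state: State = State.REGISTRATION
    facts: dict = field(default_factory=dict)          # detection results so far
    enforced: set = field(default_factory=set)         # states whose enforcement already ran
    remediations: int = 0
    enforcement_log: list = field(default_factory=list)


def failing_checks(facts):
    """Summation of individual policy decisions: every check that fails local criteria."""
    return [name for name, check in POLICY_REPOSITORY.items() if not check(facts)]


def policy_decision(ep):
    """Lookup to the policy repository for the current state: (action, next state, detail)."""
    s, done = ep.state, ep.state in ep.enforced
    if s == State.REGISTRATION:
        if ep.facts.get("registered"):
            return Action.MOVE, State.DETECTION, None
        return (Action.NONE if done else Action.ENFORCE), s, "redirect to registration portal"
    if s == State.DETECTION:
        failing = failing_checks(ep.facts)
        return Action.MOVE, (State.ISOLATION if failing else State.COMPLIANT), None
    if s == State.ISOLATION:
        return (Action.MOVE, State.NOTIFICATION, None) if done else (Action.ENFORCE, s, "quarantine VLAN")
    if s == State.NOTIFICATION:
        if done:
            return Action.MOVE, State.REMEDIATION, None
        return Action.ENFORCE, s, "notify user: " + ", ".join(failing_checks(ep.facts))
    if s == State.REMEDIATION and ep.remediations > MAX_REMEDIATIONS:
        return Action.MOVE, State.NON_COMPLIANT, None
    return Action.NONE, s, None   # remediation waits for the user; final states wait for an event


def run_policy(ep, limit=20):
    """Iterate decisions until none is required; enforcement returns to the policy decision."""
    for _ in range(limit):
        action, nxt, detail = policy_decision(ep)
        if action == Action.NONE:
            return ep.state
        if action == Action.ENFORCE:
            ep.enforcement_log.append((ep.state.value, detail))
            ep.enforced.add(ep.state)
            continue
        if nxt == State.REMEDIATION:
            ep.remediations += 1
        ep.state = nxt
    raise RuntimeError("policy loop did not settle for %s" % ep.ident)


def handle_event(ep, event, **new_facts):
    """External event: update facts, re-enter the determination state from a resting state."""
    if event not in EVENTS:
        raise ValueError("unknown event %r" % event)
    ep.facts.update(new_facts)
    if ep.state in FINAL_STATES or ep.state == State.REMEDIATION:
        ep.state = State.DETECTION
        ep.enforced.clear()          # a fresh cycle isolates and notifies again if still failing
    return run_policy(ep)


if __name__ == "__main__":
    host = Endpoint("host-1")
    print(run_policy(host))                                        # parked at registration
    print(handle_event(host, "connection", registered=True, patched=False))   # isolated, notified, waiting
    print(handle_event(host, "stack_change", patched=True))        # detection passes: compliant
    print(handle_event(host, "passive_detection", malware=True))   # back out of the final state
```

Compliance here is the summation the slide describes: the detection state asks every rule in the repository and only a clean sweep reaches the compliant final state. The same endpoint leaves the compliant state again when passive detection reports malware, and a host that keeps failing after the allowed number of remediation cycles lands in the non-compliant final state, where it waits for the next event rather than cycling forever.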
Future Components Document
Pre-draft stage
What are the components that comprise a NetAuth system?
How do these components:
– Communicate
– Interoperate
– Modularize
Application to use-cases
Why Develop Futures Documents?
NetAuth systems are complex
There is a mix of commercial and open-source offerings
Complexity is obscuring our understanding of how they work
As ‘Strategies’ provided a baseline for the current deployments, this effort will help us analyze future systems
FWNA Interactions
We (will) deploy NetAuth systems to federated environments (like FWNA)
– To ensure endpoint policy compliance
What if the home institution policies vary from the visited institution?
How do we notify the user if they are a guest?
– Identifiers may be opaque
FWNA Interactions
Understanding NetAuth in a federated environment is a challenge
– Deployment constraints
– Policy enforcement consequences
We can’t understand how NetAuth works in a federated environment until we have a consistent taxonomy to discuss them
Join the NetAuth Group
All documents available from http://security.internet2.edu/netauth
Biweekly Conference Calls
– Thursday 12pm-1pm (EDT): May 12, May 26
– 866-411-0013, 0122644
salsa-netauth @ internet2 list
– “subscribe salsa-netauth” to sympa @ internet2