
Page 1: SALSA-FWNA Activity Update Kevin Miller Duke University kevin.miller@duke.edu Internet2 Member Meeting May 2005

SALSA-FWNA Activity Update

Kevin Miller • Duke University
kevin.miller@duke.edu

Internet2 Member Meeting, May 2005

Page 2: Federated Wireless Auth Vision

Enable members of one institution to authenticate to the wireless network at another institution using their home credentials.
– Reduce the need for guest IDs
– Simplify authentication when roaming

The “roaming scholar” problem

Wired network roaming comes “free”

Page 3: Federations

Goals of federations
– Establish trust between entities
– Make assertions about identities (authenticate) and release attributes
– Protect user privacy through opaque user handles and controlled attribute release

Page 4: Federations

All are relevant to FWNA
– Need to create/reuse trust between sites. Could take many forms (hierarchical, central, 1-way, …). Shibboleth is a candidate.
– Visited sites may want attributes about visiting users (e.g. type of user, mobile number)
– Control release of user information

Page 5: Potential Federations

Decentralized School Systems
– State schools, local school districts, etc.
Regional consortia: GigaPoP / *REN
National consortia: Internet2
International: EduRoam
Government: ESNet, NSF, NASA
Industry

Page 6: Use Cases

“Simple” Roaming within Federation
– Among Peer Institutions
– Local Federation (Conference Guests)
– Sensor Nets
– Municipal Networks
– VoIP
Inter-Federation Roaming
Shared Tenancy
Commercial Roaming

Page 7: FWNA Project Plan

Work divided in two phases
Phase 1: RADIUS Hierarchy
– Initial solution to the problem
– Modeled after current Eduroam network
– Develop knowledge of relevant technology
– Learn capabilities and drawbacks of hierarchy
Relatively straightforward
– Exchange RADIUS keys
– Interface to existing authn systems using basic RADIUS mechanism
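The Phase 1 hierarchy in miniature, as an added example that is not part of the presentation or the FWNA project: a visited campus server accepts a request only from a peer whose shared key it holds, routes it by the realm part of the identity up to a core server and down to the home campus, and the home server checks its local authn system. Server names, realms, shared keys and the single user account are constructed.

```python
# Added example, not from the presentation: a toy model of the Phase 1
# RADIUS hierarchy (Eduroam-style realm routing). Server names, realms,
# shared keys and the one user account are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class RadiusServer:
    """A campus RADIUS server (authoritative for one realm) or the core."""
    name: str
    realm: Optional[str] = None
    parent: Optional["RadiusServer"] = None            # where unknown realms go
    children: Dict[str, "RadiusServer"] = field(default_factory=dict)  # realm -> server
    secrets: Dict[str, str] = field(default_factory=dict)  # peer name -> shared key
    users: Dict[str, str] = field(default_factory=dict)    # stand-in for the local authn system
    log: List[str] = field(default_factory=list)

    def exchange_keys(self, other: "RadiusServer", secret: str) -> None:
        """'Exchange RADIUS keys': both peers record the same shared secret."""
        self.secrets[other.name] = secret
        other.secrets[self.name] = secret

    def access_request(self, sender: str, secret: str, identity: str, password: str) -> bool:
        # 1. Only peers whose key we hold may send us requests.
        if self.secrets.get(sender) != secret:
            self.log.append(f"{self.name}: dropped request from unknown peer {sender}")
            return False
        user, _, realm = identity.rpartition("@")
        # 2. Our own realm: ask the local authn system.
        if realm == self.realm:
            ok = self.users.get(user) == password
            self.log.append(f"{self.name}: local authn {identity} -> {ok}")
            return ok
        # 3. Otherwise route by realm: down to a known child, else up to the parent.
        nxt = self.children.get(realm) or self.parent
        if nxt is None:
            self.log.append(f"{self.name}: no route for realm {realm!r}")
            return False
        self.log.append(f"{self.name}: proxy {identity} -> {nxt.name}")
        # Simplification: the password is relayed as-is here; in the design on
        # page 9 an EAP tunnel carries the credential only to the home server.
        return nxt.access_request(self.name, self.secrets[nxt.name], identity, password)


def build_hierarchy():
    """Constructed topology: a national core with two campus servers beneath it."""
    core = RadiusServer("core")
    home = RadiusServer("home-radius", realm="home.edu", parent=core,
                        users={"scholar": "correct-horse"})
    visited = RadiusServer("visited-radius", realm="visited.edu", parent=core)
    for campus in (home, visited):
        core.children[campus.realm] = campus
        core.exchange_keys(campus, f"secret-core-{campus.name}")
    visited.secrets["visited-ap"] = "secret-ap"   # the visited site's own access point
    return core, home, visited


def roam(identity, password, ap="visited-ap", ap_secret="secret-ap"):
    """A roaming scholar's AP at the visited site submits the request."""
    _, _, visited = build_hierarchy()
    ok = visited.access_request(ap, ap_secret, identity, password)
    return ok, visited.log
```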

Page 8: FWNA Phase 2

Phase 2: RADIUS + Federation
– Develop technically superior solution that enables attribute release
Identify and address other concerns regarding FWNA implementation: infrastructure, security, authorization, diagnostics, usability
– Requires development
– May not be solved by FWNA itself

Page 9: Framing the Solution

802.1x
– Often used with WPA or WPA2 (802.11i) for edge encryption
– Or middlebox access controller
EAP authentication
– Exact EAP type selected by home institution, deployed on client machines
– Establish client-to-home trust for purpose of transporting credentials

Page 10: Beyond authentication…

In many cases today, once authenticated all users obtain same level of service
FWNA is about identity discovery
We must be able to separately provision services from authn and attributes:
– Technical setup (IP address, QoS, ACL, etc.)
– Access policy
– Billing

Page 11: Other Areas of Investigation

Real Time Diagnostics
– Determining cause of authn failure
– Requires additional inter-domain data exchange
Access Point Roaming
– Will cause re-authentication back to home server (additional delay)
– Mitigated by 802.11i pre-authentication

Page 12: FWNA Project Milestones

Phase 1
– Core RADIUS Server: Established
– Experimentation: Ongoing
Phase 2
– Technical plan: Ongoing
– Experimentation: TBD

Page 13: Join the FWNA Group

Project website: http://security.internet2.edu/fwna
Biweekly Conference Calls
– Thursday 11am-12pm: May 19
– 866-411-0013, 0184827
salsa-fwna @ internet2 list
– “subscribe salsa-fwna” to sympa @ internet2

Page 14: SALSA-NetAuth Activity Update

Kevin Miller • Duke University
kevin.miller@duke.edu

Internet2 Member Meeting, May 2005

Page 15: SALSA-NetAuth Road Map

Version 0.9 published 25 April 05
“Strategies” Document – Final Version Published
– Taxonomy of some approaches for automating technical policy enforcement
“Futures” Documents
– Architecture document: Draft 02 Published 25 April 05. A proposed architecture for integrating network policy enforcement. Draft 03 Will Be Published Soon.
“Prerequisites” Document – On Hold
– A reference to systems and services necessary to deploy NetAuth systems
SALSA-FWNA Subgroup – Group Active
– To investigate the visiting scholar problem

Page 16: NetAuth Timeline

[Figure: SALSA-NetAuth Activity Timeline, 5/04 through 6/05. Rows: Group, Prerequisites, Strategies, Future, Architecture, Components, FWNA. Status markers on the chart: Document Complete, Group Active, Draft 02 Released, On Hold, Pre-Draft.]

Page 17: NetAuth Road Map

NetAuth still focused on document development
Engaging other players in the space (Cisco NAC, Microsoft NAP, TNC)
Encouraging and/or Developing for these efforts

Page 18: Strategies Document

Draft 3 became final version
– Published 20 April 2005
Edited by Eric Gauthier (Boston University) and Phil Rodrigues (New York University)
May return to draft stage after wider analysis and vetting

Page 19: Strategies Document

Taxonomy of mechanisms for automating network policy enforcement
– For example: NetReg, Perfigo, etc.
– Provides a starting point for discussions on improving the process
– References free and commercial systems

Page 20: Lifecycle of Network Access

Registration is the initial state
Detection
Isolation
Notification
Remediation

[Figure: lifecycle cycle Detection → Isolation → Notification → Remediation]

Page 21: NetAuth Prerequisites

Currently on hold
The Strategies document assumes certain underlying components (systems, software)
The Prerequisites would be a reference to sites interested in establishing network policy enforcement
– May evolve as a reference to EDUCAUSE Effective Practices, RESNET presentations, and some additional material as necessary
– Will be covered in Futures documents

Page 22: Futures Documents

Originally targeted as a single document
– Too complex
Current goal is to outline each in a separate document:
– Architecture
– Components
– Deployment

Page 23: Futures Documents

How would we design a NetAuth system if we could do it again?
Focused on interoperability and modularization
Leveraging the taxonomy from the Strategies document to define a unified architecture
Building text and images to understand the space

Page 24: Futures Documents

Example implementations from the architecture will demonstrate better ways of achieving policy enforcement
Cognizant of vendor/commercial activity in this space
– Trusted Computing Group TNC
– Cisco NAC
– Microsoft NAP

Page 25: Future Architecture Document

Draft 02 published 25 April 2005
Draft 03 will be published soon
Edited by Kevin Amorin (Harvard), Eric Gauthier (Boston University)

Page 26: Future Architecture Document

Two major themes
Workflow
– Conceptual model
– How a ‘network’ may determine and enforce policy compliance
State Diagram
– Mapping of states and transitions
– Summation of above workflow

Page 27: Future Architecture Workflow

Transitions through states can be triggered by various events
– Connections
– Disruptions
– Change in endpoint network stack
– Active scanning
– Passive detection
Event detection causes a policy decision
– Possible enforcement action
– Transition to next state

Page 28: Policy Evaluation

Can be applied in any state
Host can move from “final” state to policy state due to external action

[Figure: Workflow Diagram. External Event Occurs – Policy Decision Check Required → Policy Decision (Lookup to Policy Repository) → one of three outcomes: Policy Action: None Required; Policy Action: Move to new state (Network Transitions to New State: Detection, Isolation, Notification, Remediation); Policy Action: Enforcement Action Required (Policy Enforcement Applied; take enforcement action and return to Policy Decision). Network transitions to a fully compliant or non-compliant final state.]

Page 29: Future Architecture Workflow

Process oriented
A drill down of state transitions in future NetAuth systems
Iterative policy decisions
Policy compliance/non-compliance determined by summation of policy decisions
– Based on local criteria

Page 30: Future Architecture States

The network cycles through various well-defined states while determining policy compliance
Transitions between states are defined by the workflow above
Provides a taxonomy of these states
Represents the lifecycle of an endpoint during policy determination

Page 31: State Transitions

Any Policy Determination State can move to “Final” State
External events cause transition back to Determination State
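The workflow and state model of pages 26 through 31 as a small policy engine, an added example that is not the project's architecture document or any vendor's code: every external event triggers a policy decision against a repository, the decision yields one of the three policy actions from the workflow diagram, an enforcement action returns to the decision point, a determination state can reach a final state, and an external event moves a host in a final state back into determination. The policy checks, the remediation limit, the event names and the host data are all constructed.

```python
# Added example, not from the presentation: a toy NetAuth policy engine
# following the workflow/state diagram in the slides. Policy checks,
# the remediation limit, event names and host data are constructed.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple


class State(Enum):
    REGISTRATION = "registration"    # initial state
    DETECTION = "detection"
    ISOLATION = "isolation"
    NOTIFICATION = "notification"
    REMEDIATION = "remediation"
    COMPLIANT = "compliant"          # final states
    NON_COMPLIANT = "non_compliant"


FINAL = {State.COMPLIANT, State.NON_COMPLIANT}
POLICY = ("registered", "patched", "av_current")   # constructed policy repository
MAX_REMEDIATION_ATTEMPTS = 2                        # constructed local criterion


@dataclass
class Host:
    mac: str
    state: State = State.REGISTRATION
    checks: Dict[str, bool] = field(default_factory=dict)
    decisions: List[Tuple[str, str, str]] = field(default_factory=list)  # (event, state, action)
    enforcement: List[str] = field(default_factory=list)
    remediation_attempts: int = 0


def policy_decision(host: Host) -> Tuple[str, State]:
    """Lookup to the policy repository: returns (policy action, next state).
    Can be applied in any state; only failing checks move a host onward."""
    failing = [c for c in POLICY if not host.checks.get(c, False)]
    if not failing:
        return "none_required", State.COMPLIANT
    s = host.state
    if s is State.REGISTRATION:
        return "move_to_new_state", State.DETECTION
    if s is State.DETECTION:
        return "enforcement_required", State.ISOLATION
    if s is State.ISOLATION:
        return "move_to_new_state", State.NOTIFICATION
    if s is State.NOTIFICATION:
        return "move_to_new_state", State.REMEDIATION
    # Remediation: the summation of repeated failing decisions decides non-compliance.
    host.remediation_attempts += 1
    if host.remediation_attempts > MAX_REMEDIATION_ATTEMPTS:
        return "move_to_new_state", State.NON_COMPLIANT
    return "move_to_new_state", State.REMEDIATION


def handle_event(host: Host, event: str, findings: Dict[str, bool]) -> State:
    """An external event (connection, scan result, ...) triggers a decision check."""
    host.checks.update(findings)
    if host.state in FINAL:
        host.state = State.DETECTION   # external event: back to a determination state
    while True:
        action, nxt = policy_decision(host)
        host.decisions.append((event, host.state.value, action))
        host.state = nxt
        if action != "enforcement_required":
            return host.state
        host.enforcement.append(f"{host.mac}: quarantine applied")  # then back to decision


def walkthrough() -> List[str]:
    """Constructed scenario for one host; returns the state after each event."""
    h = Host("00:11:22:33:44:55")
    steps = [("connection", {"registered": True, "patched": False, "av_current": True}),
             ("active_scan", {}), ("user_acknowledged", {}),
             ("rescan", {"patched": True}), ("stack_change", {"av_current": False})]
    return [handle_event(h, ev, f).value for ev, f in steps]
```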

Page 32: Future Components Document

Pre-draft stage
What are the components that comprise a NetAuth system?
How do these components:
– Communicate
– Interoperate
– Modularize
Application to use-cases

Page 33: Why Develop Futures Documents?

NetAuth systems are complex
There is a mix of commercial and open-source offerings
Complexity is obscuring our understanding of how they work
As ‘Strategies’ provided a baseline for the current deployments, this effort will help us analyze future systems

Page 34: FWNA Interactions

We (will) deploy NetAuth systems to federated environments (like FWNA)
– To ensure endpoint policy compliance
What if the home institution policies vary from the visited institution?
How do we notify the user if they are a guest?
– Identifiers may be opaque

Page 35: FWNA Interactions

Understanding NetAuth in a federated environment is a challenge
– Deployment constraints
– Policy enforcement consequences
We can’t understand how NetAuth works in a federated environment until we have a consistent taxonomy to discuss them

Page 36: Join the NetAuth Group

All documents available from http://security.internet2.edu/netauth
Biweekly Conference Calls
– Thursday 12pm-1pm (EDT): May 12, May 26
– 866-411-0013, 0122644
salsa-netauth @ internet2 list
– “subscribe salsa-netauth” to sympa @ internet2