IF-MAP Use Cases: Real-Time CMDB, and More – Jisc
TRANSCRIPT
© 2009 Infoblox Inc. All Rights Reserved.
IF-MAP Use Cases: Real-Time CMDB, and More
Richard Kagan EVP / General Manager Orchestration Systems Business Unit
IF-MAP: A Powerful New Standard
IF-MAP = Interface to Metadata Access Points
An open protocol standard published (free) by the Trusted Computing Group
– Available since April, 2008
– Version 2.0 released August, 2010
Pub/sub database - Like Facebook for IP devices and systems
Supports a wide array of applications:
– Multi-Vendor Network Security (NAC)
– Compliance Management
– Asset Management
– Smart Grid
– Network Automation / Cloud Computing
Could do for data sharing what IP did for connectivity
The Integration Challenge
[Diagram: applications and management systems (Supply Chain Mgmt, Smart Grid, CRM, HR, ERP, CMDB, SIEM, Asset Mgmt, IPAM) wired point-to-point to the infrastructure (Network Security, DNS, DHCP, AAA, Switches, Routers, Building Controls, Factory Controls, Network, Location) using SNMP, Syslog, Netflow and custom integration through APIs and scripts]
The result is:
• Complex
• Costly
• Brittle
• High Maintenance
From Integration to Orchestration with IF-MAP
[Diagram: the same applications, management systems (Supply Chain Mgmt, Smart Grid, CRM, HR, ERP, CMDB, SIEM, Asset Mgmt, IPAM) and infrastructure (Network Security, DNS, DHCP, AAA, Switches, Routers, Building Controls, Factory Controls, Network, Location), each connected to one central IF-MAP Server over the IF-MAP Protocol (Publish, Subscribe, Search) instead of to each other]
Automatically aggregates, correlates, and distributes data to and from different systems, in real time
IF-MAP Doesn’t Replace Existing Systems & Applications – It Enables Them to Easily Share Data
[Diagram: an IF-MAP Server at the centre, shared by the systems that make Decisions (Control), the Sensors & Actuators, and the Provisioning, Visualization & Analytics systems (Management); example data sources are Network Security, Physical Security, Network Location, …]
IF-MAP Components
IF-MAP Server and IF-MAP Client(s)
3 MAP Client Operations: Publish, Subscribe, Search
3 MAP Server Objects: Identifiers, Links, Metadata
Example metadata held in the MAP for one identity:
– User Name = John Doe
– Department = Sales
– distinguished-name = C=US, O=myco, OU=people, CN=12534
– employee-attribute = active
– role = access-finance-server-allowed
– failed-login-attempts = 3, login-status = allowed
IF-MAP Access Operations
Publish – “Tell others that…<metadata…>”
– Clients store metadata into MAP for others to see
– Example: Authentication server publishes when a user logs in (or out)
Search – “Tell me if…match(metadata pattern)”
– Clients retrieve published metadata associated with a particular identifier and linked identifiers
– Example: An application can request the current physical location of the user
Subscribe – “Tell me when…match(metadata pattern)”
– Clients request asynchronous results for searches that match when others publish new metadata
– Example: Tell me when any user’s status goes from “employee” to “terminated”
IF-MAP Server Objects
Identifiers All objects are represented by unique identifiers
Links Connote relationships between pairs of identifiers
Metadata Attributes attached to Identifiers or Links
Typical Data Types:
– Identifiers: Identity, IP address, MAC address, Session ID, Device
– Metadata:
  – AAA info (authenticated, role, capabilities/policies)
  – Device info (AV running, OS level, screen size, etc.)
  – Event info (unauthorized access attempt, etc.)
  – Layer 2 info (port, VLAN), location, etc.
  – Many others, plus user-defined
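The three client operations and the three server objects above, as one runnable model. This is an added example written for this transcript, not Infoblox or Trusted Computing Group code: the real protocol is SOAP/XML over TLS with session management, which this toy omits. The identifier and metadata names (identity John, access-request 113:3, authenticated-as, capability, access-request-mac, ip-mac, the MAC and IP values) are the ones the slides use; the `MapServer` class, its method names, the string metadata values and the subscription depth are assumptions made for the example.

```python
"""Added example: an in-memory model of a MAP server (identifiers, links,
metadata) and the publish / search / subscribe client operations. Not
Infoblox or TCG code; the real protocol is SOAP/XML over TLS."""
from collections import defaultdict

# An identifier is a (type, value) pair, e.g. ("identity", "John").


def _link_key(a, b):
    """Links are undirected, so store the two endpoints in a canonical order."""
    return tuple(sorted((a, b)))


class MapServer:
    def __init__(self):
        self.identifier_meta = defaultdict(dict)  # identifier -> {name: value}
        self.link_meta = defaultdict(dict)        # link key -> {name: value}
        self.neighbours = defaultdict(set)        # identifier -> linked identifiers
        self.subscriptions = []                   # (name, start, max_depth, callback)

    # Publish: "tell others that ..."
    def publish(self, identifier, metadata, link_to=None, delete=False):
        """Attach metadata to an identifier, or to the link identifier<->link_to
        when link_to is given; delete=True removes those metadata names instead.
        Every publish re-evaluates subscriptions whose search reaches the
        identifiers touched, which is what makes the MAP a pub/sub database."""
        if link_to is None:
            store = self.identifier_meta[identifier]
            touched = {identifier}
        else:
            store = self.link_meta[_link_key(identifier, link_to)]
            self.neighbours[identifier].add(link_to)
            self.neighbours[link_to].add(identifier)
            touched = {identifier, link_to}
        if delete:
            for name in metadata:
                store.pop(name, None)
        else:
            store.update(metadata)
        self._notify(touched)

    # Search: "tell me if ..."
    def search(self, start, max_depth=1):
        """Breadth-first walk from start, following links up to max_depth hops;
        returns the metadata on every identifier and link reached."""
        result = {"identifiers": {}, "links": {}}
        seen, frontier = {start}, [start]
        for depth in range(max_depth + 1):
            next_frontier = []
            for ident in frontier:
                result["identifiers"][ident] = dict(self.identifier_meta.get(ident, {}))
                if depth == max_depth:
                    continue
                for nb in self.neighbours.get(ident, ()):
                    key = _link_key(ident, nb)
                    result["links"][key] = dict(self.link_meta.get(key, {}))
                    if nb not in seen:
                        seen.add(nb)
                        next_frontier.append(nb)
            frontier = next_frontier
        return result

    # Subscribe: "tell me when ..."
    def subscribe(self, name, start, callback, max_depth=1):
        """Register a standing search; callback(name, result) runs on each change."""
        self.subscriptions.append((name, start, max_depth, callback))

    def _notify(self, touched):
        for name, start, max_depth, callback in self.subscriptions:
            result = self.search(start, max_depth)
            reached = set(result["identifiers"]).union(*result["links"])
            if touched & reached:
                callback(name, result)


def demo():
    """The slides' remote-access sequence: the UAC publishes John's session and
    subscribes to it; when the DHCP server later publishes the lease, the UAC's
    subscription fires and its result already contains the new IP (step 12).
    Metadata values below are constructed; the names come from the slides."""
    server = MapServer()
    fired = []
    john = ("identity", "John")
    session = ("access-request", "113:3")
    mac = ("mac-address", "00:11:22:33:44:55")
    ip = ("ip-address", "192.0.2.7")
    server.publish(john, {"authenticated-as": "yes"}, link_to=session)      # step 6
    server.publish(session, {"capability": "access-private-applications"})  # step 6
    server.publish(session, {"access-request-mac": "yes"}, link_to=mac)     # step 6
    server.subscribe("uac-john", john, lambda name, res: fired.append(res), max_depth=3)  # step 7
    server.publish(ip, {"ip-mac": "lease"}, link_to=mac)                    # step 11
    return fired
```

Subscriptions are evaluated as searches on every publish, so a subscriber sees exactly what a fresh search would return, including metadata published by other clients it never talked to; that is the correlation the "Tell me when…" operation buys. A real server also scopes what each client may publish and search (the slides list fine-grained client authorization as a server feature), which this model leaves out.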
CMDB Objectives
Provide an up-to-date repository of IT assets, configuration, and state
Automate reporting and compliance
Enable dynamic reconfiguration
Better utilize assets
Minimize downtime
Typical CMDB Discovery Process
[Diagram: a CMDB server (Discovery Engine, Topology Builder) invokes Discovery Sensors / Agents on the Managed Network and loads the Discovery Results into the CMDB]
- Discoveries take ~2 hrs to 24 hrs
- Some devices and configurations are never discovered
- Discoveries create extensive network loads
IF-MAP for CMDB
IF-MAP Can Address Many Shortcomings of Conventional CMDBs
Real-Time CMDB enabled by IF-MAP
CMDB Federation (CMDBf) enabled by IF-MAP
- Share data across independent CMDBs
- Increase Scalability
Use Case: Real-Time CMDB
[Diagram: an Infoblox DHCP Server acting as MAP Client publishes each new lease (e.g. 10.0.1.57) to the Infoblox MAP Server; the MAP Database holds IP identifiers (IP= 10.0.1.57, IP= 10.0.1.17, IP= 10.0.1.55) and MAC identifiers (MAC = 00:11:11:33:44:55, MAC = 00:11:22:33:44:55, MAC = 00:11:AA:33:44:55) joined by IP-MAC links; the CMDB Server (Discovery Engine, Topology Builder) receives the published change and updates the CMDB, while the slower path of invoking discovery through the Discovery Sensors / Agents on the Managed Network and loading the Discovery Results remains available]
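The publish step of the real-time CMDB use case above, end to end: the message a DHCP server sends for a new lease, and the CMDB-side code that parses it and updates its IP-to-MAC table. This is an added example written for this transcript, not NIOS, IBOS or CMDB vendor code. The SOAP, IF-MAP and metadata namespace URIs and the element names (`publish`, `update`, `ip-address`, `mac-address`, `ip-mac` with `start-time`, `end-time`, `dhcp-server`) are assumptions taken from memory of the IF-MAP 2.0 specification rather than from the slides; check them against the spec on trustedcomputinggroup.org. The lease times, the DHCP server name, the session id and the pairing of the slide's IPs with its MACs are constructed.

```python
"""Added example (not Infoblox/NIOS or CMDB vendor code): build the IF-MAP 2.0
publish request a DHCP server sends for new leases, and parse the same message
on the CMDB side into (ip, mac, lease) rows. Namespaces and element names are
recalled from the IF-MAP 2.0 spec, not taken from the slides; verify them."""
import xml.etree.ElementTree as ET

NS = {
    "env": "http://www.w3.org/2003/05/soap-envelope",                  # SOAP 1.2 (assumed)
    "ifmap": "http://www.trustedcomputinggroup.org/2010/IFMAP/2",       # IF-MAP 2.0 (assumed)
    "meta": "http://www.trustedcomputinggroup.org/2010/IFMAP-METADATA/2",  # standard metadata (assumed)
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)


def q(prefix, tag):
    """Clark-notation tag name for ElementTree, e.g. '{uri}publish'."""
    return f"{{{NS[prefix]}}}{tag}"


def build_ip_mac_publish(session_id, leases):
    """leases: iterable of (ip, mac, start, end, dhcp_server). One <update> per
    lease, each linking an ip-address identifier to a mac-address identifier with
    ip-mac metadata. lifetime="session" means the link disappears if the DHCP
    client's MAP session ends, so stale leases do not outlive their publisher."""
    env = ET.Element(q("env", "Envelope"))
    body = ET.SubElement(env, q("env", "Body"))
    pub = ET.SubElement(body, q("ifmap", "publish"), {"session-id": session_id})
    for ip, mac, start, end, server in leases:
        upd = ET.SubElement(pub, "update", {"lifetime": "session"})
        ET.SubElement(upd, "ip-address", {"value": ip, "type": "IPv4"})
        ET.SubElement(upd, "mac-address", {"value": mac})
        md = ET.SubElement(upd, "metadata")
        ipmac = ET.SubElement(md, q("meta", "ip-mac"), {"ifmap-cardinality": "singleValue"})
        ET.SubElement(ipmac, "start-time").text = start
        ET.SubElement(ipmac, "end-time").text = end
        ET.SubElement(ipmac, "dhcp-server").text = server
    return ET.tostring(env, encoding="unicode")


def parse_ip_mac_publish(xml_text):
    """CMDB client side: return one dict per ip-mac link in the message, or raise
    ValueError when the message is not a publish or an update lacks an identifier,
    so a malformed message is rejected rather than half-applied."""
    root = ET.fromstring(xml_text)
    pub = root.find("env:Body/ifmap:publish", NS)
    if pub is None:
        raise ValueError("not an IF-MAP publish request")
    rows = []
    for upd in pub.findall("update"):
        ip = upd.find("ip-address")
        mac = upd.find("mac-address")
        ipmac = upd.find("metadata/meta:ip-mac", NS)
        if ip is None or mac is None or ipmac is None:
            raise ValueError("update is not an ip-mac link")
        rows.append({
            "ip": ip.get("value"),
            "mac": mac.get("value").lower(),   # normalise MAC case before comparing
            "start": ipmac.findtext("start-time"),
            "end": ipmac.findtext("end-time"),
            "dhcp_server": ipmac.findtext("dhcp-server"),
        })
    return rows


def update_cmdb(cmdb, rows):
    """Apply parsed leases to a dict keyed by IP; return the IPs whose MAC changed,
    the events a CMDB would flag instead of waiting for the next discovery run."""
    changed = []
    for row in rows:
        if cmdb.get(row["ip"], {}).get("mac") != row["mac"]:
            changed.append(row["ip"])
        cmdb[row["ip"]] = row
    return changed


# Constructed sample: two of the identifiers on the slide, with made-up lease times
# and DHCP server name; the IP/MAC pairing is constructed, not read off the slide.
SAMPLE_LEASES = [
    ("10.0.1.57", "00:11:11:33:44:55", "2010-11-01T09:00:00Z", "2010-11-01T17:00:00Z", "dhcp-a"),
    ("10.0.1.55", "00:11:22:33:44:55", "2010-11-01T09:05:00Z", "2010-11-01T17:05:00Z", "dhcp-a"),
]

if __name__ == "__main__":
    message = build_ip_mac_publish("constructed-session-id", SAMPLE_LEASES)
    table = {}
    print(update_cmdb(table, parse_ip_mac_publish(message)))
```

The parser deliberately refuses anything that is not a publish of ip-mac links: a CMDB that accepts arbitrary metadata from any MAP client would let a mis-configured or compromised publisher rewrite its asset records, so the server-side client authorization the slides mention and a strict consumer belong together.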
Use Case – Solution for Policy-Based Remote Access
[Diagram: Cisco 3750 Switch; Infoblox HA Pair DHCP/DNS Appliance; Juniper IC 4000 UAC with AAA; Juniper SSG Firewall in front of the Private Applications; Infoblox HA Pair MAP Server; endpoint User = John on a Windows 802.1X Client with MAC 00:11:22:33:44:55]
MAP Database contents after the sequence: identity = John, linked by Authenticated-as to Access-request = 113:3 (Capability = access-private-applications), linked by Access-request-mac to MAC = 00:11:22:33:44:55, linked by IP-MAC to IP = 192.0.2.7
1- Endpoint plugs in
2- SW sends EAP Start
3- Supplicant sends credentials
4- SW sends RADIUS credential to UAC
5- UAC does auth. lookup
6- UAC publishes to MAP
7- UAC subscribes to MAP
8- UAC sends RADIUS accept to SW
9- SW opens port
10- Endpoint requests DHCP
11- DHCP sends MAC-IP metadata to MAP
12- MAP sends IP-MAC to UAC
13- UAC activates L3 access on FW
14- Endpoint generates traffic
CHANGE? CHANGE!
Use Case – Integrated Network / Physical Security Solution
[Diagram: Juniper IC 4000 UAC Appliance, Infoblox MAP Server, Hirsch System (Physical Sensor / card reader), Cisco 3750 Switch, Juniper SSG Firewall in front of the Classified Network, with Secure Zone 1 and Zone 2; the MAP Database holds identity = John (location = Zone 1, later Zone 2) linked by authenticated to Access-request = 113:3]
1- Employee (John) enters Zone 1
2- Hirsch system publishes to the MAP server (Publish: John in Zone 1)
3- Employee requests access to the network (Access Request)
4- UAC publishes to the MAP server (Publish: John is Authenticated; Session ID 113:3)
5- UAC subscribes to the MAP server (Subscribe: Changes to Session 113:3)
6- UAC grants access to the corporate network (Grants Access Request)
7- Employee connects to the classified network
8- Employee leaves Zone 1, while still logged in
9- Card reader publishes the update to the MAP (Publish: John in Zone 2)
10- MAP updates UAC about the location change (Subscription Update: John in Zone 2)
11- UAC updates firewall policy to block access (Policy Violation: Access Cut Off)
12- UAC publishes the update to the MAP (Publish (delete): John is Authenticated)
CHANGE? CHANGE!
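The decision the UAC makes at steps 10 to 12 above, as an added example written for this transcript rather than Juniper or Infoblox code. The poll-result shape (a list of identifiers with their metadata, everything reachable from the session) and the zone policy are constructed for the example; the identity, session id and zones are the ones on the slide. The example generalises the slide slightly: it handles both the location change (step 10) and the later deletion of the authenticated metadata (step 12), and it fails closed when the holder's location is unknown.

```python
"""Added example, not Juniper/Infoblox code: the policy decision a UAC-style MAP
client makes on each subscription update for session 113:3. Poll results are
modelled as a list of ((identifier_type, value), metadata_dict) entries; the
zone policy and capability name are constructed for the example."""

# Constructed policy: a capability may only be exercised from these physical zones.
ZONE_POLICY = {"classified-network": {"Zone 1"}}


def evaluate_session(session_id, poll_result, zone_policy=ZONE_POLICY):
    """Return ("allow", reason) or ("revoke", reason) for one poll result.
    Fails closed: a session no longer marked authenticated, or whose holder's
    location is unknown, is revoked rather than allowed by default."""
    identity = None
    location = None
    authenticated = False
    capabilities = set()
    for (itype, value), meta in poll_result:
        if itype == "access-request" and value == session_id:
            authenticated = bool(meta.get("authenticated", False))
            if "capability" in meta:
                capabilities.add(meta["capability"])
        elif itype == "identity":
            identity = value
            location = meta.get("location")
    if not authenticated:
        return ("revoke", f"session {session_id} is no longer authenticated")
    for cap in sorted(capabilities):
        allowed = zone_policy.get(cap)
        if allowed is not None and location not in allowed:
            return ("revoke", f"{identity} holds {cap} but is in {location}")
    return ("allow", f"{identity} in {location} within policy")


def replay(session_id, poll_results, zone_policy=ZONE_POLICY):
    """Process successive poll results and return the enforcement actions taken.
    Only transitions are recorded, so repeated unchanged updates emit nothing
    and the firewall is not re-programmed on every poll."""
    actions = []
    state = None
    for result in poll_results:
        decision, reason = evaluate_session(session_id, result, zone_policy)
        if decision != state:
            actions.append((decision, reason))
            state = decision
    return actions


# Constructed replay of slide steps 4-5 (authenticated in Zone 1), step 10
# (location changed to Zone 2) and step 12 (authenticated metadata deleted).
STEP_4_5 = [(("access-request", "113:3"), {"authenticated": True, "capability": "classified-network"}),
            (("identity", "John"), {"location": "Zone 1"})]
STEP_10 = [(("access-request", "113:3"), {"authenticated": True, "capability": "classified-network"}),
           (("identity", "John"), {"location": "Zone 2"})]
STEP_12 = [(("access-request", "113:3"), {"capability": "classified-network"}),
           (("identity", "John"), {"location": "Zone 2"})]

if __name__ == "__main__":
    for action in replay("113:3", [STEP_4_5, STEP_10, STEP_12]):
        print(action)
```

Because the MAP search returns the whole neighbourhood of the session, the location sensor and the authentication server never need to know about each other; the UAC correlates their metadata in one place and is the only component that has to change when the policy changes.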
Use Case: Federated IF-MAP Servers for UK EDUROAM Service
• Enables login at remote universities / research centers using home login credentials
• Serves 1.9 million users across 850 locations
• Enabled today using RADIUS Proxy
• Service provider (JANET) maintains database of roaming activity
[Diagram: Univ A, Univ B, Univ C and Univ D each run a Radius Server; Roaming Users (e.g. Bbaker, Roaming from University D) are authenticated through the JANET Radius proxy, which answers OK! to the visited site]
IF-MAP Federation for Next Gen EDUROAM Service
• Local RADIUS servers replaced by RADSEC servers
– RADSEC servers communicate directly – no need for proxy
– JANET no longer sees RADIUS transactions, no view of roaming activity
• IF-MAP Federation provides a solution:
– Local RADSEC servers publish user/location data to local MAP server
– JANET’s central MAP server subscribes to changes on university MAP servers
[Diagram: Univ A, Univ B, Univ C and Univ D each run a RADSEC server and a Local IF-MAP Server; the RADSEC servers talk to each other directly (e.g. Jjames, Roaming from University B); JANET’s Central IF-MAP Server holds Federation Subscriptions to each local server and feeds an IF-MAP Client]
Infoblox NIOS Appliances Support IF-MAP
Publishes DHCP lease information to any compliant IF-MAP server
Other systems can subscribe to updates
Enables real-time orchestration
[Diagram: an Infoblox NIOS Appliance (DNS, DHCP, IPAM) sends DHCP Lease Information (IP, MAC, Start, Duration, etc.) over IF-MAP to an IF-MAP Server]
Infoblox Orchestration Server (IBOS) Provides Robust IF-MAP Infrastructure
Fully compliant with TCG standard
Proven interoperability with other IF-MAP compliant products
Unique Infoblox capabilities
– IF-MAP 2.0 compliant
– Lossless HA
– Fine-grained client authorization
– Data browser, extensive logging
– IF-MAP Federation
– Custom Identifiers
[Diagram: the Infoblox Orchestration Server connected to IF-MAP Client Systems such as Network Security, Physical Security, Network Location, …]
Resources – Documentation & Freeware
3 minute video on IF-MAP on Orchestration/IF-MAP Solutions page on infoblox.com
www.if-map.org – IF-MAP community Web site
– Includes links to open source IF-MAP servers and other resources
www.juniper.com – Information about Infranet Controller: us/en/products-services/security/uac/#overview
www.trustedcomputinggroup.org – Complete protocol specs, information on TPM, TNC, Trusted Storage and related topics
Infoblox IF-MAP Starter Kit (FREE)
– VMware IF-MAP appliance
– Client simulator
– Open-source client stacks (PERL, java, C++)
– Open-source SNMP-MAP Bridge
Calling All Innovators!
Announcing the IF-MAP Innovation Awards
The Goal: Demonstrate innovative uses of IF-MAP
The Awards:
– 1st Prize: 5,000 GBP
– 2nd Prize: 3,000 GBP
– 3rd Prize: 2,000 GBP
Proposals due 30 June, 2011
Submissions due 1 March, 2012
Offered to all students, faculty & researchers on the JANET (UK) Network
Winners announced at Networkshop 2012
Questions: [email protected]