SALSA-NetAuth
Joint Techs, Vancouver, BC
July 2005
Agenda
NetAuth background
NetAuth Strategies Document
NetAuth Architecture Documents
Applicability to federated network access environments
What do we do next?
SALSA-NetAuth Charter
The SALSA-NetAuth Working Group will consider the data requirements, implementation, integration, and automation technologies associated with understanding and extending network security management related to:
1. Authorized network access (keyed by person and/or system)
2. Style and behavior of transit traffic (declarative and passive)
3. Forensic support for investigation of abuse
SALSA-NetAuth Working Group: Initial activities
Investigation of requirements and implementations of network database and registration services in support of network security management. – Complete, Strategies Document
Investigation of extensions to these services to proactively detect and prevent unauthorized or malicious network activity. – Strategies Document, Architecture Documents
Analysis and proposal toward a pilot and eventual implementation to support network access to visiting scientists among federated institutions. – In Progress, Architecture Documents
Analysis of security applications that may result from extending these implementations. – Overarching all activities
SALSA-NetAuth Working Group: Roadmap
Outlines the activities of the SALSA-NetAuth working group and all related sub-groups.
Reflects the overall direction of the working group(s) and maintains consistency between the various efforts.
SALSA-NetAuth Working Group Roadmap, Christopher Misra, 25 April 2005, http://security.internet2.edu/netauth/#Docs
SALSA-NetAuth Working Group: Initial Deliverables
Investigation of extensions to these services to proactively detect and prevent unauthorized or malicious network activity.
Strategies for Automating Network Policy Enforcement, Eric Gauthier, Phil Rodrigues, 20 April 2005, Final draft 200504, http://security.internet2.edu/netauth/#Docs
Strategies for Automating Network Policy Enforcement
“(A) Structure and summary of approaches for automating technical policy enforcement as a condition for network access in colleges and universities”
Host isolation into specialized networks
Conditional network access
Initial document, not the final answer
Strategies for Automating Network Policy Enforcement
Preventative policy enforcement reduces the total number of technical security vulnerabilities and the success of a particular piece of malware or attack technique.
Isolation networks separate compromised and infected hosts from the rest of the network: they minimize the spread of infection and block external access from attackers.
Automated remediation systems have a positive impact on a large number of hosts with a relatively small time investment from computing staff.
Strategies for Automating Network Policy Enforcement
The Common Process: five steps
Registration, Detection, Isolation, Notification, Remediation
Not necessarily in this order.
Where are we focusing current and future energies?
Architecture document(s)
How do we make NetAuth a designed infrastructure rather than an organic one?
We need a model to analyze these systems.
How do we apply NetAuth systems to federated environments (like FWNA/eduroam)?
What components implement this architecture?
Architecture Document
A framework to develop standardized mechanisms and detailed descriptions of how to directly implement policy enforcement using existing devices.
NetAuth Architecture for Automating Network Policy Enforcement, Kevin Amorin, Eric Gauthier, July 2005, Draft 03, http://security.internet2.edu/netauth/#Docs
Architecture Document – Draft 03
To detail a policy enforcement architecture for network access.
For analysis in both intra-campus and federated environments
A guide for the development of new interoperable solutions.
Draft 04 out hopefully by mid-August
Architecture Document – Draft 03
Intended to be flexible, extensible, and interoperable with existing infrastructure.
Provides the necessary hooks to accommodate upcoming technologies such as federated authentication and authorization schemes (Shibboleth, etc.).
Describes how networks can implement network access policies even when network configurations and policies change dynamically.
Policy Determination Process: Workflow Diagram
Diagram elements: Detection; Policy Decision (lookup to Policy Repository); Policy Action: None Required; Policy Action: Move to new state (network transitions to new state); Policy Action: Enforcement Action Required (take enforcement action – Isolation, Notification, Remediation – and return to Policy Decision); Policy Enforcement applied (network transitions to a fully compliant or non-compliant final state); External Event Occurs (Policy Decision check required).
Policy determination is how the network determines whether or not a host is in compliance with network access policy.
Policy Determination Process: Network States
To implement network policy, hosts and networks should move through these states. Each time that a new state is entered, the network should follow the policy determination process.
Initial State: Offline
Layer 2 – Datalink: L2Init, L2Negotiation
Layer 3 – Network: L3Init, L3Negotiation
Layer 4 – Layer 7 Services: ServiceInit, ServiceNegotiation
Policy Class (final states): Compliant Hosts, Non-Compliant Hosts
During the Policy Determination Process, follow the Policy Decision Process whenever a new state is entered (see figure 1).
Transition Events (Host Changes, Network Changes) can cause the network to move from a final state back to any state within the Policy Determination Process.
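As an added illustration (not code from the SALSA-NetAuth documents), the following Python models the five-step common process and the policy determination process above: a host walks through the network states, a policy decision is looked up in a policy repository each time a new state is entered, and an enforcement action (isolation, notification, remediation) returns the host to the policy decision until it reaches a compliant or non-compliant final state; a transition event pulls a compliant host back into the process. The state names are taken from the slide; the PolicyRepository rules, Host fields, VLAN names, remediation functions and sample hosts are assumptions constructed for the example.

```python
"""Toy model of the NetAuth policy determination process.

Added example, not code from the SALSA-NetAuth documents.  State names come
from the architecture slides; the policy rules, Host fields, VLAN names and
remediation hooks are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    OFFLINE = "Offline"                         # initial state
    L2_INIT = "L2Init"                          # Layer 2 - Datalink
    L2_NEGOTIATION = "L2Negotiation"
    L3_INIT = "L3Init"                          # Layer 3 - Network
    L3_NEGOTIATION = "L3Negotiation"
    SERVICE_INIT = "ServiceInit"                # Layer 4 - Layer 7 services
    SERVICE_NEGOTIATION = "ServiceNegotiation"
    COMPLIANT = "Compliant"                     # final state
    NON_COMPLIANT = "NonCompliant"              # final state (host stays isolated)


# Order in which a host moves through the determination process.
ORDER = [State.OFFLINE, State.L2_INIT, State.L2_NEGOTIATION, State.L3_INIT,
         State.L3_NEGOTIATION, State.SERVICE_INIT, State.SERVICE_NEGOTIATION,
         State.COMPLIANT]


@dataclass
class Host:
    mac: str
    registered: bool = False      # Registration: known in the host database?
    vulnerable: bool = False      # Detection: flagged by a scanner or IDS?
    state: State = State.OFFLINE
    vlan: str = "none"            # "quarantine" = isolation network (assumed name)
    notices: list = field(default_factory=list)   # Notification log


class PolicyRepository:
    """Assumed rules keyed by state; each lookup yields one of the three policy
    actions in the workflow diagram: none / move / enforce (plus a reason)."""

    def decide(self, host, state):
        if state == State.L2_NEGOTIATION and not host.registered:
            return "enforce", "unregistered"     # no link-layer access until registered
        if state in (State.L3_NEGOTIATION, State.SERVICE_NEGOTIATION) and host.vulnerable:
            return "enforce", "vulnerable"       # no routed/service access while flagged
        if state == State.COMPLIANT:
            return "none", None                  # policy action: none required
        return "move", None                      # policy action: move to new state


def enforce(host, reason, remediators):
    """Enforcement action: Isolation, Notification, Remediation.  Returns True
    when remediation succeeded, so the caller returns to the policy decision."""
    host.vlan = "quarantine"
    host.notices.append(f"{host.mac}: isolated ({reason})")
    fix = remediators.get(reason)
    return fix is not None and fix(host)


def run_policy_process(host, repo, remediators, start=State.OFFLINE, max_rounds=20):
    """Walk a host through the network states with a policy decision on every
    state entry; returns the final state reached."""
    host.state = start
    index = ORDER.index(start)
    for _ in range(max_rounds):          # bound the loop if remediation never clears the cause
        action, reason = repo.decide(host, host.state)
        if action == "none":
            host.vlan = "production"     # assumed name for the normal network
            return host.state
        if action == "move":
            index += 1
            host.state = ORDER[index]
            continue
        if enforce(host, reason, remediators):
            continue                     # remediated: back to the policy decision
        host.state = State.NON_COMPLIANT # could not remediate: final state
        return host.state
    host.state = State.NON_COMPLIANT
    return host.state


def transition_event(host, repo, remediators, event):
    """A host change (transition event) pulls a host in a final state back into
    the determination process at the layer the event concerns."""
    if event == "vulnerability_detected":
        host.vulnerable = True
        return run_policy_process(host, repo, remediators, start=State.L3_INIT)
    raise ValueError(f"unknown transition event: {event}")


# Constructed remediation hooks: stand-ins for a self-registration portal and a patch service.
def register_via_portal(host):
    host.registered = True
    return True


def patch_host(host):
    host.vulnerable = False
    return True


REMEDIATORS = {"unregistered": register_via_portal, "vulnerable": patch_host}


def demo():
    """Three constructed hosts exercising the possible outcomes."""
    repo = PolicyRepository()
    new_host = Host(mac="00:11:22:33:44:55")                   # unregistered, clean
    run_policy_process(new_host, repo, REMEDIATORS)
    stuck = Host(mac="66:77:88:99:aa:bb", registered=True, vulnerable=True)
    run_policy_process(stuck, repo, {})                        # no remediation available
    clean = Host(mac="cc:dd:ee:ff:00:11", registered=True)
    run_policy_process(clean, repo, REMEDIATORS)
    transition_event(clean, repo, REMEDIATORS, "vulnerability_detected")
    return new_host, stuck, clean


if __name__ == "__main__":
    for h in demo():
        print(h.mac, h.state.value, h.vlan, h.notices)
```

The order of the five steps is deliberately not fixed in the model: registration is checked at Layer 2 and detection results at Layer 3 and above, and a host that is remediated re-enters the policy decision in the same state rather than restarting, which is the "not necessarily in this order" point from the Strategies document.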
Components Document
How do we apply the above model to physical (and virtual) network components?
Develop use cases and deployment scenarios
Understand interoperability of devices
Initial framework for possible code encouragement/development
Work in progress
How can you help?
Participate: the NetAuth Working Group is open to all members of the Educause / Internet2 community.
Contribute to future documents: these documents are still the beginning of what we hope to accomplish.
SALSA-NetAuth Working Group: Volunteers needed
Homepage: http://security.internet2.edu/netauth/index.html
Draft charter
Mailing list
Additional contacts: Steve Olshansky, Charles Yun, Christopher Misra