• No results found

User-group-based Security Policy for Service Layer

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "User-group-based Security Policy for Service Layer"

Copied!
14
0
0

Loading.... (view fulltext now)

Download now ( 14 Page )

Full text

(1)

User-group-based Security Policy

for Service Layer

Jianjie You ([email protected]) Myo Zarny ([email protected])

Christian Jacquenet ([email protected]) Mohamed Boucadair ([email protected]) Yizhou Li ([email protected] )

Sumandra Majee ([email protected])

(2)

Nanjing Beijing Silicon Valley Controller WAN/Internet User: xxx Location: Beijing Network Resource Network Resource Network Resource

Increasing demands of business mobility, anytime, anywhere collaboration, etc. introducing challenges to network security management and enforcement

(3)

ACL, VLAN

Traditional Network Access Control

• Access the network typically from their own

static location – from their assigned switch, VLAN, IP subnet, etc.

• MAC or IP address of the users’ device is often used as a proxy for the user’s identity. As such, filtering (e.g., via ACLs) of the user is usually based on IP or MAC addresses.

• Authentication of the user by the network, typically takes place only at the ingress switch

• Network security functions such as firewalls often act only on IP addresses and ports - not on user identity.

(4)

ACL, VLAN

Challenges for Traditional NAC

• Both clients and servers can move and

change their IP addresses on a regular basis

• Need to apply different security policies to

the same set of users under different circumstances

• Implementation of coherent security policy

across several network and network security devices is almost impossible.

(5)

UAPC Framework

Smartphone Tablet Laptop Devices PC Access Networks 3G/LTE Public WiFi ADSL AP ... Enterprise HQ Data Center ...

Multi-technology network High security across the entire network

PDP

(policy, security, management)

The User-group Aware Policy Control (UAPC) approach is intended to facilitate the consistent enforcement of policies, e.g., whether these terminal devices connect to a wired or a wireless infrastructure, security policies should be enforced consistently based on their user-group identities.

(6)

UAPC Framework

Goal: Apply appropriate user-group identity-based network

security policies on NSFs throughout the network

Wireless User Wired User Remote User Policy Server Site 1 Site 2 Site 3 Security Controller Step 2 Network Security Functions Network Security Functions Orchestrator Step 1 Step 4 Step 3 Step 4

(7)

UAPC Functional Entities

Policy Server

 Holds group placement criteria by which users are assigned to their user-group

 Holds rule base of what each user-group has access to

Security Controller

 Coordinates various network security-related tasks on NSFs under its domain

Network Security Functions

 Packet classification  Policy enforcement

(8)

User Group

 Identifier that represents the collective identity of a group of users

 Determined by predefined policy criteria (e.g., source IP, geolocation,

time of day, device certificate, etc.)

 Used in lieu of IP, MAC addresses, etc.

Group Name Group ID Group Definition

R&D 10 R&D employees

R&D BYOD 11 Personal devices of R&D

employees

Sales 20 Sales employees

VIP 30 VIP employees

Workflow 40 IP addresses of Workflow

resource servers

R&D Resource 50 IP addresses of R&D

resource servers

Sales Resource 54 IP addresses of Sales

(9)

Inter-Group Policy Enforcement

Key components

1. User-group-to-user-group access policies – think “firewall rule-base but

with user-groups instead of IPs and ports”

2. Sets of NSFs on which individual policies need to be applied

Destination Group Source Group Workflow Group R&D Resource Group Sales Resource Group

R&D group Permit Permit Deny

R&D BYOD group Permit Deny Deny

Sales group Permit Deny Permit

(10)

Inter-Group Policy

User using an unregistered device Executive Demilitarized zone (DMZ) General service Common service Limited service Important service Core service Authentication domain Unauthorized user Insecure user

Guest Common BYOD user

Partner

User at office hours User at non-office hours

(11)

UAPC Implementation

Wireless User Wired User Remote User Policy Server Site 1 Site 2 Site 3 Security Controller Step 2 Network Security Functions Network Security Functions Orchestrator Step 1 Step 4 Step 3 Step 5

1. User-group identification policies and inter-user-group access polices on the Policy Server are managed by the authorized team(s).

2. The user-group-based policies are implemented on the NSFs under the Security Controller’s management.

3. When a given user first comes up on the network, the user is authenticated at the ingress switch.

4. If the authentication is successful, the user is placed in a user-group, as determined by the Policy Server.

5. The user’s subsequent traffic is allowed or permitted based on the user-group ID by the NSFs per the inter-user-group access policies

(12)

Requirements for I2NSF

Key aspects of the UAPC framework falls within the Service Layer of the I2NSF charter. If the community adopts the approach as one possible framework for the Service Layer, the I2NSF Service Layer MUST support at least the following northbound APIs (NBIs):

 The user-group classification policy database on the Policy Server  The inter-user-group access policy rule-base on the Policy Server  The inventory of NSFs under management by the Security Controller.

 The list of NSFs on which a given inter-user-group policy is to be implemented by the Security Controller.

(13)

Next Steps

Solicit comments and suggestions on the

mailing list

(14)

References

Download now ( PDF - 14 Page - 725.11 KB )

Related documents

The NEXT Downtown Living Tour St. Louis First to Pilot Disaster- Preparedness Program 50 to 70% Energy Savings with Roberts Tower

With more than one million cars traversing roads in five nations, environmental issues fueled the concern of Enterprise Rent-A-Car Chairman and CEO Andy

Brain regions concerned with the identification of deceptive soccer moves by higher-skilled and lower-skilled players

Higher-skilled players showed significantly greater activation than lower-skilled players in a subset of AON areas; and lower-skilled males in turn showed greater activation

Fingerprints

Information such as pattern type, friction ridges, flexion creases, major ridge deviations, sequence, and how the two compare to the exemplar print are considered.. E—Evaluation:

Installation Guide. Websense Web Security Websense Web Filter

– RADIUS Agent, alone or with one of the above agents Linux (See footnote 1.) Š Policy Broker Š Policy Database Š Policy Server Š Filtering Service Š User Service Š Network Agent

Herbs Magickal and Otherwise

Chondrus crispus Planet: Moon Element: Water Description: Seaweed Part Used: Whole plant Uses: Money, luck, protection Ivy Hedera sp. Planet: Saturn Element: Water

> Please fill your survey to be eligible for a prize draw. Only contact info is required for prize draw Survey portion is optional

SiteMinder Policy Rule or Rule Group Users or Groups In a Directory Response or Response Group = Allows or denies access to resource User, Groups Exclusions, Roles + + Action

Policy and the Windows Server 2003 Group Policy Management Console

• Local Computer Policy: As mentioned earlier, each Windows 2000, Windows XP, or Windows Server 2003 computer has a local Group Policy object which has many settings in common

SENIOR RESEARCH. Topic: Healthcare System Comparison: A Case of Switzerland and Thailand. NAME: Nirin Sriurairuttana ID:

MOPH The Healthcare Accreditation Institute Health Facilitiees National Institute for Emergency Medicine Thai Health Promotion Foundation Central Administration