Slides - TERENA Networking Conference 2008


Massimo Villari
Setting up a security infrastructure at the
University of Messina:
practice and experience
Prof. Ing. Massimo Villari
Center on Information Technologies Development and Their Applications
[email protected]
Outline
• Research at UniMe
• Campus in numbers
• Added services with smart card
• The key role of the smart card
• Services to cope with: network infrastructure and applications
• Conclusions
Research at UniMe
Mobile Distributed Systems: a research group at the Engineering Faculty of UniMe
• Mobile, wireless
• Grid
• Security
• Performance evaluation
• …
A research center for innovations and their applications to academia, SMEs and industry.
UniMe in numbers
• 38,000 students
• 2,000 employees
• 1,600 teachers
• 57 departments
• 11 faculties
Services with added value at UniMe
• Web-based services (e-mail, online exam registration, chat, forum, FAQ, etc.). Many web transactions are carried out over HTTPS with mutual authentication: the user is identified by a client certificate rather than a password, which mitigates phishing of campus credentials.
• Ad hoc Java-based applications developed for students and University employees to provide secure communication: encryption of e-mail messages and documents, and e-mail signed in agreement with the Italian national directives from CNIPA. These applications improve all the administrative processes.
• User interface for the GRID infrastructure: through strong identification, the user has transparent access to distributed computing and storage resources.
• Consolidated services available even from home: users can consult electronic books, journals, papers and newspapers over an IPsec VPN.
Services with added value at UniMe
• Wired/wireless access mechanisms to our 802.1x-compliant network infrastructure. The environment developed makes it possible to know where a guest is, with their MAC address, IP address and physical location derived from the switch port or the AP radio signal. Access logs are stored to discourage and trace any fraudulent use of resources.
• New technology is widely available thanks to the deployment of Totem kiosks and PC rooms equipped with all the necessary hardware and software. This guarantees widespread involvement of students, including those of the humanities faculties.
• Real-time exam recording without any kind of paper document.
• Smart card usable as a credit card in shops and public services (all over Italy) and at ATMs. Furthermore, through the smart card our students can access their University data (passed exams, CV, University info, …) at more than 5000 ATMs all over Italy belonging to the UniCredit-Capitalia group.
The key role of the smart card: UniMe Card
• Bank sponsor: Banco di Sicilia
• Chip card with 32K of memory
• Person identifier: official campus identification document
• Asymmetric key length: 2048 bit
The key role of the smart card: multifunctionality card
Backside: magnetic stripe with three different bands
• Bank agreement (credit card, ATM)
• As badge: employee check-in/out
• As badge: refectory services
The value of the integration
The services are aimed to: bank, print services, shops, restaurant, copy office, bars, city facilities (WiFi, transport), …
Figure: the Campus exports its Strong Digital Identity to these services.
Figure: map of the faculties, spread over about 18 km: Scienze MM.FF.NN., Ingegneria, Farmacia, Lettere e Fil., Veterinaria, Villa Pace, Scienze Formazione, Scienze Statistiche, Economia, Giurisprudenza, Scienze Politiche, Policlinico Universitario.
Distributed Campus:
physical and logical mapping
Security Infrastructure:
Strong and weak Authentication
Network Infrastructure
The communication network for data and voice, able to connect each pole as one large campus. It is composed of two main parts:
• Metropolitan Campus Backbone: MPLS, HiperLAN, WiFi bridges, virtual channels provided by the ISP
• LAN interconnection for users, servers, devices, etc.: Network Access Servers (switches, APs, …)
From the device representation towards the logical view of the poles
The architecture is composed of:
• Certification Authority (online and offline): OpenCA
• RADIUS servers: FreeRADIUS
• LDAP in master/slave configuration: OpenLDAP
• DHCP: Linux-based DHCP bound to LDAP
• NAS (Network Access Server), 802.1x with VLAN features
• Administration web server bound to databases (DB): LAMP (Linux, Apache, MySQL, PHP)
As much as possible using open-source software.
The System: Managing, Access Control and Monitoring
Facilities for system administration and monitoring.
A web portal useful for:
• user profiles (students, professors, employees, devices)
• definition of default profiling
• import of data
• monitoring of data logs (wireless/wired access, servers, position)
It verifies the user credentials: access rules and user profiles are stored in the LDAP master and distributed to the LDAP slave.
It manages access to the physical resources:
• 802.1x standard
• RADIUS
Users are identified by the Digital Identity:
• Strong authentication: digital user certificate X.509v3 (smart card, crypto token, file)
• Weak authentication: login and password
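The exchange behind "NAS 802.1x with VLAN features" and the LDAP-stored profiles described on the architecture slide and this one, as an added example (not code from the slides or from the UniMe system): once 802.1x authentication succeeds, the RADIUS server maps the user's profile (a constructed map stands in for the LDAP lookup) to a VLAN and answers the switch or AP with an Access-Accept carrying the RFC 2868 tunnel attributes; the NAS side checks the Response Authenticator against the shared secret before it trusts the VLAN assignment. Profile names, VLAN names, the packet identifier and the shared secret are all constructed.

```go
package main

import (
	"crypto/md5"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// RADIUS codes and attribute types used here (RFC 2865, RFC 2868, RFC 3580).
const (
	codeAccessAccept         = 2
	codeAccessReject         = 3
	attrTunnelType           = 64
	attrTunnelMediumType     = 65
	attrTunnelPrivateGroupID = 81
	tunnelTypeVLAN           = 13 // Tunnel-Type value for VLAN
	tunnelMediumIEEE802      = 6  // Tunnel-Medium-Type value for IEEE-802
)

// profileVLAN stands in for the user profiles kept in LDAP; names are constructed.
var profileVLAN = map[string]string{"student": "student-vlan", "employee": "staff-vlan"}

type attribute struct {
	Type  byte
	Value []byte
}

// taggedInt builds the RFC 2868 tagged form: one tag byte plus a 3-byte big-endian integer.
func taggedInt(tag byte, v uint32) []byte {
	return []byte{tag, byte(v >> 16), byte(v >> 8), byte(v)}
}

// encodeAttributes serialises attributes as Type, Length, Value triples.
func encodeAttributes(attrs []attribute) (out []byte, err error) {
	for _, a := range attrs {
		if len(a.Value) > 253 {
			return nil, errors.New("attribute value too long")
		}
		out = append(append(out, a.Type, byte(len(a.Value)+2)), a.Value...)
	}
	return out, nil
}

// responseAuthenticator is MD5(Code|ID|Length|RequestAuth|Attributes|Secret), RFC 2865 section 3.
func responseAuthenticator(code, id byte, length uint16, requestAuth [16]byte, attrs, secret []byte) [16]byte {
	h := md5.New()
	h.Write([]byte{code, id, byte(length >> 8), byte(length)})
	h.Write(requestAuth[:])
	h.Write(attrs)
	h.Write(secret)
	var out [16]byte
	copy(out[:], h.Sum(nil))
	return out
}

// BuildAccessAccept is the RADIUS server side: map the profile found in LDAP to a VLAN
// and answer the NAS with Access-Accept, or with Access-Reject for an unknown profile.
func BuildAccessAccept(id byte, requestAuth [16]byte, secret []byte, profile string) ([]byte, error) {
	code, attrs := byte(codeAccessReject), []attribute(nil)
	if vlan, ok := profileVLAN[profile]; ok {
		code = codeAccessAccept
		attrs = []attribute{
			{attrTunnelType, taggedInt(0, tunnelTypeVLAN)},
			{attrTunnelMediumType, taggedInt(0, tunnelMediumIEEE802)},
			{attrTunnelPrivateGroupID, append([]byte{0}, vlan...)}, // tag 0x00 = untagged
		}
	}
	body, err := encodeAttributes(attrs)
	if err != nil {
		return nil, err
	}
	length := uint16(20 + len(body))
	auth := responseAuthenticator(code, id, length, requestAuth, body, secret)
	pkt := append([]byte{code, id, byte(length >> 8), byte(length)}, auth[:]...)
	return append(pkt, body...), nil
}

// ParseReply is the NAS side: drop any reply whose Response Authenticator does not match
// the shared secret and the saved Request Authenticator, then extract the VLAN to apply.
func ParseReply(pkt []byte, requestAuth [16]byte, secret []byte) (code byte, vlan string, err error) {
	if len(pkt) < 20 || int(binary.BigEndian.Uint16(pkt[2:4])) != len(pkt) {
		return 0, "", errors.New("malformed RADIUS packet")
	}
	want := responseAuthenticator(pkt[0], pkt[1], uint16(len(pkt)), requestAuth, pkt[20:], secret)
	if subtle.ConstantTimeCompare(pkt[4:20], want[:]) != 1 {
		return 0, "", errors.New("bad Response Authenticator: wrong secret or forged reply")
	}
	for rest := pkt[20:]; len(rest) > 0; {
		if len(rest) < 2 || int(rest[1]) < 2 || int(rest[1]) > len(rest) {
			return 0, "", errors.New("malformed attribute")
		}
		if v := rest[2:rest[1]]; rest[0] == attrTunnelPrivateGroupID && len(v) > 0 {
			if v[0] <= 0x1F { // a leading byte in 0x00..0x1F is a tag, not part of the VLAN name
				v = v[1:]
			}
			vlan = string(v)
		}
		rest = rest[rest[1]:]
	}
	return pkt[0], vlan, nil
}

func main() {
	secret, reqAuth := []byte("constructed-shared-secret"), [16]byte{}
	copy(reqAuth[:], "0123456789abcdef") // a real NAS draws this at random for every request
	pkt, _ := BuildAccessAccept(42, reqAuth, secret, "student")
	fmt.Println(ParseReply(pkt, reqAuth, secret))          // 2 student-vlan <nil>
	fmt.Println(ParseReply(pkt, reqAuth, []byte("wrong"))) // authenticator check fails
}
```

The Response Authenticator is the only integrity protection a plain RADIUS reply has, and it is an MD5 keyed by the shared secret, so the secret should be long, random and different for every NAS; for EAP (802.1x) exchanges the Message-Authenticator attribute of RFC 3579 is also required, which this example omits.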
Managing and Monitoring
System
The System is aware of
Who does what and where
Data distribution:
The paradigm to reduce the faults
Certification Authority and Digital Identity
Digital Identity based on PKI and X.509v3 certificates.
User information on the certificate:
• First and last name
• Codice Fiscale
• Text
• Contacts (e-mail, …)
LDAP / DB: the database maintains all information and rules for all users.
Application services related to Digital Identity
• Encrypted e-mail exchanged between students, professors and employees
• Publishing of user data on LDAP servers
• Mutual authentication with X.509v3 certificates
• Single Sign On
Application developed to encourage the use of secure technologies
SSO interface to enable Totem kiosks and PC rooms (LDAP, MAIL, PIN CODE).
The system stores the login and password of each user in a database.
The application retrieves the login and password, encrypted with the smart card.
This model is applicable to any external service that needs weak authentication, such as Google, Yahoo or Jabber.
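An added example (not code from the slides or from the UniMe applications) tying together the "Certification Authority and Digital Identity" slide and the SSO vault described here: a constructed campus CA issues a 5-year X.509v3 user certificate carrying name, Codice Fiscale and e-mail, the web front end verifies it as it would for mutual authentication, and the stored login/password record is sealed to the certificate's RSA key with OAEP so that only the card's private key can open it. The key pair is generated in software as a stand-in for the one on the smart card; the CA name, the placement of the Codice Fiscale in the subject serialNumber attribute, the OAEP label and all user data are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// UserIdentity carries the fields the slide puts on the X.509v3 certificate.
type UserIdentity struct {
	FirstName, LastName, CodiceFiscale, Email string
}

// Credential is one login/password record for an external weak-authentication service.
type Credential struct {
	Service, Login, Password string
}

const oaepLabel = "unime-sso-vault" // constructed label binding ciphertexts to this use

// NewCA creates a self-signed campus CA, a constructed stand-in for the OpenCA instance.
func NewCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "UniMe Campus CA (constructed)"},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueUserCert has the CA sign a 5-year certificate for the card's public key.
// The private key stays on the card; only the public half is needed here.
func IssueUserCert(ca *x509.Certificate, caKey *rsa.PrivateKey, u UserIdentity, cardPub *rsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), // constructed; a real CA issues unique random serials
		Subject: pkix.Name{
			CommonName:   u.FirstName + " " + u.LastName,
			SerialNumber: u.CodiceFiscale, // assumption: Codice Fiscale in the subject serialNumber attribute
		},
		EmailAddresses: []string{u.Email},
		NotBefore:      time.Now(),
		NotAfter:       time.Now().AddDate(5, 0, 0),
		KeyUsage:       x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageEmailProtection},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, cardPub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyClientCert is the mutual-authentication check of the HTTPS front end:
// chain the presented certificate to the campus CA and require the client-auth EKU.
func VerifyClientCert(ca, cert *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// SealCredential encrypts the record to the certificate key (RSA-OAEP, SHA-256), so the
// database holds only ciphertext. At 2048 bits the plaintext must stay under 190 bytes.
func SealCredential(userCert *x509.Certificate, c Credential) ([]byte, error) {
	pub, ok := userCert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("certificate key is not RSA")
	}
	plain, _ := json.Marshal(c) // a struct of strings cannot fail to marshal
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, []byte(oaepLabel))
}

// OpenCredential is the client side: once the PIN has unlocked the card, decrypt the record.
func OpenCredential(cardKey *rsa.PrivateKey, sealed []byte) (c Credential, err error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, cardKey, sealed, []byte(oaepLabel))
	if err != nil {
		return c, err
	}
	err = json.Unmarshal(plain, &c)
	return c, err
}

func main() {
	ca, caKey, _ := NewCA()
	cardKey, _ := rsa.GenerateKey(rand.Reader, 2048) // software stand-in for the on-card key pair
	user := UserIdentity{"Mario", "Rossi", "RSSMRA80A01F205X", "mario.rossi@example.org"} // constructed
	cert, _ := IssueUserCert(ca, caKey, user, &cardKey.PublicKey)
	fmt.Println(cert.Subject.SerialNumber, cert.EmailAddresses, VerifyClientCert(ca, cert))
	sealed, _ := SealCredential(cert, Credential{"jabber", "mrossi", "constructed-password"})
	fmt.Println(OpenCredential(cardKey, sealed))
}
```

The vault protects the stored credential at rest and on its way to the card, nothing more: the external service still receives a plain password, so the weaknesses of that service's own login (reuse, phishing of its login page) remain, which is why the slide calls this weak authentication. Anyone who can update a user's certificate in the database can also re-seal the records to a key they control, so the certificate store needs the same protection as the vault.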
Application developed to encourage the use of secure technologies: Java application
PIN interface
Mail reader interface:
• Sign e-mail
• Verify signed e-mail
• Encrypt e-mail (file)
• Decrypt e-mail (file)
LDAP interface
Applet version under development
Timeline of the work developed, in
progress and designed.
In conclusion…
The architecture is strongly based on the smart card, but the smart card:
• represents a simple digital access key (a strong mechanism to bind the user to an identity), not a mandatory device for all operations;
• guarantees a soft migration towards full system integration (real Single Sign On);
• has a validity of 5 years, to simplify its management.
In any case, the system maintains both authentication methods: strong and weak.
A question on wireless network access: an open issue
• eduroam is working on interoperability between campus networks.
• In Italy there are at least two main branches:
  • GARR is proposing its own solution
  • CRUI is thinking of going its own way
What is the right approach/solution to adopt?
THANK YOU