VPN 3005 Concentrator - Carnegie Mellon University


Security Workshop Series:
Authentication and Access Control for Networks
Jeremy Stieglitz
Cisco Systems, Inc.
[email protected]
© 2001, Cisco Systems, Inc. All rights reserved.

Agenda
• Security and Identity Overview
• Identity Technologies
• Roadmaps & Futures

The Security Dilemma
(Diagram: Internet business value rises with Internet access, from corporate presence and intranet access to e-commerce, supply chain, e-gov, customer care, workforce optimization and e-learning.)
Explosion in e-business! Expanded access means heightened security risks.

Threats Are More Dangerous; Easier to Use
(Chart, 1980 to 2000: the sophistication of hacker tools rises from low to high while the technical knowledge required falls. Examples plotted: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet forging/spoofing, stealth diagnostics, DDoS, Internet worms.)

Threats Driving Security Awareness
• Information Theft
• Virus Attacks
• Denial of Service
• Unauthorized Entry
• Data Interception
• Unprotected Assets

Network Security Directions and Opportunities
• Security is going Mainstream
  Fundamental to e-business - not an afterthought
  Integrated into e-business infrastructure
  Increasingly less of a separate function within IT
• Security is going to Main Street
  Every small business will be an e-business
  Increased outsourcing of solutions and services
  Requires simplification and integration

Security—Critical Enabler for E-Business
(Diagram: customer care, e-commerce, supply chain management, workforce optimization and e-learning, all built on the Internet.)
• Requires defense in depth
• Requires multiple and cohesive components
• Integration into e-business infrastructure
• Compatibility with technology initiatives
• Requires comprehensive blueprint

Network Security Tools
(Diagram)
Secure Connectivity: VPN
Perimeter Security: Firewalls
Security Monitoring: Intrusion Detection, Scanning
Identity: Authentication
Security Management: Policy

Identity Services: Think “AAA”
• Authenticate: Who are you?
• Authorize: What can you do?
• Account: What did you do?

Your Expertise
• The Largest, Most Scalable, Revocable, Identity Technology in America…
• The State Driver’s License:
  Strong binding of ID to digital mechanism
  High trust, high assurance, high utility; continuous security improvements
  Efficient systems for revocation
  Universal data sharing (reciprocity)
The future: A PKI Smartcard?

Agenda
• Security and Identity Overview
• Identity Technologies
• Roadmaps & Futures

Changing Network Identity Dynamics
• Not Yesterday’s Dial-up Networks
  VPN, Firewall, Cable, DSL, Voice, Dial, Wireless, Ethernet, Content, Storage, Cellular, etc.
• Lowband to Broadband
• Always On
• Public wires or airwaves
• Global availability, high scalability
• WAN/LANs merging

Identity and AAA+ Dynamics
1. User account management—manage users across an ever-expanding set of network access points (voice, video, cable, DSL, wireless, etc.)
2. User authentication—stronger authentication required to control users accessing corporate resources from public networks and VPNs
3. User and administration policies—more flexibility to address different authorization requirements across LANs, WANs, VPNs, intranets, extranets and B2B exchanges
4. User reporting and tracking—tools to monitor, audit and log user and administration activity in the network
5. User session management—track IP-to-ID, user status, transparent authentication, maximum sessions, user security (is Fred on the network?), etc.

AAA in the Network
(Diagram of AAA components: TACACS+/RADIUS Access Control Server; External Datastore (Win32, NDS, SQL, ODBC, LDAP, etc.); Token server; Telnet Admin; 802.1x Switching; Analog, ISDN, Voice and PSTN access via NAS; Wireless LANs; Corp Network; Branch Office; Internet VPNs; Proxy AAA; ISP Gateway; Intranet/Extranet; DSL; Cable; Business-to-Business; Home Telecommuter; Wireless.)

Identity Technologies
• Three Major Trends:
  Stronger Authentication
  Unification via Directory
  WANs/LANs Merge

Identity Technologies - Authentication
“Strong authentication is the backbone to secure transactions. The User Authentication Market will double from $800 million in 2001 to $1.7 billion in 3 years.”
IDC Report, “Worldwide Security 3As Software Market Forecast and Analysis, 2000-2004”

Identity Technologies - Authentication
• Three factors (three Ws)
  What you Know (PIN, password)
  What you Have (token, keypair, smartcard)
  Who You Are (fingerprint, voice, DNA...)
• “Two-Factor” authentication is a common goal to increase security and better establish who your users are

Identity Technologies - Authentication
• Ways to Authenticate to Networks:
  Traditional username/password: (PPP, L2TP, PPTP, EAP-MD5CHAP, etc.)
  One-time passwords: (RSA SecurID, Secure Computing SafeWord, Cryptocard, Vasco, etc.)
  Public-key certificates & smartcards: (PKI vendors, Gemplus, Schlumberger...)
  Biometrics: (future)

Public Keypairs as Identity Tools
• Public keypairs such as RSA can serve as the “what you have” factor of authentication
• Digitally prove yourself by owning a set of keys that belong exclusively to you
• Trust provided by certificates

Cisco Experience in PKI
• Benefits include:
  Potential service provider scalability
  Well known, well studied security foundation of public-key cryptography
  Increasing leverage across network and enterprise ID management systems
• Challenges include:
  Immature standards
  Evolving market: insource, outsource models
  Considerable proprietary and scaling hurdles left

Identity Technologies - Directories
(Timeline diagram: 1970’s Email and 1980’s Dial-In, with few users, internal only, and a single source of data; 1990’s DHCP/DNS, PC Inventory and Firewall/VPN; 2000’s Wireless, etc., with many users, internal/external, and multiple sources of data.)

Identity Technologies - Directories
• User access control in particular can leverage a central, distributed directory service for user and group profile information
• A Good Start With LDAP

Benefits of Directory Integration for User Authentication Information
• Manageability:
  “Single” strategic data source for all users
  Ability to replicate Identity service globally, at scale
• Information Sharing:
  Key resource to manage various external configuration and user profile requirements
  Key ability to link network user with vertical (network) and horizontal (enterprise application) requirements for user profiles
• Scalability:
  Directory enables true, distributed, three-tiered architecture

LANs/WANs Merge
• Historically, access control mattered at “the edge” of the network; the inside of the network was safe
• Companies need more controls for guests, contractors, partners, etc.
• Networks don’t look like WANs and LANs anymore (wireless, cellular, etc.)

The Solution: 802.1x
• Standard set by the Institute of Electrical and Electronics Engineers (IEEE) 802.1 working group.
• Describes a standard protocol for controlling LAN access with user authentication
• Maintains backend communication to an Authentication (RADIUS) Server.

How Does It Work?
• Client & switch talk 802.1x
• Switch speaks to Authentication Server using RADIUS
• Users can “login” with either username/passwords, one-time tokens, or PKI credentials
• Authenticated users are granted access; other users are blocked, or possibly given limited guest access
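The exchange on this slide, as an added example that is not part of the deck or Cisco's code: a Python model of the switch's (authenticator's) port decision, where the RADIUS server is a constructed in-memory stub and the user names, passwords and VLAN numbers are made up. It also shows the later "User Zones" idea, since the Access-Accept carries the VLAN (the real RFC 2868 Tunnel-Private-Group-ID attribute) that places the user in a full-access, contractor or guest segment.

```python
"""Toy model of the 802.1x port-access exchange: the switch starts every port
unauthorized, relays the client's credentials to RADIUS, and opens the port only
on Access-Accept. The RADIUS server and user store below are constructed stubs."""
from dataclasses import dataclass, field
from typing import Optional
import hmac

# Constructed user store standing in for the AAA server's backend
# (the deck lists Win32, NDS, SQL, ODBC, LDAP and token servers as options).
USERS = {
    "fred": {"password": "s3cret-pw", "vlan": 10},        # full-access employee
    "contractor1": {"password": "c0ntract", "vlan": 20},  # contractor zone
}

@dataclass
class RadiusReply:
    code: str                                    # "Access-Accept" / "Access-Reject"
    attributes: dict = field(default_factory=dict)

def radius_server(username: str, password: str) -> RadiusReply:
    """Stub RADIUS server: authenticate the user, then authorize with a VLAN."""
    user = USERS.get(username)
    # Constant-time compare; an unknown user is rejected the same way as a bad password.
    if user is None or not hmac.compare_digest(user["password"], password):
        return RadiusReply("Access-Reject")
    return RadiusReply("Access-Accept", {"Tunnel-Private-Group-ID": user["vlan"]})

@dataclass
class Port:
    state: str = "unauthorized"                  # 802.1x default: only EAPOL passes
    vlan: Optional[int] = None
    accounting: list = field(default_factory=list)

def authenticator(port: Port, username: str, password: str,
                  guest_vlan: Optional[int] = None) -> Port:
    """Switch side: forward credentials over RADIUS and apply the verdict to the port."""
    reply = radius_server(username, password)
    if reply.code == "Access-Accept":
        port.state = "authorized"
        port.vlan = reply.attributes["Tunnel-Private-Group-ID"]
        # The third A: accounting records who got on and where.
        port.accounting.append(f"Accounting-Start user={username} vlan={port.vlan}")
    elif guest_vlan is not None:
        port.state, port.vlan = "guest", guest_vlan     # limited guest access
    else:
        port.state, port.vlan = "unauthorized", None    # blocked
    return port
```

Note that the verdict is entirely the RADIUS server's: the switch never sees the user database, which is why the deck can swap directories and token servers behind the same 802.1x front end.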

Agenda
• Security and Identity Overview
• Identity Technologies
• Roadmaps & Futures

Identity Security Challenges/Opportunities
• Q. How do we extend network User Identity to include host client state: worms, viruses, personal firewalls, host-based intrusion detection, etc.?
• Q. What access policies are needed for controlling more varied users needing differentiated access (e.g. full time, contractor, guest, quarantine, etc.)?
• Q. How do we build new network security capabilities based on real-time user info? (Is Fred on the network, where is Fred, which user has this IP address, etc.)

New Directions in Identity Management
• Host Integrity: Ability to allow only clean hosts onto network; quarantine unsafe hosts; “clean room” facility; protects against viruses, worms, personal firewalling, etc.
• User Zones: Scalable user-based network segmentation (e.g. Full Access, Guest, Contractor, Quarantine, etc.)
• User Session Status: Comprehensive real-time user location/status information (where is Fred on the network, who’s using this IP, SIP proxy, IDS alerts, user quotas, transparent auth., etc.)
Building true user intelligence into the network

Trends/Predictions
• Security is going Mainstream
  Fundamental to E-business – not an afterthought
• Security is going to Main Street
  Every small business will be an e-business
• Security extends everywhere
  The Internet home and the Mobile Office
• The Bar will continue to be raised
  Criticality of e-business applications
  Increased exposure and regulation
• Comprehensive solutions will win!
  Security integrated into voice, video, wireless infrastructures

My Industry Scorecard
Service                          Grade  Notes
RADIUS/TACACS+                   A      Strong vendor interoperability; vendor extension model works
PKI & Stronger Authentication    C+     Progress is slow
User Policy Standardization      C+     Web vendors, enterprise applications and network vendors need to address better directory unification of user profiles
User Reporting/Auditing          B+     Up and coming: dedicated solution providers focusing on user reporting problem
Security Integration             B+     AAA support fairly well flushed through network access gateway solutions
User Handling                    C+     No per-user granularity for QoS, DHCP, etc.
Mobility                         B      DIAMETER will help
Scalability                      B      LDAP will help
Roadmap                          A      :)

Roadmap
“Once, it was sufficient to protect the perimeter. Keeping people out was more important than letting them in, but times have changed. The 3As enable enterprises to open their internal networks to external access via the Internet.”
IDC Report, “Worldwide Security 3As Software Market Forecast and Analysis, 2000-2004”