Security Aspects of Active Directory

Directory Enabled Networking with Active Directory
Austin Wilson
Microsoft Corporation
What is Directory Enabled Networking?
• Policy-based management of network resources and provisioning of services
• Directory is central as it serves to bind information about users, applications and network infrastructure
• It is the comprehensive term that includes all technologies needed to make directory-based control of networks a reality
• Directory enabled networking and policy-based networking are synonymous
DEN vs. Directory Enabled Networking
• DEN - the standard - is distinct from directory enabled networking
• Directory enabled networking is more than just DEN
• DEN provides a foundation
  • Information model
  • Directory schema (LDAP)
• Many implementation issues and other standards for directory-enabled networking are outside the scope of DEN
Overview
Vision of Directory Enabled Networking
• Harness the power of directory services for network management and services
• Policy-based networking: simpler quality of service, configuration, and security administration
• Common information model and schema for network elements and services
• Interoperable network services and management solutions
Overview
Vision of Directory Enabled Networking
[Diagram: Management App A, Management App B and Management App C each connected to a central Directory Service; interoperability provided via Directory Service]
Overview
Vision of Directory Enabled Networking
[Diagram: Directory Service at the center, linked to Server, Switch, Firewall and ERP DB]
Overview
Directory Enabled Networks
• Logical division of labor
  • Directory provides point of resource discovery and defines bindings
  • Networks provide end-to-end connectivity
• Policy-based network management
  • Enables unification of network services and management applications
  • Defines and distributes policy and bindings
  • Enables personalized network services
Standards
DEN Progress Report
• DEN Ad Hoc Working Group formed: Dec 97
• DEN spec finished and submitted to DMTF for further development: Sep 98
• DEN framework is an integral part of Common Information Model (CIM)
• DEN spec incorporated into CIM model in phases
  • Physical model integrated in CIM v2.1: Oct 98 (application, device, system and physical)
  • Logical model integrated in CIM v2.2: Jun 99 (network and services)
  • Policy model: work-in-progress jointly between DMTF/IETF
Applications
Dir Enabled Networking at Work
• Physical infrastructure management
  • Static configuration of network devices
  • Asset tracking
  • Device and topology discovery
  • Performance and fault management
• Network service management
  • Quality of Service (QoS)
  • Remote access and VPN
  • IP security
  • IP address management
  • Firewalls
QoS (with RSVP and DiffServ)
[Diagram: a NetMeeting Client in an RSVP-enabled campus network asks the Policy server "May I have Priority, Please"; the Policy server, backed by a Data Store, answers with the policy "Yes, you may have Priority Gold" or "No, you may not have Priority now"; traffic crosses Differentiated service network(s) to a NetMeeting Client in a second RSVP-enabled campus network under the Service Level Agreement PHB = EF; TokenBucket = TB2 (e.g. equiv to virtual leased line)]
VPN (L2TP/IPSec Voluntary Tunnel)
[Diagram: Win2000 client, Internet, Edge Routers, NAS, Radius proxy, Auth/Authz Server, MS IAS Server and MS Active Directory Server; the legend distinguishes the IPSec and L2TP paths of the tunnel]
Architecture
Policy-based Networking
[Diagram: the Policy Management Console and the Policy Decision Points talk to the Policy Repository (LDAP Directory) over LDAP; toward the Policy Enforcement Points, a Policy Proxy uses SNMP and a Policy Decision Point uses COPS]
Architecture Components
Directory
• Directory stores a variety of information
  • User data
    • Authentication and access rights
    • User profiles
  • Infrastructure data
    • Static/start-up configuration for devices (e.g., routers, switches)
    • Server information (e.g., name server)
  • Policies
    • Conditions, actions, policy rules
Architecture Components
Policy Management Console
• Policies express business rules
  • Discipline-specific, perhaps even device-specific
  • QoS policies, remote access policies, IP security policies, firewall policies, etc.
• Policy console
  • Provides an abstraction of rules to create policies
  • Used to define and edit policies
  • Validates policies
  • When appropriate, the policy UI is unified with the UI that manages the entities that are the subjects of the policy (e.g., users, computers, devices)
Architecture Components
Policy Decision Point
• PDP generally takes the form of policy servers
  • Makes policy selection, gets policy from directory
  • Makes policy decisions
  • Detects and resolves policy conflicts
  • Distributes policy actions based on its decision to enforcement points
    • Access/deny
    • Traffic shaping parameters for a QoS policy
    • Address filters for a firewall policy
  • May propagate policies to other servers
  • Monitors usage and effectiveness of policy enforcement
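The PDP steps on this slide, as an added illustration written for this page (not code from the presentation or from Microsoft): rules are selected by matching their conditions against a request, a conflict is detected when two selected rules set the same action differently, the conflict is resolved by priority, and the resulting actions are split per enforcement point. The rule names, request attributes, the `priority` field, the deny-drops-shaping step and the `PEP_FOR_KEY` mapping are constructed assumptions; the PHB and TokenBucket values echo the QoS slide.

```python
"""Toy policy decision point (PDP): selection, conflict detection, resolution
and hand-off of actions to enforcement points. Added illustration, not code
from the presentation; rule names, attributes and priorities are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyRule:
    name: str
    conditions: dict   # request attribute -> required value; all must match
    action: dict       # action key -> value, e.g. {"access": "deny"}
    priority: int      # assumption: higher priority wins on conflicting keys


# Constructed stand-in for rules the PDP would fetch from the directory.
POLICY_STORE = [
    PolicyRule("deny-guest-vpn", {"user_group": "guests", "service": "vpn"},
               {"access": "deny"}, priority=10),
    PolicyRule("allow-employees", {"user_group": "employees"},
               {"access": "allow"}, priority=1),
    PolicyRule("gold-netmeeting", {"user_group": "employees", "app": "netmeeting"},
               {"phb": "EF", "token_bucket": "TB2"}, priority=5),
    PolicyRule("default-best-effort", {}, {"phb": "BE"}, priority=0),
]

# Which enforcement point consumes which action keys (assumed mapping).
PEP_FOR_KEY = {"access": "access_control", "phb": "traffic_shaping",
               "token_bucket": "traffic_shaping", "addr_filter": "firewall"}


def select_rules(store, request):
    """Policy selection: every rule whose conditions all hold for the request."""
    return [r for r in store
            if all(request.get(k) == v for k, v in r.conditions.items())]


def detect_conflicts(rules):
    """Two selected rules conflict when they set the same action key differently."""
    conflicts = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            for key in sorted(a.action.keys() & b.action.keys()):
                if a.action[key] != b.action[key]:
                    conflicts.append((a.name, b.name, key))
    return conflicts


def decide(store, request):
    """Return (decision, conflicts, matched_rule_names) for one request."""
    matched = select_rules(store, request)
    conflicts = detect_conflicts(matched)
    decision = {}
    # Resolution: apply in ascending priority so the highest-priority rule
    # writes a conflicting key last.
    for rule in sorted(matched, key=lambda r: r.priority):
        decision.update(rule.action)
    # Design choice (assumption): a deny outcome drops shaping actions, since
    # there is no admitted traffic left to shape.
    if decision.get("access") == "deny":
        decision = {"access": "deny"}
    return decision, conflicts, [r.name for r in matched]


def actions_for_peps(decision):
    """Split one decision into per-enforcement-point action bundles."""
    bundles = {}
    for key, value in decision.items():
        bundles.setdefault(PEP_FOR_KEY[key], {})[key] = value
    return bundles


if __name__ == "__main__":
    req = {"user_group": "employees", "app": "netmeeting", "service": "lan"}
    decision, conflicts, matched = decide(POLICY_STORE, req)
    print("matched:", matched)
    print("conflicts:", conflicts)
    print("decision:", decision)
    print("per-PEP actions:", actions_for_peps(decision))
```

Running the block for the employee NetMeeting request shows the conflict between `gold-netmeeting` and `default-best-effort` on `phb` being reported and then resolved in favour of the higher-priority rule; the guest VPN request ends in a bare deny with no shaping parameters handed to the QoS enforcement point.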
Architecture Components
Policy Enforcement Point
• Network node in the direct path of traffic flow (router, switch, remote access server, firewall)
• Policy enforcement point
  • Requests policy-based decisions
  • Optionally caches policy decisions for future use
  • Processes traffic per policy decision
  • Relays events to policy decision point
Architecture Variations
Two-tiered Architecture
[Diagram: the Policy Management Console and a combined Policy Decision Point & Policy Enforcement Point both talk to the Policy Repository (LDAP Directory) over LDAP; packets in and packets out pass through the combined PDP/PEP]
Architecture Variations
Two-tiered Architecture
• Device considerations
  • Requires smarter network devices (LDAP enabled)
  • Direct LDAP interactions with directory
• Firewall/security
  • LDAP typically not allowed across firewall
  • Need for encryption on some attributes can force large number of SSL/TLS connections
• Global knowledge
  • Lacks global view of network state to make decisions like simultaneous usage control
• Loading
  • Increased directory load
  • Faster decision making and traffic processing
Architecture Variations
Three-tiered Architecture
[Diagram: the Policy Management Console and the Policy Server talk to the Policy Repository (LDAP Directory) over LDAP; the Policy Server talks to the Policy Enforcement Point over COPS; packets in and packets out pass through the Policy Enforcement Point]
Architecture Variations
Three-tiered Architecture
• Device considerations
  • Network devices can be simple
  • Devices can be schema independent
• Firewall/security
  • Servers typically in data center, can be secured
  • Existing PEP-PDP protocols are “firewall friendly” (DHCP, RADIUS, COPS)
• Global knowledge
  • Has global view of network state to make decisions like simultaneous usage control
• Loading
  • Lower directory load – fewer servers than devices
  • Slower remote decision making
Architecture
Additional Considerations
• Policy distribution protocols (SNMP, COPS, RADIUS)
• Support for legacy devices
  • Use policy proxy to translate policy actions for legacy devices
• End-host participation
• Dynamic state information
  • Need data store for volatile information
• Missing LDAP features
  • Change notification
  • Multiple-object transactions
Active Directory
Data and Policy Store
• Salient features:
  • LDAP v3: for interoperability
  • Tightly integrated security (Kerberos)
  • DNS: backbone, integrated
  • Hierarchical namespace
  • Multi-master replication and updates
  • Dynamically extensible schema
  • Global Catalog for efficient search
  • Directory synch services
  • Scale: millions of objects
  • Programming and scripting API (ADSI)
Microsoft Active Directory
[Diagram: Active Directory at the center as the management focal point for users & resources, security, delegation and policy, surrounded by the constituencies listed below and what each keeps in the directory]
• Windows Users: account info, privileges, profiles, policy
• Other Directories: white pages, e-commerce
• Other NOS: user registry, security, policy
• E-Mail Servers: mailbox info, address book
• Windows Clients: mgmt profile, network info, policy
• Windows Servers: mgmt profile, network info, services, printers, file shares, policy
• Network Devices: configuration, QoS policy, security policy
• Applications: server config, single sign-on, app-specific directory info, policy
• Internet Firewall Services: configuration, security policy, VPN policy
Group Policy
Policy Decision Point
• Group Policy
  • Extensible policy framework to apply policy to groups of computers/users
  • Policies stored in Group Policy Object (GPO) in Active Directory
  • GPO can be bound to AD containers: Sites, Domains, OUs
    • Inheritance order: S,D,OU
    • Scope further filtered by security groups
  • APIs for services to invoke policy selection process (GetGPOList)
  • Can be used to push device configurations from Active Directory
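The selection process this slide attributes to Group Policy, simulated in Python as an added example (this is not Microsoft's GetGPOList and not code from the presentation): GPOs linked to Site, Domain and OU containers are collected in the S,D,OU inheritance order, GPOs whose security-group filter excludes the principal are dropped, and a GPO applied later wins a conflicting setting. It generalises the slide slightly by walking a chain of nested OUs from parent to child, which is an assumption stated in the code; the container names, GPO names, settings and group names are all constructed, and "empty filter means everyone" and "links apply in the order listed" are simplifying assumptions.

```python
"""Simulation of Group Policy selection as the slide describes it: GPOs linked
to Site, Domain and OU containers, applied in that inheritance order and
filtered by security group. Added illustration, not Microsoft's GetGPOList;
container names, GPO names, settings and groups are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class GPO:
    name: str
    settings: dict            # setting name -> value
    apply_to: frozenset       # security groups in scope; empty = everyone (assumption)


@dataclass(frozen=True)
class Container:
    kind: str                 # "site", "domain" or "ou"
    name: str
    links: tuple              # GPO names linked here, applied in the order listed (assumption)


INHERITANCE_ORDER = ("site", "domain", "ou")

# Constructed GPO store standing in for objects held in Active Directory.
GPO_STORE = {
    "Site-Defaults": GPO("Site-Defaults",
                         {"ntp_server": "ntp.site.example", "syslog_server": "log.site.example"},
                         frozenset()),
    "Domain-Baseline": GPO("Domain-Baseline",
                           {"syslog_server": "log.corp.example", "screen_lock_minutes": 15},
                           frozenset()),
    "Servers-Hardening": GPO("Servers-Hardening",
                             {"screen_lock_minutes": 5, "remote_admin": "disabled"},
                             frozenset()),
    "VoIP-QoS": GPO("VoIP-QoS", {"qos_phb": "EF"}, frozenset({"VoIP-Gateways"})),
}

SITE = Container("site", "Default-First-Site", ("Site-Defaults",))
DOMAIN = Container("domain", "corp.example", ("Domain-Baseline",))
OU_SERVERS = Container("ou", "Servers", ("Servers-Hardening",))
OU_VOIP = Container("ou", "VoIP", ("VoIP-QoS",))


def get_gpo_list(site, domain, ou_chain, groups, store=GPO_STORE):
    """Ordered GPOs in scope for a principal: Site, then Domain, then the OU
    chain from the top-level OU down to the principal's own OU (parent before
    child is the assumed generalisation of the slide's S,D,OU order); GPOs
    whose security filter excludes the principal's groups are dropped."""
    containers = [site, domain, *ou_chain]
    kinds = [c.kind for c in containers]
    if kinds[:2] != ["site", "domain"] or any(k != "ou" for k in kinds[2:]):
        raise ValueError(f"containers must follow {INHERITANCE_ORDER}, got {kinds}")
    applied = []
    for container in containers:
        for gpo_name in container.links:
            gpo = store[gpo_name]
            if gpo.apply_to and not (gpo.apply_to & groups):
                continue  # security-group filtering removes it from scope
            applied.append(gpo)
    return applied


def resolve(gpos):
    """Resultant settings: a GPO applied later (closer to the principal) wins a
    conflicting setting. Also returns which GPO supplied each value, which is
    what an administrator needs when auditing why a setting is in force."""
    settings, source = {}, {}
    for gpo in gpos:
        for key, value in gpo.settings.items():
            settings[key] = value
            source[key] = gpo.name
    return settings, source


if __name__ == "__main__":
    gpos = get_gpo_list(SITE, DOMAIN, [OU_SERVERS, OU_VOIP],
                        frozenset({"Domain Computers", "VoIP-Gateways"}))
    settings, source = resolve(gpos)
    for key in settings:
        print(f"{key} = {settings[key]!r}  (from {source[key]})")
```

For a computer in the `Servers/VoIP` OU chain that is not a member of `VoIP-Gateways`, the QoS GPO is filtered out and the domain-level syslog server overrides the site-level one; adding the group membership brings `VoIP-QoS` in as the last, and therefore winning, GPO. The `source` map returned by `resolve` is the piece worth keeping in a real tool, because it answers the question an auditor asks first: which object put this setting in force.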
Policy Enforcement Point
• Alternatives
  • Host network gear on Windows 2000 when possible to take advantage of full platform functionality
    • PBX devices, VoIP gateway/gatekeeper
  • Use embedded Windows 2000 as control OS on devices if possible
  • Implement secure LDAP client in device OS starting from Open Source version
Summary
• DEN specification from the DMTF is not yet final – standards are a lengthy and laborious process
• Active Directory services are available and can be leveraged for addressing network management needs today
• Compelling value proposition for end-customers – manageability and reduced TCO of network infrastructures
• Enterprises are planning for deployment of directory-enabled networks. Integrate with Active Directory services now!