NetReg-Projectx - Information Security and Policy


NetReg
Net·Reg - /'net-rej/ noun
A web-based registration application for the management of system, network and contact information.
Unify RDM, Security Contacts and DHCP MAC Registration Applications
• Each application manages information about related and overlapping entities
• One Stop Shop for Registration for Network access, Security Contacts, and Restricted Data
• All three existing applications need enhancements
Existing Application: Restricted Data Management (RDM)
Diagram: the Data Owner registers RDM Systems with RDM, which records the system name, IP address, type of data and quantity, security plan, etc.
Existing Application: Security Contacts
Diagram: the Primary IT Contact creates a Role in the Security Contacts App. Contact Role record: name, Dept; Owner, contact information; List of Maintainers; Email address. The Contact Role adds IP Address Entities, each an Address, a Range, a CIDR block (subnet) or a Subdomain.
Existing Application: DHCP MAC Registration
Diagram: an Individual DHCP Registrant registers a MAC address and requests Fixed DHCP and Dynamic DNS. System Entity record: MAC address; Fixed DHCP? then IP address; Dynamic DNS? then hostname. IP Address Entity: Address, Range, CIDR block (subnet) or Subdomain. The Hostmaster operates the DHCP Service.
New Application: NetReg
Diagram: NetReg brings the three actors together. The Individual DHCP Registrant registers a System (Systems: add, edit, remove, bulk upload); the Primary IT Contact creates a Contact Role; the Data Owner registers an RDM System. Contact Role record: Contact Role (CR) name, Dept; List of Members; Email address; Delegated Group(s). System Entity record: MAC address; IP Addr Assignment?; RDM type?. IP Address Entity (claim, abandon, transfer): IPv4 and IPv6; Address, Range; CIDR block (subnet); Subdomain. The Hostmaster operates the DHCP Service.
NetReg Goals
• Promote Campus DHCP service
• Improve information management
• Improve data integrity
• 100 % coverage for notifications
• Good authorization platform
– Required for future services
Promote Campus DHCP service
• Role-based Management
• Bulk upload of System Entity data
• Notes field
• Transfer MAC address mechanism
• Greater use of DHCP
– Future: Option 82 - Location with lease information
– Future: IP source guard – requires the use of DHCP
Improved Management
• Unified application
– Integrate RDM with Security Contacts
• Role-based
• Allow multiple profiles, multiple Contact Roles, per user
Data Integrity
• Automatic checks for changes that affect Authorization or Notification
– Expired CalNet UIDs
– Contact Roles with no active members
– Stale MAC addresses
– Network moves
– Job changes
– Re-organizations
• Appropriate follow-through
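The first three checks on this slide can be run as a batch job over the registration data and a directory feed. The following is an added example, not NetReg code: it models expired CalNet UIDs, Contact Roles with no active members and stale MAC addresses over constructed sample records (the UIDs, role names, MAC addresses, lease times and the 180-day staleness threshold are all assumptions), and maps each finding to the active members who can follow through. Network moves, job changes and re-organizations need network and HR feeds the example does not model.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inputs; none of these values come from NetReg.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=180)  # assumed threshold for a MAC with no recent DHCP lease

# Directory feed: CalNet UID -> status (constructed)
CALNET_UIDS = {"u1": "active", "u2": "expired", "u3": "active"}

# Contact Roles with their members (constructed)
CONTACT_ROLES = {
    "DCR-stats": {"members": ["u1", "u2"]},
    "GCR-stats-legacy": {"members": ["u2"]},
}

# System Entities: MAC address, owning CR, time of the last DHCP lease seen (constructed)
SYSTEMS = [
    {"mac": "00:11:22:33:44:55", "cr": "DCR-stats", "last_lease": NOW - timedelta(days=3)},
    {"mac": "66:77:88:99:aa:bb", "cr": "GCR-stats-legacy", "last_lease": NOW - timedelta(days=400)},
]


def integrity_issues(uids, roles, systems, now=NOW, stale_after=STALE_AFTER):
    """Return (issue, contact_role, detail) tuples for three of the slide's conditions."""
    issues = []
    for name, role in roles.items():
        active = []
        for member in role["members"]:
            if uids.get(member) == "active":
                active.append(member)
            else:
                # An expired UID can no longer authorize changes or receive notifications
                issues.append(("expired_uid", name, member))
        if not active:
            # A CR with nobody active has no one to notify: coverage is broken here
            issues.append(("no_active_members", name, None))
    for system in systems:
        if now - system["last_lease"] > stale_after:
            issues.append(("stale_mac", system["cr"], system["mac"]))
    return issues


def follow_through(issues, roles, uids):
    """'Appropriate follow-through': map each issue to the active members who should act.
    An empty list means the issue has to be escalated outside the CR."""
    plan = {}
    for issue, cr, detail in issues:
        active = [m for m in roles[cr]["members"] if uids.get(m) == "active"]
        plan[(issue, cr, detail)] = active
    return plan


if __name__ == "__main__":
    found = integrity_issues(CALNET_UIDS, CONTACT_ROLES, SYSTEMS)
    for issue, recipients in follow_through(found, CONTACT_ROLES, CALNET_UIDS).items():
        print(issue, "->", recipients or "ESCALATE")
```

Run as a script it prints one line per finding; the Group CR whose only member has an expired UID shows up three times (expired member, no active members, stale MAC) with nobody left to notify, which is exactly the case the follow-through step has to escalate.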
100% Coverage
• Really is ‘100% Coverage without any overlap’
• Quickly, easily translate an IP address to a responsible party for notification
• Responsible party related to organizational structure for security reporting
Authorization
• Is this person authorized to create this department’s Contact Role?
• Does this IP address entity belong with this Contact Role?
• When was this IP address associated with this Contact Role?
• Future services require good authorization
Proposals
Contact Roles
• Two kinds of Contact Role (CR), Department and Group.
– Group CR created by Department CR
• Department Contact Role tied to organizational structure for security reports
– Dept CR at a node in organizational structure, any level.
– Only one Dept CR per node in org structure.
• Group Contact Roles allow for different IT management styles within departments
– Group CR has Dept CR parent.
• Group CRs cannot create additional Group CRs.
Organizational Structure
Diagram: Department Contact Roles DCR1, DCR2, DCR3, DCR4 and DCR5 sit at nodes of the organizational structure; Group Contact Roles GCR3A, GCR3B, GCR5A and GCR5B hang beneath them, each named after its parent Dept CR.
Contact Roles, con’t.
• Member of Dept CR can be member of Group CR, and vice-versa.
• Dept CR has read-only access to child Group CR information
• Group CR has read-only access to parent Dept CR information?
• Dept CR can configure whether it sees notifications to Group CRs, or not
IP Address Entities
• CRs claim, abandon, request, transfer IP Address Entities.
• IP Address Entities claimed by only one Contact Role (CR)
– E.g., CR1 claims CIDR block (subnet), transfers individual addresses to CR2
• Notifications match IP Address by longest prefix match.
• CIDR blocks as defined in networks.local.
Actions upon IP Address Entities
Diagram: the Network supplies NetReg with a data feed of IP Address Entities. Within NetReg, a Holding Area separates allocated CIDR blocks and assigned IP addresses from unallocated CIDR blocks and unassigned IP addresses. Dept CR 1 acts on entities with Claim, Abandon, Request and Transfer; Dept CR 2 and its Group CR 2A are the other parties shown.
IP Address Entities, con’t.
• Claim/Abandon by Dept CR only, Requests/Transfers by any CR
• Subdomain claims potentially create collisions.
– IP Address claimed by Address by one CR and by Subdomain by another CR
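The IP Address Entity slides above fit together as one data structure: claims of addresses and CIDR blocks held by exactly one CR, transfers of individual addresses out of a claimed block, notification lookup by longest prefix match, and a check for the subdomain collision just described. The following is an added example, not NetReg code, that implements those operations with Python's standard ipaddress module; the CR names, the CIDR blocks, the hostnames and the claim timestamps are constructed, and the hostname-to-address table stands in for a DNS feed NetReg would have to obtain elsewhere. The example goes slightly beyond the slide's IPv4 wording by handling IPv6 entities too.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class Claim:
    network: object          # ipaddress network; a single address is a /32 or /128
    contact_role: str
    claimed_at: datetime     # answers "when was this address associated with this CR?"


@dataclass
class AddressRegistry:
    claims: List[Claim] = field(default_factory=list)
    subdomain_claims: Dict[str, str] = field(default_factory=dict)  # subdomain -> CR
    dns: Dict[str, str] = field(default_factory=dict)               # hostname -> address (constructed feed)

    def claim(self, cr: str, cidr: str, when: datetime) -> Claim:
        net = ipaddress.ip_network(cidr, strict=False)
        # "IP Address Entities claimed by only one Contact Role"
        for c in self.claims:
            if c.network == net and c.contact_role != cr:
                raise ValueError(f"{net} already claimed by {c.contact_role}")
        claim = Claim(net, cr, when)
        self.claims.append(claim)
        return claim

    def transfer(self, from_cr: str, to_cr: str, cidr: str, when: datetime) -> Claim:
        net = ipaddress.ip_network(cidr, strict=False)
        owner = self.responsible(str(net.network_address))
        # Only the CR currently responsible for the entity may transfer it
        if owner is None or owner.contact_role != from_cr:
            raise PermissionError(f"{from_cr} does not hold {net}")
        # A transfer records a more specific claim; longest prefix match gives it precedence
        self.claims = [c for c in self.claims if c.network != net]
        claim = Claim(net, to_cr, when)
        self.claims.append(claim)
        return claim

    def abandon(self, cr: str, cidr: str) -> bool:
        net = ipaddress.ip_network(cidr, strict=False)
        before = len(self.claims)
        self.claims = [c for c in self.claims if not (c.network == net and c.contact_role == cr)]
        return len(self.claims) < before

    def responsible(self, address: str) -> Optional[Claim]:
        """Longest prefix match: the most specific claim containing the address wins."""
        addr = ipaddress.ip_address(address)
        matches = [c for c in self.claims if addr in c.network]
        return max(matches, key=lambda c: c.network.prefixlen) if matches else None

    def subdomain_collisions(self) -> List[Tuple[str, str, str, str]]:
        """Hosts whose address is held by one CR while another CR claims the subdomain."""
        out = []
        for host, addr in sorted(self.dns.items()):
            subdomain = host.split(".", 1)[1]
            sub_cr = self.subdomain_claims.get(subdomain)
            owner = self.responsible(addr)
            if sub_cr and owner and owner.contact_role != sub_cr:
                out.append((host, addr, owner.contact_role, sub_cr))
        return out


def build_sample_registry() -> AddressRegistry:
    """Constructed scenario from the slide: CR1 claims a subnet, transfers one address to CR2."""
    reg = AddressRegistry()
    t0 = datetime(2024, 1, 15, tzinfo=timezone.utc)
    reg.claim("CR1", "10.1.0.0/24", t0)
    reg.claim("CR1", "2001:db8:1::/64", t0)
    reg.transfer("CR1", "CR2", "10.1.0.5", datetime(2024, 3, 2, tzinfo=timezone.utc))
    reg.subdomain_claims["stats.example.edu"] = "CR1"
    reg.dns = {"web.stats.example.edu": "10.1.0.9", "db1.stats.example.edu": "10.1.0.5"}
    return reg
```

With the sample registry, a notification for 10.1.0.5 goes to CR2 and one for 10.1.0.9 to CR1, because the transferred /32 is a longer prefix than CR1's /24. The collision check then flags db1.stats.example.edu: CR1 claims the subdomain, but the host's address is held by CR2, which is the ambiguity the slide warns about.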
Relationship of Data Owner to Contact Role?
• Does the Data Owner ask the Contact Role to mark a System as having restricted data?
• Is the Data Owner a member of the Contact Role, in order to mark a System as having sensitive data?
• Is the Data Owner a different kind of Role with a relationship to the Contact Role?
NetReg Application
1. CalNet Authenticate
2. Select Profile, if more than one
3. NetReg Main Menu
NetReg: Main menu
• Manage Contact Roles
• Manage IP Address Entities
• Manage System Entities
NetReg: Contact Info
• Manage Contact Role
– View – default
• Members, Email address, Dept ID and name, or Parent CR
– Members – list, add, remove
– Email address – view, edit, send test message
– Delegated groups
• Add
• Remove
• Transfer IP Address(es) to/from
NetReg: IP Address Entities
• Manage Network information
– View – default
– Search – Claim
– Request
– Transfer
– Abandon
NetReg: System Info
• Manage Systems
– View – Default
• View, detail view – DHCP lease, location, ARP cache information
– Search
– Edit
• Name
• Notes
• MAC address – list, edit, add, remove
• RDM type - if >0 then RDM sub-system
• IP assignment type – DHCP – dynamic, DHCP – fixed, Static, and appropriate follow-on fields.
– Add
– Transfer
– Remove
– Bulk Upload
Other Issues?
Feedback to Saskia Etling,
[email protected]