Download Slides - TERENA Networking Conference 2010



Transcript
Why Identity Management is hard
Alan DeKok, CTO
Terena 2010 - June 2
This is your network
http://www.flickr.com/photos/teseum/1268565258/
Confidential - © Mancala Networks 2010
2
This is the network you want
http://www.flickr.com/photos/martin_addison/4184287103/
Why IDM is hard
Secure systems require:
- Knowledge
  - Inventory, monitoring, etc.
- Requirements
  - Network policies and procedures
- Enforcement
  - Firewalls, IDS, etc.
If any piece is missing, the system falls over
And so does your network
Vendors are warlords
- Knowledge?
  - Locked up in proprietary systems
- Requirements?
  - Need to be expressed in the vendor's language
- Enforcement?
  - Go ask someone else.
Your network is a battleground.
And you are losing.
Vendor Product Integration
http://www.flickr.com/photos/13965522@N00/2658439548/
What makes IDM hard
Identity management is...
WHO is on your network
WHICH rules apply to them
WHAT they are doing
HOW to stop bad behavior
In direct conflict with vendor goals.
What you can do about it
- Own your network.
- Know everything about the network.
- Set global network control
- Enforce it across all sites and services.
Demand this from the vendors.
Better vendor integration
http://www.flickr.com/photos/carbonnyc/2536483214/
Without IDM, what happens?
- No database of MAC / IP?
  - No idea who is on your network
- No policy capability?
  - No way of expressing what should happen.
- No enforcement of policies?
  - No punishment for bad behavior
Configuring all of this is expensive
Similar to driving...
No car registration, anyone can drive!
Versus: licensed drivers and vehicles
No government control, drive anywhere!
Versus: Common policies and requirements
No enforcement, go steal a car!
Versus: Ubiquitous policing and enforcement
How to get IDM
Demand access to data
Knowledge is power!
Demand inter-operability
Simpler, cheaper, better
Demand security!
Ignoring security is so 1990’s.
It’s your network, not theirs.
FreeRADIUS as an example
All data is stored in databases
Policy language to express any security system
Policy enforcement when user logs in
It has taken ~10 years to develop this system
No equivalent for DNS or DHCP.
IDM Examples
- Unknown person on the network?
  - Now: They can still do DHCP
  - Versus: Maybe kick them off of the network.
  - Or inform the administrator.
- User manually enters an IP address?
  - Now: They can still access network resources
  - Versus: Deny them access to network resources?
  - Maybe kick them off of the network.
  - Or inform the administrator.
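The two IDM examples above, and the FreeRADIUS pattern of storing the data and enforcing a policy at login, as an added example that is not part of the slides: a small Python check that pairs a MAC/IP inventory and DHCP lease table (knowledge) with a policy (requirements) and an action per observed device (enforcement). All MACs, user names and addresses are constructed, and the `evaluate`/`enforce` functions are illustrative, not any product's API.

```python
# Added example, not from the slides: a toy identity-management check that maps
# the talk's three pieces onto code: knowledge (MAC inventory plus DHCP leases),
# requirements (the evaluate() policy) and enforcement (the action it returns).
# Every MAC, user and IP below is constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Knowledge: who owns which MAC, and which IP DHCP actually handed out.
INVENTORY: Dict[str, str] = {
    "aa:bb:cc:00:00:01": "alice",
    "aa:bb:cc:00:00:02": "bob",
}
DHCP_LEASES: Dict[str, str] = {
    "aa:bb:cc:00:00:01": "10.0.0.11",
    "aa:bb:cc:00:00:02": "10.0.0.12",
}

@dataclass
class Observation:
    """One (MAC, IP) pair seen on the wire, e.g. from an ARP or switch table."""
    mac: str
    ip: str

@dataclass
class Decision:
    action: str  # "allow", "notify" or "deny"
    reason: str
    user: Optional[str]

def evaluate(obs: Observation, strict: bool = False) -> Decision:
    """Requirements: the policy. strict=True turns the unknown-device case
    from 'inform the administrator' into 'kick them off the network'."""
    user = INVENTORY.get(obs.mac)
    if user is None:
        # Unknown person: today they can still do DHCP; here the policy at
        # least notifies an administrator, or denies when strict.
        return Decision("deny" if strict else "notify", "unknown MAC", None)
    leased = DHCP_LEASES.get(obs.mac)
    if leased != obs.ip:
        # Known user, but not the IP DHCP gave them: a manually entered address.
        return Decision("deny", "manual IP %s (lease %s)" % (obs.ip, leased), user)
    return Decision("allow", "MAC and IP match inventory and lease", user)

def enforce(observations: List[Observation], strict: bool = False) -> Dict[str, List[str]]:
    """Enforcement: group observed MACs by the action the policy chose."""
    result: Dict[str, List[str]] = {"allow": [], "notify": [], "deny": []}
    for obs in observations:
        result[evaluate(obs, strict).action].append(obs.mac)
    return result
```

In a real deployment the inventory and lease tables would come from the databases the talk asks vendors to open up, and the "deny" action would be carried out by the switch or RADIUS server rather than returned as a string.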
Network evolution
- Open networks
  - Anyone can get access
  - No policies or enforcement
- Hard shell networks
  - Login checking for access
  - Minimal policies or enforcement
- Defence in depth
  - Continuous access checking
  - Detailed policies, extensive enforcement
  - For every location, service, switch port, ...
Barriers to IDM
http://www.flickr.com/photos/tcp909/132665279/
Open Standards
- The network is built on open standards
- We need open data formats, too.
- We need open policy languages
  - Perl or Python are a start
- We need integrated systems
  - Real-time feeds between services
Demand freedom
All data is stored in databases
No restrictions on what you can do with it
Complex policies to build any security system
Integration of systems
Network Management is Identity Management
When everyone works together
http://www.flickr.com/photos/maynard/2325890069/