
Roles Based Network Access Controls






Presentation Transcript


  1. Roles Based Network Access Controls
  James R. Clifford, Los Alamos National Laboratory

  2. Outline
  • Problem: Control foreign national access to sensitive data
    • 700+ FN in 25 organizations, 80 buildings, 12 technical areas
  • Solution
    • Create separate network with minimal sensitive data
  • Implementation
  • Deployment and Support
  • Lessons Learned
  • Future Directions

  3. Direction
  • “Further, the Laboratory is now developing a segregated unclassified computer network for utilization by our foreign national employees. This network will allow for greater control over what types and how information can be accessed while still allowing for important scientific research to be accomplished.”
    - LANL Director Michael Anastasio, testimony to the House Energy and Commerce Committee, September 28, 2008

  4. LANL Network 2008
  [Network diagram; labels recovered from the slide:]
  • Turquoise network: Visitor (on-site visitor access)
  • Green network: Open Network, Scientific Collaboration (segmented), Public Internet presence
  • External links: I-2 (1 GE), Internet, ESNet (10GE)
  • Yellow Network (Unclassified-Protected): Restricted Subnets, Central Services, General User
  • Limited amounts of and tight controls on presence of sensitive information

  5. Design
  • Create a new “Open Collaboration Enclave” (OCE) using a VPN overlay
  • Connect the new OCE network with a firewall
  • Add a “RADIUS server on steroids”
  • Define roles and resource policies
  • Add a remote web and VPN solution

  6. LANL Network 2009
  [Network diagram, as on slide 4 with the OCE added; labels recovered from the slide:]
  • Turquoise network: Visitor (on-site visitor access)
  • Green network: Open Network, Scientific Collaboration (segmented), Public Internet presence
  • External links: I-2 (1 GE), Internet, ESNet (10GE)
  • Yellow Network (Unclassified-Protected): Central Services, General User
  • Limited amounts of and tight controls on presence of sensitive information
  • OCE

  7. OCE Network Components
  [Component diagram; labels recovered from the slide:]
  • RADIUS, LDAP
  • Syslog, Mgt
  • Yellow Network
  • Infranet Controller
  • Internet
  • Desktops, Printers
  • VPN
  • Netscreen FW
  • Customer LANs
  • SSL Portal

  8. Firewall Policy
  • PERMIT policy except for OCE to Yellow
  • Core policy allows DNS, AD, backups: 140 rules
    • Rules include: protocol, destination IP address, port(s)
    • Includes services required for user logins
  • Role based policy rule
    • Default DENY OCE to Yellow
    • Web captive portal sets up roles based firewall policy
    • Users must be able to log in so they can run a browser (the portal cannot assign roles before then, which is why login services are in the core policy)
    • Assumes a single-user client system

  9. Infranet Controller - RADIUS on Steroids
  • Uses existing RADIUS and LDAP services
    • Can also use MS Active Directory
  • Users get roles based on directory information
    • Can also use network location, host integrity
  • Resource Policy (firewall) rules are based on Roles

  10. LDAP Example
  dn: employeeNumber=123456,ou=people,dc=lanl,dc=gov
  cn: Edward Crane
  departmentNumber: ABC-1
  employeeNumber: 123456
  employeeType: Employee
  lanlRole: Juniper RO Administrator
  lanlRole: Remote VPN
  lanlRole: Basic Network

  11. Role Mapping Example

  12. Resource Access Policy Example

  13. Role Member Management
  • HR data determines Employee and organization role data
  • Basic Network role created when a user gets a network account
  • Import role data from the resource owner, e.g. High Performance Computing
  • Users may select roles within business rules, e.g. Remote VPN
  • Ad hoc role management
    • Uses the lanlRole attribute value
    • Role owner (and delegates) use a web page to add/remove members
    • Directory updates are in real time
  • Roles removed when a person terminates

  14. Resource Access Policy Management
  • Resources in the list are determined by the role/resource owner
  • Managed as a text file by network operations, one line per role and resource:
    Access Control Tester,tcp://datawarehouse.lanl.gov:http,https
  • Converted to XML
    • Host names and ports checked and converted
  • XML imported into the Infranet Controller

  15. Remote Access: ssl-portal
  • https://ssl-portal.lanl.gov
  • Portal page has bookmarks, web browsing and SSL VPN
    • Features depend on user roles
  • SSL VPN tunnels land in the OCE network
  • Terminal sessions and file access using SSL tunnels are being evaluated

  16. Surveillance
  • Watch for users accessing unauthorized resources
  • Uses existing information:
    • HR data
    • Host registration information
    • Resource access policies
    • Logs
    • Router flows
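The pipeline on slides 10 through 16 is a single chain: directory roles (slide 10), a text policy file whose host names and service names are checked and converted to XML (slide 14), the role-to-resource mapping that yields a per-user allow-list (slides 11 and 12), and surveillance that compares observed traffic against that allow-list (slide 16). The following is an added example written for this transcript; it is not LANL's or Juniper's code. The Infranet Controller's import schema is not on the slides, so the XML element names are an assumption, as are the service table, the extra policy lines, the third role on the sample entry, the hostnames other than datawarehouse.lanl.gov, and the flow records.

```python
"""Role-based resource policy, end to end: LDIF roles -> checked policy file
-> per-user allow-list -> flow records flagged against it (added example)."""
import re
import xml.etree.ElementTree as ET

# Stand-in for /etc/services so the example runs offline (assumption).
SERVICE_PORTS = {("tcp", "http"): 80, ("tcp", "https"): 443,
                 ("tcp", "domain"): 53, ("udp", "domain"): 53}

# RFC 1123 style hostname: dot-separated labels, letters/digits/hyphens only.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")

# Constructed entry modelled on slide 10; the "Access Control Tester" role is assumed.
LDIF_ENTRY = """\
dn: employeeNumber=123456,ou=people,dc=lanl,dc=gov
cn: Edward Crane
employeeNumber: 123456
employeeType: Employee
lanlRole: Remote VPN
lanlRole: Basic Network
lanlRole: Access Control Tester
"""

# Constructed policy file in the "Role,proto://host:svc[,svc...]" form of
# slide 14. Only the first line is from the slide; the rest are assumed.
POLICY_TEXT = """\
Access Control Tester,tcp://datawarehouse.lanl.gov:http,https
Basic Network,tcp://dns.lanl.gov:domain
Basic Network,udp://dns.lanl.gov:domain
Remote VPN,tcp://ssl-portal.lanl.gov:https
"""


def parse_ldif(text):
    """Multi-valued attribute map for one LDIF entry (lanlRole repeats)."""
    entry = {}
    for line in text.splitlines():
        if ":" in line:
            attr, value = line.split(":", 1)
            entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def parse_policy(text):
    """Return {role: {(proto, host, port)}}; reject bad hosts or unknown
    services with the line number, which is the 'checked and converted' step."""
    policy = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected 'Role,proto://host:svc'")
        proto, sep, hostport = fields[1].partition("://")
        host, sep2, first_svc = hostport.rpartition(":")
        if not sep or not sep2 or proto not in ("tcp", "udp"):
            raise ValueError(f"line {lineno}: malformed resource {fields[1]!r}")
        host = host.lower()
        if not HOSTNAME_RE.match(host):
            raise ValueError(f"line {lineno}: bad hostname {host!r}")
        for svc in [first_svc] + fields[2:]:
            port = int(svc) if svc.isdigit() else SERVICE_PORTS.get((proto, svc))
            if port is None or not 0 < port < 65536:
                raise ValueError(f"line {lineno}: unknown {proto} service {svc!r}")
            policy.setdefault(fields[0], set()).add((proto, host, port))
    return policy


def policy_to_xml(policy):
    """Serialize for import. Element and attribute names are assumed, not the vendor's."""
    root = ET.Element("resource-policies")
    for role in sorted(policy):
        pol = ET.SubElement(root, "policy", role=role)
        for proto, host, port in sorted(policy[role]):
            ET.SubElement(pol, "resource", proto=proto, host=host, port=str(port))
    return ET.tostring(root, encoding="unicode")


def allowed_resources(roles, policy):
    """Union over the user's roles; a role with no policy grants nothing,
    matching the default DENY from OCE to Yellow."""
    allowed = set()
    for role in roles:
        allowed |= policy.get(role, set())
    return allowed


def flag_violations(flows, allowed_by_user):
    """Surveillance: flows whose (proto, host, port) is outside the user's allow-list."""
    return [f for f in flows
            if (f[1], f[2], f[3]) not in allowed_by_user.get(f[0], set())]


# Constructed flow records: (employeeNumber, proto, destination host, port).
FLOWS = [
    ("123456", "tcp", "datawarehouse.lanl.gov", 443),
    ("123456", "udp", "dns.lanl.gov", 53),
    ("123456", "tcp", "hrdb.lanl.gov", 1521),          # no role grants this
    ("654321", "tcp", "datawarehouse.lanl.gov", 80),   # user with no roles at all
]


def run():
    entry = parse_ldif(LDIF_ENTRY)
    policy = parse_policy(POLICY_TEXT)
    allowed = {entry["employeeNumber"][0]: allowed_resources(entry["lanlRole"], policy)}
    return policy, allowed, flag_violations(FLOWS, allowed)


if __name__ == "__main__":
    policy, allowed, bad = run()
    print(policy_to_xml(policy))
    for flow in bad:
        print("VIOLATION", flow)
```

The two flagged flows are the cases slide 16 is after: one user reaching a Yellow host no role grants, and one whose traffic should have been blocked outright because no role applies. A flow like the first is exactly the kind of gap the deployment slide reports finding in the IP ACLs, and the check is only as good as the HR data and host registration that tie an address back to a person.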

  17. Deployment and Support
  • Project started in mid-October
  • 500 VPN boxes and firewall deployed by early January
    • Found many IP ACL problems, performance, reliability
  • 4 Divisions selected for early adoption (30% of total) of access controls in January
    • Fleshed out Basic Network and Employee roles
    • Set up project issue tracking system
  • Full access control enabled over 2 weeks in mid March
  • Remote access enforced in early April
  • On-going support turned over to operations in May
    • VPN box adds and removes
    • Resource policy changes
    • User help questions

  18. Lessons Learned
  • Solution is expensive to support
    • Solution not leveraged elsewhere: unfamiliar (but powerful) technology used for a single project
    • VPN boxes on users’ desks add unnecessary complexity
  • Transition was disruptive to customers
    • Short schedule cut deployment and testing time
    • Resources people need to do their jobs were not well understood
    • Some network services not well supported
    • Project skill shortage
    • Customers not well informed

  19. What’s Next
  • Access policy federation between firewall and ssl-portal
  • PF-NET
  • Terminal sessions for remote access
  • Single / reduced signon for remote users
  • Network re-architecture project
    • Eliminate desktop VPN boxes
    • 802.1x and MAC authentication
    • Desktop agent for host integrity check
    • VLAN assignment and roles based access
    • Firewall and proxy consolidation
    • Etc.

  20. Questions?
