User-group-based Security Policy for Service Layer Jianjie You Myo Zarny Christian Jacquenet

Slides:



Advertisements
Similar presentations
Designing for Pervasive Network Security. Designing for Security Our aim in this section will be to concentrate on how campus Networks can be designed.
Advertisements

Deployment Considerations for Dual-stack Lite IETF 80 Prague Yiu Lee, Roberta Magione, Carl Williams, Christian Jacquenet Mohamed Boucadair.
Guide to Network Defense and Countermeasures Second Edition
1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
January 23-26, 2007 Ft. Lauderdale, Florida IP Communications, Secure – By Design Roger W. Farnsworth.
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
Controlling access with packet filters and firewalls.
Chapter 7 Firewalls. Firewall Definition  A network device that enforces network access control based upon a defined security policy.
Security Awareness: Applying Practical Security in Your World
This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
WIRELESS SECURITY DEFENSE T-BONE & TONIC: ALY BOGHANI JOAN OLIVER MIKE PATRICK AMOL POTDAR May 30, /30/2009.
Chapter 5 Secure LAN Switching.  MAC Address Flooding Causing CAM Overflow and Subsequent DOS and Traffic Analysis Attacks.
Institute of Technology, Sligo Dept of Computing Semester 3, version Semester 3 Chapter 3 VLANs.
Networking Components
Secure Network Design: Designing a Secure Local Area Network IT352 | Network Security |Najwa AlGhamdi1 Case Study
A Survey on Interfaces to Network Security
Virtual LANs. VLAN introduction VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless.
© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 10 – Implementing the Cisco Adaptive Security.
Virtual Private Network prepared by Rachna Agrawal Lixia Hou.
Uday O. Ali Pabrai, CISSP, CHSS Chief executive, HIPAA Academy Health care & HIPAA Security Remediation.
Network Security (Firewall) Instructor: Professor Morteza Anvari Student: Xiuxian Chen ID: Term: Spring 2001.
Networking Components
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.
Configuring Routing and Remote Access(RRAS) and Wireless Networking
NW Security and Firewalls Network Security
Chapter 20: Getting from the Office to the Road: VPNs BAI617.
1 Deployment of Computer Security in an Organization CE-408 Sir Syed University of Engineering & Technology 99-CE-282, 257 & 260.
Light Weight Access Point Protocol (LWAPP) IETF 57 Pat Calhoun, Airespace.
Semester 3, v Chapter 3: Virtual LANs
 Computer Networking Computer Networking  Networking terminology Networking terminology  Client Server Model Client Server Model  Types of Networks.
– Chapter 5 – Secure LAN Switching
Network Security Lecture 9 Presented by: Dr. Munam Ali Shah.
11 SECURING YOUR NETWORK PERIMETER Chapter 10. Chapter 10: SECURING YOUR NETWORK PERIMETER2 CHAPTER OBJECTIVES  Establish secure topologies.  Secure.
Module 11: Remote Access Fundamentals
Chapter 8: Virtual LAN (VLAN)
© 2006 Cisco Systems, Inc. All rights reserved. Cisco IOS Threat Defense Features.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Introducing Network Design Concepts Designing and Supporting Computer Networks.
Vic Liu Liang Xia Zu Qiang Speaker: Vic Liu China Mobile Network as a Service Architecture draft-liu-nvo3-naas-arch-01.
April 09, 2008 The Demilitarized Zone as an Information Protection Network, By Parvathy Subramanian 1 The Demilitarized Zone as an Information Protection.
Securing the Network Infrastructure. Firewalls Typically used to filter packets Designed to prevent malicious packets from entering the network or its.
Data Communications and Networks Chapter 10 – Network Hardware and Software ICT-BVF8.1- Data Communications and Network Trainer: Dr. Abbes Sebihi.
Cisco S3C3 Virtual LANS. Why VLANs? You can define groupings of workstations even if separated by switches and on different LAN segments –They are one.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Introducing Network Design Concepts Designing and Supporting Computer Networks.
Chapter 3 - VLANs. VLANs Logical grouping of devices or users Configuration done at switch via software Not standardized – proprietary software from vendor.
Security fundamentals Topic 10 Securing the network perimeter.
Chapter 9: Implementing the Cisco Adaptive Security Appliance
NETWORK COMPONENTS BY REYNALDO ZAMORA. HUB Hubs are devices that serve as the central connection for a network. Its job is to send data from one computer.
VPN. CONFIDENTIAL Agenda Introduction Types of VPN What are VPN Tokens Types of VPN Tokens RSA How tokens Work How does a user login to VPN using VPN.
ORNL Site Report ESCC July 15, 2013 Susan Hicks David Wantland.
SDN and Beyond Ghufran Baig Mubashir Adnan Qureshi.
This courseware is copyrighted © 2016 gtslearning. No part of this courseware or any training material supplied by gtslearning International Limited to.
KAPLAN SCHOOL OF INFORMATION SYSTEMS AND TECHNOLOGY IT375 Window Enterprise Administration Course Name – IT Introduction to Network Security Instructor.
“Enterprise Network Design and Implementation for Airports” Master’s Thesis - Ashraf Ali Department of Computing and Information Sciences This project.
Security fundamentals
Rabobank IPv6 numberplan
Chapter 7. Identifying Assets and Activities to Be Protected
CompTIA Security+ Study Guide (SY0-401)
User-group-based Security Policy for Service Layer
Requirements for Client-facing Interface to Security controller draft-ietf-i2nsf-client-facing-interface-req-00 Rakesh Kumar Juniper networks.
Firewall – Survey Purpose of a Firewall Characteristic of a firewall
“Enterprise Network Design and Implementation for Airports” Master’s Thesis: By Ashraf Ali and advised by professor Nicholas Rosasco Introduction Practical.
Virtual LANs.
CompTIA Security+ Study Guide (SY0-401)
IS4550 Security Policies and Implementation
Virtual Private Network
SurfCFCC Secure Wireless Access For Students, Faculty, and Staff.
Chapter 3 VLANs Chaffee County Academy
Introduction to Network Security
Presentation transcript:

User-group-based Security Policy for Service Layer Jianjie You Myo Zarny Christian Jacquenet Mohamed Boucadair Yizhou Li ) Sumandra Majee draft-you-i2nsf-user-group-based-policy-00 IETF94 Yokohama

Nanjing Beijing Silicon Valley Controller WAN/Internet User: xxx Location: Beijing Network Resource Increasing demands of business mobility, anytime, anywhere collaboration, etc. introducing challenges to network security management and enforcement IETF94 Yokohama 2 Newer Network Paradigms

ACL, VLAN IETF94 Yokohama 3 Traditional Network Access Control Access the network typically from their own static location – from their assigned switch, VLAN, IP subnet, etc. MAC or IP address of the users’ device is often used as a proxy for the user’s identity. As such, filtering (e.g., via ACLs) of the user is usually based on IP or MAC addresses. Authentication of the user by the network, typically takes place only at the ingress switch Network security functions such as firewalls often act only on IP addresses and ports - not on user identity.

ACL, VLAN IETF94 Yokohama 4 Challenges for Traditional NAC Both clients and servers can move and change their IP addresses on a regular basis Need to apply different security policies to the same set of users under different circumstances Implementation of coherent security policy across several network and network security devices is almost impossible.

IETF94 Yokohama 5 UAPC Framework The User-group Aware Policy Control (UAPC) approach is intended to facilitate the consistent enforcement of policies, e.g., whether these terminal devices connect to a wired or a wireless infrastructure, security policies should be enforced consistently based on their user-group identities.

IETF94 Yokohama 6 UAPC Framework Goal: Apply appropriate user-group identity-based network security policies on NSFs throughout the network

IETF94 Yokohama 7 UAPC Functional Entities  Policy Server  Holds user-group placement criteria by which users are assigned to their user- group  Holds rule base of what each user-group has access to  Security Controller  Coordinates various network security-related tasks on NSFs under its domain  Network Security Functions  Packet classification  Policy enforcement  Presents I2NSF Capability Layer APIs

IETF94 Yokohama 8 User Group  Identifier that represents the collective identity of a group of users  Determined by predefined policy criteria (e.g., source IP, geolocation, time of day, device certificate, etc.)  Used in lieu of IP, MAC addresses, etc. Group NameGroup IDGroup Definition R&D10R&D employees R&D BYOD11 Personal devices of R&D employees Sales20Sales employees VIP30VIP employees Workflow40 IP addresses of Workflow resource servers R&D Resource50 IP addresses of R&D resource servers Sales Resource54 IP addresses of Sales resource servers

9 Inter-Group Policy Enforcement Key components 1.User-group-to-user-group access policies – think “firewall rule-base but with user-groups instead of IPs and ports” 2.Sets of NSFs on which individual policies need to be applied IETF94 Yokohama

10 Inter-Group Policy IETF94 Yokohama User using an unregistered device Executive Demilitarized zone (DMZ) General service Common service Limited service Important service Core service Authentication domain Unauthorized user Insecure user Guest Common BYOD user Partner User at office hours User at non-office hours Figure 2: Sample Authorization Rules for User-group Aware Policy Control

11 UAPC Implementation IETF94 Yokohama 1.User-group identification policies and inter-user-group access polices on the Policy Server are managed by the authorized team(s). 2.The user-group-based policies are implemented on the NSFs under the Security Controller’s management. 3.When a given user first comes up on the network, the user is authenticated at the ingress switch. 4.If the authentication is successful, the user is placed in a user-group, as determined by the Policy Server. 5.The user’s subsequent traffic is allowed or permitted based on the user-group ID by the NSFs per the inter-user-group access policies

12 Requirements for I2NSF IETF94 Yokohama Key aspects of the UAPC framework falls within the Service Layer of the I2NSF charter. If the community adopts the approach as one possible framework for the Service Layer, the I2NSF Service Layer MUST support at least the following northbound APIs (NBIs):  The user-group classification policy database on the Policy Server  The inter-user-group access policy rule-base on the Policy Server  The inventory of NSFs under management by the Security Controller.  The list of NSFs on which a given inter-user-group policy is to be implemented by the Security Controller.

Next Steps Solicit comments and suggestions on the mailing list Encourage implementation specific drafts IETF94 Yokohama 13

Thank you! IETF94 Yokohama

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.