IP Filtering is Obsolete: Where do we go from here?

Presentation transcript:

IP Filtering is Obsolete: Where do we go from here?
Rich Wenger, E-Resource Systems Manager, MIT Library

TOC
- In the beginning…
- The march of technology
- Playing games
- Two broad goals
- A way forward

In the beginning…
- Early days of the internet
- No portable devices
- Static IP addresses
- Unspoken assumptions

The march of technology
- Portable PCs, laptops, tablets, smart phones
- DHCP: non-static IP addresses
- Off-campus users

Playing games
- Virtualization at multiple levels
- Pretending that nothing had changed
- VPN and proxy servers

Bottom line
The assumption that an IP address = a physical location = an authenticated, authorized user is false. IP filtering is about where a user is (which is completely obscured by proxy servers and VPNs), not who the user is.

Bottom line
IP filtering:
- Conflates IP address with location and identity.
- Creates proprietary portals, the opposite of modern Discovery practices.
- Is a maintenance nightmare.
- Is insecure and easily exploitable.
“Without IP filtering, Scihub could not exist”*
* Atypon presentation on Piracy at the SSP conference in Boston, June 2017

Two areas of concern
We need to:
- Improve the user experience.
- Respond to the security problems.

Improving the user experience
- The point of referral for authentication must be located at the providers’ sites, not in our portals.
- Affiliation defaults must be preserved across browser sessions.
- All devices must be robustly supported.

Security
We need to:
- Focus on who the patron is, not where they are.
- Use institutional credentials.
- Arrest the proliferation of resource-specific userids and passwords.
- Support SSO across all devices.

A way forward
- Federated Identity Management, robustly implemented by providers and subscribers.
- SAML-based systems, e.g. Shibboleth, OpenAthens, etc.
- Federated metadata.
- Authentication referral at the point of need.
- Use of institutional credentials.
- Support for affiliation at multiple institutions.

FIM
- FIM has been available for many years, but its uptake has been halting and sporadic.
- Providers and subscribers were, and still are, each waiting for the other to take the initiative.
- SAML-based systems are becoming ubiquitous, but the quality of implementations varies widely.

RA21 Initiative
RA21 is a convergence of efforts by:
- STM (Scientific, Technical, and Medical publishers)
- PDR (Pharma Documentation Ring)
- URA (Universal Resource Access)

RA21 Initiative
- SAML-based Federated ID Management.
- Authentication at the point of need.
- Collaboration on a set of recommended best practices for providers and subscribers.
- Open process.

RA21
Addresses issues important to academic libraries:
- Privacy
- Walk-ins
- Protection of personally-identifying history and usage data
- Uneven quality of some providers’ SAML implementations

RA21
Improved user experience:
- Authentication at the point of need
- Single Sign On (SSO)
- Comprehensive device support
- Support for multiple institutional affiliations

RA21
Simplified technical environment:
- More granular control
- Federated metadata
- No need to maintain IP ranges with providers
- Reduced dependence on proxy servers

RA21
Challenges:
- Gaining library management’s attention to this issue
- Getting buy-in and support from campus IT
- Resisting fragmentation of effort

RA21 Participants
- Steering Committee
- Participants

Case study
Improve the user experience of students and researchers:
https://scholarlykitchen.sspnet.org/2015/11/13/dismantling-the-stumbling-blocks-that-impede-researcher-access-to-e-resources/

A way forward
- A goal to work toward, NOT an abrupt change
- Dual stack support for the foreseeable future
- Libraries need to get involved
- If we do this carefully and well, it should be minimally disruptive to users.

Finis
Rich Wenger
rwenger@mit.edu
Phone: 617-253-0035