Presentation is loading. Please wait.

Presentation is loading. Please wait.

User-group-based Security Policy for Service Layer Jianjie You Myo Zarny Christian Jacquenet

Published byBartholomew Gray Modified over 8 years ago

Similar presentations

Presentation on theme: "User-group-based Security Policy for Service Layer Jianjie You Myo Zarny Christian Jacquenet"— Presentation transcript:

1 User-group-based Security Policy for Service Layer Jianjie You (youjianjie@huawei.com) Myo Zarny (myo.zarny@gs.com) Christian Jacquenet (christian.jacquenet@orange.com) Mohamed Boucadair (mohamed.boucadair@orange.com) Yizhou Li (liyizhou@huawei.com ) Sumandra Majee (S.Majee@f5.com) draft-you-i2nsf-user-group-based-policy-00 IETF94 Yokohama

2 Nanjing Beijing Silicon Valley Controller WAN/Internet User: xxx Location: Beijing Network Resource Increasing demands of business mobility, anytime, anywhere collaboration, etc. introducing challenges to network security management and enforcement IETF94 Yokohama 2 Newer Network Paradigms

3 ACL, VLAN IETF94 Yokohama 3 Traditional Network Access Control Access the network typically from their own static location – from their assigned switch, VLAN, IP subnet, etc. MAC or IP address of the users’ device is often used as a proxy for the user’s identity. As such, filtering (e.g., via ACLs) of the user is usually based on IP or MAC addresses. Authentication of the user by the network, typically takes place only at the ingress switch Network security functions such as firewalls often act only on IP addresses and ports - not on user identity.

4 ACL, VLAN IETF94 Yokohama 4 Challenges for Traditional NAC Both clients and servers can move and change their IP addresses on a regular basis Need to apply different security policies to the same set of users under different circumstances Implementation of coherent security policy across several network and network security devices is almost impossible.

5 IETF94 Yokohama 5 UAPC Framework The User-group Aware Policy Control (UAPC) approach is intended to facilitate the consistent enforcement of policies, e.g., whether these terminal devices connect to a wired or a wireless infrastructure, security policies should be enforced consistently based on their user-group identities.

6 IETF94 Yokohama 6 UAPC Framework Goal: Apply appropriate user-group identity-based network security policies on NSFs throughout the network

7 IETF94 Yokohama 7 UAPC Functional Entities  Policy Server  Holds user-group placement criteria by which users are assigned to their user- group  Holds rule base of what each user-group has access to  Security Controller  Coordinates various network security-related tasks on NSFs under its domain  Network Security Functions  Packet classification  Policy enforcement  Presents I2NSF Capability Layer APIs

8 IETF94 Yokohama 8 User Group  Identifier that represents the collective identity of a group of users  Determined by predefined policy criteria (e.g., source IP, geolocation, time of day, device certificate, etc.)  Used in lieu of IP, MAC addresses, etc. Group NameGroup IDGroup Definition R&D10R&D employees R&D BYOD11 Personal devices of R&D employees Sales20Sales employees VIP30VIP employees Workflow40 IP addresses of Workflow resource servers R&D Resource50 IP addresses of R&D resource servers Sales Resource54 IP addresses of Sales resource servers

9 9 Inter-Group Policy Enforcement Key components 1.User-group-to-user-group access policies – think “firewall rule-base but with user-groups instead of IPs and ports” 2.Sets of NSFs on which individual policies need to be applied IETF94 Yokohama

10 10 Inter-Group Policy IETF94 Yokohama User using an unregistered device Executive Demilitarized zone (DMZ) General service Common service Limited service Important service Core service Authentication domain Unauthorized user Insecure user Guest Common BYOD user Partner User at office hours User at non-office hours Figure 2: Sample Authorization Rules for User-group Aware Policy Control

11 11 UAPC Implementation IETF94 Yokohama 1.User-group identification policies and inter-user-group access polices on the Policy Server are managed by the authorized team(s). 2.The user-group-based policies are implemented on the NSFs under the Security Controller’s management. 3.When a given user first comes up on the network, the user is authenticated at the ingress switch. 4.If the authentication is successful, the user is placed in a user-group, as determined by the Policy Server. 5.The user’s subsequent traffic is allowed or permitted based on the user-group ID by the NSFs per the inter-user-group access policies

12 12 Requirements for I2NSF IETF94 Yokohama Key aspects of the UAPC framework falls within the Service Layer of the I2NSF charter. If the community adopts the approach as one possible framework for the Service Layer, the I2NSF Service Layer MUST support at least the following northbound APIs (NBIs):  The user-group classification policy database on the Policy Server  The inter-user-group access policy rule-base on the Policy Server  The inventory of NSFs under management by the Security Controller.  The list of NSFs on which a given inter-user-group policy is to be implemented by the Security Controller.

13 Next Steps Solicit comments and suggestions on the mailing list Encourage implementation specific drafts IETF94 Yokohama 13

14 Thank you! IETF94 Yokohama

Download ppt "User-group-based Security Policy for Service Layer Jianjie You Myo Zarny Christian Jacquenet"

Similar presentations

Designing for Pervasive Network Security. Designing for Security Our aim in this section will be to concentrate on how campus Networks can be designed.

Designing for Pervasive Network Security. Designing for Security Our aim in this section will be to concentrate on how campus Networks can be designed.
Deployment Considerations for Dual-stack Lite IETF 80 Prague Yiu Lee, Roberta Magione, Carl Williams, Christian Jacquenet Mohamed Boucadair.

Deployment Considerations for Dual-stack Lite IETF 80 Prague Yiu Lee, Roberta Magione, Carl Williams, Christian Jacquenet Mohamed Boucadair.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.

1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
January 23-26, 2007 Ft. Lauderdale, Florida IP Communications, Secure – By Design Roger W. Farnsworth.

January 23-26, 2007 Ft. Lauderdale, Florida IP Communications, Secure – By Design Roger W. Farnsworth.
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.

6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
Controlling access with packet filters and firewalls.

Controlling access with packet filters and firewalls.
Chapter 7 Firewalls. Firewall Definition  A network device that enforces network access control based upon a defined security policy.

Chapter 7 Firewalls. Firewall Definition  A network device that enforces network access control based upon a defined security policy.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
WIRELESS SECURITY DEFENSE T-BONE & TONIC: ALY BOGHANI JOAN OLIVER MIKE PATRICK AMOL POTDAR May 30, 2009 05/30/2009.

WIRELESS SECURITY DEFENSE T-BONE & TONIC: ALY BOGHANI JOAN OLIVER MIKE PATRICK AMOL POTDAR May 30, /30/2009.
Chapter 5 Secure LAN Switching.  MAC Address Flooding Causing CAM Overflow and Subsequent DOS and Traffic Analysis Attacks.

Chapter 5 Secure LAN Switching.  MAC Address Flooding Causing CAM Overflow and Subsequent DOS and Traffic Analysis Attacks.
Institute of Technology, Sligo Dept of Computing Semester 3, version 2.1.3 Semester 3 Chapter 3 VLANs.

Institute of Technology, Sligo Dept of Computing Semester 3, version Semester 3 Chapter 3 VLANs.
Networking Components

Networking Components
Secure Network Design: Designing a Secure Local Area Network IT352 | Network Security |Najwa AlGhamdi1 Case Study

Secure Network Design: Designing a Secure Local Area Network IT352 | Network Security |Najwa AlGhamdi1 Case Study
A Survey on Interfaces to Network Security

A Survey on Interfaces to Network Security
Virtual LANs. VLAN introduction VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless.

Virtual LANs. VLAN introduction VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless.
© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 10 – Implementing the Cisco Adaptive Security.

© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 10 – Implementing the Cisco Adaptive Security.
Virtual Private Network prepared by Rachna Agrawal Lixia Hou.

Virtual Private Network prepared by Rachna Agrawal Lixia Hou.

Similar presentations

Ads by Google