Published by Maud Jefferson. Modified over 6 years ago.
1
IP Filtering is Obsolete: Where do we go from here?
Rich Wenger, E-Resource Systems Manager, MIT Library
2
TOC
- In the beginning…
- The march of technology
- Playing games
- Two broad goals
- A way forward
3
In the beginning…
- Early days of the internet
- No portable devices
- Static IP addresses
- Unspoken assumptions
4
The march of technology
- Portable PCs, laptops, tablets, smart phones
- DHCP – non-static IP addresses
- Off-campus users
5
Playing games
- Virtualization at multiple levels
- Pretending that nothing had changed
- VPN and proxy servers
6
Bottom line
The assumption that an IP address = a physical location = an authenticated, authorized user is false. IP filtering is about where a user is (which is completely obscured by proxy servers and VPNs), not who the user is.
7
Bottom line
IP filtering:
- Conflates IP address with location and identity.
- Creates proprietary portals, the opposite of modern Discovery practices.
- Is a maintenance nightmare.
- Is insecure and easily exploitable.
“Without IP filtering, Scihub could not exist”*
* Atypon presentation on Piracy at SSP conference in Boston, June 2017
8
Two areas of concern
We need to:
- Improve the user experience.
- Respond to the security problems.
9
Improving the user experience
- The point of referral for authentication must be located at the providers’ sites, not in our portals.
- Affiliation defaults must be preserved across browser sessions.
- All devices must be robustly supported.
10
Security
We need to:
- Focus on who the patron is, not where they are.
- Use institutional credentials.
- Arrest the proliferation of resource-specific userids and passwords.
- Support SSO across all devices.
11
A way forward
- Federated Identity Management, robustly implemented by providers and subscribers.
- SAML-based systems (e.g. Shibboleth, OpenAthens, etc.).
- Federated metadata.
- Authentication referral at the point of need.
- Use of institutional credentials.
- Support for affiliation at multiple institutions.
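An added example, not part of the original presentation: it runs the same constructed requests through the IP-range check criticised on the "Bottom line" slides and through an affiliation check of the kind the "A way forward" slide points to. The address ranges, the `example.edu` scope, the licensed role set and all function names are assumptions; the affiliation strings follow the eduPersonScopedAffiliation format and are assumed to come from a SAML assertion that has already been validated.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample values (assumptions, not from the slides).
CAMPUS_RANGES = [ipaddress.ip_network("192.0.2.0/24")]  # range registered with a provider
LICENSED_SCOPE = "example.edu"                           # hypothetical subscriber
LICENSED_ROLES = {"student", "faculty", "staff", "library-walk-in"}  # assumed license terms

@dataclass
class Request:
    source_ip: str  # address the provider sees (may be a proxy or VPN exit)
    # eduPersonScopedAffiliation values taken from an already validated
    # SAML assertion; empty when there was no federated login.
    affiliations: list = field(default_factory=list)

def ip_filter_allows(req: Request) -> bool:
    """IP filtering: decides on where the connection appears to come from."""
    addr = ipaddress.ip_address(req.source_ip)
    return any(addr in net for net in CAMPUS_RANGES)

def federated_allows(req: Request) -> bool:
    """Federated check: decides on who the identity provider says the user is."""
    for value in req.affiliations:
        role, _, scope = value.partition("@")
        if role in LICENSED_ROLES and scope == LICENSED_SCOPE:
            return True
    return False

REQUESTS = {  # constructed requests
    "student on campus": Request("192.0.2.17", ["student@example.edu"]),
    "student at home": Request("203.0.113.40", ["student@example.edu"]),
    "no login, via campus proxy": Request("192.0.2.5"),
    "alum, via campus proxy": Request("192.0.2.5", ["alum@example.edu"]),
}

def decisions() -> dict:
    """Map each sample request to (ip_filter_result, federated_result)."""
    return {name: (ip_filter_allows(r), federated_allows(r))
            for name, r in REQUESTS.items()}

if __name__ == "__main__":
    for name, (by_ip, by_id) in decisions().items():
        print(f"{name:28} ip_filter={by_ip!s:<5} federated={by_id}")
```

The two checks disagree on three of the four requests: the IP filter turns away the licensed student at home and admits anything leaving through the campus proxy, while the affiliation check follows the person.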
12
FIM
- FIM has been available for many years, but its uptake has been halting and sporadic.
- Providers and subscribers were/are each waiting for the other to take the initiative.
- SAML-based systems are becoming ubiquitous, but the quality of implementations varies widely.
13
RA21 Initiative
RA21, a convergence of efforts by:
- STM: Scientific, Technical, and Medical publishers
- PDR: Pharma Documentation Ring
- URA: Universal Resource Access
14
RA21 Initiative
RA21:
- SAML-based Federated ID Management.
- Authentication at the point of need.
- Collaboration on a set of recommended best practices for providers and subscribers.
- Open process.
15
RA21
Addresses issues important to academic libraries:
- Privacy
- Walk-ins
- Protection of personally-identifying history and usage data
- Uneven quality of some providers’ SAML implementations
16
RA21
Improved user experience:
- Authentication at the point of need
- Single Sign On (SSO)
- Comprehensive device support
- Support for multiple institutional affiliations
17
RA21
Simplified technical environment:
- More granular control
- Federated metadata
- No need to maintain IP ranges with providers
- Reduced dependence on proxy servers
18
RA21 Challenges
- Gaining library management’s attention to this issue
- Getting buy-in and support from campus IT
- Resisting fragmentation of effort
19
RA21 Participants
- Steering Committee
- Participants
20
Case study
Improve the user experience of students and researchers
ing-the-stumbling-blocks-that-impede-researcher-access- to-e-resources/
21
A way forward
- A goal to work toward, NOT an abrupt change
- Dual stack support for the foreseeable future
- Libraries need to get involved
- If we do this carefully and well, it should be minimally disruptive to users.
22
Finis
Rich Wenger
Phone