Roles Based Network Access Controls
James R. Clifford, Los Alamos National Laboratory
Outline
• Problem: Control foreign national access to sensitive data
  • 700+ FN in 25 organizations, 80 buildings, 12 technical areas
• Solution
  • Create separate network with minimal sensitive data
• Implementation
• Deployment and Support
• Lessons Learned
• Future Directions
Direction
• “Further, the Laboratory is now developing a segregated unclassified computer network for utilization by our foreign national employees. This network will allow for greater control over what types and how information can be accessed while still allowing for important scientific research to be accomplished.”
  - LANL Director Michael Anastasio, testimony to the House Energy and Commerce Committee, September 28, 2008
LANL Network 2008 (network diagram; labels only)
• Turquoise: Visitor network, on-site visitor access
• Green: Open Network, scientific collaboration (segmented), public Internet presence
• Yellow Network (Unclassified-Protected): Central Services, General User, Restricted Subnets with limited amounts of and tight controls on presence of sensitive information
• External links: I-2 1 GE, Internet, 10GE ESNet
Design
• Create a new “Open Collaboration Enclave” (OCE) using VPN overlay
• Connect new OCE network with a firewall
• Add “Radius server on steroids”
• Define roles and resource policies
• Add remote web and VPN solution
LANL Network 2009 (network diagram; labels only)
• Turquoise: Visitor network, on-site visitor access
• Green: Open Network, scientific collaboration (segmented), public Internet presence
• Yellow Network (Unclassified-Protected): Central Services, General User; limited amounts of and tight controls on presence of sensitive information
• OCE (new Open Collaboration Enclave)
• External links: I-2 1 GE, Internet, 10GE ESNet
OCE Network Components (diagram; labels only)
• Infranet Controller, with RADIUS, LDAP, Syslog and Mgt services
• Netscreen FW between the OCE, the Yellow Network and the Internet
• Customer LANs: Desktops, Printers, VPN boxes
• SSL Portal
Firewall Policy
• PERMIT policy except for OCE to Yellow
• Core policy allows DNS, AD, backups - 140 rules
  • Rules include: protocol, destination IP address, port(s)
  • Includes services required for user logins
• Role based policy rule
  • Default DENY OCE to Yellow
  • Web captive portal sets up roles based firewall policy
  • Users must be able to login so they can run a browser
  • Assumes a single user client system
Infranet Controller - RADIUS on Steroids
• Uses existing RADIUS and LDAP services
  • Can also use MS Active Directory
• Users get roles based on directory information
  • Can also use network location, host integrity
• Resource Policy (firewall) rules are based on Roles
LDAP Example
  dn: employeeNumber=123456,ou=people,dc=lanl,dc=gov
  cn: Edward Crane
  departmentNumber: ABC-1
  employeeNumber: 123456
  employeeType: Employee
  lanlRole: Juniper RO Administrator
  lanlRole: Remote VPN
  lanlRole: Basic Network
Role Member Management
• HR data determines Employee and organization role data
• Basic Network role created when user gets a network account
• Import role data from resource owner, e.g. High Performance Computing
• Users may select roles within business rules, e.g. Remote VPN
• Ad hoc role management
  • Uses lanlRole attribute value
  • Role owner (and delegates) use web page to add/remove members
  • Directory updates are in real time
• Roles removed when person terminates
Resource Access Policy Management
• Resources in list determined by the role/resource owner
• Managed as a text file by network operations, one resource per line:
    Access Control Tester,tcp://datawarehouse.lanl.gov:http,https
• Converted to XML
  • Host names and ports checked and converted
  • XML imported into Infranet Controller
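As an added illustration (not the deck's or LANL's own tooling), the text-to-XML step in Python: parse the one-line-per-resource format shown above, check host name syntax, map service names to ports, and emit XML. The XML element names and the service table are assumptions; the page does not show the Infranet Controller's import schema.

```python
import re
import xml.etree.ElementTree as ET

# Assumed service-name table standing in for the port check the slide mentions.
SERVICE_PORTS = {"http": 80, "https": 443, "ssh": 22, "ldap": 389, "ldaps": 636}
# Syntax-only host name check (assumption: the real converter also resolved the name).
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)

def parse_resource_line(line):
    """Parse 'Role Name,proto://host:svc[,svc...]' into (role, proto, host, [ports])."""
    role, _, spec = line.partition(",")
    m = re.match(r"^(tcp|udp)://([^:/]+):(.+)$", spec.strip(), re.I)
    if not role.strip() or not m:
        raise ValueError(f"bad resource line: {line!r}")
    proto, host, svcs = m.group(1).lower(), m.group(2).lower(), m.group(3)
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"invalid host name: {host!r}")
    ports = []
    for svc in svcs.split(","):
        svc = svc.strip().lower()
        if svc.isdigit() and 0 < int(svc) < 65536:
            ports.append(int(svc))          # numeric port given directly
        elif svc in SERVICE_PORTS:
            ports.append(SERVICE_PORTS[svc])  # service name converted to its port
        else:
            raise ValueError(f"unknown service or port: {svc!r}")
    return role.strip(), proto, host, ports

def resource_list_to_xml(text):
    """Convert the operations text file into an XML document (assumed element names)."""
    root = ET.Element("resource-policies")
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank and comment lines
        role, proto, host, ports = parse_resource_line(line)
        policy = ET.SubElement(root, "policy", role=role)
        for port in ports:
            ET.SubElement(policy, "resource", protocol=proto, host=host, port=str(port))
    return ET.tostring(root, encoding="unicode")

# Constructed input in the slide's format; the first data line is the slide's own example.
SAMPLE = """# role,proto://host:port[,port...]
Access Control Tester,tcp://datawarehouse.lanl.gov:http,https
Basic Network,udp://ns1.example.lanl.gov:53
"""

if __name__ == "__main__":
    print(resource_list_to_xml(SAMPLE))
```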
Remote Access: ssl-portal
• https://ssl-portal.lanl.gov
• Portal page has bookmarks, web browsing and SSL VPN
• Features depend on user roles
• SSL VPN tunnels land in the OCE network
• Terminal sessions and file access using SSL tunnels are being evaluated
Surveillance
• Watch for users accessing unauthorized resources
• Uses existing information:
  • HR data
  • Host registration information
  • Resource access policies
  • Logs
  • Router flows
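An added example (not LANL's code) that ties the Firewall Policy, LDAP Example and Surveillance slides together in Python: roles are read from lanlRole values in a constructed LDIF, OCE-to-Yellow traffic is checked against the core rules and then the role rules with default DENY, and constructed router flows are matched to users through host registration so that flows the policy does not cover are flagged. The addresses, the Yellow network range and the per-role rules are constructed stand-ins.

```python
import ipaddress

# Constructed LDIF in the shape of the deck's LDAP example; roles are lanlRole values.
LDIF = """dn: employeeNumber=123456,ou=people,dc=lanl,dc=gov
cn: Edward Crane
lanlRole: Basic Network
lanlRole: Access Control Tester

dn: employeeNumber=654321,ou=people,dc=lanl,dc=gov
lanlRole: Basic Network
"""
HOST_REG = {"10.10.1.5": "123456", "10.10.1.9": "654321"}  # OCE desktop -> registered user
CORE_RULES = {("udp", "10.0.0.53", 53), ("tcp", "10.0.0.10", 389), ("tcp", "10.0.0.10", 88)}  # login services; constructed
ROLE_RULES = {"Access Control Tester": {("tcp", "10.0.5.20", 80), ("tcp", "10.0.5.20", 443)}}  # per-role resource policies
YELLOW = ipaddress.ip_network("10.0.0.0/16")  # constructed stand-in for the Yellow network

def parse_ldif_roles(ldif):
    """Map employeeNumber -> set of lanlRole values, one entry per blank-line block."""
    roles, emp = {}, None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            emp = line.split("employeeNumber=", 1)[1].split(",", 1)[0]
            roles[emp] = set()
        elif line.startswith("lanlRole: ") and emp:
            roles[emp].add(line[len("lanlRole: "):].strip())
    return roles

def permitted(user_roles, proto, dst, port):
    """Firewall decision: PERMIT except OCE -> Yellow, where core rules, then role rules, else DENY."""
    if ipaddress.ip_address(dst) not in YELLOW:
        return True
    if (proto, dst, port) in CORE_RULES:
        return True
    return any((proto, dst, port) in ROLE_RULES.get(r, ()) for r in user_roles)

def flag_unauthorized(flows, roles_by_emp):
    """Surveillance: flows from unregistered hosts or to destinations the user's roles do not cover."""
    hits = []
    for src, dst, proto, port in flows:
        emp = HOST_REG.get(src)
        if emp is None or not permitted(roles_by_emp.get(emp, set()), proto, dst, port):
            hits.append((src, emp, proto, dst, port))
    return hits

# Constructed router flow records: (src, dst, proto, dst_port).
FLOWS = [("10.10.1.5", "10.0.5.20", "tcp", 443),  # tester -> data warehouse: allowed by role
         ("10.10.1.9", "10.0.5.20", "tcp", 443),  # Basic Network user, same host: flagged
         ("10.10.1.9", "10.0.0.53", "udp", 53),   # DNS from the core policy: allowed
         ("10.10.1.7", "10.0.0.10", "tcp", 389),  # unregistered host: flagged
         ("10.10.1.9", "192.0.2.10", "tcp", 80)]  # not Yellow: permitted by default
```

Running `flag_unauthorized(FLOWS, parse_ldif_roles(LDIF))` returns the two flagged flows; in practice the host registration and role data would come from the directory and HR feeds the slide lists.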
Deployment and Support
• Project started in mid-October
• 500 VPN boxes and firewall deployed by early January
  • Found many problems: IP ACLs, performance, reliability
• 4 divisions (30% of total) selected for early adoption of access controls in January
  • Fleshed out Basic Network and Employee roles
  • Set up project issue tracking system
• Full access control enabled over 2 weeks in mid-March
• Remote access enforced in early April
• On-going support turned over to operations in May
  • VPN box adds and removes
  • Resource policy changes
  • User help questions
Lessons Learned
• Solution is expensive to support
  • Not leveraging the solution: unfamiliar (but powerful) technology used for one project
  • VPN boxes on users’ desks add unnecessary complexity
• Transition was disruptive to customers
  • Short schedule shortened deployment and testing time
  • Resources people need to do their job were not well understood
  • Some network services not well supported
  • Project skill shortage
  • Customers not well informed
What’s Next
• Access policy federation between firewall and ssl-portal
• PF-NET
• Terminal sessions for remote access
• Single / reduced sign-on for remote users
• Network re-architecture project
  • Eliminate desktop VPN boxes
  • 802.1x and MAC authentication
  • Desktop agent for host integrity check
  • VLAN assignment and roles based access
  • Firewall and proxy consolidation
  • Etc.