IF-MAP Overview Jan Ursi Technical Director EMEA
advertisement
IF-MAP Overview Jan Ursi Technical Director EMEA © 2009 Infoblox Inc. All Rights Reserved. IF-MAP: A Powerful New Standard IF-MAP = Interface to Metadata Access Points An open protocol standard published (free) by the Trusted Computing Group – Available since April, 2008 – Version 2.0 released August, 2010 Pub/sub database - Like Facebook for IP devices and systems Supports a wide array of applications: – – – – – Multi-Vendor Network Security (NAC) Compliance Management Asset Management Smart Grid Network Automation / Cloud Computing Could do for data sharing what IP did for connectivity © 2009 Infoblox Inc. All Rights Reserved. The Integration Challenge ERP SIEM Smart Grid Supply Chain Mgmt AAA Switches Routers Network Location CMDB Building Controls Factory Controls Network Security DNS, DHCP Asset Mgmt CRM IPAM Infrastructure Management HR Applications SNMP, Syslog, Netflow • Complex • Costly Custom Integration – API’s, Scripts • Brittle • High Maintenance © 2010 Infoblox Inc. All Rights Reserved. From Integration to Orchestration with IF-MAP SIEM Smart Grid Supply Chain Mgmt IF-MAP Protocol AAA Switches Routers Network Location CMDB ERP Building Controls Factory Controls Network Security DNS, DHCP Infrastructure Management Asset Mgmt CRM IPAM HR Applications (Publish, Subscribe, Search) IF-MAP Server Automatically aggregates, correlates, and distributes data to and from different systems, in real time © 2010 Infoblox Inc. All Rights Reserved. Today, Systems Share the IP Network, But Don’t Share Data Network Security Physical Security Network Location … Provisioning, Visualization & Analytics (Management) Decisions (Control) Sensors & Actuators © 2009 Infoblox Inc. All Rights Reserved. IF-MAP Doesn’t Replace Existing Systems & Applications – It Enables Them to Easily Share Data Network Security Physical Security Network Location … Provisioning, Visualization & Analytics (Management) IF-MAP Server Decisions (Control) Sensors & Actuators © 2009 Infoblox Inc. All Rights Reserved. Many New Applications are Emerging – Just the Tip of the Iceberg… Physical Network Security Cyber/Physical Security IT Automation (CyPhy) Provisioning, Convergence Visualization & Analytics Don’t allow users Track the location and status of all IT assets to connect to the (Management) MAP network if they haven’t badged Database into the building Decisions Don’t allow a (Control) wireless device to connect if its located outside of the building (IPs, MACs, devices, hardware, VMs, apps, users, etc.) in real time Allocate assets on the fly, dynamically reprovision data centers Asset Management Cloud … Computing Federate authentication and authorization status across private & public clouds Move computing workloads to the cloud when prices drop Sensors & Actuators © 2009 Infoblox Inc. All Rights Reserved. Vendor Support for IF-MAP is Growing IF-MAP Client IF-MAP Server Vendor Product/Function Avail Byre Security SCADA Security X Now Great Bay Endpoint Discovery X Now Hirsch Electronics Physical Access Control X Now Infoblox DHCP Server (NIOS) X Now Infoblox Orchestration Server (IBOS) Juniper Infranet Controller (Policy Server) X Logisense Registration Portal, Billing System X Now Lumeta Network Discovery & Leak Detection X Now Mikado NAC Solution X H1-11 NCP VPN Client X H1-11 Open Source IF-MAP Client Stack (PERL) X Now Open Source IF-MAP Client Stack (C++) X Q1-11 Open Source IF-MAP Server (Omapd, Irond) Open Source SNMP/IF-MAP Bridge X Now Q1 Labs SIEM X Q1-11 X Now X Now X Now © 2009 Infoblox Inc. All Rights Reserved. Some Infoblox IF-MAP Projects Large Aircraft Manufacturer (In Production) – Security for factory control (SCADA) traffic over wireless factory network – Firewall configurations loaded dynamically from IF-MAP server – Uses firewall/VPN gateways from Byres Security (Tofino) Software Development Company (In Production) – Network access control without software agents on endpoints – Uses Infoblox DHCP server, Juniper UAC, Juniper firewalls Las Vegas Hotel and Casino (In Production) – Differentiated IP services for every room (3000 Juniper firewalls) – Uses Infoblox DHCP, Juniper UAC and firewalls (3000), Logisense registration/billing portal Global Bank (Starting Rollout) – Dynamic, secure desktops – deploying to 8000 users – Uses QIP DHCP, Juniper UAC and firewalls JANET - National ISP for Higher Education in UK (Pilot) – Federation of authentication data for EDUROAM service – Uses IF-MAP federation Real-Time CMDB (Pilot) – Real-time discovery of devices joining the network – Uses Infoblox DHCP, IF-MAP client and OneCMDB (Open Source CMDB) © 2009 Infoblox Inc. All Rights Reserved. IF-MAP Protocol Overview © 2009 Infoblox Inc. All Rights Reserved. Unique Characteristics Cited by IF-MAP Supporters 1. Open, standard protocol 2. Lightweight, easy to implement 3. No global schema – supports emergent structures 4. Pub/sub paradigm © 2009 Infoblox Inc. All Rights Reserved. IF-MAP Components IF-MAP Client(s) IF-MAP Server employeeattribute = active distinguishedname = C=US, O=myco, OU=people, CN=12534 User Name = John Doe Department = Sales failed-login-attempts = 3, login-status = allowed role = access-finance-serverallowed 3 MAP Client Operations: Publish Subscribe Search 3 MAP Server Objects: Identifiers Links Metadata © 2009 Infoblox Inc. All Rights Reserved. IF-MAP Access Operations Publish: Tell others that…<metadata…> – Clients store metadata into MAP for others to see Example: Authentication server publishes when a user logs in (or out) Search: Tell me if…match(metadata pattern) – Clients retrieve published metadata associated with a particular identifier and linked identifiers Example: An application can request the current physical location of the user Subscribe: Tell me when…match(metadata pattern) – Clients request asynchronous results for searches that match when others publish new metadata Example: Tell me when any user’s status goes from “employee” to “terminated” © 2009 Infoblox Inc. All Rights Reserved. IF-MAP Server Objects Identifiers Links All objects are represented by unique identifiers Connote relationships between pairs of identifiers Metadata Attributes attached to Identifiers or Links Typical Data Types: – Identifiers: Identity, IP address, MAC address, Session ID, Device – Metadata: – AAA info (authenticated, role, capabilities/policies) – Device info (AV running, OS level, screen size, etc.) – Event info (unauthorized access attempt, etc.), – Layer 2 info (port, VLAN), location, etc. – Many others, plus user-defined © 2009 Infoblox Inc. All Rights Reserved. Basic Components of MAP Content Identifiers Metadata Link © 2009 Infoblox Inc. All Rights Reserved. IF-MAP Use cases © 2009 Infoblox Inc. All Rights Reserved. Use Case – Solution for Policy-Based Remote Access 192.0.2.7 User= John Windows 802.1X Client 00:11:22:33:44:55 1- Endpoint plugs-in 2- SW sends EAP Start 3- Supplicant sends credentials MAP Database 10- Endpoint requests DHCP identity = John 14- Endpoint generates traffic Accessrequestmac 11-DHCP sends MAC-IP metadata Infobox HA Pair DHCP/DNS Appliance to MAP 9- SW opens port MAC = 00:11:22: 33:44:55 IP-MAC Cisco 3750 Switch 8- UAC sends RADIUS accept to SW 4- SW sends RADIUS Credential to UAC 6- UAC publishes To MAP Juniper SSG Firewall 13- UAC activates L3 access on FW. Infobox HA Pair MAP Server Authenticatedas IP= 192.0.2.7 7- UAC subscribes to MAP 12-MAP sends IPMAC to UAC CHANGE? CHANGE! Juniper IC 4000 UAC 5- UAC does Auth. Lookup Private Applications IF-MAP AAA Accessrequest = 113:3 Capability = access-privateapplications © 2009 Infoblox Inc. All Rights Reserved. Use Case – Integrated Network / Physical Security Solution Secure Zone 1 Zone 2 MAP Database location = Zone 2 1 Hirsch System (Physical Sensor) Publish: John in Zone 1 Access Request authenticated identity = John Publish: John in Zone 2 Cisco 3750 Switch Grants Access Request Infoblox MAP Server CHANGE? CHANGE! Publish: John is Authenticated; Session ID 113:3 Subscribe: Changes to Session 113:3 Policy Violation: Access Cut Off Juniper SSG Firewall Classified Network Subscription Update: John in Zone 2 Publish (delete): John is Authenticated Accessrequest = 113:3 Juniper IC 4000 UAC Appliance 1011122456789Hirsch UAC Employee UAC MAPgrants publishes Subscribes reader updates publishes system connects leaves access publishes firewall publishes UAC tothe to Zone the the to about to update MAP the policy the 1, MAP to while corporate the update classified server to the server to the still MAP block to MAP logged network the network server access change MAP in 3requests for access to the network 1- Card (John) enters zone 1location © 2009 Infoblox Inc. All Rights Reserved. Use Case: Real-Time CMDB MANAGED NETWORK 10.0.1.57 Infoblox DHCP Server ish e Dis co Upda te CMD B CMDB very MAC = 00:11:11: 33:44:55 MAP Database Invok Topology Builder CMDB SERVER IP-MAC Infoblox MAP Server MAP Client Discovery Engine IP-MAC IP= 10.0.1.17 IP= 10.0.1.57 Publ Discovery Results DISCOVERY SENSORS / AGENTS MAC = 00:11:22: 33:44:55 MAC = 00:11:AA: 33:44:55 IP= 10.0.1.55 IP-MAC © 2009 Infoblox Inc. All Rights Reserved. Use Case: SCADA Security • IP-based industrial control traffic shares the general IT network in the factory • “Endboxes” provide VPN/firewall security • Endbox configurations dynamically loaded from MAP server – based on user, role, etc. Provisioning Client © 2009 Infoblox Inc. All Rights Reserved. Use Case: Federated IF-MAP Servers for UK EDUROAM Service • Enables login at remote universities / research centers using home login credentials • Serves 1.9 million users across 850 locations • Enabled today using RADIUS Proxy • Service provider (JANET) maintains database of roaming activity Univ A OK! Bbaker, Roaming from University D JANET Radius Server Radius Server Univ C Univ B Radius Server Radius proxy Roaming Users Jsmith@univB.edu Bbaker@univD.edu Radius Server Univ D © 2009 Infoblox Inc. All Rights Reserved. IF-MAP Federation for Next Gen EDUROAM Service • Local RADIUS servers replaced by RADSEC servers RADSEC servers communicate directly – no need for proxy JANET no longer sees RADIUS transactions, no view of who is roaming • IF-MAP Federation provides a solution: -Local RADSEC servers publish user/location data to local MAP server -JANET’s central MAP server subscribes to changes on university MAP servers Univ B Univ A JANET RADSEC Jjames, Roaming from University B OK! IF-MAP Client RADSEC Local IF-MAP Server Jjames@ Jjames@ univB.edu univB.edu RADSEC RADSEC Local IF-MAP Server Univ C Central IF-MAP Server Local IF-MAP Server Univ D Federation Subscriptions © 2009 Infoblox Inc. All Rights Reserved. IF-MAP has Applications in Cloud Computing and IT Orchestration • Infrastructure 2.0 Working Group has been discussing the impact of virtualization & cloud computing on the network • Members include equipment vendors, cloud providers and end users • Infoblox, Cisco, Google, Microsoft, F5, Citrix, Bechtel, Boeing, NASA… • Developing an “inter-cloud registry service” based on IF-MAP • Ongoing project at Open Cloud Consortium in Chicago • Co-sponsored by Cisco CTO’s office and UCS group • More info at www.infra20.com © 2009 Infoblox Inc. All Rights Reserved. Inter-Cloud Registry Helps Cloud Providers and Users to Match Workload Needs with Cloud Assets member of member of assigned to Virtual Network Virtual Machine Cloud member of Virtual Machine MAC Address runs on assigned to IP Address assigned to MAC Address Virtual Machine member of Virtual Network assigned to assigned to MAC Address assigned to IP Address IP Address © 2009 Infoblox Inc. All Rights Reserved. The Vision: IF-MAP Supports Data Exchange Among Infoblox, and Other Vendors’ Products Visibility Applications Infoblox DDI IF-MAP Orchestration Provide DDI service Detect IPs Communicate / Take Action Core Services DNS / DHCP / IPAM Closed Loop Automation Infoblox NCCM Check Infrastructure Infrastructure Recognize change 25 © 2009 Infoblox Inc. All Rights Reserved. Resources © 2009 Infoblox Inc. All Rights Reserved. Infoblox NIOS Appliances Support IF-MAP Dynamically updates IF-MAP server when IPs are allocated, renewed, or released by NIOS DHCP server Other systems can subscribe to updates and take action in realtime (e.g. discovery, configuration, scanning, open/close ports, etc.) Unique to the Infoblox DHCP server (today) Infoblox NIOS Appliance DHCP Lease Information (IP, MAC, Start, Duration, etc.) IF-MAP Server © 2009 Infoblox Inc. All Rights Reserved. Infoblox Orchestration Server (IBOS): The World’s Most Powerful IF-MAP Server Fully compliant with TCG standard Proven interoperability with other IF-MAP compliant products Unique Infoblox capabilities – – – – – – Infoblox Orchestration Server IF-MAP 2.0 compliant Lossless HA Fine-grained client authorization Data browser, extensive logging IF-MAP Federation Custom Identifiers … Network Security Physical Security Network Location IF-MAP Client Systems © 2009 Infoblox Inc. All Rights Reserved. Resources – Documentation & Freeware 3 minute video on IF-MAP on Orchestration/IF-MAP Solutions page on infoblox.com www.if-map.org – IF-MAP community Web site – Includes links to open source IF-MAP servers and other resources www.juniper.com – www.trustedcomputinggroup.org – Information about Infranet Controller: us/en/products-services/security/uac/#overview Complete protocol specs, information on TPM, TNC, Trusted Storage and related topics Infoblox IF-MAP Starter Kit: Free for 90 days, $995 in the US for perpetual license, 18% annual support – VMware IF-MAP appliance – Client simulator – Open-source client stacks (PERL, java, C++) – Open-source SNMP-MAP Bridge © 2009 Infoblox Inc. All Rights Reserved.
