For Internal Use Only. Extreme Networks Confidential and Proprietary. Not to be distributed outside of Extreme Networks, Inc.
Identity Management
Piotr Szołkowski
Compelling Portfolio
A portfolio to address the breadth of Ethernet, all running the ExtremeXOS® Network Operating System.
[Portfolio diagram: product families laid out by segment (Metro, Core, Aggregation, Advanced Edge, Value Edge, Data Center) and by speed (10/100 Mb, 1 Gigabit, 10 Gigabit, 40 Gigabit)]
• Management: Ridgeline™, EPICenter®
• Wireless: Summit® WM
• Security: Sentriant®
• Port Extender: ReachNXT™
• Summit® fixed switches: X150, X250e, X350, X450a, X450e, X460, X480, X650; SummitStack™
• BlackDiamond® chassis: 8500, 8800, 8900, 10K/12K, 20K
Introducing …
Network-based Identity and Access
Management
Extending security monitoring and provisioning of users to
the network for greater control
Traditional IdAM
Identity and Access Management (IdAM) provisioning at the application (i.e. resource) level.
[Diagram: User Community (IP Manager: John; Finance: Bob; Sales: Alice) -> Network Infrastructure -> Protected Application / Data Center (intellectual property data, customer data, financial resource systems)]
Network-based IdAM
Identity and Access Management (IdAM) provisioning at the network and application level with Extreme Networks.
[Diagram: User Community (IP Manager: John; Finance: Bob; Sales: Alice) -> Protected Network Infrastructure -> Protected Application / Data Center (intellectual property data, customer data, financial resource systems)]
• Increased network availability: eliminate "noise" traffic and malicious activity within the infrastructure
• Network and data access provisioned based on roles and identity
• Audit network activity per user
Identity Manager
Identity Management Phase 1 – A Recap
In phase 1 (XOS 12.4.1), Identity Management primarily monitored users and devices across the network.
Users and devices are detected by various means:
• Identities derived from Netlogin, Kerberos and LLDP:
  • Netlogin 802.1X login ID
  • Netlogin web-based ID
  • Netlogin MAC-RADIUS
  • LLDP-based device identification (e.g. VoIP phone)
  • Kerberos snooping: analysing the Kerberos packet exchange during Windows Active Directory domain login
• Mappings such as IPv4 address <-> MAC <-> port are derived from the ARP, FDB and IP Address Security modules.
• Reporting: location tracking based on username/device name (EPICenter)
Identity Management Phase 1
[Topology diagram: server farm (LDAP, AD, CRM, ERP) and Extreme EPICenter behind firewalls and IPS, with Internet connectivity]
Identity Management Phase 2
Role-policy based user management
• Every identity learnt on the switch is assigned a role.
• The dynamic ACLs or policies configured for each role are applied to that identity on the port on which the identity is detected.
How is an identity put under a particular role?
• The administrator configures user roles and the criteria that place users under each role.
• An LDAP request querying the attributes of the identity is sent to the LDAP server.
• The identity is placed under the role whose criteria are met by the LDAP attributes received from the server.
• Besides the user-configured roles, Identity Manager supports two default roles – authenticated and unauthenticated. Identities that do not fall under any other role are put under one of these two roles.
LDAP Attributes supported in 12.5.1
User LDAP attributes that will be queried:
• Employee ID
• Title
• Email Address
• Department
• Company
• Locality
• State
• Country
LDAP configuration
LDAP servers can be added by hostname or by IP address.
Identity Manager can be configured to contact the server securely using SSL.
A username and password credential with read access to the Active Directory has to be configured so that information about the identities can be retrieved.
A base LDAP domain name under which the users are searched also needs to be configured.
Role Match Criteria
The match criteria for a role can be formulated using a combination of the LDAP attributes and the operators equals ('=='), not equals ('!=') and 'contains'.
Example:
1. create identity-management role "India-Engr" "country==India; AND department==Engineering;" add policy "ind-engr-policy"
2. create identity-management role "US-Marketing" "country==USA; AND department contains Market;" add policy "USMarketPol"
3. create identity-management role "Intl-Marketing" "country!=USA; AND department contains Market;" add policy "IntlMarketPol"
Role Priority
• Each role can be assigned a priority value. The default value is 255.
• Identities are matched against each role based on priority.
• If an identity satisfies the match criteria of two or more roles, the identity is placed in the role with the lower priority value.
• For example, if an identity matches both role1 with priority 100 and role2 with priority 200, the identity will be placed in role1.
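The role selection described on the Role Match Criteria and Role Priority slides, as an added example (not Extreme Networks code): it parses the slide's criteria syntax with the operators ==, != and contains, applies the default priority of 255 and the lower-value-wins rule, and falls back to the authenticated/unauthenticated default roles. The Role class, the parser, the tie-break on equal priority (first configured role wins), the "Managers" role and the sample identities are constructed for illustration.

```python
"""Role selection with match criteria and priority, as on the Role Match
Criteria and Role Priority slides.

Added example, not Extreme Networks code.  Taken from the slides: the criteria
syntax ("country==USA; AND department contains Market;"), the operators ==,
!= and contains, the default priority 255, the lower-value-wins rule and the
fallback roles "authenticated" / "unauthenticated".  Constructed for
illustration: the Role class, the parser, the tie-break on equal priority
(first configured role wins), the "Managers" role and the sample identities.
"""
import re
from dataclasses import dataclass, field

# attribute, operator, value; the value may contain spaces ("Systems Engineer")
CLAUSE_RE = re.compile(r"^(\w+)\s*(==|!=|contains)\s*(.+?)$")


@dataclass
class Role:
    name: str
    criteria: str                       # "" matches every identity
    policies: list = field(default_factory=list)
    priority: int = 255                 # slide: default priority value is 255

    def clauses(self):
        """Split 'a==x; AND b contains y;' into (attribute, operator, value) triples."""
        triples = []
        for part in self.criteria.split(";"):
            part = part.strip()
            if part.upper().startswith("AND "):
                part = part[4:].strip()
            if not part:
                continue
            m = CLAUSE_RE.match(part)
            if m is None:
                raise ValueError(f"role {self.name!r}: cannot parse clause {part!r}")
            triples.append(m.groups())
        return triples

    def matches(self, attrs):
        """True when every clause holds for the LDAP attributes of an identity.

        An attribute the LDAP server did not return satisfies no clause, not
        even '!=': an identity with missing data must not slip into a role
        such as 'country!=USA' by accident (design choice of this example)."""
        for attr, op, value in self.clauses():
            actual = attrs.get(attr)
            if actual is None:
                return False
            if op == "==" and actual != value:
                return False
            if op == "!=" and actual == value:
                return False
            if op == "contains" and value not in actual:
                return False
        return True


def assign_role(attrs, roles, authenticated):
    """Return the matching role with the lowest priority value, or one of the
    two default roles when no configured role matches."""
    matched = [r for r in roles if r.matches(attrs)]
    if matched:
        return min(matched, key=lambda r: r.priority)   # first configured role wins ties
    return Role("authenticated" if authenticated else "unauthenticated", "")


# Roles from the slide's CLI examples plus one higher-priority role (constructed)
ROLES = [
    Role("India-Engr", "country==India; AND department==Engineering;", ["ind-engr-policy"]),
    Role("US-Marketing", "country==USA; AND department contains Market;", ["USMarketPol"]),
    Role("Intl-Marketing", "country!=USA; AND department contains Market;", ["IntlMarketPol"]),
    Role("Managers", "title contains Manager;", ["mgr-policy"], priority=100),
]

# Constructed sample identities: LDAP attributes as the switch would receive them
SAMPLE_IDENTITIES = {
    "alice": {"country": "USA", "department": "Marketing", "title": "Marketing Manager"},
    "bob":   {"country": "India", "department": "Engineering", "title": "Engineer"},
    "carol": {"country": "Germany", "department": "Market Research", "title": "Analyst"},
    "dave":  {"country": "USA", "department": "Finance", "title": "Clerk"},
}


def classify(identities=SAMPLE_IDENTITIES, roles=ROLES):
    """Map each user name to the name of the role it lands in."""
    return {user: assign_role(attrs, roles, authenticated=True).name
            for user, attrs in identities.items()}


if __name__ == "__main__":
    for user, role in classify().items():
        print(f"{user:6} -> {role}")
```

Alice matches both US-Marketing (priority 255) and Managers (priority 100) and lands in Managers, exactly the role1/role2 case on the slide; Dave matches no configured role and falls back to the authenticated default. The missing-attribute rule in `matches` is the caveat worth keeping in mind when writing `!=` criteria: a directory entry with no country value should not be treated as "not USA".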
Role-Policy based User Management
Each role can be assigned a set of policies that will be applied to all identities mapped to that role.
A role can be assigned both dynamic ACLs and policies.
The identity's source IP address is used for applying the dynamic ACLs and policies.
When a dynamic ACL/policy is added to a role, it is immediately installed for all identities mapped to that role.
Effective configuration of the dynamic ACLs and policies ensures that intruders are stopped at the port of entry on the edge switch itself, thereby reducing noise in the network.
Role-Policy based User Management
[Diagram: attributes collected from each information source are correlated and associated into an identity, which is mapped to roles and their role-based policies]
Information source | Attributes collected
Netlogin | Account name; Client MAC address; Logon/logoff time
LLDP | Device type; Device capability
IP ARP bindings | Client IP address
Kerberos snooping | Domain membership; Account name; NetBIOS host name
LDAP (Microsoft Windows Active Directory) | City; Company; Country; Department; Employee-ID; State; Title; Email-ID
Security | DoS violation; ARP violation; Source IP lockdown
Co-relation & association: identity -> Roles -> Policies
Hierarchy of roles
[Role tree diagram; the roles and their match criteria as labelled (the parent/child links of the diagram are not recoverable from the extracted text):]
• Employees (Company = PRIMECORP)
• Contractors (Company = PRIMECONTRACT)
• Guests (Company != PRIMECORP)
• Sales (Department = Sales)
• Operations (Department = Operations)
• Website (Department = Marketing)
• CRM Apps (Department = IT)
• Managers (Title contains Manager)
• OpsUSA (Country = USA)
• Engineers (Title = Systems Engineer)
• Partners (Company = Prime Research LLC)
• Visitors
Switch programming
• Script execution:
  • Manually via CLI – load script <file name> {arg1} {arg2} ...
  • Automatically at a given date and time – one time
  • Automatically after a given time – one time
  • Automatically from a given date and time, every defined interval – many times
  • Automatically based on events:
    • Device-Detect
    • Device-Undetect
    • User-Authenticate
    • User-Unauthenticate
    • Identity-Detect
    • Identity-Undetect
    • Identity-Role-Associate
    • Identity-Role-Disassociate
  • Automatically based on ACL counters – CLEAR-Flow
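The Role-Policy based User Management slide states that a role's policies are installed for every identity mapped to it, keyed by the identity's source IP, and that a policy added to a role is installed immediately; the Switch programming slide lists the identity events a script can react to. The following added example (not Extreme Networks code) ties the two together in a small event-driven policy table: the event dictionaries, port and IP values, policy names and the in-memory table standing in for the switch's hardware ACL entries are all constructed for illustration.

```python
"""Event-driven installation of role policies keyed by the identity's source IP.

Added example, not Extreme Networks code.  From the slides: a role's dynamic
ACLs/policies are applied to every identity mapped to it, keyed by the
identity's source IP address; a policy added to a role is installed
immediately for all identities already in that role; and scripts can run on
the events Identity-Role-Associate, Identity-Role-Disassociate and
Identity-Undetect.  Constructed here: the event dictionaries, the port and
IP values, the policy names, and the in-memory table that stands in for the
switch's hardware ACL entries.
"""
from collections import defaultdict

# Events from the Switch programming slide that change nothing in the policy
# table are accepted and ignored rather than rejected.
PASSIVE_EVENTS = {"Device-Detect", "Device-Undetect", "User-Authenticate",
                  "User-Unauthenticate", "Identity-Detect"}


class RolePolicyTable:
    def __init__(self):
        self.role_policies = defaultdict(set)   # role -> policy names
        self.identity_role = {}                 # (port, src_ip) -> role
        self.installed = {}                     # (port, src_ip) -> installed policy names

    def add_policy(self, role, policy):
        """Attach a policy to a role and push it at once to every identity in
        that role (slide: 'immediately installed for all identities')."""
        self.role_policies[role].add(policy)
        for key, bound_role in self.identity_role.items():
            if bound_role == role:
                self.installed[key].add(policy)

    def handle_event(self, event):
        kind = event["event"]
        key = (event["port"], event["src_ip"])
        if kind == "Identity-Role-Associate":
            self.identity_role[key] = event["role"]
            self.installed[key] = set(self.role_policies[event["role"]])
        elif kind in ("Identity-Role-Disassociate", "Identity-Undetect"):
            # The entries are keyed by source IP, so they are torn down as soon
            # as the identity leaves; otherwise the next host that reuses the
            # address would inherit the previous user's access.
            self.identity_role.pop(key, None)
            self.installed.pop(key, None)
        elif kind not in PASSIVE_EVENTS:
            raise ValueError(f"unknown event {kind!r}")

    def policies_for(self, port, src_ip):
        """Installed policy names for one identity, sorted for stable comparison."""
        return sorted(self.installed.get((port, src_ip), ()))

    def orphaned_entries(self):
        """Audit check: installed entries whose identity is no longer bound to a role."""
        return sorted(k for k in self.installed if k not in self.identity_role)


# Constructed event stream as a script triggered by the switch might see it
SAMPLE_EVENTS = [
    {"event": "Identity-Detect", "port": "1:5", "src_ip": "10.1.20.17"},
    {"event": "Identity-Role-Associate", "port": "1:5", "src_ip": "10.1.20.17", "role": "US-Marketing"},
    {"event": "Identity-Role-Associate", "port": "1:6", "src_ip": "10.1.20.18", "role": "Managers"},
    {"event": "Identity-Undetect", "port": "1:6", "src_ip": "10.1.20.18"},
]


def run_demo():
    table = RolePolicyTable()
    table.add_policy("US-Marketing", "USMarketPol")
    for ev in SAMPLE_EVENTS[:3]:
        table.handle_event(ev)
    # A policy added after the identities are mapped is installed straight away
    table.add_policy("US-Marketing", "deny-finance-subnet")
    table.add_policy("Managers", "mgr-policy")
    table.handle_event(SAMPLE_EVENTS[3])       # manager logs off: entries removed
    return table


if __name__ == "__main__":
    t = run_demo()
    print("1:5 / 10.1.20.17:", t.policies_for("1:5", "10.1.20.17"))
    print("1:6 / 10.1.20.18:", t.policies_for("1:6", "10.1.20.18"))
    print("orphaned:", t.orphaned_entries())
```

Because the entries are keyed by source IP, the teardown on Identity-Undetect and the `orphaned_entries` audit are the parts worth carrying into a real deployment: a stale entry would grant the old user's access to whatever host next picks up the address, which is also why the slides list Source IP lockdown among the security sources that feed the identity.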
PLNOG 6: Piotr Szołkowski - Identity Management
