PLNOG 6: Piotr Szołkowski - Identity Management
1. For Internal Use Only. Extreme Networks Confidential and Proprietary. Not to be distributed outside of Extreme Networks, Inc.
Identity Management
Piotr Szołkowski
2. Compelling Portfolio
A portfolio to address the breadth of Ethernet, from the value edge through the advanced edge, aggregation and metro core to the data center, at speeds from 10/100 Mb to 1, 10 and 40 Gigabit Ethernet.
ExtremeXOS® Network Operating System
Management: Ridgeline™, EPICenter®
Wireless: Summit® WM
Security: Sentriant®
Port Extender: ReachNXT™
Fixed switches: Summit X150, X350, X250e, X450e, X450a, X460, X480, X650; SummitStack™
Chassis switches: BlackDiamond® 8500, 8800, 8900; BlackDiamond 10K/12K; BlackDiamond 20K
3. Introducing Network-based Identity and Access Management
Extending security monitoring and provisioning of users to the network for greater control
4. Traditional IdAM
Identity and Access Management (IdAM) provisioning at the application (i.e. resource) level.
Figure: User Community (IP Manager: John; Finance: Bob; Sales: Alice) -> Network Infrastructure -> Protected Application / Data Center (intellectual property data, customer data, financial resource systems). Only the application / data center tier is protected; the network in between carries everyone's traffic unconditionally.
5. Network-based IdAM
Identity and Access Management (IdAM) provisioning at the network and application level with Extreme Networks.
Figure: User Community (IP Manager: John; Finance: Bob; Sales: Alice) -> Protected Network Infrastructure -> Protected Application / Data Center (intellectual property data, customer data, financial resource systems).
• Network and data access provisioned based on roles and identity
• Audit network activity per user
• Increased network availability: eliminate "noise" traffic and malicious activity within the infrastructure
6. Identity Manager
7. Identity Management Phase 1 – A Recap
In phase 1 (ExtremeXOS 12.4.1), Identity Management primarily monitored users and devices across the network.
Users and devices are detected by various means:
• Identities derived from Netlogin, Kerberos and LLDP:
  • Netlogin 802.1X login ID
  • Netlogin web-based login ID
  • Netlogin MAC-based authentication (against RADIUS)
  • LLDP-based device identification (e.g. VoIP phone)
  • Kerberos snooping: the identity is learned by analysing the Kerberos packet exchange during a Windows Active Directory domain login. Note that a snooped identity is observed, not authenticated by the switch: it records that a domain logon for that user was seen from that MAC address and port.
• Mappings such as IPv4 address <-> MAC <-> port are derived from the ARP, FDB and IP Address Security modules.
Reporting: location tracking based on username / device name (EPICenter)
8. Identity Management Phase 1
Figure: deployment diagram with a server farm (LDAP, AD, CRM, ERP), the Internet behind firewall and IPS pairs, Extreme switches and EPICenter collecting the identity information.
9. Identity Management Phase 2
Role-policy based user management
• Every identity learned on the switch is assigned a role.
• The dynamic ACLs or policies configured for that role are applied to the identity on the port on which the identity is detected.
How is an identity put under a particular role?
• The administrator configures user roles and the criteria that place users under each role.
• An LDAP request querying the attributes of the identity is sent to the LDAP server.
• The identity is placed in the role whose criteria are met by the LDAP attributes returned by the server.
• Besides the user-configured roles, Identity Manager supports two default roles, authenticated and unauthenticated. Identities that do not fall under any other role are put in one of these two.
10. LDAP Attributes supported in 12.5.1
List of user LDAP attributes that will be queried:
• Employee ID
• Title
• Email Address
• Department
• Company
• Locality
• State
• Country
11. LDAP configuration
LDAP servers can be added by hostname or IP address.
Identity Manager can be configured to contact the server securely using SSL. Without it, the bind credential and the returned user attributes cross the network in the clear (a plain LDAP simple bind), so enable SSL wherever the server supports it.
A username and password with read access to the Active Directory must be configured so that information about the identities can be retrieved. Since Identity Manager only queries attributes, a dedicated read-only account is sufficient.
A base LDAP domain name (the search base under which users are looked up) must also be configured.
12. Role Match Criteria
The match criteria for a role are formulated from a combination of the LDAP attributes and the operators equals ("=="), not equals ("!=") and "contains", joined with AND.
Example:
1. create identity-management role "India-Engr" "country==India; AND department==Engineering;" add policy "ind-engr-policy"
2. create identity-management role "US-Marketing" "country==USA; AND department contains Market" add policy "USMarketPol"
3. create identity-management role "Intl-Marketing" "country!=USA; AND department contains Market" add policy "IntlMarketPol"
13. Role Priority
• Each role can be assigned a priority value. The default value is 255.
• Identities are matched against the roles in priority order.
• If an identity satisfies the match criteria of two or more roles, it is placed in the role with the lower priority value (a lower number means higher precedence).
• For example, if an identity matches both role1 with priority 100 and role2 with priority 200, the identity is placed in role1.
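The rules on slides 9, 12 and 13 (criteria evaluation, default roles, lowest-priority-value-wins) and the source-IP binding on slide 14 are small enough to model end to end. The following is an added Python example written for this page, not ExtremeXOS code or an Extreme Networks tool. It assumes the criteria grammar as shown on slide 12 (clauses joined by "; AND", operators ==, != and contains), case-sensitive comparison, that an attribute the LDAP server did not return fails every clause, and that ties between equal priorities go to the role configured first; the priorities, the "Managers" role and all identities below are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed model of an Identity Manager role (not the ExtremeXOS data structure):
# the match criteria string as typed on the CLI, a priority (default 255, lower
# value wins, slide 13) and the policy / dynamic ACL names attached to the role.
@dataclass
class Role:
    name: str
    criteria: str
    priority: int = 255
    policies: List[str] = field(default_factory=list)

# Default roles from slide 9; they have no match criteria of their own.
AUTHENTICATED = Role("authenticated", "")
UNAUTHENTICATED = Role("unauthenticated", "")

_EQ_RE = re.compile(r"^(\w+)\s*(==|!=)\s*(.+)$")
_CONTAINS_RE = re.compile(r"^(\w+)\s+contains\s+(.+)$")


def parse_criteria(text: str) -> List[Tuple[str, str, str]]:
    """Turn 'country==USA; AND department contains Market;' into
    [('country', '==', 'USA'), ('department', 'contains', 'Market')].
    Grammar assumed from slide 12: clauses joined by '; AND', optional
    trailing ';', operators ==, != and contains."""
    clauses = []
    for raw in re.split(r";\s*AND\s+", text.strip()):
        raw = raw.strip().rstrip(";").strip()
        if not raw:
            continue
        m = _EQ_RE.match(raw)
        if m:
            attr, op, value = m.groups()
        else:
            m = _CONTAINS_RE.match(raw)
            if not m:
                raise ValueError(f"unparseable clause: {raw!r}")
            attr, value = m.groups()
            op = "contains"
        clauses.append((attr.lower(), op, value.strip().strip('"')))
    return clauses


def clause_matches(attrs: Dict[str, str], attr: str, op: str, value: str) -> bool:
    """Evaluate one clause against the attributes returned by LDAP.
    Assumption: comparisons are case-sensitive, and an attribute the server
    did not return fails every clause (even !=), so such identities fall
    through to a default role instead of into an unintended one."""
    actual = attrs.get(attr)
    if actual is None:
        return False
    if op == "==":
        return actual == value
    if op == "!=":
        return actual != value
    return value in actual  # contains


def assign_role(attrs: Dict[str, str], roles: List[Role], authenticated: bool = True) -> Role:
    """Slide 13: of all roles whose criteria the identity satisfies, pick the one
    with the lowest priority value; with no match, use a default role (slide 9).
    Assumption: equal priorities are resolved in configuration order."""
    matched = [r for r in roles
               if r.criteria and all(clause_matches(attrs, *c) for c in parse_criteria(r.criteria))]
    if matched:
        return min(matched, key=lambda r: r.priority)
    return AUTHENTICATED if authenticated else UNAUTHENTICATED


def effective_policies(identity: Dict, roles: List[Role]) -> Tuple[str, str, List[str]]:
    """Slide 14: the role's dynamic ACLs / policies are installed keyed on the
    identity's source IP address. Returns (source IP, role name, policies)."""
    role = assign_role(identity["ldap"], roles, identity.get("authenticated", True))
    return identity["ip"], role.name, list(role.policies)


# Roles from slide 12 plus a constructed higher-precedence "Managers" role to
# exercise the priority rule. Policy names are the slide's; priorities are assumed.
ROLES = [
    Role("India-Engr", "country==India; AND department==Engineering;", 200, ["ind-engr-policy"]),
    Role("US-Marketing", "country==USA; AND department contains Market", 255, ["USMarketPol"]),
    Role("Intl-Marketing", "country!=USA; AND department contains Market", 255, ["IntlMarketPol"]),
    Role("Managers", "title contains Manager", 100, ["mgr-policy"]),
]

# Constructed identities: the LDAP attributes Identity Manager would receive.
IDENTITIES = [
    {"name": "alice", "ip": "10.1.1.10", "ldap": {"country": "USA", "department": "Marketing"}},
    {"name": "raj", "ip": "10.1.1.11", "ldap": {"country": "India", "department": "Engineering", "title": "Engineer"}},
    {"name": "pierre", "ip": "10.1.1.12", "ldap": {"country": "France", "department": "Marketing"}},
    {"name": "john", "ip": "10.1.1.13", "ldap": {"country": "India", "department": "Engineering", "title": "Engineering Manager"}},
    {"name": "bob", "ip": "10.1.1.14", "ldap": {"country": "USA", "department": "Finance"}},
    {"name": "guest", "ip": "10.1.1.15", "ldap": {}, "authenticated": False},
]


def classify_all(identities=IDENTITIES, roles=ROLES) -> Dict[str, Tuple[str, str, List[str]]]:
    """Map each identity name to (source IP, role, policies to install)."""
    return {i["name"]: effective_policies(i, roles) for i in identities}


if __name__ == "__main__":
    for name, (ip, role, pols) in classify_all().items():
        print(f"{name:7s} {ip:12s} -> {role:16s} {pols}")
```

John matches both India-Engr (200) and Managers (100) and lands in Managers, Bob matches nothing and falls to the authenticated default with no role policies, and the unauthenticated guest with no LDAP attributes gets the unauthenticated default. The fail-closed handling of missing attributes is the check worth copying: a "Guests" style role keyed on "Company != X" should not swallow identities for which the LDAP lookup returned nothing.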
14. Role-Policy based User Management
Each role can be assigned a set of policies that is applied to all identities mapped to that role.
A role can be assigned both dynamic ACLs and policies.
The identity's source IP address is used to apply the dynamic ACLs and policies, so enforcement depends on the IP <-> MAC <-> port bindings learned from ARP, FDB and IP Address Security.
When a dynamic ACL or policy is added to a role, it is immediately installed for all identities mapped to that role.
Effective configuration of the dynamic ACLs and policies ensures that intruders are stopped at the port of entry on the edge switch itself, thereby reducing noise in the network.
15. Role-Policy based User Management
16. Role-Policy based User Management
Information sources and the attributes collected from each; the attributes are co-related and associated into an identity, the identity is mapped to a role, and the role's policies are applied:
Netlogin: account name, client MAC address, logon/logoff time
LLDP: device type, device capability
IP ARP bindings: client IP address
Kerberos snooping: domain membership, account name, NetBIOS host name
LDAP (Microsoft Windows Active Directory): city, company, country, department, Employee-ID, state, title, Email-ID
Security: DoS violation, ARP violation, source IP lockdown
Information sources -> attributes collected -> co-relation & association (identity) -> roles -> role-based policies
17. Hierarchy of roles
Employees (Company = PRIMECORP)
  Sales (Department = Sales)
  Operations (Department = Operations)
    OpsUSA (Country = USA)
  Managers (Title contains Manager)
  Engineers (Title = Systems Engineer)
Contractors (Company = PRIMECONTRACT)
  Website (Department = Marketing)
  CRM Apps (Department = IT)
Guests (Company != PRIMECORP)
  Partners (Company = Prime Research LLC)
  Visitors
18. Switch programming
• Script execution
  • Manually via CLI – load script <file name> {arg1} {arg2} ....
  • Automatically at a given date and time – one time
  • Automatically after a given delay – one time
  • Automatically from a given date and time, at every defined interval – many times
  • Automatically based on events (Universal Port profiles):
    • Device Detect
    • Device Undetect
    • User-Authenticate
    • User-Unauthenticate
    • Identity-Detect
    • Identity-Undetect
    • Identity-Role-Associate
    • Identity-Role-Disassociate
  • Automatically based on ACL counters – CLEAR-Flow