IF-MAP Overview - TT · IF-MAP Overview Jan Ursi ... CMDB SIEM Asset Mgmt IPAM Infrastructure...

© 2009 Infoblox Inc. All Rights Reserved.

IF-MAP Overview

Jan Ursi Technical Director EMEA


IF-MAP: A Powerful New Standard

  IF-MAP = Interface to Metadata Access Points

  An open protocol standard published (free) by the Trusted Computing Group –  Available since April, 2008 –  Version 2.0 released August, 2010

  Pub/sub database - Like Facebook for IP devices and systems

  Supports a wide array of applications: –  Multi-Vendor Network Security (NAC) –  Compliance Management –  Asset Management –  Smart Grid –  Network Automation / Cloud Computing

Could do for data sharing what IP did for connectivity


•  Complex

•  Costly

•  Brittle

•  High Maintenance

Applications

Management

Supply Chain Mgmt

Smart Grid CRM

HR

ERP

CMDB

SIEM

Asset Mgmt

IPAM Infrastructure

Network Security

DNS, DHCP

AAA Switches Routers

Building Controls

Factory Controls Network

Location

The Integration Challenge

SNMP, Syslog, Netflow

Custom Integration – API’s, Scripts


IF-MAP Server

Applications

Management

Supply Chain Mgmt

Smart Grid CRM

HR

ERP

CMDB

SIEM

Asset Mgmt

IPAM Infrastructure

Network Security

DNS, DHCP

AAA Switches Routers

Building Controls

Factory Controls Network

Location

IF-MAP Protocol

(Publish, Subscribe,

Search)

From Integration to Orchestration with IF-MAP

Automatically aggregates, correlates, and distributes data to and from different systems, in real time


Today, Systems Share the IP Network, But Don’t Share Data

Decisions (Control)

Sensors & Actuators

… Network Security

Physical Security

Provisioning, Visualization &

Analytics (Management)

Network Location


IF-MAP Doesn’t Replace Existing Systems & Applications – It Enables Them to Easily Share Data

Decisions (Control)

Sensors & Actuators


Physical Security



IF-MAP Server

Network Location


Many New Applications are Emerging – Just the Tip of the Iceberg…

Decisions (Control)

Sensors & Actuators


Physical Security

Asset Management



MAP Database

Cyber/Physical (CyPhy)

Convergence

 Don’t allow users to connect to the network if they haven’t badged into the building

Cloud Computing

 Federate authentication and authorization status

across private & public clouds

 Don’t allow a wireless device to

connect if its located outside of

the building

 Move computing workloads to the

cloud when prices drop

 Track the location and status of all IT assets (IPs, MACs, devices, hardware, VMs, apps,

users, etc.) in real time

 Allocate assets on the fly, dynamically re-

provision data centers

IT Automation


Vendor Support for IF-MAP is Growing

Vendor Product/Function IF-MAP Client

IF-MAP Server Avail

Byre Security SCADA Security X Now Great Bay Endpoint Discovery X Now Hirsch Electronics Physical Access Control X Now Infoblox DHCP Server (NIOS) X Now Infoblox Orchestration Server (IBOS) X Now Juniper Infranet Controller (Policy Server) X X Now Logisense Registration Portal, Billing System X Now Lumeta Network Discovery & Leak Detection X Now Mikado NAC Solution X H1-11 NCP VPN Client X H1-11 Open Source IF-MAP Client Stack (PERL) X Now Open Source IF-MAP Client Stack (C++) X Q1-11 Open Source IF-MAP Server (Omapd, Irond) X Now Open Source SNMP/IF-MAP Bridge X Now Q1 Labs SIEM X Q1-11


Some Infoblox IF-MAP Projects

  Large Aircraft Manufacturer (In Production) –  Security for factory control (SCADA) traffic over wireless factory network –  Firewall configurations loaded dynamically from IF-MAP server –  Uses firewall/VPN gateways from Byres Security (Tofino)

  Software Development Company (In Production) –  Network access control without software agents on endpoints –  Uses Infoblox DHCP server, Juniper UAC, Juniper firewalls

  Las Vegas Hotel and Casino (In Production) –  Differentiated IP services for every room (3000 Juniper firewalls) –  Uses Infoblox DHCP, Juniper UAC and firewalls (3000), Logisense registration/billing portal

  Global Bank (Starting Rollout) –  Dynamic, secure desktops – deploying to 8000 users –  Uses QIP DHCP, Juniper UAC and firewalls

  JANET - National ISP for Higher Education in UK (Pilot) –  Federation of authentication data for EDUROAM service –  Uses IF-MAP federation

  Real-Time CMDB (Pilot) –  Real-time discovery of devices joining the network –  Uses Infoblox DHCP, IF-MAP client and OneCMDB (Open Source CMDB)


IF-MAP Protocol Overview


Unique Characteristics Cited by IF-MAP Supporters

1.  Open, standard protocol

2.  Lightweight, easy to implement

3.  No global schema – supports emergent structures

4.  Pub/sub paradigm


IF-MAP Components

IF-MAP Server IF-MAP Client(s)

3 MAP Client Operations: Publish Subscribe Search

User Name = John Doe

Department = Sales

distinguished-name =

C=US, O=myco, OU=people, CN=12534

employee-attribute = active

role = access-finance-server-

allowed

failed-login-attempts = 3, login-status =

allowed

3 MAP Server Objects: Identifiers Links Metadata


  Publish:

–  Clients store metadata into MAP for others to see   Example: Authentication server publishes when a user logs in (or out)

  Search:

–  Clients retrieve published metadata associated with a particular identifier and linked identifiers   Example: An application can request the current physical location of the user

  Subscribe:

–  Clients request asynchronous results for searches that match when others publish new metadata   Example: Tell me when any user’s status goes from “employee” to

“terminated”

Tell others that…<metadata…>

Tell me when…match(metadata pattern)

Tell me if…match(metadata pattern)

IF-MAP Access Operations


IF-MAP Server Objects

Identifiers All objects are represented by unique identifiers

Links Connote relationships between pairs of identifiers

Metadata Attributes attached to Identifiers or Links

Typical Data Types: –  Identifiers: Identity, IP address, MAC address, Session ID, Device –  Metadata:

–  AAA info (authenticated, role, capabilities/policies) – Device info (AV running, OS level, screen size, etc.) –  Event info (unauthorized access attempt, etc.), –  Layer 2 info (port, VLAN), location, etc. – Many others, plus user-defined


Basic Components of MAP Content

Identifiers

Metadata Link


IF-MAP Use cases


Use Case – Solution for Policy-Based Remote Access

Cisco 3750 Switch Infobox HA Pair

DHCP/DNS Appliance

Juniper IC 4000 UAC

User= John Windows 802.1X Client

00:11:22:33:44:55

Private Applications

AAA

Juniper SSG Firewall

Infobox HA Pair MAP Server

identity =

John

Access-request = 113:3

MAP Database

Authenticated-as

Capability = access-private-

applications

MAC = 00:11:22:33:44:55

IP= 192.0.2.7

IP-MAC

1- Endpoint plugs-in 2- SW sends EAP Start 3- Supplicant sends credentials

4- SW sends RADIUS Credential to UAC

5- UAC does Auth. Lookup

8- UAC sends RADIUS accept to SW

9- SW opens port

10- Endpoint requests DHCP

12-MAP sends IP-MAC to UAC

13- UAC activates L3 access on FW.

14- Endpoint generates traffic

192.0.2.7

Access-request-

mac

6- UAC publishes To MAP

7- UAC subscribes to MAP

11-DHCP sends MAC-IP metadata to MAP

IF-MAP

CHANGE? CHANGE!


11- UAC updates firewall policy to block access 12- UAC publishes the update to the MAP 1- Employee (John) enters zone 1 2- Hirsch system publishes to the MAP server 3- Employee requests for access to the network 4- UAC publishes to the MAP server 5- UAC Subscribes to the MAP server 6- UAC grants access to the corporate network 7- Employee connects to the classified network 8- Employee leaves Zone 1, while still logged in

Subscription Update: John in Zone 2

9- Card reader publishes the update to the MAP 10- MAP updates UAC about the location change

Use Case – Integrated Network / Physical Security Solution

Juniper IC 4000 UAC Appliance

Infoblox MAP Server

Hirsch System (Physical Sensor)

Publish: John in Zone 1

Publish: John is Authenticated; Session ID 113:3 Subscribe: Changes to Session 113:3

identity = John

location = Zone 1

Access-request =

113:3

Secure Zone 1

Classified Network

Juniper SSG Firewall

Cisco 3750 Switch

Publish: John in Zone 2

location = Zone 2

Publish (delete): John is Authenticated

Access Request

Grants Access Request

Zone 2 MAP Database

authenticated

Policy Violation: Access Cut Off

CHANGE? CHANGE!


Use Case: Real-Time CMDB

MA

P D

atab

ase

IP= 10.0.1.57

IP= 10.0.1.17

MAC = 00:11:11:33:44:55

IP-MAC

CMDB

DiscoveryEngine

TopologyBuilder

DISCOVERYSENSORS/AGENTS

IP= 10.0.1.55

MAC = 00:11:22:33:44:55

IP-MAC

MAC = 00:11:AA:33:44:55

IP-MAC

MAPClient

MANAGEDNETWORK

Infoblox MAP Server

Infoblox DHCP Server

CMDB SERVER

Invoke Discovery

Dis

cove

ry R

esul

ts

Update CMDB

Publish

10.0.1.57


• IP-based industrial control traffic shares the general IT network in the factory • “Endboxes” provide VPN/firewall security • Endbox configurations dynamically loaded from MAP server – based on user, role, etc.

Use Case: SCADA Security

Provisioning Client


• Enables login at remote universities / research centers using home login credentials

• Serves 1.9 million users across 850 locations

• Enabled today using RADIUS Proxy

• Service provider (JANET) maintains database of roaming activity

Univ A

Univ B

Univ D

Univ C

Radius Server

Radius Server

Radius Server

Radius Server

Radius proxy

OK!

JANET

Use Case: Federated IF-MAP Servers for UK EDUROAM Service

Roaming Users

[email protected]

Bbaker, Roaming from University D

[email protected]


Univ A

Univ B

Univ D

Univ C

RADSEC Jjames, Roaming from University B

• Local RADIUS servers replaced by RADSEC servers  RADSEC servers communicate directly – no need for proxy  JANET no longer sees RADIUS transactions, no view of who is roaming

• IF-MAP Federation provides a solution: -Local RADSEC servers publish user/location data to local MAP server -JANET’s central MAP server subscribes to changes on university MAP servers

JANET

RADSEC RADSEC

RADSEC

IF-MAP Federation for Next Gen EDUROAM Service

[email protected]

Local IF-MAP Server

Local IF-MAP Server

Local IF-MAP Server

Central IF-MAP Server

IF-MAP Client

Federation Subscriptions

OK! [email protected]


IF-MAP has Applications in Cloud Computing and IT Orchestration

• Infrastructure 2.0 Working Group has been discussing the impact of virtualization & cloud computing on the network

• Members include equipment vendors, cloud providers and end users • Infoblox, Cisco, Google, Microsoft, F5, Citrix, Bechtel, Boeing, NASA…

• Developing an “inter-cloud registry service” based on IF-MAP • Ongoing project at Open Cloud Consortium in Chicago • Co-sponsored by Cisco CTO’s office and UCS group

• More info at www.infra20.com


IP Address

assigned to

Inter-Cloud Registry Helps Cloud Providers and Users to Match Workload Needs with Cloud Assets

MAC Address

IP Address

MAC Address

IP Address

Virtual Machine

Virtual Machine

Virtual Machine

Virtual Network

MAC Address

Virtual Network

Cloud member of member of

member of member of

assigned to

assigned to assigned to

assigned to

assigned to

runs on


The Vision: IF-MAP Supports Data Exchange Among Infoblox, and Other Vendors’ Products

Infrastructure

Core Services DNS / DHCP / IPAM

Infoblox DDI

Infoblox NCCM

Closed Loop Automation

Visibility Applications

Check Infrastructure

Provide DDI service

Recognize change

Detect IPs

Communicate / Take Action

25

IF-MAP Orchestration


Resources


Infoblox NIOS Appliances Support IF-MAP

  Dynamically updates IF-MAP server when IPs are allocated, renewed, or released by NIOS DHCP server

  Other systems can subscribe to updates and take action in real-time (e.g. discovery, configuration, scanning, open/close ports, etc.)

  Unique to the Infoblox DHCP server (today)

IF-MAP Server

Infoblox NIOS Appliance

DHCP Lease Information

(IP, MAC, Start, Duration, etc.)


Infoblox Orchestration Server (IBOS): The World’s Most Powerful IF-MAP Server

  Fully compliant with TCG standard

  Proven interoperability with other IF-MAP compliant products

  Unique Infoblox capabilities –  IF-MAP 2.0 compliant –  Lossless HA –  Fine-grained client authorization –  Data browser, extensive logging –  IF-MAP Federation –  Custom Identifiers

IF-MAP Client Systems

Infoblox Orchestration

Server

Network Security Physical Security Network Location

…


Resources – Documentation & Freeware

  3 minute video on IF-MAP on Orchestration/IF-MAP Solutions page on infoblox.com

  www.if-map.org –  IF-MAP community Web site –  Includes links to open source IF-MAP servers and other resources

  www.juniper.com –  Information about Infranet Controller: us/en/products-services/security/uac/#overview

  www.trustedcomputinggroup.org –  Complete protocol specs, information on TPM, TNC, Trusted Storage and related topics

  Infoblox IF-MAP Starter Kit:   Free for 90 days, $995 in the US for perpetual license, 18% annual support

–  VMware IF-MAP appliance –  Client simulator –  Open-source client stacks (PERL, java, C++) –  Open-source SNMP-MAP Bridge

IF-MAP Overview - TT · IF-MAP Overview Jan Ursi ... CMDB SIEM Asset Mgmt IPAM Infrastructure...

Documents

Transcript of IF-MAP Overview - TT · IF-MAP Overview Jan Ursi ... CMDB SIEM Asset Mgmt IPAM Infrastructure...