IF-MAP Overview - TT · IF-MAP Overview Jan Ursi ... CMDB SIEM Asset Mgmt IPAM Infrastructure...
Transcript of IF-MAP Overview - TT · IF-MAP Overview Jan Ursi ... CMDB SIEM Asset Mgmt IPAM Infrastructure...
© 2009 Infoblox Inc. All Rights Reserved.
IF-MAP: A Powerful New Standard
IF-MAP = Interface to Metadata Access Points
An open protocol standard published (free) by the Trusted Computing Group – Available since April, 2008 – Version 2.0 released August, 2010
Pub/sub database - Like Facebook for IP devices and systems
Supports a wide array of applications: – Multi-Vendor Network Security (NAC) – Compliance Management – Asset Management – Smart Grid – Network Automation / Cloud Computing
Could do for data sharing what IP did for connectivity
© 2010 Infoblox Inc. All Rights Reserved.
• Complex
• Costly
• Brittle
• High Maintenance
Applications
Management
Supply Chain Mgmt
Smart Grid CRM
HR
ERP
CMDB
SIEM
Asset Mgmt
IPAM Infrastructure
Network Security
DNS, DHCP
AAA Switches Routers
Building Controls
Factory Controls Network
Location
The Integration Challenge
SNMP, Syslog, Netflow
Custom Integration – API’s, Scripts
© 2010 Infoblox Inc. All Rights Reserved.
IF-MAP Server
Applications
Management
Supply Chain Mgmt
Smart Grid CRM
HR
ERP
CMDB
SIEM
Asset Mgmt
IPAM Infrastructure
Network Security
DNS, DHCP
AAA Switches Routers
Building Controls
Factory Controls Network
Location
IF-MAP Protocol
(Publish, Subscribe,
Search)
From Integration to Orchestration with IF-MAP
Automatically aggregates, correlates, and distributes data to and from different systems, in real time
© 2009 Infoblox Inc. All Rights Reserved.
Today, Systems Share the IP Network, But Don’t Share Data
Decisions (Control)
Sensors & Actuators
… Network Security
Physical Security
Provisioning, Visualization &
Analytics (Management)
Network Location
© 2009 Infoblox Inc. All Rights Reserved.
IF-MAP Doesn’t Replace Existing Systems & Applications – It Enables Them to Easily Share Data
Decisions (Control)
Sensors & Actuators
… Network Security
Physical Security
Provisioning, Visualization &
Analytics (Management)
IF-MAP Server
Network Location
© 2009 Infoblox Inc. All Rights Reserved.
Many New Applications are Emerging – Just the Tip of the Iceberg…
Decisions (Control)
Sensors & Actuators
… Network Security
Physical Security
Asset Management
Provisioning, Visualization &
Analytics (Management)
MAP Database
Cyber/Physical (CyPhy)
Convergence
Don’t allow users to connect to the network if they haven’t badged into the building
Cloud Computing
Federate authentication and authorization status
across private & public clouds
Don’t allow a wireless device to
connect if its located outside of
the building
Move computing workloads to the
cloud when prices drop
Track the location and status of all IT assets (IPs, MACs, devices, hardware, VMs, apps,
users, etc.) in real time
Allocate assets on the fly, dynamically re-
provision data centers
IT Automation
© 2009 Infoblox Inc. All Rights Reserved.
Vendor Support for IF-MAP is Growing
Vendor Product/Function IF-MAP Client
IF-MAP Server Avail
Byre Security SCADA Security X Now Great Bay Endpoint Discovery X Now Hirsch Electronics Physical Access Control X Now Infoblox DHCP Server (NIOS) X Now Infoblox Orchestration Server (IBOS) X Now Juniper Infranet Controller (Policy Server) X X Now Logisense Registration Portal, Billing System X Now Lumeta Network Discovery & Leak Detection X Now Mikado NAC Solution X H1-11 NCP VPN Client X H1-11 Open Source IF-MAP Client Stack (PERL) X Now Open Source IF-MAP Client Stack (C++) X Q1-11 Open Source IF-MAP Server (Omapd, Irond) X Now Open Source SNMP/IF-MAP Bridge X Now Q1 Labs SIEM X Q1-11
© 2009 Infoblox Inc. All Rights Reserved.
Some Infoblox IF-MAP Projects
Large Aircraft Manufacturer (In Production) – Security for factory control (SCADA) traffic over wireless factory network – Firewall configurations loaded dynamically from IF-MAP server – Uses firewall/VPN gateways from Byres Security (Tofino)
Software Development Company (In Production) – Network access control without software agents on endpoints – Uses Infoblox DHCP server, Juniper UAC, Juniper firewalls
Las Vegas Hotel and Casino (In Production) – Differentiated IP services for every room (3000 Juniper firewalls) – Uses Infoblox DHCP, Juniper UAC and firewalls (3000), Logisense registration/billing portal
Global Bank (Starting Rollout) – Dynamic, secure desktops – deploying to 8000 users – Uses QIP DHCP, Juniper UAC and firewalls
JANET - National ISP for Higher Education in UK (Pilot) – Federation of authentication data for EDUROAM service – Uses IF-MAP federation
Real-Time CMDB (Pilot) – Real-time discovery of devices joining the network – Uses Infoblox DHCP, IF-MAP client and OneCMDB (Open Source CMDB)
© 2009 Infoblox Inc. All Rights Reserved.
Unique Characteristics Cited by IF-MAP Supporters
1. Open, standard protocol
2. Lightweight, easy to implement
3. No global schema – supports emergent structures
4. Pub/sub paradigm
© 2009 Infoblox Inc. All Rights Reserved.
IF-MAP Components
IF-MAP Server IF-MAP Client(s)
3 MAP Client Operations: Publish Subscribe Search
User Name = John Doe
Department = Sales
distinguished-name =
C=US, O=myco, OU=people, CN=12534
employee-attribute = active
role = access-finance-server-
allowed
failed-login-attempts = 3, login-status =
allowed
3 MAP Server Objects: Identifiers Links Metadata
© 2009 Infoblox Inc. All Rights Reserved.
Publish:
– Clients store metadata into MAP for others to see Example: Authentication server publishes when a user logs in (or out)
Search:
– Clients retrieve published metadata associated with a particular identifier and linked identifiers Example: An application can request the current physical location of the user
Subscribe:
– Clients request asynchronous results for searches that match when others publish new metadata Example: Tell me when any user’s status goes from “employee” to
“terminated”
Tell others that…<metadata…>
Tell me when…match(metadata pattern)
Tell me if…match(metadata pattern)
IF-MAP Access Operations
© 2009 Infoblox Inc. All Rights Reserved.
IF-MAP Server Objects
Identifiers All objects are represented by unique identifiers
Links Connote relationships between pairs of identifiers
Metadata Attributes attached to Identifiers or Links
Typical Data Types: – Identifiers: Identity, IP address, MAC address, Session ID, Device – Metadata:
– AAA info (authenticated, role, capabilities/policies) – Device info (AV running, OS level, screen size, etc.) – Event info (unauthorized access attempt, etc.), – Layer 2 info (port, VLAN), location, etc. – Many others, plus user-defined
© 2009 Infoblox Inc. All Rights Reserved.
Use Case – Solution for Policy-Based Remote Access
Cisco 3750 Switch Infobox HA Pair
DHCP/DNS Appliance
Juniper IC 4000 UAC
User= John Windows 802.1X Client
00:11:22:33:44:55
Private Applications
AAA
Juniper SSG Firewall
Infobox HA Pair MAP Server
identity =
John
Access-request = 113:3
MAP Database
Authenticated-as
Capability = access-private-
applications
MAC = 00:11:22:33:44:55
IP= 192.0.2.7
IP-MAC
1- Endpoint plugs-in 2- SW sends EAP Start 3- Supplicant sends credentials
4- SW sends RADIUS Credential to UAC
5- UAC does Auth. Lookup
8- UAC sends RADIUS accept to SW
9- SW opens port
10- Endpoint requests DHCP
12-MAP sends IP-MAC to UAC
13- UAC activates L3 access on FW.
14- Endpoint generates traffic
192.0.2.7
Access-request-
mac
6- UAC publishes To MAP
7- UAC subscribes to MAP
11-DHCP sends MAC-IP metadata to MAP
IF-MAP
CHANGE? CHANGE!
© 2009 Infoblox Inc. All Rights Reserved.
11- UAC updates firewall policy to block access 12- UAC publishes the update to the MAP 1- Employee (John) enters zone 1 2- Hirsch system publishes to the MAP server 3- Employee requests for access to the network 4- UAC publishes to the MAP server 5- UAC Subscribes to the MAP server 6- UAC grants access to the corporate network 7- Employee connects to the classified network 8- Employee leaves Zone 1, while still logged in
Subscription Update: John in Zone 2
9- Card reader publishes the update to the MAP 10- MAP updates UAC about the location change
Use Case – Integrated Network / Physical Security Solution
Juniper IC 4000 UAC Appliance
Infoblox MAP Server
Hirsch System (Physical Sensor)
Publish: John in Zone 1
Publish: John is Authenticated; Session ID 113:3 Subscribe: Changes to Session 113:3
identity = John
location = Zone 1
Access-request =
113:3
Secure Zone 1
Classified Network
Juniper SSG Firewall
Cisco 3750 Switch
Publish: John in Zone 2
location = Zone 2
Publish (delete): John is Authenticated
Access Request
Grants Access Request
Zone 2 MAP Database
authenticated
Policy Violation: Access Cut Off
CHANGE? CHANGE!
© 2009 Infoblox Inc. All Rights Reserved.
Use Case: Real-Time CMDB
MA
P D
atab
ase
IP= 10.0.1.57
IP= 10.0.1.17
MAC = 00:11:11:33:44:55
IP-MAC
CMDB
DiscoveryEngine
TopologyBuilder
DISCOVERYSENSORS/AGENTS
IP= 10.0.1.55
MAC = 00:11:22:33:44:55
IP-MAC
MAC = 00:11:AA:33:44:55
IP-MAC
MAPClient
MANAGEDNETWORK
Infoblox MAP Server
Infoblox DHCP Server
CMDB SERVER
Invoke Discovery
Dis
cove
ry R
esul
ts
Update CMDB
Publish
10.0.1.57
© 2009 Infoblox Inc. All Rights Reserved.
• IP-based industrial control traffic shares the general IT network in the factory • “Endboxes” provide VPN/firewall security • Endbox configurations dynamically loaded from MAP server – based on user, role, etc.
Use Case: SCADA Security
Provisioning Client
© 2009 Infoblox Inc. All Rights Reserved.
• Enables login at remote universities / research centers using home login credentials
• Serves 1.9 million users across 850 locations
• Enabled today using RADIUS Proxy
• Service provider (JANET) maintains database of roaming activity
Univ A
Univ B
Univ D
Univ C
Radius Server
Radius Server
Radius Server
Radius Server
Radius proxy
OK!
JANET
Use Case: Federated IF-MAP Servers for UK EDUROAM Service
Roaming Users
Bbaker, Roaming from University D
© 2009 Infoblox Inc. All Rights Reserved.
Univ A
Univ B
Univ D
Univ C
RADSEC Jjames, Roaming from University B
• Local RADIUS servers replaced by RADSEC servers RADSEC servers communicate directly – no need for proxy JANET no longer sees RADIUS transactions, no view of who is roaming
• IF-MAP Federation provides a solution: -Local RADSEC servers publish user/location data to local MAP server -JANET’s central MAP server subscribes to changes on university MAP servers
JANET
RADSEC RADSEC
RADSEC
IF-MAP Federation for Next Gen EDUROAM Service
Local IF-MAP Server
Local IF-MAP Server
Local IF-MAP Server
Central IF-MAP Server
IF-MAP Client
Federation Subscriptions
© 2009 Infoblox Inc. All Rights Reserved.
IF-MAP has Applications in Cloud Computing and IT Orchestration
• Infrastructure 2.0 Working Group has been discussing the impact of virtualization & cloud computing on the network
• Members include equipment vendors, cloud providers and end users • Infoblox, Cisco, Google, Microsoft, F5, Citrix, Bechtel, Boeing, NASA…
• Developing an “inter-cloud registry service” based on IF-MAP • Ongoing project at Open Cloud Consortium in Chicago • Co-sponsored by Cisco CTO’s office and UCS group
• More info at www.infra20.com
© 2009 Infoblox Inc. All Rights Reserved.
IP Address
assigned to
Inter-Cloud Registry Helps Cloud Providers and Users to Match Workload Needs with Cloud Assets
MAC Address
IP Address
MAC Address
IP Address
Virtual Machine
Virtual Machine
Virtual Machine
Virtual Network
MAC Address
Virtual Network
Cloud member of member of
member of member of
assigned to
assigned to assigned to
assigned to
assigned to
runs on
© 2009 Infoblox Inc. All Rights Reserved.
The Vision: IF-MAP Supports Data Exchange Among Infoblox, and Other Vendors’ Products
Infrastructure
Core Services DNS / DHCP / IPAM
Infoblox DDI
Infoblox NCCM
Closed Loop Automation
Visibility Applications
Check Infrastructure
Provide DDI service
Recognize change
Detect IPs
Communicate / Take Action
25
IF-MAP Orchestration
© 2009 Infoblox Inc. All Rights Reserved.
Infoblox NIOS Appliances Support IF-MAP
Dynamically updates IF-MAP server when IPs are allocated, renewed, or released by NIOS DHCP server
Other systems can subscribe to updates and take action in real-time (e.g. discovery, configuration, scanning, open/close ports, etc.)
Unique to the Infoblox DHCP server (today)
IF-MAP Server
Infoblox NIOS Appliance
DHCP Lease Information
(IP, MAC, Start, Duration, etc.)
© 2009 Infoblox Inc. All Rights Reserved.
Infoblox Orchestration Server (IBOS): The World’s Most Powerful IF-MAP Server
Fully compliant with TCG standard
Proven interoperability with other IF-MAP compliant products
Unique Infoblox capabilities – IF-MAP 2.0 compliant – Lossless HA – Fine-grained client authorization – Data browser, extensive logging – IF-MAP Federation – Custom Identifiers
IF-MAP Client Systems
Infoblox Orchestration
Server
Network Security Physical Security Network Location
…
© 2009 Infoblox Inc. All Rights Reserved.
Resources – Documentation & Freeware
3 minute video on IF-MAP on Orchestration/IF-MAP Solutions page on infoblox.com
www.if-map.org – IF-MAP community Web site – Includes links to open source IF-MAP servers and other resources
www.juniper.com – Information about Infranet Controller: us/en/products-services/security/uac/#overview
www.trustedcomputinggroup.org – Complete protocol specs, information on TPM, TNC, Trusted Storage and related topics
Infoblox IF-MAP Starter Kit: Free for 90 days, $995 in the US for perpetual license, 18% annual support
– VMware IF-MAP appliance – Client simulator – Open-source client stacks (PERL, java, C++) – Open-source SNMP-MAP Bridge