Roles Based Network Access Controls - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Roles Based Network Access Controls
  • James R. Clifford
  • Los Alamos National Laboratory

2
Outline
  • Problem: control foreign national access to
    sensitive data
    • 700 foreign nationals (FN) in 25 organizations,
      80 buildings, 12 technical areas
  • Solution
    • Create a separate network with minimal sensitive
      data
  • Implementation
  • Deployment and Support
  • Lessons Learned
  • Future Directions

3
Direction
  • "Further, the Laboratory is now developing a
    segregated unclassified computer network for
    utilization by our foreign national employees.
    This network will allow for greater control over
    what types and how information can be accessed
    while still allowing for important scientific
    research to be accomplished." - LANL Director
    Michael Anastasio, testimony to the House Energy
    and Commerce Committee, September 28, 2008

4
LANL Network 2008
  [Diagram: two networks behind external links.
  Open Network - scientific collaboration (segmented),
  on-site visitor access, public Internet presence;
  uplinks: Internet (10GE), ESNet, I-2 (1 GE).
  Yellow Network (Unclassified-Protected) - restricted
  subnets with limited amounts of and tight controls on
  the presence of sensitive information; Central
  Services; General User.]
5
Design
  • Create a new Open Collaboration Enclave (OCE)
    using a VPN overlay
  • Connect the new OCE network with a firewall
  • Add a RADIUS server "on steroids"
  • Define roles and resource policies
  • Add a remote web and VPN solution

6
LANL Network 2009
  [Diagram: same layout as 2008 with the OCE added.
  Open Network - scientific collaboration (segmented),
  on-site visitor access, public Internet presence;
  uplinks: Internet (10GE), ESNet, I-2 (1 GE).
  Yellow Network (Unclassified-Protected) - limited
  amounts of and tight controls on the presence of
  sensitive information; Central Services; General
  User; new OCE enclave.]
7
OCE Network Components
  [Diagram: RADIUS, LDAP, Syslog and management
  servers; Infranet Controller; Netscreen firewall
  between the OCE (desktops, printers, customer LANs,
  VPN) and the Yellow Network and Internet; SSL Portal
  for remote access.]
8
Firewall Policy
  • PERMIT policy except for OCE to Yellow
    • Core policy allows DNS, AD, backups - 140 rules
    • Rules include protocol, destination IP address,
      port(s)
    • Includes services required for user logins
  • Role based policy rule
    • Default DENY OCE to Yellow
    • Web captive portal sets up roles based firewall
      policy
    • Users must be able to log in so they can run a
      browser
    • Assumes a single-user client system

9
Infranet Controller - RADIUS on Steroids
  • Uses existing RADIUS and LDAP services
    • Can also use MS Active Directory
  • Users get roles based on directory information
    • Can also use network location, host integrity
  • Resource Policy (firewall) rules are based on
    Roles

10
LDAP Example
  • dn: employeeNumber=123456,ou=people,dc=lanl,dc=gov
  • cn: Edward Crane
  • departmentNumber: ABC-1
  • employeeNumber: 123456
  • employeeType: Employee
  • lanlRole: Juniper RO Administrator
  • lanlRole: Remote VPN
  • lanlRole: Basic Network

11
Role Mapping Example
12
Resource Access Policy Example
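The role mapping and resource access policy slides above survive only as titles, so here is an added example (not LANL's or Juniper's code) of what those two steps do with the LDAP entry on slide 10: parse the entry, derive roles from directory attributes, and answer a default-deny resource question. The LDIF text mirrors the slide; the mapping rules, the policy table and every host name in it are constructed assumptions standing in for the Infranet Controller's own role-mapping and resource-policy configuration.

```python
"""Added example (not LANL's or Juniper's code): derive roles from an LDAP
entry and check a resource request against role-based resource policies.
Mapping rules, policy table and host names are constructed assumptions."""


def parse_ldif_entry(text: str) -> dict[str, list[str]]:
    """Parse one LDIF entry into attribute -> list of values.

    Multi-valued attributes such as lanlRole collect every value; the
    first ':' on a line separates the attribute name from its value."""
    entry: dict[str, list[str]] = {}
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {raw!r}")
        entry.setdefault(name.strip(), []).append(value.strip())
    return entry


# Constructed entry mirroring the slide's LDAP example.
SAMPLE_ENTRY = """
dn: employeeNumber=123456,ou=people,dc=lanl,dc=gov
cn: Edward Crane
departmentNumber: ABC-1
employeeNumber: 123456
employeeType: Employee
lanlRole: Juniper RO Administrator
lanlRole: Remote VPN
lanlRole: Basic Network
"""

# Assumed role-mapping rules: (attribute, required value, role granted).
# HR data drives the Employee role; lanlRole values drive the others.
ROLE_MAPPING = [
    ("employeeType", "Employee", "Employee"),
    ("lanlRole", "Basic Network", "Basic Network"),
    ("lanlRole", "Remote VPN", "Remote VPN"),
    ("lanlRole", "Juniper RO Administrator", "Juniper RO Administrator"),
]

# Assumed resource access policies: role -> allowed (proto, host, port).
# Anything not listed is denied, matching the default DENY from OCE to Yellow.
RESOURCE_POLICIES = {
    "Basic Network": {("udp", "dns.lanl.gov", 53), ("tcp", "dns.lanl.gov", 53)},
    "Employee": {("tcp", "mail.lanl.gov", 443)},
    "Remote VPN": {("tcp", "ssl-portal.lanl.gov", 443)},
    "Juniper RO Administrator": {("tcp", "infranet-controller.lanl.gov", 443)},
}


def map_roles(entry: dict[str, list[str]]) -> set[str]:
    """Apply the mapping rules to a parsed entry and return the role set."""
    return {role for attr, value, role in ROLE_MAPPING if value in entry.get(attr, [])}


def allowed_resources(roles: set[str]) -> set[tuple[str, str, int]]:
    """Union of every resource that any of the user's roles permits."""
    return set().union(*(RESOURCE_POLICIES.get(role, set()) for role in roles))


def is_permitted(roles: set[str], proto: str, host: str, port: int) -> bool:
    """Default-deny check: permitted only if some role's policy lists it."""
    return (proto, host, port) in allowed_resources(roles)


if __name__ == "__main__":
    roles = map_roles(parse_ldif_entry(SAMPLE_ENTRY))
    print("roles:", sorted(roles))
    print("mail.lanl.gov:443 ->", is_permitted(roles, "tcp", "mail.lanl.gov", 443))
    print("datawarehouse.lanl.gov:443 ->",
          is_permitted(roles, "tcp", "datawarehouse.lanl.gov", 443))
```

The point of the shape is that the firewall never sees users, only roles: removing one lanlRole value in the directory (the slide's "roles removed when person terminates") silently drops every resource that role carried, and a resource with no role listing it is denied even to a fully privileged entry.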
13
Role Member Management
  • HR Data determines Employee and organization role
    data
  • Basic Network Role created when user gets a
    network account
  • Import role data from resource owner, e.g. High
    Performance Computing
  • Users may select roles within business rules,
    e.g. Remote VPN
  • Ad hoc role management
    • Uses lanlRole attribute value
    • Role owner (and delegates) use web page to
      add/remove members
    • Directory updates are in real time
  • Roles removed when person terminates

14
Resource Access Policy Management
  • Resources in list determined by the role/resource
    owner
  • Managed as a text file by network operations
    • Access Control Tester,tcp://datawarehouse.lanl.gov:http,https
  • Converted to XML
    • Host names and ports checked and converted
  • XML imported into Infranet Controller
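The text-file-to-XML step is where a bad entry would turn into an over-broad firewall rule, so the checking matters. Below is an added example (not LANL's conversion tooling) that parses the operations-maintained file, validates host names and ports, reports bad lines instead of dropping them, and emits XML. The line format role,proto://host:services is an assumption modelled on the slide's example line; the service-name table, the XML element names and the sample file are all constructed.

```python
"""Added example (not LANL's tooling): parse the operations-maintained text
file of resource access policies, validate host names and ports, and emit
XML for import. Line format, service table and XML schema are assumptions."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# RFC 1123 host name: labels of 1-63 alphanumerics/hyphens, no edge hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)
# Assumed service-name table so the check does not depend on /etc/services.
SERVICE_PORTS = {"http": 80, "https": 443, "ssh": 22, "ldap": 389, "ldaps": 636, "dns": 53}


@dataclass(frozen=True)
class ResourcePolicy:
    role: str
    proto: str
    host: str
    ports: tuple[int, ...]


def parse_policy_line(line: str) -> ResourcePolicy:
    """Parse 'role,proto://host:svc1,svc2' and validate every field."""
    role, sep, resource = line.partition(",")
    if not sep or not role.strip():
        raise ValueError("expected 'role,proto://host:services'")
    proto, sep, rest = resource.strip().partition("://")
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol {proto!r}")
    host, sep, services = rest.rpartition(":")
    if not sep or not services:
        raise ValueError("missing port/service list")
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"invalid host name {host!r}")
    ports = []
    for token in services.split(","):
        token = token.strip().lower()
        port = SERVICE_PORTS.get(token)
        if port is None:
            if not token.isdigit():
                raise ValueError(f"unknown service {token!r}")
            port = int(token)
        if not 1 <= port <= 65535:
            raise ValueError(f"port {port} out of range")
        ports.append(port)
    return ResourcePolicy(role.strip(), proto, host, tuple(ports))


def parse_policy_file(text: str):
    """Return (policies, errors); a bad line is reported, never silently dropped."""
    policies, errors = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            policies.append(parse_policy_line(line))
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
    return policies, errors


def policies_to_xml(policies) -> str:
    """Serialize validated policies into the assumed import schema."""
    root = ET.Element("resourcePolicies")
    for p in policies:
        policy = ET.SubElement(root, "policy", role=p.role)
        resource = ET.SubElement(policy, "resource", proto=p.proto, host=p.host)
        for port in p.ports:
            ET.SubElement(resource, "port").text = str(port)
    return ET.tostring(root, encoding="unicode")


# Constructed sample file: two valid lines, one bad host name, one bad port.
SAMPLE_POLICY_FILE = """\
# role,proto://host:services
Access Control Tester,tcp://datawarehouse.lanl.gov:http,https
Basic Network,udp://dns.lanl.gov:53
Employee,tcp://bad_host.lanl.gov:https
Employee,tcp://mail.lanl.gov:70000
"""

if __name__ == "__main__":
    good, bad = parse_policy_file(SAMPLE_POLICY_FILE)
    print(policies_to_xml(good))
    print("\n".join(bad))
```

Refusing the whole import when `errors` is non-empty is the safer operational choice; a partially applied policy file leaves some roles with last week's rules and no record of which.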

15
Remote Access ssl-portal
  • https://ssl-portal.lanl.gov
  • Portal page has bookmarks, web browsing and SSL
    VPN
    • Features depend on user roles
  • SSL VPN tunnels land in the OCE network
  • Terminal sessions and file access using SSL
    tunnels are being evaluated

16
Surveillance
  • Watch for users accessing unauthorized resources
  • Uses existing information
    • HR data
    • Host registration information
    • Resource access policies
    • Logs
    • Router flows
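The surveillance slide lists its inputs but not how they combine, so here is an added example (not LANL's surveillance tooling) of the correlation: router flow records are joined to host registration (address to user), the user's roles, and the resource access policies, and any OCE-to-Yellow flow that no role of the registered user permits, or that comes from an unregistered address, becomes an alert. Every table, the Yellow prefix and the flow lines are constructed, and the flow format timestamp,src_ip,proto,dst_ip,dst_port is an assumption.

```python
"""Added example (not LANL's surveillance tooling): correlate router flow
records with host registration, directory roles and resource access
policies to flag OCE hosts reaching Yellow resources they are not permitted.
All tables, addresses and flow lines are constructed assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed host registration: OCE desktop address -> registered user.
HOST_REGISTRATION = {"10.20.30.41": "ecrane", "10.20.30.42": "jdoe"}
# Constructed directory data: user -> roles (from HR data and lanlRole values).
USER_ROLES = {
    "ecrane": {"Basic Network", "Employee", "Remote VPN"},
    "jdoe": {"Basic Network"},
}
# Constructed Yellow network prefix and address-to-name table.
YELLOW_NET = ip_network("128.165.0.0/16")
YELLOW_HOSTS = {
    "128.165.1.5": "dns.lanl.gov",
    "128.165.1.10": "mail.lanl.gov",
    "128.165.1.20": "datawarehouse.lanl.gov",
}
# Resource access policies: role -> allowed (proto, host, port); default deny.
RESOURCE_POLICIES = {
    "Basic Network": {("udp", "dns.lanl.gov", 53), ("tcp", "dns.lanl.gov", 53)},
    "Employee": {("tcp", "mail.lanl.gov", 443)},
    "Access Control Tester": {("tcp", "datawarehouse.lanl.gov", 443)},
}


@dataclass(frozen=True)
class Flow:
    ts: str
    src_ip: str
    proto: str
    dst_ip: str
    dst_port: int


def parse_flow(line: str) -> Flow:
    """Parse one 'timestamp,src_ip,proto,dst_ip,dst_port' record."""
    ts, src, proto, dst, port = (f.strip() for f in line.split(","))
    return Flow(ts, src, proto.lower(), dst, int(port))


def permitted(user: str, proto: str, host: str, port: int) -> bool:
    """True if any of the user's roles lists the resource."""
    return any((proto, host, port) in RESOURCE_POLICIES.get(role, set())
               for role in USER_ROLES.get(user, set()))


def audit_flows(lines):
    """Return one alert per OCE->Yellow flow that is unregistered or unpermitted."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        if ip_address(flow.dst_ip) not in YELLOW_NET:
            continue  # OCE to Internet is permitted; only OCE to Yellow is controlled
        host = YELLOW_HOSTS.get(flow.dst_ip, flow.dst_ip)
        user = HOST_REGISTRATION.get(flow.src_ip)
        if user is None:
            reason = "unregistered source host"
        elif permitted(user, flow.proto, host, flow.dst_port):
            continue
        else:
            reason = "no role permits resource"
        alerts.append({"ts": flow.ts, "src_ip": flow.src_ip, "user": user,
                       "host": host, "port": flow.dst_port, "reason": reason})
    return alerts


# Constructed flow records (not real LANL traffic).
SAMPLE_FLOWS = """
2009-03-16T10:01:02,10.20.30.41,tcp,128.165.1.10,443
2009-03-16T10:01:05,10.20.30.42,tcp,128.165.1.10,443
2009-03-16T10:02:11,10.20.30.41,tcp,128.165.1.20,443
2009-03-16T10:02:30,10.20.30.99,udp,128.165.1.5,53
2009-03-16T10:03:00,10.20.30.42,tcp,8.8.8.8,443
2009-03-16T10:03:10,10.20.30.42,udp,128.165.1.5,53
""".strip().splitlines()

if __name__ == "__main__":
    for alert in audit_flows(SAMPLE_FLOWS):
        print(alert)
```

Because the check is driven by the same policy table the firewall imports, a flow that succeeds but is flagged here points at a firewall rule that drifted from policy, while a flagged flow the firewall blocked still records who attempted what; the slide's "assumes a single user client system" caveat applies to the address-to-user join as well.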

17
Deployment and Support
  • Project started in mid-October
  • 500 VPN boxes and firewall deployed by early
    January
    • Found many IP ACL, performance and reliability
      problems
  • 4 Divisions selected for early adoption (30 of
    total) of access controls in January
    • Fleshed out Basic Network and Employee roles
    • Set up project issue tracking system
  • Full access control enabled over 2 weeks in mid
    March
  • Remote access enforced in early April
  • On-going support turned over to operations in May
    • VPN box adds and removes
    • Resource policy changes
    • User help questions

18
Lessons Learned
  • Solution is expensive to support
    • Not leveraging the solution: unfamiliar (but
      powerful) technology used for one project
    • VPN boxes on users' desks add unnecessary
      complexity
  • Transition was disruptive to customers
    • Short schedule left shortened deployment and
      testing time
    • Resources people need to do their job were not
      well understood
    • Some network services not well supported
  • Project skill shortage
  • Customers not well informed

19
What's Next
  • Access policy federation between firewall and
    ssl-portal
  • PF-NET
  • Terminal sessions for remote access
  • Single / reduced sign-on for remote users
  • Network re-architecture project
    • Eliminate desktop VPN boxes
    • 802.1x and MAC authentication
    • Desktop agent for host integrity check
    • VLAN assignment and roles based access
    • Firewall and proxy consolidation
    • Etc.

20
Questions?