Indiana University Update
Tom Zeller, zeller@indiana.edu

Transcript of the 17-slide deck.

Page 1

Indiana University Update

Tom Zeller, zeller@indiana.edu

Page 2

First an Ad for NetGuru

• Meets immediately after I2 Joint Techs
• Focuses on large campus network issues
• Email me at zeller@indiana.edu

Page 3

Governance

• Completed 10 year Strategic Plan
• Beginning new 10 yr Strategic Plan

Page 4

Governance

• Completed 10 yr tactical Telecom Plan
  – Business model considerations
  – Network edges in surges for new features
  – Dorm wiring left to natural refurb cycle
  – $$ for network security on ongoing basis

Page 5

Projects

• WiFi RFP completed. Upgrade over summer
• Implementing MPLS
  – PCI first target

Page 6

Isolating and Protecting Devices on the Network

A database-driven methodology
Tom Zeller, June 2008

Page 7

Purpose

• Automatically detect special categories of devices and create an appropriate network environment for them

Page 8

Methodology Overview

• 802.1x on wired and wireless
• For non-802.1x devices the switch proxies, using the MAC address as username and password
• A custom RADIUS server recognizes that the username is a MAC address and looks up the policy

Page 9

Define Device Categories

• Work with departments
• Categories should be easily added
• Examples:
  – PCI cash register
  – Security Camera
  – Stolen Laptop
  – RoboDog
  – Many more

Page 10

Define Policy Action for Each Category

• VLAN ID
• Port ACL
• Access Denied
• Alert someone (e.g. stolen laptops)
• Allow only if in a particular building
• Allow only if network type matches

Page 11

MAC Table Input

• Web application with granular access to categories
  – e.g. Only physical plant admins can add cameras
• API for IDS, scanners, etc. to add devices on the fly
• Include date for annual refresh
• Force building restriction for most categories
• Restrict to wired or wireless only (or both)

Page 12

Device, Category/Action Tables

Page 13

Link VLAN names to VLAN Numbers

• VLAN “Quarantine” is a different number in different locations

Page 14

RADIUS Logic

• If username is a MAC address
  – Don’t authenticate via ADS
  – Look up in registered device table
  – If present retrieve policy action and building
  – If building matches requesting switch
• Send policy via RADIUS attributes to switch
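The page-14 decision path, combined with the per-building VLAN numbering from page 13 and the device-table fields from page 11, worked through as an added Python example (not IU's code). All tables are constructed sample data, and treating an unregistered, expired, wrong-building or wrong-media MAC as Access-Reject is an assumption the slides do not state.

```python
import re
from datetime import date

# Constructed sample data, not IU's real registry.
MAC_RE = re.compile(r"^[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}$", re.I)

# Page 13: the same VLAN name maps to a different number in each building.
VLAN_BY_BUILDING = {
    "Library": {"Quarantine": 900, "PCI": 210, "Cameras": 320},
    "Union":   {"Quarantine": 950, "PCI": 215, "Cameras": 325},
}

# Page 10: one policy action per category (VLAN, port ACL, deny, alert).
CATEGORY_ACTION = {
    "PCI cash register": {"vlan": "PCI", "acl": "pci-only"},
    "Security Camera":   {"vlan": "Cameras"},
    "Stolen Laptop":     {"deny": True, "alert": True},
}

# Page 11: registered device table with building, media and annual refresh date.
DEVICES = {
    "00:11:22:33:44:55": dict(category="PCI cash register", building="Library", media="wired", refresh=date(2009, 6, 1)),
    "00:11:22:33:44:66": dict(category="Security Camera", building="Union", media="wired", refresh=date(2009, 6, 1)),
    "00:11:22:33:44:77": dict(category="Stolen Laptop", building=None, media="both", refresh=date(2009, 6, 1)),
    "00:11:22:33:44:88": dict(category="Security Camera", building="Library", media="wired", refresh=date(2007, 6, 1)),
}

def radius_decide(username, nas_building, media, today=date(2008, 6, 1)):
    """Page-14 logic. Returns (reply code, RADIUS attributes, reason); the reason
    is what the page-15 transparency page would show as 'what SHOULD have happened'."""
    if not MAC_RE.match(username):
        return ("defer-to-ADS", {}, "username is not a MAC address")  # normal user path, not handled here
    dev = DEVICES.get(username.lower().replace("-", ":"))
    if dev is None:
        return ("Access-Reject", {}, "MAC not in registered device table")  # assumption: unregistered -> reject
    if dev["refresh"] < today:
        return ("Access-Reject", {}, "registration past annual refresh date")
    if dev["media"] != "both" and dev["media"] != media:
        return ("Access-Reject", {}, f"device restricted to {dev['media']} only")
    if dev["building"] is not None and dev["building"] != nas_building:
        return ("Access-Reject", {}, f"registered in {dev['building']}, requesting switch is in {nas_building}")
    action = CATEGORY_ACTION[dev["category"]]
    if action.get("alert"):
        print(f"ALERT: {dev['category']} {username} seen in {nas_building}")  # stand-in for paging someone
    if action.get("deny"):
        return ("Access-Reject", {}, f"category {dev['category']} is access denied")
    # RFC 2868 tunnel attributes carry the VLAN; Filter-Id names the port ACL.
    attrs = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
             "Tunnel-Private-Group-Id": str(VLAN_BY_BUILDING[nas_building][action["vlan"]])}
    if "acl" in action:
        attrs["Filter-Id"] = action["acl"]
    return ("Access-Accept", attrs, f"category {dev['category']} -> VLAN {action['vlan']} in {nas_building}")
```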

Page 15

Transparency: The Solution to Complexity

• Develop a web application to allow support personnel to enter a MAC address and see what SHOULD have happened (category, building, VLAN, ACL) and/or what ACTUALLY happened (from the log file)

Page 16

Need to investigate

• Trusted Computing Group – Trusted Network Connect
  – New IF-MAP standard for network database
  – Input from multiple sources
  – Info subscribed to by network device
• Consider intersection between device and user, if any

Page 17

Indiana University Update

Tom Zeller, zeller@indiana.edu