IF-MAP Overview - ITU

IF-MAP OverviewJan UrsiTechnical Director EMEA 2009 Infoblox Inc. All Rights Reserved.

IF-MAP: A Powerful New Standard IF-MAP Interface to Metadata Access Points An open protocol standard published (free) by the TrustedComputing Group– Available since April, 2008– Version 2.0 released August, 2010 Pub/sub database - Like Facebook for IP devices and systems Supports a wide array of applications:–––––Multi-Vendor Network Security (NAC)Compliance ManagementAsset ManagementSmart GridNetwork Automation / Cloud ComputingCould do for data sharing what IP did for connectivity 2009 Infoblox Inc. All Rights Reserved.

The Integration rastructureManagementHRApplicationsSNMP, Syslog, Netflow Complex CostlyCustom Integration – API’s, Scripts Brittle High Maintenance 2010 Infoblox Inc. All Rights Reserved.

From Integration to Orchestration with lish,Subscribe,Search)IF-MAP ServerAutomatically aggregates, correlates, and distributes datato and from different systems, in real time 2010 Infoblox Inc. All Rights Reserved.

Today, Systems Share the IP Network,But Don’t Share DataNetworkSecurityPhysicalSecurityNetworkLocation Provisioning,Visualization &Analytics(Management)Decisions(Control)Sensors &Actuators 2009 Infoblox Inc. All Rights Reserved.

IF-MAP Doesn’t Replace Existing Systems &Applications – It Enables Them to Easily Share DataNetworkSecurityPhysicalSecurityNetworkLocation Provisioning,Visualization &Analytics(Management)IF-MAP ServerDecisions(Control)Sensors &Actuators 2009 Infoblox Inc. All Rights Reserved.

Many New Applications are Emerging –Just the Tip of the Iceberg PhysicalNetworkSecurityCyber/Physical SecurityIT tion &Analytics Don’t allow users Track the location andstatus of all IT assetsto connect to the(Management)MAPnetwork if theyhaven’t badgedDatabaseinto the buildingDecisions Don’t allow a(Control)wireless device toconnect if itslocated outside ofthe building(IPs, MACs, devices,hardware, VMs, apps,users, etc.) in real time Allocate assets on thefly, dynamically reprovision data centersAssetManagementCloud Computing Federateauthentication andauthorization statusacross private & publicclouds Move computingworkloads to thecloud when pricesdropSensors &Actuators 2009 Infoblox Inc. All Rights Reserved.

Vendor Support for IF-MAP is ionAvailByre SecuritySCADA SecurityXNowGreat BayEndpoint DiscoveryXNowHirsch ElectronicsPhysical Access ControlXNowInfobloxDHCP Server (NIOS)XNowInfobloxOrchestration Server (IBOS)JuniperInfranet Controller (Policy Server)XLogisenseRegistration Portal, Billing SystemXNowLumetaNetwork Discovery & Leak DetectionXNowMikadoNAC SolutionXH1-11NCPVPN ClientXH1-11Open SourceIF-MAP Client Stack (PERL)XNowOpen SourceIF-MAP Client Stack (C )XQ1-11Open SourceIF-MAP Server (Omapd, Irond)Open SourceSNMP/IF-MAP BridgeXNowQ1 LabsSIEMXQ1-11XNowXNowXNow 2009 Infoblox Inc. All Rights Reserved.

Some Infoblox IF-MAP Projects Large Aircraft Manufacturer (In Production)– Security for factory control (SCADA) traffic over wireless factory network– Firewall configurations loaded dynamically from IF-MAP server– Uses firewall/VPN gateways from Byres Security (Tofino) Software Development Company (In Production)– Network access control without software agents on endpoints– Uses Infoblox DHCP server, Juniper UAC, Juniper firewalls Las Vegas Hotel and Casino (In Production)– Differentiated IP services for every room (3000 Juniper firewalls)– Uses Infoblox DHCP, Juniper UAC and firewalls (3000), Logisense registration/billing portal Global Bank (Starting Rollout)– Dynamic, secure desktops – deploying to 8000 users– Uses QIP DHCP, Juniper UAC and firewalls JANET - National ISP for Higher Education in UK (Pilot)– Federation of authentication data for EDUROAM service– Uses IF-MAP federation Real-Time CMDB (Pilot)– Real-time discovery of devices joining the network– Uses Infoblox DHCP, IF-MAP client and OneCMDB (Open Source CMDB) 2009 Infoblox Inc. All Rights Reserved.

IF-MAP ProtocolOverview 2009 Infoblox Inc. All Rights Reserved.

Unique Characteristics Cited by IF-MAP Supporters1. Open, standard protocol2. Lightweight, easy to implement3. No global schema – supports emergent structures4. Pub/sub paradigm 2009 Infoblox Inc. All Rights Reserved.

IF-MAP ComponentsIF-MAP Client(s)IF-MAP Serveremployeeattribute activedistinguishedname C US, O myco,OU people,CN 12534User Name John DoeDepartment Salesfailed-login-attempts 3, login-status allowedrole access-finance-serverallowed3 MAP Client Operations:PublishSubscribeSearch3 MAP Server Objects:IdentifiersLinksMetadata 2009 Infoblox Inc. All Rights Reserved.

IF-MAP Access Operations Publish:Tell others that metadata – Clients store metadata into MAP for others to see Example: Authentication server publishes when a user logs in (or out) Search:Tell me if match(metadata pattern)– Clients retrieve published metadata associated with a particularidentifier and linked identifiers Example: An application can request the current physical location of the user Subscribe:Tell me when match(metadatapattern)– Clients request asynchronous results for searches that match whenothers publish new metadata Example: Tell me when any user’s status goes from “employee” to“terminated” 2009 Infoblox Inc. All Rights Reserved.

IF-MAP Server ObjectsIdentifiersLinksAll objects are represented by uniqueidentifiersConnote relationships between pairs ofidentifiersMetadata Attributes attached to Identifiers or LinksTypical Data Types:– Identifiers: Identity, IP address, MAC address, Session ID, Device– Metadata:– AAA info (authenticated, role, capabilities/policies)– Device info (AV running, OS level, screen size, etc.)– Event info (unauthorized access attempt, etc.),– Layer 2 info (port, VLAN), location, etc.– Many others, plus user-defined 2009 Infoblox Inc. All Rights Reserved.

Basic Components of MAP ContentIdentifiersMetadataLink 2009 Infoblox Inc. All Rights Reserved.

IF-MAP Use cases 2009 Infoblox Inc. All Rights Reserved.

Use Case – Solution for Policy-Based Remote Access192.0.2.7User JohnWindows 802.1X Client00:11:22:33:44:551- Endpoint plugs-in2- SW sends EAP Start3- Supplicant sendscredentialsMAP Database10- Endpoint requests DHCPidentity John14- Endpointgenerates trafficAccessrequestmac11-DHCP sendsMAC-IP metadataInfobox HA PairDHCP/DNS Appliance to MAP9- SW opens portMAC 00:11:22:33:44:55IP-MACCisco 3750 Switch8- UAC sends RADIUSaccept to SW4- SW sends RADIUSCredential to UAC6- UAC publishesTo MAPJuniper SSGFirewall 13- UAC activatesL3 access on FW.Infobox HA PairMAP ServerAuthenticatedasIP 192.0.2.77- UAC subscribesto MAP12-MAP sends IPMAC to UACCHANGE?CHANGE!Juniper IC 4000UAC5- UAC does Auth.LookupPrivate ApplicationsIF-MAPAAAAccessrequest 113:3Capability access-privateapplications 2009 Infoblox Inc. All Rights Reserved.

Use Case – Integrated Network / PhysicalSecurity SolutionSecure Zone 1Zone 2MAP Databaselocation Zone 21Hirsch System(Physical Sensor)Publish: John in Zone 1AccessRequestauthenticatedidentity JohnPublish: John in Zone 2Cisco 3750SwitchGrantsAccessRequestInfobloxMAP ServerCHANGE?CHANGE!Publish: John is Authenticated;Session ID 113:3Subscribe: Changes to Session 113:3Policy Violation:Access Cut OffJuniper SSGFirewallClassifiedNetworkSubscription Update: John in Zone 2Publish (delete): John is AuthenticatedAccessrequest 113:3Juniper IC 4000UAC 1- Card(John)enterszone1location 2009 Infoblox Inc. All Rights Reserved.

Use Case: Real-Time CMDBMANAGED NETWORK10.0.1.57Infoblox DHCPServerishe DiscoUpdateCMDBCMDBveryMAC 00:11:11:33:44:55MAP DatabaseInvokTopology BuilderCMDBSERVERIP-MACInfobloxMAP ServerMAP ClientDiscovery EngineIP-MACIP 10.0.1.17IP 10.0.1.57PublDiscoveryResultsDISCOVERY SENSORS /AGENTSMAC 00:11:22:33:44:55MAC 00:11:AA:33:44:55IP 10.0.1.55IP-MAC 2009 Infoblox Inc. All Rights Reserved.

Use Case: SCADA Security IP-based industrial control traffic shares the general IT network in the factory “Endboxes” provide VPN/firewall security Endbox configurations dynamically loaded from MAP server – based on user, role, etc.ProvisioningClient 2009 Infoblox Inc. All Rights Reserved.

Use Case: Federated IF-MAP Servers for UKEDUROAM Service Enables login at remote universities / research centers using home login credentials Serves 1.9 million users across 850 locations Enabled today using RADIUS Proxy Service provider (JANET) maintains database of roaming activityUnivAOK!Bbaker, Roamingfrom University erRadiusproxyRoaming nivD 2009 Infoblox Inc. All Rights Reserved.

IF-MAP Federation for Next Gen EDUROAM Service Local RADIUS servers replaced by RADSEC servers RADSEC servers communicate directly – no need for proxy JANET no longer sees RADIUS transactions, no view of who is roaming IF-MAP Federation provides a solution:-Local RADSEC servers publish user/location data to local MAP server-JANET’s central MAP server subscribes to changes on university MAP serversUnivBUnivAJANETRADSECJjames, Roamingfrom University rationSubscriptions 2009 Infoblox Inc. All Rights Reserved.

IF-MAP has Applications in Cloud Computing andIT Orchestration Infrastructure 2.0 Working Group has been discussing the impact ofvirtualization & cloud computing on the network Members include equipment vendors, cloud providers and end users Infoblox, Cisco, Google, Microsoft, F5, Citrix, Bechtel, Boeing, NASA Developing an “inter-cloud registry service” based on IF-MAP Ongoing project at Open Cloud Consortium in Chicago Co-sponsored by Cisco CTO’s office and UCS group More info at www.infra20.com 2009 Infoblox Inc. All Rights Reserved.

Inter-Cloud Registry Helps Cloud Providers andUsers to Match Workload Needs with Cloud Assetsmember ofmember ofassigned toVirtualNetworkVirtualMachineCloudmember ofVirtualMachineMAC Addressruns onassigned toIP Addressassigned toMAC AddressVirtualMachinemember ofVirtualNetworkassigned toassigned toMAC Addressassigned toIP AddressIP Address 2009 Infoblox Inc. All Rights Reserved.

The Vision: IF-MAP Supports Data ExchangeAmong Infoblox, and Other Vendors’ ProductsVisibilityApplicationsInfoblox DDIIF-MAPOrchestrationProvide DDI serviceDetect IPsCommunicate/ Take ActionCore ServicesDNS / DHCP / IPAMClosed LoopAutomationInfoblox NCCMCheck InfrastructureInfrastructureRecognize change25 2009 Infoblox Inc. All Rights Reserved.

Resources 2009 Infoblox Inc. All Rights Reserved.

Infoblox NIOS Appliances Support IF-MAP Dynamically updates IF-MAPserver when IPs are allocated,renewed, or released by NIOSDHCP serverOther systems can subscribe toupdates and take action in realtime (e.g. discovery, configuration,scanning, open/close ports, etc.)Unique to the Infoblox DHCPserver (today)InfobloxNIOS ApplianceDHCP LeaseInformation(IP, MAC, Start,Duration, etc.)IF-MAP Server 2009 Infoblox Inc. All Rights Reserved.

Infoblox Orchestration Server (IBOS):The World’s Most Powerful IF-MAP Server Fully compliant with TCG standard Proven interoperability with otherIF-MAP compliant products Unique Infoblox nServerIF-MAP 2.0 compliantLossless HAFine-grained client authorizationData browser, extensive loggingIF-MAP FederationCustom Identifiers Network SecurityPhysical SecurityNetwork LocationIF-MAP Client Systems 2009 Infoblox Inc. All Rights Reserved.

Resources – Documentation & Freeware 3 minute video on IF-MAP on Orchestration/IF-MAP Solutions page on infoblox.com www.if-map.org –IF-MAP community Web site–Includes links to open source IF-MAP servers and other resourceswww.juniper.com– www.trustedcomputinggroup.org– Information about Infranet Controller: lete protocol specs, information on TPM, TNC, Trusted Storage and related topicsInfoblox IF-MAP Starter Kit: Free for 90 days, 995 in the US for perpetual license, 18% annual support–VMware IF-MAP appliance–Client simulator–Open-source client stacks (PERL, java, C )–Open-source SNMP-MAP Bridge 2009 Infoblox Inc. All Rights Reserved.

Hirsch Electronics Physical Access Control X Now Infoblox DHCP Server (NIOS) X Now Infoblox Orchestration Server (IBOS) X Now Juniper Infranet Controller (Policy Server) X X Now Logisense Registration Portal, Billing System X Now Lumeta Network Discovery &