Educause Security Discussion mailing list archives

Re: How to Protect Campus Sensitive Servers - Solution


From: schilling <schilling2006 () GMAIL COM>
Date: Fri, 5 Feb 2010 13:28:14 -0500

Ok, here is the proposal I just finished without too much fine
reading. Please comment.
A good reference about dynamic access policy is at
http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml


ITS VPN Group Proposal

Background
More and more people/groups within FSU Information Technology Services
(ITS) are asking for a separate VPN group while ITS is coming together
as one organization. We understand that each group might have valid
concerns about limiting their resource exposure. At the same time, a lot
of people are confused about which VPN group to use for what purpose. Is
there a better way to do the VPN, within ITS at least?

Proposed Solution
Defense in depth is the way to go. VPN should not and will not be the
panacea for security. We would like to propose a single ITS VPN
group for all ITS employees, with layers of access control in
place.

Layers of Access Control
1. Who can use the ITS VPN group?
Only an active ITS employee can use this group.

2. What network can tunnel through the VPN for the ITS VPN group?
This will start with the complete FSU network.

3. What network can you access after a FSUID is authenticated by the VPN server?
Dynamic access policy on our VPN server can decide which network a
FSUID can access according to the FSUID's fsuVPNMember value[s].
For example, we would like to have ITS-sec, ITS-ios, and ITS-tss as
possible fsuVPNMember values for ITS employees. The VPN server will check
the fsuVPNMember values when an ITS employee logs in.
If the VPN server sees ITS-sec (most specific), then a
dynamic ACL like the following will be applied to the user session:
        permit ip any host 192.168.6.6 #example confidential server1
        permit ip any host 10.10.7.7 #example confidential server2
Else, if the VPN server also sees ITS-ios (less specific), then another
dynamic ACL like the following will be applied to the user session:
        deny ip any host 192.168.6.6
        deny ip any host 10.10.7.7
        permit ip any 192.168.6.0 0.0.0.255
        permit ip any 10.10.7.0 0.0.0.255
Else, if the VPN server sees that you are just an ITS employee (most general,
without any fsuVPNMember related to ITS), then a dynamic ACL as follows
will be applied to the user session:
        deny ip any 192.168.6.0 0.0.0.255
        deny ip any 10.10.7.0 0.0.0.255
        permit ip any 192.168.0.0 0.0.255.255
        permit ip any 10.10.0.0 0.0.255.255
So basically, the VPN server dynamic access policies will
collectively limit which network layer/IP addresses a specific FSUID can
access.

4. Which transport layer of certain IP[s] can you access?
This is controlled by either VLAN ACL or host-based firewall or both.

5. Can a specific user log in to the host?
This is controlled by host-based authentication.

6. Can a specific user access certain files/directories?
This is controlled by host-based authorization.

What needs to be done?

Each ITS function subgroup justifies being different from others
within ITS in terms of confidentiality/trust, and designates one or
two subgroup managers.

Each ITS-subgroup manager comes up with the list of special IPs they
want to limit and the FSUIDs who should have access to this ITS-subgroup.

Core will create a single ITS VPN group and the corresponding
ITS-subgroup dynamic access policies.

Core will open the VLAN ACL in loose or strict mode from the ITS VPN address
pool to the corresponding IPs for each ITS-subgroup.

Host administrators can do the strict mode from the ITS VPN address pool to
the host on the host-based firewall.

Host administrators will also take care of authentication and
authorization on the host.

What might be of concern?

Will our VPN server be able to handle a lot of dynamic ACLs and policies?

How to justify the need for a separate ITS-subgroup? Use security
clearance level?

Can we delegate granting the ITS-subgroup fsuVPNMember attribute/value to
the ITS-subgroup manager[s]?
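To make the layer-3 behaviour of the proposal concrete, here is an added example (not part of the original message, and not the ASA's own logic) that models the three fsuVPNMember cases above as a small policy engine: it picks the most specific policy a user's attribute values grant, parses the Cisco-style ACL lines (host entries and wildcard masks), and evaluates a destination address with first-match semantics and the implicit deny at the end of every ACL. The attribute names, ACL lines and addresses are the ones in the proposal; the function names and the "ITS" fallback label are assumptions made for this example.

```python
import ipaddress

# Constructed example: the three fsuVPNMember cases from the proposal and the
# dynamic ACL each one applies. Order matters: the first entry whose name is in
# the user's attribute values wins, and "ITS" (plain employee) is the fallback.
DYNAMIC_ACLS = [
    ("ITS-sec", [
        "permit ip any host 192.168.6.6  # example confidential server1",
        "permit ip any host 10.10.7.7    # example confidential server2",
    ]),
    ("ITS-ios", [
        "deny ip any host 192.168.6.6",
        "deny ip any host 10.10.7.7",
        "permit ip any 192.168.6.0 0.0.0.255",
        "permit ip any 10.10.7.0 0.0.0.255",
    ]),
    ("ITS", [
        "deny ip any 192.168.6.0 0.0.0.255",
        "deny ip any 10.10.7.0 0.0.0.255",
        "permit ip any 192.168.0.0 0.0.255.255",
        "permit ip any 10.10.0.0 0.0.255.255",
    ]),
]


def wildcard_to_network(addr, wildcard):
    """Convert a Cisco address/wildcard pair into an ip_network.

    In a wildcard mask 0 bits must match and 1 bits are don't-care; only
    contiguous wildcards (e.g. 0.0.0.255) map onto a prefix length, so
    anything else is rejected rather than silently misread.
    """
    wc = int(ipaddress.ip_address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    prefixlen = 32 - wc.bit_length()
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def parse_acl(lines):
    """Parse 'permit|deny ip any <dst>' lines into (action, network) tuples."""
    entries = []
    for line in lines:
        line = line.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        action, _proto, _src, *dst = line.split()
        if dst[0] == "host":
            network = ipaddress.ip_network(f"{dst[1]}/32")
        elif dst[0] == "any":
            network = ipaddress.ip_network("0.0.0.0/0")
        else:
            network = wildcard_to_network(dst[0], dst[1])
        entries.append((action, network))
    return entries


def select_policy(member_values):
    """Pick the most specific dynamic policy the user's fsuVPNMember values grant."""
    for name, acl_lines in DYNAMIC_ACLS:
        if name == "ITS" or name in member_values:
            return name, parse_acl(acl_lines)
    raise AssertionError("unreachable: the ITS fallback always matches")


def is_permitted(acl, dst_ip):
    """First matching entry decides; no match means the implicit deny applies."""
    ip = ipaddress.ip_address(dst_ip)
    for action, network in acl:
        if ip in network:
            return action == "permit"
    return False


def check_access(member_values, dst_ip):
    """Return (policy name, permitted?) for a user with these attribute values."""
    name, acl = select_policy(set(member_values))
    return name, is_permitted(acl, dst_ip)


if __name__ == "__main__":
    for members, dst in [({"ITS-sec", "ITS-ios"}, "192.168.6.6"),
                         ({"ITS-ios"}, "192.168.6.6"),
                         ({"ITS-ios"}, "192.168.6.10"),
                         (set(), "192.168.6.10"),
                         (set(), "192.168.50.1")]:
        print(sorted(members) or "ITS only", dst, check_access(members, dst))
```

Two things the model makes visible that the prose leaves implicit: a user holding only ITS-sec is confined to the two confidential hosts, because everything else falls through to the implicit deny; and an ITS-ios user is explicitly denied those hosts before the subnet permit is reached, which is why the deny lines must precede the permit lines.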


On Fri, Feb 5, 2010 at 9:49 AM, schilling <schilling2006 () gmail com> wrote:
Hi All,

There was once a white paper called Cisco ASA LDAP Integration Use Cases
on 6200networks.com (now a different site, either hijacked or
registered by somebody else) run by Cisco employee Joe Harris. There
are use cases about group mapping. I still had a hard copy of the
white paper, but could not find an e-copy. If someone had it, please
share it with the group.

Shiling Ding
Information Technology Services
Florida State University

On Fri, Feb 5, 2010 at 9:19 AM, Di Fabio, Andrea <adifabio () nsu edu> wrote:
I received a lot of requests to share our Dynamic Split tunnel
configuration, so I am just going to post it to the group.
I remember doing this 3 or 4 years ago, and looking back at the ASA
configuration, there is nothing special in the actual ASA configuration,
besides multiple VPN Group Policies.

So let's say you create 2 group policies:

VPN_Faculty
VPN_Staff

As you know each one can have its own DHCP pool, split tunnel (called
network list), ACL, etc.

What you want to do is to create Radius mappings for users. We did this
based on AD groups, and assigned the following Radius attribute for each
Radius policy:

For users matching faculty groups in AD/Radius

Attribute Name: Class
Attribute Number: 25
Attribute Format: OctetString
Value: OU=VPN_Faculty;

For users Matching Staff groups in AD/Radius

Attribute Name: Class
Attribute Number: 25
Attribute Format: OctetString
Value: OU=VPN_Staff;

Etc.

Note that the value must match the VPN group policy and the string is case
sensitive and it REQUIRES the SEMICOLON at the end or it won't work.

I did a quick Google search and I found the following document:
http://crazyvlan.blogspot.com/2008/02/vpn-and-radius-with-cisco-asa-and.html
which seems to explain it better than what I may have done.

I hope this helps.

Andrea Di Fabio
Information Security Officer
High Performance Computing Technology Coordinator
Norfolk State University
Office of Information Technology
Marie V. McDemmond Center for Applied Research, Rm 401F
555 Park Avenue, Suite 401
Norfolk, Virginia 23504
757-823-2896 Office
757-823-2128 Fax
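As an added illustration (not part of Andrea's message and not a Cisco tool), the following Python checks RADIUS Class attribute values against the rules the message states: the value has the form `OU=<group policy>;`, the group-policy name must match exactly and is case sensitive, and the trailing semicolon is mandatory. The group-policy names are the two from the message; the function names and the sample RADIUS policy names are constructed for this example, and the ASA's own parsing of the attribute is not modelled beyond those stated rules.

```python
# Constructed example: the group policies defined on the VPN head-end.
GROUP_POLICIES = {"VPN_Faculty", "VPN_Staff"}


def group_policy_from_class(value, group_policies=GROUP_POLICIES):
    """Map a RADIUS Class (attribute 25) value to a group-policy name.

    Applies the rules stated in the message: the value has the form
    'OU=<group policy>;', the name is case sensitive and must match a
    configured group policy exactly, and the trailing semicolon is required.
    Returns (policy_name, None) on success or (None, reason) so an admin can
    see which rule a RADIUS policy's attribute value breaks.
    """
    if not value.startswith("OU="):
        return None, "value must start with 'OU='"
    if not value.endswith(";"):
        return None, "missing trailing semicolon"
    name = value[len("OU="):-1]
    if name in group_policies:
        return name, None
    for policy in group_policies:
        if policy.lower() == name.lower():
            return None, f"case mismatch: {name!r} vs configured {policy!r}"
    return None, f"no group policy named {name!r}"


def audit_radius_policies(policies):
    """Check every RADIUS policy's Class value; return the list of problems."""
    problems = []
    for radius_policy, class_value in policies.items():
        group, reason = group_policy_from_class(class_value)
        if group is None:
            problems.append((radius_policy, class_value, reason))
    return problems


if __name__ == "__main__":
    # Constructed RADIUS policies: one correct, three with the common mistakes.
    sample = {
        "Faculty-AD-group": "OU=VPN_Faculty;",
        "Staff-AD-group": "OU=VPN_Staff",        # semicolon dropped
        "Adjunct-AD-group": "OU=vpn_faculty;",   # wrong case
        "Alumni-AD-group": "OU=VPN_Alumni;",     # no such group policy
    }
    for problem in audit_radius_policies(sample):
        print(*problem)
```

Running the audit over an export of the RADIUS policies catches the silent failure the message warns about: a user whose Class value breaks one of these rules does not land in the intended group policy, so the mismatch is found at review time rather than when a connection gets the wrong split-tunnel list or ACL.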


