Educause Security Discussion mailing list archives
Re: How to Protect Campus Sensitive Servers - Solution
From: schilling <schilling2006 () GMAIL COM>
Date: Fri, 5 Feb 2010 13:28:14 -0500
Ok, here is the proposal I just finished without too much fine reading. Please comment. A good reference about dynamic access policy is at http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml

ITS VPN Group Proposal

Background

More and more people/groups within FSU Information Technology Services (ITS) are asking for a separate VPN group while ITS is coming together as one organization. We understand that each group might have valid concerns about limiting their resource exposure. At the same time, a lot of people are confused about which VPN group to use for what purpose. Is there a better way to do the VPN within ITS at least?

Proposed Solution

Defense in depth is the way to go. VPN should not and will not be the panacea for security. We would like to propose a single ITS VPN group for all ITS employees, with layers of access control in place.

Layers of Access Control

1. Who can use the ITS VPN group? Only an active ITS employee can use this group.

2. What network can tunnel through the VPN for the ITS VPN group? This will start with the complete FSU network.

3. What network can you access after a FSUID is authenticated by the VPN server? Dynamic access policy on our VPN server can decide which network a FSUID can access according to the FSUID's fsuVPNMember value[s]. For example, we would like to have ITS-sec, ITS-ios, ITS-tss as possible fsuVPNMember values for ITS employees. The VPN server will check the fsuVPNMember values when an ITS employee logs in.

   If the VPN server sees ITS-sec (most specific), then a dynamic ACL like the following will be applied to the user session:

       permit ip any host 192.168.6.6    ! example confidential server1
       permit ip any host 10.10.7.7      ! example confidential server2

   Else, if the VPN server sees ITS-ios (less specific), then another dynamic ACL like the following will be applied to the user session:

       deny ip any host 192.168.6.6
       deny ip any host 10.10.7.7
       permit ip any 192.168.6.0 0.0.0.255
       permit ip any 10.10.7.0 0.0.0.255

   Else, if the VPN server sees that you are just an ITS employee (most general, without any fsuVPNMember value related to ITS), then a dynamic ACL as follows will be applied to the user session:

       deny ip any 192.168.6.0 0.0.0.255
       deny ip any 10.10.7.0 0.0.0.255
       permit ip any 192.168.0.0 0.0.255.255
       permit ip any 10.10.0.0 0.0.255.255

   So basically, the VPN server dynamic access policies will collectively limit which network-layer IP addresses a specific FSUID can access.

4. Which transport layer of certain IP[s] can you access? This is controlled by either VLAN ACL or host-based firewall or both.

5. Can a specific user log in to the host? This is controlled by host-based authentication.

6. Can a specific user access certain files/directories? This is controlled by host-based authorization.

What needs to be done?

Each ITS function subgroup justifies being different from others within ITS in terms of confidentiality/trust, and designates one or two subgroup managers. Each ITS-subgroup manager comes up with the list of special IPs they want to limit and the FSUIDs who should have access to this ITS-subgroup. Core will create a single ITS VPN group and the corresponding ITS-subgroup dynamic access policies. Core will open the VLAN ACL in loose or strict mode from the ITS VPN address pool to the corresponding IPs for each ITS-subgroup. The host administrator can do strict mode from the ITS VPN address pool to the host on the host-based firewall. The host administrator will also take care of authentication and authorization on the host.

What might be of concern?

Will our VPN server be able to handle a lot of dynamic ACLs and policies? How to justify the need for a separate ITS-subgroup? Use security clearance level? Can we delegate granting the ITS-subgroup fsuVPNMember attribute/value to ITS-subgroup manager[s]?

On Fri, Feb 5, 2010 at 9:49 AM, schilling <schilling2006 () gmail com> wrote:
Hi All,

There was once a white paper called Cisco ASA LDAP Integration Use Cases on 6200networks.com (the domain now hosts a different site, either hijacked or registered by somebody else), run by Cisco employee Joe Harris. There are use cases about group mapping. I still have a hard copy of the white paper, but could not find an e-copy. If someone has it, please share with the group.

Shiling Ding
Information Technology Services
Florida State University

On Fri, Feb 5, 2010 at 9:19 AM, Di Fabio, Andrea <adifabio () nsu edu> wrote:

I received a lot of requests to share our Dynamic Split tunnel configuration, so I am just going to post it to the group. I remember doing this 3 or 4 years ago, and looking back at the ASA configuration, there is nothing special in the actual ASA configuration, besides multiple VPN Group Policies.

So let's say you create 2 group policies:

    VPN_Faculty
    VPN_Staff

As you know, each one can have its own DHCP pool, split tunnel (called network list), ACL, etc. What you want to do is to create Radius mappings for users. We did this based on AD groups, and assigned the following Radius Attribute for each Radius Policy:

For users matching faculty groups in AD/Radius:

    Attribute Name:   Class
    Attribute Number: 25
    Attribute Format: OctetString
    Value:            OU=VPN_Faculty;

For users matching staff groups in AD/Radius:

    Attribute Name:   Class
    Attribute Number: 25
    Attribute Format: OctetString
    Value:            OU=VPN_Staff;

Etc. Note that the value must match the VPN group policy, the string is case sensitive, and it REQUIRES the SEMICOLON at the end or it won't work.

I did a quick Google search and I found the following document: http://crazyvlan.blogspot.com/2008/02/vpn-and-radius-with-cisco-asa-and.html which seems to explain it better than what I may have done.

I hope this helps.

Andrea Di Fabio
Information Security Officer
High Performance Computing Technology Coordinator
Norfolk State University
Office of Information Technology
Marie V. McDemmond Center for Applied Research, Rm 401F
555 Park Avenue, Suite 401
Norfolk, Virginia 23504
757-823-2896 Office
757-823-2128 Fax
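The tiered selection in the proposal above, as an added example that is not part of the thread and not ASA configuration: a stand-alone Python model that parses the three dynamic ACLs exactly as posted, picks the most specific tier from a user's fsuVPNMember values the way the proposal's if/else describes, and evaluates a destination address with Cisco first-match and implicit-deny semantics. The tier labels, addresses and wildcard masks are the thread's own; the function names and the "no ITS value" fallback keyed by None are assumptions made for this example.

```python
import ipaddress

# Constructed model (not ASA code): the three tiers from the proposal, ordered
# most specific first, keyed by the fsuVPNMember value that selects them.
# None marks the fallback for an ITS employee with no ITS-related value.
TIERS = [
    ("ITS-sec", [
        "permit ip any host 192.168.6.6",   # example confidential server1
        "permit ip any host 10.10.7.7",     # example confidential server2
    ]),
    ("ITS-ios", [
        "deny ip any host 192.168.6.6",
        "deny ip any host 10.10.7.7",
        "permit ip any 192.168.6.0 0.0.0.255",
        "permit ip any 10.10.7.0 0.0.0.255",
    ]),
    (None, [
        "deny ip any 192.168.6.0 0.0.0.255",
        "deny ip any 10.10.7.0 0.0.0.255",
        "permit ip any 192.168.0.0 0.0.255.255",
        "permit ip any 10.10.0.0 0.0.255.255",
    ]),
]


def wildcard_to_network(addr, wildcard):
    """Convert a Cisco 'address wildcard' pair to an ip_network.

    A wildcard mask is the bitwise inverse of a subnet mask; only contiguous
    masks are accepted, which covers every mask used in the proposal.
    """
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    prefix = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_target(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_ace(line):
    """'permit ip SRC DST' -> (action, protocol, src_network, dst_network).

    The protocol is carried but not matched: the proposal's layer 3 ACLs are
    all 'ip', and ports are left to the VLAN ACL / host firewall layer.
    """
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, rest = parse_target(tokens[2:])
    dst, _ = parse_target(rest)
    return action, proto, src, dst


def evaluate_acl(acl, dst_ip, src_ip="0.0.0.0"):
    """First-match evaluation with the implicit deny at the end of a Cisco ACL."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl:
        action, _proto, src_net, dst_net = parse_ace(line)
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False


def select_tier(fsu_vpn_members):
    """Pick the most specific tier whose selector is among the user's values."""
    for label, acl in TIERS:
        if label is None or label in fsu_vpn_members:
            return label, acl


def session_allows(fsu_vpn_members, dst_ip):
    """Would the dynamic ACL applied to this user's session permit dst_ip?"""
    _label, acl = select_tier(fsu_vpn_members)
    return evaluate_acl(acl, dst_ip)


if __name__ == "__main__":
    for members in ({"ITS-sec", "ITS-ios"}, {"ITS-ios"}, set()):
        label, _ = select_tier(members)
        for target in ("192.168.6.6", "192.168.6.10", "192.168.1.1"):
            verdict = "permit" if session_allows(members, target) else "deny"
            print(f"{label or 'ITS (general)':14} -> {target:13} {verdict}")
```

Running the model shows the check worth making before the policies go live: because a Cisco ACL ends in an implicit deny, the ITS-sec ACL as written reaches only the two confidential hosts and drops the rest of 192.168.6.0/24 and 10.10.7.0/24, even for a user who also holds ITS-ios. Whether such a user gets only the most specific ACL or several depends on how the DAP records are built on the ASA; the model follows the strict if/else in the proposal.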