
Page 1: Security Challenges in R&D Environments

Jaromir Likavec, Senior Network Engineer
CWNE #127, CCIE Wireless #45051
Fraunhofer Institute for Computer Graphics Research IGD

Tel +49 6151 155 – 314
[email protected]
www.igd.fraunhofer.de

#WLPC_EU Lisbon Portugal 2017
© Fraunhofer IGD

Page 2: Agenda

• Fraunhofer IGD

• Characteristics of R&D Environments

• Unification of Network Access

• Use Case Security Requirements

• Certificate Deployment

• WLAN and Remote Access at Fraunhofer IGD

• Device Profiling

• Posture Assessment

• Network Monitoring/Network Troubleshooting

• Summary

Page 3: Fraunhofer IGD Darmstadt

• Spatial Information Management

• 3D Printing Technology

• Information Visualization and Visual Analytics

• Virtual and Augmented Reality

• Smart Living & Biometric Technologies

• Visual Healthcare Technologies

• Visual Computing System Technologies

• Cultural Heritage Digitization

• Interactive Engineering Technologies

[Embedded videos on the slide: Data Visualization; HoloLens]

Page 4: Characteristics of R&D Environments

R&D environments are characterized by:

• High security requirements

• Heterogeneous mobile equipment

• A mixture of private and corporate equipment

• Need for BYOD

• Need for remote access

• A constant need for deployment of new use cases

• Need for network monitoring

• A structured approach to troubleshooting

• Cutting-edge technology

Page 5: Unification of Network Access

• Motivation:

• Different access mechanisms for LAN, WLAN and VPN

• Consolidate WLAN and VPN access

• Separate network access for private and corporate devices

• Private evil, corporate good

• Develop a unified access concept for end devices

• Deploy device/user-based authentication and authorization

Page 6: Use Case Security Requirements

• Two-factor authentication (certificate + username/password)

• Prevent sharing of a certificate by multiple users

• Check that the user exists in AD before allowing VPN

• Use AD group membership as the criterion for allowing SSL VPN

• Check whether the PC is joined to the AD domain

• Verify that the device certificate is on the correct device

Permissions by user and mobile device:

Trusted User + Trusted Device → Full Access
Trusted User + Untrusted Device → Limited Access
Untrusted User + Trusted Device → Limited Access
Untrusted User + Untrusted Device → No Access

Page 7: Generate Computer Certificate

Page 8: Use of Certificates

• Domain computers – automatic distribution and automatic renewal

• Mobile devices – manual generation and web download

• Apple Mac and Linux computers – manual generation and web download

• HQ CC-LAN – use of mail certificates

• Cisco IP phones – MIC certificates

What is checked:

• Certificate validity

• Certificate Revocation List (CRL)

• Device entry in MS AD

• User/password in MS AD

• MAC address in DNS/DHCP (for HQ)
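The checks listed on this slide, combined with the user/device matrix from the use case slide (page 6), amount to a small authorization policy. The Python below is an added example written for this page, not code or configuration from the presenter or from Fraunhofer IGD. It models the certificate checks (validity window, CRL, issuer, device entry in AD, certificate bound to the presenting device) and the user checks (account and password in AD, SSL VPN group membership) against constructed in-memory data; the directory, CA name, host names, users and certificate serials are all made up for the example, and a real deployment would perform these lookups against AD and the CA's CRL rather than a Python dict.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum

class Access(Enum):
    FULL = "Full Access"
    LIMITED = "Limited Access"
    NONE = "No Access"

@dataclass(frozen=True)
class DeviceCert:
    serial: str
    subject_cn: str        # host name the certificate was issued to
    issuer: str
    not_before: datetime
    not_after: datetime

@dataclass
class Directory:
    """Constructed in-memory stand-in for the MS AD lookups named on the slide."""
    computers: set          # computer accounts joined to the domain
    user_pw_sha256: dict    # username -> SHA-256 hex of the password (toy data)
    sslvpn_group: set       # members of the AD group that may use SSL VPN

def _sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()

def device_trusted(cert, presenting_host, crl_serials, directory, trusted_issuer, now):
    """Device factor: validity window, CRL, issuer, device entry in AD, and that the
    certificate was issued to the host presenting it (blocks certificate sharing)."""
    if not (cert.not_before <= now <= cert.not_after):
        return False, "certificate outside validity period"
    if cert.serial in crl_serials:
        return False, "certificate revoked (CRL)"
    if cert.issuer != trusted_issuer:
        return False, "certificate not issued by the corporate CA"
    if cert.subject_cn not in directory.computers:
        return False, "no device entry in AD"
    if cert.subject_cn != presenting_host:
        return False, "certificate not issued to the presenting device"
    return True, "device trusted"

def user_trusted(username, password, directory, sslvpn=False):
    """User factor: account must exist in AD with a valid password; SSL VPN
    additionally requires membership of the VPN group."""
    stored = directory.user_pw_sha256.get(username)
    if stored is None:
        return False, "user not found in AD"
    if not hmac.compare_digest(stored, _sha256(password)):
        return False, "wrong password"
    if sslvpn and username not in directory.sslvpn_group:
        return False, "user not in SSL VPN group"
    return True, "user trusted"

def decide_access(device_ok, user_ok):
    """The four-cell matrix from the use case slide."""
    if device_ok and user_ok:
        return Access.FULL
    if device_ok or user_ok:
        return Access.LIMITED
    return Access.NONE

def authorize(cert, host, username, password, *, crl, directory, issuer, now, sslvpn=False):
    """Evaluate both factors; the reasons are what belongs in the RADIUS/VPN log."""
    d_ok, d_reason = device_trusted(cert, host, crl, directory, issuer, now)
    u_ok, u_reason = user_trusted(username, password, directory, sslvpn)
    return decide_access(d_ok, u_ok), d_reason, u_reason

# --- constructed sample data (not from the presentation) ---
UTC = timezone.utc
NOW = datetime(2017, 10, 1, tzinfo=UTC)
ISSUER = "CN=Example-Corp-Device-CA"
VALID_FROM, VALID_TO = datetime(2017, 1, 1, tzinfo=UTC), datetime(2018, 1, 1, tzinfo=UTC)
DIRECTORY = Directory(
    computers={"lab-pc-01", "lab-pc-02"},
    user_pw_sha256={"alice": _sha256("correct horse"), "bob": _sha256("battery staple")},
    sslvpn_group={"alice"},
)
CRL = {"0x0003"}   # serials revoked by the CA
CERT_OK = DeviceCert("0x0001", "lab-pc-01", ISSUER, VALID_FROM, VALID_TO)
CERT_REVOKED = DeviceCert("0x0003", "lab-pc-02", ISSUER, VALID_FROM, VALID_TO)

SCENARIOS = {   # name: (cert, presenting host, user, password, SSL VPN?)
    "corp_pc_domain_user": (CERT_OK, "lab-pc-01", "alice", "correct horse", False),
    "copied_cert_private_laptop": (CERT_OK, "alice-private", "alice", "correct horse", False),
    "guest_on_corp_pc": (CERT_OK, "lab-pc-01", "guest", "guest", False),
    "revoked_cert_vpn": (CERT_REVOKED, "lab-pc-02", "bob", "battery staple", True),
}

def run_scenario(name):
    cert, host, user, pw, vpn = SCENARIOS[name]
    return authorize(cert, host, user, pw, crl=CRL, directory=DIRECTORY,
                     issuer=ISSUER, now=NOW, sslvpn=vpn)

if __name__ == "__main__":
    for name in SCENARIOS:
        level, d, u = run_scenario(name)
        print(f"{name:27s} {level.value:15s} ({d}; {u})")
```

The second scenario is the one the slide's "verify device certificate is on the correct device" requirement is about: a valid corporate certificate copied to a private laptop still fails the device factor, so the domain user ends up with limited access rather than full access. Returning a reason string alongside the decision is deliberate; it is the difference between a quick fix and an afternoon of debugging when a user reports a failed logon.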

Page 9: New Network Access at Fraunhofer IGD

[Diagram: LAN, Wireless, Remote Access]

Page 10: WLAN and Remote Access at Fraunhofer IGD

[Diagram: Cisco AnyConnect Mobility]

Page 11: Remote Access

Page 12: Device Profiling

• Dynamic classification of every device that connects to the network, using the network infrastructure

• Probes used for collecting device attributes: RADIUS, DHCP, HTTP, NetFlow, NMAP, SNMP, LLDP/CDP

[Diagram: Device Identity Groups → Apply Policies: Printer VLAN, Voice VLAN, Video VLAN, Dyn. VLAN]
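To show how attributes from the probes named on this slide turn into an identity group and a VLAN policy, here is an added example in Python; it is not the presenter's profiler policy and not a Cisco ISE configuration. The weighted-evidence scheme (each matching attribute adds a certainty value, and a device stays Unknown until a group clears a threshold) is modelled loosely on how commercial profilers work, but every attribute name, match string, weight, VLAN name and sample device below is constructed for this example.

```python
from collections import defaultdict

# Profiling rules: identity group -> (probe, attribute, substring, certainty weight).
# Probes are the ones named on the slide; attributes, substrings and weights are
# constructed for this example, not taken from any real profiler policy.
RULES = {
    "Printer": [
        ("DHCP", "vendor_class", "jetdirect", 30),
        ("SNMP", "sysDescr", "laserjet", 40),
        ("NMAP", "open_ports", "9100", 30),
    ],
    "IP-Phone": [
        ("LLDP/CDP", "capabilities", "telephone", 40),
        ("DHCP", "vendor_class", "ip phone", 40),
        ("RADIUS", "calling_station_id", "00:1b:d4", 20),   # constructed OUI prefix
    ],
    "Video-Endpoint": [
        ("LLDP/CDP", "system_description", "telepresence", 50),
        ("HTTP", "user_agent", "telepresence", 30),
        ("NMAP", "open_ports", "5060", 20),
    ],
}
MIN_CERTAINTY = 50   # below this the device stays in the Unknown group

# Identity group -> VLAN, mirroring the policy boxes on the slide. Sending Unknown
# devices to the dynamically assigned VLAN is an assumption made for this example.
VLAN_POLICY = {
    "Printer": "PrinterVlan",
    "IP-Phone": "VoiceVlan",
    "Video-Endpoint": "VideoVlan",
    "Unknown": "Dyn.Vlan",
}

def score(attributes):
    """Sum the certainty of every rule whose substring appears in the value the
    probe collected. `attributes` maps (probe, attribute) -> collected value."""
    totals = defaultdict(int)
    for group, rules in RULES.items():
        for probe, attr, needle, weight in rules:
            value = attributes.get((probe, attr))
            if value is not None and needle in str(value).lower():
                totals[group] += weight
    return dict(totals)

def classify(attributes):
    """Pick the best-scoring identity group; weak or ambiguous evidence stays Unknown."""
    totals = score(attributes)
    if not totals:
        return "Unknown", 0
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    group, certainty = ranked[0]
    if certainty < MIN_CERTAINTY:
        return "Unknown", certainty
    if len(ranked) > 1 and ranked[1][1] == certainty:
        return "Unknown", certainty      # two groups tie: do not guess
    return group, certainty

def assign_vlan(attributes):
    group, _ = classify(attributes)
    return group, VLAN_POLICY[group]

# Constructed probe data: three endpoints plus a device that only offered a MAC address.
SAMPLES = {
    "printer": {
        ("DHCP", "vendor_class"): "Hewlett-Packard JetDirect",
        ("SNMP", "sysDescr"): "HP LaserJet M605",
        ("NMAP", "open_ports"): [80, 443, 9100],
    },
    "phone": {
        ("LLDP/CDP", "capabilities"): "Bridge, Telephone",
        ("RADIUS", "calling_station_id"): "00:1b:d4:aa:bb:cc",
    },
    "video": {
        ("LLDP/CDP", "system_description"): "TelePresence SX20",
        ("NMAP", "open_ports"): [5060, 5061],
    },
    "mac_only": {
        ("RADIUS", "calling_station_id"): "00:1b:d4:11:22:33",   # an OUI alone is weak evidence
    },
}

if __name__ == "__main__":
    for name, attrs in SAMPLES.items():
        group, vlan = assign_vlan(attrs)
        print(f"{name:9s} -> {group:15s} {vlan}  scores={score(attrs)}")
```

The threshold and the tie rule are the security-relevant parts: a device that only presents a MAC address with a phone vendor's OUI scores 20 and stays Unknown, because MAC addresses and DHCP strings are trivially set by the endpoint itself. Attributes the infrastructure observes (LLDP/CDP neighbours, SNMP responses, NMAP results) deserve higher weights than attributes the endpoint merely claims, and a policy that drops a device into the voice VLAN on an OUI match alone would undo the separation the profiler is supposed to provide. The substring match on the port list is deliberately simple; a production rule would compare port numbers exactly.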

Page 13: Posture Assessment

• Compliance check of the OS

• Analysis of antivirus, antispyware, personal firewall …

• Quarantine and remediation services

Page 14: Monitoring / Troubleshooting

• Cisco ISE

• WLC

• Cisco PRIME

• ZABBIX

• SPLUNK

• XT Spectrum

• AirCheck G2

• Omnipeek/Wireshark

• Ekahau Site Survey

Page 15: Summary

• 802.1X is ready for productive use

• Device certificates are used to determine whether the device connected to the LAN, WLAN or VPN is a corporate device or a private device

• User credentials follow as a second step

• This solution for network access increases security and reduces operating costs

It’s not the Network

It’s (still) not the Network

Page 16: Questions

Thank You