© Fraunhofer IGD
Security Challenges in R&D Environments
Jaromir Likavec, Senior Network Engineer
CWNE #127, CCIE Wireless #45051
Fraunhofer Institute for Computer Graphics Research IGD
Tel +49 6151 155 – [email protected]
#WLPC_EU Lisbon Portugal 2017
Agenda
Characteristics of R&D Environments
Unification of Network Access
Use Case Security Requirements
Certificate Deployment
WLAN and Remote Access at Fraunhofer IGD
Device Profiling
Posture Assessment
Network Monitoring / Network Troubleshooting
Summary
Fraunhofer IGD Darmstadt
Spatial Information Management
3D Printing Technology
Information Visualization and Visual Analytics
Virtual and Augmented Reality
Smart Living & Biometric Technologies
Visual Healthcare Technologies
Visual Computing System Technologies
Cultural Heritage Digitization
Interactive Engineering Technologies
(Video: Data Visualization, HoloLens)
Characteristics of R&D Environments
R&D environments are characterized by:
• High security requirements
• Heterogeneous mobile equipment
• A mixture of private and corporate equipment
• Need for BYOD
• Need for remote access
• A constant need for deployment of new use cases
• Need for network monitoring
• A structured approach to troubleshooting
• Cutting-edge technology
Unification of Network Access
• Motivation:
  • Different access mechanisms for LAN, WLAN and VPN
  • Consolidate WLAN and VPN access
  • Separate network access for private and corporate devices
  • Private: evil; corporate: good
• Develop a unified access concept for end devices
• Deploy device- and user-based authentication and authorization
Use Case Security Requirements
Two-factor authentication (certificate + username/password)
Prevent sharing of a certificate by multiple users
Check that the user exists in AD before allowing VPN
Use AD group membership as the criterion for allowing SSL VPN
Check whether the PC is joined to the AD domain
Verify that the device certificate is on the correct device

Permissions (users vs. mobile devices):
Trusted user     Trusted device     Full access
Trusted user     Untrusted device   Limited access
Untrusted user   Trusted device     Limited access
Untrusted user   Untrusted device   No access
Generate Computer Certificate
Use of Certificates
• Domain computers – automatic distribution and automatic renewal
• Mobile devices – manual generation and web download
• Apple Mac and Linux computers – manual generation and web download
• HQ CC-LAN – use of mail certificates
• Cisco IP phones – MIC certificates
What is checked
• Certificate validity
• Certificate Revocation List (CRL)
• Device entry in MS AD
• User/password at MS AD
• MAC address in DNS/DHCP (for HQ)
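As an added illustration, not taken from the slides or from Fraunhofer IGD's actual ISE configuration, the device checks listed above and the user/device permission matrix from the use case slide combined into one small policy evaluator; the CRL serials, AD computer objects, user accounts and the SSL VPN group name are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data standing in for the CRL, the AD computer objects
# and the AD user accounts the slides refer to; not a real directory or CRL.
REVOKED_SERIALS = {"1F3A"}
AD_COMPUTERS = {"LAB-PC-07", "LAB-PC-12"}
AD_USERS = {"alice": {"domain-users", "sslvpn-allowed"}, "bob": {"domain-users"}}
SSLVPN_GROUP = "sslvpn-allowed"  # assumed group name for SSL VPN authorization


@dataclass
class DeviceCert:
    subject_cn: str   # computer name the certificate was issued to
    serial: str
    not_before: str   # ISO dates, e.g. "2017-01-01"
    not_after: str


def device_trusted(cert, host_name, today):
    """Device-side checks: validity period, CRL, AD computer object, and
    that the certificate is presented by the device it was issued to."""
    day = date.fromisoformat(today)
    valid_from = date.fromisoformat(cert.not_before)
    valid_to = date.fromisoformat(cert.not_after)
    if not (valid_from <= day <= valid_to):
        return False
    if cert.serial in REVOKED_SERIALS:
        return False
    if cert.subject_cn not in AD_COMPUTERS:
        return False
    return cert.subject_cn == host_name  # copied certificate on another host fails


def user_trusted(username, password_ok):
    """User-side checks: account exists in AD, password verified,
    AD group membership permits SSL VPN."""
    groups = AD_USERS.get(username)
    return groups is not None and password_ok and SSLVPN_GROUP in groups


def access_level(user_ok, device_ok):
    """Permission matrix from the slides: full, limited or no access."""
    if user_ok and device_ok:
        return "full"
    if user_ok or device_ok:
        return "limited"
    return "none"


def decide(cert, host_name, username, password_ok, today):
    """Two-factor decision: device certificate first, user credentials second."""
    return access_level(user_trusted(username, password_ok),
                        device_trusted(cert, host_name, today))
```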
New Network Access at Fraunhofer IGD
(Diagram: LAN, Remote Access, Wireless)
WLAN and Remote Access at Fraunhofer IGD
Cisco AnyConnect Mobility
Remote Access
Device Profiling
Dynamic classification of every device that connects to the network, using the existing infrastructure
Probes used for collecting device attributes: RADIUS, DHCP, HTTP, NetFlow, NMAP, SNMP, LLDP/CDP
Device identity groups are used to apply policies: Printer VLAN, Voice VLAN, Dynamic VLAN, Video VLAN
Posture Assessment
• OS compliance check
• Analysis of antivirus, antispyware, personal firewall, …
• Quarantine and remediation services
Monitoring / Troubleshooting
Monitoring:
Cisco ISE
WLC
Cisco Prime
Zabbix
Splunk
Troubleshooting:
XT Spectrum
AirCheck G2
Omnipeek / Wireshark
Ekahau Site Survey
Summary
802.1X is ready for productive use
Device certificates are used to determine whether a device connected to the LAN, WLAN or VPN is a corporate device or a private device
User credentials follow as a second step
This solution for network access increases security and reduces operating costs
It's not the Network
It's (still) not the Network
Questions?
Thank You