Minutes: SALSA NetAuth call
16-Feb-06

*Attendees*
Chris Misra, U. Massachusetts (chair)
Rich Cropp, Penn State U.
Charles Yun, Internet2
Eric Gauthier, Boston U.
Dustin Brown, U. Kansas
Robert Lowe, Lawrence U.
Steve Olshansky, Internet2
Katherine Strojny, Internet2 (scribe)

*Action Items*

New:

[AI] {Dustin} will send links for the RINGS website, including user manuals, theory of operations, and upcoming presentations.

[AI] {Chris} will send a notice about upcoming meetings that include NetAuth discussions.

[AI] Once content is more complete and the wiki is in a permanent location, {Chris and Kevin} will get a note out to some of the lists announcing the wiki.

Updated:

[AI] {Group} is invited to take a look at the NetAuth wiki and add content, toward developing a repository of useful information and understanding the solution space better. In particular, Kevin is seeking input on isolation methods and Frequently Asked Questions.

Carry Over:

[AI] {Chris} will clean up the action item list.

[AI] {Individuals} are requested to send in case studies for potential use in NetAuth documents.

[AI] {Kevin} will email the list and see if anyone wants to join the case studies project.

[AI] The following individuals volunteered to write case studies, with a soft deadline of March 30:
- {Chris Misra}: Layer 2 & 3 isolation using NetReg and a homegrown switching system
- {John Moore}: Lockdown Networks and VLAN switching
- {Kevin Amorin}: PacketFence (ARP manipulation and VLANs)

[AI] People are sought who can draft case studies for Cisco Clean Access. If anyone knows of candidates, please contact Chris.

[AI] When the ResNet survey goes live, {Chris} will post a notice to the list in order to encourage participation.

[AI] {Group} will delegate liaisons for TNC and NAC.

[AI] {Kevin Amorin} will send information to the list about EAP (Extensible Authentication Protocol) activity currently underway in IETF.

[AI] {Individuals} who look into the IETF Distributed Security (distsec) mailing list are requested to provide feedback to the group on whether the activities are of interest to this group. To join the list, refer to the following link: https://www.machshav.com/mailman/listinfo.cgi/distsec

[AI] {Chris} and {SteveO} will send a note to the WG via the list soliciting suggestions for the future direction of the WG.

[AI] {Chris} will put together a few slides describing intersection points between SALSA NetAuth and SALSA NetAuth-FWNA.

[AI] {Chris} will send the list of vendor questions developed by the WG during this call to the group via the list. This will move forward in collaboration with the effective practice group at EDUCAUSE.

[AI] {Chris} will arrange vendor discussions for a subsequent call.

[AI] {Chris} will post messages to the NetAuth and FWNA lists soliciting volunteers to develop an outline of issues for NetAuth in a federated environment.

[AI] {Chris} will solicit from the WG contributions about NetAuth vendor solutions currently being used.

*Discussion*

Intellectual Property Reminder: The Internet2 intellectual property policy can be found here:
http://members.internet2.edu/intellectualproperty.html

The call included an overview of RINGS given by Dustin Brown, an update on the NetAuth wiki, a discussion of upcoming events, and a discussion of network registration for automated devices (e.g., Xbox). Minutes of the previous conference call were provisionally approved.

Case studies are progressing toward the March 30 soft deadline. Someone has been identified to do a Bradford case study. Chris invited anyone interested in submitting case studies to contact him.

Dustin Brown gave an overview of and fielded questions on RINGS, an open source network authorization solution developed at the University of Kansas. They had been using ANSR DHCP to perform device registration, with LDAP as the DHCP data source and the central information repository for devices. After ruling out some existing solutions because of cost or architecture, Dustin and his group at U. Kansas developed RINGS based on the ANSR concept.

In RINGS, the user logs in, gets an information page, and downloads a small client program that performs a basic security check: antivirus installation, a virus scan, and Windows configuration and critical patch updates. The user is then given a pass code and returned to a website, where they take a short quiz on the responsible use agreement.

RINGS has been available on SourceForge.net for a couple of months. U. Kansas currently deploys RINGS in its ResNet (4300 students) and plans to roll it out to campus wireless and eventually to wired connections. Dustin is presenting RINGS at upcoming conferences, including EDUCAUSE regionals, Security Professionals, and ACUTA.

What architecture does RINGS use for the backend? For the client? The RINGS web registration architecture is Java/JSP/Struts pulling from a MySQL database. Linux and Mac have Java clients, and the Windows client is currently written in C#, so a Windows system needs either the .NET Framework (for the C# client) or a Java runtime environment (for the Java client).

Are you doing isolation and if so how? Isolation is currently IP-based: when a user misbehaves, the device is bumped back to a non-routable IP address range. In future, they hope to have the ANSR DHCP server talk to RINGS so that a device flagged as "bad" is forced to re-DHCP and is moved to a quarantine VLAN.

How pluggable is the Java component? Is it hard-wired into the code, or can it be configured so that RINGS is used for the registration component but not for post-validation? It is very pluggable. The existing steps can be replaced with a separate algorithm if needed. Some universities are interested in using the "Security Analyzer" (the client piece) and plugging it into their current solution.

How is detection of the target system done, for instance when determining which client to send? The target operating system is learned from the information the connecting system's browser presents. Each client then has its own detection process. DHCP fingerprinting is also used, not to determine the client version but to gather information about the system. Dustin is glad to act as a contact for any questions on DHCP fingerprinting.
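The following Python is an added illustration of what "DHCP fingerprinting" means in practice; it is not RINGS code (RINGS itself is Java/JSP/Struts with Java and C# clients) and is not from the call. It parses the options field of a DHCPDISCOVER and keys on the Parameter Request List (option 55) and the vendor class identifier (option 60), which is how such tools gather information on a system independently of what its browser claims. The signature table, the sample packets and the helper names are constructed for this example; a real deployment would use a maintained fingerprint database. The same approach is what the later remark about DHCP fingerprinting for device verification (consoles and similar devices with no browser) refers to.

```python
"""DHCP fingerprinting illustration: classify a client from the options it sends.
Added example, not RINGS code. Signatures and packets below are constructed."""
import struct

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_PARAM_REQ_LIST, OPT_VENDOR_CLASS, OPT_END = 0, 53, 55, 60, 255
DHCPDISCOVER = 1
FIXED_HEADER_LEN = 236  # BOOTP fixed fields before the magic cookie (RFC 2131)

# Constructed signature table keyed by the option-55 Parameter Request List.
# Real deployments load a maintained fingerprint database; these rows are examples only.
SIGNATURES = {
    "1,15,3,6,44,46,47,31,33,121,249,43": "Windows XP family (example signature)",
    "1,3,6,15,119,95,252,44,46,47": "Mac OS X family (example signature)",
    "1,28,2,3,15,6,119,12,44,47,26,10,13": "Linux dhclient family (example signature)",
}


def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option code: raw value} for one BOOTP/DHCP message.

    Checks the magic cookie and rejects truncated TLVs: the packet comes from an
    unauthenticated client on the local segment, so it must not be trusted to be well formed.
    """
    cookie_end = FIXED_HEADER_LEN + 4
    if len(packet) < cookie_end or packet[FIXED_HEADER_LEN:cookie_end] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    opts = {}
    i = cookie_end
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value  # a repeated option code overwrites the earlier value
        i += 2 + length
    return opts


def fingerprint(opts: dict) -> str:
    """The classic DHCP fingerprint: option-55 codes in the order the client sent them."""
    return ",".join(str(b) for b in opts.get(OPT_PARAM_REQ_LIST, b""))


def classify(packet: bytes) -> tuple:
    """Return (os_guess, fingerprint, vendor_class) for one DHCP message.

    Both values are chosen by the client, so the result is a hint for gathering
    information about the system, not proof of what it is.
    """
    opts = parse_dhcp_options(packet)
    fp = fingerprint(opts)
    vendor_class = opts.get(OPT_VENDOR_CLASS, b"").decode("ascii", "replace")
    return SIGNATURES.get(fp, "unknown"), fp, vendor_class


def build_discover(mac: bytes, prl: bytes, vendor_class: bytes = b"", xid: int = 0x3903F326) -> bytes:
    """Construct a minimal DHCPDISCOVER; sample input for this example only."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,            # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,        # xid, secs, flags (broadcast bit set)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr, yiaddr, siaddr, giaddr
        mac, b"\0" * 64, b"\0" * 128,                # chaddr (zero padded to 16), sname, file
    )
    options = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER, OPT_PARAM_REQ_LIST, len(prl)]) + prl
    if vendor_class:
        options += bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class
    options += bytes([OPT_END])
    return header + DHCP_MAGIC_COOKIE + options


if __name__ == "__main__":
    # Constructed sample packets: one matching a signature, one unknown.
    samples = {
        "lab-pc": build_discover(b"\x00\x11\x22\x33\x44\x55",
                                 bytes([1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43]), b"MSFT 5.0"),
        "unknown-device": build_discover(b"\x00\x50\xf2\x00\x00\x01", bytes([1, 3, 6])),
    }
    for name, pkt in samples.items():
        print(name, classify(pkt))
```

In a registration system the fingerprint would be captured from the DHCP server or a packet tap at the time the device first requests an address, and stored alongside the MAC address and the browser-reported OS so that a device claiming to be one thing while requesting options like another can be flagged for closer inspection. Because the client controls every byte of the request, the fingerprint should feed a decision such as which scanner to offer or whether to ask the user more questions, never serve as the sole basis for granting access.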

[AI] {Dustin} will send links for RINGS website, including user manuals, theory of operations, and upcoming presentations.

Kevin reported that the wiki is now linked from the NetAuth website (top and bottom):
http://security.internet2.edu/netauth/
Content will move over to the Internet2 wiki once available. The wiki contains new content on commercial and open source NetAuth solutions. Kevin is seeking input on isolation methods, plus input on the FAQ: what questions have been asked at conferences in the past? Content is welcome; self-register or email Kevin or Chris with suggestions.

Once the wiki matures, how do we make this more public? [AI] Once content is more complete and the wiki is in a permanent location, {Chris and Kevin} will get a note out to some of the lists announcing that the wiki is available. The hope is that the wiki can act as a useful repository for NetAuth information that people can be pointed to when they have questions. Chris reported that 50 people attended the recent NERCOMP SIG at U. Mass., and a lot of the same questions were asked, reinforcing the need for the wiki.

Kevin is currently looking at agents and brought up the question of a standard integration of agents, or a standardized agent. Even if we can't standardize on one agent, the NetAuth group may be able to make contributions in the area of interoperability or by just discussing how the different agents communicate.

Upcoming meetings include the following:
- Security Professionals conference April 10-12, 2006 in Denver: http://www.educause.edu/sec06
- Spring 2006 Internet2 Member Meeting, April 24-26 in Arlington, VA: http://events.internet2.edu/2006/spring-mm

[AI] {Chris} will send a notice about upcoming meetings that include NetAuth discussions. He invited Dustin to send him information on upcoming RINGS presentations so that they can be posted.

Is anyone doing network authorization for devices that must be authorized without a user present? Yes, this is within scope. Examples include the Xbox, and Cisco is tackling the problem for IP phones. For Xboxes, some universities ask the owner for the MAC address and then register the device manually. DHCP fingerprinting may be an emerging approach to device verification.

The next conference call will take place Thursday, 2-Mar-2006. Agenda and bridge will be sent to the list in advance of the call.