Out of curiosity, who here has implemented an Identity / AuthN|Z / Audit framework in an incumbent network? In short, while the Windows environment has been under management by AD since Windows 2000, the UNIX and Linux environment has relied on local authentication and jump-servers (with the exception of a few kerberized web applications that run inside Linux servers and have SPNs hanging off the AD domain). I have spent significant political capital over the last four or more years trying to introduce centralized AuthN|Z for Linux and UNIX and finally got approval to pursue the product I have been recommending (though I am having to get people's time out-of-hide, and have no budget, just whatever I can beg or borrow).

The solution I am putting forward is Red Hat's Enterprise IdM (the productized version of FreeIPA 3), which uses LDAPS, Kerberos, DNS and NTP to provide IAAA (well, Identity, Authentication and Authorization -- Audit is coming) that is centrally managed, highly available, consistent and flexible. To support segregation of concerns based on sites and based on environments, I am pushing for multiple child-realms (IPA Domains) that communicate via a single parent realm that provides bi-directional transitive trusts between the other realms, which does not host any principals, and which implements policy to govern realm-to-realm interaction using the realm boundaries as trust boundaries. In the design, each realm would have at least two replication cells, and the apex realm would own the trust relationship with the Forest Root Domain in AD.

Because of organizational lines, this is extra challenging. While my team is part of IT Ops on the org chart (can I get one of the PowerPoint Rangers to actually draw that up? Everyone knows it, but I have not actually seen it), my team bridges between IT Ops and INFOSEC. As such, each side tries to claim we are from the other side, trying to jack up their role[1]. The INFOSEC side of the house has significant veto power, and the IT Ops side fears anything new that did not come from one of the IT Ops leads, and has to be wooed in order to not politically shank[2] technology introduction.

Although everyone says this is an important and powerful tool, and that it will make their job easier, there are so many attempts to inject "how we do things here" implementation details that will make the solution harder to manage and more brittle (such as the use of IP Anycast + Source NAT to load-balance LDAPS, instead of using the in-built DNS service location; or using a single NTP address that is IP Anycast from multiple authoritative time servers, guaranteeing that time will slosh back and forth, missing the fact that NTP has a built-in quorum counting mechanism and that Kerberos does not like it if time moves backwards; or putting the DIT in a clustered filesystem, rather than local copies in every IPA server and leveraging LDAP multi-master replication over TLS)[3], all in the name of making it more resilient, because availability, and loadbalancers and clusters and AVAILABILITY! and because reasons.

Does anyone have experience with implementing IAAA in a large incumbent network with heterogeneous Operating Systems and multiple OS versions? What have been your experiences? What has worked well? What has caused you grey hair or ulcers or eating crow in front of senior leadership?

--

1: Meanwhile I am actively working with and through my new chain of command to evolve our identity and better articulate how we support the mission, so we can better bridge the divide. The goal is to help IT Ops get to "yes" with security (who have a reputation of only knowing how to say "no") and at the same time being eyes-and-hands of security within IT and providing them an advocate who will guide IT to adopt strong protective practices.

2: I have had to stand before management and senior officers to explain myself because I dared to suggest we could do a better job more easily and scale more efficiently than linearly by implementing force-multiplier tools and practices that have been well understood and used in multiple industries for years.

3: Yes, each of these has been suggested at least once, all seriously, with no understanding of irony or second-order effects (the term electrical engineers use for unintended consequences).
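The post contrasts IP Anycast + Source NAT in front of LDAPS with the service location that Kerberos and LDAP clients already get from DNS SRV records (the lookup that sssd and krb5 perform when configured for DNS-based discovery). The example below is an added illustration, not code from the post, from Red Hat IdM or from FreeIPA: it implements the RFC 2782 client-side selection order (ascending priority, weighted draw within a priority) over a constructed set of SRV records, and shows how a client skips a dead replica and only crosses to a second site when every local replica is down. All hostnames, the realm zone `ipa.example.test` and the `probe` callback are hypothetical. The security-relevant point is that failover happens in the client, against a named replica whose TLS certificate can be verified by that name, rather than behind a NAT that hides which replica actually answered.

```python
import random
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    """One DNS SRV answer, e.g. for _ldap._tcp.ipa.example.test (RFC 2782 fields)."""
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample answer set (hypothetical names): two replicas at the local
# site share priority 0; a replica at a second site is a priority-10 fallback.
SAMPLE_SRV: List[SrvRecord] = [
    SrvRecord(priority=0, weight=100, port=636, target="ipa1.site-a.ipa.example.test."),
    SrvRecord(priority=0, weight=100, port=636, target="ipa2.site-a.ipa.example.test."),
    SrvRecord(priority=10, weight=100, port=636, target="ipa1.site-b.ipa.example.test."),
]


def order_srv(records: List[SrvRecord], rng: Optional[random.Random] = None) -> List[SrvRecord]:
    """Return records in RFC 2782 selection order.

    Lower priority values are tried first. Within one priority, records are
    drawn one at a time with probability proportional to weight, so equally
    weighted replicas share load without any network-side load balancer.
    """
    rng = rng or random.Random()
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            if total == 0:
                pick = rng.choice(group)  # all weights zero: uniform choice
            else:
                roll = rng.randint(0, total - 1)  # proportional weighted draw
                running = 0
                for r in group:
                    running += r.weight
                    if running > roll:
                        pick = r
                        break
            ordered.append(pick)
            group.remove(pick)
    return ordered


def first_reachable(records: List[SrvRecord],
                    probe: Callable[[str, int], bool],
                    rng: Optional[random.Random] = None) -> Optional[SrvRecord]:
    """Walk the ordered candidates and return the first one `probe` reports as up.

    `probe(target, port)` is supplied by the caller (hypothetical: in a real
    client it would be a TLS connect that verifies the certificate against
    `target`). Returns None when no replica at any priority answers.
    """
    for r in order_srv(records, rng):
        if probe(r.target, r.port):
            return r
    return None


if __name__ == "__main__":
    # Simulate the first local replica being down: the client lands on the
    # second local replica and never crosses sites.
    down = {"ipa1.site-a.ipa.example.test."}
    chosen = first_reachable(SAMPLE_SRV, lambda host, port: host not in down)
    print("selected:", chosen.target if chosen else None)
```

Running it prints `selected: ipa2.site-a.ipa.example.test.`; marking both site-a hosts down makes the site-b replica the answer, and marking all three down yields `None`, which is the condition a monitoring check would alert on instead of silently hairpinning through a NAT.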