dtk | IAAA | Nov 27 15:33 UTC 2014
Out of curiosity, who here has implemented an Identity / AuthN|Z / Audit
framework in an incumbent network?
In short, while the Windows environment has been under management by AD
since Windows 2000, the UNIX and Linux environment has relied on local
authentication and jump-servers (with the exception of a few kerberized
web applications that run inside Linux servers and have SPNs hanging
off the AD domain). I have spent significant political capital over the
last four or more years trying to introduce centralized AuthN|Z for
Linux and UNIX and finally got approval to pursue the product I have
been recommending (though I am having to get people's time out-of-hide,
and have no budget, just whatever I can beg or borrow).
The solution I am putting forward is Red Hat's Enterprise IdM (the
productized version of FreeIPA 3), which uses LDAPS, Kerberos, DNS and
NTP to provide IAAA (well, Identity, Authentication and Authorization
-- Audit is coming) that is centrally managed, highly available,
consistent and flexible. To support segregation of concerns based on
sites and based on environments, I am pushing for multiple child-realms
(IPA Domains) that communicate via a single parent realm that provides
bi-directional transitive trusts between the other realms, which does
not host any principals, and which implements policy to govern
realm-to-realm interaction using the realm boundaries as trust
boundaries. In the design, each realm would have at least two
replication cells, and the apex realm would own the trust relationship
with the Forest Root Domain in AD.
Because of organizational lines, this is extra challenging. While my
team is part of IT Ops on the org chart (can I get one of the Power
Point Rangers to actually draw that up? everyone knows it, but I have
not actually seen it), my team bridges between IT Ops and INFOSEC. As
such, each side tries to claim we are from the other side, trying to
jack up their role[1].
The INFOSEC side of the house has significant veto power, and the IT Ops
side fears anything new that did not come from one of the IT Ops leads,
and has to be wooed in order to not politically shank[2] technology
introduction.
Although everyone says this is an important and powerful tool, and that
it will make their job easier, there are so many attempts to inject
"how we do things here" implementation details that will make the
solution harder to manage and more brittle (such as the use of IP
Anycast + Source NAT to load-balance LDAPS, instead of using the
in-built DNS service location, or using a single NTP address that is IP
Anycast from multiple authoritative time servers, guaranteeing that time
will slosh back and forth, missing the fact that NTP has a built-in
quorum counting mechanism and that Kerberos does not like if time moves
backwards, or putting the DIT in a clustered filesystem, rather than
local copies in every IPA server and leveraging LDAP multi-master
replication over TLS)[3] all in the name of making it more resilient,
because availability, and load balancers and clusters and AVAILABILITY!
and because reasons.
Does anyone have experience with implementing IAAA in a large incumbent
network with heterogeneous Operating Systems and multiple OS versions?
What have been your experiences? What has worked well? What has caused
you grey hair or ulcers or eating crow in front of senior leadership?
--
1: Meanwhile I am actively working with and through my new chain of
command to evolve our identity and better articulate how we support the
mission, so we can better bridge the divide. The goal is to help IT Ops
get to "yes" with security (who have a reputation of only knowing how
to say "no") and at the same time being eyes-and-hands of security
within IT and providing them an advocate who will guide IT to adopt
strong protective practices.
2: I have had to stand before management and senior officers to explain
myself because I dared to suggest we could do a better job more easily
and scale more efficiently than linearly by implementing
force-multiplier tools and practices that have been well understood and
used in multiple industries for years.
3: Yes, each of these has been suggested at least once, all seriously,
with no understanding of irony or second-order effects (the term
electrical engineers use for unintended consequences).
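As an added illustration, not part of dtk's post, of the "in-built DNS service location" the post prefers over anycast + SNAT: the client-side SRV selection of RFC 2782 run over a constructed record set for a hypothetical realm EXAMPLE.TEST, showing how clients spread load across same-site replicas and fall back to a lower-priority site without any load balancer in the path. The hostnames, priorities and the `reachable` probe are assumptions for the example.

```python
import random
from collections import defaultdict

# Constructed SRV records for the hypothetical realm EXAMPLE.TEST, shaped like
# the _ldap._tcp and _kerberos._udp records an IPA-integrated DNS publishes.
# Tuple fields follow RFC 2782: (priority, weight, port, target).
CONSTRUCTED_SRV = {
    "_ldap._tcp.example.test": [
        (0, 100, 636, "ipa1.site-a.example.test"),
        (0, 100, 636, "ipa2.site-a.example.test"),
        (10, 100, 636, "ipa1.site-b.example.test"),   # other site: fallback only
    ],
    "_kerberos._udp.example.test": [
        (0, 100, 88, "ipa1.site-a.example.test"),
        (0, 100, 88, "ipa2.site-a.example.test"),
        (10, 100, 88, "ipa1.site-b.example.test"),
    ],
}

def order_srv(records, rng=random):
    """Return records in RFC 2782 selection order: ascending priority,
    weighted-random ordering among records that share a priority."""
    by_prio = defaultdict(list)
    for rec in records:
        by_prio[rec[0]].append(rec)
    ordered = []
    for prio in sorted(by_prio):
        pool = list(by_prio[prio])
        while pool:                      # repeatedly draw one weighted record
            total = sum(r[1] for r in pool)
            pick = rng.uniform(0, total) if total else 0
            acc = 0
            for r in pool:
                acc += r[1]
                if acc >= pick:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered

def choose_server(name, reachable, rng=random):
    """First reachable (host, port) in SRV order, or None if every replica
    is down.  `reachable` stands in for the client's own connection attempt,
    which is what makes a failed replica get skipped rather than NATed to."""
    for _, _, port, host in order_srv(CONSTRUCTED_SRV[name], rng):
        if reachable(host):
            return (host, port)
    return None
```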