Industry Standards for Secure Network Access

I am always amused when I hear negative comments about Cisco's "proprietary" enhancements. I am one of many (many, many, many) Cisco employees who actively participate in standards bodies, including the IETF. Many of today's networking standards started out as proprietary solutions that were available for years before the standard was finished.

As someone who is passionate not only about innovation in security but also about the standardization of those innovations, I thought I'd point out a few recent efforts that I have either been involved in or am simply very interested in.

Tunneled EAP (TEAP):

This May, the Tunneled EAP (TEAP) specification was formally published as RFC 7170. This RFC formally turns Cisco's EAP-FASTv2 innovation of EAP-Chaining into a standard that can be implemented on any 802.1X supplicant or authentication server. It is important to note that, as with all EAP communication in a Dot1X-enabled environment, the EAP type is completely transparent to the authenticator (switch | wireless | etc.). This means that using TEAP does not require a Cisco switch or wireless controller, just a supplicant and an authentication server that both support the protocol.

TEAP has some unique advantages over other EAP methods. It negotiates the TLS version; it can use any inner method supported by both the supplicant and the authentication server (EAP-MSChapV2, EAP-GTC, EAP-TLS); and it can chain the machine's credentials and the user's credentials together in a single EAP transaction.

This meets a tremendous industry demand: a standard way to authenticate and authorize both an authorized asset AND an authorized user, using a mixture of identity sources (certificates, username and password, one-time passwords, and other two-factor authentication mechanisms).

Examples:

  • Device authentication using a Certificate (EAP-TLS), showing the computer (laptop, desktop, tablet, phone, etc.) belongs to the company, PLUS a username/password authentication to Active Directory (EAP-MSChapV2).
  • Device authentication using the Active Directory account and password (EAP-MSChapV2), which validates that the machine is a domain member and is active, PLUS a username/password authentication to Active Directory (EAP-MSChapV2).

By using BOTH the machine and the user authentications in a single authorization, you can validate that it is an authorized user AND an authorized machine, not just one or the other.

Other Advantages of TEAP:

  1. TEAP uses TLS session resumption without maintaining server state (similar to EAP-FAST), which lets the server scale to handle a larger number of clients.
  2. Certificate provisioning inside the tunnel. This allows certificate renewal inside the TEAP tunnel, as well. It can be used as another way to provision the initial certificate for BYOD, provided an inner method (such as username/password) performs the first authentication. TEAP essentially runs Enrollment over Secure Transport (EST) inside the TEAP channel.
  3. TEAP has EAP channel bindings that bind the context in which TEAP is used (wired, wireless, IKEv2, L3, etc.) into the TEAP exchange. << How valuable is this? Awesome!
  4. TEAP has an extensible Type-Length-Value (TLV) format that can carry data for other purposes inside the TEAP tunnel, such as PT-EAP (Posture Transport) for carrying posture-check data through the TEAP channel. << Theoretically a real method for transporting posture data within the EAP protocol (finally).
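To make the two points above concrete, namely chaining the machine and user credentials in one EAP transaction and the TLV container that carries everything inside the tunnel, here is a small Python model of the TEAP phase-2 TLV layer driving a mock EAP-Chaining identity exchange. It is an added example, not Cisco's or the RFC's code. The TLV header layout and the type numbers (Identity-Type = 2, NAK = 4, EAP-Payload = 9; Identity-Type values User = 1, Machine = 2) are taken from RFC 7170 section 4.2; the two identities and the inner EAP bytes are constructed. The exchange stops at the inner Identity request/response for each leg; a real server would then run the inner method and exchange Intermediate-Result and Crypto-Binding TLVs before moving to the next leg.

```python
"""
Minimal TEAP (RFC 7170) TLV encoder/decoder driving a mock EAP-Chaining
identity exchange: the server asks for the machine identity, then the user
identity, inside one tunnel. Added example, not Cisco's or the RFC's code.
Identities and the inner EAP bytes are constructed.
"""
import struct

# TLV type codes from RFC 7170 section 4.2
TLV_IDENTITY_TYPE = 2
TLV_NAK = 4
TLV_EAP_PAYLOAD = 9

IDENTITY_USER = 1      # Identity-Type TLV values, RFC 7170 section 4.2.2
IDENTITY_MACHINE = 2

EAP_REQUEST, EAP_RESPONSE = 1, 2   # EAP codes, RFC 3748
EAP_TYPE_IDENTITY = 1

# Constructed supplicant credentials for the two legs of the chain
CONSTRUCTED_IDENTITIES = {
    IDENTITY_MACHINE: b"host/laptop-01.corp.example",
    IDENTITY_USER: b"alice@corp.example",
}


def encode_tlv(tlv_type, value, mandatory=True):
    """TLV header: M bit, R bit (0), 14-bit type, 16-bit length; then value."""
    if not 0 <= tlv_type < (1 << 14):
        raise ValueError("TLV type must fit in 14 bits")
    return struct.pack("!HH", (int(mandatory) << 15) | tlv_type, len(value)) + value


def decode_tlvs(data):
    """Yield (mandatory, type, value) for each TLV in a phase-2 payload."""
    offset = 0
    while offset < len(data):
        if len(data) - offset < 4:
            raise ValueError("truncated TLV header")
        header, length = struct.unpack_from("!HH", data, offset)
        offset += 4
        if offset + length > len(data):
            raise ValueError("TLV length exceeds payload")
        yield bool(header >> 15), header & 0x3FFF, data[offset:offset + length]
        offset += length


def eap_identity(code, identifier, identity=b""):
    """EAP Identity Request/Response: Code, Identifier, Length, Type=1, data."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def identity_request(kind, eap_id):
    """Server -> peer: Identity-Type TLV naming the leg + inner EAP Identity Request."""
    return (encode_tlv(TLV_IDENTITY_TYPE, struct.pack("!H", kind))
            + encode_tlv(TLV_EAP_PAYLOAD, eap_identity(EAP_REQUEST, eap_id)))


def peer_answer(request, identities):
    """Peer side: answer the requested leg, or NAK an unsupported mandatory TLV."""
    kind = eap_id = None
    for mandatory, tlv_type, value in decode_tlvs(request):
        if tlv_type == TLV_IDENTITY_TYPE:
            kind = struct.unpack("!H", value)[0]
        elif tlv_type == TLV_EAP_PAYLOAD:
            eap_id = value[1]
        elif mandatory:
            # RFC 7170 section 4.2.4: unknown mandatory TLV -> NAK TLV (Vendor-Id 0, NAK-Type)
            return encode_tlv(TLV_NAK, struct.pack("!IH", 0, tlv_type))
        # unknown optional TLVs are simply skipped
    if kind is None or eap_id is None:
        raise ValueError("request lacks Identity-Type or EAP-Payload TLV")
    return (encode_tlv(TLV_IDENTITY_TYPE, struct.pack("!H", kind))
            + encode_tlv(TLV_EAP_PAYLOAD, eap_identity(EAP_RESPONSE, eap_id, identities[kind])))


def inner_identity(eap_packet):
    """Pull the identity string out of an inner EAP Identity Response."""
    code, _ident, length = struct.unpack_from("!BBH", eap_packet, 0)
    if code != EAP_RESPONSE or length != len(eap_packet) or eap_packet[4] != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP Identity Response")
    return eap_packet[5:]


def run_chaining_exchange(identities):
    """Server side of EAP-Chaining: machine leg first, then user leg, in one tunnel."""
    learned = []
    for eap_id, kind in enumerate((IDENTITY_MACHINE, IDENTITY_USER), start=1):
        response = peer_answer(identity_request(kind, eap_id), identities)
        tlvs = {t: v for _, t, v in decode_tlvs(response)}
        if TLV_NAK in tlvs:
            raise RuntimeError("peer NAKed the request")
        if struct.unpack("!H", tlvs[TLV_IDENTITY_TYPE])[0] != kind:
            raise RuntimeError("peer answered for the wrong identity type")
        learned.append((kind, inner_identity(tlvs[TLV_EAP_PAYLOAD])))
    return learned


if __name__ == "__main__":
    for kind, who in run_chaining_exchange(CONSTRUCTED_IDENTITIES):
        print("machine" if kind == IDENTITY_MACHINE else "user", who.decode())
```

The M bit is the part worth internalizing: a peer that does not understand a mandatory TLV must answer with a NAK TLV naming the offending type rather than silently continuing, while an unknown optional TLV (for example, a vendor extension it has not implemented) is skipped. That is what lets new payloads such as posture transport ride inside the same tunnel without breaking older supplicants.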

As with all standards, this one was written and contributed to by many individuals from many different companies, including but not limited to: Cisco, Juniper, Infineon and others. I'd like to call out the efforts of my friends and colleagues, people I look up to and admire: Nancy Cam-Winget, Joe Salowey, Hao Zhou and Steve Hanna.

The next steps are for the customers who want TEAP and EAP-Chaining to call their sales reps from Cisco, Microsoft, Apple, Google, Juniper (soon to be Pulse), etc. (pick your flavor of endpoint and authentication server). Tell your sales team(s) how much this functionality is needed and get it committed to their road maps.

Security Group Tags (SGT) and the SGT eXchange Protocol (SXP)

I've talked about this innovative technology on my blog in the past (see: Security Group Tagging Basics).

Earlier this year, Cisco submitted an informational draft on the SGT eXchange Protocol (SXP), opening the use of SGTs to non-Cisco network and security application vendors. Since then, they updated the submission with a new informational draft covering both the SGT eXchange Protocol (SXP) and the SGT Ethernet frame format.

http://www.ietf.org/id/draft-smith-kandula-sxp-01.txt

In the past, this was 100% Cisco-proprietary and required all-Cisco network infrastructure, security devices, and policy servers. These submissions let other vendors implement inline tagging and tag exchange with Cisco's products, either on the wire or through the peering protocol.
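What a third-party listener actually does with SXP is maintain a table of IP-to-SGT bindings learned from its speaker and classify traffic by source and destination tag. The Python below is an added example modelling that, not Cisco's code and not the draft's wire format: `apply_update` and `purge_all` stand in for the draft's UPDATE and PURGE_ALL semantics, and the prefixes, tag numbers, peer name and the policy matrix are all constructed.

```python
"""
Model of an SXP listener's IP-to-SGT binding table and an SGT-based
enforcement check. Added example; message handling is simplified and all
bindings, tag values and policy entries are constructed.
"""
import ipaddress

# Constructed tag numbers (SGTs are 16-bit; 0 means "unknown")
SGT_UNKNOWN = 0
SGT_EMPLOYEE = 10
SGT_CONTRACTOR = 20
SGT_HR_SERVER = 30


class BindingTable:
    """Prefix -> SGT map, kept per speaker so one peer's bindings can be purged."""

    def __init__(self):
        self._by_peer = {}

    def apply_update(self, peer, adds=(), deletes=()):
        """Process one UPDATE from a speaker: delete prefixes, then add (prefix, sgt) pairs."""
        table = self._by_peer.setdefault(peer, {})
        for prefix in deletes:
            table.pop(ipaddress.ip_network(prefix, strict=True), None)
        for prefix, sgt in adds:
            if not 0 <= sgt <= 0xFFFF:
                raise ValueError(f"SGT {sgt} does not fit in 16 bits")
            table[ipaddress.ip_network(prefix, strict=True)] = sgt

    def purge_all(self, peer):
        """PURGE_ALL semantics: drop every binding learned from this speaker."""
        self._by_peer.pop(peer, None)

    def lookup(self, ip):
        """Longest-prefix match across all peers; unmatched addresses get SGT 0."""
        addr = ipaddress.ip_address(ip)
        best = None
        for table in self._by_peer.values():
            for net, sgt in table.items():
                if addr.version == net.version and addr in net:
                    if best is None or net.prefixlen > best[0].prefixlen:
                        best = (net, sgt)
        return best[1] if best else SGT_UNKNOWN


# Constructed SGACL-style matrix: (source SGT, destination SGT) -> permitted. Default deny.
POLICY = {
    (SGT_EMPLOYEE, SGT_HR_SERVER): True,
    (SGT_CONTRACTOR, SGT_HR_SERVER): False,
}


def permit(table, src_ip, dst_ip):
    """Enforcement point: classify both ends by SGT, then consult the matrix (default deny)."""
    return POLICY.get((table.lookup(src_ip), table.lookup(dst_ip)), False)


def build_example_table():
    """Constructed bindings as a policy-server speaker might advertise them to a listener."""
    table = BindingTable()
    table.apply_update("speaker-policy-server", adds=[
        ("10.1.0.0/16", SGT_EMPLOYEE),       # whole employee LAN
        ("10.1.200.0/24", SGT_CONTRACTOR),   # more specific: contractor subnet inside it
        ("10.9.0.5/32", SGT_HR_SERVER),      # one HR server
    ])
    return table


if __name__ == "__main__":
    t = build_example_table()
    for src in ("10.1.5.7", "10.1.200.9", "192.0.2.1"):
        print(src, "->", "10.9.0.5", "permit" if permit(t, src, "10.9.0.5") else "deny")
```

Two behaviours matter for a security reviewer: the longest prefix wins, so a more specific contractor subnet overrides the employee tag of the enclosing block, and anything the listener has no binding for falls to SGT 0 and the default-deny row of the matrix. The model also trusts its speaker completely; in a real deployment the listener should authenticate its SXP peer before accepting bindings, since a rogue speaker can relabel any host.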

Many, many, many thanks to Kevin Regan, Mitsunori Sagae, Darrin Miller, Joe Salowey, Michael Smith, Sue Thomson & Rakesh Kandula for getting this incredible innovation published as an informational draft.

pxGrid

A while ago, Cisco Senior Vice President Chris Young announced a new innovation for sharing contextual security data between security applications, called pxGrid.

This July, pxGrid was submitted as an Internet-Draft and presented (and very well received) at IETF 90 in Toronto.

pxGrid is a Cisco innovation and the world's first scalable mechanism for multi-directional sharing of security-related data between security applications. Its uses extend beyond security into other management realms.

As with any proposed standard, there are more cooks in the kitchen than just Cisco. The proposed standard is being jointly shaped by Cisco, Juniper (soon to be Pulse), McAfee, Boeing, NIST, and others. The proposal is moving forward, and it is very likely that pxGrid will be a major contributor to the IETF standard for Security Automation and Continuous Monitoring (SACM).

Special thanks for the work on this standard go to: Nancy Cam-Winget, Scott Pope, Lisa Lorenzin, Cliff Kahn, Steve Venema, Steve Hanna, David Waltermire, and many, many, many more! It is an honor and a privilege to work alongside such a talented group.


Copyright © 2014
