Quantum Architecture Overview

Quantum Framework Identity and Trust Jin Peng Feb 12, 2009

Transcript of Quantum Architecture Overview

Page 1: Quantum Architecture Overview

Quantum Framework: Identity and Trust

Jin Peng Feb 12, 2009

Page 2: Quantum Architecture Overview

Identities in System (Network) Management

People Identity Management

Creation, management and deletion of administrative users

User authentication (login), Single Sign-On, Federation

Role/Policy based flexible access control

Other security policies (password complexity, session time-out etc.)

Network Element Identity Management

Network element joins the security domain and registers itself

Keep track of network element's Metadata (IP Address, Element Type, Release Number)

Keep track of network element's public key and X.509 certificate

Keep track of Web services supported by network element and standard Universal Description Discovery and Integration (UDDI) interface

Provide the common registry for other services and data Mashup

Page 3: Quantum Architecture Overview

Quantum Framework: bring people and network together through identity and trust management

People Identity

Network Element Identity

AAA, PKI

Security

Confidentiality, Integrity, Availability (CIA)

Page 4: Quantum Architecture Overview

Open Source Stack

JAVA

JBOSS

OpenSSO

Spring Framework

Bouncy Castle, OpenSSL, JavaSSH

Quantum Frame

CND (OpenLDAP)

Quantum is a combination of JBoss, OpenSSO and other open source projects. It is built and maintained in Norforge as an internal open source program. It is presently used by CS1k, MAS, CC7, AS5300 MAS and CDN.

Quantum provides the following functions:

• Central registry via UDDI

• RBAC authorization and authentication for all applications running in JBoss

• Single sign-on across applications and hardware platforms

• PKI management, RADIUS support, external A&A etc.

Page 5: Quantum Architecture Overview

Quantum Framework

Quantum is deployed in 3 possible options:

1. Primary Quantum Frame (1)

2. Backup Quantum Frame (0/1)

3. Member Quantum Frame (0/n)

Page 6: Quantum Architecture Overview

Common Login and Single Sign-On

Common Login page for a security domain

Only login once: Single Sign-On inside the security domain

Built-in RADIUS service for CLI login

Page 7: Quantum Architecture Overview

Manage administrative users

Page 8: Quantum Architecture Overview

Support multiple external authentication protocols

Page 9: Quantum Architecture Overview

Role based per element type or per instance access control

Page 10: Quantum Architecture Overview

Support different permissions (authorization models) for different types of element

Page 11: Quantum Architecture Overview

Control security policies centrally

Page 12: Quantum Architecture Overview

Monitor Active Sessions

Page 13: Quantum Architecture Overview

Review Audit Log

Page 14: Quantum Architecture Overview

A Common Registry for Network Elements

Element registry is the fundamental lookup table for the network

It keeps track of what devices are in the network, what they can do, how to reach them, the URL to manage them etc.

Using public-key cryptography, each network element is uniquely identified by its RSA key pair or X.509 certificate: this assures we are talking to the right elements

Element grouping keeps track of the relationships of network elements

Standards-based UDDI Web service support for the element registry

Page 15: Quantum Architecture Overview

Manage Network Elements

Network level services can be integrated dynamically into the main navigator.

New types of network element, new instances of elements and their web based management consoles can be registered dynamically.

Page 16: Quantum Architecture Overview

Dynamic grouping of registered elements and network services

You can only see links that you have been granted access rights to

Page 17: Quantum Architecture Overview

Mashup with Quantum Framework

Quantum: Network metadata registry (Universal Description Discovery and Integration): what is on the network (inventory), what they can do (SOA), what their relations are, how to reach them, how to protect them (security)

Quantum: Security: AAA and PKI

Fault/Performance Management

Other Network services

Subscriber Management

Configuration

Deployment

Patching

Quantum Framework

Third party Applications

Nortel Management Applications

Combinations of Third party discovery and Nortel Registration

Page 18: Quantum Architecture Overview


Launches Subscriber Manager

Launches Deployment Manager

Launches SNMP Profile Manager

Launches NRS Manager

Launches Element Manager, BCC

Launches Base Manager

Launches Central Patch Manager

Graphical View of CS1000 Services Mashup on top of Quantum Framework

Page 19: Quantum Architecture Overview

An example of Mashup service based on element registry: Central Deployment Management

Page 20: Quantum Architecture Overview

Circle of Trust Based on Public Key Infrastructure

A user trusts a network element based on:

It has a public key that can be trusted, or

It has an X.509 certificate issued by a trusted certificate authority

A network element (or its management application) trusts a user based on:

Authentication result: is the user authenticated

Access control decisions from the trusted Policy Decision Point: what an authenticated user can do on the element

A network element trusts another network element based on:

It has a public key that can be trusted, or

It has an X.509 certificate issued by a trusted certificate authority

Page 21: Quantum Architecture Overview

Circle of Trust (Manage network elements' X.509 certificates, trusted Certificate Authorities and Certificate Revocation Lists centrally)

Page 22: Quantum Architecture Overview

Circle of Trust (Built-in Private Certificate Authority to bootstrap the trust and reduce the cost of using a commercial CA)
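The trust rule of pages 20 to 22, as an added example in Go (not code from the slides or from the Quantum project): an element is accepted when the registry already holds its public key, or when its X.509 certificate chains to the trusted CA and its serial number is not on the centrally managed revocation list. The private CA, the element certificate and the revoked-serial set are all constructed inside the block, and the names makeCert and TrustElement are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert issues a constructed test certificate for cn; with parent == nil it is self-signed (the private CA).
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sn, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)) // random serial number
	tmpl := &x509.Certificate{
		SerialNumber: sn, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only the CA may sign element certificates
	}
	if parent == nil {
		parent, parentKey = tmpl, priv
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// TrustElement applies the slide's rule: the element is trusted if the registry already holds its
// public key (pinned, keyed by the DER SubjectPublicKeyInfo), or if its certificate chains to a
// trusted CA and is not on the centrally managed CRL (modelled here as a set of revoked serials).
func TrustElement(cert *x509.Certificate, pinned, revoked map[string]bool, roots *x509.CertPool) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots})
	chainOK := err == nil && !revoked[cert.SerialNumber.String()]
	return pinned[string(cert.RawSubjectPublicKeyInfo)] || chainOK
}

func main() {
	ca, caKey := makeCert("Quantum Private CA", true, nil, nil)
	elem, _ := makeCert("call-server-1", false, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	fmt.Println("element trusted:", TrustElement(elem, nil, nil, roots))
}
```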

Page 23: Quantum Architecture Overview

Internal Open Source

Hosted in Norforge: https://norforge.nortel.com/projects/quantum/

Released in MAS ICP 6.1. To be released in CS1000 release 6.0, Contact Center release 7.0, MAS AS5300, MAS A2E release and Converged Data Network release.

Page 24: Quantum Architecture Overview

Integration options with Quantum Framework

There are a number of possible integration options, from the most loosely coupled hyperlink model to full engagement with the network level Mashup services, or even providing new network Mashup services.

Level 1: Add the URL of your application as a bookmark in Quantum's element table

Level 2: Integrate with Quantum's authentication service to achieve Single Sign-On and common login through RADIUS, (REST or SOAP) Web Services, SAML-based Federation etc.

Level 3: Integrate with Quantum's authorization and UDDI element registry service, declare your own element type, register your applications as managed elements or services, query access control decisions from Quantum's central PDP (Policy Decision Point)

Level 4: Declare supported (Web) services in your element type definition, integrate with existing network Mashup services such as Subscriber Manager, Certificate Manager, Deployment Manager

Level 5: Create new network Mashup services (alarm management, performance management, topology management)
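The Level 3 query to the central PDP, combined with the per-element-type and per-instance role model of pages 9 and 10, as an added example in Go (not the Quantum implementation, which per page 4 is Java/JBoss based): each element type declares its own permission set, and a grant gives a user a role either on every element of a type or on one registered instance. The element ids, roles and permission strings are constructed for this example, and the types PDP, Scope and Grant are its own.

```go
package main

import "fmt"

// Scope limits a Grant (a role given to a user) to every element of a type (Instance == "") or to one instance.
type Scope struct{ ElementType, Instance string }
type Grant struct{ Role string; Scope Scope }

// PDP is a central Policy Decision Point backed by the element registry. Each element type declares
// its own permission model, so a role can only grant permissions that exist for the scoped type.
type PDP struct {
	TypeModel map[string]map[string]bool // element type -> permissions defined for that type
	Registry  map[string]string          // instance id -> element type
	Roles     map[string]map[string]bool // role name -> permissions it carries
	Grants    map[string][]Grant         // user -> role assignments
}

// Decide answers the enforcement point's question: may user perform perm on this registered instance?
func (p *PDP) Decide(user, instance, perm string) bool {
	etype, registered := p.Registry[instance]
	if !registered || !p.TypeModel[etype][perm] {
		return false // unknown element, or a permission this element type does not define
	}
	for _, g := range p.Grants[user] {
		inScope := g.Scope.ElementType == etype && (g.Scope.Instance == "" || g.Scope.Instance == instance)
		if inScope && p.Roles[g.Role][perm] {
			return true
		}
	}
	return false // deny by default
}

// SamplePDP builds a constructed registry: two call servers, one NRS, two roles, two users.
func SamplePDP() *PDP {
	csPerms := map[string]bool{"config.write": true, "patch.apply": true}
	return &PDP{
		TypeModel: map[string]map[string]bool{"CallServer": csPerms, "NRS": {"routing.write": true}},
		Registry:  map[string]string{"cs1k-1": "CallServer", "cs1k-2": "CallServer", "nrs-1": "NRS"},
		Roles:     map[string]map[string]bool{"CallServerAdmin": csPerms, "Patcher": {"patch.apply": true}},
		Grants: map[string][]Grant{
			"alice": {{"CallServerAdmin", Scope{"CallServer", ""}}}, // every call server
			"bob":   {{"Patcher", Scope{"CallServer", "cs1k-1"}}},   // one instance only
		},
	}
}

func main() {
	p := SamplePDP()
	fmt.Println("bob may patch cs1k-2:", p.Decide("bob", "cs1k-2", "patch.apply"))
}
```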


Page 25: Quantum Architecture Overview


Diagram: Quantum in CS1000 - Network, System and Hardware View. Labels recovered from the figure: Subscriber Manager, Deployment Manager, Central Patch Manager, IP-Sec Management, SNMP Profile Manager, Element Manager, EM Phone Provisioning, EM Node Manager, NRS Manager, Central User Manager, Base Manager, SNMP Agent in Elements, UCM Framework, CP for SNMP, NTP, Security, SNMP Trap Server; layers: System Level, Network Level, Hardware CPU level.

Page 26: Quantum Architecture Overview

Diagram: Quantum in CS1000: Physical Deployment view of multi-system network view. Labels recovered from the figure: CS1000 System 1 and CS1000 System 2, each with Linux UCM (primary, backup and member), EM/BCC, Call Server, SubMgr, CND, NRS/SPS, MySQL, TPS GW (Linux), L-SLP Linux, ECM-m, MC (VxWorks), SMS comp, Core comp, Web Services (xmsg, ftp), config, Cust AD.

Page 27: Quantum Architecture Overview

Quantum Framework: Evolution Path

Identity Management: Administrative User, Subscriber

Network: UDDI Element Registry, System Management

People

Unified Communication

Centralized AAA, PKI

SOA, MOM (Message Oriented Middleware)

What we do now

What we do next