On the Hayama campus of the General Research Graduate School, a national graduate school, high security is ensured by IEEE 802.1X network authentication and secure VPN connections. The key element of this authentication system was the construction of a private CA that manages digital certificates.
Bringing authentication to the network to enhance security
The General Research Graduate School (hereinafter Sokendai) is a national graduate university established to train outstanding researchers. Its departments are located within national research institutes and museums (inter-university research institutes) at 18 sites nationwide. Students carry out highly specialized research at these institutions and earn a Ph.D. through either a five-year doctoral course or a doctoral course.
Hayama Campus of the General Research Graduate School (Sokendai), Kanagawa Prefecture
The Hayama campus in Kanagawa Prefecture houses the university's headquarters functions and the School of Advanced Sciences, and 200 to 300 people, including students, faculty and administrative staff, use its information network. Before the incorporation of national universities in 2004 it was a simple network built on dozens of L2 switches, but "management differed in each department and so did the policies; there were many problems, such as PCs whose information management was unclear and the danger of viruses." In 2006, therefore, the university examined integrated network authentication together with measures for the Personal Information Protection Law and its information security policy. In addition to this LAN network authentication, it decided to build a PKI based on digital certificates that would also cover VPN authentication for remote access from outside.
The reasoning behind introducing a PKI with digital certificates: "ID and password authentication tends to be hard to manage once it is in the users' hands. A digital certificate can be managed on the network side and delivered to users, which I think makes the authentication easy to understand." Using a single authentication system across wired LAN, wireless LAN and VPN is another advantage unique to a PKI built on highly versatile digital certificates. Tokyo Electron Device was responsible for the network authentication, the dynamic VLANs and the integrated certificate-based authentication.
Why Gléas was adopted to build the private CA
The university's network uses Extreme Networks "Summit X450" switches as the IEEE 802.1X switches and "Summit X350" switches at the edge. It also uses the Meru Networks "MC1030" as the wireless LAN switch, "Enterpras Std" as the RADIUS server, and OpenLDAP as the directory server.
Shinichi Doda, Hayama Information Network Center, General Research Graduate School
The private CA had been built and operated on the open-source NAREGI-CA, but a hardware failure made it necessary to rebuild it. The private CA introduced at that point was "Gléas" from JCCH Security Solution Systems (hereinafter JS3). "First of all, I thought it important that it could be used from a web browser and that even administrative staff unfamiliar with PKI could operate it. The user interface is also convenient, and it has no equal in Japan or abroad," says Mr. Doda, rating it highly.
One of the great attractions of a private CA is its high customizability. Gléas lets the operator customize the standard templates and issue certificates under a different policy for each group.
In August 2009, Sokendai replaced NAREGI-CA, which had stopped working because of the hardware failure, and introduced the Gléas appliance. The configuration of the network, including IEEE 802.1X and VPN, is shown in the figure below.
Network configuration of the General Research Graduate School
First, for the LAN on the Hayama campus, a user submits an application before using a PC, and the secretariat registers the user on the LDAP server. Based on this user directory, the switches and the RADIUS server identify secretariat PCs, student PCs and guest PCs, and the switch policy assigns VLANs dynamically.
IEEE 802.1X authentication is intended for the PCs used by administrative staff, and the settings are configured by the information staff in charge of each PC. Students, on the other hand, use MAC address authentication, and temporary users such as seminar participants use web browser authentication. "We were able to separate faculty, students, administrative staff and outsiders on the same network infrastructure according to their use." As for VPN, access is supported from two Internet connection lines. On the dedicated 100 Mbps line connected to SINET, an IPsec connection is made through an Online Screen VPN router. On the 100 Mbps B FLET'S connection, remote access is via SSL-VPN using OpenVPN. In both cases the VPN connection is authenticated with a digital certificate, achieving highly secure remote access.
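As an added example (not code from this page, JS3 or Sokendai), the following Python sketch models the authorization decision a RADIUS server makes in the setup described above: it checks an EAP-TLS client certificate against the private CA (issuer, expiry, revocation), looks the identity up in the pre-registered directory, and returns the RFC 3580 attributes that tell the switch which VLAN to assign. The CA name, MAC address, VLAN numbers and certificate fields are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed values for this example (assumptions, not values from the page)
PRIVATE_CA_ISSUER = "CN=Hayama Private CA,O=SOKENDAI"        # DN of the campus private CA
REVOKED_SERIALS = {0x1A2B}                                   # serials listed on the CA's CRL
DIRECTORY = {"staff-pc-01": "staff",                         # LDAP pre-registration:
             "00:11:22:33:44:55": "student"}                 # cert CN or MAC -> user class
VLAN_BY_CLASS = {"staff": 10, "student": 20, "guest": 30}    # switch policy: class -> VLAN
NOW = datetime(2009, 9, 1, tzinfo=timezone.utc)

@dataclass
class ClientCert:            # fields the RADIUS server reads from an EAP-TLS client certificate
    subject_cn: str
    issuer: str
    serial: int
    not_after: datetime

def cert_problem(cert, now):
    """Return why the certificate must be refused, or None if it is acceptable."""
    if cert.issuer != PRIVATE_CA_ISSUER:
        return "not issued by the campus private CA"
    if cert.not_after <= now:
        return "certificate expired"
    if cert.serial in REVOKED_SERIALS:
        return "certificate revoked"
    return None

def vlan_attributes(vlan):   # RFC 3580 attributes that tell the switch which VLAN to use
    return {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,      # VLAN over IEEE-802
            "Tunnel-Private-Group-ID": str(vlan)}

def authorize(method, identity, cert=None, now=NOW):
    """RADIUS decision for one supplicant: Access-Accept with a VLAN, or Access-Reject."""
    if method == "eap-tls":                                  # staff PCs: certificate required
        problem = "no client certificate presented" if cert is None else cert_problem(cert, now)
        if problem:
            return {"code": "Access-Reject", "reason": problem}
        user_class = DIRECTORY.get(cert.subject_cn)
    elif method == "mac":                                    # student PCs: registered MAC address
        user_class = DIRECTORY.get(identity)
    elif method == "web":                                    # seminar visitors: guest VLAN only
        user_class = "guest"
    else:
        return {"code": "Access-Reject", "reason": "unsupported authentication method"}
    if user_class is None:
        return {"code": "Access-Reject", "reason": "identity not pre-registered in LDAP"}
    return {"code": "Access-Accept", "class": user_class, **vlan_attributes(VLAN_BY_CLASS[user_class])}

def issued(cn, serial, expires="2010-08-31"):                # constructed sample certificates
    return ClientCert(cn, PRIVATE_CA_ISSUER, serial, datetime.fromisoformat(expires).replace(tzinfo=timezone.utc))
```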
Uses such as cooperation with OpenID and EFS are expanding
Sokendai will continue to make use of the authentication base provided by this private CA. "As we aim to expand VPN services and develop a portal for alumni, I would like to focus on combining digital certificates with authentication such as Shibboleth and OpenID, which realize single sign-on across a wide range of websites," says Mr. Doda. He also wants to move forward with the use of the Windows encryption feature EFS (Encrypting File System), which is effective as a countermeasure against information leaks. This is exactly where a PKI's strength as an authentication base shows.