Identity Driven Networking
Identity Driven Networking (IDN) is the process of applying network controls to a device's network access based on the identity of the individual, or group of individuals, responsible for or operating the device. Individuals are identified, and the network is tuned to respond to their presence according to context.

The OSI model provides a method for delivering network traffic not only to the system but through to the application that requested, or is listening for, the data. These applications can run either as a system-level daemon process or as a user application such as a web browser.

Internet security is built around the idea that the ability to request, or to respond to requests, should be subject to some degree of authentication, validation, authorization and policy enforcement. Identity Driven Networking endeavours to resolve user-based and system-based policy into a single management paradigm.

Since the internet comprises a vast range of devices and applications, there are also many boundaries, and therefore many ideas on how to resolve connectivity to users within those boundaries. An endeavour to overlay the system with an identity framework must first decide what an identity is, determine it, and only then use existing controls to decide what to do with this new information.

The Identity

A digital identity represents the connection between a real person or thing and some projection of its identity; it may incorporate references to devices as well as to resources and policies.

In some systems, policies provide the entitlements that an identity can claim at a particular point in time and space. For example, a person may be entitled to certain privileges while at the workplace during working hours that are denied when connecting from home out of hours.

How it might work

Before a user gets to the network there is usually some form of machine authentication; this typically verifies and configures the system for some basic level of access. Short of binding a user to the device's MAC address before or during this process, as 802.1X port authentication does for the authenticated session, it is not simple to have users authenticate at this point. It is more usual for a user to attempt to authenticate once the system processes (daemons) are started, which may well require the network configuration to have already been performed.

It follows that, in principle, the network identity of a device should be established before network connectivity is permitted, for example by using digital certificates as device identifiers rather than hardware (MAC) addresses, which are trivial to spoof. Furthermore, a consistent identity model has to account for typical network devices such as routers and switches, which cannot depend on user identity since no distinctive user is associated with the device. Where this capability is absent in practice, strong identity is not asserted at the network level.

The first task when seeking to apply Identity Driven Network controls is some form of authentication, if not at the device level then further up the stack. Since the first piece of infrastructure placed upon a network is often a network operating system (NOS), there will often be an identity authority that controls the resources the NOS contains (usually printers and file shares), together with procedures to authenticate users onto it. Incorporating some form of single sign-on means that the flow-on effect to other controls can be seamless.

Many network capabilities can be made to rely upon authentication technologies for the provisioning of an access control policy.

For instance, packet-filtering firewalls, content-control software, quota management systems and quality of service (QoS) systems are all controls that can be made dependent upon authentication.
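The resolution step the article describes, from the entitlement example under "The Identity" (privileges at the workplace in working hours that are denied from home out of hours) through to the controls just listed, as an added example that is not part of the original article: a Python policy resolver that maps an authenticated session to a network access profile and renders it as the RADIUS attributes a switch consumes after 802.1X. Everything below is constructed for illustration: the group names, VLAN numbers, profile contents, rule set and the vendor-specific attribute names are invented; only Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id and Filter-Id are standard RADIUS attributes.

```python
"""Identity-driven access resolution (added illustration, not from the article).

Given an authenticated session (who or what authenticated, how strongly, from
where and when), return the access profile the enforcement points should apply,
then render it as the RADIUS attributes used for dynamic VLAN assignment
(RFC 3580) and ACL selection (Filter-Id, RFC 2865). All names and numbers are
invented for this example.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, Optional

# Authentication methods ranked by how strongly they establish identity.
# MAC authentication bypass (MAB) proves only that a frame carried a given
# source address, which is trivially forged, so it never earns a full profile.
STRENGTH = {"mab": 0, "eap-peap-password": 1, "eap-tls-certificate": 2}


@dataclass(frozen=True)
class Session:
    user: Optional[str]        # None for headless devices (printers, switches)
    groups: FrozenSet[str]     # directory groups resolved for the identity
    device_id: str             # MAC address for MAB, certificate subject for EAP-TLS
    auth_method: str           # key of STRENGTH
    location: str              # "office" or "remote"
    when: datetime


@dataclass(frozen=True)
class Profile:
    name: str
    vlan: int
    filter_id: str             # packet-filter ACL name on the switch or firewall
    web_filter: str            # content-control category set
    quota_mb: Optional[int]    # None means unmetered
    qos_class: str


# Constructed profiles bundling the controls the article lists behind one decision.
PROFILES = {
    "finance_full":   Profile("finance_full",   10, "acl-finance-full",  "none",     None, "gold"),
    "finance_remote": Profile("finance_remote", 20, "acl-finance-lite",  "strict",   2048, "silver"),
    "staff":          Profile("staff",          30, "acl-staff",         "standard", None, "silver"),
    "guest":          Profile("guest",          99, "acl-internet-only", "strict",   500,  "bronze"),
    "infra":          Profile("infra",           5, "acl-mgmt",          "none",     None, "gold"),
    "iot_restricted": Profile("iot_restricted", 66, "acl-printers",      "blocked",  None, "bronze"),
}


def in_work_hours(t: datetime) -> bool:
    """Monday to Friday, 08:00 to 18:00 local time (constructed policy)."""
    return t.weekday() < 5 and time(8, 0) <= t.time() < time(18, 0)


def resolve(s: Session) -> Profile:
    """First matching rule wins; unknown authentication methods fail closed."""
    strength = STRENGTH.get(s.auth_method)
    if strength is None:
        raise ValueError(f"unknown authentication method {s.auth_method!r}")
    if s.user is None:                      # device identity only, no user identity
        if strength >= 2 and "infrastructure" in s.groups:
            return PROFILES["infra"]
        return PROFILES["iot_restricted"]   # MAB-only devices stay fenced in
    if strength < 1:                        # a user asserted only by MAC address
        return PROFILES["guest"]
    if "finance" in s.groups:
        # Full entitlement needs certificate-backed identity, the office network
        # and working hours; otherwise the reduced profile applies.
        if strength >= 2 and s.location == "office" and in_work_hours(s.when):
            return PROFILES["finance_full"]
        return PROFILES["finance_remote"]
    if "staff" in s.groups:
        return PROFILES["staff"]
    return PROFILES["guest"]


def to_radius_attributes(p: Profile) -> dict:
    """Standard attributes for VLAN and ACL; QoS and quota have no standard
    attribute and are shown as vendor-specific attributes with invented names."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": str(p.vlan),
        "Filter-Id": p.filter_id,
        "Example-Vendor-QoS-Class": p.qos_class,   # invented VSA
        "Example-Vendor-Quota-MB": p.quota_mb,     # invented VSA
    }


# Constructed sample sessions (2024-03-05 is a Tuesday, 2024-03-09 a Saturday).
FIN = frozenset({"staff", "finance"})
SAMPLES = {
    "alice_office":    Session("alice", FIN, "CN=alice,O=example", "eap-tls-certificate", "office", datetime(2024, 3, 5, 10, 30)),
    "alice_home_late": Session("alice", FIN, "CN=alice,O=example", "eap-tls-certificate", "remote", datetime(2024, 3, 5, 22, 0)),
    "alice_saturday":  Session("alice", FIN, "CN=alice,O=example", "eap-tls-certificate", "office", datetime(2024, 3, 9, 10, 0)),
    "bob_mab":         Session("bob", frozenset({"staff"}), "00:aa:bb:cc:dd:ee", "mab", "office", datetime(2024, 3, 5, 10, 0)),
    "printer":         Session(None, frozenset(), "00:11:22:33:44:55", "mab", "office", datetime(2024, 3, 5, 10, 0)),
    "core_switch":     Session(None, frozenset({"infrastructure"}), "CN=sw1,O=example", "eap-tls-certificate", "office", datetime(2024, 3, 5, 10, 0)),
    "unknown_method":  Session("mallory", frozenset(), "x", "telnet-banner", "office", datetime(2024, 3, 5, 10, 0)),
}

if __name__ == "__main__":
    for name, sess in SAMPLES.items():
        try:
            print(name, "->", resolve(sess).name, to_radius_attributes(resolve(sess)))
        except ValueError as exc:
            print(name, "-> rejected:", exc)
```

Two design points are worth noting. The same person receives a different profile depending on authentication strength, location and time, which is the "time and space" entitlement the article describes; and headless devices are resolved on device identity alone, with MAC-only authentication confined to a restricted profile because the identifier it relies on is spoofable.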

See also

  • AAA protocols such as RADIUS
  • LDAP
  • EAP

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.