Identity-Based Networking

Overview

When organizations begin opening their networks for enabling a wide variety of applications and data availability to both internal and external constituents, it becomes evident and important to understand and control user activity. Identity helps in controlling access to the network at the entry points.

Identity Based Networking is based on the fact that a user's identity is embedded into the networking services received by the user. It integrates several components of authentication, access control, and user policies to secure network connectivity and resources. It manages user mobility with greater security and reduced costs.

Identity based networking is not a new concept. It existed inherently even when the wireless LAN controllers first emerged. The concept of identity-based networking was applied through authenticating the users joining the wireless network and by placing them into the appropriate virtual LANs (VLANS).


Identity based networking is similar to placing a Security Guard at each Switch Port. It allows only the authorized users to get the network access and places unauthorized users into Guest VLANs. It also prevents unauthorized access points. Dynamic VLAN assignment is based on identity and it allows the assignment by group or individual at the time of authentication.

Identity based networking has VLAN tunneling between mobility domains. An example for such a system may contain a WAN, two VLANs and a network database. The two VLANs are coupled to the WAN with the network database containing their information. When a client who is authorized to work on second VLAN attempts to connect to the first VLAN, a switch in the WAN looks up in the database to determine whether the client is authorized on the second VLAN or not. Then he is connected to the second VLAN through VLAN tunneling.

Identity and Certificate

Identity is used to provide authorizations at any layer of the OSI model. Various editions of Windows Server 2008 are given below.

A Public Key Infrastructure (PKI) Certificate is a statement of identity signed by a trusted party. It combines the digital signature with a public key and the name of the user. It is signed by a certificate authority verifying the identity and serves as a strong authentication. Some of the prominent certificate authorities are VeriSign, Entrust, GTE etc.

Identity Based Networking Services (IBNS) Vs IEEE 802.1x

IBNS is not IEEE 802.1x, but is a superset of 802.1x's functionality. IBNS is a systems security framework that delivers LAN authentication and a part of it uses IEEE 802.1x.

IEEE 802.1x is a standard defined by IEEE 802.1x working group for addressing port based access control using authentication. It defines a standard link layer protocol that is used for transporting higher-level authentication protocols and the actual enforcement is via MAC-based filtering and port state monitoring.


Benefits of Identity Based Networking


Offers complete visibility, access control and audit of all interactions based on user identity, machine identity and health status

Secures remote access

Enables quick resolution of network incidents

Prevents unauthorized access to network resources

Controls assets, applications, and data

Ensures maximum service availability

Increases user productivity gains

Reduces operating costs

CISCO TrustSec

Trusted Security (TrustSec) is Cisco's new security framework that is an add-on to the Cisco Self-defending network. It is intended to determine the role of users before granting any access to resources. It transforms the topology-aware network into the one that is role aware besides allowing the transition from isolated identity mechanisms to secure campus access control. The three fundamental security services of TrustSec are secure campus access control, a converged policy framework, and pervasive integrity and confidentiality.

Secure Campus Access Control - As devices cannot enforce access control until they themselves have been authenticated, Secure Campus Access Control mechanism of Cisco TrustSec accomplishes this using a form of Network Device Access Control (NDAC). It authenticates all IP-enabled entities and supports different roles, access devices, operating systems, and access methods. Various authentication methods can be chosen by the administrators. Identity is mapped with roles through authentication, authorization, and accounting (AAA). The authentication event is supplemented by device posture validation for end device compliance with software revision levels. This mechanism is independent of role, device type, operating system, or access method and works transparently for wired, wireless, and VPNs. After establishing the identity, scalable security roles are applied for posture, compliance, location based services.

Converged Policy Framework-

While policy enforcement is completely decentralized, a converged policy framework allows merging of multiple policy requirements into a single configuration on a switch or any other policy enforcement point. This helps ensure that network and security administrators can map roles to policy from a central place, and this policy is intelligently mapped to a user port upon authentication. Policy is a very broad term and can include a simple permit or deny to a network address all the way to malware prevention. Whether the policy is to control access to applications, voice or video tools, or Web resources, the converged policy framework provides a simple mechanism to provision and monitor policy based on role ubiquitously throughout the network. Figure 4 shows how a central policy engine now converges policies for various roles.

A new concept called security group access control lists (SGACLs) based on role rather than IP subnets allows access control policy to be decoupled from physical topology. Since role membership is dynamically populated on campus switches through secure campus access control, and up-to-date role information is available everywhere through SGTs, SGACLs can also be deployed close to the protected resource to simplify configuration. Figure 5 shows the steps in Cisco TrustSec for secure campus access control and converged policy assignment through an SGACL.

Cisco TrustSec can coordinate and converge multiple compliance requirements and access policies when a user or device requests access to a network. With Cisco TrustSec, security policies can be collapsed into a centralized policy engine that acts as a broker between the campus network infrastructure and back-end policy directories, such as Active Directory. Cisco's existing Access Control System (ACS) is being extended to provide policy aggregation and control of this converged policy framework. If deployed along with Cisco NAC, the Cisco ACS also interacts with the NAC system to take advantage of endpoint posture, remediation, and other NAC services.

Pervasive Integrity and Confidentiality

Authenticated users with authorized access also need the peace of mind that their information and transactions are completely confidential. Rather than attempting to encrypt individual applications, Cisco TrustSec provides the ability to secure every link in the campus with strong encryption. A new Cisco innovation, the Security Association Protocol (SAP), simplifies the management of each link's encryption keys. This not only helps secure the LAN but also provides security for every application without having to retrofit and encrypt at the application layer. Switch integrated security mechanisms block man-in-the-middle attacks to disallow traffic redirection and snooping. Switch protection features and controlled access to the switch itself help ensure that network device integrity is maintained, since compromised devices can be used to intercept information. Cisco TrustSec also carries role information over secured links to make roles, policies, and confidentiality pervasive and scalable, while preserving traffic visibility within the switches to deliver the entire breadth of Cisco network services and security.

Cisco TrustSec adds data protection by securing every data path in the campus switching environment based on digital device certificates and strong encryption based on the IEEE 802.1AE standard. Data confidentiality and integrity is instantiated between devices on a hop by hop basis. This allows mission-critical applications such as firewalls, intrusion prevention, and content inspection to maintain visibility into the packet streams at each switch boundary without disrupting the requirements for data integrity and confidentiality. Most access control policies today are managed through Ingress Filter ACLs that require an understanding of network and application topology. As the network or services change, these ACLs must be modified and propagated throughout the network. It is very difficult to keep these ACLs synchronized with corporate requirements and as a result legacy access control implementations typically do not scale. Cisco TrustSec dramatically reduces the cost of managing access control shifting from a classic Ingress Filter model to an Ingress Tag and Egress Filter model.

Instead of having every entry point understand where every user can and cannot go, administrators can localize access rules to just those areas of the network that understand the policy for a given role. In other words, only those destinations that care about a given role need an ACL policy to deal with that role. This approach allows administrators to implement security policies independent of the location of the user or device. User roles need to be defined only once and are then pervasively and consistently applied across the entire infrastructure. A new Cisco innovation, the Security Association Protocol based upon the IEEE 802.1af standard simplifies the key management between links and also facilitates interoperability with other 802.1AE-compatible devices. Cisco TrustSec also carries role information over secured links to make policies and confidentiality pervasive and scalable.

Cisco TrustSec will be available across the entire Cisco Catalyst switching portfolio over the next 18 months, beginning in the first quarter of calendar year 2008. To facilitate the deployment and adoption of this solution, Cisco will provide the Security Exchange Protocol (SXP) as a software solution to allow existing Cisco products to participate in the TrustSec architecture. Existing switches enabled with SXP can communicate user-to-roles mappings across third-party Cisco TrustSec-capable clouds. However, it does have scaling limitations as compared to Cisco TrustSec-enabled switches. Upgrading SXP-enabled switches to hardware-supported Cisco TrustSec capabilities as your organization goes through its natural refresh cycle will provide complete access-control services as well as line-rate integrity and confidentiality.