Identity driven networking (IDN) is the process of applying network controls to network device access based on the identity of an individual or a group of individuals responsible for or operating the device. Individuals are identified, and the network is tuned to respond to their presence by context. The OSI model provides a method to deliver network traffic not only to the system but to the application that requested or is listening for data. These applications can operate either as a system-based daemon process or as a user application such as a web browser.

Internet security is built around the idea that the ability to request or respond to requests should be subject to some degree of authentication, validation, authorization, and policy enforcement. Identity driven networking endeavors to resolve user-based and system-based policy into a single management paradigm. Since the internet comprises a vast range of devices and applications, there are also many boundaries, and therefore many ideas on how to resolve connectivity to users within those boundaries. An endeavor to overlay the system with an identity framework must first decide what an identity is, determine it, and only then use existing controls to decide what is intended with this new information.


The Identity

A digital identity represents the connectedness between the real and some projection of an identity; it may incorporate references to ''devices'' as well as ''resources'' and ''policies''. In some systems, policies provide the entitlements that an identity can claim at any particular point in time and space. For example, a person may be entitled to some privileges ''during work from their workplace'' that may be denied ''from home out of hours''.
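The entitlement resolution described above, as an added example that is not part of the original article: an identity carries references to devices and policies, and each policy yields privileges only while its condition on the request context (place and time) holds. The office hours, the resource name `payroll-share`, the subject `alice` and the sample timestamps are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Callable, FrozenSet, List, Set


@dataclass(frozen=True)
class Context:
    """Where and when an access request is made (constructed sample values)."""
    location: str      # e.g. "workplace" or "home"
    when: datetime


@dataclass(frozen=True)
class Policy:
    """A rule granting privileges on a resource while its condition holds."""
    name: str
    resource: str
    privileges: FrozenSet[str]
    condition: Callable[[Context], bool]


@dataclass
class Identity:
    """A digital identity: a subject with references to devices and policies."""
    subject: str
    devices: Set[str] = field(default_factory=set)
    policies: List[Policy] = field(default_factory=list)


def during_work_hours(ctx: Context) -> bool:
    """True on a weekday between 09:00 and 17:30 (hypothetical office hours)."""
    return ctx.when.weekday() < 5 and time(9, 0) <= ctx.when.time() <= time(17, 30)


def from_workplace(ctx: Context) -> bool:
    return ctx.location == "workplace"


def entitlements(identity: Identity, resource: str, ctx: Context) -> FrozenSet[str]:
    """Resolve the privileges the identity can claim on the resource in this context.
    Every policy whose condition holds contributes; no matching policy means no access."""
    granted: Set[str] = set()
    for policy in identity.policies:
        if policy.resource == resource and policy.condition(ctx):
            granted |= policy.privileges
    return frozenset(granted)


def is_entitled(identity: Identity, resource: str, privilege: str, ctx: Context) -> bool:
    return privilege in entitlements(identity, resource, ctx)


# Constructed identity: read/write on the payroll share only from the office
# during work hours, read-only from anywhere during work hours, nothing otherwise.
alice = Identity(subject="alice", devices={"laptop-01"})
alice.policies.append(Policy("office-hours-full", "payroll-share",
                             frozenset({"read", "write"}),
                             lambda c: from_workplace(c) and during_work_hours(c)))
alice.policies.append(Policy("hours-read-anywhere", "payroll-share",
                             frozenset({"read"}), during_work_hours))

# Constructed contexts (2024-03-12 is a Tuesday, 2024-03-16 a Saturday).
AT_WORK = Context("workplace", datetime(2024, 3, 12, 10, 0))
AT_HOME_DAYTIME = Context("home", datetime(2024, 3, 12, 10, 0))
AT_HOME_LATE = Context("home", datetime(2024, 3, 12, 22, 0))
AT_WORK_WEEKEND = Context("workplace", datetime(2024, 3, 16, 10, 0))


def resolve_demo() -> dict:
    """Entitlements on the payroll share for each constructed context."""
    cases = [("at_work", AT_WORK), ("home_daytime", AT_HOME_DAYTIME),
             ("home_late", AT_HOME_LATE), ("work_weekend", AT_WORK_WEEKEND)]
    return {name: sorted(entitlements(alice, "payroll-share", ctx)) for name, ctx in cases}


if __name__ == "__main__":
    for name, privs in resolve_demo().items():
        print(f"{name:14s} -> {privs or 'no access'}")
```

The deliberate design choice is that the identity never stores a flat set of privileges: every access is resolved against the policies at request time, so the same identity is denied at 22:00 from home and granted full access at 10:00 from the office without any state change on the identity itself.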


How it might work

Before a user gets to the network there is usually some form of machine authentication; this probably verifies and configures the system for some basic level of access. Short of mapping a user to a MAC address prior to or during this process (802.1X), it is not simple to have users authenticate at this point. It is more usual for a user to attempt to authenticate once the system processes (daemons) are started, and this may well require the network configuration to have already been performed. It follows that, in principle, the network identity of a device should be established ''before'' permitting network connectivity, for example by using digital certificates in place of hardware addresses, which are trivial to spoof as device identifiers. Furthermore, a consistent identity model has to account for typical network devices such as routers and switches, which can't depend on user identity, since no distinctive user is associated with the device. Absent this capability in practice, however, strong identity is not asserted at the network level.

The first task when seeking to apply Identity Driven Network controls comprises some form of authentication, if not at the device level then further up the stack. Since the first piece of infrastructure placed upon a network is often a network operating system (NOS), there will often be an Identity Authority that controls the resources that the NOS contains (usually printers and file shares). There will also be procedures to authenticate users onto it. Incorporating some form of single sign-on means that the flow-on effect to other controls can be seamless. Many network capabilities can be made to rely upon authentication technologies for the provisioning of an access control policy. For instance, packet filtering (firewalls), content-control software, quota management systems and Quality of Service (QoS) systems are good examples of where controls can be made dependent upon authentication.
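Controls made dependent upon authentication, as an added example that is not part of the original article: a toy packet filter and QoS classifier that grants an address a policy only while an authenticated session is bound to it, and otherwise lets the host reach nothing but the authentication service. The role table, port numbers, addresses and identity names are constructed; the `accepted` flag stands in for whatever the real authenticator (RADIUS, EAP) returns, and the binding is keyed on the source address, so it inherits the limits of address-based identifiers that the text describes.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """A packet as the filter sees it (constructed sample fields only)."""
    src: str        # source address the session was bound to at authentication
    dst_port: int


# Hypothetical per-role policy: reachable destination ports and a QoS class.
ROLE_POLICY: Dict[str, dict] = {
    "staff": {"ports": {80, 443, 445}, "qos": "normal"},
    "voip":  {"ports": {5060, 5061},   "qos": "realtime"},
    "guest": {"ports": {80, 443},      "qos": "bulk"},
}
AUTH_PORT = 1812   # RADIUS authentication; the only service reachable before auth

Verdict = Tuple[str, Optional[str], Optional[str]]   # (allow/deny, qos, identity)


class IdentityFilter:
    """Packet filter and QoS classifier keyed on authenticated identity.

    The filter never decides on the address alone: an address earns a role's
    policy only while an authenticated session is bound to it.
    """

    def __init__(self) -> None:
        self.sessions: Dict[str, Tuple[str, str]] = {}   # src -> (identity, role)

    def authenticate(self, src: str, identity: str, role: str, accepted: bool) -> bool:
        """Bind identity to src once the authenticator has accepted the credential.
        A rejection also clears any stale binding left on that address."""
        if not accepted or role not in ROLE_POLICY:
            self.sessions.pop(src, None)
            return False
        self.sessions[src] = (identity, role)
        return True

    def logout(self, src: str) -> None:
        """Dropping the session returns the address to the pre-auth policy."""
        self.sessions.pop(src, None)

    def decide(self, pkt: Packet) -> Verdict:
        session = self.sessions.get(pkt.src)
        if session is None:
            # Unauthenticated hosts may talk only to the authentication service.
            if pkt.dst_port == AUTH_PORT:
                return ("allow", "bulk", None)
            return ("deny", None, None)
        identity, role = session
        policy = ROLE_POLICY[role]
        if pkt.dst_port in policy["ports"]:
            return ("allow", policy["qos"], identity)
        return ("deny", None, identity)


def filter_demo() -> list:
    """Run a constructed sequence: pre-auth, successful and failed logins, logout."""
    f = IdentityFilter()
    out = []
    out.append(f.decide(Packet("10.0.0.5", 445)))        # pre-auth to file share: deny
    out.append(f.decide(Packet("10.0.0.5", AUTH_PORT)))  # pre-auth to RADIUS: allow
    f.authenticate("10.0.0.5", "alice", "staff", accepted=True)
    out.append(f.decide(Packet("10.0.0.5", 445)))        # staff to file share: allow, normal
    out.append(f.decide(Packet("10.0.0.5", 5060)))       # staff to SIP: deny
    f.authenticate("10.0.0.9", "bob", "staff", accepted=False)
    out.append(f.decide(Packet("10.0.0.9", 443)))        # failed auth: still pre-auth policy
    f.authenticate("10.0.0.7", "phone-12", "voip", accepted=True)
    out.append(f.decide(Packet("10.0.0.7", 5060)))       # voip to SIP: allow, realtime
    f.logout("10.0.0.5")
    out.append(f.decide(Packet("10.0.0.5", 445)))        # after logout: deny again
    return out


if __name__ == "__main__":
    for verdict in filter_demo():
        print(verdict)
```

The same session table serves three of the controls the text names at once: the allow/deny verdict is the packet filter, the QoS class rides along with the role, and a quota system could meter on the returned identity rather than on the address. Every decision carries the identity it was made for, which is what makes the resulting logs attributable to a person or device rather than to an address.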


See also

* AAA protocols such as RADIUS
* LDAP
* EAP

