Identity driven networking
Identity driven networking (IDN) is the practice of applying network access controls to a device based on the identity of the individual or group responsible for, or operating, that device. Individuals are identified, and the network responds to their presence according to context.
The OSI model describes how network traffic is delivered not only to a system but through to the application that requested the data or is listening for it. Such an application may be a system daemon running under a service account, or an interactive user application such as a web browser.
Internet security is built around the idea that the ability to make or answer requests should be subject to some degree of authentication, validation, authorization and policy enforcement. Identity driven networking endeavors to bring user-based and system-based policy together under a single management paradigm.
Since the internet comprises a vast range of devices and applications, it also has many administrative boundaries, and correspondingly many ideas about how to tie connectivity to users within those boundaries. Any attempt to overlay an identity framework on such a system must first define what an identity is, establish it for a given user or device, and only then use existing controls to act on that information.
The Identity
A digital identity is the link between a real-world entity (a person or a device) and its representation within a system; it may incorporate references to devices as well as to resources and policies.
In some systems, policies define the entitlements an identity can claim at a particular time and place. For example, a person may hold privileges while at the workplace during working hours that are denied when connecting from home out of hours.
How it might work
Before a user reaches the network there is usually some form of machine authentication, which verifies the device and configures it for a basic level of access. Unless a user is bound to the device's MAC address before or during this step, as port-based authentication such as IEEE 802.1X allows, it is not simple to have users authenticate at this point. It is more usual for the user to authenticate once the system's services (daemons) have started, and that may itself require network configuration to have already completed.
It follows that, in principle, a device's network identity should be established before network connectivity is granted, for example with digital certificates rather than hardware (MAC) addresses, which are trivial to spoof and so make poor device identifiers. A consistent identity model must also account for infrastructure devices such as routers and switches, which cannot rely on a user identity because no particular user is associated with them. Where this capability is absent in practice, strong identity is not asserted at the network level at all.
The first task in applying identity driven network controls is therefore some form of authentication, if not at the device level then further up the stack. Since the first piece of infrastructure placed on a network is often a network operating system (NOS), there is usually an identity authority that controls the resources the NOS provides (typically printers and file shares), together with procedures for authenticating users to it. Incorporating some form of single sign-on means the flow-on effect to other controls can be seamless.
Many network capabilities can be made to depend on authentication for the provisioning of an access control policy.
Packet filtering (firewalls), content-control software, quota management systems and quality of service (QoS) systems are all examples of controls that can be made dependent on an authenticated identity.
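The ideas in this section (entitlements that depend on who the principal is, on whether only the machine or also a user has authenticated, and on where and when the request is made) and the packet filter that consults authentication state can be sketched together in a small policy engine. The Python below is an added example written for this page, not code from the article or from any product. Everything in it is constructed for illustration: the session table, the addresses, the group names, the rules and the timestamps. It assumes that some earlier authentication step (for instance RADIUS accounting from a switch or VPN gateway) has populated the session table before packets are evaluated; how that table is fed is outside the example.

```python
"""Toy identity-driven packet filter (added example; all data below is constructed)."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    """What authentication established for one source address."""
    principal: str       # user ("alice") or machine ("host/laptop-17") identity
    groups: frozenset    # group memberships returned by the identity authority
    location: str        # "office" or "remote"; assumed to be set by the admitting switch or VPN
    is_user: bool        # False while only the machine has authenticated (pre-logon state)


@dataclass(frozen=True)
class Rule:
    """One entitlement. Empty groups/locations/ports mean 'any'; window None means 'always'."""
    name: str
    require_user: bool                   # skip the rule for machine-only sessions
    groups: frozenset
    locations: frozenset
    window: Optional[Tuple[time, time]]  # time-of-day window [start, end)
    dst_net: IPv4Network
    dst_ports: frozenset
    action: str                          # "allow" or "deny"


def in_window(window: Optional[Tuple[time, time]], now: datetime) -> bool:
    if window is None:
        return True
    start, end = window
    return start <= now.time() < end


def rule_matches(rule: Rule, s: Session, dst: IPv4Address, port: int, now: datetime) -> bool:
    if rule.require_user and not s.is_user:
        return False
    if rule.groups and not (rule.groups & s.groups):
        return False
    if rule.locations and s.location not in rule.locations:
        return False
    if not in_window(rule.window, now):
        return False
    if dst not in rule.dst_net:
        return False
    return not rule.dst_ports or port in rule.dst_ports


def decide(sessions: Dict[IPv4Address, Session], rules: List[Rule],
           preauth: List[Tuple[IPv4Network, frozenset]],
           src_ip: str, dst_ip: str, dst_port: int, now: datetime) -> Tuple[str, str]:
    """Return (action, reason) for one packet. First matching rule wins; default deny."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    session = sessions.get(src)
    if session is None:
        # Nobody has authenticated from this address: open only the hole needed to authenticate.
        for net, ports in preauth:
            if dst in net and dst_port in ports:
                return "allow", "pre-auth"
        return "deny", "no-session"
    for rule in rules:
        if rule_matches(rule, session, dst, dst_port, now):
            return rule.action, rule.name
    return "deny", "default"


# Constructed sample state: what the (assumed) authentication step has recorded so far.
SESSIONS = {
    ip_address("10.1.1.5"): Session("alice", frozenset({"staff"}), "office", True),
    ip_address("10.8.0.3"): Session("alice", frozenset({"staff"}), "remote", True),  # same user, via VPN
    ip_address("10.1.1.6"): Session("bob", frozenset({"staff", "finance"}), "office", True),
    ip_address("10.1.1.7"): Session("host/laptop-17", frozenset({"workstations"}), "office", False),
}
PREAUTH = [(ip_network("10.0.0.10/32"), frozenset({443}))]  # constructed: the identity portal only
RULES = [
    Rule("machine-baseline", False, frozenset(), frozenset(), None,
         ip_network("10.0.0.0/24"), frozenset({53, 88, 389}), "allow"),
    Rule("staff-fileshare-office", True, frozenset({"staff"}), frozenset({"office"}), None,
         ip_network("10.0.1.0/24"), frozenset({445}), "allow"),
    Rule("staff-fileshare-remote-hours", True, frozenset({"staff"}), frozenset({"remote"}),
         (time(9, 0), time(18, 0)), ip_network("10.0.1.0/24"), frozenset({445}), "allow"),
    Rule("finance-app", True, frozenset({"finance"}), frozenset(), (time(7, 0), time(20, 0)),
         ip_network("10.0.2.10/32"), frozenset({8443}), "allow"),
]
WORK_HOURS = datetime(2024, 3, 4, 10, 30)   # constructed timestamps
AFTER_HOURS = datetime(2024, 3, 4, 22, 30)


def evaluate(src_ip: str, dst_ip: str, dst_port: int, now: datetime) -> Tuple[str, str]:
    """Evaluate one packet against the constructed state above."""
    return decide(SESSIONS, RULES, PREAUTH, src_ip, dst_ip, dst_port, now)


if __name__ == "__main__":
    for src, dst, port, when in [("10.1.1.5", "10.0.1.20", 445, WORK_HOURS),
                                  ("10.8.0.3", "10.0.1.20", 445, AFTER_HOURS),
                                  ("10.1.1.7", "10.0.1.20", 445, WORK_HOURS),
                                  ("10.1.1.99", "10.0.0.10", 443, WORK_HOURS)]:
        print(src, "->", f"{dst}:{port}", when.time(), evaluate(src, dst, port, when))
```

Three behaviours carry the point of the section. An address with no session gets only the access needed to authenticate, so the filter is the enforcement point for the identity step rather than something bolted on afterwards. A machine-only session (the pre-logon state described above) reaches the directory servers in the baseline rule but not the user-entitled file shares until a user authenticates from the same device. And the same person, alice, is allowed to the file share from the office at any hour but from the VPN only during working hours, which is the time-and-place entitlement from the Identity section; everything not explicitly granted falls through to the default deny.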
See also
- AAA protocols such as RADIUS
- LDAP
- EAP