HOME

TheInfoList



Click Here for Items Related To - Identity Driven Networking
OR:
Identity Driven Networking on:   [Wikipedia]   [Google]   [Amazon]

Identity driven networking (IDN) is the process of applying network controls to a
network device Networking hardware, also known as network equipment or computer networking devices, are electronic devices which are required for communication and interaction between devices on a computer network. Specifically, they mediate data transmission in ...
access based on the identity of an individual or a group of individuals responsible to or operating the device. Individuals are identified, and the network is tuned to respond to their presence by context. The
OSI model The Open Systems Interconnection model (OSI model) is a conceptual model that 'provides a common basis for the coordination of SOstandards development for the purpose of systems interconnection'. In the OSI reference model, the communications ...
provides a method to deliver
network traffic Network traffic or data traffic is the amount of data moving across a network at a given point of time. Network data in computer networks is mostly encapsulated in network packets, which provide the load in the network. Network traffic is the main c ...
, not only to the system but to the application that requested or is listening for data. These applications can operate either as a system based user- daemon process, or as a user application such as a
web browser A web browser is application software for accessing websites. When a user requests a web page from a particular website, the browser retrieves its files from a web server and then displays the page on the user's screen. Browsers are used on ...
.
Internet security Internet security is a branch of computer security. It encompasses the Internet, browser security, web site security, and network security as it applies to other applications or operating systems as a whole. Its objective is to establish rules a ...
is built around the idea that the ability to request or respond to requests should be subjected to some degree of
authentication Authentication (from ''authentikos'', "real, genuine", from αὐθέντης ''authentes'', "author") is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicati ...
,
validation Validation may refer to: * Data validation, in computer science, ensuring that data inserted into an application satisfies defined formats and other input criteria * Forecast verification, validating and verifying prognostic output from a numerica ...
,
authorization Authorization or authorisation (see spelling differences) is the function of specifying access rights/privileges to resources, which is related to general information security and computer security, and to access control in particular. More for ...
, and
policy Policy is a deliberate system of guidelines to guide decisions and achieve rational outcomes. A policy is a statement of intent and is implemented as a procedure or protocol. Policies are generally adopted by a governance body within an organ ...
enforcement. Identity driven networking endeavors to resolve user and system based policy into a single
management paradigm Management fad is a term used to characterize a change in philosophy or operations implemented by a business or institution. The term is subjective and tends to be used in a pejorative sense, as it implies that such a change is being implemented ...
. Since the internet comprises a vast range of devices and applications there are also many boundaries and therefore ideas on how to resolve connectivity to users within those boundaries. An endeavor to overlay the system with an identity framework must first decide what an Identity is, determine it, and only then use existing controls to decide what is intended with this new information.


The Identity

A
digital identity A digital identity is information used by computer systems to represent an external agent – a person, organization, application, or device. Digital identities allow access to services provided with computers to be automated and make it possibl ...
represents the connectedness between the real and some projection of an identity; and it may incorporate references to ''devices'' as well as ''resources'' and ''policies''. In some systems, policies provide the entitlements that an identity can claim at any particular point in time and space. For example, a person may be entitled to some privileges ''during work from their workplace'' that may be denied ''from home out of hours''.


How it might work

Before a user gets to the network there is usually some form of machine authentication, this probably verifies and configures the system for some basic level of access. Short of mapping a user to a
MAC address A media access control address (MAC address) is a unique identifier assigned to a network interface controller (NIC) for use as a network address in communications within a network segment. This use is common in most IEEE 802 networking techno ...
prior or during this process (802.1x) it is not simple to have users authenticate at this point. It is more usual for a user to attempt to authenticate once the system processes (daemons) are started, and this may well require the network configuration to have already been performed. It follows that, in principle, the network identity of a device should be established ''before'' permitting network connectivity, for example by using
digital certificates Digital usually refers to something using discrete digits, often binary digits. Technology and computing Hardware *Digital electronics, electronic circuits which operate using digital signals **Digital camera, which captures and stores digital i ...
in place of hardware addresses which are trivial to spoof as device identifiers. Furthermore, a consistent identity model has to account for typical network devices such as routers and switches which can't depend on user identity, since no distinctive user is associated with the device. Absent this capability in practice, however, strong identity is not asserted at the network level. The first task when seeking to apply Identity Driven Network controls comprises some form of authentication, if not at the device level then further up the stack. Since the first piece of infrastructure placed upon a network is often a
network operating system A network operating system (NOS) is a specialized operating system for a network device such as a router, switch or firewall. Historically operating systems with networking capabilities were described as network operating systems, because they al ...
(NOS) there will often be an Identity Authority that controls the resources that the NOS contains (usually printers and file shares). There will also be procedures to authenticate users onto it. Incorporating some form of
single sign-on Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems. True single sign-on allows the user to log in once and access services without re-enterin ...
means that the flow on effect to other controls can be seamless. Many network capabilities can be made to rely upon authentication technologies for the provisioning of an access control policy. For instance; Packet filtering -
firewall Firewall may refer to: * Firewall (computing), a technological barrier designed to prevent unauthorized or unwanted communications between computer networks or hosts * Firewall (construction), a barrier inside a building, designed to limit the spre ...
,
content-control software An Internet filter is software that restricts or controls the content an Internet user is capable to access, especially when utilized to restrict material delivered over the Internet via the Web, Email, or other means. Content-control software det ...
, Quota Management systems and
Quality of service Quality of service (QoS) is the description or measurement of the overall performance of a service, such as a telephony or computer network, or a cloud computing service, particularly the performance seen by the users of the network. To quantitat ...
(QoS) systems are good examples of where controls can be made dependent upon authentication.


See also

*
AAA protocol AAA refers to Authentication (to identify), Authorization (to give permission) and Accounting (to log an audit trail). It is a framework used to control and track access within a computer network. Common network protocols providing this functi ...
s such as
RADIUS In classical geometry, a radius ( : radii) of a circle or sphere is any of the line segments from its center to its perimeter, and in more modern usage, it is also their length. The name comes from the latin ''radius'', meaning ray but also the ...
*
LDAP The Lightweight Directory Access Protocol (LDAP ) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory servi ...
* EAP


References

{{DEFAULTSORT:Identity Driven Networking Computer access control