
Identity Driven Networking

From Wikipedia, the free encyclopedia

Identity Driven Networking (IDN) is the process of applying network controls to an individual or a group of individuals. Individuals are identified, and the network is tuned to respond to their presence according to context. Thus the behaviour of an identity drives the control processes, and the control processes in turn shape the behaviour of the identity.

The need for Identity Driven Networking

The various protocols that define networking, and the Internet in general, operate around the paradigm of addressing: being able to direct packets so that they arrive at a predetermined destination. The addressing mechanics start with the MAC address, continue through the IP address, and end with DNS, allowing any system in the world to have a unique name and for that name to be finally resolved for the delivery of packets.

The OSI model provides a method to deliver the final packets not only to the system but through to the application that requested, or is listening for, the data. These applications can run either as a system-level daemon process or as a user application such as a web browser. Internet security is built around the idea that the ability to make or respond to requests should be subject to some degree of authentication, validation, authorisation, and policy enforcement. In the same sense that quantum mechanics grapples with general relativity (fine grain against coarse grain), the idea of incorporating a user is, to an extent, immiscible with the OSI model. Identity Driven Networking (IDN) endeavours to resolve user-based and system-based policy into a single management paradigm.

The Problem

Since the Internet comprises a vast range of devices and applications, there are also many boundaries, and therefore many ideas on how to resolve connectivity to users within those boundaries. Should the controls be applied at the LAN, the WAN, or the Internet? Since the bulk of any traffic is TCP/IP (which has no notion of an identity), any endeavour to overlay the system with an identity framework must first decide what an identity is, determine it, and only then use existing controls to decide what is intended with this new information. This is why the notions of Identity Driven Networking have become muddied.

The Identity

One derivative of identity (philosophy) provides the notion of sameness, or equality: an "I am me" idea. Identity theft involves breaking that equality, hence the need for validation. A digital identity represents the connectedness between the real and some projection of an identity; it incorporates devices as well as resources and policies. Policies provide the entitlements that an identity can claim at any particular point in time and space. A person may be entitled to some privileges during work hours from their workplace that are denied from home out of hours. This creates the notion of the role of an individual, and its extension to Role-Based Access Control (RBAC). A further extension to access policy, which in the main grants or denies permission to access a resource, involves entitlements to content, priority, escalation, and management privileges. Many of these ideas are already familiar from file server and resource access at that level. Identity Driven Networking brings the same ideas to the network. This means that true Identity Driven Networking needs to incorporate RBAC across the multiple roles that an identity may assume. IDN must also do so across all the dimensions of network access, including content control, bandwidth priority, delegation authority, and time, space or usage quanta.

How it might work

Before a user gets to the network there is usually some form of machine authentication; this probably verifies and configures the system for some basic level of access. Short of mapping a user to a MAC address prior to or during this process (802.1X), it is not simple to have users authenticate at this point. It is more usual for a user to attempt to authenticate once the system processes (daemons) are started, and this may well require the network configuration to have already been performed. The first task, then, when seeking to apply Identity Driven Network controls, comprises some form of authentication.

Since the first piece of infrastructure placed upon a network is often a Network Operating System (NOS), there will often be an identity authority that controls the resources the NOS contains (usually printers and file shares), and there will also be procedures to authenticate users onto it. Incorporating some form of single sign-on means that the flow-on effect to other controls can be seamless. The most commonly adopted standard for extending this identity authority to other systems is LDAP. The structure of LDAP provides for identities, each having a unique distinguished name (or "DN", defined by the linked list of organisational units to which they belong), and roles, defined by the DN's LDAP group membership (such a group is also a form of digital identity).

One of the difficulties in the past has been the use of OU-based matching to RBAC. Since a role can have multiple contexts (the user at home after hours as opposed to at work during work hours), this OU mapping is very inflexible. An ideal IDN system will determine the RBAC and other policies for a user based upon constraints on the various group memberships.
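The contrast drawn above between OU-based role matching and constraint-based role resolution can be made concrete. The following is an added example, not code from the article or from any directory product: it parses an LDAP-style DN, shows the rigid "one role per OU" mapping, and then resolves roles from group membership subject to location and time-of-day constraints. The DN parser, the rule records, the group names and the sample identity (`ALICE_DN`, `ALICE_GROUPS`, `RULES`) are all constructed for illustration.

```python
"""Resolving an identity's roles from LDAP-style data with context constraints.

Added example: the DN parser, the rule records and the sample identity are all
constructed for illustration; they are not a real directory product's API.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, List, Optional, Set


def parse_dn(dn: str) -> Dict[str, List[str]]:
    """Split a distinguished name into its RDN components, keeping the order of
    multi-valued types such as 'ou' (nearest OU first, as written in the DN).
    Simplified: does not handle escaped commas or multi-valued RDNs."""
    parts: Dict[str, List[str]] = {}
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        parts.setdefault(attr.lower(), []).append(value)
    return parts


def roles_by_ou(dn: str) -> Set[str]:
    """The inflexible legacy mapping: one role per organisational unit in the
    DN, with no way to express 'only from the office' or 'only during hours'."""
    return {"ou:" + ou for ou in parse_dn(dn).get("ou", [])}


@dataclass(frozen=True)
class Context:
    location: str      # where the session originates, e.g. "office" / "remote"
    when: datetime     # local time of the access request


@dataclass(frozen=True)
class RoleRule:
    """A group membership grants a role, optionally constrained by context."""
    group: str
    role: str
    locations: FrozenSet[str] = frozenset()   # empty means any location
    start: Optional[time] = None              # inclusive start of a time window
    end: Optional[time] = None                # exclusive end of a time window

    def matches(self, groups: Set[str], ctx: Context) -> bool:
        if self.group not in groups:
            return False
        if self.locations and ctx.location not in self.locations:
            return False
        if self.start is not None and self.end is not None:
            return self.start <= ctx.when.time() < self.end
        return True


# Constructed sample policy: the same group yields different roles by context.
RULES: List[RoleRule] = [
    RoleRule("cn=staff,ou=groups,dc=example,dc=com", "employee"),
    RoleRule("cn=net-admins,ou=groups,dc=example,dc=com", "network-admin",
             locations=frozenset({"office"}), start=time(8, 0), end=time(18, 0)),
    RoleRule("cn=net-admins,ou=groups,dc=example,dc=com", "read-only-admin",
             locations=frozenset({"remote"})),
]

# Constructed sample identity.
ALICE_DN = "cn=alice,ou=eng,ou=acme,dc=example,dc=com"
ALICE_GROUPS: Set[str] = {
    "cn=staff,ou=groups,dc=example,dc=com",
    "cn=net-admins,ou=groups,dc=example,dc=com",
}


def resolve_roles(groups: Set[str], ctx: Context,
                  rules: List[RoleRule] = RULES) -> Set[str]:
    """Roles an identity currently holds: every rule whose group it belongs to
    and whose context constraints are satisfied at this moment."""
    return {rule.role for rule in rules if rule.matches(groups, ctx)}


def roles_at(location: str, hour: int, minute: int = 0) -> Set[str]:
    """Convenience wrapper: Alice's roles from a given place at a given time
    (fixed sample date, constructed)."""
    return resolve_roles(ALICE_GROUPS, Context(location, datetime(2024, 3, 4, hour, minute)))


if __name__ == "__main__":
    print("OU-based:", sorted(roles_by_ou(ALICE_DN)))
    print("office, 10:30:", sorted(roles_at("office", 10, 30)))
    print("remote, 22:15:", sorted(roles_at("remote", 22, 15)))
```

The OU mapping yields the same roles regardless of where or when Alice connects; the rule-based resolver grants the administrative role only on site during hours and a read-only variant when remote, which is the kind of context-aware RBAC the paragraph calls for.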

Vertical and Integrated Solutions

Unified Threat Management (UTM) network security endeavours to blend network and threat controls into a single appliance, under the philosophy of creating a synergy between the processes. Best-of-breed solutions provide some notion of sophisticated management over a particular need set. Both technologies have their role in striking a balance between capability and integration. The IDN approach is in some ways more aligned with UTM in its provisioning of various controls, except that it does so with a focus on the identity rather than on systems.

Many network capabilities can be made to rely upon authentication technologies for the provisioning of an RBAC policy. Packet filtering (firewalls), content-control software, quota management systems and quality of service (QoS) systems are good examples of controls that can be made dependent upon authentication, and therefore upon the user. An example of where user authentication may have no pertinence but controls may still be required is a caching proxy, which distinguishes between a cache hit and a cache miss. It may be possible to integrate cache or QoS with the content-control software, but perhaps not both. The challenge is to integrate these controls so that a user who exceeds a certain download quota can have packet, QoS (on cache hit/miss) and content policies that dynamically change based upon where, when and who.
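To show how those controls compose on identity, the following added example (not the article's or any product's code) evaluates a single flow through a packet-filter check, a role-based content policy, a download quota with cache-hit/miss awareness, and a QoS class that depends on where and when. The roles, quotas, category lists, thresholds and sample flows (`QUOTA_BYTES`, `ALLOWED_CATEGORIES`, `decide`, `SAMPLE_FLOWS`) are all constructed assumptions; the roles are taken as already resolved by an identity authority.

```python
"""Identity-driven per-flow control decision: packet filter, content policy,
quota and QoS composed on who, where and when.

Added example with constructed roles, thresholds and flows; it is not any
product's policy engine.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

GIB = 1024 ** 3

# Per-role daily download quota; an identity with several roles gets the largest.
QUOTA_BYTES: Dict[str, int] = {"employee": 2 * GIB, "network-admin": 10 * GIB}

# Per-role content categories the user may reach. Roles accumulate permissions,
# so a category is denied only when no held role permits it.
ALLOWED_CATEGORIES: Dict[str, FrozenSet[str]] = {
    "employee": frozenset({"business", "collaboration"}),
    "network-admin": frozenset({"business", "collaboration", "vendor-support"}),
}

ADMIN = frozenset({"employee", "network-admin"})
STAFF = frozenset({"employee"})


@dataclass(frozen=True)
class Flow:
    user: str
    roles: FrozenSet[str]       # empty when the session is unauthenticated
    category: str               # classification of the destination content
    bytes_used_today: int
    cache_hit: bool             # served by the caching proxy, no WAN cost
    location: str               # "office" or "remote"
    hour: int                   # local hour of the request


@dataclass(frozen=True)
class Decision:
    allow: bool
    qos_class: str              # "none", "scavenger", "standard" or "priority"
    reason: str


def quota_for(roles: FrozenSet[str]) -> int:
    return max((QUOTA_BYTES.get(r, 0) for r in roles), default=0)


def allowed_categories(roles: FrozenSet[str]) -> Set[str]:
    allowed: Set[str] = set()
    for r in roles:
        allowed |= ALLOWED_CATEGORIES.get(r, frozenset())
    return allowed


def decide(flow: Flow) -> Decision:
    # 1. Packet filter: unauthenticated sessions get no access at all.
    if not flow.roles:
        return Decision(False, "none", "unauthenticated")
    # 2. Content control keyed on the identity's roles.
    if flow.category not in allowed_categories(flow.roles):
        return Decision(False, "none", f"category {flow.category!r} not permitted")
    # 3. Quota: over-quota users are throttled on cache misses only; a cache hit
    #    costs no upstream bandwidth, so it keeps the standard class.
    if flow.bytes_used_today >= quota_for(flow.roles):
        if flow.cache_hit:
            return Decision(True, "standard", "over quota, cache hit")
        return Decision(True, "scavenger", "over quota, cache miss")
    # 4. QoS priority for admins working from the office during business hours.
    if "network-admin" in flow.roles and flow.location == "office" and 8 <= flow.hour < 18:
        return Decision(True, "priority", "admin on site in hours")
    return Decision(True, "standard", "within quota")


# Constructed sample flows covering each branch of the decision.
SAMPLE_FLOWS: List[Flow] = [
    Flow("guest", frozenset(), "business", 0, False, "office", 10),
    Flow("bob", STAFF, "vendor-support", 0, False, "office", 10),
    Flow("alice", ADMIN, "vendor-support", 0, False, "office", 10),
    Flow("bob", STAFF, "business", 3 * GIB, True, "remote", 22),
    Flow("bob", STAFF, "business", 3 * GIB, False, "remote", 22),
    Flow("alice", ADMIN, "business", 3 * GIB, False, "remote", 22),
]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        d = decide(f)
        print(f"{f.user:6} {f.category:15} allow={d.allow!s:5} qos={d.qos_class:9} ({d.reason})")
```

The order of the checks matters: the packet filter and content policy are hard denies and run first, while quota and QoS only shape permitted traffic. The same 3 GiB of usage throttles an employee but not an administrator, and a cache hit is never throttled, which is the "where, when and who" behaviour the paragraph describes.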

Implementations
