Identity-based Policy Enforcement.

Citation

  • A LAN Security Best Practice Whitepaper by Nevis Networks

Abstract

This whitepaper focuses on the evolving nature of LAN security in today’s enterprise in light of a dissolving network perimeter and the need for an identity-based solution to address new requirements. Network security policies arise from compliance and risk management initiatives across multiple lines of business throughout the organization. Security, compliance and business requirements are articulated in a readable policy built up from basic identity, role and group definitions, or can be read as network security access decisions that are mapped to user profiles. Identity is at the core of enterprise policies.

Network infrastructure, and network security solutions built on top of the infrastructure, are not identity-aware, since network packet headers provide information about machine addresses and location, not user information. Enforcing identity-based policies with identity-blind systems has proven to be a futile endeavor, in light of increasingly complex security policies, open networks, mobile systems, and unmanaged endpoints. The dilemma facing network security administrators has become an insurmountable obstacle and cash drain, resulting in poorly designed security models being implemented at the wrong places in the network. Exacerbating the problem is that without an identity-aware network infrastructure, it is almost impossible to demonstrate compliance with the identity-based policy initiatives. The events of interest are occluded in the network cloud of machine-address-based technology.

The solution is to build user identity knowledge into the network fabric, and enforce identity-based policies within the secure network. Network security policies can then be easily mapped from the definition stage into the network security architecture, with clear visibility to user activity through the enforcement, remediation and reporting phases. This offers a clear ROI by greatly improving network administration and user management costs, reducing the complexity of ill-fitting network security infrastructure, as well as reducing the costs of managing policy breaches and compliance reporting. Security policy enforcement is moving into the network to address the dissolving network perimeter problem, and when it does, the network infrastructure and the security policy enforcement layer must be identity-aware.
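To make the abstract's central point concrete, here is an added illustration (not code from the Nevis whitepaper or product) contrasting an address-only ACL with a minimal identity-aware enforcement point; the role policy, the user-to-address bindings and the audit record are all constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Constructed role-based policy: role -> list of (destination network, port) allowed
POLICY = {
    "finance": [("10.0.5.0/24", 1433)],     # finance may reach the ERP database
    "contractor": [("10.0.9.0/24", 443)],   # contractors only reach the web portal
}
@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int

class IdentityAwarePEP:
    """Enforcement point that binds an authenticated user to the address it holds."""
    def __init__(self, policy):
        self.policy = policy
        self.bindings = {}  # src_ip -> (user, role), learned at login, removed at logout
        self.audit = []     # every decision records the user, not only the address

    def bind(self, ip, user, role):
        self.bindings[ip] = (user, role)

    def unbind(self, ip):
        self.bindings.pop(ip, None)

    def decide(self, flow):
        user, role = self.bindings.get(flow.src_ip, (None, None))
        allowed = any(ip_address(flow.dst_ip) in ip_network(net) and flow.dst_port == port
                      for net, port in self.policy.get(role, []))
        self.audit.append({"user": user or "unknown", "src": flow.src_ip,
                           "dst": flow.dst_ip, "port": flow.dst_port, "allowed": allowed})
        return allowed

def ip_only_acl(flow, allowed_src_nets):
    """Identity-blind rule: decides purely on the source address in the packet header."""
    return any(ip_address(flow.src_ip) in ip_network(net) for net in allowed_src_nets)

def run_scenario():
    """Constructed scenario: two users hold the same DHCP address one after the other."""
    pep = IdentityAwarePEP(POLICY)
    erp = Flow("10.0.1.20", "10.0.5.10", 1433)
    pep.bind("10.0.1.20", "alice", "finance")
    first = pep.decide(erp)       # True: finance role, ERP port
    pep.unbind("10.0.1.20")
    pep.bind("10.0.1.20", "bob", "contractor")
    second = pep.decide(erp)      # False: same address, different identity and role
    blind = ip_only_acl(erp, ["10.0.1.0/24"])  # True: the ACL cannot tell them apart
    return first, second, blind, [e["user"] for e in pep.audit]
```

The audit entries carry the user name, which is what a compliance report needs and what an address-only log cannot supply once the lease changes hands.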

Annotations

  • Identity is at the core of enterprise policies
  • Internal firewalls and VLANs are not identity-aware
  • The underlying network infrastructure has no notion of the identity of the user
  • Enforce in the network rather than on the untrusted endpoint
  • Without making expensive, unmanageable changes to the network itself
  • Policy definition phase
  • Policy enforcement phase
  • Monitoring, reporting and incident response phase

Attached figures: nevis_1.png, nevis_2.png

Topic revision: r1 - 17 Oct 2007 - 14:27:28 - QiLiao