How It Might Work
Before a user gets to the network there is usually some form of machine authentication; this probably verifies and configures the system for some basic level of access. Short of mapping a user to a MAC address before or during this process (802.1X), it is not simple to have users authenticate at this point. It is more usual for a user to attempt to authenticate once the system processes (daemons) have started, and this may well require the network configuration to have already been performed.
It follows that, in principle, the network identity of a device should be established before permitting network connectivity, for example by using digital certificates as device identifiers in place of hardware addresses, which are trivial to spoof. Furthermore, a consistent identity model has to account for typical network devices such as routers and switches, which can't depend on user identity since no distinctive user is associated with the device. Absent this capability in practice, however, strong identity is not asserted at the network level.
The first task when seeking to apply Identity Driven Network controls is some form of authentication, if not at the device level then further up the stack. Since the first piece of infrastructure placed upon a network is often a network operating system (NOS), there will often be an Identity Authority that controls the resources that the NOS contains (usually printers and file shares). There will also be procedures to authenticate users onto it. Incorporating some form of single sign-on means that the flow-on effect to other controls can be seamless.
Many network capabilities can be made to rely upon authentication technologies for the provisioning of an access control policy.
For instance, packet filtering (firewalls), content-control software, quota management systems and quality of service (QoS) systems are good examples of where controls can be made dependent upon authentication.
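The following added example (not part of the original article) sketches a packet-filter and QoS decision keyed on authenticated identity rather than on source address alone. The group names, role names, port sets and session table are constructed assumptions, and the session table stands in for whatever the Identity Authority reports after sign-on.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy table: identity attribute -> (allowed destination ports, QoS rank, QoS class).
GROUP_POLICY = {
    "staff":   ({80, 443, 445, 631}, 1, "standard"),   # web, file shares, printers
    "finance": ({443, 1433}, 2, "priority"),
}
ROLE_POLICY = {
    "router": ({22, 161, 179}, 3, "control"),  # device with no associated user
}
# Basic access granted after machine configuration, before any user signs on:
# just enough to reach the identity authority (constructed port set).
BASELINE = ({53, 88, 389}, 0, "best-effort")

@dataclass(frozen=True)
class Session:
    device_cert_verified: bool = False      # device identity proven by certificate, not MAC
    device_role: Optional[str] = None       # set for infrastructure devices
    user_groups: frozenset = frozenset()    # asserted by the identity authority at sign-on

def effective_policy(s: Session):
    """Merge baseline access with whatever the authenticated identity adds."""
    ports, rank, qos = set(BASELINE[0]), BASELINE[1], BASELINE[2]
    grants = [GROUP_POLICY[g] for g in s.user_groups if g in GROUP_POLICY]
    # A device role only counts when the device proved its identity cryptographically.
    if s.device_cert_verified and s.device_role in ROLE_POLICY:
        grants.append(ROLE_POLICY[s.device_role])
    for g_ports, g_rank, g_qos in grants:
        ports |= g_ports
        if g_rank > rank:
            rank, qos = g_rank, g_qos
    return ports, qos

def decide(sessions: dict, src_ip: str, dst_port: int):
    """Packet-filter decision keyed on the session's identity; unknown sources are denied."""
    s = sessions.get(src_ip)
    if s is None:
        return ("deny", None)
    ports, qos = effective_policy(s)
    return ("allow", qos) if dst_port in ports else ("deny", None)

# Constructed session table (documentation addresses from RFC 5737).
SESSIONS = {
    "192.0.2.10": Session(user_groups=frozenset({"staff"})),
    "192.0.2.11": Session(user_groups=frozenset({"staff", "finance"})),
    "192.0.2.12": Session(),                                          # configured, no user yet
    "192.0.2.1":  Session(device_cert_verified=True, device_role="router"),
    "192.0.2.66": Session(device_role="router"),                      # role claimed, no certificate
}
```

The last session shows why the device role is tied to certificate verification: a role asserted without proof of identity falls back to baseline access only.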