Identity Based Networking Services (IBNS) December TechChat – Technology Foundation: Part III
This is Part III in the series of technical foundation posts leading up to our December 11 TechChat, “Networks That Know You: Cisco Identity-Based Networking Services”.
Have you ever left the house and forgotten to lock the front door? It can ruin your day, especially if you remember it as you’re pulling up to the office after a grueling commute. But maybe, being a security geek, you’ve installed a security web-cam over the front door. So you fire up your browser and monitor the house. You may not be able to lock the door remotely, but you can at least see if anyone tries to break in.

Authenticating someone’s identity without enforcing some form of authorization is like having an unlocked door with a web-cam: you can’t physically prevent anyone from gaining access, but you can see who goes in and out. This kind of visibility is a non-trivial asset. Knowing that someone is watching may be enough to deter some intruders. Still, authentication (the web-cam) by itself may not be an adequate long-term security policy for most homeowners. The same goes for networks. Once you’ve authenticated endpoints and users with IEEE 802.1X or MAC Authentication Bypass (MAB), it’s time to enforce network access restrictions based on the established identity of that user or endpoint. The rest of this blog looks at the different forms of authorization in Identity-Based Networking Services (IBNS) today.

Default Authorization: The default authorization in an 802.1X-enabled network is binary: on or off. All endpoints and users that pass authentication get full access to the statically configured VLAN on the port. Those that can’t authenticate get no access. This is how 802.1X was originally designed to work. However, this default authorization policy may be too black-and-white for real-world networks. In the real world, giving every authenticated user and device the same level of access in the statically configured VLAN may not offer enough granularity to meet the goals of your security policy. In addition, you may have good reasons to offer limited access to users who can’t authenticate. Other forms of authorization can be used to accomplish these goals.

Dynamic Authorization: Instead of putting all authenticated users into the same static VLAN, some corporations need to be able to grant differentiated access, where one group of known users (“Engineering”) gets access to different network resources than another (“Finance”). Dynamic VLAN assignment is a form of dynamic authorization where the AAA server (the centralized security policy server) tells the switch to assign a VLAN to the port based on the identity of the user or device that authenticated. Engineers go in the Engineering VLAN, accountants go in the Finance VLAN. While this form of dynamic authorization is a powerful tool for differentiating access for different user groups, it comes at a cost. Supporting multiple VLANs on every switch may require changes to the network architecture and addressing scheme. In addition, VLANs isolate traffic at Layer 2 in the OSI stack, so dynamic VLAN assignment by itself cannot restrict access to specific subnets (at Layer 3) or applications (Layer 4 and above). However, dynamic VLAN assignment does provide the foundation for virtualizing IT resources using Network Virtualization Solutions. Get more information on how Network Virtualization can increase security with path isolation and virtualized services.

Local Authorization: With local authorization configured, the switch can allow access to the port in special VLANs in the absence of a successful authentication: endpoints that are not 802.1X capable can be assigned to the Guest VLAN; endpoints that fail 802.1X can be assigned to the Auth-Fail VLAN; endpoints that can’t authenticate because the AAA server is unavailable can be assigned to the Critical-Auth VLAN. With local authorization, endpoints that would otherwise be denied network access entirely can get some form of access.

Different networks need different kinds of authorization policies.
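As an added illustration that is not part of the original post and not Cisco's own code, the following Python model shows how an authenticator (the switch port) combines the three styles of authorization described above into one decision. It parses the RFC 3580 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) carried in a RADIUS Access-Accept to obtain a dynamically assigned VLAN, falls back to the statically configured VLAN when no valid assignment is present (default authorization), and falls back to the Guest, Auth-Fail and Critical-Auth VLANs on the corresponding failure outcomes (local authorization). The `PortConfig` and `AuthResult` names, the VLAN numbers and the constructed Access-Accept bytes are assumptions made for the example; a real switch's behaviour also depends on platform configuration that this model does not represent.

```python
"""Model of how an 802.1X/MAB authenticator (switch port) picks a VLAN.

Dynamic VLAN assignment uses the RFC 2868 tunnel attributes as profiled by
RFC 3580: Tunnel-Type(64)=13 (VLAN), Tunnel-Medium-Type(65)=6 (IEEE-802),
Tunnel-Private-Group-ID(81)=VLAN ID as a string. Anything else falls back to
the static VLAN (default authorization) or, on failure, to the locally
configured Guest / Auth-Fail / Critical-Auth VLANs (local authorization).
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


class AuthResult(Enum):
    SUCCESS = "success"          # Access-Accept from the AAA server
    FAIL = "fail"                # Access-Reject from the AAA server
    NO_RESPONSE = "no-response"  # endpoint never spoke EAPOL (not 802.1X capable)
    SERVER_DEAD = "server-dead"  # AAA server unreachable


@dataclass
class PortConfig:
    """Hypothetical per-port settings; None means that fallback VLAN is not configured."""
    static_vlan: int
    guest_vlan: Optional[int] = None
    auth_fail_vlan: Optional[int] = None
    critical_vlan: Optional[int] = None


def parse_avps(payload: bytes) -> list[tuple[int, bytes]]:
    """Split a RADIUS attribute section into (type, value) pairs; bad lengths raise."""
    avps, offset = [], 0
    while offset < len(payload):
        if offset + 2 > len(payload):
            raise ValueError("truncated AVP header")
        avp_type, avp_len = payload[offset], payload[offset + 1]  # length includes the 2-octet header
        if avp_len < 2 or offset + avp_len > len(payload):
            raise ValueError(f"bad AVP length {avp_len} at offset {offset}")
        avps.append((avp_type, payload[offset + 2:offset + avp_len]))
        offset += avp_len
    return avps


def vlan_from_access_accept(payload: bytes) -> Optional[int]:
    """Return the dynamically assigned VLAN, or None if no valid RFC 3580 triple is present."""
    tunnel_type = medium = group_id = None
    for avp_type, value in parse_avps(payload):
        if avp_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:  # 1 tag octet + 3-octet integer
                raise ValueError("tagged integer attribute must be 4 octets")
            number = int.from_bytes(value[1:], "big")
            if avp_type == TUNNEL_TYPE:
                tunnel_type = number
            else:
                medium = number
        elif avp_type == TUNNEL_PRIVATE_GROUP_ID:
            # The tag octet is optional: present only if the first octet is 0x00-0x1F.
            group_id = (value[1:] if value and value[0] <= 0x1F else value).decode("ascii")
    if tunnel_type != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802 or group_id is None:
        return None
    if not group_id.isdigit():
        return None  # a VLAN *name* would need a local name-to-ID lookup, not modelled here
    vlan = int(group_id)
    return vlan if 1 <= vlan <= 4094 else None


def authorize_port(cfg: PortConfig, result: AuthResult, accept_payload: bytes = b"") -> Optional[int]:
    """Decide which VLAN the port is authorized into; None means no access at all."""
    if result is AuthResult.SUCCESS:
        # Dynamic authorization if the AAA server supplied a VLAN, else default authorization.
        return vlan_from_access_accept(accept_payload) or cfg.static_vlan
    fallback = {  # local authorization: Guest, Auth-Fail and Critical-Auth VLANs
        AuthResult.NO_RESPONSE: cfg.guest_vlan,
        AuthResult.FAIL: cfg.auth_fail_vlan,
        AuthResult.SERVER_DEAD: cfg.critical_vlan,
    }
    return fallback.get(result)


def build_vlan_accept(vlan: int, tag: int = 1) -> bytes:
    """Constructed Access-Accept attribute section that assigns `vlan` (for demos and tests)."""
    def avp(avp_type: int, value: bytes) -> bytes:
        return bytes([avp_type, len(value) + 2]) + value
    tag_byte = bytes([tag])
    return (avp(TUNNEL_TYPE, tag_byte + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + avp(TUNNEL_MEDIUM_TYPE, tag_byte + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + avp(TUNNEL_PRIVATE_GROUP_ID, tag_byte + str(vlan).encode("ascii")))


if __name__ == "__main__":
    # Constructed port: static VLAN 10; Guest 20, Auth-Fail 30, Critical-Auth 40.
    port = PortConfig(static_vlan=10, guest_vlan=20, auth_fail_vlan=30, critical_vlan=40)
    print(authorize_port(port, AuthResult.SUCCESS, build_vlan_accept(100)))  # 100 (dynamic)
    print(authorize_port(port, AuthResult.SUCCESS))                          # 10 (static/default)
    print(authorize_port(port, AuthResult.NO_RESPONSE))                       # 20 (Guest)
    print(authorize_port(port, AuthResult.FAIL))                              # 30 (Auth-Fail)
    print(authorize_port(port, AuthResult.SERVER_DEAD))                       # 40 (Critical-Auth)
```

Two details in the model are worth noting when reviewing a real deployment. First, an Access-Accept whose Tunnel-Medium-Type is not 802 (6), or whose Tunnel-Type is not VLAN (13), is treated as carrying no VLAN assignment, so the endpoint lands in the static VLAN rather than being rejected; that is the default-authorization behaviour described above, and it is worth confirming on the AAA side that the full attribute triple is sent. Second, the fallback VLANs are only used when they are configured: a `None` result means the port authorizes no access at all, which is the original binary 802.1X outcome.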
Many large customers have successfully deployed 802.1X and IBNS on wired networks using the techniques I described above. But other customers still find it challenging to deploy 802.1X. In our Second Life TechChat next week, we’ll talk about new and upcoming innovations in all three kinds of authorization (default, dynamic and local) that will make IBNS simpler to deploy and easier to customize.

Written by Shelly Cadora, PhD

Shelly will be one of our speakers during the December Cisco Live in Second Life TechChat. She is a technical marketing engineer for Identity-Based Networking solutions. She is a 10-year Cisco veteran with a CCIE in Routing and Switching (#16318). Prior to becoming involved with Identity and 802.1X, she was involved in the development of the ASA firewall and Cisco IP Telephony solutions.