Home >> Insights  >>

Identity Aware Enterprise Network

by Bibhuti Kar, - Sr Director, Engineering (Security Technologies), Cisco March-2018

Today’s enterprise is way more accommo­dating than it used to be a few years ago. Unprecedented pursuit for productivity has shaped a work culture of real time information, decimation and consump­tion. This has also blurred the boundary between “personal vs. work”, both in space and time.

An employee gets critical information relating to work on his own devices (BYOD) both inside and out­side the work boundary. He / She also takes his per­sonal IOT devices (like a blood sugar monitor or a smart watch) to work and hooks it to the enterprise network. Through hard configured network segmentation or VLANs, traditional enterprise network has been keep­ing up with this change. Each user (or device) group has its own VLAN to have the necessary isolation between groups. Each VLAN requires address space and provi­sioning, and needs to be mapped to an upstream routed network interface, which may need to use static access control lists (ACLs) or virtual routing and forwarding (VRF) functions to maintain the isolation. If some in­teraction between user segments is desirable or shared services are delivered to multiple user groups, controlled interactions tend to be defined in static switch and router configurations, which can become complicated, time consuming and error prone. Moreover, controlling communication within a VLAN or segment is difficult to enforce. IP Address based access list may look easy to deploy, but as the access roles start becoming com­plex to reflect dynamic business rules, it becomes more complex. The IT department needs to create policies on Firewall, Web proxy, NAC etc.

Having a completely open enterprise network opens itself to insider security threats. As per the 2016 mid-year Security Report, close to 50 percent of the cyber attacks are originated by insiders. Some are malicious, but most of them are negligent and purely accidental. To begin with, today’s enterprise network needs per­vasive identity awareness. When the user accesses a network, he is authenticat­ed using 802.1x and AD credentials. These credentials collected once at the ingress into enterprise network can be carried across the entire network, so that different entities like firewall, NAC or web proxy do not need to gather the identity again and again. Technology such as Cisco TrustSec provides the ability to tag each Ethernet frame ingressing the enterprise from the user’s (employ­ee or guest) device with a security group tag (SGT). In essence, each frame entering the network has inbuilt identity awareness.

Once we have identity awareness at the L2 frame lev­el, identity aware policies can be applied to these frames by any node or appliance in the network. Cisco TrustSec can use location awareness, time-range, access type, AD attributes like member-of, and compound condition statements to make a security group tag decision. Once the decision is made you can then enforce policy using VLAN assignment, down­loadable ACLs and security group ACL policies. For example, if an employee from HR department accesses the network using his wired laptop at work­place, or a personal iPAD, his AD credentials will have member of “HR Group” attributes. A policy server then sends down a SGT (say 130 for HR group) for that port of the access switch. The switch then puts the SGT of 130 in every Ethernet frame that originates from the employ­ees device. As that frame traverses the network head­ing toward its destination any network device in its path can read the SGT and apply a security policy to it. One of the options today is to apply a security group ACL (SGACL) to the frame. If the frame is destined for a server that is a member of SGT 110 (Say Finance Dept), the admin can set a policy that says if SGT 130 talks to SGT 110 then deny all TCP ports 443. TrustSec creates an ACL based on STG values and not IP addresses. We no longer have to create ACLs based on IP addresses and instead use a group based identity tag that is a part of the frame. This is the beginning of business-rules based access and security policy management.

Overall, an identity aware enterprise network has multiple benefits:

Reduction in Opex: Through automated, simple and agile firewall and access control administration.

Policy Simplification: Based on business rules and roles instead of VLANs and other networking details.

Enhanced Security: By keeping a trace of creden­tials in every frame from the time of access. It also eliminated admin and human errors, negligence and accidental vulnerabilities.