AuthenticationWorld.com

The business of authentication

Network Access Control


The challenge facing modern enterprise network administrators is how to handle the different types of users and devices that enter the network, both remotely and from within the enterprise. How is an enterprise to manage the identities of users, devices, locations and applications, and at the same time perform host integrity checks? How do enterprises create a single point of policy enforcement and eliminate the existing security policy silos? The answer lies in layered, identity-based enterprise security.

First Layer - Identity Registration

The first layer is to do identity checks on workers who will be entering the enterprise electronically. Remembering the adage that 80% of attacks come from within the enterprise, it's important to screen out people with a criminal past. As well, you should be doing the same for your janitors (review the paper "Why your use of id and password is likely a joke").

Second Layer - User Training

Are you currently doing any ongoing training with your users about email, trojans, phishing and pharming attacks? If not, why not? One of the easiest ways to break into an enterprise is to use email with an MS Office attachment containing malware. When the user clicks on it, the malware is released behind the firewall. At a minimum, you should be doing some kind of regular training to remind workers to be very vigilant about what they click on in an email.

Third Layer - Device Security

The third layer is the actual device or appliance the user is coming in from. A modern enterprise uses network hardware/software appliances that intercept all enterprise network requests. The appliance then determines the integrity of the host by scanning the user's PC, laptop, wireless or handheld device to see whether the device meets acceptable security configurations. Devices that don't meet the configuration are immediately transferred into a quarantine area where remediation is offered to the device.
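The following is an added example (not from the AuthenticationWorld.com paper) of the host integrity check described above: a posture report from the connecting device is evaluated against a minimum acceptable configuration, and the device is either admitted to the production network or assigned to a quarantine area together with the list of remediation steps it needs. The policy thresholds, device names, process names and posture reports are constructed for illustration.

```python
"""Host integrity check with quarantine and remediation.

Added example (not from AuthenticationWorld.com): a NAC appliance receives a
posture report from the connecting device and either admits it or moves it to
quarantine with a remediation list. Policy values and reports are constructed.
"""
from dataclasses import dataclass, field
from datetime import date

# Minimum acceptable configuration (assumed policy, not from the paper).
POLICY = {
    "min_os_patch_level": date(2006, 3, 1),       # baseline of required patches
    "max_av_signature_age_days": 7,               # anti-virus signatures must be fresh
    "required_firewall": True,
    "forbidden_processes": {"p2pshare.exe", "keylog.exe"},  # constructed names
}

@dataclass
class Posture:
    """What the device reports about itself when it connects."""
    device_id: str
    os_patch_level: date
    av_signature_date: date
    firewall_enabled: bool
    running_processes: set = field(default_factory=set)

@dataclass
class Decision:
    vlan: str            # "production" or "quarantine"
    remediation: list    # steps offered to the device before it is re-checked

def evaluate_posture(p: Posture, today: date, policy=POLICY) -> Decision:
    """Return the network assignment and every remediation step for one device."""
    remediation = []
    if p.os_patch_level < policy["min_os_patch_level"]:
        remediation.append("install OS patches up to %s" % policy["min_os_patch_level"])
    if (today - p.av_signature_date).days > policy["max_av_signature_age_days"]:
        remediation.append("update anti-virus signatures")
    if policy["required_firewall"] and not p.firewall_enabled:
        remediation.append("enable host firewall")
    bad = p.running_processes & policy["forbidden_processes"]
    if bad:
        remediation.append("remove prohibited software: " + ", ".join(sorted(bad)))
    # Any single failure quarantines the device; it still receives the full
    # list so it can be fixed in one pass instead of bouncing in and out.
    vlan = "quarantine" if remediation else "production"
    return Decision(vlan, remediation)

# Constructed posture reports from two devices.
TODAY = date(2006, 6, 15)
SAMPLE_DEVICES = [
    Posture("laptop-01", date(2006, 5, 20), date(2006, 6, 14), True),
    Posture("laptop-02", date(2005, 12, 1), date(2006, 5, 1), False,
            {"p2pshare.exe", "outlook.exe"}),
]

if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        d = evaluate_posture(dev, TODAY)
        print(dev.device_id, "->", d.vlan, d.remediation)
```

The check deliberately collects every failing item rather than stopping at the first one, so the remediation offered in quarantine is complete and the device does not return to quarantine for a second, previously unreported problem.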

Fourth Layer - User's Identity Initial Authentication

The next security layer is to take the user's identity and determine what network access is applicable using the user's access rights. This layer of security interacts with the enterprise identity authentication, authorization and audit security engines to determine the authentication required. Normally, the hardware device and/or the enterprise single sign-on system challenge the user for the required authentication. The authentication response is then normally checked against the enterprise LDAP (Lightweight Directory Access Protocol) directory. This often involves multi-factor authentication using user IDs, passwords, digital certificates, security tokens, smart cards and biometrics.

Fifth Layer - Quick Provisioning and De-provisioning

When a user no longer requires access to your enterprise, an application, building, room, network, etc., how long does it take until they are de-provisioned? Many enterprises have weak or poor provisioning and de-provisioning processes. In today's age, this puts the enterprise at greater risk, since a user who is gone may still have access to the enterprise. Put in place the infrastructure to quickly add, adjust or remove someone's physical or electronic access to your enterprise.

Sixth Layer - Stronger Authentication

As the enterprise risk rises for networks, applications and information access, so too must the strength of the authentication layers. The financial system, payroll and payables are all higher risk. So too are users who hold super-user privileges like senior network administrators.

For all of the medium and higher risk applications, your enterprise should be using a graded series of stronger authentication. For instance, low to medium risk might be addressed by the user providing their id, password and a digital certificate. Medium risk should be addressed by the user providing things like a SecurID token along with their id and a password. Medium to high risk should be addressed by the user providing something like a smart card, a SecurID token, a biometric and a second unique password.

Seventh Layer - Re-Imaging Network Operating Systems

When your enterprise gets hit by a successful rootkit attack in the future, what are you going to do? Currently, Microsoft recommends re-imaging all infected computers on the network. This could effectively slow down the enterprise and stop most IT department activities as personnel scramble to deal with the rootkit. Avoid this by having a plan in place that will quickly, and at low cost, re-image the network and stop the infection from spreading or, worse, re-appearing.

Eighth Layer - Transaction Authentication

You must assume that all the previous layers have been breached. How do you protect your enterprise crown jewels? You need to deploy transaction authentication for your high risk information, applications and networks.

In transaction authentication, software watches the following:

  • IP address being used by the user
  • Geo-location of the user
  • Time of day the event is occurring
  • Historical user pattern
  • Computer hardware the user is using

If any of these criteria are different from what is expected, even after a successful authentication, the transaction authentication software will start alarm bells ringing in the enterprise. This may result in:

  • The user being asked all sorts of personal questions to verify it is really them
  • Security or business managers being paged in real time
  • The event, process or transaction refused
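The following is an added example (not from the AuthenticationWorld.com paper) of the transaction authentication logic just described: each request that has already passed authentication is compared with the user's expected context (source network, geo-location, time of day, device and historical pattern), the deviations are scored, and the score selects one of the escalations listed above. The profile fields, signal weights, thresholds and sample transactions are constructed; a real deployment learns the profile from the user's history and tunes the thresholds to the application's risk.

```python
"""Transaction authentication: re-check an already-authenticated request
against the user's expected context and escalate on deviation.

Added example (not from AuthenticationWorld.com): profile fields, weights,
thresholds and sample transactions are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

@dataclass
class Profile:
    user: str
    networks: list          # usual source networks (ip_network objects)
    countries: set          # usual geo-locations
    hours: range            # usual hours of day
    devices: set            # known hardware fingerprints
    typical_amount: float   # historical pattern: usual transaction size

@dataclass
class Transaction:
    user: str
    src_ip: str
    country: str
    when: datetime
    device: str
    amount: float

# Points added per deviating signal (assumed weights; geo-location weighs most).
WEIGHTS = {"ip": 2, "geo": 3, "time": 1, "device": 2, "pattern": 2}

def score_transaction(profile, txn):
    """Return (risk score, list of signals that differ from the profile)."""
    deviations = []
    ip = ip_address(txn.src_ip)
    if not any(ip in net for net in profile.networks):
        deviations.append("ip")
    if txn.country not in profile.countries:
        deviations.append("geo")
    if txn.when.hour not in profile.hours:
        deviations.append("time")
    if txn.device not in profile.devices:
        deviations.append("device")
    if txn.amount > 5 * profile.typical_amount:   # assumed "unusual size" threshold
        deviations.append("pattern")
    return sum(WEIGHTS[d] for d in deviations), deviations

def decide(score):
    """Map the score to the escalations the paper lists (assumed thresholds)."""
    if score == 0:
        return "allow"
    if score <= 3:
        return "challenge"        # ask the user verification questions
    if score <= 6:
        return "challenge+page"   # also page security/business managers in real time
    return "refuse"               # refuse the event, process or transaction

# Constructed profile and transactions.
PROFILE = Profile(
    user="alice",
    networks=[ip_network("10.20.0.0/16"), ip_network("203.0.113.0/24")],
    countries={"CA"},
    hours=range(7, 20),
    devices={"fp-a1b2"},
    typical_amount=1500.0,
)
SAMPLE_TXNS = [
    Transaction("alice", "10.20.5.7", "CA", datetime(2006, 6, 15, 10, 30), "fp-a1b2", 1200.0),
    Transaction("alice", "198.51.100.9", "CA", datetime(2006, 6, 15, 9, 0), "fp-a1b2", 1200.0),
    Transaction("alice", "198.51.100.9", "RO", datetime(2006, 6, 15, 3, 15), "fp-zz99", 20000.0),
]

if __name__ == "__main__":
    for t in SAMPLE_TXNS:
        score, why = score_transaction(PROFILE, t)
        print(t.src_ip, t.country, score, why, "->", decide(score))
```

The second sample transaction shows the point of this layer: the credentials were correct, but an unfamiliar source network alone is enough to demand a further challenge, and the third, with every signal off, is refused regardless of the successful login.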


Ninth Layer

The final layer of defense is the ability to quickly go back in minutes, hours, days, weeks or months to find out every network, application, information resource, type of device used, building and room that the identity used at a specific point in time. All too often, the audit data from an application audit trail is very hard to interpret and, worse, hard to integrate with audit data from other applications.

Get a team organized to provide an end-to-end user audit that is quickly available and easy to access and use. This will help you find out where problems and breaches occurred and then prepare remedial action.
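As an added example of the end-to-end audit this layer calls for (not from the AuthenticationWorld.com paper), the script below normalizes records from three differently formatted audit trails, maps each system's local identifier to one enterprise identity, and answers "what did this identity use between two points in time?". The log formats, the identity mapping and the sample records are constructed to stand in for a VPN concentrator, a business application and a building access system.

```python
"""End-to-end identity audit: normalize records from several audit trails
and answer "what did this identity use between T1 and T2?".

Added example (not from AuthenticationWorld.com): the log formats, the
identity mapping and the records are constructed for illustration.
"""
import re
from datetime import datetime

# Constructed raw audit lines, each in its own system's native format.
VPN_LOG = """\
2006-06-15 08:02:11 vpn01 session-start user=btran src=198.51.100.9
2006-06-15 08:40:03 vpn01 session-end user=btran src=198.51.100.9
"""
APP_LOG = """\
[15/Jun/2006:08:05:47] payroll UID=bob.tran ACTION=view-report REPORT=Q2-salaries
[15/Jun/2006:08:07:02] payroll UID=bob.tran ACTION=export REPORT=Q2-salaries
[15/Jun/2006:09:15:30] payroll UID=alice.ng ACTION=view-report REPORT=Q2-salaries
"""
BADGE_LOG = """\
20060615,081233,0002,HQ-B1,server-room,granted
20060615,094500,0001,HQ-B1,lobby,granted
20060615,120000,0009,HQ-B1,lobby,denied
"""

# Constructed mapping from each system's local identifier to one enterprise identity.
IDENTITY_MAP = {
    ("vpn", "btran"): "e101", ("app", "bob.tran"): "e101", ("badge", "0002"): "e101",
    ("vpn", "ang"): "e100",   ("app", "alice.ng"): "e100", ("badge", "0001"): "e100",
}

VPN_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) user=(\S+) src=(\S+)$")
APP_RE = re.compile(r"^\[([^\]]+)\] (\S+) UID=(\S+) ACTION=(\S+) REPORT=(\S+)$")

# Each parser returns (timestamp, system, local id, resource, action, detail).
def parse_vpn(line):
    m = VPN_RE.match(line)
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, "vpn", m.group(4), m.group(2), m.group(3), m.group(5)

def parse_app(line):
    m = APP_RE.match(line)
    ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")
    return ts, "app", m.group(3), m.group(2), m.group(4), m.group(5)

def parse_badge(line):
    d, t, badge, building, room, result = line.split(",")
    ts = datetime.strptime(d + t, "%Y%m%d%H%M%S")
    return ts, "badge", badge, building + "/" + room, result, ""

SOURCES = [(VPN_LOG, parse_vpn), (APP_LOG, parse_app), (BADGE_LOG, parse_badge)]

def build_audit_index(sources):
    """Group normalized events by enterprise identity, each list in time order.
    Local ids with no mapping are kept under 'UNMAPPED:<id>' so they are not lost."""
    index = {}
    for text, parser in sources:
        for line in text.splitlines():
            if not line.strip():
                continue
            ts, system, local_id, resource, action, detail = parser(line)
            identity = IDENTITY_MAP.get((system, local_id), "UNMAPPED:" + local_id)
            index.setdefault(identity, []).append((ts, system, resource, action, detail))
    for events in index.values():
        events.sort()
    return index

def trail(index, identity, start, end):
    """Every (ts, system, resource, action, detail) the identity produced
    between the two ISO-8601 timestamps, inclusive."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return [e for e in index.get(identity, []) if lo <= e[0] <= hi]

if __name__ == "__main__":
    idx = build_audit_index(SOURCES)
    for ev in trail(idx, "e101", "2006-06-15T08:00:00", "2006-06-15T09:00:00"):
        print(ev)
```

The identity mapping is what makes the trail end-to-end: without it, the VPN username, the application user id and the badge number look like three unrelated people, and the unmapped bucket is worth reviewing on its own since it lists credentials the directory cannot tie to anyone.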

CONCLUSION

Controlling network access is therefore heavily dependent upon the underlying identity infrastructure, since this information is used to authenticate and authorize the user before enabling them to access networks, systems, applications and information. A layered network access control security strategy is required in order to adequately protect the enterprise based on its own internal risk assessment.

Network Access Control Security Strategy 2006 - A white paper
