How to Protect Your Critical Resources with Identity-based Access Control

Technical Solution Paper
Trusted. Certified. Secure.
How to Protect Your Critical Resources
with Identity-based Access Control
An AEP Networks Technical Solution Paper
Technical Solution Paper
Trusted. Certified. Secure.
Identity-Based Access Control:
An Overview
Background
IT security architects face a sizable challenge when designing a modern network. On one hand, a robust information
access environment that is flexible, resilient and available at any time for a wide variety of constituents has become
a mandatory competitive imperative. On the other hand, broader access to information resources from varied user
communities increases exposure to security threats. The financial, market reputation and lost business impacts resulting
from inappropriate access or loss of control over critical information have become board and C-level management
concerns.
At one time, a perimeter security model implemented with firewalls divided the network and data center resources into
two distinct areas: the “safe” internal LAN, and “unsafe” external networks, such as the Internet. Mission-critical data
and resources were kept within the network, along with most desktop computer-bound users, with a hopefully small
number of access points and firewall ports opened to the outside. In this model, a user outside the perimeter defenses
was the exception, not the rule. Access requirements for those few external users were met by creating a secure data
tunnel that brought them inside the network, creating a virtual private network (VPN).
Today, IT security architects are correctly questioning the notion that the perimeter is the only protection point needed
to secure high-value resources. An increasingly mobile workforce, greater information sharing between business
partners, and globalization trends like outsourcing and off-shoring necessitate an “anytime, anywhere access”
philosophy. In this environment, a perimeter firewall security model becomes insufficient - even obsolete. Threats
from unauthorized user access, malicious code attacks, and compliance auditing initiatives make it necessary to isolate
the most critical data systems and implement additional controls from end to end.
Simply put, traditional perimeter security and “engineered” approaches no longer apply in a world where:
»
Compliance and regulatory considerations force organizations in many industries – healthcare, financial, retail and
government, among others – to prove that they have incorporated effective technology to protect confidential data.
»
Business integrity and reputation concerns surrounding the loss of intellectual property, trade secrets or customer-supplied
information are legitimate; they magnify in the face of potential negative media attention across blogs and other instant
media.
»
Globalization, outsourcing, and off-shoring practices have blurred the boundary between “insiders” and “outsiders”.
Organizations can no longer safely assume that “trusted” employees who are exclusively tethered to the LAN are the
only users accessing their networks.
»
Mobile computing devices leave the building every day. They connect to the Internet and other networks where the
trustworthiness and posture of the device can be lost.
»
The greatest security threats are posed by legitimate network users whose devices may be used inadvertently or intentionally
to access visible corporate resources on open networks.
»
Many threats from the outside have been known to pass directly into the datacenter through opened ports at the perimeter,
such as those used for web and encrypted web traffic.
Technical Solution Paper
Trusted. Certified. Secure.
With these new realities in play, conventional enterprise security methods are no longer sufficient. As a result, IT
professionals are faced with managing remote access, network access control (NAC), branch office network security
and partner extranets in new and innovative ways. Some have turned to contorting existing solutions or engineering
complex infrastructures. Network engineers and network equipment vendors struggle to design add-on controls using
switches, routers and other methods to create so-called “smart” networks. But imposing intelligence in this manner
onto the network is difficult to engineer and implement, costly and unwieldy to maintain, and can limit data bandwidth.
Implementing NAC inside the network fabric is another option, but is similarly difficult to implement and requires
multiple control points that can add to costs and limit NAC’s practicality.
This state of affairs requires a new paradigm governing data access and protection to increase security and simplify
the management burden - an identity-based access control (IBAC) strategy.
What Is Identity-Based Access Control?
The IBAC approach involves identifying the user and making policy enforcement decisions based on identity in order
to fully protect – as well as audit – access to an organization’s most highly valued resources.
Identity-based access control follows these principles:
1. It defines identity and trust policies for who gets access to the corporate network.
2. It stores the identity and access policies of every user in a directory, like LDAP or Active Directory.
3. It authenticates a user’s identity before allowing them to access the network. More advanced IBAC solutions
incorporate identity information at the packet level of the data stream.
4. It incorporates Network Access Control (NAC) functionality by comparing the user’s machine status to the
network’s security policies and takes necessary remediation steps.
5. More sophisticated IBAC solutions provide connectivity depending on the user’s identity and system profile,
and make private data unreachable for who lack the appropriate identity. If the user only has permission to access
email, they won’t be able to retrieve–or even know about–sensitive data on the wider network.
This paper addresses the concerns facing network security architects and introduces AEP IDpoint as an advanced
IBAC solution that meets datacenter security needs and satisfies modern business security challenges.
Technical Solution Paper
Introducing AEP IDpoint: Identity-driven Policy Enforcement
AEP Networks is offering a comprehensive policy enforcement architecture that enables the next generation of enterprise security. The centerpiece of this architecture is the identity enforcement appliance – AEP IDpoint™. IDpoint is a wire-speed, identity-driven, policy enforcement appliance for use in-line with sensitive networked application resources in the datacenter.
As an advanced IBAC product, IDpoint offers organizations an end-to-end security vehicle for real-time provisioning of access
privileges based on the identity, entitlements, and endpoint integrity of the user. Effectively, IDpoint combines the best elements
of traditional security models into a single network device, while infusing the otherwise missing – and critical - element of identity into the network data stream for use as a criteria for making access decisions.
Protected Datacenter
Resources
AEP IDpoint
Any IP Network
IDpoint™
Any User/Any Location
Internal LAN/WAN/Remote User/Branches, Etc.
User Directories
Active Directory
LDAP
AEP PacketTag™: Modifying IP to Meet Modern Business Challenges
In its original design, the Internet Protocol (IP) was written with the goal of connecting everything on the network together easily. Missing from the original definition was any concept of identity. In truth, this represents a shortcoming in the use of IP for
distributed information sharing needs, especially when user-level accountability is a mandate.
IDpoint takes IP one step further by adding identity information directly into the IP payload when needed, and leverages this
information to make policy decisions. IDpoint enforces these identity-based access policies through an innovative technology
called AEP PacketTag.
PacketTag is employed through the IDPoint token, which resides on all client machines that require access to protected resources in the datacenter. The IDPoint token can be manually installed, delivered automatically through software distribution
systems, or provided as a temporary, downloadable agent for guests or remote users who must access high-value resources for
a brief time. Features such as periodic session re-keying, periodic re-authentication and idle timers are built into the token for
added security.
Technical Solution Paper
The token is responsible for collecting the user authentication information and passing it over a secure, encrypted session to
the IDpoint appliance. It is then checked against the appropriate authentication store (RADIUS, Local, RSA, Vasco, Aladdin, PKI certificate, or LDAP, for example). Alternatively, the token can “transparently” capture the user’s Windows NTLM
Domain authentication at initial login.
PacketTag
101100010110001
101100010110001
Protected Resources
AEP IDpoint
10110
PacketTag
10110
IDpoint™
Any User/Any Location
Internal LAN/SAN/Remote User/Branches, etc.
User Directories
Importantly, the token resides silently in the background until an IDpoint-protected resource is requested. When this occurs
the token employs PacketTag technology to inject a digital fingerprint – representing the user’s identity – into only those IP
frames destined for protected resources guarded by IDpoint, enabling non-refutable logging and reporting functions. Only
packets that meet IDpoint’s policy rules are allowed to pass through to the protected data. Other traffic is blocked at the
IDpoint interface and dropped from the network.
Towards Compliance: Reporting for Audits and Regulatory Requirements
Many organizations are compelled through regulatory necessities to prove that they have appropriate mechanisms in place
to protect the confidentiality of private data as well as monitor and track all access attempts to high-value resources. IDpoint
provides such proof through comprehensive logging and reporting of all traffic requiring PacketTag data that traverses the
network; both successful users and denied attempts. This information is available as customizable reports and rolled up to an
executive dashboard to simplify and speed the auditing process, aiding compliance with various institutional regulations.
For example, consider financial institutions compelled under the Payment Card Industry Data Security Standard (PCI) to
protect against security vulnerabilities and threats while controlling access to customer credit card data. In order to limit
the scope of costly audits, financial institutions must prove that they have segmented and isolated resources storing such
information. Given the highly sensitive nature of credit card data, the risk of inappropriate access would be financially devastating and ruinous to an organization’s reputation. Denying inappropriate access from unauthorized users is part of the
task, but financial organizations must also prove that private data was accessed only by appropriate users.
IDpoint solves this challenge by completely isolating the data store and eliminating the possibility of unauthorized user interaction with the information. By tracking the data access by user, IDpoint leaves an extensive audit trail, thus simplifying
compliance auditing for a variety of industries.
Technical Solution Paper
IDpoint: The Benefits of Transparency
Key Benefits of IDpoint
•
•
•
•
•
•
•
•
•
•
•
•
•
Seamless installation: IDpoint pulls in directory
infrastructure already in place and instantly segments
the secure zone.
Stealth mode: Functions as a “transparent”,
undetectable firewall, invulnerable to typical firewall
attacks.
Completely hides and isolates protected resources
making them inaccessible or attackable.
This
greatly reduces the network surface area required for
compliance audits by segmenting a separable “high
security zone” within the enterprise.
Real-time proactive enforcement and control with
comprehensive audit logs
Zero configuration, network transparency: Designed
without IP addresses on the enforcement paths;
allows IDpoint to be placed anywhere on the network,
independent of existing routers, subnets, or IP address
topology
True wire speed enables effective LAN access without
slowing the network
Identity-driven resource access control: User and
group identity harvested from standard directories
(NTLM, Active Directory, LDAP, RADIUS, 2-factor,
smartcards, or AEP proprietary Client-Machine
Identity technology (CMID))
AEP PacketTag™ technology: Digital fingerprint
embedded in all IP packets destined for protected
resources
Targeted NAC endpoint integrity checks: Ensures the
health of the endpoint and incorporates results into
policy decisions before allowing access to critical
systems
Centralized
Policy
Management: Web-based
administration for defining policy sets and rules.
Simplified control in place of complex networkengineered solutions.
Tight integration with AEP Netilla SSL VPN extends
identity-based access control to the network edge
Redundancy and business continuity solutions
available
Built-in logging and reporting aids compliance with
regulatory guidelines
One drawback to deploying a range of network appliances,
routers, switches and firewalls to protect key resources is that
they employ addressable interfaces that advertise their existence across the network, representing obvious targets for attacks, while adding additional network integration and management.
In contrast, IDpoint functions as a transparent, or bridging
“identity firewall”. IDpoint, for example, does not employ IP
addressing on either of its network interfaces. This means:
»
The IDpoint existence on the network is imperceptible to
users, and renders the appliance invulnerable to the exploits
typically launched against network-based security devices,
such as denial of service attacks.
»
With no IP addresses and a wire-speed, bump-in-the-wire
architecture, IDpoint can be installed quickly and easily into
virtually any network topology with zero reconfiguration
of switching, routing, or network equipment. This allows
IDpoint to get to work protecting critical resources with the
lowest possible implementation time.
»
Protected resources are only accessible by packets and users
that meet IDpoint policy; all users who lack the appropriate
identity are unable to even ping – or know about – either the
protected data or the IDpoint appliance itself. Unauthorized
packets lacking the necessary PacketTag identifier are “dropped
on the floor” before they reach protected resources.
Seamless Access Management
Many emerging security architectures seek to “impose intelligence” onto the network with “smart” technology. Unfortunately, this almost always adds complexity and management
headaches, and causes disruption to existing schemes and solutions.
Alternatively, as an inline device, IDpoint integrates into the
network without any modifications to existing designs, simplifying interactions and dependencies among network layer
systems, and providing a single portal for policy management and audit tracking. As part of this philosophy, IDpoint injects
PacketTag identity information into the network stream only when a protected resource is requested, minimizing additional
network overhead.
Technical Solution Paper
Policy Networking: Flexible Intelligence, Invaluable Control Using Existing Directories
Ultimately, the network administrator and business owner’s challenge is to provide access to critical resources while still
retaining fine-grained control. An administrator therefore needs a variety of options for creating access policies to protected
resources. Critically, these options must be simple to configure and maintain, but flexible enough to meet a multitude of
situations.
IDpoint employs this model by supporting a wide range of inputs, not typically available at other points in the network, to
make real-time access control decisions to critical systems. IDpoint starts by leveraging entitlements based on role definitions harvested from leading directory implementations, such as Microsoft ActiveDirectory. This enables the enterprise
to maintain fluid change management processes when people are hired, fired, change jobs or when the job descriptions or
applications themselves transform. Additional inputs effectively combine user identity, target destination, source network,
traditional network-layer firewall functions, device health and machine identity into a single control point where the protection is needed.
Consider an organization that wants remote users on un-managed devices to pass a series of NAC-like endpoint security
tests and authenticate with strong, 2-Factor authentication. These users can be assigned to follow a policy that requires both
functions – as well as the appropriate identity – in order to proceed with access to protected resources.
In another scenario, members of the Finance team need to access customer credit information, while other members of the
organization must not. Indeed, only the highest-ranking members of finance should be able to access such information, and
only from corporate-managed machines inside headquarters, running the latest anti-virus revision. In this scenario, IDpoint
policy can be defined to control access as needed, and log and report all access attempts, both successful and those that
fail.
In the simplest case, IDpoint can be configured to white-list or black-list individual users or groups who access protected
resource under IDpoint’s control. Flexibility and granularity can be easily defined by IDpoint policy.
Importantly, IDpoint policy decisions for user and group associations are based on standard enterprise directory subsystems.
This way, user account maintenance is accomplished though existing workflow systems, and with existing mechanisms.
After access policies are configured in IDpoint, user access is managed within the directory, without increasing the burden
on application owners or system administrators.
Technical Solution Paper
Protecting the Remote User: Extending Identity to the Edge
Providing access to remotely located branches, partners and employees over the public network can expose protected resources to all of the risks residing on the Internet. As a result, VPNs – and in particular, SSL VPNs – have emerged as the
vehicle of choice for extending private resources over the public network, eliminating the need to expose the entire network
to remote users.
In fact, many organizations have already implemented an earlier form of IBAC through an SSL VPN remote access deployment. In this model, only specifically designated resources are “published” on a remote user’s web browser. The rest of
the network is hidden from view. AEP Networks has been offering edge-based policy networking remote access with their
Netilla line of SSL VPNs for many years.
Yet VPN technology by itself is insufficient for protecting high value assets that contain personal data or intellectual property. This is because VPNs pass through the perimeter firewall on encrypted sessions that cannot be monitored by intrusion
detection systems or inspected by firewalls. As a result, remote users bypass an organization’s perimeter security protocols
and are incapable of incorporating identity into the decision-making process.
Applications
A,B,C
Files
X,Y,Z
Protected Resources
Enterprise LAN
AEP Netilla SSL VPN
Internet
or WAN
AEP IDpoint
IDpoint™
Remote Users
(Branch Offices, Partners, Employees)
IDpoint mitigates this danger through tight integration with the AEP Netilla SSL VPN. While other VPNs lose the user’s
identity in the DMZ, IDpoint extends identity enforcement to the WAN by injecting PacketTag information into the user’s
data stream at the remote endpoint. In this way, all members of an organization’s user community can be included in identity-driven access decisions.
Comparing Alternatives
Employing identity to determine access to high-value datacenter resources can represent an integral element of a security
strategy, in part because it facilitates compliance auditing for industries that face such challenges. Given this imperative, a
range of tactics have emerged to address secure access management needs. Choosing the approach best-suited to meet an
organization’s need can be a challenge.
Technical Solution Paper
The following table makes a case for identity-based access control by comparing various security models to the IBAC approach.
Approach
Key Points
Engineering the Network:
(Firewalls, VLANs, static routing)
»
»
»
»
»
»
VPN (IPSec/SSL)
»
»
»
»
Network Access Control (NAC)
»
»
»
»
Identity-based Access Control (AEP IDpoint)
»
»
»
»
»
»
»
»
»
»
»
Predominant methodology in use today
Lacks identity-driven decision making capability
Lacks centralized admin/change control; requires multiple consoles to
change a single policy.
Complex and expensive to manage/troubleshoot/update
Monitoring/auditing/reporting limitations requiring manual consolidation
of multiple reports from multiple sources.
Self-defeating security - creates porous perimeter when accommodating
access needs
Best for WAN/Remote access termination at the network edge
IPSec VPNs lack embedded identity-driven decision making capability
Encrypted traffic defeats Intrusion Protection Systems (IPS), host-asset
or threat-management equipment
Low-bandwidth hardware adds latency and overhead for poor LAN
performance.
Lacks effective auditing/reporting for compliance
NAC is not enough: Once “green-lighted” user is free to ping/discover the
network at will
NAC protects the network, but not data center resources within that
network
Efficient endpoint compliance check (A/V, firewall, device health, patch
level)
Can require costly 802.1x switch upgrades
Highly complex to install/manage/support
Brings security and protection as close as possible to protected
application/resource assets
Injects identity into data stream for wire-speed decision making
Enhances existing perimeter security
Protected resources are invisible to users who lack PacketTag-based token
authority or fail to meet policy rules
Stealth-mode operation eliminates typical firewall attack strategies and
effectively “drops in” existing network infrastructure.
Next-generation targeted NAC: Links user/machine identity, health scans,
AD group policy and authentication for wire-speed access decisions
Greatly simplified network design and management. Combines
authentication, policy, reports and audits into a single console
Delivers end-to-end security from endpoint to data center resources rather
than just network security
Zero overhead for moves, changes and rearrangements of users
Technical Solution Paper
Conclusion
Safeguarding critical network resources and meeting compliance requirements calls for a breakthrough in network technology. What’s needed is an approach that satisfies dynamic business realities and meets expanding security threats. Critical
systems must be isolated and protected before access is granted, while access histories must be gathered as evidence to prove
that strong measures have been deployed to protect the sanctity of high-value data assets.
AEP IDpoint offers a compelling alternative to traditional network security approaches, protecting information from malicious or inappropriate use at all times – both from outside or inside - without overtaxing the IT department in cost, complexity and management.
Contact Us
CORPORATE HEADQUARTERS
347 ELIZABETH AVE., SUITE 100
SOMERSET NJ 08873
TOLL-FREE: 1 877 638 4552
TEL: (+1) 732 652 5200
EUROPE
FOCUS 31, WEST WING
CLEVELAND ROAD
HEMEL HEMPSTEAD
HERTS HP2 7BW U.K.
TEL: (+44) 1442 458 600
GREATER CHINA
(MAINLAND, TAIWAN, HONG KONG)
SHANGHAI, CHINA
TEL: (+86) 136 4626 0288
© 2008 AEP Networks, Inc. All rights reserved. AEP Networks, the AEP Networks logo, IDpoint, PacketTag, and NACpoint are trademarks of
AEP Networks, Inc., with registration pending in the United States. Netilla, SmartGate, SmartPass and SmartAdmin are registered trademarks
of AEP Networks, Inc. All other trademarks or registered trademarks contained herein are the property of their respective owners.
JAPAN, SOUTHEAST
ASIA, AUSTRALIA, NEW
ZEALAND
TEL: (+1) 732-652-5219
www.aepnetworks.com