Why Should I Care About Identity?
The majority of resource misuse and unauthorized access to traditional networks comes from internal sources. Identifying users and devices attempting to access the corporate network is the first step of any security solution.
Validating the identity of users and devices can also let network administrators provision services and allocate resources to users based on their job functions.
To be truly effective, the security policy must use identity in a way that does not disrupt business or make authorized access prohibitively difficult.
What Are the Problems to Solve?
A comprehensive network-security policy must keep the outsiders out and the insiders honest. Specific goals should be:
Preventing external hackers from having free rein in the network
Allowing only authorized users into the network
Preventing network attacks from within
Providing different layers of access for different kinds of users
What Is 802.1x?
802.1x is a set of standards that describe a Layer 2 protocol used for transporting higher-level authentication protocols. It is the language used to carry the information payload (for example, a name and password) between an endpoint (client) and the authenticator (server).
Extensible Authentication Protocol
The Extensible Authentication Protocol (EAP) is a flexible protocol that carries authentication information. The authentication information can include user passwords or predefined security keys.
EAP typically rides on top of another protocol, such as 802.1x or Remote Authentication Dial-In User Service (RADIUS), which carries the authentication information between the client and the authenticating authority.
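The EAPOL encapsulation the two sections above describe, as an added example in Go; this is not code from the original page or from any vendor. It builds the 802.1X header around an EAP Request/Identity and Response/Identity, runs the first round trip from both sides, and rejects frames whose length fields do not match the bytes actually received. The identity string and the identifier value are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// EAP codes and types (RFC 3748) and the EAPOL packet type that carries EAP (IEEE 802.1X).
const (
	eapRequest      = 1
	eapResponse     = 2
	eapTypeIdentity = 1
	eapolEAPPacket  = 0
)

// buildEAP encodes one EAP packet: Code(1) Identifier(1) Length(2) Type(1) Type-Data.
// For a Request/Identity the data is empty; for a Response/Identity it is the identity string.
func buildEAP(code, id, typ byte, data string) []byte {
	n := 5 + len(data)
	return append([]byte{code, id, byte(n >> 8), byte(n), typ}, data...)
}

// wrapEAPOL prefixes the 802.1X header: Version(1), Type(1), Length(2). This is the Layer 2
// transport the text describes; the switch forwards the EAP payload without interpreting it.
func wrapEAPOL(eap []byte) []byte {
	return append([]byte{2, eapolEAPPacket, byte(len(eap) >> 8), byte(len(eap))}, eap...)
}

// parseEAPOL strips the 802.1X header, rejecting frames whose length field overruns the frame.
func parseEAPOL(frame []byte) ([]byte, error) {
	if len(frame) < 4 || frame[1] != eapolEAPPacket {
		return nil, errors.New("not an EAPOL EAP-Packet frame")
	}
	n := int(frame[2])<<8 | int(frame[3])
	if len(frame) < 4+n {
		return nil, errors.New("EAPOL length field exceeds frame")
	}
	return frame[4 : 4+n], nil
}

// parseEAP validates the EAP header and returns code, identifier, type and type-data.
func parseEAP(eap []byte) (code, id, typ byte, data []byte, err error) {
	if len(eap) < 5 {
		return 0, 0, 0, nil, errors.New("EAP packet too short")
	}
	if int(eap[2])<<8|int(eap[3]) != len(eap) {
		return 0, 0, 0, nil, errors.New("EAP length mismatch")
	}
	return eap[0], eap[1], eap[4], eap[5:], nil
}

// identityExchange runs the first 802.1X round trip: the authenticator asks for an identity,
// the supplicant answers with the same identifier, and the authenticator accepts only a
// Response that matches its outstanding Request. It returns the identity the switch would
// then hand to the authentication server.
func identityExchange(supplicantIdentity string, reqID byte) (string, error) {
	request := wrapEAPOL(buildEAP(eapRequest, reqID, eapTypeIdentity, ""))
	// supplicant side: unwrap the request and answer it
	reqEAP, err := parseEAPOL(request)
	if err != nil {
		return "", err
	}
	_, id, typ, _, err := parseEAP(reqEAP)
	if err != nil || typ != eapTypeIdentity {
		return "", errors.New("unexpected request")
	}
	response := wrapEAPOL(buildEAP(eapResponse, id, eapTypeIdentity, supplicantIdentity))
	// authenticator side: unwrap, and reject a response that does not answer the open request
	respEAP, err := parseEAPOL(response)
	if err != nil {
		return "", err
	}
	code, rid, typ, data, err := parseEAP(respEAP)
	if err != nil || code != eapResponse || rid != reqID || typ != eapTypeIdentity {
		return "", errors.New("response does not match outstanding Request/Identity")
	}
	return string(data), nil
}

func main() {
	id, err := identityExchange("alice@example.com", 42) // constructed identity and identifier
	fmt.Println(id, err)
	// a truncated frame must be rejected rather than parsed past its end
	_, err = parseEAPOL([]byte{2, 0, 0, 40, 2, 1, 0, 5})
	fmt.Println("truncated frame:", err)
}
```

The identifier check is the small piece of state an authenticator keeps per port; it is what lets it discard stale or unsolicited responses before anything reaches the authentication server.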
What Does Identity Do for Me?
Identity not only prevents unauthorized access, but it also lets you know who and where your insiders are. After you know who is on the network, you can apply policies on a per-user basis. This solid, comprehensive security solution actually enhances the usability of the network rather than reducing it. Some examples of the advantages of an identity-based security solution appear in the following figure.
Preventing Unwanted Access
Working with Authentication Servers
802.1x is only half of the identity story. A service must authenticate the information carried by 802.1x. This authentication can come from name and password validation using a RADIUS or Terminal Access Controller Access Control System (TACACS) server or from digital signatures confirmed by a third-party validation service such as public-key infrastructure (PKI).
RADIUS is a protocol that communicates between a network device and an authentication server or database. RADIUS allows a network device to securely pass login and authentication information (username/password), as well as arbitrary attribute-value pairs using vendor-specific attributes (VSAs). RADIUS can also act as a transport for EAP messages. The name RADIUS refers to both the server and the protocol.
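An added Go example, not the page's own code, of RADIUS acting as the transport for EAP as the paragraph above states: the network device wraps the EAP packet in EAP-Message attributes of an Access-Request, and the server checks the Message-Authenticator that RFC 3579 requires before it reads anything inside. The shared secret, the Request Authenticator value and the EAP payload are all constructed; a real client draws a fresh random Request Authenticator for every request.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/md5"
	"encoding/binary"
	"errors"
	"fmt"
)

// RADIUS code and attribute types (RFC 2865, RFC 3579).
const (
	accessRequest            = 1
	attrUserName             = 1
	attrEAPMessage           = 79
	attrMessageAuthenticator = 80
)

// attr encodes one Type-Length-Value attribute; the one-byte length caps a value at 253 bytes,
// which is why long EAP packets are split across several EAP-Message attributes.
func attr(t byte, v []byte) []byte {
	return append([]byte{t, byte(2 + len(v))}, v...)
}

// buildAccessRequest carries an EAP packet from the network device to the authentication server.
// RFC 3579 requires a Message-Authenticator whenever EAP-Message is present: HMAC-MD5 over the
// whole packet, keyed with the shared secret, computed with the attribute's 16 value bytes zeroed.
func buildAccessRequest(id byte, reqAuth [16]byte, userName string, eap, secret []byte) []byte {
	var attrs []byte
	attrs = append(attrs, attr(attrUserName, []byte(userName))...)
	for len(eap) > 253 { // fragment oversized EAP packets (RFC 3579 section 3.1)
		attrs = append(attrs, attr(attrEAPMessage, eap[:253])...)
		eap = eap[253:]
	}
	attrs = append(attrs, attr(attrEAPMessage, eap)...)
	maOff := 20 + len(attrs) + 2 // offset of the 16 Message-Authenticator value bytes
	attrs = append(attrs, attr(attrMessageAuthenticator, make([]byte, 16))...)
	pkt := append([]byte{accessRequest, id, 0, 0}, reqAuth[:]...)
	pkt = append(pkt, attrs...)
	binary.BigEndian.PutUint16(pkt[2:4], uint16(len(pkt)))
	mac := hmac.New(md5.New, secret)
	mac.Write(pkt)
	copy(pkt[maOff:], mac.Sum(nil))
	return pkt
}

// verifyAccessRequest is the server side: check the length field, walk the attributes,
// reassemble the EAP payload, recompute the Message-Authenticator and compare it in constant
// time. A packet from a peer without the shared secret, or one altered on the wire, is rejected
// here before any credential inside the EAP payload is examined.
func verifyAccessRequest(pkt, secret []byte) ([]byte, error) {
	if len(pkt) < 20 || pkt[0] != accessRequest || int(binary.BigEndian.Uint16(pkt[2:4])) != len(pkt) {
		return nil, errors.New("malformed Access-Request")
	}
	var eap, ma []byte
	maOff := 0
	for off := 20; off < len(pkt); {
		if off+2 > len(pkt) || pkt[off+1] < 2 || off+int(pkt[off+1]) > len(pkt) {
			return nil, errors.New("bad attribute length")
		}
		v := pkt[off+2 : off+int(pkt[off+1])]
		switch pkt[off] {
		case attrEAPMessage:
			eap = append(eap, v...) // fragments are concatenated in order
		case attrMessageAuthenticator:
			ma, maOff = v, off+2
		}
		off += int(pkt[off+1])
	}
	if eap == nil || len(ma) != 16 {
		return nil, errors.New("EAP-Message without a 16-byte Message-Authenticator")
	}
	zeroed := append([]byte(nil), pkt...)
	copy(zeroed[maOff:], make([]byte, 16))
	mac := hmac.New(md5.New, secret)
	mac.Write(zeroed)
	if !hmac.Equal(mac.Sum(nil), ma) {
		return nil, errors.New("Message-Authenticator mismatch: wrong shared secret or altered packet")
	}
	return eap, nil
}

func main() {
	secret := []byte("constructed-shared-secret")         // constructed; deployments use a long random secret
	eap := []byte{2, 1, 0, 10, 1, 'a', 'l', 'i', 'c', 'e'} // constructed EAP-Response/Identity "alice"
	var reqAuth [16]byte                                    // constructed; real clients draw 16 fresh random bytes
	copy(reqAuth[:], "0123456789abcdef")
	req := buildAccessRequest(7, reqAuth, "alice", eap, secret)
	got, err := verifyAccessRequest(req, secret)
	fmt.Println("accepted:", err == nil && bytes.Equal(got, eap))
	req[22] ^= 0x01 // one byte of User-Name changed on the wire
	_, err = verifyAccessRequest(req, secret)
	fmt.Println("altered:", err)
}
```

The shared secret is the only thing binding the network device to the server in plain RADIUS, so its strength and the presence of the Message-Authenticator check are the two settings worth auditing on any EAP deployment.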
PKI provides identity authentication between two parties via a trusted third party. A PKI certificate is "proof" of identity signed by the third party. It is the network equivalent of a valid passport trusted by the customs agents of other countries. Just as a passport signed by the passport office states your verified identity and citizenship, a PKI certificate signed by a certificate authority states your verified identity and network associations. Unlike passports, PKI certificates can't be forged: any change to a certificate's contents invalidates the certificate authority's signature over it.
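The passport analogy carried into code, as an added example in Go using the standard library's x509 package; this is not the page's own code. A CA issues a user certificate, the relying party accepts it only if it chains to a CA in its trust store, and a certificate whose contents were changed after signing, or one checked against a CA the relying party does not trust, is rejected. All names are constructed and the ed25519 key pairs are generated on the fly.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCA creates the trusted third party: a self-signed certificate-authority certificate
// whose private key is the only thing that can produce valid signatures under it.
func newCA(name string) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// issueClientCert is the CA signing a user's certificate: the user's public key and name are
// bound together by a signature made with the CA key. The user's private key stays on the
// endpoint and is not needed here.
func issueClientCert(ca *x509.Certificate, caKey ed25519.PrivateKey, user string) (*x509.Certificate, error) {
	pub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1001),
		Subject:      pkix.Name{CommonName: user, Organization: []string{"Example Corp"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyClientCert is the relying party's check (the "customs agent"): the presented certificate
// must chain to a CA in the trust store and be valid for client authentication. This proves the
// certificate is genuine; proving the presenter holds the matching private key is the job of
// the authentication protocol that runs afterwards.
func verifyClientCert(cert, trustedCA *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// alterSubject changes one character of the subject name inside the signed DER bytes and
// re-parses the result, modelling a certificate edited after issuance. The structure still
// parses, but the CA's signature no longer covers these bytes, so verification must fail.
func alterSubject(cert *x509.Certificate) (*x509.Certificate, error) {
	der := append([]byte(nil), cert.Raw...)
	i := bytes.Index(der, []byte(cert.Subject.CommonName))
	if i < 0 {
		return nil, errors.New("subject name not found in DER encoding")
	}
	der[i] ^= 0x20 // flip the case of the first letter of the name
	return x509.ParseCertificate(der)
}

func main() {
	ca, caKey, err := newCA("Example Corp Root CA") // constructed names throughout
	if err != nil {
		panic(err)
	}
	cert, err := issueClientCert(ca, caKey, "alice@example.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("issued by trusted CA:", verifyClientCert(cert, ca))
	other, _, _ := newCA("Some Other CA") // a CA the relying party does not trust
	fmt.Println("checked against untrusted CA:", verifyClientCert(cert, other))
	altered, err := alterSubject(cert)
	if err != nil {
		panic(err)
	}
	fmt.Println("altered after issuance:", verifyClientCert(altered, ca))
}
```

The trust store is the whole decision: whichever CAs a server's pool contains define who can vouch for a user, so keeping it to the organization's own CA is the configuration that matters most.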