www.networkbulls.com
Trust and Identity Management is part of the Cisco Self-Defending Network, which is crucial for the development of a secure network system. It defines who and what can access the network, as well as when, where, and how that access can occur. Access to business applications and network equipment is based on the user-level rights granted to users. Trust and Identity Management also attempts to isolate infected machines and keep them off the network by enforcing access control. The three main components of Trust and Identity Management are trust, identity, and access control, as shown in Figure 13-6. The following sections cover these components in detail.
Trust
Trust is the relationship between two or more network entities that are permitted to communicate. Security policy decisions are largely based on this premise of trust. If you are trusted, you are allowed to communicate as needed. At times, however, security controls must constrain trust relationships by limiting access to the designated privilege level. Trust relationships can be explicit or implied by the organization. Some trust relationships can be inherited or passed down from one system to another. Keep in mind, however, that these trust relationships can also be abused.
Domains of Trust
Domains of Trust are a way to group network systems that share a common policy or function. Network segments have different trust levels, depending on the resources they are securing. When applying security controls within network segments, it is important to consider the trust relationships between the segments. Keep in mind that customers, partners, and employees each have their unique sets of requirements from a security perspective that can be managed independently with Domains of Trust classifications. When Domains of Trust are managed in this way, consistent security controls within each segment can be applied.
Figure 13-7 shows two examples of Trust Domains segmented into varying levels of trust. The lighter shading indicates the internal, more secure networks, and the darker areas represent the less secure, lower-trust areas.
Trust levels vary: the internal network can be very open and flexible, whereas the outside must be treated as unsafe and therefore needs strong security to protect the resources. Table 13-3 shows different levels of trust, going from low to high.
| Domain | Level | Safeguards Required |
|---|---|---|
| Production to lab | Low risk | ACLs and network monitoring |
| Headquarters to branch (IPsec VPN) | Medium risk | Authentication, confidentiality, integrity concerns, ACLs, route filtering |
| Inside (private) to outside (public) | High risk | Stateful packet inspection, intrusion protection (IPS), security monitoring |
Identity
Identity is the "who" of a trust relationship. This can be users, devices, organizations, or all of these. Network entities are validated by credentials. Authentication of the identity is based on the following attributes:
- Something the subject knows: knowledge of a secret, password, PIN, or private key
Passwords
Passwords are used to grant users access to network resources. Passwords are an example of the authentication attribute called "something you know." Typically, users do not want to use strong passwords; they want to do what is easiest for them. This presents a security problem and requires you to enforce a password policy. Passwords should not be common dictionary words and should be time-limited. Passwords should never be shared or posted on a computer monitor.
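The two policy rules stated above (no common dictionary words, time-limited passwords) can be enforced at password-change time. The following checker is an added example and is not code from the original page or from Cisco; the minimum length of 12 characters, the 90-day maximum age, the tiny word list, and the leet-speak normalization are all assumptions made for the example, not values the page specifies.

```python
import re
from datetime import date, timedelta

# Policy parameters are assumptions for this example; the page states only
# that passwords must not be dictionary words and must be time-limited.
MIN_LENGTH = 12
MAX_AGE = timedelta(days=90)

# Constructed mini-dictionary; a real deployment loads a full word list.
COMMON_WORDS = {"password", "welcome", "summer", "cisco", "letmein", "qwerty", "admin"}


def normalize(candidate):
    """Reduce a candidate to the base word a cracking dictionary would hold:
    lowercase, digits/symbols trimmed from both ends, common leet-speak
    substitutions undone. 'Summer2024!' -> 'summer', 'P@ssw0rd' -> 'password'."""
    s = candidate.lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    for leet, plain in (("@", "a"), ("$", "s"), ("0", "o"), ("1", "i"), ("3", "e")):
        s = s.replace(leet, plain)
    return s


def check_password(candidate, set_on, today):
    """Return the list of policy violations for `candidate`; an empty list
    means the password is compliant. `set_on` is the date the password was
    last changed, `today` the date of the check."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if normalize(candidate) in COMMON_WORDS:
        problems.append("based on a common dictionary word")
    if today - set_on > MAX_AGE:
        problems.append("older than the maximum password age")
    return problems


if __name__ == "__main__":
    for pw, changed in (("Summer2024!", date(2024, 1, 1)),
                        ("correct-horse-battery", date(2024, 1, 1))):
        print(pw, check_password(pw, changed, date(2024, 2, 1)) or ["ok"])
```

The normalization step matters more than the word list itself: "Summer2024!" satisfies a naive complexity rule yet is one dictionary word plus predictable padding, which is exactly what password-guessing tools try first.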
Tokens
Tokens represent a way to increase security by requiring "two-factor authentication." This type of authentication is based on "something you know" and "something you have." For example, one factor may be a six-digit PIN, and the other the seven-digit code displayed on the physical token. The code on the token changes frequently and is not useful without the PIN. The code plus the PIN is transmitted to the authentication server for authorization. The server then permits or denies access based on the user's predetermined access level.
Figure 13-8 shows two-factor authentication using a username and password along with a token access code.
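The exchange described above, with both the token side and the authentication-server side, as an added example that is not part of the original page and not any vendor's token algorithm. It assumes the token code is an HMAC-based, time-stepped code in the style of RFC 6238 (TOTP), seven digits rotating every 60 seconds; the user record, seed, PIN, salt, and access level are constructed for the example.

```python
import hashlib
import hmac
import struct

# Assumptions for this example: RFC 6238-style time-stepped code, 7 digits,
# 60-second step. A vendor's physical token may use a different scheme.
STEP_SECONDS = 60
DIGITS = 7
PBKDF2_ROUNDS = 100_000


def token_code(seed, now):
    """What the physical token displays at time `now` (seconds since epoch):
    HMAC-SHA1 over the time-step counter, dynamically truncated (RFC 4226)."""
    counter = struct.pack(">Q", now // STEP_SECONDS)
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def pin_hash(pin, salt):
    """The server never stores the PIN itself, only a salted slow hash."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


# Constructed server-side user record. `last_step` records the most recent
# accepted time step so a captured code cannot be replayed.
USERS = {
    "alice": {
        "salt": b"constructed-salt",
        "pin_hash": pin_hash("482913", b"constructed-salt"),
        "token_seed": b"constructed-token-seed-for-alice",
        "access_level": "network-admin",
        "last_step": -1,
    }
}


def authenticate(user, pin, code, now):
    """Server side: the client submits PIN (something you know) plus token code
    (something you have). Returns the user's access level, or None to deny."""
    record = USERS.get(user)
    if record is None:
        return None
    pin_ok = hmac.compare_digest(pin_hash(pin, record["salt"]), record["pin_hash"])
    # Accept the current step and one step either side to absorb clock drift.
    step = now // STEP_SECONDS
    matched_step = None
    for candidate in (step - 1, step, step + 1):
        expected = token_code(record["token_seed"], candidate * STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            matched_step = candidate
    # Both factors are checked before deciding, and a code is accepted once:
    # anything at or before the last accepted step is refused as a replay.
    if not pin_ok or matched_step is None or matched_step <= record["last_step"]:
        return None
    record["last_step"] = matched_step
    return record["access_level"]


if __name__ == "__main__":
    t = 1_700_000_000
    shown = token_code(USERS["alice"]["token_seed"], t)
    print("token shows", shown)
    print("login:", authenticate("alice", "482913", shown, t))
    print("replay:", authenticate("alice", "482913", shown, t + 5))
```

Two points a server implementation should keep: compare both factors with constant-time comparison and evaluate both before answering, so response timing does not reveal which factor was wrong; and record the accepted time step, because a code that is still inside the drift window would otherwise be valid for a second login.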
Certificates
Certificates are used to digitally prove your identity or right to access information or services. Certificates, also known as digital certificates, bind an identity to a pair of electronic keys that can be used to encrypt and sign digital information. A digital certificate is signed and issued by a certification authority (CA) with the CA's private key. A digital certificate contains the following:
- Owner's public key
- Owner's name
- Expiration date of the public key
- Name of the certificate authority
- Serial number
- Digital signature of the CA
Certificates can be read or written by an application conforming to the X.509 CCITT international standard.
Access Control
Access control is a security mechanism for controlling admission to networks and resources. These controls enforce the security policy and employ rules about which resources can be accessed. Access control ensures the confidentiality and integrity of the network resources.
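Table 13-3 lists ACLs and network monitoring as the safeguards between low-risk domains, and this section describes access control as rules about which resources can be reached. The following evaluator is an added example, not code from the page or from Cisco IOS, showing the semantics those rules have on Cisco routers: top-down evaluation, first match wins, an implicit deny at the end, and per-rule hit counters of the kind a monitoring process would watch. The addresses, wildcard masks, and rules are constructed for the example.

```python
import ipaddress

# Constructed extended-ACL-style rules for a lab-to-production boundary:
# (action, protocol, src, src_wildcard, dst, dst_wildcard, dst_port or None).
# Wildcard mask: a 0 bit must match, a 1 bit is ignored (Cisco convention).
ACL_LAB_TO_PROD = [
    ("permit", "tcp", "10.20.0.0", "0.0.255.255", "10.1.1.10", "0.0.0.0", 443),
    ("permit", "udp", "10.20.0.0", "0.0.255.255", "10.1.1.53", "0.0.0.0", 53),
    ("deny",   "ip",  "10.20.0.0", "0.0.255.255", "10.1.0.0",  "0.0.255.255", None),
    ("permit", "ip",  "10.20.0.0", "0.0.255.255", "0.0.0.0",   "255.255.255.255", None),
]


def wildcard_match(addr, base, wildcard):
    """True if `addr` matches `base` on every bit the wildcard mask cares about."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(acl, proto, src, dst, dst_port, hits):
    """First-match evaluation. `hits` maps rule index -> match count; the
    index len(acl) stands for the implicit deny, so monitoring can see how
    much traffic falls through without matching any explicit rule."""
    for i, (action, r_proto, r_src, r_sw, r_dst, r_dw, r_port) in enumerate(acl):
        if r_proto != "ip" and r_proto != proto:
            continue
        if not wildcard_match(src, r_src, r_sw) or not wildcard_match(dst, r_dst, r_dw):
            continue
        if r_port is not None and r_port != dst_port:
            continue
        hits[i] = hits.get(i, 0) + 1
        return action
    hits[len(acl)] = hits.get(len(acl), 0) + 1
    return "deny"


def unused_rules(acl, hits):
    """Rule indices that never matched: candidates for review, since dead
    rules often mean the policy no longer reflects the real traffic."""
    return [i for i in range(len(acl)) if hits.get(i, 0) == 0]


if __name__ == "__main__":
    counters = {}
    flows = [("tcp", "10.20.5.7", "10.1.1.10", 443),
             ("tcp", "10.20.5.7", "10.1.1.10", 22),
             ("tcp", "10.20.5.7", "192.0.2.10", 80),
             ("tcp", "10.30.1.1", "10.1.1.10", 443)]
    for proto, src, dst, port in flows:
        print(proto, src, "->", dst, port, evaluate(ACL_LAB_TO_PROD, proto, src, dst, port, counters))
    print("hits:", counters, "unused:", unused_rules(ACL_LAB_TO_PROD, counters))
```

Rule order is the whole point: the specific permits sit above the broad deny for the production block, and the final permit only reaches traffic that the deny did not cover. Swapping lines 1 and 3 of a real ACL silently removes the HTTPS exception, which is why hit counters are worth watching after every change.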