Wednesday, December 15, 2010

Trust and Identity Technologies Best Cisco CCSP Bootcamp Training Center in Gurgaon

Network Bulls
www.networkbulls.com
Best Institute for CCNA CCNP CCSP CCIP CCIE Training in India
M-44, Old Dlf, Sector-14 Gurgaon, Haryana, India
Call: +91-9654672192

Trust and identity technologies are security controls that decide which traffic, devices, and users a network will accept. The following are examples of technologies used to support trust and identity management:
  • Access control lists— ACLs are used on routers, switches, and firewalls to control access. For example, ACLs are commonly used to restrict traffic entering (ingress) or leaving (egress) an interface by matching on criteria such as source and destination IP addresses and TCP or UDP ports.
  • Firewall— A security device designed to permit or deny network traffic based on source address, destination address, protocol, and port. The firewall enforces security by using the access and authorization policy to determine what is trusted and untrusted. The firewall also performs stateful packet inspection (SPI), which keeps track of the state of each TCP/UDP connection. SPI permits the return traffic of a connection to enter from a lower-security interface when that connection was initiated from a higher-security interface, such as the inside.
  • Network Admission Control (NAC)— Protects the network from security threats by enforcing security compliance on all devices attempting to access the network.
  • 802.1X— An IEEE media-level access control standard that permits and denies admission to the network and applies traffic policy based on identity.
  • Cisco Identity-Based Network Services (IBNS)— Based on several Cisco solutions integrated to enable authentication, access control, and user policies to secure network infrastructure and resources.
The following sections cover some of these trust and identity technologies in more detail.

Firewall ACLs

Firewalls are used to control access to and from the Internet and to provide interaction with customers, suppliers, and employees. But because the Internet is insecure, firewalls need to use ACLs to permit and deny the traffic flowing through them. Firewalls use security zones to define trust levels that are associated with the firewall's interfaces. For example, the trusted zone is associated with an interface connected to the internal network, and the untrusted zone is associated with an interface connected to the network outside the firewall, such as the Internet. Common security zones include the inside, outside, and DMZ, but others can be created as needed.
Figure 14-3 shows a PIX firewall with three zones, the permitted traffic policy, and the resulting traffic flows.



The policy for the firewall shown in Figure 14-3 includes the following:
  • Allow HTTP and HTTPS to the Internet
  • Allow HTTPS and FTP to the public web and FTP server
  • Allow HTTPS to the public e-commerce server
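The following Python model, an added example and not Cisco code or configuration, shows how the two firewall mechanisms described above interact: per-interface ACLs with an implicit deny at the end, security levels as the default for interfaces without an ACL, and a state table that lets replies back in. It encodes the three Figure 14-3 policy lines; the assumption that both public servers sit in the DMZ, the 203.0.113.x server addresses, and the security-level numbers are constructed for the example.

```python
"""Zone-based stateful firewall model (added example, not Cisco code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Tuple

# Security levels in the PIX/ASA style: higher number = more trusted (assumed values).
SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}

# Constructed server addresses in the RFC 5737 documentation range.
WEB_FTP_SERVER = "203.0.113.10"
ECOMMERCE_SERVER = "203.0.113.20"


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = True    # True for the first packet of a new flow


@dataclass(frozen=True)
class Rule:
    """One permit entry of an ACL applied inbound on the interface of src_zone."""
    src_zone: str
    dst_net: str        # CIDR; "0.0.0.0/0" means any destination
    proto: str
    dports: FrozenSet[int]

    def matches(self, pkt: Packet) -> bool:
        return (pkt.src_zone == self.src_zone
                and pkt.proto == self.proto
                and pkt.dport in self.dports
                and ip_address(pkt.dst) in ip_network(self.dst_net))


# The Figure 14-3 policy. Placing both public servers in the DMZ is an
# assumption made for this example.
POLICY = [
    Rule("inside", "0.0.0.0/0", "tcp", frozenset({80, 443})),              # HTTP/HTTPS to the Internet
    Rule("outside", WEB_FTP_SERVER + "/32", "tcp", frozenset({21, 443})),  # HTTPS and FTP to web/FTP server
    Rule("outside", ECOMMERCE_SERVER + "/32", "tcp", frozenset({443})),    # HTTPS to e-commerce server
]


class StatefulFirewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.zones_with_acl = {r.src_zone for r in rules}
        self.state = set()   # 5-tuples of tracked connections

    @staticmethod
    def _key(proto, src, sport, dst, dport) -> Tuple:
        return (proto, src, sport, dst, dport)

    def inspect(self, pkt: Packet) -> str:
        fwd = self._key(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = self._key(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # 1. Stateful inspection: packets of a tracked connection pass, which is
        #    how replies from the Internet reach the inside host that opened it.
        if fwd in self.state or rev in self.state:
            return "permit (established)"
        # 2. A mid-stream packet with no state is not a legitimate new flow.
        if not pkt.syn:
            return "deny (no state)"
        # 3. New flow: an interface with an ACL is governed by that ACL alone
        #    (implicit deny at the end); an interface without one falls back to
        #    the security-level default (higher-to-lower allowed, the reverse denied).
        if pkt.src_zone in self.zones_with_acl:
            allowed = any(r.matches(pkt) for r in self.rules)
        else:
            allowed = SECURITY_LEVEL[pkt.src_zone] > SECURITY_LEVEL[pkt.dst_zone]
        if allowed:
            self.state.add(fwd)
            return "permit"
        return "deny"


if __name__ == "__main__":
    fw = StatefulFirewall(POLICY)
    # Constructed sample flows: an inside host browsing, then the reply coming back.
    print(fw.inspect(Packet("inside", "outside", "10.0.0.5", "198.51.100.7", "tcp", 40000, 443)))
    print(fw.inspect(Packet("outside", "inside", "198.51.100.7", "10.0.0.5", "tcp", 443, 40000, syn=False)))
    print(fw.inspect(Packet("outside", "dmz", "198.51.100.9", WEB_FTP_SERVER, "tcp", 51000, 22)))
```

The DMZ has no ACL in this policy, so its traffic toward the outside is allowed by the security-level default while its traffic toward the inside is denied; the inside interface, once it carries an ACL, is restricted to exactly the listed ports and nothing else.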

NAC Framework and Appliance

Cisco NAC Framework and Cisco NAC Appliance are two ways to deploy NAC and meet the organization's technology and operational needs. The NAC Framework is an integrated solution led by Cisco that incorporates the network infrastructure and third-party software to impose security policy on the attached endpoints. The NAC Appliance is a self-contained product that integrates with the infrastructure to provide user authentication and enforce security policy for devices seeking entry into the network. NAC Appliances can also repair vulnerabilities before allowing access to the network infrastructure.
NAC can restrict access to noncompliant devices but permits access to trusted wired or wireless endpoints such as desktops, laptops, PDAs, and servers.
Both of these deployment options use the common NAC infrastructure; choosing between them depends on the deployment timeframe and the customer's requirements.

Cisco Identity-Based Network Services

The Cisco Identity-Based Network Services solution is a way to authenticate host access based on policy for admission to the network. IBNS supports identity authentication, dynamic provisioning of VLANs on a per-user basis, guest VLANs, and 802.1X with port security.
The 802.1X protocol is a standards-based protocol for authenticating network clients by permitting or denying access to the network. The 802.1X protocol operates between the end-user client seeking access and an Ethernet switch or wireless access point providing the connection to the network. In 802.1X terminology, clients are called supplicants, and switches and APs are called authenticators. A back-end RADIUS server such as a Cisco Access Control Server (ACS) provides the user account database used to apply authentication and authorization.
With an IBNS solution, the host uses 802.1X and Extensible Authentication Protocol over LANs (EAPoL) to send the credentials and initiate a session to the network. After the host and switch establish LAN connectivity, the switch requests username and password credentials. The client host then sends the credentials to the switch, which forwards them to the RADIUS ACS.
The RADIUS ACS performs a lookup on the username and password to determine the credentials' validity. If the username and password are correct, an accept message is sent to the switch or AP to allow access to the client host. If the username and password are incorrect, the server sends a message to the switch or AP to block the host port.
Figure 14-4 illustrates the communication flow of two hosts using 802.1X and EAPoL with the switch, AP, and back-end RADIUS server.
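The exchange just described, written as a small Python simulation (an added example, not code from the page or from Cisco): a supplicant, an authenticator port that relays credentials and never decides on its own, and a RADIUS server standing in for the ACS that answers with Access-Accept or Access-Reject. It also shows two IBNS features named earlier, per-user VLAN assignment and a guest VLAN for hosts that never answer EAPoL. The user database, VLAN numbers, and message names written into the log are constructed for the example.

```python
"""802.1X / EAPoL / RADIUS admission flow, simulated (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class RadiusServer:
    """Stands in for the Cisco ACS: holds the user database and answers Access-Requests."""
    users: Dict[str, Tuple[bytes, bytes, int]] = field(default_factory=dict)

    def add_user(self, username: str, password: str, vlan: int) -> None:
        # Constructed user database; passwords stored as salted PBKDF2 hashes.
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[username] = (salt, digest, vlan)

    def access_request(self, username: str, password: str) -> Tuple[str, Optional[int]]:
        """Look up the credentials; return ('Access-Accept', vlan) or ('Access-Reject', None)."""
        entry = self.users.get(username)
        if entry is None:
            return ("Access-Reject", None)
        salt, digest, vlan = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if hmac.compare_digest(candidate, digest):   # constant-time compare
            return ("Access-Accept", vlan)
        return ("Access-Reject", None)


@dataclass
class Supplicant:
    username: str
    password: str
    speaks_eapol: bool = True   # False models a legacy device with no 802.1X client


@dataclass
class SwitchPort:
    """The authenticator: the port stays unauthorized until RADIUS says Accept."""
    radius: RadiusServer
    guest_vlan: int
    state: str = "unauthorized"
    vlan: Optional[int] = None
    log: List[str] = field(default_factory=list)

    def link_up(self, host: Supplicant) -> str:
        self.state, self.vlan = "unauthorized", None
        self.log.append("switch -> host: EAP-Request/Identity")
        if not host.speaks_eapol:
            # No EAPoL reply: place the port in the restricted guest VLAN.
            self.state, self.vlan = "guest", self.guest_vlan
            self.log.append(f"no EAPoL response; port placed in guest VLAN {self.guest_vlan}")
            return self.state
        self.log.append(f"host -> switch: EAP-Response/Identity ({host.username})")
        # The switch only relays the credentials to the RADIUS server.
        self.log.append("switch -> RADIUS: Access-Request")
        verdict, vlan = self.radius.access_request(host.username, host.password)
        self.log.append(f"RADIUS -> switch: {verdict}")
        if verdict == "Access-Accept":
            self.state, self.vlan = "authorized", vlan   # dynamic per-user VLAN
        else:
            self.state, self.vlan = "blocked", None      # host port blocked
        return self.state

    def forward(self, frame: str) -> bool:
        """Only EAPoL crosses an unauthorized port; data frames need authorization."""
        if frame == "EAPoL":
            return True
        return self.state in ("authorized", "guest")


if __name__ == "__main__":
    acs = RadiusServer()
    acs.add_user("alice", "correct horse", vlan=10)
    port = SwitchPort(radius=acs, guest_vlan=99)
    print(port.link_up(Supplicant("alice", "correct horse")), port.vlan)
    print(port.link_up(Supplicant("alice", "wrong password")), port.vlan)
    print(port.link_up(Supplicant("printer", "", speaks_eapol=False)), port.vlan)
    print("\n".join(port.log))
```

The point to notice is where the decision lives: the switch forwards data frames only after the RADIUS verdict, so the authorization policy is enforced at the access port but defined centrally in the account database.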

Identity and Access Control Deployments

Validating user authentication should be implemented as close to the source as possible, with an emphasis on strong authentication for access from untrusted networks. Access rules should enforce policy deployed throughout the network with the following guidelines:
  • Source-specific rules that match any destination should be applied as close to the source as possible.
  • Destination-specific rules that match any source should be applied as close to the destination as possible.
  • Mixed rules that match on both source and destination should be applied as close to the source as possible.
An integral part of identity and access control deployments is to allow only the necessary access. Highly distributed rules allow for greater granularity and scalability but unfortunately increase the management complexity. On the other hand, centralized rule deployment eases management but lacks flexibility and scalability.
Practicing "defense in depth" by using security mechanisms that back each other up is an important concept to understand. For example, the perimeter Internet routers should employ ACLs to filter packets in addition to the firewall inspecting packets at a deeper level.
Figure 14-5 shows the importance of the authentication databases and how many network components in the enterprise rely on them for authentication services.
