Introducing the Identity-Aware Network

10 December 2008

Lawrence Orans

Gartner RAS Core Research Note G00162947

Adding identity awareness to the network adds visibility into "who is doing what on the network." Network managers can monitor user traffic and enforce identity-based policies by integrating network access control and identity and access management technologies to build identity-aware networks.





Overview



Most enterprise networks are anonymous — that is, the types of users (employee, guest or contractor) are not identified. Network managers can gain more visibility and control over user traffic by adding identity awareness to their networks.

Key Findings
  • Adding identity awareness to a network enables visibility into user behavior and adds another layer of protection for critical resources.
  • Network managers can add identity awareness to their networks by integrating network access control (NAC), and identity and access management (IAM) technologies.
  • Guest networking is the most basic form of identity-aware networking.
  • Identity-aware networking is an emerging concept. There are multiple approaches to building an identity-aware network, but there is no clear winner at this early stage.
Recommendations
  • To gain more information about the identity of users and their behavior on the network, network managers should consider integrating NAC technologies with IAM technologies.
  • Enforcing application access from the network level must be synchronized with application-level access controls to add value and not disrupt business.
  • Network managers can add identity-aware networking solutions to the network infrastructure. If they are deploying a new network infrastructure, then they should consider newer infrastructure solutions that embed identity-aware technology.
  • Identity-aware networking is not a mature concept. Start with the most basic form of an identity-aware network, the guest network, before adding more-sophisticated, role-based enforcement.



Analysis



An anonymous network only has visibility at the Internet Protocol (IP) or media access control (MAC) address level, and cannot determine whether a user is a contractor, a guest or an employee. This level of security has been acceptable to many organizations, because applications and other critical resources are protected via authorization and authentication processes (usually user ID and password) and IAM solutions. However, because networks are blind to a user's identity, the risk is that users "see" applications that they are not authorized to access (see Figure 1). For example, a contractor who has been granted network access could "go exploring" (undetected) and attempt to access sensitive information.

Figure 1. Enterprise Networks Are Anonymous


Source: Gartner (December 2008)




Networks that are "identity-aware" can offer another line of defense to critical resources. In an identity-aware network, users who are not authorized to access an application are blocked from seeing that application. Traffic from their PCs will never reach the server, and the users will not even be presented with the login screen.

Gartner defines identity-aware networking as: "A network that can monitor a user's behavior by mapping IP addresses to user IDs. Policy enforcement points within the network may be used to control a user's traffic based on IAM policies attributed to that user."

Figure 2 represents an identity-aware network.

Figure 2. The Identity-Aware Network


Source: Gartner (December 2008)





Identity-Aware Networking Drivers

There are a number of business justifications for adding identity awareness to enterprise networks. The leading drivers are:

  • Guest networking — The most basic form of an identity-aware network is one that can ask the question "Are you one of us?" Organizations are increasingly adding authentication to all network access methods (wired, wireless and virtual private network [VPN]) so that they can keep guests off their primary network and restrict them to a guest network, where they are only allowed Internet access (see "Findings From the 'Security' Research Meeting: Go Beyond Guest Networks to Achieve NAC Benefits").
  • Protecting intellectual property — Many organizations are concerned about insider threats. They seek to improve their ability to audit and protect access to their intellectual property.
  • Regulatory compliance — Organizations need to prove to regulatory auditors that only authorized users can access sensitive information. Adding identity awareness to a network can help an organization develop the audit trails requested by many auditors for regulations such as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS). In many cases, it is less expensive to add identity awareness to a segment of the network than it is to modify a legacy application to be compliant.
  • Xenophobia threat — Network managers of large multinational corporations often express concerns about their lack of visibility into remote offices in developing nations. They lack the tools to monitor "who is doing what" on these LANs.



Integrating NAC and IAM

Network managers can add identity awareness to their networks by integrating NAC and IAM technologies. An important element of NAC is the ability to build and enforce device-based policies (for example, ensuring that patches and antivirus signatures are up-to-date). Some of the key elements of NAC (policy server and policy enforcement points [PEPs]) can be repurposed to build and enforce user policies (see Figure 3). Many vendors offer policy servers that can import user and role information from directories to build user-based policies. For example, the policy server could be configured with a rule that states "only users in the HR department are allowed to access the salary database." The PEPs then enforce this policy by ensuring that only traffic from users in the HR department is allowed to flow to the LAN segment containing the salary database.

Figure 3. Adding Identity Policies to NAC


Source: Gartner (December 2008)




An important attribute of an identity-aware network is the ability of the network to identify a user. Approaches for the network to learn a user ID as an individual authenticates to a directory are:

  • 802.1X — This standard authenticates a device via machine certificates or authenticates users via user credentials (for example, user ID and password). Sample 802.1X supplicant vendors: Cisco, Juniper Networks, Microsoft, OpenSea Alliance (open source).
  • Captive portal — This approach is often used as an alternative to 802.1X. If an endpoint does not support a supplicant, then a captive portal can be used to capture the credentials and act as a proxy to an authentication server. Many wireless LAN (WLAN) vendors and Remote Authentication Dial-In User Service (RADIUS) solutions support captive portal options.
  • Snooping — By monitoring the sign-in process, identity-aware networking solutions can determine user IDs. In-band and out-of-band network appliances can monitor the user authentication process.
  • Directory integration — Some solutions run agents on Microsoft Active Directory servers. These agents capture user IDs as users authenticate to the directory. Several network behavioral analysis vendors offer directory integration.
  • Endpoint agents — Some agents have the ability to check a Kerberos ticket after a successful Windows authentication and make the user ID available to the NAC system. Some NAC vendors offer this functionality.

Another important attribute of an identity-aware network is the ability to enforce user-based policies. A wide range of PEP technologies are available:

  • Deep packet inspection — These are in-line appliances and firewalls that utilize deep packet inspection technology to identify user traffic and enforce policies (by dropping and filtering packets). Sample vendors: ConSentry Networks, Enterasys Networks, Juniper Networks (Unified Access Control) and Sourcefire (Real-Time User Awareness).
  • Packet tagging — This refers to agent-based or agentless solutions that cryptographically stamp packets with user identity. Appliances or LAN switches that act as "identity firewalls" then allow or deny packets based on the tags. Sample vendors: Applied Identity, AEP and Cisco (TrustSec).
  • Proxy server — A proxy server can be positioned in the data center and can enforce policies by proxying traffic and terminating or allowing sessions. Sample vendor: Rohati Networks.
  • IPsec — This approach relies on IPsec as a software-based PEP. It uses certificates and IPsec to create trusted domains that limit user access to key resources. Sample vendors: Microsoft (Server and Domain Isolation) and Apani Networks.
  • VLAN-based enforcement — This refers to 802.1X-based solutions that use role information to assign users to VLANs. Sample vendors: multiple NAC and switch vendors.
  • Access control lists — Layer 3 switches and some firewall vendors can also map user IDs to IP addresses and enforce user policies by allowing/denying packets. Sample vendors: multiple NAC, switch and firewall vendors.
  • Secure Sockets Layer (SSL) — The same SSL VPN gateways that are commonly used to provide remote access can also be positioned in front of server farms to control access to data center resources. Sample vendors: multiple SSL VPN vendors.
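The following is an added illustration, not code from the Gartner note or from any vendor named in it, of the model described under "Integrating NAC and IAM" and in the two lists above: identities are learned from sign-in events (the directory-integration approach), a policy server holds role-based rules such as "only HR may reach the salary database," and a PEP allows or denies packets from the resulting IP-to-user mapping. All events, user names, roles and address ranges are constructed for the example; the sign-off handling shows why a stale IP-to-user binding must be dropped before the address is reused.

```python
# Added example (not from the Gartner note): a minimal identity-aware PEP fed by
# constructed directory sign-in events and a constructed role directory.
import ipaddress

# Constructed sign-in events, as a directory-integration agent might report them.
AUTH_EVENTS = [
    "2008-12-10T09:01:05 LOGON user=alice ip=10.1.5.23",
    "2008-12-10T09:02:17 LOGON user=bob ip=10.1.5.40",
    "2008-12-10T09:15:42 LOGOFF user=bob ip=10.1.5.40",
    "2008-12-10T09:20:00 LOGON user=carol ip=10.1.5.40",  # address reused after bob's sign-off
]

# Constructed directory roles, standing in for an IAM/LDAP lookup.
DIRECTORY = {"alice": {"hr"}, "bob": {"engineering"}, "carol": {"contractor"}}

# Policy server rules: role -> LAN segments that role is allowed to reach.
POLICY = {
    "hr": [ipaddress.ip_network("10.20.7.0/24")],           # salary database segment
    "engineering": [ipaddress.ip_network("10.20.8.0/24")],  # build servers
    "contractor": [ipaddress.ip_network("10.30.0.0/16")],   # guest / Internet-only segment
}

def parse_event(line):
    """Split 'TIMESTAMP ACTION user=U ip=A' into (action, user, ip)."""
    _, action, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return action, fields["user"], fields["ip"]

def build_ip_user_map(events):
    """Replay sign-in and sign-off events to get the current IP -> user table."""
    mapping = {}
    for line in events:
        action, user, ip = parse_event(line)
        if action == "LOGON":
            mapping[ip] = user
        elif action == "LOGOFF" and mapping.get(ip) == user:
            del mapping[ip]  # drop the binding so later traffic is not misattributed
    return mapping

def pep_decision(mapping, src_ip, dst_ip):
    """Return ('allow'|'deny', user) for one packet; unmapped sources are anonymous."""
    user = mapping.get(src_ip)
    if user is None:
        return "deny", None  # no identity behind this address: block it
    dst = ipaddress.ip_address(dst_ip)
    for role in DIRECTORY.get(user, ()):
        if any(dst in segment for segment in POLICY.get(role, ())):
            return "allow", user
    return "deny", user
```

Each decision carries the user ID alongside the addresses, which is the per-user record the regulatory-compliance driver above asks the network to produce.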

Enforcing application-level access at the network level cannot be done in a vacuum. Network managers often do not have the responsibility or authority to block user access to business applications. For an identity-aware networking approach to be successful, the network-level access controls must stay in sync with application-level access.

The identity-aware networking concept is still in the early stages (see "Hype Cycle for Infrastructure Protection, 2008"), and none of the PEP options listed in this research have emerged as a clear winner. Among the challenges to success are:

  • SSL and VLAN-based solutions typically don't scale well for identity-aware networking.
  • Access control lists are difficult to manage (although some vendors have made improvements).
  • IPsec is relatively unproven in internal networks.
  • Special-purpose identity-aware networking appliances are expensive to deploy enterprisewide.

Network managers will need to carefully weigh scalability, manageability and pricing as important identity-aware networking decision criteria.


© 2008 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.