To start the integration process for your identity systems, you first must understand the different forms identity can take in an organization. Some should be obvious to you; others you might not have considered.
Several mechanisms provide security for the physical access points to a facility. These techniques are defined in Chapter 6, "General Design Considerations," and include the following:
All of these systems are capable of limiting access to a physical location; however, only smart cards afford the direct capability of integrating with the rest of the network. That's not to say that other identity systems don't rely on physical identity controls. In fact, it is often the opposite. As discussed in Chapter 6, various physical security techniques create different network security requirements for the location protected by a given control. In general, though, physical access to a facility usually implies at least some elevated access. This means that having access to a facility is a form of network identity.
Your MAC address is a form of network identity. Because a MAC address is a Layer 2 (L2) convention, generally only L2 devices take advantage of it. Because a MAC address is assigned to a network interface card (NIC) and not a user, it can be used for device identity but cannot be used for user identity without an additional authentication factor (such as username/password). Some examples of MAC address authentication include port security (discussed in Chapter 6), WLAN authentication (discussed in Chapter 11), and IEEE 802.1x.
A MAC address by no means provides strong authentication. MAC addresses can be easily changed to spoof a valid client. Also, using MAC address-based authentication can be challenging because managing the list of "good" MAC addresses is cumbersome. Each time a NIC is changed on a system, the database must be updated.
An IP address is a more solid, useful form of network identity as compared to a MAC address. Again, it focuses on the identity of a device as opposed to a user. But because an IP address for a client tends to be identifiable throughout the network, more interesting things can be done with IP address identity. When paired with a username/password combination, an IP address can validate whether an administrator is allowed to connect to and manage a given network resource and whether the administrator is connected to the device through the management network.
Effective IP address identity enforcement requires the comprehensive implementation of RFC 2827 filtering within the network. (RFC 2827 is discussed in Chapter 6.) Although RFC 2827 won't stop an attacker from spoofing the host portion of the IP address, most network identity decisions using IP addresses are made on the basis of the subnet, not the individual host IP.
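The two ideas in the preceding paragraphs, RFC 2827 ingress filtering and a subnet-based management-access decision layered on top of a username check, fit together in a few lines of code. The following is an added example, not code from the book; the interface names, prefixes, and admin list are constructed for illustration.

```python
import ipaddress

# Constructed sample topology (assumption, not from the book).
# Each router interface knows the prefix assigned behind it. RFC 2827 says a
# packet arriving on that interface must carry a source address from that prefix.
INTERFACE_PREFIXES = {
    "Gi0/1": ipaddress.ip_network("10.1.0.0/16"),    # user LAN
    "Gi0/2": ipaddress.ip_network("10.200.0.0/24"),  # management network
}
MANAGEMENT_NET = ipaddress.ip_network("10.200.0.0/24")

# Accounts that are allowed to manage devices. The username/password step is
# assumed to have already succeeded; this code only adds the IP-based check.
ADMINS = {"alice"}


def rfc2827_ingress_ok(ingress_if: str, src_ip: str) -> bool:
    """True if src_ip belongs to the prefix assigned to ingress_if.

    This is the subnet-level check RFC 2827 asks for: it cannot tell which
    host inside the prefix really sent the packet, but it does stop a source
    address from another subnet (for example, the management network) from
    arriving on a user-facing interface.
    """
    prefix = INTERFACE_PREFIXES.get(ingress_if)
    if prefix is None:
        return False  # unknown interface: fail closed
    return ipaddress.ip_address(src_ip) in prefix


def management_access_allowed(username: str, src_ip: str, ingress_if: str) -> bool:
    """Combine user identity (username) with device identity (source subnet)."""
    if username not in ADMINS:
        return False
    if not rfc2827_ingress_ok(ingress_if, src_ip):
        return False  # would have been dropped by the ingress filter anyway
    # The decision is made on the subnet, not the individual host address.
    return ipaddress.ip_address(src_ip) in MANAGEMENT_NET


def filter_packets(packets):
    """Apply the ingress check to (interface, src_ip) pairs; return the dropped ones."""
    return [(iface, ip) for iface, ip in packets if not rfc2827_ingress_ok(iface, ip)]


if __name__ == "__main__":
    # Constructed packets: the last one claims a management source on the user LAN.
    sample = [("Gi0/1", "10.1.5.7"), ("Gi0/2", "10.200.0.5"), ("Gi0/1", "10.200.0.9")]
    print("dropped:", filter_packets(sample))
    print("alice from mgmt net:", management_access_allowed("alice", "10.200.0.5", "Gi0/2"))
    print("alice from user LAN:", management_access_allowed("alice", "10.1.5.7", "Gi0/1"))
```

Note that the ingress filter is what makes the second function meaningful: without it, a host on the user LAN could present a management-network source address and the subnet check alone would accept it.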
Layer 4 Information
Although not traditionally thought of as such, Layer 4 (L4) information (TCP, UDP, and so on) provides identity as well. L4 information can include port numbers and sequence numbers, the latter only with TCP. When the authorized client sends traffic to a server, the correct sequence and port numbers indicate that the device currently communicating is the same one that initiated the connection. This is part of the reason TCP is considered more secure than UDP. Without sequence numbers, UDP doesn't have as much information to validate the identity of the client.
Keep in mind that this identity is by no means "strong" and only augments the identity you enforce at the application layer. For applications such as Telnet, though, once the initial authentication has occurred, it is only the L4 information that keeps an attacker from hijacking a session. This is different from an application such as SSH, which continually authenticates the client and server through cryptographic mechanisms.
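The difference the preceding two paragraphs describe can be made concrete with a small stateful session table that checks what L4 offers: a 5-tuple for both protocols, plus a sequence number for TCP. This is an added example written for this page, not code from the book; the segment fields and addresses are constructed, and the check uses an exact expected sequence number rather than the receive window a real TCP stack accepts.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """Constructed, minimal view of a TCP segment or UDP datagram."""
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int = 0      # TCP only
    length: int = 0   # payload bytes; advances the expected sequence number


class SessionTable:
    """Accepts traffic only from the endpoint that set up the session.

    For TCP the table remembers the next expected sequence number, so a
    segment with the right 5-tuple but the wrong sequence number is refused.
    For UDP there is nothing beyond the 5-tuple to check.
    """

    def __init__(self) -> None:
        self.tcp: dict[tuple, int] = {}   # 5-tuple -> next expected seq
        self.udp: set[tuple] = set()      # 5-tuples seen

    @staticmethod
    def _key(seg: Segment) -> tuple:
        return (seg.proto, seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)

    def open_tcp(self, syn: Segment) -> None:
        # The SYN consumes one sequence number; the first data byte is ISN + 1.
        self.tcp[self._key(syn)] = (syn.seq + 1) % 2**32

    def open_udp(self, first: Segment) -> None:
        self.udp.add(self._key(first))

    def accept(self, seg: Segment) -> bool:
        key = self._key(seg)
        if seg.proto == "udp":
            # Only the 5-tuple is available: anything matching it is accepted.
            return key in self.udp
        expected = self.tcp.get(key)
        if expected is None or seg.seq != expected:
            return False
        self.tcp[key] = (expected + seg.length) % 2**32
        return True


def demo() -> dict:
    """Constructed Telnet-style TCP session beside a UDP flow; returns the decisions."""
    table = SessionTable()
    syn = Segment("tcp", "10.1.5.7", 40000, "10.200.0.1", 23, seq=1000)
    table.open_tcp(syn)
    good = Segment("tcp", "10.1.5.7", 40000, "10.200.0.1", 23, seq=1001, length=10)
    wrong_seq = Segment("tcp", "10.1.5.7", 40000, "10.200.0.1", 23, seq=5000, length=10)
    table.open_udp(Segment("udp", "10.1.5.7", 50000, "10.200.0.1", 514))
    any_udp = Segment("udp", "10.1.5.7", 50000, "10.200.0.1", 514)
    return {
        "tcp_correct_seq": table.accept(good),      # True
        "tcp_wrong_seq": table.accept(wrong_seq),   # False: 5-tuple matches, seq does not
        "udp_same_tuple": table.accept(any_udp),    # True: nothing more to check
    }


if __name__ == "__main__":
    print(demo())
```

The table illustrates the point rather than a full TCP implementation: a real stack accepts any sequence number inside its receive window, which is why this check raises the bar for an outsider but is no substitute for the continuous cryptographic authentication SSH provides.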
A username is the most obvious form of identity used in networking today. Most users have several different passwords for the different systems that request a username. As discussed previously, these can be merged to a certain extent with AAA servers and central identity stores. Username identity can be strengthened with the use of OTP.
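One way to strengthen a username/password with an OTP is the HMAC-based one-time password of RFC 4226 (HOTP), where the server and the token share a secret and a counter. The following is an added example, not the book's code, showing a verifier that checks the password first and then accepts an OTP only from a small look-ahead window of counters, advancing the stored counter so a code can never be replayed. The user store, the salted password hashing with PBKDF2, and the sample secret (the RFC 4226 test-vector secret) are assumptions of this example.

```python
import hashlib
import hmac
import os
import struct

# Constructed in-memory user store (assumption): username -> account record.
USERS: dict[str, dict] = {}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


def _password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def enroll(username: str, password: str, otp_secret: bytes) -> None:
    """Store a salted password hash plus the token's shared secret and counter."""
    salt = os.urandom(16)
    USERS[username] = {
        "salt": salt,
        "pwhash": _password_hash(password, salt),
        "secret": otp_secret,
        "counter": 0,  # next counter value the server expects the token to use
    }


def verify(username: str, password: str, code: str, window: int = 5) -> bool:
    """Two-factor check: something the user knows (password) plus the OTP."""
    acct = USERS.get(username)
    if acct is None:
        return False
    # Constant-time comparisons avoid leaking how much of the value matched.
    if not hmac.compare_digest(_password_hash(password, acct["salt"]), acct["pwhash"]):
        return False
    # The token may have been pressed a few times without reaching the server,
    # so allow a small look-ahead window of counters.
    for step in range(window):
        candidate = acct["counter"] + step
        if hmac.compare_digest(hotp(acct["secret"], candidate), code):
            # Move past the used counter: this code, and any earlier one, is dead.
            acct["counter"] = candidate + 1
            return True
    return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 Appendix D test secret
    enroll("alice", "correct horse", secret)
    print(hotp(secret, 0))                             # 755224 per RFC 4226
    print(verify("alice", "correct horse", "755224"))  # True
    print(verify("alice", "correct horse", "755224"))  # False: replay refused
```

A stolen static password alone no longer opens the account, and a captured OTP is worthless once it has been used; the trade-off is that the server must persist the per-user counter reliably, since losing it desynchronizes every token.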
Digital certificates are potentially the strongest way to provide identity, but as discussed in Chapter 4, there are definite detractions from a deployment standpoint. Without a second factor such as a personal identification number (PIN) or smart card, certificates are able to authenticate only the device, not the user. This does, however, make them appropriate for deployments such as site-to-site VPN services.
When a smart card or other additional authentication factor is introduced, digital certificates can be made to authenticate individuals.
For most networks, the potential benefit that biometrics provides is far outweighed by the risks and immaturity of the technology. As such, this book does not show biometrics in any of its base designs, though the designs are not incompatible with biometrics. See Chapter 4 for biometric considerations.