What is policy enforcement, and why should we care?
Computerworld - There's a new kid on the network security block, and it seems to have a lot of names.
Cisco Systems Inc. can't decide what to call it, sometimes using Network Admission Control and sometimes referring to Self-Defending Networks. Microsoft Corp. is using Network Access Protection.
These names, along with those chosen by niche players in the market -- Check Point Software Technologies Ltd. and its subsidiary, Zone Labs LLC, Endforce Inc. and InfoExpress Inc., among others -- all refer to a suddenly conspicuous technology most folks refer to as policy enforcement.
What's all the fuss about? Let's take a look.
Security administrators typically consider "authorization" in the context of user identities, which are verified via passwords or randomly generated codes or iris scans. Once identity has been validated, it's used to establish appropriate levels of access to computers, network resources and information. People with networking and Web server experience may go so far as to include certificates in their understanding of "authentication" and authorization, since IPsec and SSL/TLS both rely on certificates for validation of machine identities.
But authorization can be interpreted far more broadly. Possession being nine-tenths of the law, I can reasonably call myself an "authorized" driver of my car since I possess the car's title, and perhaps more importantly, the ignition key. In the early days of TCP/IP networking, an authorized network node could be defined operationally as "any machine with physical access to my Ethernet network," since the network implementations of the time required little more than plugging in a cable and maybe configuring an address or two to establish connectivity.
The advent of widespread wireless networking has made that informal, physical definition even more permissive, since cabling is no longer required to get online.
Most network architectures and operating systems still rely solely on relatively simple-minded identity-based mechanisms to grant access. As mentioned above, IPsec and other remote access technologies, SSL/TLS and 802.1x (in most currently shipping implementations) enable decisions based on user and host identity to grant network connectivity. These tools greatly increase enterprise security. They allow access decisions to be based on an endpoint's identification as a trusted participant in the organization, no matter where the endpoint is located. But we've learned the hard way that identity-based authorization isn't enough.
Identity-based authorization doesn't help much with a Blaster-infected laptop. Once that machine connects to your network, the infection will spread to whatever it can reach behind your firewall -- the fact that the user logged into the domain first usually doesn't protect you. In fact, in some situations user authentication makes
- The Truth About Cloud Security "Security" is the number one issue holding business leaders back from the cloud. But does the reality match the perception?
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!