Skip the navigation

What is policy enforcement, and why should we care?

By Tina Bird, InfoExpress
December 9, 2004 12:00 PM ET

Computerworld - There's a new kid on the network security block, and it seems to have a lot of names.
Cisco Systems Inc. can't decide what to call it, sometimes using Network Admission Control and sometimes referring to Self-Defending Networks. Microsoft Corp. is using Network Access Protection.
These names, along with those chosen by niche players in the market -- Check Point Software Technologies Ltd. and its subsidiary, Zone Labs LLC, Endforce Inc. and InfoExpress Inc., among others -- all refer to a suddenly conspicuous technology most folks refer to as policy enforcement.
What's all the fuss about? Let's take a look.
Security administrators typically consider "authorization" in the context of user identities, which are verified via passwords or randomly generated codes or iris scans. Once identity has been validated, it's used to establish appropriate levels of access to computers, network resources and information. People with networking and Web server experience may go so far as to include certificates in their understanding of "authentication" and authorization, since IPsec and SSL/TLS both rely on certificates for validation of machine identities.
But authorization can be interpreted far more broadly. Possession being nine-tenths of the law, I can reasonably call myself an "authorized" driver of my car since I possess the car's title, and perhaps more importantly, the ignition key. In the early days of TCP/IP networking, an authorized network node could be defined operationally as "any machine with physical access to my Ethernet network," since the network implementations of the time required little more than plugging in a cable and maybe configuring an address or two to establish connectivity.
The advent of widespread wireless networking has made that informal, physical definition even more permissive, since cabling is no longer required to get online.

Most network architectures and operating systems still rely solely on relatively simple-minded identity-based mechanisms to grant access. As mentioned above, IPsec and other remote access technologies, SSL/TLS and 802.1x (in most currently shipping implementations) enable decisions based on user and host identity to grant network connectivity. These tools greatly increase enterprise security. They allow access decisions to be based on an endpoint's identification as a trusted participant in the organization, no matter where the endpoint is located. But we've learned the hard way that identity-based authorization isn't enough.
Identity-based authorization doesn't help much with a Blaster-infected laptop. Once that machine connects to your network, the infection will spread to whatever it can reach behind your firewall -- the fact that the user logged into the domain first usually doesn't protect you. In fact, in some situations user authentication makes

Our Commenting Policies
Internet of Things: Get the latest!
Internet of Things

Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!