Identity and Access Control Deployments

Validating user authentication should be implemented as close to the source as possible, with an emphasis on strong authentication for access from untrusted networks. Access rules that enforce policy should be deployed throughout the network according to the following guidelines:

■ Source-specific rules with "any" destinations should be applied as close to the source as possible.

■ Destination-specific rules with "any" sources should be applied as close to the destination as possible.

■ Mixed rules that specify both a source and a destination should be applied as close to the source as possible.

An integral part of identity and access control deployments is to allow only the necessary access. Highly distributed rules allow for greater granularity and scalability but unfortunately increase the management complexity. On the other hand, centralized rule deployment eases management but lacks flexibility and scalability.

Practicing "defense in depth" by using security mechanisms that back each other up is an important concept to understand. For example, the perimeter Internet routers should employ ACLs to filter packets in addition to the firewall inspecting packets at a deeper level.
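The following Cisco IOS configuration is an added example, not from the book, of the two points above applied on an Enterprise Edge Internet router: source-specific rules (anti-spoofing and egress filtering) sit on the interfaces closest to their sources, while destination-specific rules for DMZ hosts are left to the firewall behind the router, which inspects at a deeper level. Interface names and the public range 203.0.113.0/24 are constructed for illustration.

```ios
! Source-specific rules for traffic arriving from the Internet.
! The source is the untrusted network, so the closest enforcement
! point we control is the ISP-facing interface.
ip access-list extended EDGE-INTERNET-IN
 remark Drop private, loopback and unassigned sources that should never arrive from an ISP
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 remark Our own public range (constructed) must never appear as a source from outside
 deny   ip 203.0.113.0 0.0.0.255 any
 remark Everything else is passed to the firewall, which applies the
 remark destination-specific DMZ/E-Commerce rules close to the destination
 permit ip any any
!
! Source-specific egress rule: only our own addresses may leave.
! Applied on the inside interface, which is closest to those sources.
ip access-list extended EDGE-INSIDE-IN
 permit ip 203.0.113.0 0.0.0.255 any
 deny   ip any any log
!
interface GigabitEthernet0/0
 description ISP 1 uplink (constructed)
 ip access-group EDGE-INTERNET-IN in
!
interface GigabitEthernet0/1
 description Toward Enterprise Edge firewall (constructed)
 ip access-group EDGE-INSIDE-IN in
```

The router ACL and the firewall back each other up: a spoofed packet the firewall might accept never reaches it, and a packet the router lets through still faces stateful inspection before reaching a DMZ host.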

Figure 14-5 shows the importance of the authentication databases and how many network components in the Enterprise rely on them for authentication services.

Figure 14-5 Identity and Access Control (figure not reproduced; labels in the figure: Firewall and Router Access Control Lists; SSH Authentication; WAN Peer Authentication; Enterprise Edge; DMZ/E-Commerce; Remote Access; Internet; WAN/MAN; Internet/WAN; ISP 1; ISP 2; PSTN; Frame/TDM/ATM/MPLS)
