Maintaining a secure network system, while properly accommodating users is a challenge for many organizations. "User-centric networking" can help solve these problems by incorporating security policies into the network hardware and giving users the tools they need.
September 1, 2001
Every individual within an organization plays a distinct role. This means every user on the network requires a set of clearly defined resources to perform a particular job. All departments may need e-mail, while only those in the market analysis division may need access to the analytical applications, and only those in the finance department may need access to the accounting applications.
At the same time, organizations have various policies that govern everyday activities. These policies address a variety of security issues, such as which documents are confidential and who can or cannot address certain information.
The current challenge for organizations, as new technology is installed and implemented, lies in maintaining an extremely secure network system that allots resources according to department, division or user, and accommodates the growing number of mobile users.
A new technology concept — “user-centric networking” — incorporates an organization’s security policies into the network hardware in order to align users with the tools they need. User-centric networking solves security and mobility problems by allocating resources based on who the network’s users are, what their roles are, and what they can or cannot access — regardless of their location, or which computer they are using.
Along with aligning IT with the business, user-centric networking solves many high-level issues that organizations face today. It allows an organization to set up user-specific quality of service and bandwidth specifications, as well as maintain them when an employee changes workstations or departments. This ensures the network delivers the service that each member of the department requires, while also executing the institution’s security policies.
This type of network further extends the life of the organization’s IT investments by better conserving its network resources on a per-user and per-department basis. Network managers can maximize their systems’ uptime by customizing bandwidth so that time-critical applications, such as e-mail or e-commerce, receive priority over non-business activities like Internet radio.
At the same time, user-centric network architecture increases productivity by giving employees immediate access to the resources they need, regardless of where they log on to the network. This also eliminates the need to reconfigure a computer to accommodate an employee’s security allowance each time the employee changes workstations. Determining which resources or databases employees can access further increases network security and ensures vital information is kept secure. This prevents both internal users and external infiltrators from misusing resources and accessing confidential information.
What makes this concept so revolutionary is that a company’s own rules are integrated into the hardware of the network, as opposed to being programmed into the software of the individual computers.
A system like this should consist of three components: authentication, role-based administration, and the service-enabled edge.
While authentication, or user login, is usually seen as a security function rather than part of the network system, it is the only reliable method for identifying a person on the network. Authentication is extremely secure: if the system does not recognize the employee, he or she cannot gain access to the network.
Authentication works in one of two ways, depending on what type of operating system the organization is using. In the future, most new operating systems will support the Institute of Electrical and Electronics Engineers’ (IEEE) authentication standard known as 802.1x for enterprise environments. A network can use the 802.1x protocol to communicate between the employee (and the operating system) and the first switch encountered. The switch processes the information by connecting to a back-end RADIUS server, which in turn communicates to a central network directory server.
If the agency does not have an operating system that supports 802.1x today, the employees can log in using a Web browser window, allowing mobile users to access the network.
This authentication system also helps to prevent denial of service attacks, which usually happen when a Web server is flooded with false requests for information, overwhelming the system and crippling it.
Traditionally, IT administrators determined the identity of a user by either a MAC (Media Access Control) or IP (Internet Protocol) address. Both numbers help identify a particular network on the Internet, as well as the particular device, such as a computer, within that network. But because MAC and IP addresses can change frequently, either by switching workstations or by using IP addressing software, they are not sufficient in determining the identity of a person, especially as the workforce becomes increasingly mobile. Therefore, authentication is a better indicator of a user’s identity, and a solid mechanism with which to enforce the agency’s policies.
Once a user is authenticated, role-based administration can be achieved through a policy management application that allows the network to couple business roles with IT capabilities and simulate the organizational structure. From there, the IT manager can allocate various software applications for one executive and Web access for another. Through the distribution of services, both the IT staff and the business staff can have productive conversations about how IT can better serve the goals and needs of the organization.
Historically, it was the IT infrastructure that dictated how the organization would use the network. The network and its language were foreign to executives, managers and department heads who essentially had to trust the network manager to configure the enterprise in the face of a changing business environment. With architecture designed for user-centric networking, the rules of the network are decided according to what is best for the agency. While network managers remain integral to implementing policies and classification rules, corporate executives are able to help configure the network to precisely match the goals of the organization.
A service-enabled edge allows the IT manager to implement complex policy rules at the point of entrance into the network — as opposed to the network core — where the switches then filter and forward information to the user. This is essentially where roles are defined in a user-centric network system. The entire organization is modelled in the system software using a simplified policy manager to provide a user-friendly graphical view of the entire enterprise.
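The three components described above (802.1x login through an edge switch, a RADIUS decision backed by a directory, and a role that the edge turns into a policy) modelled as a small simulation. This is an added example, not Enterasys code or a real RADIUS implementation; the users, passwords, roles and the use of the standard Filter-Id attribute to carry the role name are constructed assumptions. The point it shows is that the policy follows the authenticated user, not the MAC address of the port.

```python
"""Simulation of a user-centric edge: port state, RADIUS reply, role policy.
Constructed example; the directory, credentials and roles are made up."""
from dataclasses import dataclass, field

# Constructed stand-in for the central directory server: user -> (password, role).
DIRECTORY = {
    "alice": ("s3cret", "finance"),
    "bob": ("hunter2", "market-analysis"),
    "carol": ("pa55word", "staff"),
}

# Role -> edge policy. Every role gets e-mail; departments add their applications
# and a higher queue priority for the time-critical ones (constructed values).
ROLE_POLICY = {
    "staff": {"allow": {"email"}, "priority": 3},
    "finance": {"allow": {"email", "accounting"}, "priority": 5},
    "market-analysis": {"allow": {"email", "analytics"}, "priority": 5},
}
DEFAULT_POLICY = {"allow": set(), "priority": 0}  # unauthorized port: nothing forwarded

@dataclass
class Port:
    mac: str                      # the client's MAC; never consulted for policy
    authorized: bool = False
    policy: dict = field(default_factory=lambda: dict(DEFAULT_POLICY))

def radius_access_request(user: str, password: str) -> dict:
    """Simulated RADIUS server: Access-Accept carries the role in Filter-Id."""
    entry = DIRECTORY.get(user)
    if entry is None or entry[0] != password:
        return {"code": "Access-Reject"}
    return {"code": "Access-Accept", "Filter-Id": entry[1]}

def authenticate(port: Port, user: str, password: str) -> bool:
    """Edge switch (authenticator): relay the login, then apply the returned role."""
    reply = radius_access_request(user, password)
    if reply["code"] != "Access-Accept":
        port.authorized, port.policy = False, dict(DEFAULT_POLICY)
        return False
    port.authorized = True
    port.policy = dict(ROLE_POLICY.get(reply["Filter-Id"], DEFAULT_POLICY))
    return True

def permitted(port: Port, service: str) -> bool:
    """Edge filter: forward only what the user's role allows on an authorized port."""
    return port.authorized and service in port.policy["allow"]
```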
It is no secret that the network has become a strategic business asset for any organization. It allows employees and departments to share valuable information, services and resources, thereby increasing productivity and decreasing material costs. However, by doing so it poses a security risk for enterprises that house confidential documents and information within their networks. For many organizations, that security risk is intensified and can have serious repercussions if it is breached.
Programming individual computers to accommodate various employees can be a costly and time-consuming procedure, as well as an unreliable one when it comes to mobile users. Consequently, the network must be engineered, configured and managed to meet the demands of the work environment, while aligning with corporate security policies.
Increased security, greater productivity and mobile accessibility can be achieved with a network that understands the concept of people and can accommodate individual users and departments.
Kelly Kanellakis is director of technology for Enterasys Networks, a leading innovator in business communications networks. Mr. Kanellakis can be reached at firstname.lastname@example.org.