Archive for April, 2007

Cisco IPJ Article in HTML Form

Tuesday, April 24th, 2007

In case you have an aversion to the PDF format my article was originally posted in, it is now up in HTML form. I haven’t seen the print version in the mail yet, but hopefully that will be soon.


Identity Management for Networks on the Rise

Tuesday, April 24th, 2007

The notion of applying the same concepts to networks as found in IdM for applications is gaining momentum. As I talk to prospective customers and at speaking events I get questions like, “How is this different from a RADIUS server?” much less often. Folks are starting to grasp the interdependency of identity, policy, authentication and authorization and the requirement to add a layer of intelligence to networks in a heterogeneous way. Last year Eric Norlin started a conversation about the linkages between NAC and identity management and suggested the terms NIdM and AIdM to describe the two elements and their relationship to the broader IdM space. One of my posts from September of 2006 has all the relevant links. He’s staying abreast of the topic as well with a related post just last month.

Since then I’ve been trying out the NIdM term as a way to describe what my company does, and through some trial and error I found that putting the “N” last increases understanding significantly: so I now say “Identity Management for Networks” rather than “Network Identity Management.” Perhaps the latter term has too much of a connotation of IPAM and MAC address databases, whereas the “for Networks” puts a qualifier on a term that most within IT already understand.

I put together a presentation for the SecureIT conference which attempts to map out what IdM-N is and how it relates to a legacy RADIUS server as well as your traditional IdM investment. Last week I presented a variation on the same theme at the New York Metro chapter of the ISSA. At that conference there was a lot of head nodding as well as a customer presentation on IdM in general by Dennis Brixius (CSO at McGraw Hill). Dennis spoke to the need for identity in networks, which was great as we served to reinforce some of each other’s points.

Tomorrow I’m presenting the same topic at the Network Applications Consortium’s spring conference. Many of the presenters and attendees at this conference are well versed in IdM for applications and I expect to learn a lot. While over the mid-term I see IdM merging into a single entity that comprises the entire space, it will take us a little while to get there. In the interim, finding ways to link network and application elements through the adoption of standards makes a lot of sense.

A written version of the components in IdM-N can be found in the IPJ article I referenced in an earlier post.

I expect the next six months to be very telling in terms of what terms take hold with customers and more importantly, what applications they are solving with these technologies.


AAA in IPJ

Friday, April 13th, 2007

Part one of a two-part article titled Network Authentication, Authorization, and Accounting was just published in the Internet Protocol Journal. I wrote the article as a survey of the entire AAA space and so it covers a lot of ground without spending too much time in one place. If you are new to AAA or are looking for a conceptual model of AAA to help others grasp its concepts, please take a look. Here’s the opening couple of paragraphs:

Network Authentication, Authorization, and Accounting (AAA, pronounced “triple-A”) is a technology that has been in use since before the days of the Internet as we know it today. Authentication asks the question, “Who or what are you?” Authorization asks, “What are you allowed to do?” And finally, accounting wants to know, “What did you do?” These fundamental security building blocks are being used in expanded ways today. This article, the first in a two-part series, focuses on the overall concepts of AAA, defines the elements involved in AAA communications, and discusses high-level approaches to achieving specific AAA goals. Part two of the article, to be published in a future issue of IPJ, will discuss the protocols involved, specific AAA applications, and considerations for the future of AAA.

AAA, at its core, is all about enabling mobility and dynamic security. Without AAA, a network must be statically configured to control access; IP addresses must be fixed, systems cannot move, and connectivity options should be well defined. Even the earliest days of dialup access broke this static model, thereby requiring AAA. Today, the proliferation of mobile devices, diverse network consumers, and varied network access methods combine to create an environment that places greater demands on AAA.

AAA has a part to play in almost all the ways we access a network today. Emerging technologies such as Network Access Control (NAC) extend AAA even into corporate Ethernet access (historically the “trusted” network that set the benchmark level of security that all other types of access had to match). Today, wireless hotspots need AAA for security, partitioned networks require AAA to enforce segmentation, and remote access of every kind uses AAA to authorize remote users.

Continue to IPJ
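To make the three questions above concrete, here is a small added model of an AAA decision point (example code written for this page, not from the IPJ article or any RADIUS implementation). The user store, roles, resource names and accounting records are constructed for the example; the point it shows is the separation the article describes: authentication answers “who are you,” authorization separately answers “what may you do” (an authenticated guest is still refused the corporate LAN), and accounting records the outcome of every request, including the failures.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

def _derive(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the store never holds plaintext credentials.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _derive(password, salt), "role": role}

# Constructed sample identity store: username -> credential + role.
USERS = {
    "alice": make_user("correct horse", "staff"),
    "guest1": make_user("hotspot", "guest"),
}

# Constructed authorization policy: which network resources each role may reach.
POLICY = {
    "staff": {"corp-lan", "vpn", "wifi"},
    "guest": {"wifi"},
}

@dataclass
class AAAServer:
    users: dict
    policy: dict
    accounting: list = field(default_factory=list)

    def authenticate(self, user: str, password: str) -> bool:
        """Who or what are you? Verify the presented credential."""
        rec = self.users.get(user)
        if rec is None:
            # Do the same work for unknown users so response time does
            # not reveal which usernames exist.
            _derive(password, b"\x00" * 16)
            return False
        return hmac.compare_digest(_derive(password, rec["salt"]), rec["hash"])

    def authorize(self, user: str, resource: str) -> bool:
        """What are you allowed to do? Check the role against policy."""
        role = self.users[user]["role"]
        return resource in self.policy.get(role, set())

    def account(self, user: str, resource: str, outcome: str) -> None:
        """What did you do? Record every decision, not only the successes."""
        self.accounting.append({"user": user, "resource": resource, "outcome": outcome})

    def access_request(self, user: str, password: str, resource: str) -> str:
        """Full AAA pass for one access request; returns 'accept' or 'reject'."""
        if not self.authenticate(user, password):
            self.account(user, resource, "auth-failed")
            return "reject"
        if not self.authorize(user, resource):
            self.account(user, resource, "unauthorized")
            return "reject"
        self.account(user, resource, "granted")
        return "accept"

if __name__ == "__main__":
    srv = AAAServer(USERS, POLICY)
    print(srv.access_request("alice", "correct horse", "corp-lan"))   # accept
    print(srv.access_request("guest1", "hotspot", "corp-lan"))       # reject: wrong role
    print(srv.access_request("mallory", "anything", "wifi"))         # reject: unknown user
    for record in srv.accounting:
        print(record)
```

Note that the accounting log is what a NAC or hotspot operator would later review: it distinguishes a credential failure from a policy refusal, which matters both for troubleshooting and for spotting credential guessing against a segment the account was never entitled to.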


OSU and Florida Networks

Monday, April 2nd, 2007

With the college basketball men’s national championship game tonight, Network World posted a cute article outlining some statistics on both schools’ networks. Worth a quick skim at least. Interesting bit of info on the anticipated size of the OSU network:

We are actively building out a Wi-Fi network on the Columbus campus that will reach over 300 buildings, 25 million square feet, and 1,700 acres. The network could scale to 10,000 access points and support 100,000 simultaneous users within five years. Currently we have over 2,500 Aruba access points installed, with 100% of our residence halls covered with wireless. The network is being designed to support 802.11a/b/g and voice services.
