Access control: The evolving tool set

Enterprises struggle to find the sweet spot -- in cost, complexity and capability -- as they adopt user-centric security
By Joanne Cummings , Network World , 10/09/2008

Smart enterprise IT executives know that who you are and what you're doing mean a whole lot more than which device or network port you're using.


This story is part of a special Security Trend Watch issue.

Craig Richards, IT director for NaviMedix, a Cambridge, Mass., company that manages electronic communications among health insurers and physicians, gets it. "You may have a port with access to parts of the network that should be protected. But someone could easily plug a device into that port and have that same level of access, even if they weren't authorized to have it. Access needs to tie directly to the user," he says.

Mobility has forced the issue. In the past, ports and IP addresses were reasonable proxies for identities, says Andreas Antonopoulos, a partner at Nemertes Research and Network World "Security Risk and Reward" columnist. "I [once] had a Solaris workstation that weighed 300 pounds and was connected to the network by an Ethernet coaxial cable as thick as my thumb. My mobility was rather limited, and my IP address literally did not change once in three years. So, there was a very direct association between IP address and user," he says.

That has all changed because the types of devices people use and the ways they connect to the network are so varied. "The IP address of my BlackBerry changes every few hours, and the IP address on my laptop changes depending on if I'm using Wi-Fi, 3G, a LAN, a VPN or whatever," Antonopoulos says. "The IP address has become very transient. You might have a dozen users using the same IP address during the period of one day."

That transience is a nightmare for network security teams, especially when they investigate incidents or demonstrate compliance. In either case, being able to link an IP address in a log to a specific user is highly desirable if not outright necessary.

"If you're lucky, you have a DHCP server that keeps good logs of who got which IP address when," Antonopoulos says. "And if you're really lucky, that DHCP server is properly time-synchronized to an atomic clock or [network time protocol] source so those logs can be correlated. And if you're even luckier, all of your other logs sync to the same source. Then you can say that this IP address accessing this application at this second was issued to this user, on this media access control-addressed machine. It's not easy," he says. (See "SIEM: Finding the proverbial needle.")
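The correlation Antonopoulos describes, as an added illustration rather than code from the article or from any vendor named in it: an application access log is joined against DHCP lease records so that an IP address at a given second resolves to the user who held the lease. The log formats, hostnames, user names and timestamps are constructed for the example, and the `user` field assumes the NAC or 802.1X layer has already bound an identity to each MAC address. The `skew_seconds` parameter models his point about time synchronization: when the two log sources are not synced, the lease window has to be widened, and a lease boundary that falls inside that window makes the attribution ambiguous rather than silently wrong.

```python
# Added example (not code from the article): attribute an IP address seen in
# an application log to the user holding the DHCP lease at that moment.
# All log lines and values below are constructed for this illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Lease:
    ip: str
    mac: str
    user: str        # identity the NAC/802.1X layer bound to this MAC (assumed)
    start: datetime
    end: datetime


# Constructed DHCP lease log: "<UTC timestamp> <ip> <mac> <user> <lease seconds>"
DHCP_LOG = """\
2008-10-09T08:00:00Z 10.1.2.50 00:11:22:33:44:55 alice 3600
2008-10-09T09:00:00Z 10.1.2.50 00:11:22:33:44:55 alice 3600
2008-10-09T10:05:00Z 10.1.2.50 aa:bb:cc:dd:ee:ff bob 3600
2008-10-09T11:30:00Z 10.1.2.50 de:ad:be:ef:00:01 carol 3600
"""

# Constructed application access log: "<UTC timestamp> <ip> <request>"
APP_LOG = """\
2008-10-09T08:30:00Z 10.1.2.50 GET /patient/1234
2008-10-09T10:02:00Z 10.1.2.50 GET /patient/5678
2008-10-09T10:30:00Z 10.1.2.50 POST /claims/submit
2008-10-09T13:00:00Z 10.1.2.50 GET /admin
"""


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp such as 2008-10-09T08:00:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_leases(dhcp_text):
    """Turn DHCP log lines into Lease records with absolute start/end times."""
    leases = []
    for line in dhcp_text.splitlines():
        if not line.strip():
            continue
        ts, ip, mac, user, secs = line.split()
        start = parse_ts(ts)
        leases.append(Lease(ip, mac, user, start, start + timedelta(seconds=int(secs))))
    return leases


def candidates(leases, ip, when, skew_seconds=0):
    """Users whose lease on `ip` covered `when`.

    Each lease is widened by `skew_seconds` on both sides to absorb clock drift
    between the DHCP server and the application server. The result is a sorted,
    de-duplicated list: one name is an attribution, several mean the logs cannot
    disambiguate at that instant, and an empty list means no lease covered it.
    """
    skew = timedelta(seconds=skew_seconds)
    return sorted({l.user for l in leases
                   if l.ip == ip and l.start - skew <= when <= l.end + skew})


def correlate(dhcp_text, app_text, skew_seconds=0):
    """Annotate every application log line with a user verdict."""
    leases = parse_leases(dhcp_text)
    results = []
    for line in app_text.splitlines():
        if not line.strip():
            continue
        ts, ip, request = line.split(maxsplit=2)
        users = candidates(leases, ip, parse_ts(ts), skew_seconds)
        if len(users) == 1:
            verdict = users[0]
        elif users:
            verdict = "AMBIGUOUS(" + ",".join(users) + ")"
        else:
            verdict = "UNKNOWN"
        results.append((ts, ip, request, verdict))
    return results


if __name__ == "__main__":
    for skew in (0, 300):
        print(f"--- assuming up to {skew}s clock drift between log sources ---")
        for ts, ip, request, verdict in correlate(DHCP_LOG, APP_LOG, skew):
            print(f"{ts} {ip:<10} {request:<22} -> {verdict}")
```

With perfectly synchronized clocks the 10:02 request falls in the gap between alice's expired lease and bob's new one and is reported as UNKNOWN; allowing five minutes of drift turns the same request into AMBIGUOUS(alice,bob), which is the honest answer an investigator or auditor needs to see rather than a confident but unsupported name.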

Getting there

Fortunately, security tools are evolving beyond the simple IP address and IP port focus, and increasingly are becoming more user-centric, working their way slowly up the Open Systems Interconnection stack. Network-access control (NAC) is the primary vehicle for this move. Depending on the vendor, NAC handles everything from Layer 2 endpoint security to access control, ID management and behavior-based monitoring at Layer 7 - all of which rely on a user's identity and role in the organization. Most of the marketing thunder surrounds such big-name tools as Microsoft's Network Access Protection and Cisco's Network Admission Control; many other NAC flavors offer their own slants on solving the problem. (Compare NAC products.)

Enterprise interest is plentiful. In a recent Network World survey, 63% of 483 reader respondents said they consider NAC either an important or extremely important piece of their enterprise security plans. Forty-eight percent of respondents have deployed NAC products, while another 11% expect to do so within the next 12 months. NaviMedix is in the former category.

For user-centric security, NaviMedix uses Bradford Networks' NAC Director, a policy-based appliance. NAC Director works with a company's LAN switches to manage individuals' identities by associating them not only with IP and media access control addresses, but also with their roles in the company and the applications they are authorized to use.

Because NAC Director focuses on identity, it eliminates the problem of insecure ports. "When everything is tied to a user account and identity, it's far easier to secure," NaviMedix's Richards says. "No valid user account, no access. And that means zero possibility for unauthorized users to get to the protected parts of the network."

In addition, NAC Director integrates with Microsoft's Active Directory service, which NaviMedix uses. This integration lets the firm base application access on Active Directory group membership using virtual LANs. "With the VLANs, only certain individuals and departments can get to certain parts of the network," Richards says. "Together, NAC and Active Directory grant authorized individuals access to their data wherever they are in the company. Their VLANs follow them, so they get what they're supposed to get based on who they are. And they get proper access, no matter where they login or what device they use."
