|
| |
» |
|
|
|
|
 |
|
|
|
|
|
|
| |
|
|
|
With a longstanding emphasis on facilitating the connection between user devices and the corporate infrastructure, companies have traditionally ignored the unique needs of individuals and groups utilizing the network. Not only does this hinder workforce productivity, it also creates problems associated with network security, management and performance.
A new strategy is to implement identity driven management (IDM) functionality that is able to automatically configure the network edge through security and management policies defined in a centrally administered database. These IDM solutions facilitate business-driven networks that behave uniquely and appropriately for every user.
This paper describes traditional network access management strategies, and defines ProCurve Networking by HP's approach to a new, identity driven methodology. It also highlights the benefits that can be attained by deploying ProCurve IDM solutions.
» Return to top
|
| |
| | |
|
|
| |
|
|
|
Network management and operation has traditionally, and quite obviously, been a technology-focused endeavor. Getting enterprise networks up and running and maintaining performance over time has required a distinct focus on connection facilitation. The emphasis has been making sure various clients, such as personal computers (PCs), laptops and personal data assistants (PDAs), can link to the network from various locations, such as a local area network (LAN) or dial-up connection.
The network's principal responsibilities, therefore, have been discovering devices, ensuring they are properly configured and facilitating the linkage between those devices and the services residing on the network. Largely disregarded, however, have been users' varying access, application, bandwidth and quality of service (QoS) needs.
Through this old model, all network intelligence and decision-making abilities are placed in the core devices, handling device identification and enforcement of access and security policies. Basic, simplistic configuration is employed for basic, simplistic connectivity across multiple domains to ensure the core switches can handle all identification and connection decisions. Conversely, edge devices are essentially brainless and unable to assist in the authentication and connection process. They are only able to pass packets to the core routing switch, with no recognition or decision-making capacity.
As a result, the infrastructure behaves uniformly no matter what user is connecting to the network, whether it is a guest or a CIO. In fact, the network is unable to distinguish among different users, and is only capable of recognizing the devices through which these users are trying to connect. This traditional model of network management and access facilitation not only hinders workforce productivity, but also creates several problems and limitations. Chief among them are challenges associated with network security, management, performance and operation.
» Return to top
|
| |
| | |
|
|
|
Security
| |
|
|
|
| Security is frequently compromised and difficult to manage with traditional network access strategies. Since the infrastructure is only able to recognize clients connecting to the network, there are no safeguards to identify the people operating these clients. And since all decision-making and access enforcement responsibilities reside in the core devices, users are oftentimes already on the network before the core routing switches are able to identify and approve their clients' access rights, if at all. Furthermore, networks are frequently left wide open within a building or campus, with security gates being relegated to users logging on remotely, and few, if any, safeguards at the port level. Consequently, most enterprise networks offer minimal, inconsistent security checks, clearing the way for malicious traffic to infiltrate the infrastructure. |
| |
| | |
|
|
|
Management
| |
|
|
|
|
The traditional model of device- and connection-centric infrastructure also renders network management complex and expensive. Network administrators have to manually configure each core routing switch and edge switch to behave a particular way for a particular client or service. There is no specificity of network behavior based on individuals or groups with varying network requirements. The result is a static, rigid infrastructure that, once configured, does not change or adapt.
Nevertheless, change is an inescapable truism in the business world. With organizational and technological needs continually evolving—new applications and network services, new edge switches, new clients that connect to the network, new employees, etc.—companies get locked into an ongoing, time-consuming, expensive cycle of network reconfigurations, redesigns and upgrades.
» Return to top
|
| |
| | |
|
|
|
Performance
| |
|
|
|
| Network performance can also be compromised through this model because certain individuals and groups have diverse networking needs. For example, an engineering organization may need constant, uninterrupted access to high-bandwidth services such as computer-automated design (CAD) applications, whereas guests may only need Internet access. However, with the network behaving uniformly for every user, there is no prioritization for these particular individuals or the groups with which they are associated. This hinders an organization's ability to create efficiencies and maximize network performance based on factors such as traffic, bandwidth and QoS propagation. |
| |
| | |
|
|
|
|
| |
|
|
|
Pioneered by ProCurve, a new model of network management and access facilitation is to push intelligence from the center of the network to the edge, where users connect and policies are enforced. In doing so, organizations can implement intelligent network access through IDM.
IDM helps companies maximize network resources and improve productivity by enabling automatic configuration of the network edge through security and management policies defined in a centrally administered database. IDM solutions make this possible by allowing network administrators to dynamically apply security and performance settings to network infrastructure devices based on user, location, time and other variables. The result is a unified management infrastructure and a more secure, mobile and converged network.
IDM is the groundwork for creating an intelligent network that is able to prevent unauthorized use, and deliver an adaptive, user-friendly experience for a more productive workforce.
» Return to top
|
| |
| | |
|
|
|
| |
|
|
|
ProCurve is a leader in enabling business-driven networks that behave uniquely and appropriately for every user. The foundation of such a network is the ProCurve Adaptive EDGE Architecture, which delivers continuous command from the center with control to the edge.
With intelligence pushed to the edge, security is enhanced, traffic prioritization is improved, and users can connect anytime, anywhere with a singular view of the network. With command from the center, companies have centralized control of network configuration, making it easier to implement new applications and support new traffic types across the enterprise.
More importantly, with command from the center and control to the edge, the network is able to adapt dynamically to business and user needs.
ProCurve IDM solutions utilize command from the center to dynamically automate the configuration of the edge to provide unique behavior for every individual or group. Control to the edge allows switch and access point features to make correct decisions at the perimeter of the network. This creates the ability to easily manage and facilitate:
Access Control – Based on users and their business needs, not their clients or physical location.
Access Rights – Not only based on the individuals and their group associations, but also day, time, location, applications and services.
Policy Enforcement – On a per-user, per-session basis.
Some have argued intelligence at the edge of the network poses unmanageable complexity for an IT organization to handle. They contend it is conceptually easier to implement and manage intelligence at the core in a couple of switches versus the edge, where there are potentially thousands of ports and even more users.
However, if the configuration and desired behavior of that intelligence is automated, and the complexity remains behind the scenes, network management becomes simpler and the user experience is enhanced.
Just as configuring each switch and port for every potential user is unrealistic, so is manually creating unique profiles for each user. Creating communities based on common user needs is the more reasonable solution. Communities are formed around particular user groups that have common networking requirements. They contain specific resources as well as specific users that need those resources.
» Return to top
Users can be defined by a particular department, such as marketing, or task, such as purchasing. Resources include applications, servers, printers, Internet, intranet, etc. Attributes define when, where and how the users and resources connect.
These communities are dynamic. Users, resources and attributes can all be added, removed or adjusted (command from center), creating flexibility and allowing the communities to change in accordance with business needs (control to the edge).
Based on a particular community's parameters—users, resources and attributes—the network is able to authenticate the user and adapt itself to that person uniquely, no matter where they connect or what device they are using.
Through IDM authentication, the network determines the following and subsequently provides the proper resources and levels of access for each user:
- Who is the user?
- Where is the user (switch/port)?
- With what community(s) is the user associated?
- What resources are connected to that community(s)?
- What attributes are assigned to that community(s)?
Based on these parameters, the appropriate information and access rights flow from the centrally administered database (where they're created and stored) to the edge (where they're implemented and enforced).
This approach is significantly different from the traditional strategy, where a particular switch and particular port were configured to act a particular way. This new methodology enables any switch and any port to act uniquely for each individual. It provides the user with the same network functionality, resources and view no matter where or how they connect.
This is the essence of an intelligent, adaptive network in general, and IDM in particular. The network no longer behaves uniformly—it behaves differently for each user.
» Return to top
|
| |
| | |
|
|
|
| |
|
|
|
ProCurve solutions are inherently flexible and enable companies to enhance their networks over time, not continually rip and replace as new technologies become available.
Today's ProCurve IDM solutions authenticate individuals using RADIUS-based technologies already in place. Traditional authentication processes were a yes/no affair. If a user successfully authenticated, he or she was allowed on the network largely without restriction. If not, he or she was simply denied access. Conversely, ProCurve IDM solutions authenticate users based on several factors, including their identity, client, location, time of day and services for which they are given access rights.
Once a user is authenticated, IDM software automatically configures the particular edge switch so the individual is only able to see the parts of the network appropriate to his or her job. Because of this intelligent auto-configuration of the network edge, connectivity is location and media independent. Network access is determined and granted purely based on the user and the services to which they have privileges.
Tomorrow's ProCurve IDM solutions will advance this process further. Access Control Lists (ACLs) will be utilized to facilitate network behavior based on more detailed access rights. IDM solutions will also employ Application Control, which will create further options for facilitating application behavior on a per-user basis.
In addition, the network will be able to check the state of a particular client and grant or deny network access accordingly. For example, if a user attempts to connect to the network with a virus-infected laptop, the network will be able to identify the virus at the intelligent edge, place the user in a temporary quarantine zone where the laptop is unable to infect the network, and offer various solutions, such as software updates.
» Return to top
|
| |
| | |
|
|
|
| |
|
|
|
The benefits of moving toward an identity driven network access management model are significant. Network security is dramatically increased, with particular users being identified rather than the clients through which they are attempting to gain network access. Furthermore, users are authenticated before they are on the network, not after they have been placed on the network and directed to the core routing switch.
Network management and usage also improves through IDM. Since the core is able to automatically and dynamically configure the intelligent edge, network management is vastly simplified. In addition, with the network behaving uniquely for each individual and the complexity behind such behavior remaining transparent, network usage becomes easier.
Network performance can also be enhanced through IDM with traffic, bandwidth and QoS prioritization. This gives different groups varying levels of service to create efficiencies and maximize network operation.
Last but certainly not least, ProCurve IDM solutions ensure appropriate network usage and improve workforce productivity. With an adaptive infrastructure that configures itself based on each individual and their particular access rights and service needs, the network better serves business and user objectives rather than simply facilitating technology connectivity.
» Return to top
|
| |
| | |
|
|
|
