Creating The Most Secure Network – Part 4

by Sorell Slaymaker

Integrating Active Directory and/or LDAP directories into routing is the fourth critical step in creating a world-class, secure network.

Quick Recap: 

  1. Create a network that denies all packets unless there is an explicit policy to allow them.  This creates a Zero Trust network that has neither broadcast domains nor default routes over which malicious traffic can propagate.
  2. Integrate routing and security into the same software stack so that the two can work together.  Today's model, where routers forward packets and firewalls block packets, is too complex, cumbersome, and costly.
  3. Use named addressing so that routing and security policies can transit a firewall/NAT boundary and can be understood by humans and applications, which is one of the foundations for Intent Based Networking.

The fourth step is to use the existing enterprise directories as part of the naming schema for routing and security policies, so that the policies define who (across their many devices) has access to what (the many applications, websites, and other users).

Identity and access management is a core foundational element of security, and that information is stored in directories.  It is only logical, then, for routing to leverage this information when deciding whether to forward a packet on the network.

Network Admission Control (NAC) is an attempt to do this, but it does not work in the real world, where users are mobile and applications are everywhere, so people end up on networks that they do not own or control.  Plus, once you are admitted to the network you can go anywhere.

Directories provide a standard way to segment an organization's users, devices, and applications, along with federation that extends this across organizations.  Forests, trees, domains, organizational units, objects, attributes, and services provide a hierarchical segmentation model that can be used for routing and security policies.

Instead of having to create thousands of access control lists in routers and firewalls, a directory can be imported and used to generate the routing and security policies.  As users and applications change, the directory is updated; the secure routed network then downloads the changes and automatically distributes them for enforcement.
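To make the last three paragraphs concrete, here is an added example (not code from the original post, and not any vendor's implementation) that compiles a small, constructed LDAP-style export plus a handful of rules written in directory names into a deny-by-default forwarding table.  Everything in it is assumed: the DNs, the `owner`/`ipHostNumber`/`port` attributes used to tie devices and services to addresses, the group and OU names, and the addresses.  A rule's subject can be a group (matched through `memberOf`) or a container such as an OU (matched by DN suffix), which is the hierarchical segmentation the directory already gives you; removing a user from a group and recompiling shows how a directory change propagates to enforcement without anyone editing an ACL.

```python
"""Directory-driven routing policy: expand name-based rules into an
explicit allow table and forward only what is in it (default deny).
All entries, attribute names and addresses are constructed for illustration."""
import copy

BASE = "dc=example,dc=com"  # assumed directory suffix

# Constructed LDAP-style export: users, the devices they own, and services.
DIRECTORY = [
    {"dn": f"uid=alice,ou=Users,{BASE}", "objectClass": "person",
     "memberOf": [f"cn=Engineering,ou=Groups,{BASE}"]},
    {"dn": f"uid=bob,ou=Users,{BASE}", "objectClass": "person",
     "memberOf": [f"cn=Finance,ou=Groups,{BASE}"]},
    {"dn": f"uid=carol,ou=Contractors,{BASE}", "objectClass": "person",
     "memberOf": [f"cn=Engineering,ou=Groups,{BASE}"]},
    # Device objects: 'owner' links the device to a user, 'ipHostNumber' is its address.
    {"dn": f"cn=alice-laptop,ou=Computers,{BASE}", "objectClass": "device",
     "owner": f"uid=alice,ou=Users,{BASE}", "ipHostNumber": "10.1.0.11"},
    {"dn": f"cn=alice-phone,ou=Computers,{BASE}", "objectClass": "device",
     "owner": f"uid=alice,ou=Users,{BASE}", "ipHostNumber": "10.2.0.11"},
    {"dn": f"cn=bob-laptop,ou=Computers,{BASE}", "objectClass": "device",
     "owner": f"uid=bob,ou=Users,{BASE}", "ipHostNumber": "10.1.0.22"},
    {"dn": f"cn=carol-laptop,ou=Computers,{BASE}", "objectClass": "device",
     "owner": f"uid=carol,ou=Contractors,{BASE}", "ipHostNumber": "10.3.0.33"},
    # Service objects: the named destinations that policy refers to.
    {"dn": f"cn=gitlab,ou=Services,{BASE}", "objectClass": "service",
     "ipHostNumber": "10.9.0.5", "port": 443},
    {"dn": f"cn=erp,ou=Services,{BASE}", "objectClass": "service",
     "ipHostNumber": "10.9.0.6", "port": 8443},
    {"dn": f"cn=intranet,ou=Services,{BASE}", "objectClass": "service",
     "ipHostNumber": "10.9.0.7", "port": 443},
]

# Intent rules in directory names: (subject selector, service DN).
# A selector is a group DN (membership) or a container DN (position in the tree).
RULES = [
    (f"cn=Engineering,ou=Groups,{BASE}", f"cn=gitlab,ou=Services,{BASE}"),
    (f"cn=Finance,ou=Groups,{BASE}", f"cn=erp,ou=Services,{BASE}"),
    (f"ou=Users,{BASE}", f"cn=intranet,ou=Services,{BASE}"),  # employees only, not ou=Contractors
]


def normalize_dn(dn):
    """Case-fold and trim RDNs so DNs compare reliably. LDAP attribute types
    are case-insensitive; folding the values too is a simplification."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_under(dn, container):
    """True when dn is the container itself or sits anywhere beneath it."""
    dn, container = normalize_dn(dn), normalize_dn(container)
    return dn == container or dn.endswith("," + container)


def subject_matches(user, selector):
    """Group selector: user must be a member. Container selector (OU, domain):
    the user object must live beneath it."""
    sel = normalize_dn(selector)
    if any(normalize_dn(g) == sel for g in user.get("memberOf", [])):
        return True
    return is_under(user["dn"], selector)


def compile_table(directory, rules):
    """Expand each rule into explicit (src_ip, dst_ip, dst_port) allow entries
    covering every device the matching users own. Nothing else is allowed."""
    users = [e for e in directory if e["objectClass"] == "person"]
    devices = [e for e in directory if e["objectClass"] == "device"]
    services = {normalize_dn(e["dn"]): e for e in directory if e["objectClass"] == "service"}
    table = set()
    for selector, service_dn in rules:
        svc = services[normalize_dn(service_dn)]
        for user in users:
            if not subject_matches(user, selector):
                continue
            for dev in devices:
                if normalize_dn(dev["owner"]) == normalize_dn(user["dn"]):
                    table.add((dev["ipHostNumber"], svc["ipHostNumber"], svc["port"]))
    return table


def decide(table, src_ip, dst_ip, dst_port):
    """Forwarding decision: allow only on an explicit entry, otherwise deny."""
    return "allow" if (src_ip, dst_ip, dst_port) in table else "deny"


def remove_from_group(directory, user_dn, group_dn):
    """Simulate a directory change (user leaves a group); the caller recompiles."""
    updated = copy.deepcopy(directory)
    for e in updated:
        if normalize_dn(e["dn"]) == normalize_dn(user_dn):
            e["memberOf"] = [g for g in e.get("memberOf", [])
                             if normalize_dn(g) != normalize_dn(group_dn)]
    return updated


if __name__ == "__main__":
    table = compile_table(DIRECTORY, RULES)
    for src, dst, port in sorted(table):
        print(f"allow {src} -> {dst}:{port}")
    print("bob -> gitlab:", decide(table, "10.1.0.22", "10.9.0.5", 443))
    print("carol -> intranet:", decide(table, "10.3.0.33", "10.9.0.7", 443))
```

Two properties are worth noticing.  Alice's phone gets the same access as her laptop because the policy names her, not an address, which is the "who, on their many devices" point above.  Carol is in the Engineering group but under `ou=Contractors`, so the group rule admits her to GitLab while the OU-scoped rule keeps her off the intranet; lateral traffic between laptops has no rule and is dropped.  In a real deployment the compiled entries would be pushed to the edge routers in whatever form they enforce, and the table would be rebuilt on every directory change rather than edited by hand.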

Network security starts at the very edge of the network, and until enterprises and service providers realize this, their networks will remain vulnerable.