Identity-Based Internet Protocol Network
David Pisano - MITRE
Apr 24, 2013
Abstract
The Identity-Based Internet Protocol (IBIP) Network project is experimenting with a new enterprise-oriented network architecture using standard Internet Protocol to encode identity (ID) information into the IP packet by a new edge security device referred to as the IBIP policy enforcement point (PEP). This is a variant of a network admission control process that establishes user and host identities as well as provides optional information on host visibility, organizational affiliation, current role, and trust metric (associated with the user and host endpoints). Our motivation is to increase our security posture by leveraging identity, reducing our threat exposure, enhancing situational understanding of our environment, and simplifying network operations. In addition to authentication, we leverage strong anti-spoofing technology to improve accountability. We reduce our threat surface by “hiding” our client hosts and making all infrastructure devices inaccessible. Any attempt to access a hidden host or infrastructure device results in a policy violation attributable to the user/host that caused the violation and provides enhanced situational awareness of such activities. Our servers can also have a “permissible use” policy that ensures that the server only operates across the network per that policy. Finally, as users log in and servers are added to the network, all dynamic configurations for access control initiated by such changes are automatically carried out without manual intervention, thereby reducing potential vulnerabilities caused by human errors. [1]
[1] Extracted from Nakamoto, G.; Durst, R.; Growney, C.; Andresen, J.; Ma, J.; Trivedi, N.; Quang, R.; Pisano, D., "Identity-Based Internet Protocol Networking," Military Communications Conference, 2012 - MILCOM 2012, pp. 1-6, Oct. 29 2012-Nov. 1 2012.
About the Speaker
David Pisano is a Senior Network Engineer at the MITRE Corporation, where he has been employed for the last two and a half years. David has devoted most of this time to working on networking and networking security challenges. He has been a contributor to The Honeynet Project since 2009. Prior to joining MITRE, David earned a Master's in Networking and Systems Administration at the Rochester Institute of Technology (R.I.T.). David completed his undergraduate degree in Applied Networking and Systems Administration with a minor in Criminal Justice, also at R.I.T. David is coauthor on two papers on networking and networking security published in peer-reviewed journals.
The views, opinions and assumptions expressed in these videos are those of the presenter and do not necessarily reflect the official policy or position of CERIAS or Purdue University. All content included in these videos is the property of Purdue University, the presenter and/or the presenter’s organization, and is protected by U.S. and international copyright laws. The collection, arrangement and assembly of all content in these videos and on the hosting website is the exclusive property of Purdue University. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works, transmit, or in any other way exploit any part of copyrighted material without permission from CERIAS, Purdue University.