Triple A (AAA): The Defining Factors Of Controlled Network Access - Part 1
At the base of network usage in a controlled environment are three questions. These questions are not alien to any kind of focused usage, online or long before the World Wide Web became an all-encompassing factor in business and life.
These questions are
- Who or What are you?
- What are you allowed to do?
- What did you do?
These fundamental security building blocks are not alien to human enterprise and are indeed necessary for ensuring basic security.
In the world of networking, this process is known as ‘Network Authentication, Authorization and Accounting’, or AAA (popularly known as Triple A). Basically, it is the network asking you the same three questions listed above, the three questions that are basic to having a secure network.
AAA, at its core, is all about enabling mobility and dynamic security. Without AAA, a network must be statically configured to control access; IP addresses must be fixed, systems cannot move, and connectivity options should be well defined. Even the earliest days of dialup access broke this static model, thereby requiring AAA. Today, the proliferation of mobile devices, diverse network consumers, and varied network access methods combine to create an environment that places greater demands on AAA.
Triple A has a part to play in almost all the ways we access a network today. Emerging technologies such as Network Access Control (NAC) extend AAA even into corporate Ethernet access (historically the "trusted" network that set the benchmark level of security that all other types of access had to match). Today, wireless hotspots need AAA for security, partitioned networks require AAA to enforce segmentation, and remote access of every kind uses AAA to authorize remote users.
For most network administrators, the genesis of AAA coincided with the development of the Remote Authentication Dial-In User Service (RADIUS) protocol [2], which remains the most widely accepted AAA protocol today.
Before we define the protocol mentioned above, let us understand the core components within the AAA system.
Client: The client is the device attempting to access the network. The client either authenticates itself, or it acts as a proxy to authenticate the user.
Policy Enforcement Point (Authenticator): The Policy Enforcement Point (PEP) is sometimes called the authenticator; it may be a dial-in server, VPN concentrator, firewall, gateway, General Packet Radio Service (GPRS) support node, Ethernet switch, wireless access point, or an inline security gateway. The PEP is responsible for enforcing the terms of a client's access. This enforcement varies based on the capabilities of the PEP and is discussed later in this article.
Policy Information Point: The Policy Information Point (PIP) is a repository of information to help make the access decision. It could be a database of device IDs, a user directory such as the Lightweight Directory Access Protocol (LDAP), a one-time password (OTP) token server, or any other system that houses data relevant to a device or user access request.
Policy Decision Point (AAA Server): The Policy Decision Point (PDP) is the brain of the AAA decision. It collects the access request from the client through the PEP. It also queries any relevant PIPs to gather the information it needs to make the access decision. The PDP, as its name implies, is the entity that makes the final decision around network access. It also can send specific authorizations back to the PEP that apply settings or constraints to the client's network traffic.
It is important to understand that the preceding components are logical containers of functions and not necessarily dedicated physical devices. Often elements are combined, such as the PEP with the PDP, and the PDP with the PIP.
In subsequent articles we will talk about the process in detail with examples. This article will focus on the basic definitions and the need for AAA.
Authentication Elements
When performing authentication, numerous elements can be evaluated before a PDP reaches its access decision. At a high level, these elements can be broken down into three categories: the principal itself (the user, device, or service requesting access), the credential the principal submits (shared key, one-time password, digital certificate, or biometric credential), and the contextual information describing the transaction (location, time of day, software state, and so on).
Authorization Approaches
At its core, authorization means determining what a client is allowed to do on the network. However, the granularity of this authorization is only as good as the sophistication of the PDP and the enforcement capabilities of the PEP.
Accounting Techniques
Accounting is an increasingly critical step in the overall AAA process. Regulatory controls are starting to mandate better auditing of network access. The last stage of AAA, accounting simply records which clients accessed the network, what they were granted access to, and when they disconnected from the network. Accounting has always been widely used in the Internet Service Provider (ISP) space because auditing network access is the basis for billing ISP customers. Increasingly, accounting is being used as a way to correlate client attribute information (username, IP address, etc.) with actions and events on the network. This is absolutely essential in today’s volatile political and social environment.
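The following is an added example, not code from the original article: a toy model of the four components defined above (client request, PEP, PIPs, PDP) that exercises all three stages, evaluating the principal, its credential and its context for authentication, returning enforcement attributes for authorization, and writing Start/Stop records for accounting. All user names, passwords, OTP values, VLAN numbers and policy rules are constructed for illustration.

```python
import hashlib
import hmac

# Policy Information Points (constructed): a user directory standing in for
# LDAP, and a one-time-password server. Credentials here are sample values.
def _digest(pw: str) -> str:
    return hashlib.sha256(b"constructed-salt" + pw.encode()).hexdigest()

USER_DIRECTORY = {"alice": {"pw": _digest("correct horse"), "group": "staff"},
                  "bob": {"pw": _digest("hunter2"), "group": "contractor"}}
OTP_SERVER = {"alice": "493821", "bob": "117305"}
# Authorization policy: the group decides which attributes the PEP enforces.
POLICY = {"staff": {"vlan": 10, "acl": "permit-all"},
          "contractor": {"vlan": 30, "acl": "web-only"}}
BUSINESS_HOURS = range(8, 18)

def decide(principal, password, otp, context):
    """Policy Decision Point: evaluate principal, credential and context."""
    entry = USER_DIRECTORY.get(principal)
    # compare_digest keeps the comparison constant-time regardless of mismatch.
    if entry is None or not hmac.compare_digest(entry["pw"], _digest(password)):
        return {"result": "Access-Reject", "reason": "bad credential"}
    if not hmac.compare_digest(OTP_SERVER.get(principal, ""), otp):
        return {"result": "Access-Reject", "reason": "bad one-time password"}
    # Contextual elements: remote access is limited to business hours.
    if context.get("location") != "corp-lan" and context.get("hour") not in BUSINESS_HOURS:
        return {"result": "Access-Reject", "reason": "remote access outside hours"}
    attrs = dict(POLICY[entry["group"]])
    if not context.get("patched", True):               # software-state element
        attrs = {"vlan": 99, "acl": "remediation-only"}  # quarantine VLAN
    return {"result": "Access-Accept", "attributes": attrs}

class Authenticator:
    """Policy Enforcement Point: relays the request, applies the returned
    attributes to the session and writes accounting Start/Stop records."""
    def __init__(self):
        self.sessions, self.accounting = {}, []

    def connect(self, principal, password, otp, context, now):
        decision = decide(principal, password, otp, context)
        if decision["result"] == "Access-Accept":
            self.sessions[principal] = decision["attributes"]
            self.accounting.append({"event": "Start", "user": principal, "at": now,
                                    "ip": context.get("ip"), **decision["attributes"]})
        return decision

    def disconnect(self, principal, now):
        attrs = self.sessions.pop(principal)
        self.accounting.append({"event": "Stop", "user": principal, "at": now, **attrs})
```

The accounting list is what lets a later investigation tie a username and IP address to a session window, which is the correlation use the paragraph above describes.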