Network Switch Device

High Level Access Matrix

Trying to solve the problem of controlling such a diverse infrastructure head-on by writing down the rules on each infrastructure device (access point, switch or router) on the principle of “Node A allow access to Node B”, we can, but already on the 10th device we realize that we got excited ( with the number of devices on the Cisco network described above). This will not only take time to register and check access control lists, but also reduce the performance of network devices that will be forced to check every incoming frame or packet for ACL compliance. And if we recall the mobility of our employees, which can be located in different places of the corporate network or outside it (all this within one day), then setting static rules is not only inefficient, but also impossible. Ultimately, all the rules will turn into a classic “everything is allowed to everyone and everywhere”, which is clearly not an example of what it is worth striving for.

Therefore, we began to solve the problem in parts and from top to bottom. First, a “large-scale” policy was defined using only two attributes — the level of trust and accessibility. The result was a high-level matrix, which made it possible to group all the above types of devices and users into only 4 large blocks. This matrix allowed us to determine the answer to the question “who / what to let into our network”.

However, we did not limit ourselves to the banal authentication of users or devices (although this is already a lot). Still, at the same level of mobility of Cisco employees, a situation is possible when being a week or two (and there are monthly business trips) away from the corporate network, an employee can catch any infection on his laptop or tablet. Therefore, in addition to authentication, it was also necessary to check the status of the device – the presence of the necessary protection means, antivirus, up-to-date antivirus databases, patches, and for smartphones or tablets also the presence of a jailbreak, encryption enabled, an established PIN code of a certain length, etc.

Leave a Reply

Your email address will not be published. Required fields are marked *