How can network engineers use privacy tools to protect users?
Suppression is not as helpful as minimization in network operations. Network operations should record the minimal information possible to maintain and optimize the network.
Noise injection might not seem to have a place in network monitoring at first glance. Consider captured packets, however.
There is no reason to keep the data inside the packet. Instead, the packet’s contents could be replaced with generated data with characteristics close to the original.
Aggregation will (obviously) apply to the source and destination IP addresses. Subnet-to-subnet traffic information will often be as "good enough" for understanding long-term network performance trends as host-to-host traffic information.
Segmentation might be used in network operations by keeping DNS query information separate from packet forwarding logs and enforcing individual access rights for the two kinds of information.
These tools also can apply over time. For instance, a network operator might implement the policies described in Table 18-2 to protect user privacy.
Table 18-2 Network Logging Retention Policy Example
Information can be removed in various ways throughout the life of logging data, reducing the risk of PII leaking in the case of a data breach.
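The following is an added example, not code from the book, showing the four tools above applied to captured packet records over the life of the data: noise injection replaces packet contents with random bytes of the same length, minimization later drops the payload entirely, aggregation truncates host addresses to subnets (/24 for IPv4, /48 for IPv6; both prefix lengths are assumptions), and segmentation keeps DNS query records in a store separate from forwarding records. The age thresholds in POLICY are constructed for illustration, since the contents of Table 18-2 are not reproduced here, and the sample records are constructed.

```python
import ipaddress
import os
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Record:
    """One captured record. age_days says how long ago it was captured."""
    age_days: int
    kind: str               # "dns" for DNS query records, "fwd" for forwarding logs
    src: str
    dst: str
    proto: str
    payload: bytes
    dns_qname: Optional[str] = None   # set only for DNS query records


# Constructed retention policy (illustrative thresholds, not the book's values).
POLICY = {
    "payload_max_days": 1,    # payload kept (as noise) only this long, then removed
    "host_max_days": 7,       # host addresses aggregated to subnets after this
    "dns_max_days": 30,       # DNS query names removed after this
    "retain_max_days": 90,    # record discarded entirely after this
}


def aggregate_ip(ip: str, v4_prefix: int = 24, v6_prefix: int = 48) -> str:
    """Aggregation: reduce a host address to its subnet."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def inject_noise(payload: bytes) -> bytes:
    """Noise injection: keep the shape of the payload (its length) but replace
    its contents with random bytes, so nothing the user sent survives."""
    return os.urandom(len(payload))


def apply_retention(rec: Record, policy: dict = POLICY) -> Optional[Record]:
    """Apply the age-based policy to one record. Returns None when it is dropped."""
    if rec.age_days >= policy["retain_max_days"]:
        return None
    out = rec
    if out.age_days >= policy["payload_max_days"]:
        out = replace(out, payload=b"")          # minimization: payload gone
    else:
        out = replace(out, payload=inject_noise(out.payload))
    if out.age_days >= policy["host_max_days"]:
        out = replace(out, src=aggregate_ip(out.src), dst=aggregate_ip(out.dst))
    if out.age_days >= policy["dns_max_days"]:
        out = replace(out, dns_qname=None)
    return out


def segment(records: List[Record]) -> Tuple[List[Record], List[Record]]:
    """Segmentation: DNS query records and forwarding records go to separate
    stores with separate access rights; two lists stand in for the stores."""
    dns_store = [r for r in records if r.kind == "dns"]
    fwd_store = [r for r in records if r.kind == "fwd"]
    return dns_store, fwd_store


# Constructed sample records at different ages.
SAMPLE = [
    Record(0, "fwd", "10.1.2.3", "192.0.2.10", "tcp", b"GET /account HTTP/1.1"),
    Record(8, "dns", "10.1.2.3", "10.1.9.53", "udp", b"\x12\x34\x01\x00", dns_qname="mail.example.com"),
    Record(35, "dns", "2001:db8:1:2::7", "2001:db8:9::53", "udp", b"\x56\x78\x01\x00", dns_qname="intranet.example"),
    Record(120, "fwd", "10.1.2.4", "192.0.2.20", "tcp", b"old session data"),
]


def process(records: List[Record] = SAMPLE) -> Tuple[List[Record], List[Record]]:
    """Run retention over every record, then segment what survives."""
    kept = [r for r in (apply_retention(r) for r in records) if r is not None]
    return segment(kept)


if __name__ == "__main__":
    for store_name, store in zip(("dns", "fwd"), process()):
        for r in store:
            print(store_name, r)
```

Running the policy at ingest time and again on each retention boundary means a breach of the archive exposes subnets and protocol counts, not user payloads or individual hosts.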
Authentication, Authorization, and Accounting
The phrase authentication, authorization, and accounting (AAA) describes the steps a user must pass through to access resources. Figure 18-9 illustrates the typical login process using a centralized AAA server.
Figure 18-9 Typical AAA Process
A user at host A attempts to connect to server D. Router C intercepts this request, sending it to an AAA server, B. The AAA server will challenge the user for one or two kinds of authentication:
• Something you have, such as an authentication code from an app, an authentication device, or a badge
• Something you know, such as a password or passphrase
• Something you are, such as being in a specific location, a fingerprint, or face recognition
Passwords and passphrases are considered the weakest form of authentication. Most systems require two-factor authentication (2FA) or multifactor authentication (MFA) when using a password or passphrase to log in. The AAA server returns a token to router C.
Router C matches this token to a set of policies. This set of policies describes whether the user is authorized to access server D. If the user is authorized, C will forward the user’s traffic to the server.
Finally, router C will record, or log, traffic flowing between A and D. This allows the operator to track what the user sends, receives, etc. This step is accounting, which is keeping track of who accesses what data and what data moves where in the network.
The three steps are, then,
• Authentication verifies the user’s identity.
• Authorization verifies the user’s ability to use a resource or access a data source.
• Accounting tracks what the user is doing.
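The exchange in Figure 18-9, as an added example that is not part of the book: an AAA server (B) checks a password ("something you know") and a one-time code ("something you have") against an identity store, issues an HMAC-signed token, and a router (C) matches the token against its policies before forwarding to the resource and writing an accounting record. The identity store is a dictionary standing in for a directory service, the one-time code is an HOTP-style counter-based code, the token format, policy names, secrets and user "alice" are all constructed, and "something you are" is not modelled.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional


def _pw_hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the identity store never holds a raw password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed identity store; a real deployment would query a directory.
_SALT = b"constructed-salt"
IDENTITY_STORE: Dict[str, dict] = {
    "alice": {
        "pw": _pw_hash("correct horse battery", _SALT),
        "salt": _SALT,
        "otp_secret": b"constructed-otp-secret",
        "groups": ["finance"],
    },
}

# Constructed policies held by router C: which groups may reach which resource.
POLICIES = {
    "server-d": {"allowed_groups": ["finance"]},
    "server-e": {"allowed_groups": ["admins"]},
}

# Constructed key shared between the AAA server and the router to sign tokens.
TOKEN_KEY = b"constructed-shared-key-between-B-and-C"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based one-time code (HMAC-SHA1 with dynamic truncation)."""
    h = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = h[-1] & 0x0F
    code = ((h[offset] & 0x7F) << 24 | h[offset + 1] << 16
            | h[offset + 2] << 8 | h[offset + 3]) % (10 ** digits)
    return f"{code:0{digits}d}"


class AAAServer:
    """Server B: authenticates the user and returns a signed token."""

    def __init__(self) -> None:
        self.counters: Dict[str, int] = {}   # next expected HOTP counter per user

    def authenticate(self, user: str, password: str, otp: str) -> Optional[str]:
        entry = IDENTITY_STORE.get(user)
        if entry is None:
            return None
        if not hmac.compare_digest(_pw_hash(password, entry["salt"]), entry["pw"]):
            return None
        ctr = self.counters.get(user, 0)
        if not hmac.compare_digest(hotp(entry["otp_secret"], ctr), otp):
            return None
        self.counters[user] = ctr + 1        # each code is accepted once
        claims = {"user": user, "groups": entry["groups"], "exp": int(time.time()) + 300}
        payload = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(TOKEN_KEY, payload, hashlib.sha256).hexdigest()
        return payload.hex() + "." + sig


class Router:
    """Router C: verifies the token, authorizes against policy, keeps accounting."""

    def __init__(self) -> None:
        self.accounting_log: List[dict] = []

    def verify_token(self, token: str) -> Optional[dict]:
        try:
            payload_hex, sig = token.split(".")
            payload = bytes.fromhex(payload_hex)
        except ValueError:
            return None
        expected = hmac.new(TOKEN_KEY, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None
        claims = json.loads(payload)
        if claims["exp"] < time.time():
            return None
        return claims

    def authorize(self, claims: dict, resource: str) -> bool:
        policy = POLICIES.get(resource)
        if policy is None:
            return False                     # default deny for unknown resources
        return any(g in policy["allowed_groups"] for g in claims["groups"])

    def forward(self, token: str, resource: str, nbytes: int) -> bool:
        """Decide whether A's traffic to the resource is forwarded; log either way."""
        claims = self.verify_token(token)
        allowed = claims is not None and self.authorize(claims, resource)
        self.accounting_log.append({
            "user": claims["user"] if claims else None,
            "resource": resource,
            "allowed": allowed,
            "bytes": nbytes if allowed else 0,
        })
        return allowed
```

The router never sees the password or the one-time code; it trusts only a token it can verify with the shared key, and every forwarding decision, allowed or denied, produces an accounting entry.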
While Figure 18-9 illustrates the AAA process between a router, user, and AAA server, operators configure AAA in other ways, including
• Locally configured username and password files are often used on individual hosts.
• AAA services run locally on each host or service rather than on a network device through which users access the service.
• Large organizations often operate separate AAA services for internal and external users.
Identity Stores
AAA servers rarely have a list of every user, their credentials, and the services they are authorized to use. Instead, AAA servers rely on information from an identity store, a specialized application used to support
• Information technology AAA services.
• Internal and external user directories.
• Internal mail and telephone systems.
Administrators can control many aspects of employee access within a single identity store rather than using many different applications. Some typical identity stores include
• Active Directory is a directory service developed by Microsoft for Windows domain networks. A server running Active Directory Domain Services (AD DS) provides AAA, a lightweight directory, and other services.
• OpenLDAP is an open-source directory service. Configuring and managing OpenLDAP is (generally) more complex than many commercial identity stores.
• JumpCloud is a SaaS, or cloud-based, identity store.
While Active Directory is the most widely deployed identity store, other options exist for organizations that desire an alternative.