I have heard the term "Identity-based Networking" in relation to LAN Security. What is the relationship between identity management and securing the LAN?
The term "identity-based networking" has actually been around for many years, referring to the idea that a user's identity is somehow tied into the networking services that user can receive. When wireless LAN controllers first emerged, for example, they applied the concept of identity-based networking by not only authenticating users joining the wireless network but also by placing them into the appropriate virtual LANs (VLANs).
Identity management, often referred to as identity and access management (IAM), is slightly different, though its goals are similar. IAM systems consolidate both user names and individual access rights across multiple disparate applications. IAM systems are used to establish new user identities, grant those rights across the enterprise's applications, and then eliminate those identities and access rights when employees leave the company.
In its relation to LAN security, the fundamental meaning of identity-based networking remains the same - controlling a user's access rights on the LAN based on that user's identity. Of course, the notion of "identity" has broadened, and IT now has many more options for "controlling" users than simply placing them into VLANs.
One way to look at the expanding control options is to look at NAC systems, which have emerged as a major element of LAN security over the last couple of years. NAC incorporates pre- and post-admission tasks. Pre-admission tasks include authenticating a user and validating that the user's machine complies with corporate security policy. Clearly, authentication and posture check are valid components of a user's identity.
Post-admission tasks can include functions such as learning a user's group affiliation or role in the company, associating that role with access rights, and watching that user's behavior for anomalous activity. Many of these post-admission tasks can also contribute to defining a user's identity. Certainly a user's role or group membership is a vital component, but in applying access rights to that user, elements such as the application in use, a user's location, and time of day can also enrich the notion of a user's identity.
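As an added illustration, not part of the original column, here is a small policy evaluator that models the pre- and post-admission split described above: authentication and posture decide whether and where a host is admitted, and role, application, location and time of day then refine its rights. The VLAN numbers, roles, applications and business hours are constructed assumptions, not any vendor's NAC configuration.

```python
from dataclasses import dataclass
from datetime import time

# Constructed sample policy for illustration; VLAN ids, roles, apps and hours are assumptions.
QUARANTINE_VLAN = 999  # remediation-only network for hosts that fail the posture check
ROLE_VLAN = {"finance": 20, "engineering": 30, "contractor": 40}
ROLE_APPS = {"finance": {"erp", "email"}, "engineering": {"git", "ci", "email"}, "contractor": {"email"}}
BUSINESS_HOURS = (time(7, 0), time(19, 0))

@dataclass
class Session:
    authenticated: bool  # pre-admission: credentials accepted (e.g. via 802.1X)
    posture_ok: bool     # pre-admission: endpoint complies with security policy
    role: str            # post-admission: group/role learned from the directory
    location: str        # "office" or "remote"
    now: time            # time of day of the request
    application: str     # application the user is trying to reach

@dataclass
class Decision:
    vlan: int
    allowed: bool
    reason: str

def admit(s: Session) -> Decision:
    # Pre-admission: authentication and posture decide whether, and where, the host lands.
    if not s.authenticated:
        return Decision(0, False, "authentication failed")
    if not s.posture_ok:
        return Decision(QUARANTINE_VLAN, False, "posture check failed: quarantined")
    vlan = ROLE_VLAN.get(s.role)
    if vlan is None:
        return Decision(QUARANTINE_VLAN, False, f"unknown role {s.role!r}")
    return Decision(vlan, True, "admitted")

def authorize(s: Session) -> Decision:
    # Post-admission: role, application, location and time of day refine the rights.
    d = admit(s)
    if not d.allowed:
        return d
    if s.application not in ROLE_APPS[s.role]:
        return Decision(d.vlan, False, f"{s.application!r} not permitted for role {s.role!r}")
    if s.role == "contractor" and s.location != "office":
        return Decision(d.vlan, False, "contractors may only connect on-site")
    start, end = BUSINESS_HOURS
    if s.role == "finance" and not (start <= s.now <= end):
        return Decision(d.vlan, False, "finance access restricted to business hours")
    return Decision(d.vlan, True, "authorized")
```

The `reason` field is what a real deployment would log, so that a quarantined or denied session can be traced back to the identity attribute that triggered it.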