Effective User identification on the Firewall
A firewall's user identification features allow you to identify network traffic by user, using a variety of methods and integrations.
This is a critically important firewall feature to get right, as it allows for improved real-time visibility, policy control by user or group of users, and effective logging, reporting and forensics.
It is often used to facilitate time-based controls for groups of users, enabling more or less restrictive policies at certain times of the day or week, or on some other schedule.
Care must be taken to ensure that all desired Internet traffic is associated with a user, so that the correct policies can be applied to implement safeguarding and other controls, and so that users cannot circumvent these controls.
Typically the exceptions to this will be inbound traffic from the Internet to any Internet-facing services you host locally, and traffic from local servers.
Examples of circumvention of these kinds of controls:
- Students or guests using staff Wifi keys or credentials on their personal devices.
- Students sharing credentials or Wifi keys.
- Students using guest access to network / Wifi and obtaining ‘adult guest’ policies rather than student policies.
- Timeouts in the system disassociating a device or client IP address from the user that originally logged in to it.
- Incorrectly configured firewall policies allowing Internet or network access without adequate user identification.
- Connecting devices, including rogue Wifi access points, to Ethernet ports or VLANs that are not properly controlled (for example a server VLAN), allowing Internet access without a user association.
- Installing virtualisation software on a computer and using remote access to guest operating systems to gain the same user access as the host operating system.
- Spoofing syslog messages to trick the firewall into falsely associating a user with an IP address for a period of time.
The system must facilitate a workable and practical solution for Wifi and network-connected devices that is hard or impossible for users to circumvent.
Aside from being important for effective policy control, reliable user identification also matters for log processing.
If we process your firewall logs on your behalf to identify commercial VPN users, or for other more specific processing, having the user identity and matched policy included in the firewall logs identifies the user directly, without the need to process additional logs (for example from DHCP servers) to match a user to a client IP address at a specific point in time. Done by hand, that matching is a laborious process.
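As an added illustration (not code from the original page or from any firewall vendor), the following Python performs the fallback matching described above: firewall log lines that carry a user field are attributed directly, lines without one are attributed to the DHCP lease that was active for that client IP at that moment, and lines that neither source can attribute are left as `None` so they can be investigated as policy gaps. Both log formats and all sample values are constructed for the example.

```python
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall traffic log (not a real vendor format): timestamp,
# client IP, destination, user field (empty = no user identified), matched policy.
FIREWALL_LOG = """\
2024-03-04T08:59:30 10.20.1.15 93.184.216.34:443 user=jsmith policy=staff-web
2024-03-04T09:02:10 10.20.1.40 142.250.74.78:443 user= policy=allow-any
2024-03-04T09:05:00 10.20.1.15 203.0.113.9:443 user=jsmith policy=staff-web
2024-03-04T09:30:00 10.20.1.40 198.51.100.7:443 user= policy=allow-any
2024-03-04T09:31:00 10.20.5.9 198.51.100.8:443 user= policy=allow-any
"""
# Constructed DHCP lease events: timestamp, client IP, identity attached by the DHCP/NAC source.
DHCP_LOG = """\
2024-03-04T08:00:00 10.20.1.15 jsmith
2024-03-04T08:45:00 10.20.1.40 guest-portal
2024-03-04T09:20:00 10.20.1.40 astudent
"""

def build_lease_index(dhcp_text):
    """Map client IP -> chronologically sorted (timestamp, identity) lease events."""
    index = defaultdict(list)
    for line in dhcp_text.splitlines():
        ts, ip, ident = line.split()
        index[ip].append((datetime.fromisoformat(ts), ident))
    for events in index.values():
        events.sort()
    return index

def lookup_user(index, ip, ts):
    """Identity from the most recent lease of `ip` at or before `ts`, or None if unknown."""
    events = index.get(ip, [])
    pos = bisect_right([t for t, _ in events], ts)
    return events[pos - 1][1] if pos else None

def audit(firewall_text, dhcp_text):
    """Attribute each firewall log line to a user: firewall user field first, DHCP lease second."""
    index = build_lease_index(dhcp_text)
    results = []
    for line in firewall_text.splitlines():
        ts, ip, dst, user_field, policy_field = line.split()
        user = user_field.partition("=")[2] or None
        source = "firewall" if user else None
        if user is None:                      # firewall had no user: consult DHCP history
            user = lookup_user(index, ip, datetime.fromisoformat(ts))
            source = "dhcp" if user else None
        results.append({"ts": ts, "ip": ip, "dst": dst, "user": user, "source": source,
                        "policy": policy_field.partition("=")[2]})
    return results
```

Lines whose `source` is `None` are exactly the traffic the firewall allowed without any user association, which is the gap the policy review above warns about.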
As far as possible, you should avoid network architectures and other technology or software solutions that defeat the ability to reliably map a user to every outbound connection from your network.