Effective User identification on the Firewall

A firewall's user identification features allow you to identify network traffic by user, using a variety of methods and integrations.

This is a critically important firewall feature to get right, as it allows for improved real-time visibility, policy control by user or group of users, and effective logging, reporting and forensics.
It is often used to apply time-based controls to groups of users, enabling more or less restrictive policies at certain times of the day or week (or on some other schedule), or simply to apply different policies to different groups of users: pupils, teachers, support staff, guests, technical staff, senior management and so on.
Care must be taken to ensure that all desired Internet traffic is associated with a user, so that the correct policies can be applied to implement safeguarding and other controls, and that users cannot circumvent these controls.
Typically, the only exception to this will be inbound traffic from the Internet to any Internet-facing services that are hosted locally.

Examples of circumvention of these kinds of controls:

  • Students or guests using staff Wi-Fi keys or credentials on their personal devices.
  • Students sharing credentials or Wi-Fi keys.
  • Students using guest access to the network or Wi-Fi and obtaining ‘adult guest’ policies rather than student policies.
  • Timeouts in the system disassociating a device, or a client IP address, from the user that originally logged into it.
  • Incorrectly configured firewall policies allowing Internet or network access without adequate user identification.
  • Connecting devices, including rogue Wi-Fi access points, to Ethernet ports or VLANs that are not properly controlled (for example a server VLAN), allowing Internet access without a user association.
  • Installing virtualisation software on a computer and using remote access to guest operating systems to gain the same user access as the host operating system.
  • Spoofing syslog messages to trick the firewall into a false association of a user with an IP address for a period of time.

The complete ecosystem must provide a workable and practical solution for Wi-Fi and network-connected devices that is hard or impossible for users to circumvent.
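A practical way to check that the controls above are actually holding is to audit the firewall's traffic logs for the gaps the list describes: outbound sessions with no user mapping, one client IP flipping between identified users (shared credentials or a stale mapping), and staff identities appearing on student networks. The script below is an added example, not code from the original page or from any firewall vendor; the log field layout, the zone names, the `HOSTED_SERVICES` and `STAFF_USERS` sets and all sample log lines are constructed assumptions that you would replace with your own firewall's export format and directory groups.

```python
"""Audit constructed firewall traffic logs for gaps in user identification.

Added example. The comma-separated field layout below is an assumption,
not any vendor's real log format; all IPs, users and zones are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp,src_ip,dst_ip,src_zone,dst_zone,user,rule
# An empty user field means the firewall had no user mapping for that session.
SAMPLE_LOG = """\
2024-03-04T08:00:01,10.1.20.15,198.51.100.7,trust,untrust,DOMAIN\\jsmith,staff-web
2024-03-04T08:00:05,10.1.30.40,198.51.100.7,student-wifi,untrust,,student-web
2024-03-04T08:00:09,10.1.50.8,198.51.100.9,servers,untrust,,server-updates
2024-03-04T08:01:00,192.0.2.44,203.0.113.10,untrust,dmz,,inbound-web
2024-03-04T08:02:00,10.1.30.40,198.51.100.7,student-wifi,untrust,DOMAIN\\jsmith,staff-web
2024-03-04T08:03:00,10.1.30.40,198.51.100.7,student-wifi,untrust,DOMAIN\\ajones,student-web
"""

# Constructed: the one locally hosted Internet-facing service, which is the
# expected exception to the "every session has a user" rule.
HOSTED_SERVICES = frozenset({"203.0.113.10"})

# Constructed: accounts that belong to staff (would come from the directory).
STAFF_USERS = frozenset({"DOMAIN\\jsmith"})


def parse_log(text):
    """Turn the constructed log text into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, src_zone, dst_zone, user, rule = line.split(",")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": src, "dst": dst,
            "src_zone": src_zone, "dst_zone": dst_zone,
            "user": user or None,   # empty field -> no user mapping
            "rule": rule,
        })
    return records


def unidentified_outbound(records, hosted_services=frozenset()):
    """Sessions with no user mapping, excluding inbound hits on hosted services.

    Anything returned here reached the firewall without a user association,
    which is exactly the gap that misconfigured policies or an uncontrolled
    VLAN would produce.
    """
    return [
        r for r in records
        if r["user"] is None and r["dst"] not in hosted_services
    ]


def shared_ip_users(records, window=timedelta(minutes=10)):
    """Source IPs that map to more than one identified user within `window`.

    Rapid identity churn on one client address points at shared credentials
    or at a user-to-IP mapping that was not cleared when the first user left.
    """
    by_ip = defaultdict(list)
    for r in records:
        if r["user"]:
            by_ip[r["src"]].append((r["ts"], r["user"]))
    findings = []
    for ip, seen in by_ip.items():
        seen.sort()
        for (t1, u1), (t2, u2) in zip(seen, seen[1:]):
            if u1 != u2 and t2 - t1 <= window:
                findings.append((ip, u1, u2))
    return findings


def staff_on_student_network(records, staff_users, student_zones=("student-wifi",)):
    """Staff accounts seen on zones reserved for students (credential sharing)."""
    return [
        (r["src"], r["user"]) for r in records
        if r["user"] in staff_users and r["src_zone"] in student_zones
    ]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in unidentified_outbound(recs, HOSTED_SERVICES):
        print(f"no user mapping: {r['src']} -> {r['dst']} via rule {r['rule']}")
    for ip, u1, u2 in shared_ip_users(recs):
        print(f"identity churn on {ip}: {u1} then {u2} within 10 minutes")
    for ip, user in staff_on_student_network(recs, STAFF_USERS):
        print(f"staff account {user} seen on student network from {ip}")
```

Run against the constructed sample, the first check flags the student Wi-Fi client and the server-VLAN host that reached the Internet with no user, while ignoring the inbound hit on the hosted web server; the second flags `10.1.30.40` switching between two accounts within a minute; the third flags the staff account on the student Wi-Fi zone. In practice you would feed it a scheduled export of the real traffic log and alert on any non-empty result from the first check, since that is the one that directly means a policy was applied without knowing who the user was.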