

Connection Sequence

This section covers the common functionality that all ENC nodes have to perform in order to participate in the ENC virtual infrastructure. The common functionality is split into three distinct phases: physical connection, authentication, and finally, authorization.

Physical Connection

All nodes are required to be listed in the IP Address white-list table to be allowed to connect to the target ENC node in the first instance. On each connection established to an ENC node, the authorization component is called to check if access should be allowed or denied. If denied, the connection will be terminated immediately.

Authentication

Once a network transport connection has been established, both peers use the TLS protocol to authenticate to each other, to verify that the authenticated identity is trusted via a trusted third-party certification authority, and to verify that the identity is currently valid.

Authorization

Subsequent to the authentication phase, the authenticated identity is passed to the authorization component for the 'Authenticated Connection' event check. The secured object for this event is the target ENC node. An access rule to allow (or deny) this operation can be specified for an individual computer, for a group of computer names selected by a pattern-matching expression, or via realm membership.

Any failure in the above sequence is audited by the security auditing subsystem, provided the appropriate category or messages are enabled. The auditing component can also be configured to record all successful operations.

Every ENC node, whether it is a server, router, or client agent, performs a registration with the nodes it connects to. A separate event is defined for each registration type, because only ENC Gateway Server nodes should be allowed to perform a Server registration, only ENC Gateway Routers should be allowed to perform a Router registration, and so on.

Depending on your infrastructure, you can create individual access control entries for each event and/or each secured object, or you can group events and computers together within a realm for coarser-grained access control.
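The following is an added example, not ENC's own code, that models the sequence described above in a single node: the IP address white-list check, then the authorization rules evaluated first for the 'Authenticated Connection' event and then for the peer's registration event. The rule shape (exact name, pattern, or `realm:` prefix), the realm layout, and all host names are assumptions; the TLS authentication phase is taken as already completed, with `identity` being the name taken from the validated peer certificate.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass, field

CONNECT = "Authenticated Connection"   # event name from the text above

@dataclass
class Rule:
    event: str      # which event the rule governs (e.g. "Server Registration")
    subject: str    # exact computer name, fnmatch pattern, or "realm:<realm name>"
    allow: bool     # True = allow, False = deny

@dataclass
class EncNode:
    name: str                      # the target node is the secured object here
    ip_allow_list: list            # CIDR strings for the physical-connection phase
    realms: dict                   # realm name -> set of computer names (assumed shape)
    rules: list                    # ordered; first matching rule wins, default deny
    audit: list = field(default_factory=list)

    def check_ip(self, peer_ip: str) -> bool:
        """Phase 1: the peer must appear in the IP address white-list."""
        addr = ipaddress.ip_address(peer_ip)
        ok = any(addr in ipaddress.ip_network(net) for net in self.ip_allow_list)
        if not ok:
            self.audit.append(f"FAIL ip-allow-list peer={peer_ip}")
        return ok

    def authorize(self, identity: str, event: str) -> bool:
        """Phase 3: evaluate the authenticated identity against the rules for one event."""
        for rule in self.rules:
            if rule.event != event:
                continue
            if rule.subject.startswith("realm:"):
                hit = identity in self.realms.get(rule.subject[len("realm:"):], set())
            else:
                hit = fnmatch.fnmatchcase(identity, rule.subject)
            if hit:
                verdict = "ALLOW" if rule.allow else "DENY"
                self.audit.append(f"{verdict} {event} id={identity} rule={rule.subject}")
                return rule.allow
        self.audit.append(f"DENY {event} id={identity} (no matching rule)")
        return False

    def connect(self, peer_ip: str, identity: str, registration: str) -> bool:
        """Full sequence; `identity` is assumed to come from the validated TLS peer cert."""
        return (self.check_ip(peer_ip)
                and self.authorize(identity, CONNECT)
                and self.authorize(identity, registration))
```

Because the check is default-deny, a node whose registration type has no matching rule is refused even though it passed the IP and connection checks, and the refusal appears in `audit`.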