

ENC Virtual Connections

Now that all physical ENC infrastructure nodes are operating normally, we consider the operating behavior of the ENC virtual network. In the default state, no connections or name lookups are allowed through the network unless explicit access control entries allow them. Even computers that are joined together within a realm mapping have no automatic right to see or connect to each other.

When an ENC agent node wishes to communicate with another ENC agent node, the first operation is usually a name lookup event. In most cases there will be only one registered machine with the given name, and it will usually be in the same realm as the requesting machine, so it is covered by a blanket access control rule that allows all ENC nodes within a given realm to contact and look up the other members of that realm. In rarer circumstances there may be two or more machines with the same fully qualified name. In this event, the name lookup is disambiguated by dereferencing only those computers that are within the realm(s) of which the requesting object is also a member. This is designed to ensure that data leakage across realms cannot happen unless it is explicitly allowed by an access rule.

If the authorization component allows the name lookup request, the IP address of the virtual ENC host is returned to the ENC Client agent. The ENC Client then issues an Agent Connect request to the ENC Gateway Server/Manager. Again, the ENC Gateway Manager looks up the secured identity associated with the address of this request and calls the authorization system for permission for the operation to occur.

If permission is granted for the connection, both agents (the peers of the virtual communications circuit) connect to ENC Gateway Routers to finalize the connection. Again, this connection is authenticated, and authorization to access the router is required.
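The following is an added illustration of the default-deny, realm-scoped policy described above; it is a constructed model, not ENC's own code or API. It assumes a simple registry of virtual hosts, a blanket intra-realm rule per realm, and explicit cross-realm allow entries, and shows how a name registered in two realms resolves only to the copy the requester is entitled to see, and how the Agent Connect step is authorized again rather than inheriting the lookup decision.

```python
from dataclasses import dataclass, field

# Constructed model (assumption): not the product's registry or authorization API.

@dataclass(frozen=True)
class Host:
    name: str   # fully qualified name, not necessarily unique across realms
    realm: str
    vip: str    # virtual ENC address returned only on a permitted lookup

@dataclass
class Policy:
    # Realms with a blanket rule: members may look up / connect to each other.
    intra_realm: set = field(default_factory=set)
    # Explicit cross-realm entries as (source_realm, target_realm) pairs.
    cross_realm: set = field(default_factory=set)

    def permits(self, src_realms, dst_realm) -> bool:
        # Default deny: access exists only where an explicit entry grants it.
        if dst_realm in self.intra_realm and dst_realm in src_realms:
            return True
        return any((s, dst_realm) in self.cross_realm for s in src_realms)

class Registry:
    def __init__(self, hosts, policy):
        self.hosts = list(hosts)
        self.policy = policy

    def lookup(self, fqdn, requester_realms):
        """Return the VIPs the requester may dereference for fqdn.
        Same-name candidates are filtered by policy, so a duplicate name in a
        realm the requester cannot reach is simply invisible to it."""
        return [h.vip for h in self.hosts
                if h.name == fqdn and self.policy.permits(requester_realms, h.realm)]

    def agent_connect(self, requester_realms, vip) -> bool:
        """Second authorization step: the connect request is checked on its own."""
        target = next((h for h in self.hosts if h.vip == vip), None)
        return target is not None and self.policy.permits(requester_realms, target.realm)

# Constructed sample data: "db01.example" is registered in two realms.
REGISTRY = Registry(
    hosts=[Host("db01.example", "finance", "10.77.0.10"),
           Host("db01.example", "lab", "10.77.0.20"),
           Host("web01.example", "lab", "10.77.0.30")],
    policy=Policy(intra_realm={"finance", "lab"}, cross_realm={("ops", "lab")}),
)
```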