Call a Specialist Today! 844-294-0778

User-ID™
Tie users and groups to your security policies

As enterprises continue to use Internet- and web-centric applications to aid expansion and increase efficiencies, visibility into what users are doing on the network becomes increasingly important. Dynamic IP addressing across both wired and wireless networks, and remote access by employees and non-employees alike have made the use of IP addresses an ineffective mechanism for monitoring and controlling user activity. Unfortunately, today’s port-based firewalls rely heavily on IP addresses as a means of identifying and controlling user activity.

User-ID

User-ID is a standard feature of our enterprise security platform that seamlessly integrates with a range of enterprise directories and terminal services, enabling you to gain visibility into usage patterns regardless of device type, determine security policies, generate reports and perform forensics based on users and groups—not just IP addresses. When used in conjunction with App-IDTM and Content-IDTM, your security infrastructure is based on three pillars of your business—the application, the user and the associated content thereby strengthening your overall security posture.

Compounding the visibility problem in an increasingly mobile enterprise, where employees access the network from virtually anywhere around the world, internal wireless networks re-assign IP addresses as users move from zone to zone, and network users are not always company employees. The result is that the IP address is now an inadequate mechanism for monitoring and controlling user activity.

The user identity, when tied to the application activity, provides you with more complete visibility into usage patterns, greater policy control, and more granular logging, reporting and forensics capabilities.

user identity diagram

How User-ID works

Integrating User Information into Your Security Infrastructure

The user identity, as opposed to an IP address, is an integral component of your security infrastructure. Knowing which who is using each of the applications on your network; who may have transmitted a threat, or is transferring files can strengthen security policies and reduce incident response times. User-ID enables you to leverage user information stored in a wide range of repositories for the following uses:

How User-ID Works

User-ID integrates our next-generation firewall functionality with a wide range of user repositories and terminal services environments. Depending on your network requirements, multiple techniques can be configured to map the user identity to an IP address. User mapping techniques include authentication events, user authentication, terminal services monitoring, client probing, directory services integration and a powerful XML API. Once the applications and users are identified, full visibility and control within Application Command Center (ACC), policy editing, logging and reporting is available.

Authentication Events

User-ID can be configured to monitor authentication events for Microsoft Active Directory, Microsoft Exchange and Novell eDirectory environments. Monitoring of the authentication events on a network allows User-ID to associate a user with the IP address of the device the user logs in from to enforce policy on the firewall.

User Authentication

This technique allows you to configure a challenge-response authentication sequence to collect user and IP address information.

Client and Host Probing Captures Windows User Information

This technique allows you to configure User-ID to monitor Windows clients or hosts to collect the identity and map it to the IP address. In environments were the user identity is obfuscated by Citrix XenApp or Microsoft terminal Services, the User-ID Terminal Services Agent can be deployed to determine which applications users are accessing.

Terminal Services Integration.

In environments where a user's identity is hidden by Citrix XenApp or Microsoft Terminal Services, our User-ID Terminal Services Agent can determine which applications users are accessing. We can also identify users sharing IP addresses working on Microsoft Windows Terminal Services or Citrix. Completely transparent to the user, every user session is assigned a specific port range on your server. This allows your firewall to associate network connections with users and groups sharing one host on your network. For custom or non-standard terminal services environments, the XML API can be used to collect the user identity.

Directory integration

To allow customers to specify security policies based on user groups and resolve the group members automatically, User-ID integrates with nearly every directory server using a standards based protocol and a flexible configuration. Once configured, the firewall automatically retrieves user and user group information and keeps the information updated to automatically adjust to changes in the user base or within your organization.

Syslog Listener and the XML API integrates with non-standard repositories.

In some cases, you may already have a user repository or an application for storing information on users and their current IP address. If so, the firewall can now listen for syslog messages from those services so that the User-ID agent (either the Windows agent or the agentless user mapping feature on the firewall) can extract the authentication events from the logs. Syslog filters that you define allow User-ID to parse the messages and extract the IP addresses and usernames of users who successfully authenticated to the external service and add the information to the IP address to username mappings it maintains. Currently the syslog listener natively supports BlueCoat Proxy, Citrix Access Gateway, Aerohive AP, Cisco ASA, Juniper SA Net Connect, and the Juniper Infranet Controller. 

Visibility into a User's Application Activity

The power of User-ID becomes evident when a strange or unfamiliar application is found on your network by App-ID. Using either ACC or the log viewer, your security team can discern what the application is, who the user is, the bandwidth and session consumption, along with the source and destination of the application traffic as well as any associated threats.

Visibility into the application activity at a user level, not just an IP address level, allows you to more effectively enable the applications traversing the network. You can align application usage with the business unit requirements and if appropriate, can chose to inform the user that they are in violation of corporate policy, or take a more direct approach of blocking the user's application usage outright.

User-based Policy Control

User-based policy controls can be assembled based on the application, which category and subcategory it belongs in, its underlying technology or what the application characteristics are. Policies can be used to safely enable applications based on users or groups, in either an outbound or an inbound direction. Examples of user-based policies might include:

User-based Analysis, Reporting and Forensics

Informative reports on user activities can be generated using any one of the pre-defined reports or by creating a custom report. Custom reports can be quickly created from scratch or by modifying a pre-defined report. Any of the reports—predefined or custom—can be exported to either CSV or PDF, or emailed on a scheduled basis to an interested manager or an HR group.

Download the Palo Alto Networks User-ID Datasheet (PDF).