In intrusion prevention systems, reliable user identification is critical to enforcing an organization's security policy. User-based policies are needed to control and monitor network access in an intranet/internet setting. Intrusion prevention systems, such as IBM's Security Network Protection, use internet protocol (IP) addresses in the network flow to bind a particular flow to a particular user identity, to which the corresponding security policy is then applied. To authenticate, a user logs in through an SSL-encrypted login page, after which traffic from that user's IP and MAC addresses is allowed to pass through the device. In other words, most common authenticator devices rely solely on network identifiers (IP and MAC addresses) to bind a user identity.
However, existing authentication techniques are not secure enough. An authenticated user's IP and MAC addresses can be discovered with readily available packet-sniffing programs. A non-authenticated user who discovers those addresses can bypass existing authenticators by fabricating (spoofing) the authenticated IP and MAC addresses on the non-authenticated machine. User identification can thus be forged by anyone able to obtain a user's network identity. A particular problem with intrusions of this type is the destruction of valid audit trails in the event of a breach: when network policies are violated, employees of the breached systems can claim that their IP address was fabricated. In other words, security personnel are unable to persistently bind a user identity to IP and MAC addresses.
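As an added illustration, not taken from the text above or from any IBM product, the following Python sketch shows the kind of consistency check an authenticator could run over its IP/MAC binding table: it flags a bound IP observed from a MAC other than the bound one, and, as an added heuristic the text does not mention, a bound IP/MAC pair whose packets arrive with more than one IP TTL value, which suggests two distinct hosts sharing the same address pair. The binding table, the flow observations and the TTL heuristic are constructed assumptions.

```python
from collections import defaultdict

# Authenticator binding table, user -> (ip, mac), as the text describes.
# Constructed sample values, not real addresses.
BINDINGS = {
    "alice": ("10.0.0.5", "aa:bb:cc:00:00:01"),
    "bob": ("10.0.0.6", "aa:bb:cc:00:00:02"),
}

# Constructed flow observations: (seconds, src_ip, src_mac, ip_ttl).
OBSERVATIONS = [
    (0, "10.0.0.5", "aa:bb:cc:00:00:01", 64),
    (1, "10.0.0.6", "aa:bb:cc:00:00:02", 64),
    (2, "10.0.0.5", "aa:bb:cc:00:00:99", 64),   # bound IP, different MAC
    (3, "10.0.0.6", "aa:bb:cc:00:00:02", 128),  # same IP/MAC, different TTL
]


def audit_bindings(bindings, observations):
    """Return (time, user, kind, detail) alerts for observations that
    contradict the authenticator's IP/MAC bindings.

    Check 1: a bound IP seen from a MAC other than the bound one.
    Check 2 (assumed heuristic): a bound (IP, MAC) pair seen with more
    than one IP TTL, evidence that two hosts use the same address pair.
    The alert detail gives security personnel evidence beyond the
    address itself, which is the audit-trail gap the text describes.
    """
    ip_to_user = {ip: (user, mac) for user, (ip, mac) in bindings.items()}
    ttls_seen = defaultdict(set)
    alerts = []
    for ts, ip, mac, ttl in observations:
        if ip not in ip_to_user:
            continue  # not an authenticated address; policy handles it elsewhere
        user, bound_mac = ip_to_user[ip]
        if mac != bound_mac:
            alerts.append((ts, user, "mac_mismatch",
                           f"{ip} seen from {mac}, bound to {bound_mac}"))
            continue
        ttls_seen[(ip, mac)].add(ttl)
        if len(ttls_seen[(ip, mac)]) > 1:
            alerts.append((ts, user, "ttl_conflict",
                           f"{ip}/{mac} seen with TTLs {sorted(ttls_seen[(ip, mac)])}"))
    return alerts


if __name__ == "__main__":
    for alert in audit_bindings(BINDINGS, OBSERVATIONS):
        print(alert)
```

Neither check proves which person sat at the keyboard; they only surface the binding conflicts that address-based identification alone cannot resolve.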