The number of users of mobile communication devices is constantly increasing. Communication is further becoming more and more global, which means that two communicating devices often belong to different communication networks or security domains. Still further, many users have a plurality of mobile communication devices, and high mobility requires secure identification of the traffic originator, especially when traffic passes between different communication networks or security domains.
One example of how to implement network access security is to define security policies based on source and destination Internet Protocol, IP, address. This may be done by an access-control list, ACL, applied on a network interface. However, such an approach requires knowledge of the particular IP address assigned to a particular device at a certain moment in time, which is especially difficult if primary network access for that device is provided by another authority domain.
Applying various VPN techniques (with or without encryption), where some kind of tunnel is created and the device is assigned a pre-defined IP address, would solve this problem with the help of an overlay authentication mechanism.
Another possible solution is to create a domain where all traffic inside the domain is marked with a special security group tag, SGT, on the Media Access Control, MAC, layer. Each SGT is related to a certain role/identity, so network administrators may build their policies using traffic identification based on the SGT rather than on some abstract IP address.
One of the most challenging problems in managing large networks is the complexity of security administration. Remote access to cloud content creates a big burden for firewall administrators, since IP addresses cannot be aggregated and all addresses must be mapped manually, often with policy-based rules, towards the content.
VPN tunnelling always comes with the extra cost of transport overhead and increased complexity, which is not needed when only simple identification of the origin is required and neither confidentiality nor integrity protection is needed.
In existing solutions where such a domain is created, proprietary support for the solution is required on all network nodes, and it is not possible to implement it across several authority domains or autonomous systems.
Further, the dynamic nature of IP address assignment to mobile devices renders the existing practice of building security policies on IP address association rigid and ineffective, and adds the heavy burden of frequent administrative activity.
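The contrast drawn above between address-keyed ACLs and role-keyed tagging can be made concrete with a small simulation. The following Python is an added illustration, not part of the original text and not any vendor's implementation: it evaluates one flow against a first-match interface ACL keyed on source/destination prefixes and against a policy keyed on a security group tag, before and after the originating device is re-assigned an address by another domain. All IP addresses, prefixes, tags and role names are constructed sample values.

```python
# Added illustration, not part of the original text: an address-keyed ACL and a
# tag-keyed policy evaluated against the same flows before and after a mobile
# device is re-assigned an IP address. All addresses, tags and roles below are
# constructed sample values.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    # Security group tag carried with the traffic (None for untagged traffic).
    src_tag: Optional[str] = None


@dataclass(frozen=True)
class IpRule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str  # "permit" or "deny"


def ip_acl_decide(rules: List[IpRule], flow: Flow, default: str = "deny") -> str:
    """First-match ACL keyed on source/destination address, as on a network interface."""
    src = ipaddress.ip_address(flow.src_ip)
    dst = ipaddress.ip_address(flow.dst_ip)
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return rule.action
    return default


def tag_policy_decide(policy: Dict[str, str], flow: Flow, default: str = "deny") -> str:
    """Policy keyed on the role/identity tag of the originator, not on its address."""
    if flow.src_tag is None:
        return default  # untagged traffic gets no trust from the tag policy
    return policy.get(flow.src_tag, default)


# Constructed cloud-content prefix that the administrator wants to protect.
CLOUD_CONTENT = ipaddress.ip_network("203.0.113.0/24")


def scenario() -> Dict[str, str]:
    """Compare both approaches when an employee device changes its address."""
    # Narrow ACL: the administrator knows the device currently holds 198.51.100.10.
    narrow_acl = [IpRule(ipaddress.ip_network("198.51.100.10/32"), CLOUD_CONTENT, "permit")]
    # Broad ACL: to survive re-addressing, the whole access prefix is permitted instead.
    broad_acl = [IpRule(ipaddress.ip_network("198.51.100.0/24"), CLOUD_CONTENT, "permit")]
    # Tag policy: decisions depend on the role attached to the traffic.
    tag_policy = {"employee": "permit", "guest": "deny"}

    employee_before = Flow("198.51.100.10", "203.0.113.5", src_tag="employee")
    # Same device after roaming; another domain assigned it a different address.
    employee_after = Flow("198.51.100.77", "203.0.113.5", src_tag="employee")
    # A guest device that happens to sit in the same access prefix.
    guest = Flow("198.51.100.50", "203.0.113.5", src_tag="guest")

    return {
        "narrow_acl_before": ip_acl_decide(narrow_acl, employee_before),
        "narrow_acl_after": ip_acl_decide(narrow_acl, employee_after),  # legitimate device cut off
        "broad_acl_after": ip_acl_decide(broad_acl, employee_after),
        "broad_acl_guest": ip_acl_decide(broad_acl, guest),  # guest is let through
        "tag_before": tag_policy_decide(tag_policy, employee_before),
        "tag_after": tag_policy_decide(tag_policy, employee_after),
        "tag_guest": tag_policy_decide(tag_policy, guest),
    }


if __name__ == "__main__":
    for name, decision in scenario().items():
        print(f"{name:20s} {decision}")
```

Running the script shows the two failure modes of address-based policy in one table: the narrow rule cuts off the legitimate device as soon as its address changes, while the broad rule written to survive re-addressing also admits the guest sharing the prefix. The tag-keyed policy gives the same answer before and after the move and still denies the guest, because the decision follows the role carried with the traffic rather than the address. Untagged traffic falls to the default deny, which is the behaviour a tag-based domain must enforce at its border.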