Friday, November 11, 2005

Identity Engines Delivers Platform for Network Ide?

So finally the company is out with the product. I have been hearing about this company for some time now. Anyway, it seems these guys are catering to companies that want to control access to their network in a more secure fashion. Most of these companies need to perform the following functions:
  • Sequestering a machine hooked to the environment until it is validated (so it may not even be able to get an IP via DHCP).
  • The laptop would be checked for the latest version of the firewall and antivirus, with the latest updates.
  • The user would need to authenticate before getting access to the network.
  • (Not seen a lot, though) if the user tries to access an application, this access needs to be managed.
  • Auditing all these events, with additional information, for monitoring and analysis.
W.r.t. the third access requirement, I have seen that most companies already have something installed. For example, web applications would have the Web SSO products. But most of the client-server applications (which are not being fixed since they are not broken) are still outside the purview of the centralized solution. Now, looking at the solution, it seems to provide the following:
  • Sequestering of machines - this is a tough nut to crack, but I think combining it with user authentication at the switch level can achieve the same result.
  • User authentication - which is provided by most managed switches through support for 802.1x and RADIUS (I will be implementing something in the next few days for my company and will have more to write about it then).
  • Application access control - I am not clear what mechanism is implemented for mapping the identity to a machine after the machine has been authenticated. If it uses the IP address or MAC address, then theoretically the battle is lost, since these can be spoofed. So, I would really look forward to getting information on this.
  • Security compliance - I did not see feature support for making sure a machine is compliant before allowing it on the network.
Something else that is bothering me is the possible requirement of provisioning the switches for sequestering new machines. I am not sure how comfortable the network guys would be with a system managing their boxes "automatically". I know that a lot of firewalls and IPSes do perform such operations, but it may still be an interesting issue.
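To make the "sequester until validated" idea concrete, here is an added toy model (not code from the post or from Identity Engines) of the switch-side decision that combines the points above: a port starts in a quarantine VLAN, moves to the VLAN named by the RADIUS Access-Accept (the RFC 3580 Tunnel-* attributes used for dynamic VLAN assignment with 802.1x) only if the user authenticated AND the posture check passed, and every decision is audited. The RADIUS reply dicts, port names and the quarantine VLAN id 999 are constructed sample values, and Tunnel-Private-Group-ID is assumed to carry a numeric VLAN id.

```python
# Added example, not from the original post: a toy model of the switch-side
# decision that ties the post's requirements together. The RADIUS replies are
# constructed sample data; VLAN 999 is an assumed quarantine VLAN.
from dataclasses import dataclass, field

QUARANTINE_VLAN = 999          # assumed quarantine VLAN id

# RFC 3580 attribute values used for dynamic VLAN assignment over 802.1X
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = 6          # Tunnel-Medium-Type = IEEE-802

@dataclass
class PortState:
    port: str
    vlan: int = QUARANTINE_VLAN
    authorized: bool = False
    audit: list = field(default_factory=list)

def vlan_from_access_accept(reply: dict):
    """Return the VLAN id carried in an Access-Accept, or None if the reply is
    not an accept or the tunnel attributes are missing/malformed (treated as
    'no assignment', so the port stays quarantined)."""
    if reply.get("code") != "Access-Accept":
        return None
    if reply.get("Tunnel-Type") != TUNNEL_TYPE_VLAN:
        return None
    if reply.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_802:
        return None
    try:
        return int(reply.get("Tunnel-Private-Group-ID", ""))
    except ValueError:
        return None

def decide(port: PortState, user: str, reply: dict, posture_ok: bool) -> PortState:
    """Stay quarantined unless both user auth and posture check pass."""
    vlan = vlan_from_access_accept(reply)
    if vlan is not None and posture_ok:
        port.vlan, port.authorized = vlan, True
        outcome = "authorized vlan=%d" % vlan
    else:
        port.vlan, port.authorized = QUARANTINE_VLAN, False
        outcome = "quarantined (auth=%s posture=%s)" % (vlan is not None, posture_ok)
    # Audit every decision with the context a monitoring team would want.
    port.audit.append({"port": port.port, "user": user, "outcome": outcome})
    return port
```

The model deliberately keys the decision on the authenticated port and session, not on the IP or MAC address, which is the weakness the application-access point above raises.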
