Rollout: Applied Identity's Identiforce

Monitoring network access is not enough to satisfy a slew of regulatory, legislative and self-imposed compliance demands. CIOs are pressuring IT to implement technological solutions that control and audit specific end users' access to certain data. Applied Identity's Identiforce appliance uses an organization's LDAP-based directory to grant that access.

Applied Identity stepped into the emerging IBAC (identity-based access control) market in early 2006, with the release of its Identiforce appliance and PolicyCAD policy management software. Unlike NAC (network access control) products, which sit directly in front of user workstations, Identiforce sits in front of servers and controls access based on the identity of the user who initiates the network traffic. Essentially, it acts as an identity-aware firewall.

Identiforce focuses on identifying users and applying that identity to network traffic. It kicks in after a NAC device has allowed a user onto the network. Therefore, a separate NAC device is still necessary to manage the endpoint compliance and health checks, as well as initial authentication and authorization.Although some vendors have begun adding IBAC features to NAC solutions, Identiforce sole focus is IBAC. It does not handle compliance checks on the host; it instead forces identity correlation to network traffic, then controls the traffic based on that profile. Competing devices from vendors such as Caymas and ConSentry are NAC products with a few IBAC features, and Trusted Network Technologies offers an IBAC product whose software agents reside on a server. Applied Identity's approach yields a more robust, consistent identity-based solution that pulls information from multiple directory services.

QUICK DEPLOYMENT

For our tests, we used Windows Server 2003, an Active Directory based on a fictitious financial firm, Windows XP Professional workstations and an Identiforce IDF-5000, one of two appliances available. Deploying the IDF-5000 took less than an hour, including the initial connections, basic configuration through the IOS-like interface, AD schema changes and rudimentary policy creation.

Identiforce uses three methods to identify users: integration with the Microsoft login GINA (graphical identification and authentication), a standalone authentication client and a Web login portal. The first two provide the highest security by cryptographically signing each network packet to be verified by the Identiforce appliance.

NETWORK ACCESS CONTROL
Immersion Center

NEWS | REVIEWS | BLOGS | FORUMS TUTORIALS | STRATEGY | MORE

Applied Identity uses existing LDAP 3.0 directory services for policy creation with PolicyCAD. PolicyCAD Directory support includes Fedora Directory Server; Microsoft Active Directory 2000, 2003 and ADAM; Novell eDirectory; OpenLDAP; Oracle Internet Directory; and SunONE.Policy creation is straightforward, and the interface resembles that of Check Point Software Technologies' firewall rules. In defining policies, you can map users and/or groups to any IP address or range, or to a service. Although the appliance is agnostic of actual service protocols--such as HTTP, SMTP and SMB,--the policy definitions still use the protocol, by convention, to refer to the port. For example, the HTTP service is a definition for TCP Port 80, so traffic matching this definition doesn't have to be HTTP but it must be destined for TCP Port 80.

From an auditing standpoint, it would be nice to have more info about the traffic other than source IP/port, destination IP/port and session info. Products like ConSentry's LANShield have this feature, in which traffic is captured and decoded as it passes through the appliance. Unfortunately, capturing, parsing and logging traffic creates huge overhead, and performance suffers significantly. To address this problem, Applied Identity plans to add client-side integrity checks in the first half of this year.

Logging is accomplished through standard syslog, as Identiforce has no built-in reporting interfaces. Log output is a modified WELF (Webtrends Enhanced Log Format) compatible with most security information management systems. Configuration is through the command line, accessible through SSH or a serial connection.

Identiforce does an excellent job ensuring that properly authenticated and authorized users can access the correct resources. It integrates seamlessly with directory services to make access to network resources easy to configure per user or group. It even works well with remote users who connect through a VPN. Identiforce is a solid product for auditing and limiting network access for compliance. Just be aware that you'll need a separate product for NAC and endpoint compliance.

John H. Sawyer is a senior it security engineer at the University Of Florida and a GIAC certified firewall analyst, incident handler and forensic analyst. Write to him at [email protected].0