Access management from a different perspective
It is the mission of this column to find the new and unusual as well as significant upgrades of the unusual. I focus on products that address aspects of information assurance that intuitively we all know need to be addressed, but that are not being addressed either well or at all. This month's First Look product takes a bit of a crazy hop.
When we think of access control, we think of ways to manage subjects and their behavior on the network. What can the user log into, for example?
We use NAC or some other mechanism that tells us where we can go and what we can do at login time. We need to take into account applications and processes that need legitimate access to the network. All of this is mediated at the network boundary. But what happens when we allow access to an object by a subject?
What mechanism do we use to decide what, exactly, the subject can do with that object and, perhaps more important, how closely do we monitor those actions? Rohati Systems' Transaction Networking System (TNS) takes care of these challenges for us, and it does that transparently to the subject. The TNS works in two separate modes depending on the individual subject's requirements.
The first available mode is the fine-grained mode that controls a subject's actions with regard to a particular object when executing a transaction using the HTTP, HTTPS, SSL or CIFS (Common Internet File System) protocol. The second mode applies identity-based controls over any TCP/IP-based protocol. In either case the core purpose of TNS is to answer three important questions: Who should access what? Who does have access to what? And, especially good for compliance and forensics, who actually did access what?
This product addresses the need to change access controls to an object quickly and easily. In this case, the term "access control" is comprehensive, meaning that it deals with authentication, identification and authorization. Once a subject is identified and authenticated, it may attempt to access any object for which it is authorized in whatever manner(s) it is authorized, and all interactions between that subject and object are logged in detail.
When I looked at a typical log entry, I experienced a sort of déjà vu. It looked a lot like some older, detailed firewall or IDS logs. It had a distinct syslog smell about it and I was impressed with the level of detail - useful detail - available in these log entries. Then it occurred to me: this is a classical firewall applied to individual applications, and I like the characterization of an application firewall for this product. It gives one a clear view of what the tool really is and what it really does: protect an individual asset from unauthorized access or misuse.
The system identifies the subject in two ways: through the normal login process and by extracting the information from the protocol when available. The subject logs into a sign-in portal that then maps the identity of the subject to its current IP address. The rule-making process is intuitive and follows the tried-and-true default-deny policy we are all used to in firewalls, routers, etc.
There is one interesting exception to this, however. There is a default-allow mode that allows the administrator to build a rule and then run a simulation without denying actual access to the object. This is very useful for trying out a set of rules on the user population.
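To make the preceding description concrete, here is a small added model of an identity-based transaction gateway. It is constructed for this column and is not Rohati's code or TNS's policy format; the subject names, object URIs, rule shape and log fields are assumptions. It shows the pieces the text describes: a sign-in portal binding an identity to its current IP, default-deny rules that answer "who should access what", an effective-permissions query for "who does have access to what", a detailed per-transaction audit log for "who actually did access what", and a simulation (default-allow) mode that records what a rule set would deny without blocking anything.

```python
"""Toy model of a transaction-level, identity-based access gateway.

Constructed illustration, not Rohati/TNS code. It models the concepts from the
text: a sign-in portal that maps a subject's identity to its current IP,
default-deny rules keyed on (subject, object, action), a "simulate" mode that
logs what a rule set would deny without enforcing it, and a detailed audit log
that answers "who actually did access what".
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    subject: str        # identity (user or group); "*" = any authenticated subject
    obj: str            # protected object, e.g. a CIFS share or an HTTPS application (assumed URI form)
    actions: frozenset  # permitted actions, e.g. {"read"} or {"read", "write"}


@dataclass
class Gateway:
    simulate: bool = False                                        # True = default-allow dry run
    rules: List[Rule] = field(default_factory=list)
    ip_to_subject: Dict[str, str] = field(default_factory=dict)   # portal session table
    audit: List[dict] = field(default_factory=list)

    # Identification: the sign-in portal binds an identity to its current IP.
    def sign_in(self, subject: str, ip: str) -> None:
        self.ip_to_subject[ip] = subject

    # "Who should access what?": evaluate rules; anything unmatched is denied.
    def permitted(self, subject: str, obj: str, action: str) -> bool:
        return any(r.subject in (subject, "*") and r.obj == obj and action in r.actions
                   for r in self.rules)

    # "Who does have access to what?": effective permissions for one subject.
    def effective_access(self, subject: str) -> Dict[str, Set[str]]:
        out: Dict[str, Set[str]] = {}
        for r in self.rules:
            if r.subject in (subject, "*"):
                out.setdefault(r.obj, set()).update(r.actions)
        return out

    # Enforcement point: one transaction arriving from a source IP.
    def transaction(self, src_ip: str, obj: str, action: str, proto: str) -> bool:
        subject = self.ip_to_subject.get(src_ip)           # None = never signed in
        decision = subject is not None and self.permitted(subject, obj, action)
        # In simulate mode nothing is blocked, but the verdict the rules *would*
        # give is still recorded so the administrator can review it.
        enforced = decision or self.simulate
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "src_ip": src_ip, "subject": subject or "<unauthenticated>",
            "proto": proto, "object": obj, "action": action,
            "policy": "allow" if decision else "deny",
            "result": "allowed" if enforced else "blocked",
            "mode": "simulate" if self.simulate else "enforce",
        })
        return enforced

    # "Who actually did access what?": query the audit trail for one object.
    def who_accessed(self, obj: str) -> List[Tuple[str, str, str]]:
        return [(e["subject"], e["action"], e["result"])
                for e in self.audit if e["object"] == obj and e["result"] == "allowed"]

    def would_be_denied(self) -> List[dict]:
        """Entries a simulation run let through that enforce mode would block."""
        return [e for e in self.audit if e["mode"] == "simulate" and e["policy"] == "deny"]


def demo(simulate: bool = False) -> Gateway:
    """Constructed scenario: two users, one CIFS share, one HTTPS application."""
    gw = Gateway(simulate=simulate)
    gw.rules = [
        Rule("alice", "cifs://files/finance", frozenset({"read", "write"})),
        Rule("bob",   "cifs://files/finance", frozenset({"read"})),
        Rule("*",     "https://portal.internal/", frozenset({"GET"})),
    ]
    gw.sign_in("alice", "10.0.0.11")
    gw.sign_in("bob", "10.0.0.12")
    gw.transaction("10.0.0.11", "cifs://files/finance", "write", "CIFS")     # matches alice's rule
    gw.transaction("10.0.0.12", "cifs://files/finance", "write", "CIFS")     # bob is read-only: deny
    gw.transaction("10.0.0.99", "https://portal.internal/", "GET", "HTTPS")  # no portal session: deny
    gw.transaction("10.0.0.12", "https://portal.internal/", "GET", "HTTPS")  # "*" rule: allow
    return gw


if __name__ == "__main__":
    # Run the same traffic through a simulation and show what enforce mode would have blocked.
    for entry in demo(simulate=True).would_be_denied():
        print(entry)
```

Running the scenario in simulate mode lets all four transactions through but flags two of them as policy denials, which is exactly the review an administrator wants before switching the rule set to enforce mode; the same audit entries, in enforce mode, become the forensic record of who touched which object.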
The TNS appliance is layer-2-based and sits in-line. It has the capability of working with other TNS appliances to achieve load balancing. To make rule-making and administration easier, the TNS applies the principle of policy domains. Overall, I like this concept. I liked the ease of setting the product up and managing it.
The appliance can be accessed through SSH, but only the customized Rohati commands are available, and there are no services turned on that are not TNS-specific. No daemons that are not needed for the TNS to operate are present either. This improves the security of the device itself. If you are managing access to and use of specific sensitive resources — and who isn't — give this product a very close look.