In this regard, Trusted Network Technologies (TNT) offers a unique solution that is specifically aimed at internal network identity and access control management across enterprise networked assets.
With the TNT solution, internal user access to critical internal applications can be controlled from a central point with full reporting capabilities built-in. With growing regulatory concerns, the ability to identify, control access and track the network comings and goings of internal users is high on the list of must-haves for business managers.
The ID100 is an appliance-based solution that claims to be the first of a new category of network layer-based identity management. The ID100 uses the concepts of transparent, two-factor identification username/machine ID; cryptography and steganography for hiding identity information within packets; and policy enforcement at the session request level to enforce access policies before connection is even accepted.
The components of the system are the I-Gateway policy enforcement engine; the I-Host, which is the driver software that resides on end user systems; and the I-Manager, which is the management application that provides maintenance and monitoring of the appliance performance and operation.
A computer with the I-Host installed initiates a session and gathers username and machine information that identifies the user and the system.
This "identity" information is encrypted and digitally signed, then inserted into the session request by the I-Host. Keep in mind that one of the goals of the system is to ensure the authenticity of the user and system as opposed to confidentiality of the data payload.
This creates a unique "identity," a sort of user/machine fingerprint which is inserted into each network packet during a session. The I-Manager policy configuration engine uses a unique, object-oriented, drag-and-drop interface to link users, systems, and applications to create and manage large numbers of access policies. An administrator can create user groups and manage policy by individual user or by groups of users.
Active Directory user databases can be imported into I-Manager. This means shorter initial implementation and easier, more centralized management than would be realized by the traditional method of re-keying user data from disparate user databases into yet another network security device.
The I-Manager implements a quite flexible policy framework. Policies can be created for both I-Host enabled and non-I-Host enabled computers to access protected systems.
Additionally, internal protected systems policy can be created to allow or deny outbound connection attempts, a potentially useful feature to control malicious activity such as worms and hijacked systems acting as relays.
A core feature of the ID100 is system cloaking, or hiding, by controlling the packet-level response to connection requests. The TNT policy enforcement decision point is during the three-way TCP session handshake.
At TCP session request time, authentication and access policy enforcement can be configured to either allow the user to access the network asset via specified protocol or the session request will be silently dropped and logged by the ID100. Thus, a non-authorized user will not even get a response from the target server during the initial session request attempt, effectively "hiding" the very presence of the protected servers.If an attacker attempts to do network discovery, the attacker will get no responses from the protected servers.
The ID100 appliance itself operates as a network bridge and requires no IP address for the internal/external NICs, making it nearly invisible to discovery and a minimally intrusive physical network installation. The only IP address needed is for the dedicated 10/100Mb management interface.
In our lab testing, we used a crossover cable for management interface functionality testing. In practice, an out of band management network could be connected via a hub or crossover cable.
The ID100 comes packaged as a standard 2U rack-mountable hardware unit with pre-installed management and gateway software, front-mounting brackets and pre-drilled holes for a rack slide (provided by the customer).
On the back of the machine is a total of one dedicated management network interface and two additional 10/100Mb interfaces which can be designated for internal and external networks. Another model, the ID1000, supports Gigabit Ethernet interfaces.
After unpacking and installing the ID100 in a rack, the initial installation phase consists of configuration and setup and is accomplished via an LCD front panel. The second phase, configuration and policy creation is done via a SSL web browser-based interface using the I-Manager.
The documentation provided did not help much in setting up the product because it was not very logical to follow. In addition, the I-Manager interface could do with a back button on the web page.
While the concept of the so-called "identity-based firewall" is new, as is the Identity product family line, authentication and access control are relatively old problems facing new, especially regulatory, scrutiny. This product should only be used as part of an overall security infrastructure.
