Strengths: By hiding the root but still allowing delegation of access, PowerBroker provides a level of access control lacking in basic Unix.
Weaknesses: Installation and setting policies require coding and are rather time consuming.
Verdict: PowerBroker is ideal for beefing up your Unix network's access without compromising security through access to the root.
If you think Unix houses have been ignored in this test, Symark's PowerBroker is just for you. Supporting multiple flavors of Linux and Unix - including IBM S390 Linux - PowerBroker ensures Unix administrative privileges can be safely managed and delegated.
One of the biggest problems with Unix is that it was never designed with security in mind. Over the years, a number of products have come to market to solve this problem, but few have addressed the problem of delegating/restricting access to individual resources. This has meant that anyone needing access has had to be granted the full administrative powers of the Unix root. And a network where everyone has that sort of authority is just ripe for hacking.
PowerBroker seeks to rectify this situation by allowing selective access without the need to give full root access. The root is hidden from the user, and from the hacker.
Symark has provided two methods of installation. For the old school, the familiar Unix command line is available. This isn't a particularly arduous task, but for those preferring something a little more user-friendly, there is a web-based GUI (although this does require some Unix coding before it can be accessed).
The configuration windows are fairly straightforward, and through them you set such attributes as logging destination and type of encryption, as well as Kerberos authentication. You can also specify details of any firewalls running. For example, if you have a firewall between the client and server, PowerBroker needs to know.
Creating the policy files requires a degree of coding in the C-like language provided with the program. Although this may be fiddly (Symark suggests cutting and pasting from the example files provided), it is extremely powerful. Access can be restricted or granted at all levels, and by using conditional statements you can cover all eventualities. This means specifying users, resources and permitted/restricted times of access. However, perhaps future releases could include some kind of code generator with a friendly GUI.
Although not as intuitive as other products in this test, one would expect administrators on Unix networks to be dab hands at Unix coding and, therefore, unfazed by the need to use the command line or having to script the policies. By targeting a known weakness in one type of OS, and not trying for a blanket multi-platform approach, Symark has delivered a perfect solution for any Unix shop.