By Andrew Garcia  |  Posted 2004-05-17 Print this article Print

With the Identity Series ID100, Trusted Networks Technologies offers an inspired approach to segmenting and protecting internal networks.

The ID100 provides a policy enforcement point that verifies user identity and the source machine for every session-level connection attempted to protected, high-value data resources. However, this innovative tech- nology can be difficult to deploy across the enterprise and requires improved health checks of known resources.

For each connection request to a resource protected by the ID100, the I-Host client culls user and machine identity information from the requesting machines operating system and hardware. The driver encrypts and signs this identity data in the packets without encapsulation.

The I-Gateway component uses this identity data to delegate access to protected resources according to user identity and source machine on a session-by-session basis. All connection attempts generated from unknown or unapproved user/host combinations are stealthily dropped.

We tested the ID100 with Version 1.6 of the Network Identity Enforcement software, which shipped last month. The ID100 sells for $40,000 for an unlimited number of users.

While the ID100 is the first identity-based firewall weve seen, wed like to see Trusted Networks increase the ID100s defenses against malicious attacks from known entities. The ID100 does not filter attacks at the application layer, nor does it quarantine and scan hosts for updated anti-virus and desktop firewall policies before granting network access, as does InfoExpress Inc.s CyberGatekeeper LAN.

Trusted Networks is working with third-party companies to add health integrity checks in a forthcoming release, company officials said.

In case of an outage, the I-Gateway will automatically deny all access between segments and disrupt traffic to protected resources, making redundancy crucial. The unit we tested had dual power supplies, and multiple devices can be clustered in active/passive configuration for high availability.

We tested the I-Host driver on Windows 2000 and XP test clients. (Drivers are also provided for Red Hat Inc.s Red Hat Linux Versions 7.3, 8 and 9, which we did not test for this review.) We found the I-Host easy to install, but it definitely requires administrative rights on the client. Wed like to see the ID100 offer a centralized installation tool that lets administrators push drivers to targeted machines, instead of asking users to perform the installation.

The Web-based administration and reporting tools were impressive. I-Manager provided a simple drag-and-drop canvas that allowed us to define protected resources easily, then define accepted network protocols and the appropriate users and client machine combinations for each resource.

I-Manager allowed us to import user and group information from Active Directory, easing the process of creating targeted policies.

I-Managers reporting tools are outstanding, offering high-level and in-depth reports via a Java-based Web page. We could generate equally handy usage reports according to network application, host server, or user or client workstation. This versatility let us log every connection to critical resources—a useful feature, given the plethora of regulations with which companies must comply.

Technical Analyst Andrew Garcia can be reached at andrew_garcia@ziffdavis.com.

Check out eWEEK.coms Security Center at http://security.eweek.com for security news, views and analysis.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page:  

Andrew cut his teeth as a systems administrator at the University of California, learning the ins and outs of server migration, Windows desktop management, Unix and Novell administration. After a tour of duty as a team leader for PC Magazine's Labs, Andrew turned to system integration - providing network, server, and desktop consulting services for small businesses throughout the Bay Area. With eWEEK Labs since 2003, Andrew concentrates on wireless networking technologies while moonlighting with Microsoft Windows, mobile devices and management, and unified communications. He produces product reviews, technology analysis and opinion pieces for eWEEK.com, eWEEK magazine, and the Labs' Release Notes blog. Follow Andrew on Twitter at andrewrgarcia, or reach him by email at agarcia@eweek.com.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel