Novell, Oblix Boost Access Control

When a business is considering an access control system, Novell and Oblix are probably not the first two names that come to mind. But given the fact that Web access control relies heavily on directories, both vendors have been able to leverage their extensive backgrounds in directory technology to provide powerful, comprehensive access control platforms.

iChain 2.0's approach to access control—with a strong focus on authentication and access restrictions—clearly illustrates Novell Inc.'s experience in both networking and directories, with its groundbreaking NDS. Oblix Inc.'s background in massive metadirectories is obvious in both the highly detailed approach to access control that Oblix NetPoint 5.1 takes and in the product's massive feature set and equally massive complexity.

In eWeek Labs' tests, both products proved very capable of providing high levels of control and strong authentication for Web applications and resources. Oblix NetPoint proved to be one of the most complete access control applications we've tested, providing nearly endless options, including good single-sign-on capabilities. We also liked its broad support for Lightweight Directory Access Protocol directory servers and for Web servers. However, it's also easily the most complex access control product we've seen, which is saying something for a category that is never user-friendly.

iChain lacks the breadth of features of Oblix NetPoint, but it is also much less complex. iChain, which requires NDS as its directory, provides some good authentication options and has a nice proxy feature for quick-and-dirty access control to entire sites.

Novell's iChain is priced at $10 per seat. Oblix NetPoint has a tiered pricing model that averages $15 per user with a minimum of 1,000 users. Both products shipped in October.

Oblix NetPoint can be installed on Windows NT Server, Windows 2000 Server and Solaris. NetPoint actually consists of five modules, which adds greatly to the complexity of the product, especially when compared with competing products such as Netegrity Inc.'s SiteMinder.

To be fair, each of the modules had a good browser interface, and all were fairly intuitive. Once administrators have used the system for a while and figured out where to do what, the complexity level should decrease quite a bit. In addition, the workflow module, where most of the work is done, is one of the better tools we've seen for managing access rights and privileges.

Strong Sense of Identity

Oblix NetPoint's identity infrastructure is one of its strongest features. Although most access control products simply rely on the directory server to handle user information, Oblix NetPoint adds another layer that greatly improves its capability to create and manage flexible user policies and rights. Oblix NetPoint is also heavily based on XML, which adds to its customization and makes it well-suited for protecting access to Web services.

For example, Oblix NetPoint's internal architecture makes very heavy use of XML, including support for Security Assertion Markup Language, which is moving toward becoming a standard for securing Web services. In addition, the developer APIs for Oblix NetPoint make good use of XML and related standards such as Simple Object Access Protocol.

iChain takes a much simpler but still effective approach to access control. The product consists of two modules: the proxy server and the authentication module. Installing the proxy server meant booting to a CD, which converted a standard Intel Corp. system into a Web appliance. The authentication module is installed on a system running Novell eDirectory, which in our tests was a NetWare 6.0 system.

The proxy approach of iChain makes it possible to provide basic access control and single sign-on for an entire site fairly quickly. Using the somewhat inappropriately named Web Server Accelerator (it doesn't make it faster), we could quickly define a Web address to which we wanted to restrict access.

Traditionally, proxy-based systems have made the trade-off of allowing simple access control while not providing the detailed application-level controls found in access control products that touch the Web server (see related story, Page 56). Although iChain can be a little more fine-grained about access control than most proxies, it can't, for example, display dynamically generated pages differently based on authentication. Novell's iChain does introduce an interesting feature for Web-based forms. Using XML, iChain can fill in form information for users who have previously logged in via iChain and filled out a form. It does this by storing the information in the iChain directory.

Management of iChain is done through a browser interface into the proxy server and through the Novell ConsoleOne management tool, although most tasks can be done in ConsoleOne. iChain also includes Java servlets that make it possible for users to self-register and modify their accounts.

East Coast Technical Director Jim Rapoza can be contacted at [email protected]