Accessing Control

Axent Webthority guards sites from unwanted visitors.

Axent Technologies Inc.s Webthority 3.0 is a new, simple-to-deploy access-control application that uses the companys experience in security to provide good control over who can view Web-based content.

In tests, eWeek Labs found Webthority 3.0 to be a straightforward tool for variegated access to content on Web sites, extranets and intranets.

Released in October, Webthority 3.0 (a new product despite the version number) runs on Windows NT and Solaris and requires Sun-Netscape Alliances iPlanet Web Server. By running as a proxy, Webthority can be used to manage access to content on any platform running on any server. Axents prices are based on concurrent user sessions and start at $25,000.

Rival access-control packages such as Netegrity Inc.s SiteMinder and Securant Technologies Inc.s ClearTrust SecureControl require tighter integration with the servers they manage. That integration is a plus, however, when it comes to creating personalized pages.

In tests, we found it fairly simple to set up Webthority and the iPlanet Web Server that comes with it. However, the product uses different authorization agents for each type of access control, and we had to rerun the setup file to install more than one.

Options add complexity

We performed all management of Webthority through a Java applet accessed through a browser. This method provided good centralized management for access control, but the process became highly complex once we started building in access-control options. Also, Webthoritys interface is nonintuitive, and we found ourselves referring to the manual too often just to figure out simple tasks.

The first step after setting up Webthority was to create a Satellite server to handle authentication. Axent has built in a handy option that lets managers clone a Satellite server and have all changes automatically reflected in all clones—a useful capability for managing the load and spreading servers across an enterprise.

Each server consists of a proxy server, a session manager, authentication agents and a logging server. The proxy server is the key because it is the point of entry for users accessing content.

Setting up the proxy was as simple as defining all the different servers and content directories for which it would provide access control (see screen, Page 91). Users trying to view content access the Webthority proxy server, which routes content to users based on the directory alias used. This method bolsters security because it grants users access only to the proxy server, shielding the content servers against hacks.

Webthority supports a wide variety of mechanisms to authenticate users, including standard user name and password, Lightweight Directory Access Protocol, Windows NT domains, certificates, and RSA Security Inc.s SecurID. The product can also use Axents own Defender and PassGo authentication systems.

User access to content is controlled by creating standard rights defined as Web Roles in Webthority. Once we had created a role, we simply chose which authentication mechanism to use and what content users of that role could access.

Unlike other access-control mechanisms, Webthority has limited personalization capabilities. Most of the personalization in the product is based on options provided through the authentication system.