Volume 6, Number 49 -- December 12, 2006

TNT Finds the 'NAC' for System i Protection

Published: December 12, 2006

by Alex Woodie

When the Henry County Department of Education near Atlanta, Georgia, needed a way to safeguard data and applications residing on its iSeries server, the group looked at some of the new network access control (NAC) solutions on the market. However, instead of shelling out more than $2 million for a NAC solution from one of the major vendors of network gear, Henry County found Trusted Network Technologies' new Identity 3.0 appliance up to the task--and at a fraction of the cost of the big guys' offering.

"We evaluated a typical NAC deployment versus TNT's Identity solution, and TNT won on every key consideration: technology, price, and ease of deployment," says Matt Bowen, network administrator for Henry County Department of Education, which uses an iSeries Model 810 to house personnel records, payroll data, fund accounting data, and grades for more than 38,000 students and 5,000 staff members at 40 K-12 schools. "TNT offered the same security, plus in-depth auditing and controls, for well less than 10 percent of the price, ensuring the integrity of our personnel and academic data at a justifiable cost."

If you've never heard "NAC" or "TNT" mentioned in the same breath as "i5/OS security," you're not alone. There is nothing inherent in NAC technology--nor TNT's development process--that applies specifically to the strange and different IBM product.

However, when you consider that the System i is as network-enabled as the next server, and that many requests for System i access arrive over the network from potentially unsecured or virus-riddled PC clients running powerful terminal emulation software, you can see that NAC could be a very handy tool in your i5/OS administrators' repertoire, especially given the box's demonstrated little problem with harboring Windows viruses.

TNT's Identity boosts network security by creating a barrier, or a gateway, between a user's trusted network and the un-trusted world outside of the internal network, much like a traditional firewall. The rack-mounted Identity appliance adds to this the capability to positively identify user end points, such as PCs, and to provide full auditing and logging of all network and application activity occurring over the network.

With Identity 3.0, which became available this month, TNT added the capability to block attempts to access trusted sources by PCs or other end points that don't have up-to-date antivirus and spyware software and a working firewall, which is the heart of what NAC is and does. With version 3, the company rolled out support for hundreds of the most popular security tools for Windows, Macintosh, and Linux operating systems.

TNT's Identity does not require any changes to be made to iSeries or other hosts, which simplifies the implementation process, says Rob Ciampa, vice president of marketing and business strategy at TNT. "We're treating the iSeries similar to how we're going to treat a lot of IP-based data centers," he says. "You don't have to go in and do any fancy configuration. By putting it in an appliance, we enable you to install a major implementation of NAC or auditing, with no infrastructure or iSeries changes, pretty much in a day."

What separates TNT Identity from other NAC offerings is its reliance on a small agent component that binds to the end point device and assigns it a unique, non-spoofable identifier. "Where you get into trouble is using IP or MAC (media access control) addresses, because both MAC and IP addresses are spoofable," Ciampa says. "That's the odd part about going with NAC itself, because a lot of NAC offerings are using IP and MAC addresses, which are inherently not secure."

When a client attempts to access a trusted source, such as an iSeries, Identity checks the encrypted digital signature housed on the client-side agent against an access control list (ACL) that defines what applications and ports specific users are allowed to access. This ACL can be integrated with an LDAP server, such as Microsoft's Active Directory, which is how the Henry County Department of Education has Identity configured. If the Identity gateway doesn't recognize the client device, it is not permitted access, and everything behind the gateway is invisible to the device, rendering network snooping tools ineffective.

Once a client device has been positively authenticated as an allowable visitor, Identity progresses to the health status check, if NAC is enabled (which it probably will be). Identity then checks the client device's antivirus, anti-spyware, and firewall status, which occurs nearly instantaneously, Ciampa says. If the device passes the health check, it is allowed access to the applications (controlled through ports) detailed in the ACL. If the endpoint fails the health check, the device quarantines itself and starts remediation processes.

While Identity doesn't yet have the capability to check the patch status of Windows PCs, it will be added to the Identity appliance in a future release, Ciampa says.
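The three-stage decision the article describes (device identity first, then endpoint health, then the per-user port ACL) can be modelled in a few dozen lines. The code below is an added illustration written for this article, not TNT's software or any published description of it: the agent's "non-spoofable identifier" is assumed to be an HMAC over the device id and a single-use gateway nonce with a per-device key, the device registry, ACL, user names, host names, ports and IP addresses are all constructed sample data, and patch status is deliberately left out of the posture check because the article says Identity 3.0 does not check it yet. Note that the audit record is keyed by device and user rather than by source IP, which is the property Ciampa is describing.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    DENY_UNKNOWN_DEVICE = "deny: device not recognised (host stays invisible)"
    QUARANTINE = "quarantine: endpoint failed health check"
    DENY_ACL = "deny: user not permitted on this host/port"
    ALLOW = "allow"


@dataclass
class Posture:
    """Health attributes checked in this model (patch status intentionally omitted)."""
    antivirus_current: bool
    antispyware_current: bool
    firewall_enabled: bool

    def failures(self):
        checks = (("antivirus", self.antivirus_current),
                  ("antispyware", self.antispyware_current),
                  ("firewall", self.firewall_enabled))
        return [name for name, ok in checks if not ok]


def agent_sign(device_id: str, nonce: bytes, secret: bytes) -> str:
    """Assumed agent behaviour: HMAC the device id plus a gateway-issued nonce with a per-device key."""
    return hmac.new(secret, device_id.encode() + nonce, hashlib.sha256).hexdigest()


class IdentityGateway:
    def __init__(self, devices, acl):
        self.devices = devices   # device_id -> (agent secret, user principal)
        self.acl = acl           # user -> {host: {allowed ports}}
        self.pending = set()     # nonces issued but not yet consumed
        self.audit = []          # one record per decision, keyed by device/user, not IP

    def issue_nonce(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def evaluate(self, device_id, nonce, signature, posture, host, port, src_ip):
        user = None
        entry = self.devices.get(device_id)
        fresh = nonce in self.pending
        self.pending.discard(nonce)  # single-use nonce: a replayed signature is rejected
        if (entry is None or not fresh
                or not hmac.compare_digest(signature, agent_sign(device_id, nonce, entry[0]))):
            decision = Decision.DENY_UNKNOWN_DEVICE      # stage 1: identity
        else:
            user = entry[1]
            if posture.failures():
                decision = Decision.QUARANTINE           # stage 2: health check
            elif port not in self.acl.get(user, {}).get(host, set()):
                decision = Decision.DENY_ACL             # stage 3: per-user port ACL
            else:
                decision = Decision.ALLOW
        self.audit.append({"device": device_id, "user": user, "src_ip": src_ip,
                           "host": host, "port": port, "decision": decision.value,
                           "posture_failures": posture.failures()})
        return decision


# Constructed sample data: one registered payroll PC and its user's ACL entry.
DEVICES = {"pc-payroll-01": (b"constructed-agent-secret-01", "payroll.user")}
ACL = {"payroll.user": {"iseries-810": {23, 449}}}  # constructed: 5250 telnet and host-server ports


def run_demo():
    gw = IdentityGateway(DEVICES, ACL)
    healthy = Posture(True, True, True)
    stale_av = Posture(False, True, True)
    dev = "pc-payroll-01"
    secret = DEVICES[dev][0]
    results = []
    # 1. registered device, healthy, permitted port -> ALLOW
    n1 = gw.issue_nonce()
    results.append(gw.evaluate(dev, n1, agent_sign(dev, n1, secret), healthy, "iseries-810", 23, "10.1.5.20"))
    # 2. same device, antivirus out of date -> QUARANTINE
    n2 = gw.issue_nonce()
    results.append(gw.evaluate(dev, n2, agent_sign(dev, n2, secret), stale_av, "iseries-810", 23, "10.1.5.20"))
    # 3. healthy device, port not in the user's ACL -> DENY_ACL
    n3 = gw.issue_nonce()
    results.append(gw.evaluate(dev, n3, agent_sign(dev, n3, secret), healthy, "iseries-810", 21, "10.1.5.20"))
    # 4. device with no registered agent key -> DENY_UNKNOWN_DEVICE, whatever its IP or posture
    n4 = gw.issue_nonce()
    results.append(gw.evaluate("pc-visitor-99", n4, agent_sign("pc-visitor-99", n4, b"x"), healthy, "iseries-810", 23, "10.1.5.20"))
    # 5. replay of the valid signature from case 1 -> nonce already consumed, DENY_UNKNOWN_DEVICE
    results.append(gw.evaluate(dev, n1, agent_sign(dev, n1, secret), healthy, "iseries-810", 23, "10.1.5.20"))
    return results, gw.audit


if __name__ == "__main__":
    for rec in run_demo()[1]:
        print(rec)
```

The ordering matters: an unregistered device is refused before any posture or ACL data is consulted, so nothing about the protected host is revealed to it, which is the "invisible to the device" behaviour the article attributes to the gateway.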

Many users get started with Identity by first using it to log all the network activity. Once they have a good idea of their network access patterns, they can then take the next step and begin using Identity to control access to trusted resources on the network. The appliance comes with extensive auditing capabilities that allow users to pull up very detailed information about user activity. But instead of just listing a bunch of IP addresses, the product correlates the addresses to physical machines, making it easier for auditors to understand what's going on, Ciampa says.

Identity devices are 2U appliances equipped with dual 64-bit, 3.2 GHz Intel Xeon processors, 3 GB of RAM, dual 146 GB SCSI drives, and at least two Ethernet adapters. The company also offers a high availability version of Identity that links two appliances in active-passive mode.

Identity 3.0 is available now. Pricing starts at $15,000. For more information, see www.trustednetworktech.com.



Editor: Alex Woodie
Contributing Editors: Dan Burger, Joe Hertvik,
Shannon O'Donnell, Timothy Prickett Morgan
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed


Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034