"Identity-Driven Access Gateways manufactured by Caymas Systems allow organizations to identify, authorize, protect and audit everyone that accesses corporate data and applications. Caymas Systems was founded in 2002 by Terence Brown and Robert Bortolotto, and ceased its operations in late 2007."
Source: Caymas Systems
Identity-based NAC: Using Identity to Put the "Control" in Network Access Control
Identity-Based Network Access Control (NAC)
There is significant interest in Network Access Control (NAC). The increasing requirement to extend access to critical applications further and further outside of the boundaries of the enterprise has created the unintended consequence of rendering perimeter security obsolete. This trend towards anytime, anywhere access for internal and remote third-party users such as contractors, visitors, partners and auditors is not going away. Leading enterprises are achieving competitive advantage by embracing new outsourced business processes predicated upon unfettered access for a variety of constituencies.
But this enterprise collaboration does not happen without risk. Providing access to all of these internal and external constituencies creates many additional exposures and opportunities for data to be compromised, as well as for compliance violations.
Businesses require better and more flexible access, while auditors insist that private data and intellectual property be protected. This leaves the networking and security professionals caught in the middle. There are significant and quantifiable business drivers for providing access. On the other hand, there are just as many significant and quantifiable risks that make the case for less access.
Ultimately, access decisions hinge on an organization's policy, which needs to answer the following questions:
- Who needs access? Providing access to anyone is a risk, especially if they are not an employee of the organization.
- Where can they go? Providing access to everything is ill-advised, but locking down access to every resource individually can be management intensive. Striking the appropriate balance and being able to enforce as finely-grained access as necessary are important considerations.
- What can they do? Providing fine-grained access is important, but it is just the beginning of achieving access control. Equally important is being able to monitor and respond to the behavior of users after they have been granted access to authorized resources.
By answering these questions and providing a way to flexibly implement any such policy, NAC provides the opportunity to re-engineer business processes in unforeseen ways, all while increasing the security of the data being protected and providing a documented audit trail to prove who accessed what and when. This white paper provides an overview of the benefits of NAC and demonstrates how Caymas Systems' Identity-Based NAC Appliances address enterprise NAC requirements.
Understanding the current state
To determine if NAC is a viable alternative to provide better and more controlled access to critical information resources, it is important to understand the current state. What are organizations doing to solve this problem today? The current state can be summed up in a few approaches to solving the problem:
- Open up the network - Many organizations provide access by addressing the problem within the network infrastructure. This technique relies on a combination of VPN tunnels, private networks, extensive firewall rules, or host access tables.
- Replicate infrastructure - Many organizations basically replicate their computing environment within a demilitarized zone (DMZ).
- Create custom extranets - By working within the application itself or building complex web applications, specific applications can be provisioned for external access.
- Embrace web-based applications - "Software as a Service" (SaaS) offerings move the application to a hosted provider, alleviating the need for access to your network.
A common drawback of these approaches is that each is expensive, complex, management intensive, and slow to adapt. They also give IT departments reduced visibility and control across the access infrastructure. Finally, these techniques also offer poor performance, given the complex rule bases that grind network equipment to a halt. None of these options provides the broad audit and control capabilities mandated by the various regulatory regimes.
These limitations make them ill-suited to provide the access control that will be required for the next generation of business-enabling applications.
Defining NAC
Leading edge enterprises have pinpointed the need for Network Access Control, but the industry has many definitions for NAC. Caymas Systems believes NAC solutions must offer the following capabilities to meet the needs of enterprises of all sizes:
- Scalable - cannot slow down the applications by adding latency, and must operate at multi-gigabit LAN speeds.
- Granular - must offer a flexible policy engine that can enforce fine-grained controls based not only on who, what, where, and when, but also on device attributes and other policy triggers.
- Non-disruptive - cannot require "forklift" upgrades of existing network equipment, ensuring easy deployment and integration with the equipment already in place.
- Transparent to User - cannot impact the user experience of authorized users, who should see absolutely no difference at all.
- Persistent - must maintain control over the life of a connection, ensuring not only that the initial access is authorized, but also that subsequent accesses or changes to the state of the device are constantly evaluated.
- Consistent - must provide the ability to enforce the same access policy across both internal and external networks, regardless of connection type, speed, or access mechanism.
- Resilient - must be able to recover gracefully in the event of failure, ensuring always-on availability for mission critical environments.
- Audit - must be able to document both good and bad access and provide appropriate reports to demonstrate due care in achieving regulatory compliance.
"Network Access Control (NAC) provides the ability to enforce granular access policies across your entire network without suffering any latency or performance impact."
Admission Control is Not Enough
An early set of technology providers brought products to market that focused only on network admission, and not on network access or post-connection management. These solutions check devices accessing the network against corporate security policy to determine if they are carrying any worms or malware. Checking devices alone is not sufficient to meet the needs of organizations that increasingly need to provide access to critical data resources to both internal and external constituencies.
Admission-based solutions provide little in the way of access control once a user is authenticated and their device passes a health check. They are not aware of the identity of the user, the identity of the device being used, or the location of the user and device. These facets of identity should be used not only to determine whether a user should be admitted to the network, but also to define where a user should be allowed to go once admitted, and to provide a complete record of each user's activity while connected.
The Identity-based NAC Solution
Given the need for enterprises to provide access control in a scalable, granular, transparent, non-disruptive and resilient way, the next generation of NAC appliance needs to leverage identity to make network access decisions faster and more effective. After all, it is the users that require access to application resources, not a nameless, faceless IP address or device. By integrating identity into the fabric of the network, organizations gain the ability to control access to resources much more precisely and effectively.
In this age of employee mobility and enterprise collaboration, it is not safe to assume that an IP address or device identification provides adequate visibility for access control. It is much more effective to key off the "user" in addition to the device. Identity-Based NAC appliances do this, enforcing fine-grained access policies based on any or all of the following aspects of identity:
- User - Who is the user and how do they authenticate?
- Device - Is the device being used managed or unmanaged?
- Location - Where are they coming from: local, remote, or wireless LAN?
- Resources - What is the user trying to access?
Keep in mind that access decisions are neither one-time nor static in nature. As attributes change (strength of authentication, location, device), so should the policy. For example, a contractor can be prevented from accessing the network from his or her personal machine at home during the day. But the nature of the project may require that contractor to work from home for only the next two days, which should be easily changed and enforced within the network via the NAC appliance.
Caymas' Solution - The Identity-Based NAC Appliance
Caymas Systems products leverage the identities of users, devices, locations and more in a purpose-built appliance featuring optimized hardware to bring control into the fabric of the network, allowing scalability to LAN speeds while offering a policy engine with unprecedented flexibility and granularity.
Spanning three separate appliances sized to meet the needs of enterprises of all sizes, the Caymas NAC appliances feature unmatched access control granularity, network plug and play deployment, transparent user experience, and full auditing and logging for all connections.
Granular Access Control
An access policy is dynamically changing all the time. A user's access rights change depending on where they are, what they are doing, and even what machine they are using. But this involves making millions of policy decisions instantaneously to manage thousands of access options across hundreds of thousands of users at wire speed. Uniquely utilizing purpose-built hardware and custom network processors, each Caymas appliance makes millions of policy decisions a second, ensuring that there is absolutely no latency introduced into the environment.
To enforce these policy-based access controls, Caymas uses "logical zones" to provide unprecedented flexibility in how administrators choose to remediate any of the issues detected on the network. Each zone represents a level of risk, as opposed to reflecting the existing segmentation of the network. For example, a contractor accessing the network through a device that doesn't have adequate anti-virus protection can be placed in a quarantine and remediation zone, providing the ability for the user to take appropriate measures to meet the minimum requirements for access. Likewise, the CFO can be placed in a "Finance" zone providing access to all applicable finance applications. To provide even more protection, a policy could be implemented that requires a second authentication factor from the CFO if he or she is accessing the network from home.
Caymas controls access through user-based firewall technology, which allows the appliance to open and close applicable ports based upon the rules for the specific user in that specific zone. The user-based firewall is supplemented with a reverse proxy that inspects all traffic to and from the application, ensuring that the policies are enforced.
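The zone model described above, as an added example that is not Caymas code: a small policy engine that assigns a zone from user, device, location and authentication attributes, re-evaluates as they change, and carries the paper's two scenarios (the CFO needing a second factor from home, the contractor allowed off-site for only two days). Every attribute, zone, user and rule is a constructed assumption.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# Added example (not Caymas code): a small identity-based NAC policy engine modelled on
# the paper's "logical zones". Every attribute, zone, user and rule is constructed.
@dataclass(frozen=True)
class AccessContext:
    user: str
    groups: Tuple[str, ...]
    auth_factors: int      # 1 = password only, 2 = password plus second factor
    managed_device: bool   # corporate-managed machine vs personal device
    av_current: bool       # result of the device health check
    location: str          # "office", "home" or "wlan"

@dataclass(frozen=True)
class Decision:
    zone: str
    resources: Tuple[str, ...]   # what a user-based firewall would open for this user
    reason: str

# Zones express a level of risk, not the existing network segmentation.
ZONES: Dict[str, Tuple[str, ...]] = {
    "quarantine": ("remediation-server",),
    "step-up": ("auth-portal",),
    "finance": ("erp-app", "gl-db", "email"),
    "contractor": ("project-share",),
    "employee": ("email", "intranet"),
}

def evaluate(ctx: AccessContext, now: Optional[datetime] = None,
             offsite_until: Optional[Dict[str, datetime]] = None) -> Decision:
    """Pick a zone for one access; re-run whenever any attribute changes."""
    # offsite_until: contractor -> time until which off-site work from a personal
    # device is temporarily allowed (the paper's "next two days" exception).
    now = now or datetime.now()
    offsite_until = offsite_until or {}
    if not ctx.av_current:                       # health gate comes first
        return Decision("quarantine", ZONES["quarantine"], "anti-virus out of date")
    if "contractors" in ctx.groups:
        if ctx.location != "office" and not ctx.managed_device:
            until = offsite_until.get(ctx.user)
            if until is None or now > until:
                return Decision("denied", (), "contractor off-site on personal device")
        return Decision("contractor", ZONES["contractor"], "contractor policy satisfied")
    if "finance" in ctx.groups:
        if ctx.location != "office" and ctx.auth_factors < 2:
            return Decision("step-up", ZONES["step-up"], "second factor required off-site")
        return Decision("finance", ZONES["finance"], "finance policy satisfied")
    return Decision("employee", ZONES["employee"], "default employee zone")

def demo() -> Dict[str, str]:
    """Constructed walk-through of the paper's CFO and contractor scenarios."""
    now = datetime(2007, 6, 1, 10, 0)
    allow = {"bob": now + timedelta(days=2)}   # bob may work from home for two days
    cfo = AccessContext("cfo", ("finance",), 1, True, True, "home")
    bob = AccessContext("bob", ("contractors",), 1, False, True, "home")
    return {
        "cfo_home_password_only": evaluate(cfo, now, allow).zone,
        "cfo_home_with_2fa": evaluate(replace(cfo, auth_factors=2), now, allow).zone,
        "bob_home_day1": evaluate(bob, now, allow).zone,
        "bob_home_day4": evaluate(bob, now + timedelta(days=3), allow).zone,
        "bob_stale_av": evaluate(replace(bob, av_current=False), now, allow).zone,
    }
```

Because `evaluate` is a pure function of the current attributes, calling it again after a device health or location change is exactly the "persistent" re-evaluation the paper asks for.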
Case Study: Educational Testing
SCENARIO: A leading provider of postsecondary standardized tests needs to protect questions on upcoming tests and also the test scores and financial aid data of millions of students.
- Must support direct access to web application
- Must integrate into Oracle DBMS
- Must provide secure remote access to universities
CURRENT SOLUTION: Over 2500 rules on firewalls enforced across over 200 user groups to ensure only authorized users get access to data. This solution was very time and resource intensive to manage.
CAYMAS SOLUTION: By implementing Caymas' Identity-Based NAC Appliances in a secure zone configuration, this customer was able to dramatically reduce the complexity of their environment while increasing the security.
- 2500 firewall rules reduced to one - connect to NAC appliance
- Directly integrated with Active Directory for authentication and group membership
- Three network engineers reassigned as Help Desk took over support of the access control environment
END RESULT: The Caymas deployment provided positive ROI after only six months.
Network Plug and Play Deployment
Caymas Identity-Based NAC Appliances are implemented inline, providing protection at LAN speeds for any resources and/or applications that reside behind them without requiring any network changes. Out-of-band solutions, which rely on reconfiguring router and firewall ACLs and VLANs, cannot enforce a granular policy without introducing unacceptable latency and altering existing network configurations.
Customers typically roll out Caymas appliances incrementally, initially protecting a few critical servers. As more resources require protection, customers can incrementally add more devices and are not forced to upgrade (or even reconfigure) existing network equipment or roll out client software to achieve the full benefit of NAC. Plug the box in, configure the policies, and critical assets are protected.
Each appliance ships with pre-configured policies and simple wizards that help to configure initial access policies to get organizations started and decrease the time to value for the products. Over time, more detailed and granular policies can be implemented via an intuitive policy language that shields complexity from administrators. Caymas appliances can provide as much or as little customization and granularity as an organization needs to meet their business requirements.
Customizing policies is also easy since the policy configurator uses a point and click model allowing policies to be designed graphically. Once the policy is defined, the appliance generates all the necessary rules to cleanly and quickly define the zones that enforce the policies.
To further facilitate the deployment of the appliances, Caymas integrates with existing directory stores. So if users and groups are already assigned in the organization's Active Directory or any other LDAP data store, the appliance can leverage that information to pre-populate many of the required policies, further streamlining implementation.
Transparent User Experience
End users are very sensitive to changes in their workflow, and as such, Caymas has taken great care to ensure a transparent user experience. For starters, the same policy is enforced for the user, regardless of device, location, or access method. The user-based firewall enables zone assignments, remediation alternatives and authentication methods to vary depending on specific policy triggers. For example, the policy pegged to the CEO is enforced based on whether he or she is accessing the network from the office, a conference room, or a hotel on the other side of the world over an SSL connection.
That being said, it may be prudent to require additional authentication mechanisms in certain cases, which can be implemented as a simple policy addition. If the CEO's machine hasn't been patched, he or she may also be put on a quarantine network with only email access until the machine is updated. Any and all of these policies can be implemented across all users and groups in the enterprise, providing unmatched flexibility.
To further ensure user transparency, the Caymas appliances piggyback on the Windows login, eliminating the need for users to authenticate twice, once to Windows and again to the NAC appliance. In the event a problem is detected, Caymas can send the user to a remediation server which offers the proper updates, patches, etc. to get the machine up and running on the network very quickly.
Full Auditing and Logging
No discussion of a security product can be complete without some perspective on auditing and logging. Given the requirements inherent to many regulations, it's critical to be able to document access requests, authentications and authorizations to critical resources for compliance reporting purposes. Caymas stores detailed logs for every access request and policy change (to ensure there is an audit trail for administrators as well).
Since Caymas keys many of its policy decisions to identity information, the appliances correlate IP addresses with known identities to more easily pinpoint unauthorized or malicious users. This may not seem important until a network compromise is being investigated: not having to manually map between IP address and device name accelerates the investigation and makes more effective use of resources.
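The IP-to-identity correlation described above, as an added example that is not Caymas code: access-log lines that carry only a source IP are joined to identity sessions by time, so an address reused by two users on the same day is attributed correctly and a line with no matching session is flagged for the investigator. The log format, session records and all values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Added example (not Caymas code): join raw access-log lines, which carry only a
# source IP, to identity sessions so an investigator need not map IP to user by
# hand. Log format, session records and all values are constructed.
@dataclass(frozen=True)
class Session:
    user: str
    device: str
    src_ip: str
    start: datetime
    end: Optional[datetime]      # None = still connected

def identity_at(sessions: List[Session], ip: str, when: datetime) -> Optional[Session]:
    """Session that held `ip` at `when`; addresses are reused, so time matters."""
    for s in sessions:
        if s.src_ip == ip and s.start <= when and (s.end is None or when < s.end):
            return s
    return None

def annotate(log_lines: List[str], sessions: List[Session]) -> List[str]:
    """Append the identity behind each line; flag lines with no matching session."""
    out = []
    for line in log_lines:
        ts, ip, verdict, resource = line.split()          # constructed 4-field format
        s = identity_at(sessions, ip, datetime.fromisoformat(ts))
        who = f"user={s.user} device={s.device}" if s else "user=UNKNOWN(no session)"
        out.append(f"{line} {who}")
    return out

def denied_by_identity(log_lines: List[str], sessions: List[Session]) -> List[Tuple[str, str]]:
    """(user, resource) for every DENY, the first thing to review in an investigation."""
    hits = []
    for line in log_lines:
        ts, ip, verdict, resource = line.split()
        if verdict == "DENY":
            s = identity_at(sessions, ip, datetime.fromisoformat(ts))
            hits.append((s.user if s else "UNKNOWN", resource))
    return hits

# Constructed data: 10.1.5.20 is reused by two users on the same day.
SESSIONS = [
    Session("alice", "lt-0421", "10.1.5.20", datetime(2007, 6, 1, 8, 0), datetime(2007, 6, 1, 12, 0)),
    Session("bob-contractor", "personal", "10.1.5.20", datetime(2007, 6, 1, 13, 0), None),
    Session("cfo", "lt-0007", "10.1.9.5", datetime(2007, 6, 1, 7, 30), None),
]
LOG = [
    "2007-06-01T09:15:02 10.1.5.20 ALLOW intranet",
    "2007-06-01T12:30:00 10.1.5.20 DENY gl-db",    # gap between sessions: unidentified
    "2007-06-01T14:05:41 10.1.5.20 DENY gl-db",    # same IP, now bob-contractor
    "2007-06-01T14:06:10 10.1.9.5 ALLOW gl-db",
]

if __name__ == "__main__":
    for line in annotate(LOG, SESSIONS):
        print(line)
```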
Case Study: Outsourced Business Process
SCENARIO: A publicly held drug distribution company needed to securely share drug usage information with partners and suppliers. This customer also had a need to provide access to an outsourced development partner to complete a high profile web-based project.
CURRENT SOLUTION: This customer was faced with building their own secure FTP site to share data with partners and suppliers. To support the outsourced development team, they considered entirely replicating the technology environment, which would be very expensive and time-consuming.
CAYMAS SOLUTION: By implementing Caymas' Identity-Based NAC Appliances in a secure zone configuration, this customer was able to provide secure access to partners and suppliers and ensure always-on access to developers half-way across the world while logging all of their access.
- Secure zone configuration allowed the customer to centralize access for partners and suppliers, providing them with shared folders that only they could access.
- Taking advantage of the ability of the Caymas NAC appliance to enforce a user-based access policy, remote developers stay at their home site and get access to only those resources required for the project.
- Extensive logging ensured the customer stayed compliant with HIPAA and was able to track the usage of outsourcers to protect intellectual property.
Summary
Corporate IT groups increasingly need to provide access not only to internal employees, but also to contractors, visitors, business partners, outsourcers and other key constituencies. This, combined with the increasing scrutiny dictated by the need to protect private data and intellectual property from both external and internal threats, creates the need to more effectively control access.
A category of product called Network Access Control (NAC) has emerged to meet these needs, but not all NAC devices are created equal. Caymas Systems has introduced a family of Identity-Based NAC Appliances that provides enterprises with the ability to use identity to control access within the fabric of the network.
Here are just a few of the best in class features of the Caymas NAC Appliances:
- Scalability - Caymas offers purpose-built appliances with hardware acceleration to provide the ability to make millions of policy decisions per second, which scales to the demands of the largest enterprises.
- Granular - Caymas' policy engine enforces user-based access policies that can be triggered off of hundreds of attributes. Out of the box policies can be used to provide an accelerated time to value, and a graphical policy configurator can be used to shield administrators from complex rules.
- Non-disruptive - Caymas does not require any changes to the existing network devices. Just plug in the appliances in front of the protected assets, implement a policy and you are protected.
- Transparent to user - Caymas adds no latency, integrates with existing equipment and directory stores, and does not require a client. In many cases, the user doesn't even know there is a much greater level of access control protecting their network connection.
- Persistent - Caymas checks the integrity of each connecting device upon access, but also continually ensures the device is adhering to policy. Resources are protected both pre- and post-admission.
- Consistent - Caymas enforces a consistent policy for the user regardless of how, when or from where they connect.
- Resilient - Caymas supports full failover with redundant devices to ensure the network suffers no downtime.
- Audit - Caymas tracks and logs every access attempt (both successful and unsuccessful) while correlating between IP address and identity to facilitate investigations and provide the documentation required for regulatory compliance audits.
Caymas Identity-Based NAC Appliances enable enterprises of all sizes to control access and control their business.
Caymas Systems, Inc.
Phone: 408.985.9000
Fax: 408.985.9001