John Neystadt is here again. Today I am blogging first part of an overview of how to protect Data Center applications with IAG. Hope you are enjoying the holidays. I will blog second part after they are over.

Changing threats blur the difference between remote and local access

 

For many years network and security departments engineered their networks around the concept of physical security. Establish a security perimeter; guard physical access to a building with human guards and badges; guard network perimeters with an access gateway using strong user authentication; verify endpoint compliance with a security policy that enables restricted access to corporate applications, knowing that when users connect remotely threats are greater than when they connect locally.

 

IAG Datacenter Architecture

 

 

However, mobility and increased outsourcing have changed the threat landscape for local access. There are a number of questions that many security departments ask themselves today:

·        How do I know who connects to my Wi-Fi network from the parking lot or lobby?

·        How do I control which applications can be accessed from mobile phones?

·        Do I trust on-site vendors to the same degree as employees?

·        How do I mitigate the risk from guests’ unmanaged laptops that are allowed to access my business applications?

·        How do I enable and secure access to my data center for clients that are not controlled by my IT department. For example:

o   My company has recently merged with or acquired a company that uses a different desktop security standard.

o   My company has outsourced desktop management and I can’t control what is installed on desktops.

o   My IT environment is loosely coupled as is my organization (this is common for government, educational, and many other organizations). I am in control of the data center only, but not of the clients.

·        How do I enforce compliance for all above scenarios, and be able to monitor and audit all these activities?

 

If you are asking yourself one or more of these questions, than perhaps you are ready for reperimeterization - and IAG 2007 SP2 can help you.

Reperimeterization and the changing role of perimeter security

 

The idea behind reperimeterization (also known as deperimeterization) is simple. Let’s separate data centers and clients, and route all access to corporate applications through a data center gateway which provides the same level of security as that which we enforce for remote access.

 

IAG Datacenter Architecture

 

What am I gaining from such a configuration?

1.      I can provides users coming from different domains or partners with  a great seamless single sign-on experience, without requiring them to explicitly enter credentials when accessing Web applications. This can be done using a combination of either Integrated Windows Authentication (IWA) or Active Directory Federation Services (ADFS), and Kerberos Constrained Delegation (KCD) authentication delegation.

2.      I can implement granular access control, based on the endpoint security state of the client (For example, is the endpoint patched? Is it running an antivirus with recent signatures? Is an anti-malware application turned on?). You might ask what the difference is between IAG and NAP endpoint policies. NAP is a great and simple way to enforce and automatically remediate endpoint compliance for environments that have standardized on a single desktop standard, as NAP expects a specific anti-virus or anti-malware to be present. NAP is binary about client compliance. If a client doesn’t comply with NAP, then the client is restricted to the remediation network. You certainly should use NAP for managed client computers. However, when dealing with loosely coupled environments or “unmanaged” computers - when you don’t control the clients and can’t enforce a uniform standard - you need a technology that enables “unmanaged” Windows, Linux and Mac clients to access a restricted set of applications while enforcing policies such as “must have any anti-virus” or “must have any anti-malware software installed”. In addition NAP supports Windows XP SP3 and newer client operating systems, and you can NAP for these client endpoints, in combination with IAG endpoint security to secure Windows 2000 and pre-Windows XP SP3 clients.

3.      I can monitor and log all application access using the IAG Web Monitor.

 

Authors

John Neystadt, Architect

Eli Tovbeyn, Sr. Program Manager

 

Technical Reviewers

Meir Mendelovich, Sr. Program Manager

Ran Dolev, Sr. Support Engineer

Noam Ben-Yochanan, Sr. Program Manager

Oleg Ananiev, Group Program Manager