Archive for the 'Network Authentication' Category

Insightix’s NAC Approach

Wednesday, October 25th, 2006

Tim Greene from Network World has an article up highlighting the Insightix NAC solution. Insightix is the company co-founded by Ofir Arkin, who got some notoriety by showing how NAC could be “bypassed.” I wrote about his presentation a while back so I won’t reiterate any of that. But I found this snippet from Greene’s article interesting:

Insightix NAC software can block unauthorized devices from network access via address resolution protocol (ARP) spoofing, which tells the device it is ineligible to send traffic to the network. Alternatively, it can block access to switch ports using SNMP commands to switches that deny access.

Let’s see … the co-founder of a NAC company attacks existing NAC approaches and releases his own approach based on ARP and SNMP. I’ll leave any jokes here as an exercise for the reader. If you want a hint, check out Alan Shimel’s analysis.
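The quarantine mechanism Greene describes is worth seeing on the wire, because an ARP-based NAC enforcement point is indistinguishable from an ARP poisoning attack: both send replies that rebind an IP address to a different MAC. The following Go program is an added example, not Insightix code and not from the Network World article; it parses raw ARP frames and flags any reply that rebinds an IP it has already seen. The frames, addresses and the BuildARPReply helper are constructed for the example and are not taken from any real capture.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
)

const arpReply = 2

// ARP holds the fields of an IPv4-over-Ethernet ARP packet (RFC 826).
type ARP struct {
	Opcode    uint16
	SenderMAC net.HardwareAddr
	SenderIP  net.IP
	TargetMAC net.HardwareAddr
	TargetIP  net.IP
}

// ParseARP decodes an Ethernet frame carrying ARP; it rejects short frames and
// non-ARP ethertypes rather than reading past the buffer.
func ParseARP(frame []byte) (*ARP, error) {
	if len(frame) < 14+28 {
		return nil, fmt.Errorf("frame too short: %d bytes", len(frame))
	}
	if binary.BigEndian.Uint16(frame[12:14]) != 0x0806 { // ethertype ARP
		return nil, fmt.Errorf("not an ARP frame")
	}
	p := frame[14:]
	if binary.BigEndian.Uint16(p[0:2]) != 1 || binary.BigEndian.Uint16(p[2:4]) != 0x0800 || p[4] != 6 || p[5] != 4 {
		return nil, fmt.Errorf("not IPv4 over Ethernet")
	}
	return &ARP{
		Opcode:    binary.BigEndian.Uint16(p[6:8]),
		SenderMAC: net.HardwareAddr(p[8:14]),
		SenderIP:  net.IP(p[14:18]),
		TargetMAC: net.HardwareAddr(p[18:24]),
		TargetIP:  net.IP(p[24:28]),
	}, nil
}

// Watcher remembers the first MAC seen for each IP and reports replies that
// rebind it. It cannot tell an attacker from an ARP-quarantining NAC appliance;
// on the wire they look the same.
type Watcher struct {
	bindings map[string]string // IP -> MAC
}

func NewWatcher() *Watcher { return &Watcher{bindings: map[string]string{}} }

// Observe returns an alert string for a rebinding reply, or "" otherwise.
func (w *Watcher) Observe(a *ARP) string {
	if a.Opcode != arpReply {
		return ""
	}
	ip, mac := a.SenderIP.String(), a.SenderMAC.String()
	prev, seen := w.bindings[ip]
	if !seen {
		w.bindings[ip] = mac
		return ""
	}
	if prev != mac {
		return fmt.Sprintf("ARP rebind: %s was %s, now claimed by %s", ip, prev, mac)
	}
	return ""
}

// BuildARPReply constructs a unicast ARP reply frame. It exists only to make
// sample traffic for this example (assumed addresses, not a real capture).
func BuildARPReply(senderMAC, senderIP, targetMAC, targetIP string) []byte {
	smac, _ := net.ParseMAC(senderMAC)
	tmac, _ := net.ParseMAC(targetMAC)
	sip, tip := net.ParseIP(senderIP).To4(), net.ParseIP(targetIP).To4()
	if len(smac) != 6 || len(tmac) != 6 || sip == nil || tip == nil {
		panic("bad address in sample input")
	}
	f := append([]byte{}, tmac...)                     // Ethernet destination
	f = append(f, smac...)                             // Ethernet source
	f = append(f, 0x08, 0x06)                          // ethertype ARP
	f = append(f, 0, 1, 0x08, 0x00, 6, 4, 0, arpReply) // htype, ptype, hlen, plen, opcode
	f = append(f, smac...)
	f = append(f, sip...)
	f = append(f, tmac...)
	f = append(f, tip...)
	return f
}

func main() {
	// Constructed sample: the real gateway answers, then another station claims
	// the gateway's IP, which is what an ARP quarantine (or poisoning) does.
	w := NewWatcher()
	for _, fr := range [][]byte{
		BuildARPReply("00:11:22:33:44:01", "192.168.1.1", "00:11:22:33:44:10", "192.168.1.10"),
		BuildARPReply("00:11:22:33:44:ee", "192.168.1.1", "00:11:22:33:44:10", "192.168.1.10"),
	} {
		if a, err := ParseARP(fr); err != nil {
			fmt.Println("drop:", err)
		} else if alert := w.Observe(a); alert != "" {
			fmt.Println(alert)
		}
	}
}
```

Run stand-alone it prints one alert for the constructed rebind. A switch running dynamic ARP inspection makes the same comparison against its DHCP snooping table, and it will block an ARP-based NAC appliance just as readily as an attacker, which is worth knowing before deploying one.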

Cisco’s Supplicant Strategy

Wednesday, October 25th, 2006

Cisco has announced the branding of the Meetinghouse 802.1X supplicant. The “Cisco Secure Services Client” is now available. I wrote about the Meetinghouse and Cisco deal a while back. I was right when I predicted that Cisco would pull Meetinghouse out of the TCG / TNC; that happened pretty fast. However, I was wrong when I predicted that Cisco might sell their client for substantially less than Juniper’s offering or even give it away for free. My reasoning was that Cisco had far more to gain by selling switch migrations enabled by a supported supplicant, than they did in trying to recognize revenue per seat in connecting to those switches.

I still stand by that. However, there is some subtlety here: just because something costs between $30 and $40 a seat depending on volume (very similar to Juniper’s supplicant) doesn’t mean that Cisco will charge that to its biggest customers. The minute a major account manager has a giant Catalyst switch deal on the line that hinges on removing the supplicant objection, I think the cost will be reduced if not eliminated. That’s just good business.

However, if Cisco’s goal is to ensure that 802.1X succeeds only on Cisco kit, the pricing strategy seems more plausible but is still flawed. A Cisco supplicant that is nearly free for Cisco networking customers but not for anyone else would keep non-Cisco network customers from adopting it, and that is where the flaw lies: it hurts 802.1X’s wired deployability in general. Cisco succeeds when the network gets more intelligent. 802.1X is still in its nascent stages on the wired side, and Cisco’s competition isn’t really HP ProCurve (regardless of how much HP would like that to be true). Their real competition is dumb networks in general. Vista’s security infrastructure doesn’t require the network as an enforcement point, and it doesn’t have 802.1X supplicant complexity as a required element. While that security model is incomplete, it is also mostly free to organizations deploying Microsoft on the server and client side, which is just about everyone. For more evidence of Microsoft’s stance on wired 802.1X see this article, which was originally titled “802.1X on Wired Networks Considered Harmful.”

Rather than trying to differentiate Cisco vs. the other network vendors, Cisco should instead be trying to rally the networking industry to compete with the onslaught of host and application oriented security solutions. I’ve often stated that security is a system and that there are roles for the network and the host to play. However, business goals and security architecture aren’t always aligned. Cisco should be championing open standards to make the network more intelligent, not looking for ways to keep such systems proprietary. They already have the market share and if customers see them as innovators and embracing standards (which is how Cisco got to where it is today) they will continue to buy Cisco. This bears on their supplicant pricing decision as well as their involvement and willingness to drive standards around NAC.

When IPsec VPNs for remote teleworking became viable, Cisco bought a company called Altiga. Altiga became the Cisco VPN 3000 Concentrator and it was quite a success. The client for connecting to the concentrator was given away, since the money they wanted to make was in the hardware. However, there were proprietary extensions to the client from Cisco and from other VPN vendors like Check Point and Nortel. Microsoft had their own IPsec client in Windows, but because its configuration was clunky, it wasn’t used. IPsec never really converged on a standard, open, and interoperable client. As a result, SSL VPN seems to be the technology with long-term staying power, in no small part because the client (the browser) is ubiquitous. With 802.1X / NAC, Cisco has proprietary technology and is charging for the client. I’ll be surprised if the outcome is better and not at all surprised if it turns out worse.

This further reinforces the need for an open supplicant, as I’ve written about before. The next 18 months will be very telling for 802.1X as a ubiquitous authentication mechanism rather than a deployment necessity for secure wireless.

The Visitor Network Way-back Machine

Friday, October 6th, 2006

Ed Vielmetti’s daily del.icio.us post alerted me to an ancient (in networking terms) article on visitor networks and various strategies for their deployment. It was published in Cisco’s Internet Protocol Journal back in 2002, and it is surprising how little the technology for deploying visitor networks has changed. The core goal of being client-less remains, and the captive portal techniques are still very much in use today. This is great background information with plenty of application in today’s authenticated networks.

Dave Kearns on NAP and Active Directory

Monday, October 2nd, 2006

Dave Kearns has a nice write-up on the directory implications of NAC / NAP. He says:

What I find extraordinary in all the material Microsoft has published on NAP and NAC (both Cisco’s NAC and the generic NAC) is the extremely limited (i.e., I couldn’t find any) references to Active Directory! But all of this is firmly based on having an up-to-date, schema-extended Active Directory forest as the basis for identifying and tracking all of the hardware that’s either on or attempting to attach to your network.

Getting a handle on AD is certainly a requirement before doing NAP, but in talking to customers I’m finding things are even worse than Dave describes. Often there are multiple AD forests, the result of acquisitions or mergers. Many organizations also run LDAP servers that house their own user repositories for certain groups. Microsoft would like organizations to use a single AD forest for all their users and devices, but while that may be a goal for an enterprise, in reality there are plenty of things that prevent it from happening.

Network identity management is about more than just directories and AAA. It has to be about making those directories do something useful in their current state of deployment, not just their idyllic environment as envisioned by the vendor. Some of the things a virtual directory can do for application IdM are just as useful in the network context. Only when we can easily identify the user and their device can we hope to write meaningful policies around what those elements can do on a network.

NAC, a Lament

Monday, October 2nd, 2006

Jeff Boles writes this about NAC:

What we should be left with in NAC is an evolutionary development of current architectures, such as 802.1x, that are standardized and fully interoperable. There’s some discussion afoot about interoperability, but in reality the market has greatly fragmented itself with a bunch of different solutions and poor definition of what NAC is. We’re left without a solution set, but a lot of different packaged up products.

I think Jeff has this right. Cisco, Microsoft, and other big players have often touted proprietary protocols as a way to seed the market with an in-demand capability. Cisco did this correctly with the Hot Standby Router Protocol (HSRP) and with some of its early extensions to IPsec. However, 802.1X is still relatively new on the wired side, and it doesn’t need the further encumbrance of proprietary NAC extensions. Cisco sees this and has begun positioning Cisco Clean Access as an alternative to 802.1X-based NAC.

While there seems to be widespread agreement that standards are necessary to get a functional and interoperable NAC architecture, standards are slow going. The IESG within the IETF finally received a submission from the Network Endpoint Assessment (NEA) mailing list to form a working group today. The chairs of the mailing list are representatives from Cisco and Juniper, two companies with substantial stake and influence in how all this shakes out. While I hope specifications move more quickly than the initial formation of the working group did, I’m not hopeful that the IETF’s sluggish tendencies can be easily remedied.

Identity-centric NAC

Thursday, September 21st, 2006

I’m presenting later today at the New York Tech-Security conference on identity-centric NAC. This is following the same theme as my remarks at Digital ID World. You can download the slides here. Comments welcome as usual.

Digital ID World Final Thoughts

Friday, September 15th, 2006

Well that was an interesting three days with a fair amount of typing. Hopefully the session notes were helpful to everyone. There is some good analysis of specific sessions over at Phil Windley’s blog. In all I thought the conference was well done and it was interesting to discuss the nascent blurring of the NAC and Identity space. The hot topic of the conference was not NAC though, but rather the user-centric identity efforts from Microsoft, Higgins, and others.

These initiatives, if you are unfamiliar with them, promise to simplify the user experience of sharing identity information on the Internet. Through a visual representation, users choose the identity profile they wish to share with a given site and can control what information is presented. These identity profiles can either be self-asserted or signed by an identity provider. Think of it as a signed version of your web browser’s auto-fill feature with a selector in advance of submitting the data.

There were a couple of presentations on the enterprise applications of this functionality, and most of the conversations were clothed in the trappings of web 2.0 virtues like user-centricity and distributed workflow. There were no immediate killer applications that I saw. Interestingly enough, the most compelling reason to imagine that this functionality will hit the enterprise is that consumers will like the user experience at home and will ask for it at work. What, then, will user-centric identity mean in an enterprise networking context?

These systems seem to be very much like a PKI at their heart. Identities are signed and can be presented without a challenge / response from some authority each time. This is good and if it can be extended to include information within the signed identity about the role and attributes of the user, then network access decisions can be made without consulting a user directory. Of course role changes, revocation, and other intricacies threaten the simplicity of the system but the overall idea of embedding more information in a certificate is not particularly new. If these user-centric efforts produce something substantially easier to deploy and use, then a signed identity throughout the enterprise is possible and could significantly change network identity management.
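To make the signed-identity idea concrete, here is an added example in Go (not code from the conference, Microsoft, Higgins or any vendor mentioned above): an identity provider signs a small attribute set once with an Ed25519 key, and a network policy point later verifies it using only the provider’s public key and derives an access VLAN from the embedded role, with no round trip to a directory. Everything in it is assumed for illustration: the claim field names, the role-to-VLAN table, and the serial-number revocation list.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Claims is the attribute set the identity provider signs once. The holder
// presents it to any enforcement point without a live challenge/response to
// the provider; the embedded roles let the network authorize on its own.
// Field names are assumed for this example.
type Claims struct {
	Subject string   `json:"sub"`
	Roles   []string `json:"roles"`
	Expires int64    `json:"exp"`    // Unix seconds
	Serial  uint64   `json:"serial"` // identifies this assertion for revocation
}

// Assertion is the signed form: the exact bytes that were signed plus the
// Ed25519 signature over them. The verifier checks the bytes it received, so
// no canonicalisation step is needed.
type Assertion struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"sig"`
}

// Issuer holds the identity provider's signing key.
type Issuer struct {
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
	next    uint64
}

func NewIssuer() (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{Public: pub, private: priv, next: 1}, nil
}

// Issue signs a claim set for subject with the given roles and expiry.
func (i *Issuer) Issue(subject string, roles []string, expires int64) (Assertion, error) {
	c := Claims{Subject: subject, Roles: roles, Expires: expires, Serial: i.next}
	i.next++
	payload, err := json.Marshal(c)
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{Payload: payload, Signature: ed25519.Sign(i.private, payload)}, nil
}

var (
	ErrBadSignature = errors.New("signature does not verify")
	ErrExpired      = errors.New("assertion expired")
	ErrRevoked      = errors.New("assertion revoked")
)

// Verify is what a switch or RADIUS server would run: it needs only the issuer's
// public key, the current time, and a locally cached revocation list.
func Verify(pub ed25519.PublicKey, a Assertion, now int64, revoked map[uint64]bool) (Claims, error) {
	var c Claims
	if !ed25519.Verify(pub, a.Payload, a.Signature) {
		return c, ErrBadSignature
	}
	if err := json.Unmarshal(a.Payload, &c); err != nil {
		return c, err
	}
	if now >= c.Expires {
		return c, ErrExpired
	}
	if revoked[c.Serial] {
		return c, ErrRevoked
	}
	return c, nil
}

// VLANFor maps the first recognised role to an access VLAN (assumed numbers).
func VLANFor(c Claims) (int, bool) {
	table := map[string]int{"finance": 20, "engineering": 30, "guest": 99}
	for _, r := range c.Roles {
		if v, ok := table[r]; ok {
			return v, true
		}
	}
	return 0, false
}

func main() {
	iss, err := NewIssuer()
	if err != nil {
		panic(err)
	}
	now := time.Now().Unix()
	a, _ := iss.Issue("bob", []string{"engineering"}, now+8*3600)

	c, err := Verify(iss.Public, a, now, nil)
	vlan, _ := VLANFor(c)
	fmt.Println("fresh:", c.Subject, "vlan", vlan, "err:", err)

	// The caveats from the post: revocation needs a list every enforcement
	// point can see, and expiry is the only thing that bounds a stale assertion.
	_, err = Verify(iss.Public, a, now, map[uint64]bool{c.Serial: true})
	fmt.Println("revoked:", err)
	_, err = Verify(iss.Public, a, now+9*3600, nil)
	fmt.Println("expired:", err)

	// Editing the roles without re-signing is caught by the signature check.
	forged := Assertion{Payload: []byte(`{"sub":"bob","roles":["finance"],"exp":9999999999,"serial":1}`), Signature: a.Signature}
	_, err = Verify(iss.Public, forged, now, nil)
	fmt.Println("tampered:", err)
}
```

Run stand-alone it prints the fresh, revoked, expired and tampered outcomes. The last three are exactly the intricacies mentioned above: an offline-verifiable assertion is only as current as its expiry, and only revocable if every enforcement point consults the same revocation list, which is the same operational problem CRLs pose for a conventional PKI.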

DIDW: How NAC is Integrating with Identity Management

Wednesday, September 13th, 2006

Here are notes on the second NAC session.

Eric Norlin, Moderator

NAC guys started using identity in their messaging; he wanted to find out why.

Introductions:

Applied Identity
Juniper
Forescout
Apere
TNT

What do you do:

Applied Identity: Application security is further along, so we’re doing identity based access control in the network

Juniper: In the NAC business. Genesis was the acquisitions of Netscreen and Neoteris. SSL VPNs being used for access control. As these technologies evolved throughout the enterprise we looked at policy frameworks

Forescout: Definitely NAC. Clientless approach and discovery, also do ranking abilities, also provide role-based capabilities, provides integration with identity players.

Apere: Bringing Identity and Access Control together. Miniature Tivoli in a box. Medium enterprises don’t have identity management. We wanted to put a version of that in a box.

TNT: Identity is confusing for enterprises, at the network layer no one did this. We bring a clear vision of what assets are doing and who they are interacting with. We now have access control on top of that to define what folks are allowed to do.

Eric: Identity Management at the Network layer and Identity Management at the Application layer, you seem to be going between the two. What are customers doing from you?

Applied Identity: Control is something we provide, second driver is compliance SOX, etc. Third driver is consolidation of defense in depth from disjointed layers to more coordinated layers. One place for security policy. Deployment cases. 1: Guest worker access (employee, contractor, etc.)

Juniper: First is notion of identity at the user level, then also non-managed devices and controlling what they are able to access, then what rights do they have. The reality of enterprise endpoints, customers tend to want a holistic view across all forms of access.

Forescout: Agrees as far as drivers. One thing to add, depending on market (i.e. Federal may have a different focus). In the enterprise, we see mostly orchestration to provide one management platform for things already in place. I.e. How can I be sure that the AV is all in place. In federal market, more compliance.

Apere: Too many products in the market, what can we do to help this? Did interviews in 2002 talking to customers. Three key issues we heard from is 1. Business enablement 2. IP protection 3. Compliance. 90% of customers we talk to have more than 10 identity stores (7 ADs, couple LDAPs, etc. These systems don’t talk well with one another). Focused on the medium enterprise.

Eric: How is TNT changing based on changes in market?

TNT: Lots of disjointed functions deployed across enterprises. Regulatory pressures are forcing directory discipline. Need controls and visibility after authentication. Fighting attacks at the edge or data center alone is not enough. Need to go to every machine in the network [SJC: This seems architecturally questionable, but perhaps we have different definitions for these terms]

Eric: Security happens when you do Identity well. Why call yourself an Identity company and not just a networking company?

Applied Identity: Wanted a strong association with Identity. Noise level got excessive in the overall security space. Static ACL tables are very error prone.

Juniper: We aren’t an identity management company. What used to be controlling access based on who is evolving into other vectors like device type, etc. We see a huge guest worker opportunity.

Eric: The metaphor seems to be changing. Instead of bigger firewalls and more techniques to protect the network, is this change in metaphor happening?

Forescout: Yes, we are a NAC vendor and are not doing Identity but we see the linkages between the two.

Apere: We launched product two months ago. Biggest problem was analysts are identity or security focused. This highlights the problem. In customers, the networking guy cares about security but the application guy cares about identity. An application guy and the network IT manager don’t play well with one another. We want to make a comprehensive solution that includes both security and identity.

Eric: What is the value of managing Identity at the network layer?

TNT: The balance of power in the enterprise is shifting towards the identity folks since they speak the business language. This power is taken from the networking guy. These trends are causing some of these metaphor changes. By talking about the infrastructure in Identity terms it allows the networking guys to speak the language of the business.

Missed the last 15 minutes.

DIDW: An Identity-Based Approach to Network Access Control

Wednesday, September 13th, 2006

-Special thanks to Roy Chua for taking notes on this session I participated in on Tuesday-

Panel

ESG
- Jon Oltsik – introducing

ConSentry – Jeff Prince

- Secure internal LAN, not rip replace
- Full user visibility and mitigation
- Here – identity key to their closing of business

Sanjay Uppal – CEO of Caymas

- Identity control appliances
- Have been doing for some time now
- How it all comes together, two important categories coming together

Sean Convery – CTO of Identity Engines

- Network identity management platform
- User is center of identity in enterprise
- Bring user directories to the network – to make meaningful decisions
- Works with new devices as well as existing equipment

Paul Sangster – Chief standards officer at Symantec

- Security and integrity protection for enterprises
- Co-chair of TNC group
- Working on NAC open standards

Definition of Network Identity

Paul Sangster

- establishing set of attributes with regard to things on network
- From NIC card to laptop to human
- And authorized to get on network
- Identity – ties into integrity and event management

Sean Convery

- Network ID used to be MAC and IP addresses
- Talked about spreadsheets and IP = user
- Mobility has made MAC and IP more difficult
- Seeing prevalence of user-centric identity
- From simple auth to 802.1X

Sanjay

- Practical and then future
- 2-factor, client certs – one aspect
- Other aspect – integrity of device – combination of multiple ID
- Practical – integrity of device
- User – username, password, token
- Future – combination of two

Jeff Prince

- Knowing users and machines connecting to network
- Trick (as Sean put) – bind users to IP and MAC
- How to make user-readable, and location-based – bob, using machine X in office 12
- Location is important as well

Cisco and MSFT were invited to participate but declined

Jon: implementation is difficult
Many supplicants, devices, EAP strategies

What to help people ease into solution

Jeff Prince

- Been in networking long time
- Things that become pervasive on network – easy to deploy, cost effective, high performance
- Cisco NAC – good vision, impossible to implement
- ConSentry want to execute that vision – e.g. rip out L2 switches

Sean Convery

- Cisco not quick to release NAC specifications
- Seeing lots of interest in preserving infrastructure built out
- Seeing disparity in making enforcement technologies
- From enterprise – deploying 6, 8, 10 different things – hard
- Need central authoring and policy point
- Trying to put all eggs in one technology basket is troublesome long term
- Particularly due to lack of standards

Paul Sangster

- See difficulty in deploying – e.g. AV, desktop FWs – people turning it off
- IT needs centralized point of control – and when joining, want to make sure that the machine is healthy and to do so periodically
- Customers tell them this is very difficult but customers don’t want to take the wrong step – don’t want to step up until see long term future of space

Sanjay Raja

- Agree that Cisco and MSFT are not open enough
- Don’t agree with vision of NAC – network admission control
- Customers are asking, after you get admitted, where can you go
- Shouldn’t be limited to just network, but applications as well
- NAC should be access control done in the network, as opposed to, to the network

Jon: who supports TNC, and why hasn’t everyone in audience heard of it

Paul Sangster

- Communication – Cisco and MSFT have large PR budget and voices
- TNC – many large companies, focused message is hard

Jeff Prince

- Biggest frustration – CSCO not member
- Own 80% not adhere to standard, neuter standard
- User community put pressure on CSCO to join
- Best way is to drive standards between endpoint and network

Sean Convery

- Not failure of TNC
- But failure of any architecture for NAC overall
- Have had problems deploying NAC framework at Cisco
- Customers are coming and saying NAC with AV, and firewall and .dat files are good
- Want to know who’s coming on network first, and then along with everything else

Sanjay Uppal

- Agreed, how to integrate client with network
- Should have defined protocol for not 802.1X but others
- Captive portal and web-based login first, and then do bells and whistles
- Need an open supplicant

Jon: trying to rally around the open supplicant

- MSFT, CSCO, Juniper – proprietary – how to drive open supplicants
- Good grassroots support to date –
www.enterprisestrategygroup.com

Question from audience:

- Why won’t people stay with MSFT and CSCO and wait until they are done rolling out

Sanjay Uppal

- Most of their customers (e.g. Hormel), waiting for Longhorn or CSCO, a lot to ask for from people with problems today
- Already have problems with identity theft and guest users
- Products on panel will solve that today and don’t have to wait till giants learn to dance
- For entire infrastructure though, advice is to wait

Paul Sangster

- Normal enterprise risk analysis decision
- Lots of data on cost for enterprise for not being able to enforce decisions about posture (worms, malware etc)
- Don’t want to make bad decision, need future proofing
- Nature of attacks over last 12 months, more focused on enterprises
- Without integrity checking, lots of enterprises have user auth, nothing to stop malware
- Need to have no malware stealing credentials

Sean Convery

- Agree that solving acute problems today
- Biggest people deploying our product have short-term access problems
- When talking about NAC and are people ready to deploy NAC
- NAC is AAA
- Dialing into POP over SLIP – using AAA NAC back then
- Principal reason we exist – authenticate people on network
- Repository of user identity and not treated as a critical resource on network
- AAA down – lose VPN and wireless
- Moving forward, how do you authorize users to get on network

Sanjay Uppal

- On aspects of what customers should do from a practical standpoint
- Non-employees getting on network – biggest risk
- Yesterday – SLIP connection – had today, but need combination of identity of user and device as well (e.g. folks in India and Philippines doing contract programming)

Jon: How much marketing money CSCO has? Lots

Audience: where’s the vision for centralizing policies throughout the company. Don’t have the people – geeks on parade. Don’t want to call someone to make change in some device. How to go in to a central policy store to make these changes across enterprise-wide.

Jon – paraphrase – centralized policy instead of policy everywhere

Sean:

- Think we won’t have centralized policy today, and may never, but some day
- Trying to embrace standards around this area – e.g. XACML around that, SOAP-based interface
- Work on networking problems first, and then start doing it for the applications-side, assert it to the future

Jeff:

- See solution boiling down to three basic components:
o End point, control piece in switching infrastructure, and IdM infrastructure
o Defining standards – is critical
- Today, ConSentry built controller behind the switches, can’t rip and replace everything
- As people do switch replacement, will see it coming in
- Announced secure switch, embeds full function into wire-speed switch

Sanjay Uppal

- From enterprise, have concern about adding more layers
- Don’t want new policy in AD, RADIUS etc
- There are standards for asking about Identity – not rich, but can work
- No standard way to ask for policy yet
- Also need standards to federate health
- Once standards set – one place to set policy to get management policy (not appliance), and enforcement can be switch or not, think appliance is still important, need client piece as well for integrity

Paul Sangster

- Centralized place for policies
- Everyone has that, but then you still end up with many centralized stores
- Need MetaDirectory
- Need a PDP that can talk to other PDPs or network
- Can express PDP in some form and push it out (e.g. XACML)

Jon:

- See standards – e.g. Federation, users have to drive big vendors on TCG and 802.1X
- Will have more IP devices, no vendor at all, including CSCO, MSFT, that will give us what we need

Audience:
Qn: focus on LAN and enterprise network, WiFi LANs, services networks etc
Federated model with common security model, tying in all the items, e.g. DS_69 on DSL forum, is important. Standards from wide area, to LAN to core etc.

Is there integrated architecture, for LAN, WAN, Service Provider etc?

Paul Sangster

- Don’t want different infrastructure for all – how to come up with extensible portion across all networks
- Access points for WiFi to talk to RADIUS
- Maybe not needed for LAN over cable
- Backends need common infrastructure – TNC identity all common areas
- Have laid down protocols for bottom layer for some areas already
- Pushing that TNC can cover it all as a high-level infrastructure

Sean Convery

- When we say appliance, means different things to different people
- Goal of IDE is to work with different types of devices
- E.g. FW, switch etc
- Aggregation to get all these things talking
- RADIUS got us on 99% of access decision today
- Some disagreement – position – rich decision made in one place is good, but also want consistent set of entitlements in terms of what you’re allowed on
- But can only do that with standards - so there is limitation
- Even insertion of a device everywhere is close to rip and replace

Sanjay Uppal

- NAC is not limited to LAN
- Disagreement – their device can check local area network and wide area
- Perimeter is disappearing but they are appearing elsewhere
- It is not just LAN, but also where users are coming in from

Jeff Prince

- No reason why they can’t span LAN and WAN
- Once solve problems for LAN, then can solve problems for WAN and other places as well

Audience – TNT

- Practitioners here – don’t wait. Even TCG/TNC will take time
- There are problems now, and people are buying equipment that the vendors are buying
- Forward thinking folks don’t care and will solve the problem now
- ‘Who is buying the stuff now’
- What position, what problem solving

Jeff:

- Customers are driven by compliance – PCI compliance in 3 weeks
- Passed audit within 3 weeks
- Regulated folks – HIPAA, PCI, SOX – folks with corporate assets on LAN
- Prove have clamped data need now
- Compliance is not done yet (still real today)

Sanjay:

- 1. There is a compliance push out there
- No one is making be-all and end-all of compliance solution
- Have one, pass all, no compliance in a box today
- Can implement these much quicker
- 2. Business enablement – e.g. outsourcing, make sure people only get access to specific areas. Not security value-prop, but business value-prop
- 3. Risk management – ID theft, laptops getting stolen, CIOs want to lock down sensitive information, criminal or other records
- Identity-based NAC to deal with that

Sean:

- Biggest problem – contractors, guests, visitors – that we are solving right now
- Keeps customer excited longer term
- Flexibility of policy
- Organizations have directories all over – really useful information – meaningful access decision
- E.g. Library at university that wanted low QoS for overdue customers

Paul:

- Apply political approach
- He is a standards person
- TNC – no standard, but people have standards-compliant products?
- Going out and taking RADIUS and using it
- Using EAP and if doing 802.1X, already have it
- TLS, IPsec, doing standards over
- Have to have a common way do the same thing, protocol standards already exist

Jon: 7 minutes left – Lightning Round

Audience: so, who is the buyer?

Jeff:

- Security is champion, but the network ops guy is the one buying

Sanjay:

- Security guy signoff
- app guy if app resource, or networking guy if network resource

Sean:

- network and security guys

Paul:

- same

Papa Gino’s – audience, Chris Cahalin, Network Manager
Qn: $ spent towards unified standards is $ saved

-TPM already exists on laptops – march 2005 – have been using it
- Facilitates business
- Backs TCG
- Extends end-point analysis, can you trust the response you’re getting
- In deployment today
- Appreciates open standards

Jon: closing thoughts

Paul:

- too many NAC, tell vendors that want one open solution, can start today
- Built on things already deployed

Sean:

- Can start today
- Things that you can do that don’t require TPM or OTP
- User names and passwords insufficient is not reason
- Diagnostics etc are more significant

Sanjay:

- Enterprises with business problem today – they have solution
- Audience in IdM space – combination will get there

Jeff:

- Clear alternatives to CSCO
- Get to secure LAN today with them
- Give them opportunity and show value

DIDW: Network Access Control Case Studies

Tuesday, September 12th, 2006

Jeff Williams, California State Association of Counties -

Nonprofit advocate for California’s 58 counties.

Represent before lawmakers, agencies and federal government, counties range from 1200 to 10 million people.

Multiple constituencies: Legislators, employees, counties, residents. All want high degree of service and integrity. Very keen on knowing who has access to our network.

State government entities are the 2nd most often targeted in attacks (behind financial services) - Open and easily accessible information is often part of our mission.

Wanted to protect servers and applications from unknown users

Grant appropriate access to specified users/machines

Reporting and auditing for state compliance

IT must be responsive with limited staff

Integrity and credibility of CSAC at risk

Risk to counties’ agenda and well-being

Solution considerations:

Firewalls - identity blind, no machine auth, limited auditing, complex config
Chose instead - identity management and network access control appliance and software

Deployed TNT: Simple implementation, met objectives, unalterable user and computer identity into network traffic, grant or deny access to specific information resources based on identities. Simple tool to configure, set policies, and report all activity. It was installed in one day.

Really liked the reporting capabilities. See status at a glance

Results:

-Identity enabled infrastructure provided full view of user and endpoint behavior
-Led to rapid, straightforward and effective access control policy decision
-Protected the critical state information records from data breaches
-Ensured confidentiality of communication within state government and counties
-Provided full audit to address regulations

Q&A:

What is the scale of this deployment?

We represent the counties from a legislative standpoint but they didn’t deploy this. We deployed this for our employees only.

** Second Case Study

Roman Lessnow (sp) - Security Manager Wellstar (Atlanta, GA)

600,000 customers
10,000 employees
Five hospitals
Urgent care centers
etc.

Implemented Information Technology Infrastructure Library (ITIL)

Very small IT staff, wanted network plug and play, granular access control, transparent user experience

We use LDAP, needs to work with that. Novell eDirectory, moving to LDAP

Environment:

Windows, Linux, HPUX, 475 devices with SSH/Telnet, also looking to control devices, pumps, monitors and other SSH or telnet supported devices for vendor access

Wanted authorization based. More access internally than remote. Needed to set the policy directly and enforce it on the engines within the device.

Easy management: Vendor logs in to update one of their devices onsite, we want to check that their system is clean before they are granted access.

View log data, etc.

Chose Caymas Appliance. Policies can be updated real time, users cannot view / discover unauthorized resources, full log and audit, no user training required.

We provide the vendor access, meet the requirements of our mobile employees, deal with a heterogeneous environment, etc.

Can do policies via LDAP or locally on the box.
