2008 Best Deployment Scenario

 Identity-based Policy Enforcement


Current Threat: Nevis’ technology addresses the “dissolving network perimeter” problem. Now that organizations have to open up their internal networks to guests, contractors, business partners, mobile employees, and unmanaged endpoints, the entire network is becoming the new DMZ. Nevis’ LANenforcer solution secures the fabric of the network, acting as an in-network security policy enforcement system. Once a user connects to the network, Nevis applies the policies defined for that class of user: it controls access to the network and other systems, prevents the spread of malware from the connected client, and verifies that the system and its desktop security software are compliant.


Tomorrow's Technology Today - Network Security Solution

Tomorrow's Technology Today: Nevis Networks is a leader in providing network security policy enforcement solutions that protect the internal core network from threats arising from endpoint systems, whether internal or unmanaged external systems. Nevis’ line of secure switches and appliances, LANenforcer, employs a four-pronged approach to managing endpoint risk, securing network access and containing malware, including:

  • Endpoint validation: pre-connect and post-connect authentication of the user and system to ensure the health and compliance of the system’s operating environment, effectively isolating viruses and worms from the internal network;
  • Identity-based access control: ensuring that specified user groups and roles are constrained within the internal network to only specific systems and applications;
  • Threat containment: going beyond checking that anti-virus signatures are up to date, Nevis uses deep packet inspection algorithms, including behavioral, protocol and traffic anomaly detection, to detect and block zero-day attacks as they cross the network;
  • User activity monitoring: keeping a detailed audit trail of which users accessed which resources and systems for regulatory and compliance purposes.

The Nevis LANenforcer offers the following key features and attributes:

  • In-line Appliance: Nevis is an in-line appliance, meaning that it analyzes the live network stream, so it is in a position to enforce policy by dropping malicious packets and preventing the spread of malware within microseconds.
  • Identity-based Policy Enforcement: Nevis builds identity-awareness into its security policy enforcement to easily map user and group-based policies into the network. This simplifies administration and reporting tasks, especially policy changes due to user adds, changes, and moves.
  • Maximum Performance: Nevis detects threats without slowing down the network, performing deep packet analysis at wire speed (10Gbps) with its custom ASIC architecture.
  • Effective Containment: As a high-performance, in-line solution, Nevis can filter malicious packets out of a user’s traffic without impacting valid activity, reducing the adverse impact of remediation and false positives.
  • Event Correlation: The ability to correlate events across devices and across the network provides further analysis to detect threats.

LANenforcer is essentially a secure switch or network appliance to enforce identity-based policies in the network. It is a highly scalable solution that integrates Network Access Control capability with IPS and identity firewall functionality for holistic LAN security.

Let’s compare a Nevis-based approach to network security to alternative approaches:
Using non-secure switches, organizations are forced to secure the perimeter of their non-secure network from the outside, even though more than 50% of security losses are attributed to malicious internal attackers. This problem is exacerbated by the myriad of external, untrusted users that now require access to the corporate LAN, including employees who bring their own mobile PCs and smart phones.

In order to secure critical data and systems inside the network, organizations deploy a complex infrastructure of firewalls to create semi-secure LAN segments, or they harden the servers against all the insecure network traffic they have allowed to be unleashed. This hodgepodge of network security infrastructure has become increasingly unmanageable because it cannot adapt to change, and it does not scale as the number of people, applications and systems grows, since each addition requires more complex security policies and more administrative overhead.

By using a secure switch, the network fabric itself becomes secure, removing the need to apply perimeter security devices in an attempt to secure the internal LAN. Rather than passing through every packet, as a non-secure switch would, the Nevis LANenforcer secure switch analyzes the packet to see who sent it, where it is going, and whether the organization’s policy permits that user to communicate with that destination. Traffic that does not conform is dropped immediately.
If the traffic is allowed between a legitimate user and destination, it is then analyzed for suspicious activity using all available techniques: signatures of previously identified viruses and worms, behavior outside the expected patterns for the protocol in use, and abnormal traffic patterns that could indicate malicious activity. Network traffic that does not conform to the pre-defined security policy is dropped, thwarting attacks in the network before they reach the susceptible host systems or other end users.

This type of in-network security can mitigate a wide range of attacks that host-based security on the server cannot prevent, such as denial-of-service attacks in which attackers flood the server with access requests to shut the system down. Halting the packets in the network offloads this defense from the mission-critical server itself and keeps it running. Similarly, if unauthorized packets are halted in the network, vulnerable servers cannot even be probed by unauthorized users for open ports, services or back-door entries.

Now let’s compare the Nevis LANenforcer to other network security solutions that do not have the critical feature of being “identity-aware”:

Other network security appliances, such as firewalls and intrusion prevention systems, also inspect network packets. However, none of these systems by itself associates a network packet with a particular user’s identity. Network packets carry the addresses of the source and destination machines, not the user’s identity, so low-level security devices have never supported this notion; the identity has to be learned at authentication time and bound to the endpoint’s address. Unfortunately, network security policies that arise from business process, risk-management or compliance requirements are assigned to individuals or groups of users. User identity is fundamental to understanding and enforcing a security policy in the network even though that information is not included in the packet itself. As a result, firewalls and IPS systems are very limited in their ability to truly reflect the security policies developed by the organization, and in detecting the wide range of threats where the user identity provides clues to the intent of the transmission.
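The processing pipeline described above (bind a user to the endpoint at authentication time, check the user's group against policy before anything else, then run signature and anomaly checks, and record every decision for audit) can be shown end to end in a few dozen lines. The following is an added illustration written for this page, not Nevis code and not a description of how LANenforcer is implemented internally. The policy table, user names, addresses, payload signatures and the per-flow packet limit are all constructed for the example; in particular, binding identity to a source IP address is a simplification, since a switch enforcing at the port can key the binding on the physical port as well.

```python
"""Identity-aware in-line policy enforcement: a simplified, constructed example."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes = b""


@dataclass
class Session:
    user: str
    group: str
    posture_ok: bool  # outcome of the pre-connect endpoint health check


# Constructed policy: group -> list of (destination network, allowed port or None for any).
# A host that failed posture validation is treated as group "quarantine".
POLICY: Dict[str, List[Tuple[str, Optional[int]]]] = {
    "engineering": [("10.0.0.0/8", None)],      # whole internal network
    "contractor": [("10.10.20.0/24", 443)],     # one application segment, HTTPS only
    "quarantine": [("10.10.99.5/32", 443)],     # remediation server only
}

# Constructed payload signatures standing in for an IPS signature set.
SIGNATURES = [rb"/etc/passwd", rb"\x90{16}"]


class LANEnforcer:
    def __init__(self, policy=POLICY, signatures=SIGNATURES, rate_limit: int = 20):
        self.policy = {
            group: [(ipaddress.ip_network(net), port) for net, port in rules]
            for group, rules in policy.items()
        }
        self.signatures = [re.compile(s) for s in signatures]
        self.rate_limit = rate_limit  # max packets per (src, dst, port) flow; a stand-in for anomaly detection
        self.sessions: Dict[str, Session] = {}
        self.flow_counts: Dict[Tuple[str, str, int], int] = {}
        self.audit: List[str] = []

    def authenticate(self, ip: str, user: str, group: str, posture_ok: bool) -> None:
        """Bind an identity to a source address; this is the only place identity enters,
        because the packets themselves carry no user information."""
        self.sessions[ip] = Session(user, group, posture_ok)
        self.audit.append(f"AUTH src={ip} user={user} group={group} posture_ok={posture_ok}")

    def _policy_allows(self, group: str, pkt: Packet) -> bool:
        dst = ipaddress.ip_address(pkt.dst_ip)
        return any(dst in net and port in (None, pkt.dst_port)
                   for net, port in self.policy.get(group, []))

    def _flooding(self, pkt: Packet) -> bool:
        key = (pkt.src_ip, pkt.dst_ip, pkt.dst_port)
        self.flow_counts[key] = self.flow_counts.get(key, 0) + 1
        return self.flow_counts[key] > self.rate_limit

    def process(self, pkt: Packet) -> str:
        """Return "FORWARD" or "DROP:<reason>". Identity and policy are checked before
        any payload inspection, so an unauthorized host cannot even probe a server."""
        sess = self.sessions.get(pkt.src_ip)
        if sess is None:
            verdict, who = "DROP:unauthenticated", "-"
        else:
            who = sess.user
            group = sess.group if sess.posture_ok else "quarantine"
            if not self._policy_allows(group, pkt):
                verdict = "DROP:policy"
            elif any(sig.search(pkt.payload) for sig in self.signatures):
                verdict = "DROP:signature"
            elif self._flooding(pkt):
                verdict = "DROP:rate"
            else:
                verdict = "FORWARD"
        self.audit.append(f"{verdict} user={who} src={pkt.src_ip} dst={pkt.dst_ip}:{pkt.dst_port}")
        return verdict


def demo() -> Dict[str, object]:
    """Run constructed traffic through the enforcer and return the verdicts."""
    enf = LANEnforcer()
    enf.authenticate("10.1.1.5", "alice", "engineering", posture_ok=True)
    enf.authenticate("10.1.1.6", "bob", "contractor", posture_ok=True)
    enf.authenticate("10.1.1.7", "carol", "engineering", posture_ok=False)
    # 10.1.1.8 never authenticates.
    verdicts: Dict[str, object] = {
        "alice_app": enf.process(Packet("10.1.1.5", "10.10.20.7", 443)),
        "bob_app": enf.process(Packet("10.1.1.6", "10.10.20.7", 443)),
        "bob_ssh_other_segment": enf.process(Packet("10.1.1.6", "10.10.30.7", 22)),
        "carol_app_while_quarantined": enf.process(Packet("10.1.1.7", "10.10.20.7", 443)),
        "carol_remediation": enf.process(Packet("10.1.1.7", "10.10.99.5", 443)),
        "unauthenticated_probe": enf.process(Packet("10.1.1.8", "10.10.20.7", 443)),
        "alice_traversal": enf.process(
            Packet("10.1.1.5", "10.10.20.7", 80, b"GET /../../etc/passwd HTTP/1.1")),
    }
    # 30 packets in one flow against a 20-packet limit: the last 10 are dropped.
    flood = [enf.process(Packet("10.1.1.5", "10.10.20.7", 8443)) for _ in range(30)]
    verdicts["flood_dropped"] = flood.count("DROP:rate")
    verdicts["audit_lines"] = len(enf.audit)
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The ordering of the checks is the point: the contractor's probe of a second segment and the unauthenticated host's request are dropped on policy alone, before any payload is looked at, which is what the page means when it says unauthorized users cannot even probe a server for open ports. The quarantined host keeps reaching the remediation server, and every decision, including the authentication binding itself, lands in the audit list for later compliance reporting.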

Conclusion: Nevis offers customers a solution to effectively secure the fabric of their network from the risks of unmanaged endpoints, mobile users, and untrusted systems. It offers a tangible ROI in terms of easing network security implementations and administration by enforcing identity-based access policies at network speeds.

Nevis Network, Inc.
295 Bernardo Ave., Suite 100
Mountain View, CA 94043 USA
Tel: 1-650-254-2500