Product review: Identity Engines' Ignition Server - Information Security Magazine

Product review: Identity Engines' Ignition Server

IDENTITY MANAGEMENT


Identity Engines Ignition Server
REVIEWED BY SANDRA KAY MILLER

Identity Engines
Price: Starts at $33,500

@exb

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.
@exe

Identity Engines' Ignition Server manages access controls across disparate directory services platforms (Active Directory, LDAP, eDirectory) by consolidating them into a single user store. Deployed as an alternative to RADIUS, the appliance includes a comprehensive policy engine to use with multiple access control devices (wireless access points, switches, firewalls, VPNs) throughout a heterogeneous enterprise.


Configuration/ManagementB+  
Because of well-written documentation, we completed basic network installation in minutes. But that's where simplicity ends. Users must have an extensive knowledge of authentication protocols, directory structures, virtual provisioning and certificate management to take full advantage of the Ignition Server's features.

There are three major aspects of the Ignition Server: networked devices (authenticators), user stores (directory services) and policies.

Authenticators--devices attached to the network--can be bundled by subnet to facilitate large installations. They can be managed according to several attributes, including service categories--groups of authenticators to which policies are applied. Adding authenticators was the same as with RADIUS: Provide a name, IP and shared secret. Service category, device type (wired, wireless, VPN) and vendor are added the same way.

Ignition Server automatically connected to AD once we entered the domain name, service account name and password, and to LDAP using the service account domain name, password, IP address and port number. We could create fall-through rules across multiple directory services for a variety of situations (for example, check AD first to authenticate a VPN user, then LDAP).


Policy ControlA  
The Ignition Server is really a policy engine that speaks RADIUS. It does everything a RADIUS server would do, but it's the policy engine that sets it apart. We liked how multiple authenticators are tied together into a single service category to which three different policies--authentication, identity routing and authorization--can be easily configured and applied.

Authentication policy determines the tunnel protocols, credentials and ciphers for communication between the supplicant, Ignition Server and directory services.

An identity routing policy traverses directory services during authentication, determining which user store to apply based on the user's network domain or what device is making the authentication request.

The authorization policy controls access according to the user account.


EffectivenessA  
We authenticated users to specific devices, such as wireless access points, and assigned a common policy using credentials from two directory services (AD, LDAP).

Ignition Server supports strong authentication, such as RSA SecurID and Secure Computing's SafeWord.

Security is solid. Built on a 64-bit hardened appliance running a stripped-down version of BSD, security features include onboard IDS, 256-bit AES encrypted file system, and protection against physical tampering.


ReportingC  
This is Ignition Server's biggest shortcoming. While real-time statistics and logging are available, the logs could only be exported hourly, daily or weekly--nothing customized or on-demand. We'd welcome the ability to export the statistics displayed in the individual tabs.


Verdict
Organizations that need a unified policy engine to control network access using multiple authentication systems will be able to justify Ignition Server's price tag.


Testing methodology: Ignition Server was deployed in place of the RADIUS server in our simulated enterprise network. It provided AAA services for our wired and wireless network access, as well as for a VPN.

This was first published in June 2007