Identity Engines Ignition Server
REVIEWED BY SANDRA KAY MILLER
Price: Starts at $33,500
Identity Engines' Ignition Server manages access controls across disparate directory services platforms (Active Directory, LDAP, eDirectory) by consolidating them into a single user store. Deployed as an alternative to RADIUS, the appliance includes a comprehensive policy engine to use with multiple access control devices (wireless access points, switches, firewalls, VPNs) throughout a heterogeneous enterprise.
There are three major aspects of the Ignition Server: networked devices (authenticators), user stores (directory services) and policies.
Authenticators--devices attached to the network--can be bundled by subnet to facilitate large installations. They can be managed according to several attributes, including service categories--groups of authenticators to which policies are applied. Adding authenticators was the same as with RADIUS: Provide a name, IP and shared secret. Service category, device type (wired, wireless, VPN) and vendor are added the same way.
Ignition Server automatically connected to AD once we entered the domain name, service account name and password, and to LDAP using the service account domain name, password, IP address and port number. We could create fall-through rules across multiple directory services for a variety of situations (for example, check AD first to authenticate a VPN user, then LDAP).
Authentication policy determines the tunnel protocols, credentials and ciphers for communication between the supplicant, Ignition Server and directory services.
An identity routing policy traverses directory services during authentication, determining which user store to apply based on the user's network domain or what device is making the authentication request.
The authorization policy controls access according to the user account.
Ignition Server supports strong authentication, such as RSA SecurID and Secure Computing's SafeWord.
Security is solid. Built on a 64-bit hardened appliance running a stripped-down version of BSD, Ignition Server includes onboard IDS, a 256-bit AES encrypted file system, and protection against physical tampering.
Testing methodology: Ignition Server was deployed in place of the RADIUS server in our simulated enterprise network. It provided AAA services for our wired and wireless network access, as well as for a VPN.
This was first published in June 2007