Mountain View, Calif. – July 30, 2007 – Nevis Networks, a market leader in identity-based policy enforcement solutions that control network access and secure sensitive resources, today announced a new secure “Cloaking” capability that enables security administrators to completely mask key network resources from specific users and user groups. By making network servers and application resources “invisible” to unauthorized users, Nevis’ new cloaking technology prevents unauthorized users from launching a range of malicious attacks, including denial of service (DoS), password cracking, and probing for open ports and vulnerabilities. The new functionality represents a new network security best practice that’s like moving from locking your door to making the door completely invisible to potential attackers (so they can’t kick the door down, try to break the lock, or make a duplicate key).
“An area of growing interest in the nascent NAC market is identity-based access control, particularly for guest users,” said Lawrence Orans, research director, Gartner. “A key challenge for the industry is whether identity-based policy enforcement can be effectively extended to a broader set of devices, such as application servers, and user groups as a means of implementing better network access control.”
“Even though the ‘NAC’ market is still in its very early stages, we’ve already seen an evolution from ‘admission control’ to ‘access control’,” said Joe Luciano, CEO, AccessIT Group, headquartered in King of Prussia, PA. “What we’re hearing from customers is a desire to go a step further, where strategic network resources are completely masked from users in the first place. That’s what makes Nevis’ cloaking technology so compelling.”
Cloaking Policies are Based on User Identity
Nevis’ new cloaking technology is built on the foundation of its LANenforcer identity-based security appliance, which associates network packets with unique user IDs and the user’s group affiliation. This allows cloaking and access policies to be defined in simple, easy-to-manage rules aligned with organizational group definitions. For example, a user within an organization’s engineering department can be prevented from sending/receiving traffic to or from an HR application server. Unlike other access control technologies, it doesn’t matter where the engineering user accesses the network from, or how the LAN is segmented, or what workstation he uses. The policy for his role is enforced everywhere in the network. Unauthorized packets are dropped before ever reaching their destination, removing the need for mission-critical servers and applications to defend themselves from potential intruders, who can still overwhelm systems with attack attempts.
Cloaking represents a quantum leap over prior access control techniques, such as LAN segmentation with internal firewalls, because the policies are much more manageable, largely being defined from an existing directory of user and group definitions such as Active Directory, without the need for additional expensive high-bandwidth security devices. Cloaking is also superior to application-level security, which resides on the endpoint server itself, exposing the host to multiple attack scenarios. Cloaking specifically prevents an emerging hacking technique that uses network resources as “jump stations” to launch attacks or gain access to sensitive company data.
“By preventing key network resources from being visible to unauthorized users in the first place, Nevis’ cloaking feature provides us with a superior security model and obviates multiple layers of security at various points in the network,” said Jeff Dorsz, telecommunications and network security manager with South Orange County Community College District. “One of the keys to resource cloaking is that it’s available as an ‘out-of-the-box’ capability that integrates with existing identity-based policy stores. As a result, LANenforcer configuration efforts are minimal.”
Granular and Efficient Policy Enforcement
Because the LANenforcer deploys cloaking from the vantage point of a high-performance, in-line security appliance, access policies can be designed to be extremely granular, down to a particular application or specific server. This is a big advantage over the traditional VLAN approach, where LAN segments are large, include a large number of systems, and offer only an “all or nothing” approach to contain users. Cloaking is thus an effective complement to existing VLANs when more granular access controls are required, and when the policies that are to be enforced are based on organizational divisions or group definitions. Administrators can also update policies “on the fly” with immediate effect, unlike VLANs or endpoint access control, which require users to log out and log back in before changes take effect. Cloaking can thus be much more effective in stopping attacks in progress with an instantaneous change in policy.
About Nevis Networks
Nevis Networks is a market leader in secure switching and identity-based policy enforcement appliances. The company’s LANenforcer product family transparently enforces identity-based policies in real time within the network fabric, tightly controlling who can access a company’s network and what resources they are permitted to use. Cross-industry customers, including financial services, healthcare, education and defense contractors, deploy Nevis LANenforcers to protect sensitive network resources and assets, and significantly reduce the overall costs and time to resolve security breaches and conduct network audits. The company is headquartered in Mountain View, CA, with additional R&D centers in Pune, India and Beijing, China.