QUICK, SECURE ACCESS
Posted March 22, 2002 01:01 PM Pacific Time
http://www.infoworld.com/articles/ne/xml/02/03/25/020325neneo.xml
PROVIDING REMOTE ACCESS to partners and employees is
necessary in today's distributed business environment.
Employees want to work from home or at least to have
access to their e-mail accounts when traveling. For the
sales team and its partners, access to customer
databases or inventory levels is critical. To date,
however, setting up secure, easy-to-use remote access
has proved complex, costly, and unreliable. And with
many of today's remote access solutions, once users
gain access, they have complete access to the network.
The only protection remaining is whatever access
control the host or application itself enforces.
Neoteris is attempting to relieve these headaches with
its IVE (Instant Virtual Extranet), a stand-alone
appliance that provides secure remote access with
granular access control and is a snap to set up,
earning a Deploy score in our tests.
The IVE essentially acts as a proxy. Users connect to
the appliance using SSL (Secure Sockets Layer) through
any standard Web browser. No specialized client-side
software is required. The IVE translates content
dynamically using its Content Intermediation Engine.
Via IVE, users can access corporate intranet sites,
Web applications, Windows and NFS (Network File
System) file shares, and e-mail accounts based on
standards such as POP3 and IMAP (Internet Message
Access Protocol).
IVE comes in two flavors, EmployeeAccess and
PartnerAccess. The main difference between the two is
that PartnerAccess, the version we reviewed, provides
granular access control management, including the use
of groups, resource-level access control, and source
IP restrictions.
Administrators configure user accounts that
authenticate to the IVE to gain access. Neoteris
provides an internal database that can be used for
authentication, although the solution also supports
other authentication methods, such as LDAP, RADIUS
(Remote Authentication Dial-In User Service), NT
Domain, NIS (Network Information Service), and Active
Directory. Administrators can also import users, which
saves them from having to re-create substantial user
lists.
Once the users have been defined, administrators can
create groups to help define access policies. Each
group can be configured according to its access
requirements. For example, the sales team needs access
to the customer database, but the engineering team
does not. The engineering team needs access to the
file share containing code, but the sales team does
not. IVE makes simple work of setting up these
policies and enforcing them through groups.
When defining access control policies, administrators
have a fair level of granularity. They can either
default to an open system that allows users to access
anything except that which is specifically denied, or
vice versa, denying access to everything except that
which is specifically allowed.
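The group-based policy model described above, with the sales and engineering example and the open-versus-deny-by-default choice, as an added illustration (hypothetical code written for this article, not Neoteris' configuration format; resource names, users and the 10.0.0.0/8 "corporate" network are constructed sample data):

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed model of group-based resource policy in the style the review
# describes (hypothetical; not the IVE's real configuration format).
@dataclass
class Rule:
    group: str
    resource: str            # e.g. "db://customers" or "smb://build/src"
    allow: bool
    source_nets: tuple = ()  # optional source-IP restriction, e.g. ("10.0.0.0/8",)

    def matches(self, groups, resource, src_ip):
        """True when the rule applies to this request (group, resource, source IP)."""
        if self.group not in groups or self.resource != resource:
            return False
        if self.source_nets:
            return any(ip_address(src_ip) in ip_network(n) for n in self.source_nets)
        return True

@dataclass
class Policy:
    default_allow: bool                          # open system vs. deny-by-default
    members: dict = field(default_factory=dict)  # user -> set of groups
    rules: list = field(default_factory=list)

    def decide(self, user, resource, src_ip):
        """Explicit deny wins, then explicit allow, otherwise the policy default."""
        groups = self.members.get(user, set())
        hits = [r for r in self.rules if r.matches(groups, resource, src_ip)]
        if any(not r.allow for r in hits):
            return False
        if any(r.allow for r in hits):
            return True
        return self.default_allow

def build_policy(default_allow):
    """Sales may use the customer database; engineering may use the code share,
    but only from the corporate network (constructed sample data)."""
    return Policy(
        default_allow=default_allow,
        members={"alice": {"sales"}, "bob": {"engineering"}},
        rules=[
            Rule("sales", "db://customers", allow=True),
            Rule("engineering", "smb://build/src", allow=True, source_nets=("10.0.0.0/8",)),
            Rule("sales", "smb://build/src", allow=False),
        ],
    )
# Note: in the open system (default_allow=True) bob reaches db://customers with no
# allow rule at all, and the source-IP restriction on his allow rule restricts nothing.
```

The same rule set behaves very differently in the two modes: only the deny-by-default policy actually confines each group to the resources it was granted.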
One of the best features we saw was the extensive
logging capabilities. The IVE appliance logs every
action every user makes. Administrators can quickly
see who logged in to the system and from what IP
address, what actions they performed while logged in,
what administrative configuration changes have been
made, and so forth.
Setup was a breeze: We were up and running in 30
minutes. Out of the box, we connected to the IVE
through a console to set the initial IP address and
administrator account. We also had to define a NAT
(Network Address Translation) rule in our firewall
allowing access to the IVE appliance through ports 443
(SSL), 465 (S-SMTP), and 995 (S-POP). After that,
everything was configured through the GUI. We created
several users, some using local database
authentication and some using Active Directory
authentication. We also created two groups -- sales and
engineering -- and populated them with a few of our
users.
We created bookmarks, defined file shares and Web sites
that users could access, and tested to make sure the
IVE properly enforced our security policy. With the
device translating all of our communications, we were
concerned about latency, but we did not notice any
discernible delay during testing.
The IVE e-mail proxy could use some improvement.
Currently, the device supports only standards-based
e-mail servers; native Exchange Server setups cannot
be proxied through IVE. Organizations must use POP3 or
IMAP if users want to use an e-mail client to check
their e-mail. For Exchange or Lotus Notes users, this
means enabling POP3/IMAP/SMTP. For Exchange users,
Microsoft's Outlook Web Access is always an option,
and it works exceptionally well through the IVE's
browser feature. Additionally, the Netscape mail
client cannot be used to check e-mail through a POP
(Post Office Protocol) server because it does not
support S-POP.
Neoteris provides an excellent option for creating a
secure remote access solution that provides
administrators with the ability to control remote
access to specific resources, a much-needed approach
in today's distributed environment. Improved e-mail
and Java functionality as well as the addition of
shell access (all planned for the next release) will
greatly enhance this product's capabilities and will
further increase its value for the enterprise.