
Start-up sets stage for tighter security

Jul 21, 2003
Authentication, Identity Management Solutions, Network Security

Offering designed to block unauthorized network sessions before they start.

Start-up Trusted Network Technologies is preparing an upgrade to its unique authentication and access-control offering that could prompt businesses to rethink their use of firewalls.

TNT’s Identity consists of an agent called I-Host that runs on PCs and servers, an appliance called I-Gateway that enforces authentication and access policies, and software dubbed I-Manager with which administrators set access policies.

Identity works by setting and enforcing policies that link users to network assets. I-Host embeds in each packet a unique identifier based on users’ identities and the identity of the machine being used. I-Gateway sits on the network in the traffic stream, reads the identifiers and enforces policies to allow or deny sessions as they are requested. I-Manager is browser-based software with a graphical user interface for setting policies and managing and gathering activity audits.

All this is done within standard TCP/IP packets without adding overhead or altering network infrastructure, the company says.

An I-Gateway placed in front of a firewall can block unauthorized traffic before it reaches the firewall, says TNT CTO David Shay.

The University of Georgia College of Pharmacy in Athens is considering Identity to protect key administration applications in its network, says John Anderson, management information specialist. The two-factor identification tied to a specific person and a specific machine is potentially less vulnerable to spoofing attempts than a firewall, Anderson says. IP addresses are susceptible to spoofing if a hacker within an organization puts a legitimate IP address on a nearby machine on the same network to exploit internal firewalls, he says.

He is concerned that the Identity system is vulnerable to session hijacking, in which a hacker takes over an established session after I-Gateway has let it be set up.

Shay says I-Host monitors the state of established sessions to prevent hijacking.

I-Gateway also protects networks from hackers by dropping the unauthorized session requests they use to probe networks, says TNT CEO Steve Gant. When hackers get no response, they interpret that as having probed an empty network segment, says Gant, a former vice president at Internet Security Systems.
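As an added illustration (not TNT's code; the article does not publish the Identity wire format or policy language), a Python model of the enforcement behaviour described above: a gateway that binds a (user, machine) identity tag to the assets that pair may reach, silently drops unauthorized session requests, and drops mid-session packets whose identity tag differs from the one that opened the session. The packet fields, names and policy are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed model: each packet carries an identity tag (user, machine),
# standing in for the per-packet identifier the article says I-Host embeds.
# The real format is unpublished, so these fields are hypothetical.
@dataclass(frozen=True)
class Packet:
    src: str           # source IP address
    dst: str           # destination asset name
    dport: int         # destination port
    user: str          # identity tag: user
    machine: str       # identity tag: machine the user is on
    syn: bool = False  # True for a new session request

@dataclass
class Gateway:
    # policy: (user, machine) -> set of (asset, port) that pair may reach
    policy: dict
    # established sessions: (src, dst, dport) -> identity that opened it
    sessions: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def handle(self, pkt: Packet) -> str:
        """Return 'allow' or 'drop'. Drops are silent (no RST, no ICMP), so a
        probe gets the same nothing it would get from an empty segment."""
        ident = (pkt.user, pkt.machine)
        key = (pkt.src, pkt.dst, pkt.dport)
        if pkt.syn:
            if (pkt.dst, pkt.dport) not in self.policy.get(ident, set()):
                self.audit.append(("drop-unauthorized", key, ident))
                return "drop"
            self.sessions[key] = ident
            self.audit.append(("allow-new", key, ident))
            return "allow"
        # Mid-session packet: the identity must match the one that opened the
        # session; a packet injected into it under another identity is dropped.
        opener = self.sessions.get(key)
        if opener is None or opener != ident:
            self.audit.append(("drop-session-mismatch", key, ident))
            return "drop"
        return "allow"

def demo() -> list:
    """Constructed walk-through: one authorized user, one unauthorized one."""
    gw = Gateway(policy={("alice", "ws-pharm-01"): {("admin-app", 443)}})
    r1 = gw.handle(Packet("10.0.0.5", "admin-app", 443, "alice", "ws-pharm-01", syn=True))
    r2 = gw.handle(Packet("10.0.0.5", "admin-app", 443, "alice", "ws-pharm-01"))
    # Same source IP reused from another box: the IP alone is not the credential.
    r3 = gw.handle(Packet("10.0.0.5", "admin-app", 443, "bob", "other-box"))
    r4 = gw.handle(Packet("10.0.0.9", "admin-app", 22, "bob", "other-box", syn=True))
    return [r1, r2, r3, r4]
```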

“They play within the world of TCP/IP to do some subtle tweaks to make your network invisible to hackers,” says Dan Keldsen, director of IS at consulting firm Delphi Group. He says he knows of no other commercial security products that do what TNT says Identity does.

“To a certain extent, you have to take their word for what they do,” he says, because the company won’t fully explain how its technology works while it applies for patents.

Gant says the current Identity gear protects data at rest, but the next version also will protect data as it is being transported.

So end devices running I-Host could establish a secure session between themselves without an intervening I-Gateway and choose from standard methods for encrypting the session, Shay says. “I’m talking about an open infrastructure supporting end-to-end [privacy] and individualization of their own tunnels. . . . No more VPN gateways,” he says.

Identity appliances come in two versions, supporting 10/100 Ethernet for $9,000 and Gigabit Ethernet for $20,000. Per-user costs are extra.