Edge-Security: Identity Management and Access Management are handled at the edge of your network, or within it, so sensitive data never travels over the Internet.
Who should consider Edge-Security
- Any company with more than 2,000 employees should consider Edge-Security as an option.
- If you have more than 100 clients (access points) in your network.
- If you have more than 10 locations that you want to secure.
- If your employees have different access needs and more than 50 different variations of access controls (profiles) are required.
- If you want to apply company policies to groups of objects.
- If your network is built in layers, where the innermost layer is more secure than the outer layers.
- If you require more than two types of MFA (multi-factor authentication) for your user base.
- If you need direct access to the database rather than going through a GUI.
- If you do not want your network configuration data to leave your network, for security reasons.
- If you want to generate your own custom reports from the raw database.
- If you want to run your own scripts against the security database to streamline bulk data manipulation.
- If, in a multi-location environment, you want to manage security differently at each location.
- If you need to change the access policies of many objects in real time.
Edge Security Architecture
- Your network architecture could be layered or flat
- In a layered network, the innermost layer is considered the most secure part of the network and the outermost layer is the DMZ (demilitarized zone). The entire network is protected by firewalls at the access points.
- In our security architecture, most of the security servers that have access to the security database reside in the innermost layer of the network.
- The one server type in our product line that requires Internet access has no database access and resides in the DMZ.
- There is no direct communication between the servers in the innermost layer (the safest part of the network) and the Internet.
- Only servers within the innermost layer communicate directly with one another.
- Communication between the innermost layer and the DMZ carries no sensitive data.
- Communication between the lower layers of the network and the DMZ is protected by TLS. When deploying this, insist on mutually authenticated TLS, so that the DMZ server must prove its identity to the inner servers and not only the other way around.
- In a simple (flat) network, the entire network is protected by firewalls at the entry points. All the security servers are kept inside the network, and the firewalls are configured so that the only server reachable from outside is the one type that holds no security database. All internal communication is carried over TLS.
Known Access Edge Security Product-Line
- Centralized Security Administration Controller (CSAC). The network security configuration is managed by the CSAC. Security administrators configure the access points, all users, authenticators and access control capabilities. In a multi-layered network this server type resides in the innermost (most secure) layer. All configuration management is centralized, and a backup CSAC in the network is supported.
- Remote Access Controller (RAC). When a user tries to access the network via a Virtual Private Network (VPN), PAM or any other method, the user's identity and access permissions are checked here. In a multi-layered network this server type resides in the innermost (most secure) layer.
- Key Distribution Controller (KDC). All security-related communication between the CSAC and the RACs goes through the KDC. Its main purpose is to prioritize the data and distribute it securely to the servers that need it. In a multi-layered network this server type resides in the innermost (most secure) layer. (This is the product's own component name; it is not the Kerberos Key Distribution Center.)
- Gateway Access Controller (GAC). The GAC communicates with the security servers in the secured part of the network over TLS and, on the other side, with the devices and services outside the network. In a multi-layered network this server type resides in the DMZ.
Identity Management & Supported Products
- Multi-factor authentication. We support many hardware-based, software-based, App-based and SMS-based multi-factor authentication (MFA) methods. (SMS delivery is the weakest of these: NIST SP 800-63B classifies SMS out-of-band authenticators as restricted, so prefer the App or a hardware authenticator wherever you can.)
- The Known Access App and SMS-based authentication use 7-digit tokens. The hardware authenticator (RSA SecurID) uses 6-digit tokens, and YubiKey 5 OTP produces a 44-character modhex string consisting of a 12-character public ID followed by the encrypted one-time password (the public ID identifies the key; it is not a cryptographic public key).
- User Authorization – The Known Access App provides a unique method for the user to self-authorize before authentication. It adds security and ease of use.
- Session Management – If a user provides only one factor (password only) during an authentication session, a token is issued securely to the user's App or to the user's phone via SMS. The token is valid only for the current session and cannot be used for a new session.
- Support for Biometrics – The Known Access App supports fingerprint-based and facial-recognition-based authentication.
- Integrated MFA Notification – The software lets you configure notifications of network access attempts to the user's App or email address.
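The 7-digit, single-session token described above can be built from the standard HOTP construction (RFC 4226). The block below is an added example written for this page; it is not Known Access code, and the page does not state the product's own algorithm. The HMAC-SHA1 truncation, the 30-second time step, the per-session key derivation, the replay floor and the sample key are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Added example, not the product's code. The page specifies only a 7-digit,
# single-session token; the construction below (RFC 4226 HOTP over a time step,
# with a per-session derived key) is an assumption chosen to illustrate that.

DIGITS = 7   # the App/SMS tokens on the page are 7 digits
STEP = 30    # assumed validity window per time step, in seconds


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def session_key(user_key: bytes, session_id: str) -> bytes:
    """Derive a key specific to one login session, so a token generated for
    session A verifies only against session A (assumed derivation)."""
    return hmac.new(user_key, session_id.encode(), hashlib.sha256).digest()


def session_token(user_key: bytes, session_id: str, now: float, step: int = STEP) -> str:
    """The token that would be sent to the user's App or phone for the current session."""
    return hotp(session_key(user_key, session_id), int(now // step))


class SessionVerifier:
    """Server side: accepts each token at most once, only within its time window."""

    def __init__(self, user_key: bytes, step: int = STEP, skew: int = 1):
        self.user_key = user_key
        self.step = step
        self.skew = skew              # adjacent steps tolerated for clock drift
        self.last_counter = {}        # session_id -> highest counter already accepted

    def verify(self, session_id: str, token: str, now: float) -> bool:
        key = session_key(self.user_key, session_id)
        counter = int(now // self.step)
        floor = self.last_counter.get(session_id, -1)
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c <= floor:            # at or before an accepted step: replay, reject
                continue
            if hmac.compare_digest(hotp(key, c), token):
                self.last_counter[session_id] = c
                return True
        return False


if __name__ == "__main__":
    user_key = b"0123456789abcdef0123"      # constructed sample key, never reuse
    t0 = 1_700_000_000.0
    token = session_token(user_key, "sess-A", t0)
    v = SessionVerifier(user_key)
    print(token, v.verify("sess-A", token, t0))   # accepted once
    print(v.verify("sess-A", token, t0))          # replay in the same session: rejected
    print(v.verify("sess-B", token, t0))          # same token against a new session: rejected
```

Binding the key to the session id is what makes "valid only for the current session" hold cryptographically rather than by bookkeeping alone: a token captured in one session is simply not a valid HOTP output for any other session's key.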
Access Management Highlights
- When a particular user can access the network.
- The access points from which users can access the network.
- Which authentication method (MFA) must be used to access the network from a particular network access point (NAS/RAS).
- Where users can go in the network once their identity has been fully established.
- Users can be required to use a particular multi-factor authentication method to access certain secured devices in the network.
- To manage multiple access points, network devices, users, authentication methods, different access permissions per user and so on, we provide simple software tools with which security administrators implement those policies.
- All network access points, users, permissions, etc. can be grouped so that a policy can be applied to the entire group.
- When a particular type of MFA (NacID, SecurID or YubiKey-OTP) is used, the other methods (NacPass App or SMS) can be configured to send notifications.
- Threats are detected by analyzing network security activity continuously in real time. All network access activity is logged with detailed information for analysis.
- Users can be flagged as suspicious and their activities monitored separately.
- Users who log in multiple times with incorrect credentials can be flagged and monitored.
- Multiple authentication requests arriving from unknown sources are logged and flagged.
- Invalid authentication requests arriving at a very high frequency from the same source or from multiple sources are detected and the administrators are notified.
- Changes in network connectivity are detected and reported.
- If corruption of the security database is detected, the security administrators are notified.
- To support detailed analysis of any security-related issue, all logs and audit records are made available to network security administrators.
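The access-control dimensions listed above (time window, permitted access points, the MFA required at a given access point, the devices reachable after authentication, group-level policy and real-time policy changes) can be evaluated by a small policy engine. The block below is an added example written for this page, not Known Access code; the policy fields, the group and access-point names and the sample requests are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

# Added example, not the product's code. The policy fields, group names,
# access-point names and sample requests are constructed for illustration.


@dataclass(frozen=True)
class AccessRequest:
    user: str
    access_point: str      # the NAS/RAS the user is connecting through
    mfa_used: str          # "NacID", "SecurID", "YubiKey-OTP", "NacPass", "SMS" or "" (password only)
    at: datetime
    target: str = ""       # device the user wants to reach once authenticated, if any


@dataclass
class GroupPolicy:
    allowed_hours: tuple                 # (start, end) as datetime.time, local clock
    allowed_access_points: frozenset
    mfa_per_access_point: dict           # access point -> required MFA type
    reachable_targets: frozenset
    mfa_per_target: dict = field(default_factory=dict)   # secured device -> required MFA type


class PolicyEngine:
    """Evaluates a request against the policy of the group the user belongs to."""

    def __init__(self, policies: dict, group_of: dict):
        self.policies = policies   # group name -> GroupPolicy
        self.group_of = group_of   # user -> group name

    def set_group_policy(self, group: str, policy: GroupPolicy) -> None:
        """Real-time update: every member of the group is governed by the new
        policy from the next request on, without touching individual users."""
        self.policies[group] = policy

    def evaluate(self, req: AccessRequest):
        """Return (allowed, reason); the first failing dimension decides."""
        group = self.group_of.get(req.user)
        if group is None or group not in self.policies:
            return False, "user is not assigned to a group"
        pol = self.policies[group]
        start, end = pol.allowed_hours
        if not (start <= req.at.time() < end):
            return False, "outside the allowed hours"
        if req.access_point not in pol.allowed_access_points:
            return False, f"access point {req.access_point} not permitted"
        need = pol.mfa_per_access_point.get(req.access_point)
        if need and req.mfa_used != need:
            return False, f"{need} required at {req.access_point}"
        if req.target:
            if req.target not in pol.reachable_targets:
                return False, f"{req.target} not reachable for group {group}"
            need = pol.mfa_per_target.get(req.target)
            if need and req.mfa_used != need:
                return False, f"{need} required for {req.target}"
        return True, "ok"


# Constructed sample policy: engineers may connect 07:00-20:00 from two VPN
# access points, must use YubiKey-OTP at the branch VPN, and must use SecurID
# to reach the database replica.
ENGINEERS = GroupPolicy(
    allowed_hours=(time(7, 0), time(20, 0)),
    allowed_access_points=frozenset({"vpn-hq", "vpn-branch"}),
    mfa_per_access_point={"vpn-branch": "YubiKey-OTP"},
    reachable_targets=frozenset({"build-server", "db-replica"}),
    mfa_per_target={"db-replica": "SecurID"},
)


def build_engine() -> PolicyEngine:
    return PolicyEngine({"engineers": ENGINEERS}, {"alice": "engineers"})


def make_request(user, access_point, mfa_used, hour, target=""):
    """Sample request on a fixed (constructed) date at the given hour."""
    return AccessRequest(user, access_point, mfa_used, datetime(2024, 3, 5, hour, 0), target)


if __name__ == "__main__":
    engine = build_engine()
    for req in (
        make_request("alice", "vpn-hq", "NacID", 9, "build-server"),
        make_request("alice", "vpn-branch", "NacID", 9),
        make_request("alice", "vpn-hq", "NacID", 22),
        make_request("alice", "vpn-hq", "NacID", 9, "db-replica"),
        make_request("bob", "vpn-hq", "SecurID", 9),
    ):
        print(req.user, req.access_point, req.target or "-", engine.evaluate(req))
```

Because users are resolved to a group before any check runs, replacing one GroupPolicy object changes the effective policy for every member at once, which is the behaviour the "real-time" and "group" items above describe.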
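The monitoring items above (flagging users who repeatedly supply bad credentials, requests from unknown sources, and bursts of invalid requests from one or many sources) come down to a few stateful rules run over the access log. The block below is an added example, not the product's detection logic; the log line format, the thresholds and the sample lines are constructed for this page.

```python
import re
from collections import defaultdict, deque

# Added example, not the product's detection code. The log format, the
# thresholds and the sample lines are constructed for illustration.

# Assumed line format: "<unix-ts> <source-ip> <user> <OK|FAIL>"
LINE = re.compile(r"^(?P<ts>\d+)\s+(?P<src>\S+)\s+(?P<user>\S+)\s+(?P<result>OK|FAIL)$")


class AuthMonitor:
    """Streams authentication log lines and raises three kinds of flag:
    repeated bad credentials per user, requests from unknown sources, and
    bursts of invalid requests regardless of source."""

    def __init__(self, known_sources, fail_limit=3, burst_limit=5, burst_window=10):
        self.known = set(known_sources)
        self.fail_limit = fail_limit        # consecutive failures before a user is flagged
        self.burst_limit = burst_limit      # invalid requests within burst_window -> alert
        self.burst_window = burst_window    # seconds
        self.fails_by_user = defaultdict(int)
        self.recent_invalid = deque()       # timestamps of recent invalid requests
        self.seen_unknown = set()           # unknown sources already reported once
        self.flags = []                     # (kind, subject, ts)

    def feed(self, line: str) -> None:
        m = LINE.match(line.strip())
        if not m:
            return                          # malformed line: skip it, never crash the monitor
        ts, src, user, result = int(m["ts"]), m["src"], m["user"], m["result"]
        if src not in self.known and src not in self.seen_unknown:
            self.seen_unknown.add(src)
            self.flags.append(("unknown-source", src, ts))
        if result == "OK":
            self.fails_by_user[user] = 0    # a good login clears the consecutive-failure count
            return
        self.fails_by_user[user] += 1
        if self.fails_by_user[user] == self.fail_limit:
            self.flags.append(("suspicious-user", user, ts))
        self.recent_invalid.append(ts)
        while ts - self.recent_invalid[0] > self.burst_window:   # drop entries outside the window
            self.recent_invalid.popleft()
        if len(self.recent_invalid) >= self.burst_limit:
            self.flags.append(("auth-burst",
                               f"{len(self.recent_invalid)} invalid requests in {self.burst_window}s", ts))
            self.recent_invalid.clear()     # report the burst once, then start a fresh window


def run(lines, known_sources):
    """Feed every line to a fresh monitor and return the flags it raised, in order."""
    mon = AuthMonitor(known_sources)
    for line in lines:
        mon.feed(line)
    return mon.flags


# Constructed sample log: alice mistypes her password three times and then
# succeeds; an address outside the known set sprays five users within five seconds.
SAMPLE_LOG = """\
1000 10.0.0.5 alice FAIL
1002 10.0.0.5 alice FAIL
1004 10.0.0.5 alice FAIL
1030 10.0.0.5 alice OK
1100 203.0.113.9 bob FAIL
1101 203.0.113.9 carol FAIL
1102 203.0.113.9 dave FAIL
1103 203.0.113.9 erin FAIL
1104 203.0.113.9 frank FAIL
"""
KNOWN_SOURCES = {"10.0.0.5", "10.0.0.6"}

if __name__ == "__main__":
    for flag in run(SAMPLE_LOG.splitlines(), KNOWN_SOURCES):
        print(*flag)
```

The burst rule deliberately counts invalid requests across all users and sources, so a password spray that touches each account only once (which the per-user rule never sees) is still caught by the rate of failures alone.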
Integrated Multi-Factor Authenticators
- For added security, our product line offers a unique capability that combines two MFA channels to protect a highly secured network: when one of the supported authenticators (for example NacID, SecurID or YubiKey) is used for authentication, the other methods (NacPass or SMS) can be used to notify the user of the authentication attempt. The second channel is an out-of-band alert, so an attempt made with a stolen authenticator is visible to its legitimate owner.
- At Known Access our intent is to provide security in multiple layers. If one layer is breached for any reason, the remaining layers keep your network secure.
- SSL was deprecated in favor of TLS (SSL 3.0 was formally deprecated by RFC 7568 in 2015); TLS is the cryptographic protocol that provides end-to-end communication security over networks and is widely used for Internet communication. Any protocol or authenticator may be judged weak at some point in the future, but if your enterprise has layered security, your network remains secure while the weak layer is replaced.
Feature Rich Product-Line & Services
We provide robust remote access security for small, medium and large networks. Our security system provides strong Identity Management, Access Management, integrated one-time password generation, Auditing & Logging, Real-Time Profile Management and many more functions. Our product architecture supports small networks with fewer than 50 users through large networks with well over one million users.
Here are the highlights:
- High Availability
- Fault Tolerant
- Strong Identity Management
- Strong Access Control
- Call Auditing & Logging
- Real-Time Profile Management
- IP Pool Management
- Extensive Protocol Support
- Support of Layered network architecture
- Support of multi-vendor RAS & NAS