Secure Computing SafeWord SecureWire 2500

The latest security buzzword is IAM (identity access management) and Secure Computing claims its new SafeWord SecureWire product family is the first appliance-based IAM solution to market. In this exclusive review we take a close look at the top of the range 2500 appliance which targets enterprises and can support up to 2,500 concurrent connections.

In a nutshell, IAM encompasses the processes required to create and manage user identities and allow access to specific resources on the network by enforcing policies. The 2500 brings together an impressive range of security measures as it supports SafeWord two factor authentication, IPsec and SSL VPNs, SSO (single-sign on) and NAC (network access control) for end-point validation. A key feature that makes this solution standout is the fact that the SafeWord feature is supplied as standard and the price quoted in this review includes the SafeWord server and a starter pack with five tokens.

Installation is a simple affair and the appliance can act as a router or as a transparent gateway. For testing we configured the appliance as a router and slipped it in front of our Windows Server 2003 domain controller. We used a group of Windows XP/2003 systems to act as remote clients on the other side.

The SecureWire Control Center handles all management and monitoring and can run from the appliance on demand or be downloaded and installed locally. It's well designed and the Configuration Navigator provides swift access to functions such as authentication, policies, users, VPNs and system settings. There are also tabs for viewing alarms and accessing the extensive reporting facilities. For user authentication the 2500 provides a local user database and supports Active Directory, LDAP, RADIUS, SecureID, SafeWord and generic methods.

From the Policies section you create local users and declare web and file resources to the appliance. For the latter the 2500 supports both SMB and NFS protocols and when declaring file resources you can create a single policy entry which includes environment variables. This will be a time saver if you want to control remote access to user specific resources such as home directories.

We had no problems declaring our domain controller's web site and selected shares to the appliance and dishing out access privileges to our local users. Custom time intervals are applied to each user or group so you can decide when the policy should be active. Applications are declared to the appliance by selecting from a list of over fifty predefined services such as SMTP, FTP and MS Exchange and providing the host IP address that this applies to. There are no problems with custom services as you can create your own from the Network Services section.

SSO makes light work of scenarios where, for example, authentication to an application is not tied in with corporate access policies. This can bridge the two together where the appliance will conduct user authentication and then map this transparently to the application. SSO can also take user authentication details and pass them on to an application so reducing the number of times a user needs to sign on. One feature we liked about this method is that unlike some SSO point solutions you don't have to go through the tedious process of enrolling an application.

The SafeWord two-factor authentication is a slick feature that relies on each user knowing something and being in possession of something. Each user has a PIN and a hardware token with a unique serial number and using a common algorithm the token generates a one time password. Authentication is handled by a separate SafeWord server and during installation it imports customer information from Secure Computing. The server now has information about all the tokens supplied to the company and can verify if a password has come from these tokens. Two types of token are available where one generates a password which the user logs in with and appends with their PIN number. The other token requires users to input their PIN after which it will generate a password. This method means the user never has to provide their PIN to anything other than the token. Token setup is handled well as the server installation adds an extra tab to the Windows Server User Properties where you can enter the serial number of their token. The process can be streamlined even further as the SafeWord User Centre can be used to get users to register the token themselves.

NAC needs some more work but otherwise the SafeWord SecureWire appliance is offering a comprehensive range of access controls that we found particularly easy to configure. Resources and privileges are simple enough to declare to the appliance and manage and the jewel in its crown is the integrated support for the SafeWord tokens.

Verdict

A high starting price but a slick appliance based IAM solution that delivers an excellent range of enterprise level access controls, easy management and integrated support for SafeWord tokens and their two factor authentication

2U appliance

Supermicro X5DPE-G2 motherboard

2 x 2.4GHz Xeon

4GB 266MHz SDRAM

2 x Intel PRO/1000 MT dual port Gigabit PCI cards

2 x 80GB Hitachi Deskstar IDE hard disks

SecureWire Control Center management utility

price includes SafeWord Server and five Token starter pack