Editor's Choice Award for Best Identity-Management Suite
Novell Cool Solutions: Trench
Posted: 13 Nov 2003
Security Pipeline recently announced that Novell's identity management suite won the Editor's Choice award in a head-to-head review at the NWC Inc. business applications lab, in Green Bay, Wis.
The following quotes are from the Security Pipeline article at http://www.securitypipeline.com/story/showArticle.jhtml?articleID=15306125.
After implementing all three products in the NWC Inc. labs and testing them in a variety of situations, we gave Novell our Editor's Choice. The robustness and flexibility in its supported target systems, password and account management make this suite, which comprises DirXML, eDirectory, Novell Audit and iChain, a perfect fit with the many custom applications NWC Inc. deploys. We found that iChain provided the most flexible and secure Web access control of the products we tested, and its proxy-based architecture made it a breeze to deploy for internal and external customers alike.
Novell has made serious progress with its identity management offering in the past few years, with more advances yet to come with DirXML 2.0, which is scheduled to be released by year's end. Although the product is moving heavily toward a Web-based console for administration and configuration, the flexibility inherent in its use of XSLT is still present and available for admins who prefer tweaking the system to enforce corporate policies.
We needed to make only a few changes to our infrastructure to implement Novell's DirXML and iChain, its resource access-control product. Our Linux system was the only machine on which we had to install additional software to provide password and account management, based on Novell's eDirectory. Novell recommends an eDirectory installation on Linux and Unix systems and use of NIS to provide remote management. This installation was straightforward, though we encountered problems getting the Linux eDirectory installation implemented.
Novell uses the term drivers to describe the modules used to integrate systems and applications into its suite. All the databases in our test--Microsoft SQL Server 2000, IBM DB2, MySQL and Oracle9i--were integrated via a JDBC driver. We had to make tweaks to the XSLT for each system because not all relational databases are SQL 92-compliant, and the syntax used to manage accounts with SQL is different for each system. CA and Courion require installation of each database's client tools on the systems their products are installed on, but Novell requires only that the JDBC driver for the target system be installed. This makes Novell's setup much more portable, as there is no reliance on operating system-specific connections.
Novell goes further than its rivals by selectively filtering the data that is passed between any two systems. For our implementation, AD was the authoritative system responsible for kicking off the new-hire and termination processes. The Novell AD driver was configured as bidirectional, so updates to passwords and profile information would propagate regardless of origination. This is typical of an identity-management solution, but Novell took it one step further by letting us specify which attributes each individual driver can change. Our first test of the system actually failed because the work-flow driver was configured to send a notification to the manager of the new hire via e-mail, and we forgot to allow the manager attribute to flow from AD to eDirectory. Once configured correctly, the system worked like a charm.
Novell's iChain product is primarily used to provide Web access control and is the mechanism through which Novell provides password and profile self-service functionality. These features are scheduled to be included in the 2.0 release of DirXML, but now are available only with iChain, which is deployed as an appliance and implemented as a reverse proxy. As such, it requires no changes to back-end servers, with the caveat that back-end systems should be reconfigured to accept connections only from the iChain device. To implement self-service we had to do some coding to integrate iChain with DirXML, but configuring Web access-control rules was an extremely flexible process thanks to the intuitive Web-based GUI.
Because iChain is a reverse-proxy implementation, we had no problem integrating IIS, Apache and our CapeClear CapeConnect Web services systems into the access-control mechanisms. CA's product, on the other hand, requires plug-ins or custom coding to integrate into its eTrust Web Access Control app, and Courion, which partners with Entrust, Netegrity, Oblix and RSA for access control, is powerless to determine the method of integration with Web-based services.
We were also pleased with some of the features we gained with Novell's proxy-based Web access-control implementation. By using some of the advanced security features in iChain, for example, we could have users authenticate to eDirectory, and iChain could take care of authenticating to back-end systems. This means that users do not need to know these passwords--that aspect of password management is removed from their control. Using eDirectory, iChain can change back-end passwords randomly on a scheduled basis to provide a higher level of security on Web-based resources than its competitors.
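One way to picture the per-driver attribute filter the reviewers describe, as an added example that is neither Novell's code nor DirXML's actual filter format: a small simulation of a publish/subscribe filter on an AD add event that reproduces the failed first run (the manager attribute not allowed to flow from AD, so the new-hire notification cannot be sent) and the corrected filter, which still keeps AD-internal attributes out of the directory. All names and sample values are made up.

```python
# Added example, not Novell's code: a simulated per-driver attribute filter
# for identity-sync events. Filter contents and sample data are constructed.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class DriverFilter:
    """Which attributes one connected system may push into the directory
    (publish) and which it may receive from it (subscribe)."""
    name: str
    publish: FrozenSet[str]
    subscribe: FrozenSet[str]

def filter_event(flt: DriverFilter, direction: str,
                 event: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Drop every attribute the driver may not move in this direction.
    direction is 'publish' (connected system -> directory) or 'subscribe'."""
    allowed = flt.publish if direction == "publish" else flt.subscribe
    kept = {k: v for k, v in event.items() if k in allowed}
    dropped = sorted(k for k in event if k not in allowed)
    return kept, dropped

def notify_manager(entry: Dict[str, str]) -> Optional[str]:
    """Workflow step from the review: e-mail the new hire's manager.
    Returns None when the manager attribute never reached the directory."""
    manager = entry.get("manager")
    if not manager:
        return None
    return f"mail {manager}: new hire {entry['cn']} provisioned"

def provision_new_hire(flt: DriverFilter, ad_add_event: Dict[str, str]):
    """AD is authoritative for new hires: filter the add event, run the workflow."""
    entry, dropped = filter_event(flt, "publish", ad_add_event)
    return notify_manager(entry), dropped

# Constructed sample AD add event (values are made up).
AD_ADD_EVENT = {
    "cn": "jdoe", "sn": "Doe", "mail": "jdoe@example.com",
    "manager": "cn=asmith,ou=users,dc=example,dc=com",
    "badPwdCount": "3",  # AD-internal; should never leave AD
}

# First attempt in the review: manager omitted from the AD publish filter.
MISCONFIGURED = DriverFilter("AD", frozenset({"cn", "sn", "mail"}),
                             frozenset({"cn", "sn", "mail", "manager"}))
# Corrected filter: manager may flow from AD, badPwdCount still may not.
CORRECTED = DriverFilter("AD", frozenset({"cn", "sn", "mail", "manager"}),
                         frozenset({"cn", "sn", "mail", "manager"}))
```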
Review the full report, "Review: Identity Crisis", including the final Report Card.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com