Voice and data infrastructure specialist at a tech services company with 1,001-5,000 employees
User
2021-10-05T19:24:34Z
Oct 5, 2021
We use Check Point for this solution through the Identity Awareness blade: when integrating with the domain controller or LDAP, we can see the entire organizational unit structure of the Active Directory, and we can generate rules based on the user's profile to make access to internet services, the DMZ or other zones more dynamic.
It is a good experience that gives us greater control and agility when debugging users, since these changes are reflected in the FW as soon as the users are removed from the AD.
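The behaviour described above, as an added illustration that is not Check Point's or any vendor's code: rules reference directory groups instead of addresses, so access follows the user's AD membership and disappears when the account is removed. The directory, group DNs and rule names are constructed sample data.

```python
"""Identity-aware firewall policy check (added example, constructed data)."""
from dataclasses import dataclass

# Constructed stand-in for an AD/LDAP lookup: account name -> group DNs.
DIRECTORY = {
    "alice": {"CN=Developers,OU=Eng,DC=example,DC=test",
              "CN=Domain Users,DC=example,DC=test"},
    "bob":   {"CN=Domain Users,DC=example,DC=test"},
}

@dataclass(frozen=True)
class Rule:
    name: str
    source_group: str   # group DN the source identity must belong to
    dest_zone: str      # e.g. "internet", "dmz"
    service: str        # e.g. "https", "ssh", or "any"
    action: str         # "accept" or "drop"

# Constructed rulebase; evaluated top-down, first match wins.
POLICY = [
    Rule("dev-to-dmz-ssh",
         "CN=Developers,OU=Eng,DC=example,DC=test", "dmz", "ssh", "accept"),
    Rule("users-to-internet-https",
         "CN=Domain Users,DC=example,DC=test", "internet", "https", "accept"),
]

def user_groups(user, directory=DIRECTORY):
    """Resolve identity -> groups; an account absent from the directory has none."""
    return set(directory.get(user, ()))

def evaluate(user, dest_zone, service, directory=DIRECTORY):
    """Return (action, rule name); unmatched traffic hits the implicit cleanup drop."""
    groups = user_groups(user, directory)
    for rule in POLICY:
        if (rule.source_group in groups and rule.dest_zone == dest_zone
                and rule.service in (service, "any")):
            return rule.action, rule.name
    return "drop", "implicit-cleanup"

def revoke_user(user, directory=DIRECTORY):
    """Simulate deleting the account in AD: no identity, so no group-based match."""
    return {k: v for k, v in directory.items() if k != user}

if __name__ == "__main__":
    print(evaluate("alice", "dmz", "ssh"))          # ('accept', 'dev-to-dmz-ssh')
    print(evaluate("bob", "dmz", "ssh"))            # ('drop', 'implicit-cleanup')
    after = revoke_user("alice")
    print(evaluate("alice", "dmz", "ssh", after))   # ('drop', 'implicit-cleanup')
```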
Infrastructure Architect, Team Leader, Service Aggregator at Fujitsu
User
2022-08-26T20:51:43Z
Aug 26, 2022
Most support some form of identity-based policies based on LDAP and/or AD, and it won't be a simple, straightforward decision to choose the one that best fits what you're trying to achieve and your budget.
Look at things like cost (is it an add-on, or does it come as part of the base product?) and licensing (e.g., do you need to maintain a license for the feature to continue working?). Essentially, choose a number of products and ask vendors questions. Do your preparation and ask a lot of questions.
What is your goal? If you want to restrict access by identifying the user and use groups for certain access areas, Sophos provides many options. FW combined with endpoint protection and server protection can offer total protection. If you want to use access-based identification to provide networks like Microsoft VPN, then you might look into Meraki.
They offer a client and small VPN FWs to manage access to a corporate network.
Head of Sales and Business Development at Axalon GmbH
Vendor
2022-08-26T15:04:20Z
Aug 26, 2022
As my company Axalon is focused on the Identity Governance and Administration (IGA) part of the security market, I'll answer the question from that perspective:
In the last 5-8 years, an increasing number of vendors of so-called CIAM (Consumer (oriented) Identity & Access Management) solutions have improved and extended their functionality.
As a very interesting example of access policies based on ID-based rules, I'd like to mention the product CIDAAS (from a German vendor called widas).
Two examples of the ID-based rules to govern the access of users:
(1) IoT device identity association
As IoT devices increase in popularity, consumers and business customer users will have a greater need to associate their IoT devices with their digital identities. These identity associations between consumer and IoT objects allow for the more secure and private use of smart home, wearables, medical, and even industrial devices.
(2) Fraud detection is enhanced by identity proofing and device fingerprinting functionality. cidaas smart MFA uses User Behavioral Analysis (UBA), based on geo-location, device fingerprint and more, as triggers for step-up authentication based on the risk level of the requesting user-client.
A security dashboard is integrated into CIDAAS' admin UI to help customers secure their applications; the dashboard provides functionality to monitor and manage security and fraud protection, and it provides insights into the cidaas configuration of clients or the instance (e.g., wrong scopes on a client).
Summary: CIDAAS is of course NOT an NGFW, but it combines security and business features, both based on the ID of the accessing user, in order to increase the protection level of sensitive content in one's own IT landscape and, in parallel, deliver business-relevant information about accessing customers.
We have a Sophos XG Firewall, and the authentication methods are included in identity-based firewall rules whether the users are local or you use LDAP or Active Directory.