Overview
The eTIPS architecture has been designed to address the emerging requirements of policy management in general and network access control in particular using the best design practices and technologies. This architecture recognizes the requirements to support multiple NAC frameworks, to be extensible so as to easily support new features as they are introduced in this rapidly growing area, to leverage the functionality of embedded client and network devices, and to integrate with existing identity and trust services. At the same time, the architecture is designed to provide consolidated and unified policy management to eliminate the operational burden of managing policy and access control with multiple disparate systems and technologies. Thus, the overall solution architecture is one where eTIPS integrates seamlessly with clients, network devices, and backend services for identity and trust verification as shown in the figure.
Architecture Highlights
- Dictionary-based architecture for easy extension to additional credentials
Attributes and credentials for making access control decisions are constantly being expanded. The eTIPS architecture has a data-dictionary design so that these new attributes can be added to the system without the need for software updates or even system downtime.
- Device neutral
Attributes and credentials are managed internally in a canonical form and exposed to the administrator in a user-friendly form. Data dictionaries map between the canonical form and each device-specific form. This allows administrators to specify policies in a device-neutral manner. It also makes it easy to add support for new devices that are introduced into the network after the initial deployment.
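The two points above (extension through a data dictionary, and policy written in canonical rather than device-specific terms) are easier to see in code. The following is an added illustration, not eTIPS code: the device families, attribute names, value encodings and the sample requests are all constructed for the example. It shows a per-device dictionary translating an incoming request into canonical attributes, a single device-neutral policy evaluated on that canonical form, and the decision rendered back in the device's own attribute names. Registering a new device family is a data change, not a code change, and a request with no posture attribute is quarantined rather than admitted.

```python
"""Dictionary-driven attribute mapping: device-specific <-> canonical form.

Added example; not eTIPS code. Every device family, attribute name and
sample value below is constructed for illustration.
"""

# One data dictionary per device family: canonical attribute name -> the name
# that family uses on the wire. Adding a device family is a new entry here.
DEVICE_DICTIONARIES = {
    "vendor-a-switch": {                       # constructed device family
        "user.name": "User-Name",
        "device.mac": "Calling-Station-Id",
        "posture.antivirus_ok": "A-AV-Status",
        "result.vlan": "A-VLAN-Assignment",
    },
    "vendor-b-wlan": {                         # constructed device family
        "user.name": "username",
        "device.mac": "client-mac",
        "posture.antivirus_ok": "av_compliant",
        "result.vlan": "vlan_id",
    },
}

# Per-device decoders for attributes whose wire encoding differs from the
# canonical value (canonical posture is a bool; each vendor spells it differently).
VALUE_DECODERS = {
    "vendor-a-switch": {"posture.antivirus_ok": lambda v: v == "PASS"},
    "vendor-b-wlan": {"posture.antivirus_ok": lambda v: v == "1"},
}


def register_device(family, dictionary, decoders=None):
    """Add a device family at runtime: no code change, no restart."""
    DEVICE_DICTIONARIES[family] = dict(dictionary)
    VALUE_DECODERS[family] = dict(decoders or {})


def to_canonical(family, raw_attrs):
    """Translate a device-specific request into canonical attributes.

    Wire attributes with no dictionary entry are dropped, so the policy
    only ever sees inputs the administrator has defined.
    """
    mapping = DEVICE_DICTIONARIES[family]
    reverse = {wire: canonical for canonical, wire in mapping.items()}
    decoders = VALUE_DECODERS.get(family, {})
    canonical = {}
    for wire_name, value in raw_attrs.items():
        name = reverse.get(wire_name)
        if name is None:
            continue
        decode = decoders.get(name, lambda v: v)
        canonical[name] = decode(value)
    return canonical


def evaluate(canonical):
    """Device-neutral policy written only in canonical terms.

    Fail closed: anything other than an explicit compliant posture goes to
    the quarantine VLAN (VLAN numbers are constructed sample values).
    """
    if canonical.get("posture.antivirus_ok") is True:
        return {"result.vlan": 100}
    return {"result.vlan": 999}


def from_canonical(family, result):
    """Render a canonical decision in the device's own attribute names."""
    mapping = DEVICE_DICTIONARIES[family]
    missing = [name for name in result if name not in mapping]
    if missing:
        raise ValueError(f"{family} dictionary lacks entries for {missing}")
    return {mapping[name]: value for name, value in result.items()}


def decide(family, raw_attrs):
    """Full round trip: device request -> canonical -> policy -> device reply."""
    return from_canonical(family, evaluate(to_canonical(family, raw_attrs)))


if __name__ == "__main__":
    # Constructed sample requests from two device families.
    print(decide("vendor-a-switch", {"User-Name": "alice", "A-AV-Status": "PASS"}))
    print(decide("vendor-b-wlan", {"username": "bob", "av_compliant": "0"}))
```

The same policy function serves both device families because it never sees a vendor attribute name; only the dictionaries and decoders know the wire format. The explicit `ValueError` in `from_canonical` is deliberate: a dictionary that cannot express the decision should be a visible configuration error, not a silently empty reply.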
- Security technology neutral
eTIPS supports standard and common protocols and security algorithms for access requests and backend trust and identity servers. A modular plugin architecture makes it easy to extend the system to include other access protocols and servers as the need arises.
- Proactive and reactive access control
While access control to date is mostly proactive, meaning that an access control decision is made when a client first connects to the network, it is well recognized that reactive access control, meaning ongoing evaluation of clients' access rights, is also required. The eTIPS architecture has been designed to also support reactive access control mechanisms as these become available.
- Distributed replicated architecture for scalability and fault-tolerance
eTIPS is a distributed, replicated architecture with no single point of failure. This allows the system to scale to large enterprises and to continue to operate even if some of the individual servers are down. With the proper network design, access control is still available even when the network itself is partitioned. Servers can be added or removed on the fly.
- Ubiquitous browser-based administration
Both the management of eTIPS itself and the definition of access control policies are performed from any standard web browser using the latest Web 2.0 user interface technology. Simply pointing the browser to the virtual eTIPS URL connects to the current configuration server.
- Rich APIs
In addition to the browser interface, the eTIPS architecture includes a rich API for importing and exporting policy information. This programmatic access to policy data is most useful for developing scripts that share information with legacy user databases and policy systems.