UAE’s first IFMAP deployment using Juniper Networks

DTS Solution, a leading security consulting firm, deploys the region's first TNC IFMAP-compliant federated access control security solution at UAE University, working with lead system integrator Visionaire and using Juniper Networks security products.

UAE University, one of the largest universities in the UAE with over 12,000 students and 650 faculty members, faced the challenge of securing its data center resources while still allowing university users to reach those resources from any location and any device. A high number of students and faculty members bring their own devices (BYOD): personal laptops, iPads, iPhones and tablets. These devices connecting to UAEU's public Wi-Fi network and then using data center resources without any user accountability was considered a major risk.

Sajid Ali, IT Security Officer at UAEU, mentioned: “Not having visibility into the type of endpoints that connect to the network, the domain groups that users belong to and their associated privileges, the type of classified data that is consumed from the data centers and securing our critical assets within data centers from unauthorized and unauthenticated users are just some of the major security challenges and risks we were facing. Having chosen Juniper Networks Security Solution that comprises Secure Access (SSL VPN) and Junos Pulse, Unified Access Control (Infranet Controller), SRX High End Firewalls and Juniper IC IFMAP server, DTS Solution along with prime partner Visionaire have delivered the most advanced federated access control solution that makes BYOD practical and real for our university.”

DTS provided the end-to-end consulting, design and implementation of the security solution, which is based around IFMAP (Interface for Metadata Access Points), an open standard client/server protocol developed by the Trusted Computing Group (TCG).

IFMAP is designed to let security products from different vendors communicate over a single protocol that all of them understand, so that they can coordinate and share a federated view of security posture. Take an example: a user is connected to the corporate network remotely using SSL VPN (Vendor X), the inline IPS (Vendor Y) detects an intrusion from that user and sends an alert, which is received by the SIEM device (Vendor Z). The SIEM device (Vendor Z) then sends a message to the SSL VPN gateway (Vendor X) to limit the access or block the user.

Providing a common, unified security language between these three vendors is the sole purpose of IFMAP. Vendors of course need to support the IFMAP protocol; products that do are referred to as IFMAP clients. When an IFMAP client publishes metadata (security posture details) to an IFMAP server, other IFMAP clients, such as a firewall acting as a Policy Enforcement Point, can subscribe to that metadata and apply the required enforcement based on the metadata they receive.
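The publish/subscribe flow in the Vendor X / Y / Z example above can be sketched as follows. This is an added illustration, not code from DTS, Juniper or the TCG specification: it is a simplified in-memory model that does not use the real IFMAP wire format, and all class names, metadata type names, users and addresses are constructed assumptions.

```python
from collections import defaultdict

class MapServer:
    """Toy stand-in for an IFMAP server: stores metadata, notifies subscribers."""
    def __init__(self):
        self.metadata = defaultdict(list)     # identifier -> [(publisher, type, value)]
        self.subscribers = defaultdict(list)  # metadata type -> [callback]

    def subscribe(self, meta_type, callback):
        self.subscribers[meta_type].append(callback)

    def publish(self, publisher, identifier, meta_type, value):
        self.metadata[identifier].append((publisher, meta_type, value))
        for callback in self.subscribers[meta_type]:
            callback(identifier, value)

class VpnGateway:
    """Vendor X: publishes session metadata, enforces decisions it subscribes to."""
    def __init__(self, server):
        self.server, self.sessions = server, {}   # sessions: ip -> [user, access level]
        server.subscribe("enforcement", self.on_enforcement)

    def login(self, user, ip):
        self.sessions[ip] = [user, "full"]
        self.server.publish("vpn-x", ip, "session", user)

    def on_enforcement(self, ip, action):
        if ip in self.sessions:               # ignore addresses this gateway does not serve
            self.sessions[ip][1] = action

class Siem:
    """Vendor Z: subscribes to IPS events and publishes an enforcement decision."""
    def __init__(self, server):
        self.server = server
        server.subscribe("ips-event", self.on_event)

    def on_event(self, ip, severity):
        has_session = any(t == "session" for _, t, _ in self.server.metadata[ip])
        if has_session:                       # only act on authenticated VPN users
            action = "blocked" if severity == "high" else "limited"
            self.server.publish("siem-z", ip, "enforcement", action)

def run_scenario():
    server = MapServer()
    vpn = VpnGateway(server); Siem(server)
    vpn.login("alice", "10.8.0.5")            # constructed sample users and addresses
    vpn.login("bob", "10.8.0.6")
    server.publish("ips-y", "10.8.0.5", "ips-event", "high")    # Vendor Y alert
    server.publish("ips-y", "10.9.9.9", "ips-event", "high")    # no VPN session: ignored
    return vpn.sessions, server

if __name__ == "__main__":
    print(run_scenario()[0])
```

None of the three clients calls another directly; each one only publishes to or subscribes from the server, which is what lets products from different vendors cooperate.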

Shah Sheikh – Sr. Security Solutions Consultant at DTS highlighted “Our ability to execute and deliver a highly visible security project in the academic sector is testament to our commitment and desire to deliver cutting edge security technologies. If you look at our technology partners – Juniper Networks, Infoblox, Great Bay Software, Lumeta and nSolutions are all TNC members and all have products that are IFMAP compliant. Our strategy from the beginning was to build emphasis on real-time information sharing for security, collaboration of security posture across different elements to build on security intelligence within a network. Delivering this key project for UAEU with solutions that we strongly believe in, is a great reference for the security industry in the region.”

He continued by saying: “IFMAP is a key enabler for interesting emerging security techniques – the ability to correlate physical and logical access control; an example being a user has to be physically present (swipe access card) to access computing resources. Additional examples include a SCADA networked environment that removes an infected machine from the network whilst dynamically enforcing security policies on PLC firewalls, and finally scanning an endpoint the moment it connects to the network and then issuing metadata to either allow or block access from that endpoint. The opportunities and use cases of IFMAP are endless and we strongly believe it is the future of security.”

To learn more about IFMAP, BYOD and Unified Access Control contact our sales team – sales@dts-solution.com.

Official resources with more details on the IFMAP specification, currently at v2.1, are available from TNC (Trusted Network Connect): IFMAP_v.2.1_Specification.