FRAMINGHAM (06/23/2000) - Check Point Software Technologies Ltd. and Secure Computing Corp. next week are proposing separate means to let trading partners gain restricted access to corporate intranet applications.
Check Point's strategy, called "Secure Virtual Network Phase II," centers on its VPN-1 firewall/VPN gateway's ability to share user authentication information with the applications behind the firewall to gain benefits such as single sign-on.
The VPN-1 gateway can capture information about each user who proves his identity by means of a digital certificate, static password or dynamic-password security token.
"The VPN-1 gateway knows who I am and where I came from," says Check Point Senior Product Manager Tom Clare.
He says this information can, in theory, be transmitted to applications or authentication-management servers behind the gateway. That way the user wouldn't have to authenticate a second time with a separate identifier. The specific technology is a set of "UserAuthority" software APIs that could be embedded into applications to accept VPN-1 data.
The technology would work to restrict user access to Web applications running on these servers after the user is authenticated at the VPN-1.
VPN-1 can determine user identity, profile, location and device used. The application-use security policy would be enforced at the VPN-1 gateway outfitted with a new software module.
The first version of the UserAuthority module - expected next month - will include the UserAuthority Internet Server API plug-in for the Microsoft Internet Information Server, with similar plug-ins for the Netscape and Apache Web servers to follow.
Several vendors, including BroadVision, Oracle and IBM, have indicated strong interest in deploying Check Point's approach.
BroadVision says its business-to-business applications, including one called Procurement that will ship this fall, will use the Check Point security capabilities, though it's uncertain whether UserAuthority will make it into the first version of Procurement.
"Our customers need access to the network, and we've chosen Check Point as the partner in managing that access," says Asher Kotz, BroadVision's technology partner manager.
Even vendors with their own authentication-management products, including Netegrity and Securant, say they are interested in implementing UserAuthority.
Securant Chief Technology Officer Eric Olden says his firm plans to add the UserAuthority API to its ClearTrust Web-access control software by year-end.
"This isn't a threat to us, it's augmenting what we do in the business-to-business transaction market," Olden says. "It will save the user having to authenticate the second time."
"Interesting things are happening here with the ability to let the end user authenticate once," says Richard Karon, security architect at Plano, Texas, systems integrator Perot Systems.
"The application would become aware of the central security model. You'd have to have a repository to hold that information, though, either on the firewall or in a directory," he adds.
Another established vendor, Secure Computing, also has ideas about application-access control and is planning to ship a product this week.
Secure Computing's SafeWord Plus is server software that sits behind the firewall to restrict access to applications, particularly Web-based applications.
To protect these applications, the SafeWord Plus agent software has to be added to either the Microsoft or Netscape server running the application or directly to the e-commerce application, such as those from SAP.
"If you're going to let people into your network, the really hard part is knowing where they are and who these users are," says George Jelatis, Secure Computing's director of e-business initiatives. "And managing this user community does become complicated."
SafeWord Plus costs US$30 per seat, and includes a Java-based management console and Lightweight Directory Access Protocol directory from Netscape or Novell for storing user identity and public-key certificates.