Nexor offers security for directories

Messaging and directory vendor Nexor Ltd. last month unveiled an application-level firewall for directories that is designed to protect sensitive agency data from unauthorized users.

Called the Directory Boundary Agent (DBA), the product is designed to work with directories that are based on the Lightweight Directory Access Protocol (LDAP), which is used to access information stored in directories. Directories store information such as e-mail addresses, phone numbers and what systems employees are running.

While a "regular" firewall deployed in a network is only capable of either rejecting or accepting LDAP queries, the DBA is capable of filtering LDAP traffic so that users get access only to information they are allowed to see.

"[DBA] provides access control and policy enforcement," said Bob Johnson, business development manager at Nexor. "It...says, 'This is information we will let the outside world see or not see.' If I have everyone's phone numbers in the directory and don't want the outside world to see that, this product will allow names and e-mail addresses to pass through but keep the phone numbers from the outside."

Military and civilian agencies should be interested in the product, particularly those that have directories from different vendors in one organization, Johnson said. DBA provides the same access control to different directories as if the directories were all from the same vendor, he said.

DBA also would be useful within an organization where certain databases, such as the human resources directory, must be restricted from general access, Johnson said.

In addition, DBA protects a so-called meta directory, which is essentially a directory of directories that integrates information from network operating systems, application-specific directories and other sources. LDAP is a good access method for meta directories, Johnson said, because it allows access to the information where it resides.

Traditionally, many organizations have addressed directory security by setting up a directory outside the firewall for public information while maintaining a separate private directory inside the firewall, Johnson said. That way, a hacker attack on the public directory would not compromise critical data. However, this is usually a complicated and highly customized solution, he said.

Furthermore, such a solution is not very scalable, said Doug Simmons, senior consultant at The Burton Group, Santa Cruz, Calif. "You could copy the information and put it in a database outside the firewall, but where that breaks down is in terms of scalablility," he said. "Suppose you have tens of thousands of users. It's hard to administer."

Electronic commerce and public-key infrastructures rely heavily on directories to succeed, and DBA should help make those applications easier to support, said Sara Radicati, president of The Radicati Group, a Palo Alto, Calif.-based consulting firm.

"You would want to protect your directory anyway because you have sensitive company information in it," she said. "But if you do electronic commerce with other companies, it's even more important because these companies want limited access to the directory. At the same time you don't want them to access [private data]."

While other companies are sure to jump on the bandwagon with similar products, Nexor should get credit for coming out first with its product, Radicati said.

DBA, which Nexor licensed from the United Kingdom Defense Evaluation and Research Agency, will be added to government contracts including the General Services Administration schedule. The product retails for $8,000 per server license. Government pricing has not been set.