SECURING & PROTECTING ACTIVE DIRECTORY

Optimal IdM’s Virtual Identity Server (VIS) can be deployed as an LDAP Proxy Firewall to provide the needed protection and security for the sensitive identity data stored in your Active Directory.

An LDAP proxy firewall acts as a barrier between client applications and data stored in your Active Directory. Instead of client applications directly accessing your sensitive data, which can leave it vulnerable to attack, applications connect to the proxy and the proxy accesses the necessary data. LDAP proxy authentication creates an added layer of security for your sensitive data while still offering real-time access when and where you need it.


VIS LDAP Proxy Firewall

Many organizations utilize an HTTP web proxy server, such as Microsoft’s Internet Security and Acceleration (ISA) Server, within their web server environment. ISA provides not only a more secure environment but also additional performance capabilities.

LDAP Proxy Firewall

Likewise, when deployed as an LDAP proxy server, VIS offers this type of protection and security for LDAP directories such as Active Directory. Applications connect to the VIS proxy server exactly as they do to any normal LDAP directory. In fact, to any LDAP-enabled client application accessing the proxy, VIS looks and behaves just like a standard Active Directory or ADAM server.


Application-Specific Views

In many cases, applications that are written to Active Directory are written poorly and inefficiently. For example, many applications connect at the root of the Active Directory forest when they may only need to search one or two containers in the tree. Additionally, many applications only need to view users and groups, but in reality are granted access to view more than just users and groups.

This is because Active Directory itself offers no way to restrict what an application searches, such as limiting it to specific LDAP queries. When used as an LDAP proxy server, however, VIS can be configured to publish application-specific views, granting the application only the data it requires. The result is a more secure Active Directory and increased performance for both the application and Active Directory.
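As an added illustration that is not Optimal IdM's code and does not use VIS configuration syntax, the following Python model shows what an application-specific view does for a hypothetical "hr-portal" application: a search issued at the forest root is fanned out onto the two containers the view exposes, requested attributes are trimmed to the published set, the filter is constrained to users and groups, searches outside the view are blocked, and every decision is written to an audit list. The DNs, attribute names and the policy structure are constructed assumptions.

```python
from dataclasses import dataclass
# Constructed example of an application-specific view for a hypothetical "hr-portal"
# app. DNs, attribute and class lists are illustrative, not VIS configuration syntax.
@dataclass(frozen=True)
class AppView:
    app: str
    bases: tuple        # containers the app may search instead of the forest root
    classes: frozenset  # object classes it may see (users and groups only)
    attrs: frozenset    # attributes it may read
    max_size: int       # hard cap on returned entries
@dataclass(frozen=True)
class SearchRequest:
    app: str
    base: str
    scope: str          # "base", "one" or "sub"
    filt: str
    attrs: tuple        # empty tuple means "all attributes" in LDAP
    size_limit: int = 0 # 0 means the client asked for no limit

HR_VIEW = AppView("hr-portal", ("OU=Users,DC=example,DC=com", "OU=Groups,DC=example,DC=com"),
                  frozenset({"user", "group"}),
                  frozenset({"cn", "sAMAccountName", "mail", "member", "memberOf"}), 500)
AUDIT = []  # one record per decision: which app searched what, and the outcome
def _under(dn, base):
    """True if dn is base itself or lies beneath it (case-insensitive)."""
    return dn.lower() == base.lower() or dn.lower().endswith("," + base.lower())

def _log(req, decision, detail):
    AUDIT.append({"app": req.app, "base": req.base, "filter": req.filt, "decision": decision})
    return decision, detail

def proxy_search(req, view):
    """Block requests outside the view, rewrite those inside it; returns ("deny", reason) or ("allow", [requests])."""
    if req.app != view.app:
        return _log(req, "deny", "unknown application")
    # A search at the forest root fans out into one search per permitted container;
    # a search already inside a permitted container is kept as-is.
    if any(_under(req.base, b) for b in view.bases):
        bases = [req.base]
    else:
        bases = [b for b in view.bases if _under(b, req.base)]
    if not bases:
        return _log(req, "deny", "base outside application view")
    attrs = tuple(sorted(view.attrs if not req.attrs else set(req.attrs) & view.attrs))
    # Constrain the filter to the object classes the view publishes.
    classes = "".join(f"(objectClass={c})" for c in sorted(view.classes))
    filt = f"(&(|{classes}){req.filt})"
    size = min(req.size_limit or view.max_size, view.max_size)
    return _log(req, "allow", [SearchRequest(req.app, b, req.scope, filt, attrs, size) for b in bases])
```

The audit list answers the questions a proxy log is meant to answer, such as which application searched which base and whether it was blocked.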

Product Features

The Virtual Identity Server, deployed as an LDAP Proxy Firewall, provides not only a more secure environment but also additional performance capabilities, such as:


Benefits

Meet Audit and Compliance Initiatives

One of the key benefits of using an LDAP DMZ proxy is the ability to simplify auditing, compliance and related security issues.

With Virtual Identity Server, you get at-a-glance answers to questions such as:

– Who has logged in and when?

– What changes were made to data and when?

– Who was added to the Administrators group today?

– What changes did “Bob” make?

Increased Security and Control

Using VIS as an LDAP proxy firewall, you can:

– Gain greater control over which accounts connect to, bind to, and search your LDAP directory.

– Limit the entry points into your Active Directory, further protecting your Active Directory.

– Monitor and report on changes to the directory in real-time.

– Limit what searches and modifications can be performed against the LDAP directory.

Eliminate Deployment Barriers

Rapidly and easily deploy applications to users existing in multiple Active Directory forests or directories.

– The VIS Schema Manager™ eliminates the need to extend the Active Directory schema for third-party LDAP applications.

– VIS allows you to rapidly deploy applications to users existing in multiple Active Directory Forests without any forest trusts.

– VIS simplifies your identity management deployment by accessing data at its source directly.

– VIS provides multiple views of data, allowing for easy, discrete application views of enterprise data.

Secure Access with VIS LDAP Proxy Firewall

In any business setting, one of the key security policies is to give each employee just enough access to IT resources for them to perform their respective job functions.

If an employee has been given too much access, then ‘data leakage’ can occur. This is when an application (such as a database query) can literally return more confidential data than what the employee needs to have or know. An LDAP Virtual Directory greatly minimizes this security risk by only allowing the employee to access this confidential data when and where it is needed. In other words, data is not reproduced multiple times throughout the business.

Active Directory vs. Active Directory with VIS LDAP Proxy Firewall

The Virtual Identity Server™ (VIS™), deployed as an LDAP proxy server, provides the needed protection, firewall authentication and security for Active Directory.

Active Directory Alone

  • Active Directory is vulnerable to attacks such as denial of service.
  • Applications have more access than they need, and the principle of least privilege is very hard to enforce.
  • Data in Active Directory is difficult to secure because administrators have little control over the applications accessing the data.
  • Poorly written applications can crash Active Directory, causing outages for end users.
  • Active Directory performance is susceptible to inefficient queries that applications send.

Active Directory with Virtual Identity Server LDAP Proxy Firewall

  • Active Directory is more secure by being placed behind an LDAP firewall proxy server. Applications no longer access AD directly.
  • VIS provides data leakage prevention (DLP) by only publishing the data that the applications require.
  • Active Directory is now protected and safe because inefficient or rogue queries are either blocked or transformed in real-time into more efficient queries.
  • VIS provides a complete auditing solution for all applications accessing AD. All activity (modifications, searches) is captured.
  • All applications now have built-in failover. As backend systems fail, VIS provides the failover mechanisms automatically at the server layer.
  • All applications now have built-in connection pooling to AD, which increases performance and reliability significantly.
  • Application deployment time is reduced by over 50% by quickly providing real-time application specific views from multiple data stores.
  • VIS removes application deployment barriers by handling AD schema changes virtually and rapidly providing multi-forest views without any forest trusts.
  • VIS reduces the Kerberos token size limit problem by providing application specific groups at the VIS layer.
  • Active Directory and application performance is increased by mapping inefficient queries into more efficient queries, without code.
  • Leverages and extends the existing investment in the Microsoft platform & enables LDAP firewall authentication.

No Active Directory should be left unprotected.

Frequently Asked Questions

Does VIS support Kerberos and/or NTLM/Negotiate authentications?

Yes, VIS supports Kerberos, NTLM and Negotiate as authentication options on both the listening side and the back-end connection side.

Can I get a demo/evaluation version of VIS?

Yes. Please fill out a demo form with your contact information.

What data stores can the Virtual Identity Server connect to?

The Virtual Identity Server supports a number of data stores directly with out-of-the-box adapters. Additionally, a customer or integrator can create adapters utilizing our built-in extensibility.

Resources

– Data Sheet: Virtual Identity Server

– White Paper: VIS for Automated Compliance Management

– Videos