At Apani, our solution keeps data in motion secure, both between clients and between servers and clients.
Apani is a global company. Our corporate office is in Southern California, with supporting offices in the UK and Japan. We are privately funded by the Takahara Group, widely known in Japan as the largest consumer goods company; they are comparable to Procter & Gamble, and they also produce pet food. Our software originated in a Hughes project before the Takahara Group purchased it in 2003. Our technology was also used in the development of VPN software for Nortel and Cisco.
Apani provides 24/7 support to its customers, along with professional services. We can install and support very large enterprise customers as well as small and medium businesses. Our solution supports the needs of different markets; we specialize in Retail, Healthcare, Financial Services and the Public Sector. We will discuss this further as we look at a few success stories.
Our solution runs on all major platforms, including Windows, Unix and Linux, and is managed centrally from our Management Console. It is a small-footprint software solution for network segmentation, an alternative to hardware firewalls. The software manages user access, encryption and segmentation, runs on both physical and virtual servers, protects against intruders, and helps support compliance mandates such as PCI and HIPAA.
Citi was our first, and remains our largest, enterprise customer. They are a very well-known financial services company, and we help them with PCI compliance. Detailed information is not available as it is proprietary to Citi.
The University of Pennsylvania Health System is a group of three hospitals; they are one of the oldest hospital systems and have great credentials. Our solution helps them with PCI compliance, server segmentation and encryption of data in motion. Because our tool is centrally managed, it helps IT and lowers overhead once it is set up and configured.
Our Public Sector success story is the Staffordshire Police. Our solution supports the police department's legacy applications across their 350 servers and 2,500 workstations. We helped them with their compliance initiative; in the UK this is called CoCo (Code of Connection) compliance. They are encrypting data in motion and using our server segmentation.
Canadian Tire Financial Services is the financial services division of Canadian Tire, the Canadian retail giant.
Harrods is a luxury department store that also has locations in airports throughout Asia and Europe. They purchased our solution for their PCI compliance initiative and for server segmentation.
Firewalls and VPNs prevent unauthorized access to the corporate network from the outside. EpiForce manages access and security between systems inside the corporate network. Although hardware devices can also control access between systems within the corporate network, EpiForce, as a software solution, can be significantly less expensive.
EpiForce components:
- Database server: stores all the Agent registration and policy data for the system. MySQL is included with the product; Oracle support can be configured.
- Admin Server: delivers policy on demand to each of the Agents and implements the Certificate Authority functionality.
- Admin Console: the GUI for all EpiForce policy and configuration.
- Agents: the network security policy enforcement points. Each Agent has an X.509v3 certificate issued by the Admin Server, which must be used to authenticate the Agent before any communication is permitted. When communication is requested, both endpoint Agents request all the applicable policies from the Admin Server.

EpiForce architecture:
- Multiple replica databases provide fail-over resiliency as well as localized performance for regional or departmental data centers.
- Multiple Admin Servers provide fail-over resiliency and load balancing for improved performance.
- One or more Admin Consoles manage all databases, Admin Servers and Agents.
- Agents run on Microsoft Windows XP, Server 2003, Server 2008 and Windows 7; Linux (Red Hat 3, 4 and 5); Solaris; AIX; and HP-UX (both PA-RISC and Itanium). Windows and Linux systems can be virtualized in VMware, Citrix and Hyper-V, and AIX systems can run in LPARs.
There are three parts to an Agent:
- The Key Manager (KM) responds to requests from the SP to negotiate with other Agents by calling the INM, and responds to requests from the SP for network security policies by asking the Admin Server.
- The IKE (Internet Key Exchange) Negotiation Manager (INM) runs in user space. It authenticates peer Agents using their X.509v3 certificates, negotiates security parameters and establishes the Security Associations (SAs) used to transfer user data.
- The Security Policy (SP) manager is a driver that examines every packet that enters or leaves the system and enforces the network security policy.
A Zone is a set of rules (clear, protect or deny) for specific ports that apply to a list of Agents or Users, IP addresses or address ranges. Agents can also be added to a Zone by address range, by subnet, or both. There are three types of Zones:
- Client/Server Zone: defines a Security Policy for the case where a client initiates communication with a server.
- Internal Access Zone: defines a Security Policy for peer-to-peer, bi-directional communications between Agents and Users. Used for communications between servers in the data center.
- External Access Zone: defines a Security Policy between a specific Agent and a host, such as an Internet site, inside or outside the Zone.

When an Agent begins communicating with another system, it requests from the Admin Server the list of all Zones that apply between the two endpoints. The Agent sorts the Zones it receives by Zone priority, with Client/Server Zones having the highest priority, and applies the security policy from the highest-priority Zone that covers the port used for the communication. This allows multiple overlapping Zones to be used to describe the overall network security policy.
Because EpiForce Agents are installed as a driver, no application changes are required to implement network security policy. Some use cases for EpiForce are:
- Separating production from non-production systems, sometimes referred to as network segmentation
- Limiting access to internal systems to legitimate partners and contractors
- Protecting data in motion within the company network from sniffers
- Securing virtualization implementations
- Configuring network access policy on the user's login identity rather than on the Agent, so that the policy follows the user as they move from system to system
Network segmentation can be implemented in two ways:
- Create a Zone that either grants access or denies access.
- Configure individual Agents as Isolated and use Zones to allow only the critical communications.

For example, creating a Zone that denies communications between development systems and human resources servers eliminates developer access to a sensitive data center resource. Network segmentation can also minimize the scope of audits, since one group of Agents cannot access another group.
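To make the Zone model and the Isolated-Agent default concrete, here is a small Python model of the resolution rule described above (Zones sorted by type priority, the matching rule for the port enforced). It is an added illustration, not Apani's or EpiForce's code, and it assumes details the slides do not state: the rule names 'clear', 'protect' and 'deny'; that ties between Zones of the same type resolve to the stricter rule; that an Isolated Agent denies any traffic no Zone covers while a normal Agent passes it in the clear; and a '*' wildcard port. The endpoints, addresses and Zones are constructed sample data.

```python
"""Toy model of Zone-based policy resolution (added illustration, not EpiForce code).

Assumptions not stated on the page: rule names 'clear'/'protect'/'deny'; Zone
types rank Client/Server > Internal Access > External Access; ties between Zones
of the same type resolve to the stricter rule (deny > protect > clear); an
Isolated Agent denies traffic no Zone covers, a normal Agent passes it clear.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Union

ZONE_PRIORITY = {"client_server": 0, "internal_access": 1, "external_access": 2}
STRICTNESS = {"deny": 0, "protect": 1, "clear": 2}
ANY_PORT = "*"  # wildcard rule key (assumption)


@dataclass
class Endpoint:
    name: str
    ip: str
    isolated: bool = False  # assumption: Isolated Agent == default deny


@dataclass
class Zone:
    name: str
    kind: str                                   # a key of ZONE_PRIORITY
    rules: Dict[Union[int, str], str]           # port (or ANY_PORT) -> rule
    agents: List[str] = field(default_factory=list)    # member Agent names
    networks: List[str] = field(default_factory=list)  # member CIDR ranges

    def covers(self, ep: Endpoint) -> bool:
        """An endpoint is in the Zone by Agent name or by address range."""
        if ep.name in self.agents:
            return True
        addr = ip_address(ep.ip)
        return any(addr in ip_network(n) for n in self.networks)

    def rule_for(self, port: int) -> Optional[str]:
        return self.rules.get(port, self.rules.get(ANY_PORT))


def resolve(zones: List[Zone], src: Endpoint, dst: Endpoint, port: int) -> str:
    """Return the rule an Agent would enforce for src -> dst on this port."""
    candidates = [z for z in zones
                  if z.covers(src) and z.covers(dst) and z.rule_for(port)]
    if not candidates:
        # No Zone applies: Isolated Agents deny, everyone else passes clear.
        return "deny" if (src.isolated or dst.isolated) else "clear"
    best = min(candidates,
               key=lambda z: (ZONE_PRIORITY[z.kind], STRICTNESS[z.rule_for(port)]))
    return best.rule_for(port)


def demo() -> Dict[str, str]:
    """Constructed scenario; returns decisions keyed by 'src->dst:port'."""
    web01 = Endpoint("web01", "10.0.1.10")
    db01 = Endpoint("db01", "10.0.2.10")
    dev01 = Endpoint("dev01", "10.0.9.10")
    hr01 = Endpoint("hr01", "10.0.3.10")
    pci01 = Endpoint("pci01", "10.1.0.5", isolated=True)  # outside 10.0.0.0/16
    zones = [
        # Broad data-center Zone: everything in 10.0.0.0/16 talks in the clear.
        Zone("datacenter-clear", "internal_access", {ANY_PORT: "clear"},
             networks=["10.0.0.0/16"]),
        # Client/Server Zone overrides it for the app-to-database port.
        Zone("app-to-db", "client_server", {3306: "protect"},
             agents=["web01", "db01"]),
        # Same-type deny Zone segments developers away from HR servers.
        Zone("dev-no-hr", "internal_access", {ANY_PORT: "deny"},
             agents=["dev01", "hr01"]),
        # Only explicitly allowed traffic reaches the Isolated PCI host.
        Zone("pci-access", "client_server", {443: "protect"},
             agents=["web01", "pci01"]),
    ]
    pairs = [(web01, db01, 3306), (dev01, web01, 22), (dev01, hr01, 445),
             (web01, pci01, 443), (dev01, pci01, 22)]
    return {f"{s.name}->{d.name}:{p}": resolve(zones, s, d, p)
            for s, d, p in pairs}


if __name__ == "__main__":
    for flow, decision in demo().items():
        print(f"{flow:22s} {decision}")
```

Run it directly to print the five decisions. The web-to-database flow shows a Client/Server Zone winning over a broader Internal Access Zone, the dev-to-HR flow shows a deny Zone overriding a clear Zone of the same type, and the Isolated pci01 Agent shows the default-deny behaviour for traffic no Zone allows.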
Many companies face a guest networking security challenge and use network firewalls, ACLs, VLANs and firewall rules to separate the machines involved in contractor projects from the broader network. The challenge is managing access to systems once guests have been granted access to the corporate network. A single EpiForce Agent can be used to limit guest users' access to internal systems:
- The guest uses a VPN through a firewall to access the corporate network. The VPN authenticates the user and assigns an IP address from a pool.
- The user is directed to a Windows or Citrix terminal server with the EpiForce Agent installed.
- An Agent-based policy can use the source IP address range to allow or block access to internal servers.
- A user-based policy can limit access to internal servers based on the end user's login at the Windows or Citrix terminal server.
Policy-based encryption of data in motion allows encryption to be applied granularly, at the port level, encrypting only those communications that need to be confidential and so minimizing the computational overhead of encryption. EpiForce gives enterprises an encryption option with strong security, minimal application performance impact and lower bandwidth requirements.
Where EpiForce Agents are installed on systems running in a virtualized environment, network security policy is enforced regardless of the host system:
- EpiForce Agents can change IP addresses without any change to the policy configuration, so virtual machines can move freely between hosts in the data center.
- EpiForce Agents support moving live VMs with VMware VMotion without interrupting communications; IP addresses are updated automatically as the VM moves between ESX hosts.
- Not only is network traffic managed between a VM and the external network, all traffic between VMs on the same host is managed as well.
- Each Agent is identified by a unique name. Since duplicate Agent names are not allowed, VM sprawl is minimized.

Compare this to virtualized network security implemented using firewalls and intrusion prevention systems.
In addition to specifying network security policy for all traffic to and from an Agent, EpiForce can also apply security policy by the user name that sends or receives the traffic. This works on all Windows platforms, in cooperation with Agents on non-Windows platforms. User names used to specify network policy must be entered in the EpiForce database. EpiForce supports local, system and domain-defined user names. Where users are managed in a Microsoft Active Directory (AD) domain, user names can be imported and periodically synchronized with AD using scheduled LDAP extracts; the extract schedules are configured in the Admin Console. If user names are defined in AD, the Admin Server can authenticate them using Microsoft Kerberos login credentials before sending user-based network security policy to the Agent.
EpiForce features:
- Uses industry-standard cryptographic protocols to secure Agents and network data
- Automates all cryptographic tasks, for example certificate renewals and key creation
- Provides selective protection for data on the corporate network
- Manages network security for all VMs within a host as well as between hosts
- Implements identical network security policies on virtual and physical systems transparently