Introducing IDex

Article #: Product Castle
KB-169 IDex Kenilworth

What is IDex?

IDex is a way for the Smoothwall to know who has logged in where on your network. This allows the Smoothwall to apply the appropriate filtering and firewall settings based on who you are and your group membership, not just the device you happen to be using.

Why use IDex?

IDex identity indexing offers an alternative to authentication which is:

  • Simple to deploy via group policy
  • Simple to configure, with no reliance on the Smoothwall being joined to an AD domain
  • Able to attribute all web traffic to logged in user, so there’s no authentication exceptions. This enables you to identify individual users that may need Safeguarding, and help to comply with the Prevent duty
  • Resilient to external problems on the network such as the loss a server or network link to the Active Directory domain
  • Transparent to the end user. There’s no login prompts or messages displayed to the user, IDex is a background service, so no more user authentication calls to your helpdesk
  • Scalable. IDex centrally identifies users across many different independent domains. Smoothwall can replicate identity information across a Smoothwall cluster, removing yet more complex setup

Why use an alternative to authentication?

Traditional authentication methods such as Kerberos and NTLM are precise in verifying user identity, but similarly are complex to set up. The Smoothwall needs to be joined to the Active Directory. Browsers and web applications need to support NTLM or Kerberos, or an authentication error will occur. This requires complex authentication exceptions to be set up and maintained, causing an administrative overhead.

How is IDex different?

To understand how IDex is different, let’s first understand at how traditional authentication works with Smoothwall;

When a user logs on, your Active Directory Domain Controller grants the user permission to the network.

With traditional authentication, such as NTLM or Kerberos, every time a user makes a web request, the Smoothwall queries the Active Directory Domain Controller, to ensure that the user has permission. It then retrieves the web content according to their firewall and filtering policies. This constant need to seek verification from the Domain Controller is highly secure, but is complex to set up and can cause problems if there is a loss of connection to the controller, leading to authentication errors.

IDex Directory records the username, groups, IP address and logged-in timestamp for a user, and integrates with Smoothwall services that require identity information, such as Guardian and the Firewall. It replicates data across nodes so all servers have access to current IDex data and can apply actions before a client first connects.

There are two ways that IDex can gather this information:

IDex Client can be installed on your any Active Directory domain joined devices, including Windows and Apple Mac OS workstations. It can be easily deployed and configured via Active Directory Group Policy, and is transparent to the end user.

IDex Client interrogates the workstation first hand as to who is logged into the device at any given time, and so is not reliant on a connection to domain controllers to identify users. When a user makes a web request, IDex Client forwards the logged in user’s username, groups and web traffic to the Smoothwall. With no need to verify the user’s permissions directly with the Domain Controller, the web content is returned according to the user’s firewall and filtering policies.

IDex Client also enables you to identify users behind NAT devices or logged in using fast user switching or terminal services.

IDex Agent is an application which runs on Windows Active Directory domain controllers, and can be deployed using Active Directory Group Policy. It monitors the Windows event audit log on the domain controller, and notifies IDex Directory of the logged in user’s username and IP address in as soon as they log on. This means that when a user makes a web request, the Smoothwall already knows the identity of the user, and so can apply the appropriate filtering and firewall rules instantly, again with no need to communicate directly with the Active Directory Domain Controller.

You can use IDex Client, or Agent with IDex Directory, or both together.

Where can I use IDex?

IDex can be used for any Active Directory domain joined users and devices, including Windows and Apple Mac OS workstations. It isn’t intended for remote or offsite filtering, or for BYOD such as an android mobile.

Will it work alongside my existing authentication methods?

If you already have a trusted authentication method you are using, IDex can work alongside it. There’s no need to switch at this point, and existing methods will not be deprecated.

Attribution:

Last updated: Author: Contributions by:
10 August 2017 Suzanne Knight