EpiForce
EpiForce: Protecting Personal Information

What is EpiForce?
Apani® EpiForce® is a software-based, cross-platform server isolation, encryption and access management solution that enables logical security zoning and policy-based protection of data in motion. EpiForce has a distributed, centrally managed architecture that is transparent to end users, applications and infrastructure, making it quicker to deploy and less costly to manage than hardware-centric solutions.

Single Solution: Physical and Virtual Servers
EpiForce security software delivers cross-platform server protection for both virtual and physical environments with a single solution. Server isolation eliminates vulnerabilities within the corporate network by isolating servers and desktops containing business critical data into logical security zones, regardless of platform and physical location. Access to these zones is strictly based on policy, and communication between the systems may be selectively encrypted. Cross-platform server isolation provides flexibility and efficiency not available with traditional network security solutions, and mitigates risk in the event of a breach.

Benefits
• Cross-platform support to protect heterogeneous environments
• Apply network security policies to legacy applications
• Selectively apply strong encryption policies
• Transparent to existing applications, without code rewrites
• Create logical security zones regardless of platform or physical location
• Prevent security gaps when relocating a virtual machine to another server
• Highly scalable architecture
• No end user training
• Limit audit scope and provide a strong audit trail
• FIPS 140-2 Level 1 validation

Logical Security Zoning
Logical security zones offer a superior, software-based alternative to traditional network segmentation accomplished with firewalls and VLANs.
Zones enable flat corporate networks to be separated into isolated security communities without reconfiguring the network and without regard to the physical location of computers. Servers and endpoints are assigned membership into one or more logical security zones, creating a flexible, layered security approach within the corporate network. Logical security zones can be based on endpoint identity, IP address, user identity and port.

EpiForce is ideal for:
• Remote worker/contractor isolation
• PCI-DSS, HIPAA, SOX and CoCo
• Mergers, acquisitions and divestitures
• Financial institutions, retail stores, health care and public sector

www.apani.com, 2929 E. Imperial Hwy Suite 110, Brea, CA, 92821, USA, America +1.714.577.1600, United Kingdom +44 (0)118 9298060

With EpiForce, logical security zones can span across physical and virtual environments, and systems can belong to one or more zones. Inclusion in a logical security zone is persistent and does not cease when a system is physically relocated or a virtual machine is moved, providing organizations the flexibility to locate systems where warranted by business demands. Logical security zones can be virtually unlimited in size, a contrast to the constraints of available ports on a switch or a firewall in traditional network segments.

Logical security zones are centrally administered through one or more EpiForce Administration Consoles, enabling zones and security policies for an entire network to be modified with only a few mouse clicks. Administration can be delegated and workflow enabled for approving and committing policy changes. Logical security zones may be created, moved or modified without the need to physically reconfigure the network. EpiForce controls access to members of logical security zones and dictates which systems can communicate with each other.

[Figure: Logical security zones enable layered security without regard to platform or physical location.]

Policy-Based Encryption of Data in Motion
Policy-based encryption of data in motion offers a superior alternative to the rigid encryption approaches common in link encryptors, network firewalls and personal firewalls. Policy-based encryption of data in motion secures communications between servers and/or clients based on policies configured by the security administrator. Apani EpiForce takes a unique two-pronged approach to encryption – delivering an efficient, low-overhead encryption mechanism and enabling security administrators to selectively deploy encryption policy at the port level. This approach allows EpiForce to strike an optimal balance between communications security and application performance, while reducing overall bandwidth requirements due to encryption.

Policy-based encryption of data in motion offers a superior alternative to the rigid, all-or-nothing encryption approaches common today. It secures communications between users, virtual machines, physical servers and clients based on policies set by the security administrator.

[Figure: Policy-based encryption offers efficient and selective encryption at the port level.]

EpiForce® Features & Benefits

Management

Centralized Management Interface
Manage security policy for all EpiForce-enabled servers and endpoints from a single administration console. One or more administration consoles can be utilized simultaneously, enabling the flexibility to manage centrally, regionally or by business unit.

Auto Create and “Push” Install Support
EpiForce enables thousands of servers and endpoints to be added and assigned security policy at once, streamlining initial and incremental deployments. Client software can be deployed through most standard “push” installation packages such as Microsoft Active Directory and LANDesk.

Role-Based Delegation of Admin Privileges
Maximize flexibility in operationalizing security policy by delegating administrator privileges to five roles including Super User, Account Management, System Settings, Operations, Audit and Read-Only.

Powerful Administrator Workflow
Utilize powerful workflows to create, submit, approve and commit security policy. All administrator actions are tracked as Change Sets and entered into the workflow process.

Enhanced Alert and Activity Logging
Monitor operations of all client software through real-time alerts on penetration attempts, operational status, IPSec protocol status and an audit trail of key management and encapsulation protocols. EpiForce stores activity logs in standard Syslog and Windows Events Log formats.

Easy Deployment and Upgrades
EpiForce is compatible with most third party deployment tools including Microsoft Active Directory and LANDesk.

Operations

Logical Security Zones
Isolate servers and endpoints into one or more private communities without regard to their physical location. Logical security zones can be based on IP address or range, port, geographic region or user group. Logical security zones can be spanned across physical and geographic boundaries.

Policy-Based Encryption of Data in Motion
Efficiently secure communications between servers and endpoints based on port-level policy. Policy-based encryption is highly scalable, maximizes application performance and minimizes bandwidth requirements. EpiForce combines strong encryption and data integrity using industry-standard protocols.

Distributed Architecture
EpiForce is a distributed architecture with policy enforced between servers and clients themselves, eliminating the bottlenecks and single points of failure common in hardware-based solutions like firewalls, VLANs and NAC.

Policy Persistence
Security policy deployed by EpiForce remains persistent, regardless of the physical location of a server or endpoint. When a machine is moved, the security policy goes with the machine and does not require any policy changes or administrative action.

Customizable Failover Procedures
Granular and customizable failover procedures enable more flexibility to deploy EpiForce into normal business processes.

Support for Unprotected Hosts
Enforce policy for servers, endpoints and devices that don’t have EpiForce installed, allowing printers and other devices to be included in logical security zones.

On-Demand Policy Distribution
Facilitate large deployments and the extension of EpiForce to servers and endpoints that have minimal disk and memory resources.

Installation and Interoperability

Cross-Platform Support
EpiForce agent software is available for a broad range of operating systems, providing the flexibility to secure complex, heterogeneous enterprise environments common in large companies.

Network Layer Transparency
EpiForce operationalizes IPSec at the network layer and is transparent to existing infrastructure and software applications. Legacy applications can easily be secured, eliminating the cost, time and incompatibilities associated with rewriting applications.

Broad VPN Client Support
EpiForce is compatible with VPN client software from leading vendors including Cisco and Nortel.

EpiForce Specifications

Management Platforms Supported

EpiForce Management (Admin Server & Database)
• Windows Server 2008, Standard and Enterprise Editions (x86-32 and x86-64)
• Windows Server 2008 R2 Standard and Enterprise Editions (x86-32 and x86-64)
• Windows Server 2003 Standard and Enterprise Editions with SP2 (x86-32 and x86-64)
• Windows Server 2003 R2 Standard and Enterprise Editions with SP2 (x86-32 and x86-64)

Admin Console
• Windows Server 2008, Standard and Enterprise Editions (x86-32 and x86-64)
• Windows Server 2008 R2 Standard and Enterprise Editions (x86-32 and x86-64)
• Windows Server 2003 Standard and Enterprise Editions with SP2 (x86-32 and x86-64)
• Windows Server 2003 R2 Standard and Enterprise Editions with SP2 (x86-32 and x86-64)
• Windows 2008

Agent Platforms Supported

Microsoft Windows
• Windows XP, SP2 or SP3 (x86-32)
• Windows 7 (x86-32 and x86-64)
• Windows 2003 Standard Edition, SP2 (x86-32 and x86-64)
• Windows 2003 Enterprise Edition, SP2 (x86-32 and x86-64)
• Windows 2008 Standard Edition (x86-64)
• Windows 2008 Standard Edition, R2 (x86-64)
• Windows 2008 Enterprise Edition (x86-64)
• Windows 2008 Enterprise Edition, R2 (x86-64)

Linux
• Red Hat Enterprise Linux 4 (x86-32 and x86-64)
• Red Hat Enterprise Linux 5 (x86-64)
• Red Hat Enterprise Linux 6 (x86-64)
• SuSE Linux Enterprise Server 11
• Linux on System z

Apple
• Mac OS X 10.6, 10.7

IBM
• IBM AIX 5.3 (POWER, 64-bit)
• IBM AIX 6.1 & 7.1 (POWER, 64-bit)

Community Enterprise Operating Systems
• CentOS 5 (x86-64)

Solaris
• Solaris 8 (64-bit SPARC)
• Solaris 9 (64-bit SPARC)
• Solaris 10 (64-bit SPARC)

HP
• HP-UX 11i v1 (64-bit PA-RISC)
• HP-UX 11i v2 (64-bit Itanium)

Technical Specifications
Authentication: x.509v3 certificate-based
Security Standards: IPsec, IKE, x.509v3, FIPS 140-2
IPsec Data Encryption: 3DES (168-bit key), AES-128, AES-256
IPsec Data Integrity: HMAC SHA-1
Certificate Authority: Embedded x.509v3 certificate-based with automatic certificate management
Connection Authentication: x.509v3 certificate-based with verification using DSS
Key Management: Automatic key generation and updating using IPsec standard Internet Key Exchange protocol (IKE), Diffie-Hellman Key Exchange, Identity Protection
Scalability: Supports up to 100,000 agents

Document Number 003ds1010v10
© 2011 Apani Networks. Apani and EpiForce are registered trademarks of Apani Networks. All other marks are the property of their respective owners.