
BorderGuard
CAC-based Remote Access VPN

on Army Information Assurance Approved Products List

DoD PKI Solutions

Local Admission Control of DoD CAC Remote Access VPN

There are millions of valid common access card (CAC) holders in the Department of Defense (DoD) today. Any one DoD organization wants only a small subset of valid CAC holders to participate in its remote access virtual private network (VPN). Later, that organization needs a rapid, unilateral means to revoke access without depending on indiscrete, untimely procedures to invalidate a user's CAC. The BorderGuard CAC-based remote access VPN solution answers these needs in a uniquely effective, practical, and secure manner compared with all alternatives. The solution consists of three components: a "Green List", a "Red List", and Active Directory integration. It can be deployed for organizations with thousands of users in less than two hours once all deployment information has been gathered.

"Green List" – identifies the valid CAC holders that may participate in the remote access VPN. Administrators can import a list of users with EDI-PI from Active Directory.

Native Active Directory VPN Integration – requires successful CAC Active Directory (AD) authentication or the tunnel dissolves. Successful authentication generates a Kerberos ticket and a LAN admission event record. Remote access end-users, or those visiting other bases, enjoy the same transparent experience as when they are jacked-in within their home office, without any client, VPN gateway, or Active Directory changes necessary.

"Red List" – terminates existing remote access connections in real time without invalidating credentials or affecting other users. Other systems must terminate all end-user connections to terminate one specific user connection, which can bog down a VPN gateway for half an hour when hundreds or thousands of users must re-authenticate with their CACs. When intrusion detection systems identify malware activity emissions from a connected CAC holder, an administrator can use the "Red List" to terminate that session in seconds and then assign the user to a quarantine zone. Similarly, administrators might use the "Red List" to cut off a disgruntled insider downloading unusually large amounts of data or attacking the intranet.

What's Wrong with Alternatives

  • Require costly deployment of at least one Microsoft Internet Authentication Service (IAS) server per unique Windows domain employed by the end-user population
    • Roughly $6000 per unit including licensing and hardware
    • High availability may demand two IAS servers per domain as well as server replication per site
    • An organization with 6 unique Windows domains and high availability requirements can spend $72,000 on IAS servers
    • Operations costs likely far exceed capital costs
  • VPN appliance must be configured to serve as a proxy between end-users and Active Directory (AD)

Why Choose Blue Ridge Networks?

  • Deploy system within two hours
  • True local Active Directory (AD) authentication resulting in a new Kerberos ticket for the user
  • Dramatic operations and capital cost savings compared to alternatives
  • BorderGuard Client VPN and BorderGuard VPN appliance require no Active Directory (AD) configuration parameters or credentials
  • Requires no additional set-up; it just works
  • BorderGuard VPN appliance and VPN client are FIPS 140-2 certified
  • BorderGuard system is the only VPN system on the Army Information Assurance Approved Products List
  • BorderGuard system is JITC certified