What Do You Get with SafeConnect?
The software user licenses are based on the average number of concurrent users. This means you only purchase licenses based on who you know and based on an average. And given it is an average, the system continues to operate if you exceed your license count.
The appliance operates as a true “out-of-line” network device and “fails open,” presenting no single point of failure, performance bottlenecks, or maintenance-related or scheduled network outages.
Our remote installation and speed to deployment is fast, really fast! Our current installation record stands at 8 minutes flat. We are looking for a customer who can break this record.
SafeConnect comes with the industry’s only proactive maintenance and support service. This means we monitor the health of your system 24x7x365. If a problem is detected we proactively work to correct it. This is how maintenance is supposed to be.
SafeConnect works with your directory services (e.g. LDAP, MS Active Directory) to enable user authentication. The system also automatically identifies devices on the network. These two functions work automatically to match users to devices. This allows security policies to be applied based on user groups (student, employee, guest, vendor, etc.), access method (wired, wireless, VPN), or device type (Windows, Mac, gaming, mobile, etc.).
The biggest challenge in managing network performance and security today is the dramatic increase in the number of mobile devices connecting to the network. SafeConnect can keep you one step ahead by being able to identify, authenticate, on-board and monitor these devices in an automated way.
Ultimately, the “experience” is the result of the way Impulse does things. And it all goes back to our user-centric business philosophy. This full-service solution approach combines Impulse’s products with expert technical support and network insight. As a result, our clients gain an enduring and evolving solution that is able to address ever-changing security, intelligence, and visibility and control demands.
The industry’s most comprehensive, client-centric managed services delivery model (aka The Impulse Experience) includes access control architecture that drastically simplifies the enablement of network security, control and intelligence; a decade of experience and technology leadership in BYOD enablement and in Education; and significant IT cost reductions in the areas of network infrastructure, maintenance and support costs.
SafeConnect provides the ability to not only automate the enforcement of security and compliance policies, but also gathers a wealth of context-aware device information so you can make informed and intelligent decisions about your network. Impulse’s Contextual Intelligence™ technology delivers real-time device information that correlates identity/role, device type, and location (along with other attributes such as ownership and compliance status) over time to power its SafeConnect solution.
Information gleaned “in context” regarding mobile devices on the network (both real time and historically) allows IT managers to make better decisions on network capacity, risk mitigation, and the forensic analysis required for addressing compliance. Accessing real-time contextual information also reduces the number and length of help desk calls by improving the end user experience.
In addition to Impulse’s existing Layer3 Policy Based Routing (PBR) network enforcement, the latest version of SafeConnect introduces a new device enforcement option—RADIUS-Based Enforcement (RBE). RBE delivers dramatic scalability enhancements and more granular network and application access role assignments for 802.1X/WPA2 Enterprise and Open wireless network environments.
As the numbers of mobile devices increase and affect network density, a more flexible, scalable and dynamic mechanism is needed to enforce BYOD security policies. Capitalizing on existing customer investments in wireless technologies, RBE utilizes network communication standards to manage device role and access control.
A key benefit of RBE is its non-reliance on VLAN Steering. Within a wireless network environment, VLAN manipulation is a resource burden to design, deploy, and support, and it contributes to a poor end user experience every time a device is forced to change VLANs. Impulse’s RBE assigns network access privileges to a specific device versus moving a device to a common/shared VLAN.
SafeConnect is specifically designed as a vendor-independent solution that easily integrates into existing (or future) network architecture. No switch manipulation. No forklift upgrades. Fewer moving parts.
The SafeConnect system simply requires access to one or more Layer3 switch/router points of network aggregation that support Policy Based Routing (PBR) and either NetFlow or sFlow. SafeConnect’s continuous posture assessment capability can also leverage technology to assign per-user quarantine roles for clients that are not compliant with security requirements, and participate in Single Sign-on (SSO) Authentication using 802.1x–WPA2 Enterprise.
Out of Line Solution
SafeConnect is an appliance-based NAC solution that is implemented as a true “out-of-line” network device. The SafeConnect Policy Enforcer Appliance sits out-of-line with the core network and fails open, presenting no single point of failure, performance bottlenecks, or maintenance-related or scheduled network outages. In the event of a failure, all existing and new users to the network are unaffected and have uninterrupted access to network resources.
No Changes to LAN/WAN Required
SafeConnect is network switch hardware and software vendor independent and integrates into the existing network architecture with no changes or continuous manipulation of Layer2 network switch devices, wireless access points, or VPN concentrators required.
Directory Services Integration
SafeConnect utilizes directory services infrastructure (e.g. LDAP, MS Active Directory, RADIUS) to authenticate end user devices. The system can also apply identity- or role-based policies and enforcement rules based on how a user is defined within the directory system (student, employee, guest, vendor, etc.). Users who cannot be authenticated can be quarantined or blocked from accessing the network. SafeConnect also features a Single Sign-On (SSO) authentication capability that could allow existing AD-managed users to maintain their existing login process and user experience.
How Does SafeConnect NAC Work?
The Policy Enforcer
The SafeConnect Policy Enforcer is a pre-configured hardware and software appliance bundle. It is installed on your premises (and is also available virtually) and connected to your existing Layer3 switch/router in an out-of-line network fashion. A single Policy Enforcer can manage network access policies for up to 10,000 concurrent endpoint devices. For environments with more than 10,000 current endpoints, additional enforcers are added. SafeConnect is currently running on hundreds of environments with over 25,000 concurrent endpoints. Our largest deployment is managing more than 80,000 devices. The entire system is managed locally by the organization through the SafeConnect Policy Management Console.
The Policy Management Console
The SafeConnect Policy Management Console is a centralized Web-based portal that allows authorized users (typically a policy administrator) to set the acceptable use standards the Policy Enforcer will implement. Administrators can select from a series of pre-configured policies on authentication, anti-virus or anti-spyware protection, patch maintenance levels, and peer-to-peer file sharing, or create their own using the custom policy builder module. Network access can also be managed by group or location, or based on roles users occupy within the organization.
The Policy Management Console also displays real-time policy status reporting to provide valuable insight into group or individual policy compliance. Help Desk personnel can quickly ascertain the security posture and network access condition of any device on the network by searching IP, MAC Address, or User Name. Granular historical database reporting is also available for trending analysis, compliance auditing, and archiving.
Organizations can completely customize the look and feel of the policy notification web pages to match company marketing efforts and enhance the end user experience.
Standard Policy Modules
The SafeConnect system provides the ability to build and assign unique/granular policies based on IP address range, VLAN segment, subnet, or MAC address. Policies can also be assigned by device type (Windows, Apple, Linux, PDA, Gaming Console, etc.) and by individual user identity based on role/group membership as defined by the organization’s existing Directory Services (Active Directory, LDAP, etc.) infrastructure.
The SafeConnect Policy Key
The SafeConnect architecture includes a Policy Key (NAC agent) that is non-intrusive and provides the distributed NAC functionality that affords the system its highly scalable attributes and real-time security assessment. SafeConnect currently provides real-time Policy Key assessment support for Microsoft-based Windows (including Windows 7), and Mac OS 10.5 and higher devices.
The Policy Key is typically installed automatically during the initial device registration process, and is updated in stealth-mode (no end user interaction required). The Policy Key can also be pre-distributed by a preferred software distribution method such as Active Directory group policies, SMS, or via physical media. The Policy Key may be provisioned so that it will self-dissolve if it has been inactive for a specified period of time (such as 48 hours, or 30 days, etc.). Additionally, the Policy Key has a very small footprint (1Mb size) compared to competing approaches, and consumes less than 1% of system resources.
The Policy Key does not collect any personal information. Nor does it have the ability to act as spyware. It strictly identifies and reports policy status (as can be answered with true/false questions) required for the operation of the solution. The Policy Key continually assesses the end user’s computer for compliance with your security policies. If an end user is not in compliance with an organization’s network access policies, the SafeConnect solution delivers individualized remediation guidance and can isolate the device until the policy breach is resolved.
The End User Licensing Agreement
The attached terms and conditions shall apply to the provision and use of the Impulse SafeConnect™ product and services (individually a “Service” and collectively the “Services”) provided.
Easy Integration Into Your Network
Impulse will assist in developing a deployment plan and will provide support throughout the production deployment process. Impulse’s managed service offering also includes on-going “how-to” consultative support that will enable the organization to maximize their investment.
- The SafeConnect Policy Enforcer Appliance is installed out-of-line on your premises and is connected to an aggregation point.
- Working with Impulse, you determine your policies and configure your enforcement rules using the SafeConnect Policy Management Console by network segment or directory services group.
- Endpoint devices connecting to the network are intercepted, authenticated, and presented with your acceptable use policies.
- SafeConnect certifies that the device adheres to your endpoint security policies on a continuous/real-time basis, reports any non-compliance to the SafeConnect Policy Enforcer, and delivers individualized remediation guidance.