eTIPS Architecture
In order to address emerging requirements for generalized network-based authentication and authorization, eTIPS has been designed around an architecture that incorporates innovative design practices and the latest technologies. Avenda understands that a robust architecture must support each of the leading access control and identity-based networking frameworks, must easily accommodate future enhancements because this is a rapidly growing area, must be able to leverage the functionality embedded within endpoint and network devices, and must integrate with existing identity and trust services.
Along these lines, the eTIPS architecture is designed to provide consolidated and unified policy management to eliminate the operational burden caused by multiple disparate policy and access control systems and technologies. Thus, the overall solution architecture is one where eTIPS seamlessly integrates with endpoints, network devices, and backend trust and identity services to create an automated user and device access control platform that can be leveraged across any access method.
eTIPS Solution Architecture
Architecture Highlights
- Protocol independent policy model - With the myriad of access protocols and methods that are prevalent in today's networks, it is important for a unified policy platform to present the same policy model - representation and configuration of policies - to the network administrator. eTIPS is the only platform in the industry that has been built from the ground up to be protocol and access method independent; no matter what the access protocol is - RADIUS, RADIUS/802.1X, RADIUS/MAC-Auth, web authentication or TACACS+ - eTIPS presents the same policy model to the administrator. Ease of policy creation and consistency in the policies created are the direct benefits of this architectural principle.
- eTIPS supports standard and common protocols and security algorithms for access requests and for backend trust and identity services. A modular plug-in architecture makes it easy to extend the system to include other access protocols and servers as the need arises.
- Attributes and credentials for making access control decisions are constantly being expanded. The eTIPS policy engine uses extensible dictionary-based rule definitions with a rich set of data-sensitive operators to support even the most complex use cases in the enterprise. Policies can be created using static or dynamic attributes present in the session, the access protocol and identity stores, in order to make fine-grained access control decisions.
- Attributes are managed internally in a canonical form and exposed to the administrator in a user-friendly form. Data-dictionaries map attributes and credentials between the canonical form and device-specific form. This allows administrators to specify policies in a device neutral manner. It also makes it easy to add support for new devices that might be introduced into the network after initial deployment. eTIPS can thus support a network consisting of devices from different vendors and of different types (wireless, wired LAN, VPN), while presenting a consistent set of policies to the network administrator.
- While access control to date is mostly proactive, meaning that an access control decision is made when a client first connects to the network, it is well recognized that reactive access control, meaning ongoing evaluation of clients' access rights, is also required. The eTIPS architecture has been designed to also support reactive access control mechanisms as these become prevalent.
- eTIPS is a distributed, replicated architecture with no single point of failure. This allows the platform to scale to large enterprises and to continue to operate even if some of the individual servers are not operating. With the proper network design, access control is available even when the network itself is partitioned. Servers can be added or removed on the fly.
- Both the management of eTIPS itself and the definition of access control policies are performed from any standard web browser using the latest Web 2.0 user interface technology. Centralized management of all eTIPS nodes - for configuration, monitoring and troubleshooting - can be done from the same administration console.
- eTIPS has been built with a rich set of APIs to provide extensibility and integration points for third parties. The generalized authentication and authorization services provided by eTIPS are exposed through APIs for third-party application and device integration. A REST-based API allows the administrator to use a scripting language to configure all aspects of eTIPS. The eTIPS posture plugin framework and API allow third parties to integrate custom posture checks.
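As an added illustration (not Avenda's code) of the canonical-attribute and dictionary-based rule model described in the highlights above, the following toy policy engine lets two hypothetical vendor dictionaries map device-specific attribute names onto canonical ones, merges identity-store attributes into the session, and evaluates device-neutral rules through pluggable operators. All vendor names, attribute names, MAC values and the policy itself are constructed for this example.

```python
import re

# Constructed data dictionaries (hypothetical vendor attribute names): each maps a
# device's own attribute names onto one canonical, device-neutral name.
DICTIONARIES = {
    "vendor-a": {"User-Name": "Username", "Calling-Station-Id": "Client-MAC", "VA-SSID": "Wireless-SSID"},
    "vendor-b": {"User-Name": "Username", "Calling-Station-Id": "Client-MAC", "VB-WLAN-Name": "Wireless-SSID"},
}

# Operators a rule condition may use; keys are the names referenced in POLICY.
OPERATORS = {
    "equals": lambda actual, expected: actual == expected,
    "in": lambda actual, expected: actual in expected,
}

# Constructed policy, written only in canonical attribute names and evaluated
# first-match as (conditions, role). "Group" comes from the identity store.
POLICY = [
    ({"Wireless-SSID": ("equals", "corp"), "Group": ("in", {"staff", "it"})}, "employee"),
    ({"Wireless-SSID": ("equals", "guest")}, "guest"),
]
DEFAULT_ROLE = "deny"

def normalize_mac(value):
    """Reduce vendor MAC spellings (00-11-22-..., 0011.2233...., 00:11:...) to one form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    if len(digits) != 12:
        raise ValueError("malformed MAC address: %r" % value)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def canonicalize(vendor, raw_attrs):
    """Translate a device-specific request into canonical attributes."""
    mapping = DICTIONARIES[vendor]
    canon = {}
    for name, value in raw_attrs.items():
        if name not in mapping:
            continue  # attribute unknown to this dictionary: ignored, never guessed at
        canonical = mapping[name]
        canon[canonical] = normalize_mac(value) if canonical == "Client-MAC" else value
    return canon

def evaluate(vendor, raw_attrs, identity_attrs):
    """Return the role for one request; identity store attributes are merged in."""
    attrs = dict(canonicalize(vendor, raw_attrs), **identity_attrs)
    for conditions, role in POLICY:
        if all(name in attrs and OPERATORS[op](attrs[name], expected)
               for name, (op, expected) in conditions.items()):
            return role
    return DEFAULT_ROLE
```

Because the rules reference only canonical names, the same POLICY yields the same decision for both vendors' requests; adding a third device type means adding a dictionary entry, not rewriting rules.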