Access Control and User Authentication:
This excerpt from the ISCS documentation illustrates the novel way in which ISCS handles access control and user authentication -- one of ISCS' great advantages.
A subnet can NAT to a completely different subnet throughout the entire global environment (e.g., to resolve conflicting IP address space among clients for a multi-client MSP or between offices during a merger). All it takes is a single mouse click and entering the NAT subnet.
Public TTL alteration:
The Time To Live field for any packets sent over a public interface for a subnet, range of servers, single server or a specific service on a server may be altered by simply entering the new value for the TTL. An e-tail setup is a perfect illustration. Picture a web server farm on a DMZ through which customers place online orders. The web servers communicate through the firewall with a database farm on the private network, where transactions are executed and customer information such as credit card records is stored. One might set the public TTL for the database servers to 2. If an attacker cracks the public web server, uses it to compromise the database server and then attempts to transfer the database server's data across the Internet to some malicious site, the database server's packets will not make it past the ISP's router because the TTL has expired.
ISCS automates the creation of even the most complex NAT, including some-to-many, many-to-some, nested and overlapping NAT ranges. The user is presented with the options to address any conflicts and ISCS does all the rest.
Macro scalability and granular control:
ISCS allows the encapsulation of an entire network in a single server. This allows an administrator to grant broad access very quickly with a minimum of policies. However, ISCS Best Match technology ensures that one can define specific servers within this same network with no danger of the broader privileges being granted to the more specific server. The SuperRanges and SubRanges are identified and the SubRanges are literally removed from the SuperRanges. This is much safer than isolating more specific addresses from less specific addresses via rule order. The combination creates the ability to scale up to large environments with a minimal rule set and scale down to highly granular control.
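The SubRange removal described above can be sketched as follows. This is an added illustration, not ISCS code: the function names and the 10.1.0.0/16 addresses are constructed for the example, and IPv4 CIDR ranges are assumed.

```python
import ipaddress


def remove_subranges(super_range, sub_ranges):
    """Return the CIDR blocks of super_range left after carving out each sub-range.

    The broad policy is then applied only to the returned blocks, so it can
    never match a more specific server, whatever order the rules end up in.
    """
    remaining = [ipaddress.ip_network(super_range)]
    for sub in map(ipaddress.ip_network, sub_ranges):
        next_remaining = []
        for block in remaining:
            if block.subnet_of(sub):
                continue                      # block lies wholly inside the sub-range
            if sub.subnet_of(block):
                # Split the block around the sub-range and keep the rest.
                next_remaining.extend(block.address_exclude(sub))
            else:
                next_remaining.append(block)  # no overlap, keep unchanged
        remaining = next_remaining
    return sorted(remaining)


def broad_policy_applies(addr, blocks):
    """True if addr is still covered by the broad (SuperRange) policy."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in blocks)


if __name__ == "__main__":
    # Constructed sample: one network-wide grant, two more specific definitions.
    blocks = remove_subranges("10.1.0.0/16", ["10.1.5.10/32", "10.1.8.0/24"])
    for block in blocks:
        print(block)
    for host in ("10.1.5.10", "10.1.5.11", "10.1.8.77", "10.1.9.1"):
        print(host, "broad policy applies:", broad_policy_applies(host, blocks))
```
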
Many more illustrations and examples are available in the screen shots section.