
OPSEC Partners

SentriNET v2.0

Product Version Certified: 2.0
Certified for use with:
Check Point Next Generation

Product Description: SentriNET provides biometric authentication for network and application log on. The system stores digital data from a scan of the user's fingerprint (it does not store an exact image of the fingerprint) and matches it against freshly captured data each time the user attempts to log on.

     
   
 

Company Description: Since its establishment in 1989, BMS Biometrics has become a worldwide market leader in the design and manufacture of biometric solutions, including use of fingerprints, smartcards or tokens.

As a software developer, its non-proprietary authentication software solutions have been supplied to both private and public sector organisations worldwide (BMS Biometrics has over 700 installations in the UK National Health Service), making a significant and tangible difference to the protection of assets held on IT systems.

It has accumulated a wealth of experience in implementing biometric solutions that provide the right level of protection for customer information, based on the specific risks to their businesses.

 
 
Key Features and Benefits
  • SentriNET utilizes existing Directory Services, Windows 2000 - ADS.
  • SentriNET stores both multiple templates per user and the type of scanner used, increasing resilience if fingers are damaged.
  • The system provides strong authentication of end-users' identities before granting them VPN access to internal resources.
  • Simplicity of deployment: SentriNET supports remote enrolment of users with an initial secured password, which is replaced with the fingerprint template on completion of biometric enrolment.
  • SentriNET supports smart cards as an alternative to directory services for template storage, allowing actions to be taken when the card is inserted or removed, e.g. log the user out or suspend the session to a screen saver.
  • No third party databases: most biometric solutions require an intermediate server for log on, which can be costly and require additional overhead for data integrity.
  • No additional management tools: SentriNET operates with the existing network user management tools.
  • Resilience of directory services: being part of, rather than additional to, the existing computer infrastructure, fingerprint templates are replicated, backed up etc. as part of the daily operations of the network.
  • Non-hardware specific, SentriNET is designed to operate with scanners from Siemens, Sony, Cherry Keyboards, Biolink, BAC, Ethentica, Precise Biometrics etc.
  • The architecture of SentriNET allows for both additional devices to be added and for other types of biometrics to be used e.g. voice or face recognition.
OPSEC Integration

SentriNET allows for a method of biometric authentication to any OPSEC™ compatible application, including FireWall-1® and VPN-1®.

Biometric templates are stored within an LDAP-compatible file structure. SentriNET LDAP compatibility is implemented via Active Directory Services within the Windows 2000 environment. When a user attempts to access protected network resources, FireWall-1® will call into action the authentication process via RADIUS. The authentication process is based on the SentriNET user profile: biometric, token, PIN or password.

An authentication request containing a user identification is received by VPN-1/FireWall-1® from the VPN-1® SecuRemote™ / SecureClient™ client. The VPN-1/FireWall-1® Gateway will then retrieve the user logon method from the SentriNET user profile within Active Directory, and an authentication request is made at the client based on this user profile. There is no need for the authentication server to be located within a firewall-protected partition of the network, although this is the generally adopted method of use. VPN-1/FireWall-1® does not need any additional hardware or software in order to allow for SentriNET authentication.