Former Cisco Engineers Found Start Up Rohati Systems

Start-up Rohati Systems pitching network-based entitlement control device.

Five former Cisco engineers have co-founded a start-up called Rohati Systems whose products take dead aim at traditional perimeter firewalls.

A traditional firewall and its access control lists "is not capable of doing its job today from an access-control perspective," says CEO and President Shane Buckley. "Nowadays, your IP address just doesn't represent who you are."

Rohati will mark its debut this week with a network-based entitlement control device designed to limit access to applications, such as Microsoft's SharePoint collaboration suite, based on the user's authentication.

Called the Transaction Networking System (TNS), the appliance is intended to reside close to the data assets it protects, usually in the data center. It checks whether users should be permitted to access application data stored there based on user credentials, which might come from Kerberos, an SSL VPN or Microsoft's NTLM authentication protocol.

TNS functions at the application layer to establish Layer 7 access-control lists to limit who has what access to data, Buckley says. Use of the TNS begins by putting the device in monitor mode to let it watch the users accessing the data, capturing all the transactions, such as opening and closing files.

"This way, the appliance is learning all the transactions in the network," Buckley says. This enables the appliance to build a policy that managers can refine, such as permitting or denying, or allowing reading, writing or deletion.

Now in beta and expected to ship in July, the appliance makes use of the OASIS standard called the eXtensible Access Control Markup Language (XACML) for the data-management policy.

"The appliance has a set of policies on who can have access to what based on directory attributes," Buckley says, adding that one advantage is that no changes to existing applications and no new client software are required. TNS competes most directly with entitlement software from CA, Oracle, IBM Tivoli Software and Securent, which was acquired by Cisco last November for $100 million.
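The two ideas in the preceding paragraphs, a monitor mode that learns Layer 7 transactions and turns them into a policy, and an XACML-style policy evaluated against directory attributes rather than source IP addresses, can be sketched in a few dozen lines. The following is an added illustration written for this article, not Rohati's code, and it makes no claim about how TNS is implemented internally. The sample transactions, user names, groups and SharePoint-style resource paths are constructed; "sharepoint://" is a notation invented for the example, and the deny-overrides combining rule is one of XACML's standard combining algorithms.

```python
"""Toy network-based entitlement control: learn a Layer-7 policy from observed
transactions, then enforce it with XACML-style rules over directory attributes.
Added example for illustration only; not Rohati's or any vendor's code."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset[str]   # directory attributes resolved for the user (e.g. AD groups)
    resource: str            # application object, e.g. "sharepoint://finance/budget.xlsx" (constructed notation)
    action: str              # transaction type the appliance saw: "read", "write" or "delete"


@dataclass(frozen=True)
class Rule:
    """One rule, in the spirit of an XACML <Rule Effect="Permit|Deny"> with a Target."""
    effect: str                            # "Permit" or "Deny"
    group: Optional[str] = None            # required directory group; None matches any subject
    resource: Optional[str] = None         # resource prefix (a site); None matches any resource
    actions: frozenset[str] = frozenset()  # empty set matches any action

    def matches(self, req: Request) -> bool:
        return ((self.group is None or self.group in req.groups)
                and (self.resource is None or req.resource.startswith(self.resource))
                and (not self.actions or req.action in self.actions))


def site_of(resource: str) -> str:
    """Collapse 'sharepoint://finance/budget.xlsx' to its site, 'sharepoint://finance/'."""
    scheme, _, rest = resource.partition("://")
    site = rest.split("/", 1)[0]
    return f"{scheme}://{site}/"


def learn_policy(transactions: Iterable[Request]) -> list[Rule]:
    """Monitor mode: every (group, site, action) combination actually observed becomes a
    candidate Permit rule. Combinations never seen stay implicitly denied, which is what
    confines a vendor account to the one site it was observed maintaining."""
    seen: dict[tuple[str, str], set[str]] = defaultdict(set)
    for t in transactions:
        for g in t.groups:
            seen[(g, site_of(t.resource))].add(t.action)
    return [Rule("Permit", g, site, frozenset(actions))
            for (g, site), actions in sorted(seen.items())]


def evaluate(policy: list[Rule], req: Request) -> str:
    """XACML deny-overrides: any matching Deny wins; otherwise a matching Permit;
    otherwise NotApplicable. Note that nothing here looks at a source IP address."""
    decision = "NotApplicable"
    for rule in policy:
        if rule.matches(req):
            if rule.effect == "Deny":
                return "Deny"
            decision = "Permit"
    return decision


def authorize(policy: list[Rule], req: Request) -> bool:
    """Enforcement point: only an explicit Permit lets the transaction through."""
    return evaluate(policy, req) == "Permit"


# Constructed sample of what monitor mode might capture over a learning period.
OBSERVED = [
    Request("alice", frozenset({"finance"}), "sharepoint://finance/budget.xlsx", "read"),
    Request("alice", frozenset({"finance"}), "sharepoint://finance/budget.xlsx", "write"),
    Request("bob", frozenset({"engineering"}), "sharepoint://eng/specs.docx", "read"),
    Request("vendor1", frozenset({"vendors"}), "sharepoint://radiology/xray-fw.bin", "write"),
]

if __name__ == "__main__":
    learned = learn_policy(OBSERVED)
    for r in learned:
        print(r)
    # A manager refines the learned policy: vendors may never delete anything.
    refined = learned + [Rule("Deny", "vendors", None, frozenset({"delete"}))]
    probe = Request("vendor1", frozenset({"vendors"}), "sharepoint://eng/specs.docx", "read")
    print(evaluate(refined, probe), authorize(refined, probe))
```

The learned policy is deliberately coarse (group, site, action); the refinement step is where a manager narrows or widens it, and the deny-overrides rule means an added Deny always beats a learned Permit.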

Every time a user goes to access an application, TNS makes an authorization check, but speed shouldn't be an issue, Buckley says, because the two models of the product, the TNS-100 and the TNS-500, scale between 4Gbps and 40Gbps, are built on InfiniBand technology and support as many as 6 million connections. In the future, the TNS is likely to be developed to do more than provide access control to applications.

"Because we control the application, this gives us the ability to do things like content cloaking, blocking out sensitive content to the viewer," Buckley says. Content filtering of various types could also be integrated into the basic architecture.

Rohati, which joined the Jericho Forum, the group dedicated to encouraging alternatives to traditional perimeter firewalls for e-commerce, is targeting TNS for organizations that allow business partners to share network resources with internal users.

JDS Uniphase, among others, is said to be a beta tester.

Others say they want to give it a test run, too.

At Mercy Medical Center in Baltimore, Mark Rein, senior director of IT, says the healthcare provider allows clinical-equipment vendors such as GE, Philips and Siemens to remotely maintain software for X-ray machines and other medical equipment. But "today there's no way to keep them from hopping from server to server or X-ray to X-ray" once they've gained access via a VPN, Rein points out.

Mercy Medical Center will begin testing the Rohati appliance this summer in the hope of tackling its complicated access-control situation.

The TNS-100 starts at $20,000 and the TNS-500 starts at $85,000.

More on Rohati's founders

Rohati's five co-founders departed Cisco in the spring of 2006 to launch their start-up. Here's more on them:

* Abhijit Patra, vice president of software engineering: Spent more than nine years at Cisco, where he was responsible for the architecture and delivery of products across multiple platforms, including ATM, L3 switch and L4-L7 service modules. He also led the development of two purpose-built security service modules for the Catalyst 6500 (SSL Acceleration and SSL VPN) from concept to completion. Prior to this, he was a key architect/designer for the 8500 Switch.

* Prashant Gandhi, vice president of product marketing and strategy: Spent eight years at Cisco, where he held product marketing and strategy positions, primarily in the Cat 6000 and Data Center business units. While at Cisco, he led the definition of multiple strategic products including IPTV and IP Gaming; Metro Ethernet; the next-generation Catalyst 6500 forwarding engine; Ethernet DSLAM; deep packet forwarding engine; trusted security; self-managed networking; network virtualization, and XML Web services, as well as Cisco's next-generation data center switch. Additionally, he was the early marketing liaison for the company's Data Center Ethernet initiative.

* Anant Thakar, vice president of hardware engineering: Spent nine years at Cisco, where he held the role of lead system architect. Thakar architected and designed several of Cisco's supervisor boards, high-density 10G Ethernet line cards, as well as derivative products for the Metro Ethernet market. Earlier in his career, he started Helios Microsystems.

* Kirti Prabhu, vice president of software engineering: At Cisco he led development teams in San Jose and India that architected and delivered the company's Firewall Services Module, a service blade for the Catalyst 6500 switch, as well as application inspection for all networking and VoIP protocols and the application firewall. He also developed and led platform software and redundancy initiatives for the first two generations of the Catalyst 6500 supervisor modules. Before Cisco, Prabhu worked for Zexel USA.

* Nagaraj Bagepalli, director of software engineering: Spent nine years at Cisco, where he held senior engineering positions in L4-7 switching and security. He was the key architect in designing and developing two purpose-built security services modules, the SSL acceleration module and the SSL VPN acceleration module, for the Catalyst 6500/7600 switch family. He was also involved in proposing and architecting a Deep Packet Forwarding Engine, which acts as a companion to the L2/L3 forwarding engine and provides deep packet classification, inspection and forwarding capability for the Cat 6000 platform. Prior to Cisco, Bagepalli held engineering positions at Wipro Infotech.

This story, "Former Cisco Engineers Found Start Up Rohati Systems" was originally published by Network World.

Copyright © 2008 IDG Communications, Inc.