DirectSecure lets you dynamically segment and isolate cross-platform systems. Instead of relying on user authentication, it uses machine authentication to ensure that only trusted systems on your network can establish network communication with each other. This end-point authentication of a computer's machine credentials is based on Kerberos, PKI certificates, or pre-shared keys. Optionally, encryption can be enforced to secure communications between end points. Microsoft provides this capability as a standard part of the Windows platform and refers to this functionality as server and domain isolation (SDI). DirectSecure extends the same capability to non-Microsoft platforms, enabling comprehensive support of mixed UNIX, Linux and Windows environments.
DirectSecure enforces the logical boundaries that you define through end-point authentication policies that are created, distributed and managed through Active Directory Group Policy. Policy deployment occurs seamlessly when a computer joins the Active Directory domain. Through Centrify's support for Group Policy, the same policies that Microsoft provides for server and domain isolation can be applied to UNIX and Linux systems.
Policies are enforced by the built-in IPsec functionality found in modern Windows, UNIX and Linux platforms. Instead of the traditional use of IPsec as a tunneling and network encryption protocol (such as remote access through a VPN), both Microsoft SDI and DirectSecure employ IPsec "transport mode" for end-to-end security between computers, even across Network Address Translation (NAT). Because IPsec is a Layer 3 security protocol, it protects all IP-based traffic and operates transparently to users and applications. Applications therefore need neither IPsec support nor any modification to be compatible with this form of authentication and encryption.
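To make the transport-mode, certificate-authenticated host isolation described above concrete, here is an added example of what an equivalent policy looks like on a Linux host using strongSwan's `swanctl.conf`. It is illustrative only and is not DirectSecure's own configuration or a policy generated from Group Policy; the subnet `10.0.0.0/24`, the host address `10.0.0.11`, the certificate file names and the identity string are all assumed placeholders.

```conf
# Added example (not DirectSecure's own configuration): one trap policy that
# requires IPsec transport mode for all traffic between hosts in an assumed
# isolated subnet, authenticated with machine certificates rather than
# user credentials.
connections {
    isolated-hosts {
        # Assumed local address of this host and the peer range it may talk to.
        local_addrs  = 10.0.0.11
        remote_addrs = 10.0.0.0/24

        # Machine authentication with a PKI certificate (placeholders).
        local {
            auth  = pubkey
            certs = host-example.pem
            id    = "CN=host11.example.invalid"
        }
        # Peers must present a certificate chaining to the enterprise CA.
        remote {
            auth    = pubkey
            cacerts = enterprise-ca-example.pem
        }

        children {
            transport-esp {
                # Transport mode: the original IP header is kept, so this is
                # end-to-end host protection rather than a VPN tunnel.
                mode          = transport
                local_ts      = dynamic
                remote_ts     = 10.0.0.0/24
                esp_proposals = aes256gcm16

                # A trap policy installs the kernel SPD entry immediately:
                # matching traffic triggers IKE negotiation, and a peer that
                # cannot authenticate simply never gets a security association.
                start_action  = trap
            }
        }
    }
}
```

The security-relevant choices are `mode = transport` (end-to-end protection of ordinary application traffic, no tunnel endpoint) and `start_action = trap` (the policy is enforced before any negotiation, so an unmanaged host with no valid machine certificate cannot reach protected services). In a real deployment, the equivalent settings would be delivered to the host by the Group Policy mechanism the page describes rather than edited by hand.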
With these policies in place, trusted systems are protected and can communicate with each other without any additional steps or login procedures. Unmanaged or rogue computers cannot establish network communication with systems protected within the logically isolated network.