Company name: Sygate Inc.
Price: $46 per user
Full agent platforms: Windows XP/2000
Cache Cleaner only: Win32, Mac OS 9/X, Linux RH9
Bottom line: Significantly improves
In a nut shell: Mitigates public PC threats by checking integrity prior to Web portal/SSL VPN connection, encrypting data while connected and wiping hosts clean afterward.
- Cache Cleaner avoids leaving Web pages, file attachments, cookies, passwords and URLs behind on any unprotected PC, Mac, or RedHat host
- On Windows XP/2000, Virtual Security Agent checks AV/firewall/OS levels and creates a secure desktop environment to defeat viruses and keystroke loggers
- Portals or SSL VPN gateways can invoke SSP at login to enforce the company's security policy, based on location or device
- To check for other programs or patches, you'll need the next release
- No integrity checker or secure desktop for Mac/Linux
- Doesn't run on PDAs
- Can optionally deny use of non-browser applications, but can't stop users from visiting public Web sites while connected
Today, many companies are turning to Web-based remote access methods like webmail (e.g., Outlook Web Access), enterprise portals (e.g., mySAP) and SSL VPNs (e.g., Aventail). Unlike VPN clients, browsers can be found on any public host. This makes Web-based access possible at kiosks, business centers and Internet cafes. It also makes access feasible from unmanaged hosts owned by employees and business partners. Unfortunately, there's a real possibility that public, partner or home PCs have been compromised by viruses, spyware or other malware. Sygate's Security Portal (SSP) reduces this risk by making access safer before, during and after each Web session.
Sygate's Cache Cleaner, a "thin" version of SSP, runs on Mac, Linux or any Win32 host. If you've ever used a public PC, you've probably noticed saved passwords, URLs, forms values and even cached Web pages left behind by others. Cache Cleaner automatically wipes out these values when the browser session ends, when window closes or an inactivity timeout expires. Enforcing post-session clean-up is essential for any secure Web portal.
But that's not really enough. To improve security before and during each session, there's an expanded SSP version called the Sygate Virtual Security Agent (SVSA) that combines the Cache Cleaner with a Host Integrity Checker and Virtual Secure Desktop.
- The Host Integrity module can verify presence of specific AV programs (e.g., Norton, eTrust, McAfee, Panda, TrendMicro), recent AV updates, personal firewalls and Windows XP/2000 service packs. If the check fails, the user is redirected to a specified error page URL. Otherwise, the user is redirected to a portal or SSL VPN page -- typically, the login page. Sygate plans to add custom integrity rules in the next release (e.g., checking for other programs or individual patches).
- A Virtual Secure Desktop can be launched automatically after the check succeeds. The VSD acts as an encrypted sandbox, hiding all user keystrokes and files from malware that might exist on the PC. Any files created during the session are stored in the VSD folder, scrambled with 168 bit 3DES. The user is unable to access unencrypted files on the PC during the session. This effectively prevents cross-contamination between the local and virtual desktop. By default, the VSD is deleted when the session ends -- a "super Cache Cleaner." Nothing that happens during the session is visible to others during or after the session.
Because different environments warrant different security measures, you'll want to configure several policies. Policies are chosen at connect time based on location and device. SSP 1.0 can check for the presence of a certificate, registry value or compare the host's IP address to defined range(s). For example, a company certificate can be installed on teleworker PCs, checked by a policy that enables VSD reuse. A default policy could then be used to enforce tighter security on unknown PCs -- even restricting access to just the browser.
I took SSP for a short test drive, using the editor to configure home and unknown profiles with different parameters. I ran my policies locally, but typically policies would be copied onto your portal server or SSL VPN gateway. Whenever I opened the SSP "homepage," an ActiveX, Java, or executable was downloaded to my PC (in this order of preference). Download-on-demand is essential for unmanaged hosts where you can't install software in advance. Even Sygate's executable installs without administrator permission, increasing public PC compatibility.
I encountered no problems during my test drive, but note that results could vary by host type and Web/VPN server. It's a good idea to check with Sygate if your host or server/VPN environment is unusual. According to Sygate, SSP has been tested with common webmail systems, many enterprise application portals and SSL VPNs from Aventail, Neoteris (Netscreen), uRoam (F5), Netilla, Nokia and others.
If you're an individual worried about security when using public PCs, SSP won't help you. SSP is a centrally-administered, policy-based solution for companies who run their own Web portals or SSL VPNs. However, if your company is considering browser-based remote access, SSP can help you stop those Web sessions from letting infected PCs in, being abused by malware or leaving confidential data behind.
About the author: Lisa Phifer is vice president of Core Competence, Inc., a consulting firm specializing in network security and management technology. She is also a site expert to SearchMobileComputing.com and SearchNetworking.com.
This was first published in April 2004