Product name: AppGate Mobile Client
Company name: AppGate Network Security AB
Price: From $5000 for server and 25 mobile clients
Client platforms: Sony Ericsson P800/P900 (mobile client) or Win32, *NIX, MacOS, PPC (Java clients)
Bottom line: Can secure many intranet applications with minimal client-side fuss.
In a nutshell: Secure Shell (SSH) authenticates and encrypts port-forwarded applications from most handhelds/laptops to VPN-protected intranet servers.
- Using mobile and Java-based clients, covers broad set of mobile devices
- No installation required for Java; no client configuration required for either client
- Robust security options, including AES encryption and PKI authentication
- Forwards single-port applications and proxies FTP, NetBIOS and SOCKS, but cannot tunnel all IP through VPN without generic networking driver (Win XP/2000 only)
- Connection status and debug aids are limited in Sony Ericsson Mobile Client
- Wireless carrier's WAP gateway (or network's firewall) must permit SSH
Description:
When it comes to securing handheld traffic, IPsec VPN clients can be somewhat difficult to find, install, and configure. Many companies are considering alternatives that reduce client-side administration and tackle common handheld challenges like limited bandwidth, small displays and diverse operating systems. I recently tested the AppGate Mobile Client for Sony Ericsson P800/P900 -- one component in AppGate's rather unique multi-platform SSH VPN.
AppGate's solution consists of VPN server software, running on Solaris or HP-UX, and VPN client software, running on remote (wired or wireless) devices. AppGate's client is available in several formats, including a download-on-demand Java client for Win32, MacOS, *NIX, Pocket PC and Sharp Zaurus. I tested the Java client briefly, but focused my attention on AppGate's mobile client: A Symbian-based application that can be installed on Sony Ericsson wireless phones.
Unlike most IPsec VPN clients, the mobile client requires no configuration. The user simply launches the client, enters the VPN server's host name, login and password (or other credentials, depending upon authentication type). Upon first connection, the user is prompted to accept and save the server's public key. While connected, specific application ports are forwarded over an encrypted, authenticated SSH tunnel.
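The accept-and-save prompt on first connection is trust on first use: the saved key only protects later sessions if a changed key is refused rather than silently re-saved. The following Python example is added here for illustration and is not AppGate's code or part of the original review; the function names, the host name and the key bytes are constructed, and the OpenSSH-style SHA256 fingerprint format is an assumption, since the review does not say how the client displays or stores the key.

```python
import base64
import hashlib
import struct


class HostKeyMismatch(Exception):
    """The server presented a key different from the one saved earlier."""


def make_blob(key_type: str, key_bytes: bytes) -> bytes:
    """Build an SSH wire-format blob: two length-prefixed fields (sample data only)."""
    t = key_type.encode("ascii")
    return struct.pack(">I", len(t)) + t + struct.pack(">I", len(key_bytes)) + key_bytes


def key_type_of(blob: bytes) -> str:
    """Read the first length-prefixed string, which names the key algorithm."""
    if len(blob) < 4:
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or 4 + n > len(blob):
        raise ValueError("malformed key blob")
    return blob[4:4 + n].decode("ascii")


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def check_host_key(pins: dict, host: str, blob: bytes, confirm) -> str:
    """Return 'pinned' on an accepted first contact or 'match' on a known key.

    confirm(host, key_type, fp) stands in for the client's accept/save prompt;
    the user should compare fp with a value obtained out of band.
    """
    name = host.lower()
    key_type, fp = key_type_of(blob), fingerprint(blob)
    saved = pins.get(name)
    if saved is None:
        if not confirm(host, key_type, fp):
            raise PermissionError(f"host key for {host} was not accepted")
        pins[name] = fp
        return "pinned"
    if saved != fp:
        # Never overwrite silently: this is the case the saved key exists to catch.
        raise HostKeyMismatch(f"{host}: saved {saved}, presented {fp}")
    return "match"
```
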
For example, I used T-Mobile's GPRS service to connect my P800 to a demo AppGate Server. Based on a role associated with my identity, the server told my client to tunnel TCP traffic sent to ports 80 and 143. At the far end of the tunnel, the AppGate Server relayed that traffic to web and IMAP servers inside a protected intranet. Whenever I browsed demonet.appgate.com or read e-mail from demo.appgate.com, my HTTP and IMAP requests were compressed, AES-encrypted, and forwarded to the AppGate Server. But when I browsed other sites or used other protocols, traffic was sent over the Internet in the usual fashion. These port forwards and protection suites were determined by the AppGate Server, simplifying client setup and preventing user misconfiguration.
Simple GUIs are wonderful when all goes well but can be frustrating when something goes awry. My P800 was originally provisioned to use a T-Mobile WAP gateway that blocked SSH (port 22). But all I could tell was that my request timed out -- carrier assistance was needed to identify the culprit. Fortunately, re-pointing my P800 to an alternate WAP gateway did the trick. I also found it hard to tell when my VPN connection was disrupted, because no status indicator is visible when using other applications over the VPN connection. I applaud AppGate for keeping the mobile client simple ("lite"), but would prefer having a little more information. On other platforms, the Java client does present more detail, both before and during VPN connections.
I only tested password authentication, but AppGate supports a slew of methods, including certificates, raw public keys, two-factor tokens (SecurID) and smart cards (Telia EID). In addition to AES, AppGate supports 3DES, Arcfour, and Blowfish encryption. A compression option can reduce bytes transmitted over slower or metered networks where bandwidth is at a premium. To learn more about AppGate security and supported platforms, consult this white paper.
Increasingly, mobile devices like the Sony Ericsson P800 and P900 (its just-announced successor) are being paired with third-party software to enable secure access to enterprise applications and company networks. Many companies are familiar with IPsec and SSL VPN products but may overlook SSH-based alternatives like AppGate. If you need to secure specific intranet applications with minimal client setup on a variety of mobile devices, then be sure to take a look at AppGate.
About the author: Lisa Phifer is vice president of Core Competence, Inc., a consulting firm specializing in network security and management technology. She is also a site expert to SearchMobileComputing.com and SearchNetworking.com.