Sygate Security Portal neutralizes public PC threats


Lisa Phifer
04.13.2004
Rating: 4.50 (out of 5)




Product name: Sygate Security Portal
Company name: Sygate Inc.
Price: $46 per user

Full agent platforms: Windows XP/2000
Cache Cleaner only: Win32, Mac OS 9/X, Linux RH9

Bottom line: Significantly improves the safety of Web-based remote access from unprotected hosts at business centers, Internet cafes and teleworker homes.

In a nutshell: Mitigates public PC threats by checking integrity prior to Web portal/SSL VPN connection, encrypting data while connected and wiping hosts clean afterward.

Pros:

  • Cache Cleaner avoids leaving Web pages, file attachments, cookies, passwords and URLs behind on any unprotected PC, Mac, or RedHat host
  • On Windows XP/2000, Virtual Security Agent checks AV/firewall/OS levels and creates a secure desktop environment to defeat viruses and keystroke loggers
  • Portals or SSL VPN gateways can invoke SSP at login to enforce the company's security policy, based on location or device

Cons:

  • To check for other programs or patches, you'll need the next release
  • No integrity checker or secure desktop for Mac/Linux
  • Doesn't run on PDAs
  • Can optionally deny use of non-browser applications, but can't stop users from visiting public Web sites while connected

Description:

Today, many companies are turning to Web-based remote access methods like webmail (e.g., Outlook Web Access), enterprise portals (e.g., mySAP) and SSL VPNs (e.g., Aventail). Unlike VPN clients, browsers can be found on any public host. This makes Web-based access possible at kiosks, business centers and Internet cafes. It also makes access feasible from unmanaged hosts owned by employees and business partners. Unfortunately, there's a real possibility that public, partner or home PCs have been compromised by viruses, spyware or other malware. Sygate's Security Portal (SSP) reduces this risk by making access safer before, during and after each Web session.

Sygate's Cache Cleaner, a "thin" version of SSP, runs on Mac, Linux or any Win32 host. If you've ever used a public PC, you've probably noticed saved passwords, URLs, form values and even cached Web pages left behind by others. Cache Cleaner automatically wipes out these values when the browser session ends, when the window closes or when an inactivity timeout expires. Enforcing post-session clean-up is essential for any secure Web portal.

But that's not really enough. To improve security before and during each session, there's an expanded SSP version called the Sygate Virtual Security Agent (SVSA) that combines the Cache Cleaner with a Host Integrity Checker and Virtual Secure Desktop.

  • The Host Integrity module can verify the presence of specific AV programs (e.g., Norton, eTrust, McAfee, Panda, TrendMicro), recent AV updates, personal firewalls and Windows XP/2000 service packs. If the check fails, the user is redirected to a specified error page URL. Otherwise, the user is redirected to a portal or SSL VPN page -- typically, the login page. Sygate plans to add custom integrity rules in the next release (e.g., checking for other programs or individual patches).
  • A Virtual Secure Desktop can be launched automatically after the check succeeds. The VSD acts as an encrypted sandbox, hiding all user keystrokes and files from malware that might exist on the PC. Any files created during the session are stored in the VSD folder, scrambled with 168-bit 3DES. The user is unable to access unencrypted files on the PC during the session. This effectively prevents cross-contamination between the local and virtual desktop. By default, the VSD is deleted when the session ends -- a "super Cache Cleaner." Nothing that happens during the session is visible to others during or after the session.

But what if you need to e-mail a document created offline? For this, you'll need local-secure desktop switching, a capability permitted at the administrator's discretion. What if you're a teleworker, using the same files repeatedly? You'll want a persistent VSD, where the encrypted folder is password-protected and retained for subsequent reuse. These and other parameters are determined by security policies, configured using Sygate's Security Portal Editor.

Because different environments warrant different security measures, you'll want to configure several policies. Policies are chosen at connect time based on location and device. SSP 1.0 can check for the presence of a certificate or registry value, or compare the host's IP address to defined range(s). For example, a company certificate can be installed on teleworker PCs, checked by a policy that enables VSD reuse. A default policy could then be used to enforce tighter security on unknown PCs -- even restricting access to just the browser.
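
The connect-time policy selection described here and the Host Integrity redirect described earlier can be sketched together. This is an added example, not Sygate's code or policy format: the class names, policy names, registry key, address range and URLs are all hypothetical, constructed values.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    persistent_vsd: bool   # keep the encrypted desktop folder for reuse
    browser_only: bool     # deny non-browser applications
    max_av_age_days: int   # oldest acceptable AV update
    min_service_pack: int

@dataclass
class Host:
    ip: str
    has_company_cert: bool = False
    registry: dict = field(default_factory=dict)
    av_running: bool = False
    av_age_days: int = 9999
    firewall_on: bool = False
    service_pack: int = 0

HOME = Policy("home", True, False, 7, 1)  # every value in this group is constructed
UNKNOWN = Policy("unknown", False, True, 3, 1)
MANAGED_KEY = r"HKLM\Software\ExampleCorp\Managed"
HOME_NETS = [ipaddress.ip_network("192.0.2.0/24")]
LOGIN_URL, ERROR_URL = "https://portal.example/login", "https://portal.example/denied"

def select_policy(host):  # unmatched or unparsable evidence gets the strictest policy
    if host.has_company_cert or host.registry.get(MANAGED_KEY) == "1":
        return HOME
    try:
        addr = ipaddress.ip_address(host.ip)
    except ValueError:
        return UNKNOWN
    return HOME if any(addr in net for net in HOME_NETS) else UNKNOWN

def integrity_failures(host, policy):  # empty list means the host passes
    checks = [
        ("antivirus not running", host.av_running),
        ("antivirus updates too old", host.av_age_days <= policy.max_av_age_days),
        ("personal firewall off", host.firewall_on),
        ("service pack too low", host.service_pack >= policy.min_service_pack),
    ]
    return [reason for reason, ok in checks if not ok]

def gate(host):  # returns (policy, redirect URL, failed checks)
    policy = select_policy(host)
    failures = integrity_failures(host, policy)
    return policy, (ERROR_URL if failures else LOGIN_URL), failures
```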

I took SSP for a short test drive, using the editor to configure home and unknown profiles with different parameters. I ran my policies locally, but typically policies would be copied onto your portal server or SSL VPN gateway. Whenever I opened the SSP "homepage," an ActiveX, Java, or executable was downloaded to my PC (in this order of preference). Download-on-demand is essential for unmanaged hosts where you can't install software in advance. Even Sygate's executable installs without administrator permission, increasing public PC compatibility.

I encountered no problems during my test drive, but note that results could vary by host type and Web/VPN server. It's a good idea to check with Sygate if your host or server/VPN environment is unusual. According to Sygate, SSP has been tested with common webmail systems, many enterprise application portals and SSL VPNs from Aventail, Neoteris (Netscreen), uRoam (F5), Netilla, Nokia and others.

If you're an individual worried about security when using public PCs, SSP won't help you. SSP is a centrally-administered, policy-based solution for companies who run their own Web portals or SSL VPNs. However, if your company is considering browser-based remote access, SSP can help you stop those Web sessions from letting infected PCs in, being abused by malware or leaving confidential data behind.

About the author: Lisa Phifer is vice president of Core Competence, Inc., a consulting firm specializing in network security and management technology. She is also a site expert to SearchMobileComputing.com and SearchNetworking.com.
