The growth in popularity of both wireless technology and mobile computing has created a potent new threat for sysadmins: unauthorised intrusions onto their networks by hackers and viruses that take advantage of loosely secured laptop PCs and public computer kiosks.
Malicious hackers and worms can slip past heavily fortified network perimeters by compromising computers in home offices, tunneling through virtual private network (VPN) sessions from compromised computers, or taking advantage of wide-open public wireless hotspots like those offered by coffee house giant Starbucks. The threat has prompted increased attention to the issue of so-called "end point" security for mobile computers from major technology vendors, including Cisco and Microsoft.
Now two companies say they have the answer to the problem: plug-in hardware devices that lock down sensitive information and secure communications over wireless and wired networks.
Today, Seclarity will launch its SiNic Wireless NIC (network interface card). The device can send and receive standard IEEE 802.11 wireless network traffic and comes with its own embedded operating system, encryption software and firewall to secure communications to and from desktop, laptop and server systems.
At the same time, RedCannon will release Fireball KeyPoint, a USB token that is being billed as a "secure mobility appliance", with a built-in Web browser, e-mail client and encrypted document store that allows travelling employees to work securely from any PC or laptop computer.
Clarity of vision
Developed with funding from the US military, Seclarity's SiNic Wireless card looks like other wireless LAN cards but is actually a fully-contained, standalone Unix computer. The device fits into any standard PC Card slot. It contains 32MB of memory and its own processor, which is used to manage 802.11a, b, and g traffic and encrypt and decrypt traffic using a built-in PKI module. The card runs a hardened and customised version of the NetBSD operating system, as well as a customized stateful proxy firewall. It also stores and manages user access policies, said Adrian Vanzyl, chief executive officer of Seclarity.
The idea is to separate critical security functions from the operating system of the notebook, which is more complicated and vulnerable than the SiNic card. It makes security transparent to users and to applications running on the PC, reducing the likelihood that users will tamper with or disable critical security functions, Vanzyl said.
Wireless connections to and from the SiNic card are authenticated from origin to destination, making it impossible for outsiders to "sniff" sensitive information from wireless traffic or from insecure host systems, he said. "End point security often means restricted mobility for users - they're told they can't leave the corporate network, or they can't log in from Starbucks," he said. "With our solution, if a guy logs in from Starbucks and a hacker or another user tries to get to a file, he can't, because the machine will ask for a valid certificate."
A separate management system that runs on Windows 2000 or Windows 2003 servers acts as the root PKI certificate authority for systems using the SiNic cards and also controls device enrollment in the PKI system, access policy management, software updates and auditing, he said.
The SiNic card makes it very difficult for malicious hackers or others to capture sensitive data by offering "end to end" protection from data's point of origin to its destination, said Chris Byrnes, senior vice president for security at Meta Group. By offloading processor-intensive encryption onto a NIC, the company also sidesteps the slowdowns that often accompany encryption with software clients, he said. That said, the SiNic card is not right for every company, Byrnes said.
"Companies have to want to secure all their communications," he said. "Obviously, you need secure communication when you're going over the Internet, but there are a lot of solutions that let you secure Web-based traffic at little or no cost - like Secure Sockets Layer."
For companies that want to secure non-Web communications between network endpoints, there are many competing technologies that don't require companies to deploy new hardware, such as IPSec and VPNs, he said. "Those technologies are no better or worse than SiNic," Byrnes said, adding that SiNic's approach might be easier for companies to manage in large deployments.
The product will be most attractive to organisations that handle large amounts of highly sensitive data across their entire operation, such as banks and government agencies, he said. While the US military is testing the first batch of SiNic cards, Seclarity is also targeting private sector companies in regulated industries such as banking and health care. The cards are available immediately and pricing varies with the number and type of cards, Vanzyl said.
For RedCannon Security, the issue isn't how to secure end-point systems but how to trust communications to and from mobile workers who are using end-point systems that are almost certainly not secure.
RedCannon's USB token provides a secure environment that mobile employees can use to securely retrieve e-mail, manage documents and browse the Web from uncontrolled computers such as public kiosks, hotel business centers or personal computers connecting over public wireless hotspots.
The keychain device contains its own processor and either 256MB or 512MB of storage, a customized versions of Internet Explorer and Outlook. A data vault using 128-bit AES (Advanced Encryption Standard) file encryption allows users to encrypt and decrypt documents by dragging and dropping them into and out of the vault from a Windows desktop, said John Myung, CEO of RedCannon.
When users plug the KeyPoint into a USB-equipped computer running Windows 2000 or Windows XP, anti-spyware software developed by RedCannon scans the host computer for spyware, key loggers, Trojan horse programs and other threats, providing a report on the safety of the machine. After the initial scan, users can access the KeyPoint applications for surfing or e-mail from a central console that appears on the Windows desktop, he said.
The Web browser looks similar to Explorer and stores all files containing personal information, such as Web cookies and temporary Internet files, in a secure area on the appliance. The e-mail client allows mobile workers to send and receive POP3 or Web-based e-mail. The appliance uses Secure Sockets Layer (SSL) to encrypt and download mail to the USB appliance instead of the host system, and users can import their contacts to the USB appliance, Red Cannon said.
A separate Fireball manager application allows IT administrators to set access rules for KeyPoint applications, require spyware scans before enabling connections to corporate networks, recover lost or forgotten passwords and audit Web and e-mail traffic from the device. Security policies and signed XML updates for KeyPoint devices can be downloaded from network shares or Web directories using secure HTTP.
The KeyPoint USB security appliance is available beginning July. A 256MB version will sell for $149 and the 512MB version for $299 from RedCannon's website.
Seclarity is offering SiNic wireless cards immediately. The company did not provide specific price information, saying that the price varied depending on the number of users and type of devices.