The growth in popularity of both wireless technology and mobile computing has created a potent new threat for network administrators:
unauthorized intrusions onto their networks by hackers and viruses that take advantage of loosely secured laptop PCs and public
computer kiosks.
Malicious hackers and worms can slip past heavily fortified network perimeters by compromising computers in home offices,
tunneling through virtual private network (VPN) sessions from compromised computers, or taking advantage of wide-open public
wireless hotspots like those offered by coffee house giant Starbucks Corp. The threat has prompted increased attention to
the issue of so-called "end point" security for mobile computers from major technology vendors, including Cisco Systems Inc.
and Microsoft Corp.
Now two companies say they have the answer to the problem: plug-in hardware devices that lock down sensitive information and
secure communications over wireless and wired networks.
On Monday, Seclarity Inc. of San Francisco will unveil its SiNic Wireless NIC (network interface card). The device can send
and receive standard IEEE 802.11 wireless network traffic and comes with its own embedded operating system, encryption software
and firewall to secure communications to and from desktop, laptop and server systems. The same day, RedCannon Security of
Fremont, California, will release Fireball KeyPoint, a USB (Universal Serial Bus) token that is being billed as a "secure
mobility appliance," with a built-in Web browser, e-mail client and encrypted document store that allows travelling employees
to work securely from any PC or laptop computer.
Developed with funding from the U.S. military, Seclarity's SiNic Wireless card looks like other wireless LAN cards but is
actually a fully-contained, standalone Unix computer. The device fits into any standard PC Card slot. It contains 32MB of
memory and its own processor, which is used to manage 802.11a, b, and g traffic and encrypt and decrypt traffic using a built-in
PKI (Public Key Infrastructure) module. The card runs a hardened and customized version of the NetBSD operating system, as
well as a customized stateful proxy firewall. It also stores and manages user access policies, said Adrian Vanzyl, chief executive
officer (CEO) of Seclarity.
The idea is to separate critical security functions from the operating system of the notebook, which is more complicated and
vulnerable than the SiNic card. It makes security transparent to users and to applications running on the PC, reducing the
likelihood that users will tamper with or disable critical security functions, Vanzyl said.
Wireless connections to and from the SiNic card are authenticated from origin to destination, making it impossible for outsiders
to "sniff" sensitive information from wireless traffic or from insecure host systems, he said.
"End point security often means restricted mobility for users -- they're told they can't leave the (corporate) network, or
they can't log in from Starbucks," he said. "With our solution, if a guy logs in from Starbucks and a hacker or another user
tries to get to a file ... he can't, because the machine will ask for a valid certificate."
A separate management system that runs on Windows 2000 or Windows 2003 servers acts as the root PKI certificate authority
for systems using the SiNic cards and also controls device enrollment in the PKI system, access policy management, software
updates and auditing, he said.
The SiNic card makes it very difficult for malicious hackers or others to capture sensitive data by offering "end to end"
protection from data's point of origin to its destination, said Chris Byrnes, senior vice president for security at Meta Group
Inc. By offloading processor-intensive encryption onto a NIC, the company also sidesteps the slowdowns that often accompany
encryption with software clients, he said.
That said, the SiNic card is not right for every company, Byrnes said.
"Companies have to want to secure all their communications," he said. "Obviously, you need (secure communications) when you're
going over the Internet, but there are a lot of solutions that let you secure Web-based traffic at little or no cost -- like
(Secure Sockets Layer)."
For companies that want to secure non-Web communications between network endpoints, there are many competing technologies
that don't require companies to deploy new hardware, such as IPSec (Internet Protocol Security) and VPNs, he said.
"Those technologies are no better or worse than (SiNic)," Byrnes said, adding that SiNic's approach might be easier for companies
to manage in large deployments.
The product will be most attractive to organizations that handle large amounts of highly sensitive data across their entire
operation, such as banks and government agencies, he said.
While the U.S. military is testing the first batch of SiNic cards, Seclarity is also targeting private sector companies in
regulated industries such as banking and health care. The cards are available immediately and pricing varies with the number
and type of cards, Vanzyl said.
For RedCannon Security, the issue isn't how to secure end-point systems but how to trust communications to and from mobile
workers who are using end-point systems that are almost certainly not secure.
RedCannon's new Fireball KeyPoint USB token provides a secure environment that mobile employees can use to securely retrieve
e-mail, manage documents and browse the Web from uncontrolled computers such as public kiosks, hotel business centers or personal
computers connecting over public wireless hotspots.
The keychain device contains its own processor and either 256MB or 512MB of storage, a customized version of the Internet
Explorer Web browser and e-mail client software based on Microsoft's Outlook client. A data vault using 128-bit AES (Advanced
Encryption Standard) file encryption allows users to encrypt and decrypt documents by dragging and dropping them into and
out of the vault from a Windows desktop, said John Myung, CEO of RedCannon.
When users plug the KeyPoint into a USB-equipped computer running Windows 2000 or Windows XP, antispyware software developed
by RedCannon scans the host computer for spyware, key loggers, Trojan horse programs and other threats, providing a report
on the safety of the machine. After the initial scan, users can access the KeyPoint applications for surfing or e-mail from
a central console that appears on the Windows desktop, he said.
The Web browser looks similar to Internet Explorer and stores all files containing personal information, such as Web cookies
and temporary Internet files, in a secure area on the appliance. The e-mail client allows mobile workers to send and receive
POP3 (Post Office Protocol 3) or Web-based e-mail. The appliance uses Secure Sockets Layer (SSL) to encrypt and download mail
to the USB appliance instead of the host system, and users can import their contacts to the USB appliance, Red Cannon said.
A separate Fireball manager application allows IT administrators to set access rules for KeyPoint applications, require spyware
scans before enabling connections to corporate networks, recover lost or forgotten passwords and audit Web and e-mail traffic
from the device. Security policies and signed XML updates for KeyPoint devices can be downloaded from network shares or Web
directories using secure Hypertext Transfer Protocol (HTTP).
The KeyPoint USB security appliance is available beginning July 1. A 256MB version will sell for $149 and the 512MB version
for $299 from RedCannon's Web site, http://www.redcannon.com.
Seclarity is offering SiNic wireless cards immediately. The company did not provide specific price information, saying that
the price varied depending on the number of users and type of devices.
E-mail
Printer Friendly
Reprints
(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...
