Permeo oversees application access

Poor installation, documentation are the downfall for otherwise effective Application Security Gateway

Permeo’s Application Security Gateway gives enterprise managers the means to provide pinpoint control over how internal users access external networks and how remote users access the network. With Permeo ASG, you no longer have to worry about whether users are running auctions on eBay or visiting porn sites. It also means that your applications can’t be hijacked to send sensitive data to places it shouldn’t go.

I found Permeo ASG to be effective and reasonably straightforward to manage — when it was finally up and running. Even with on-site support from factory engineers, it took three tries before we could get Permeo’s software implemented and functioning properly.

Exacerbating the situation, Permeo’s documentation is thin and inadequate. You’ll need to have your support staff well trained in maintaining and operating ASG if you plan to make this product the vital part of enterprise security it’s designed to be. Even then, staffers will probably need to keep Permeo’s support number taped to their phones.

Installation Frustration

I installed the Permeo Application Security Gateway on an IBM x335 server running Red Hat Linux version 9. As shipped, the ASG only works with Solaris or Red Hat Linux. The company says ASG will work with SuSE Linux with a few modifications, but fails to document those modifications. You will also need to load the server software manually.

The Permeo ASG sits between your network and the firewall leading to the outside, where it will allow only approved traffic from authenticated applications to reach the Internet. Users must access those authenticated applications from one of two Permeo clients; if they use an unauthenticated version of the app, they won’t be able to access the relevant data or network beyond the ASG.

Although you can manage the ASG server from the console using the Web browser, it’s just as easy to use any browser-equipped client. ASG allows you to be extremely specific in what you allow network users to access. If the destination isn’t on a user’s list, the packets will never pass beyond the ASG.

Because you can be so specific in the limits of Internet access, you need to familiarize yourself with the Web sites you’re accessing. Not only will you have to provide a top-level Web address, for example, but you’ll also have to provide the details of any subsequent domain change, something that happens fairly often. Despite having to update these addresses, the specificity is worth the effort — you can even restrict users to certain pages within a given Web site.

Permeo ASG uses an agent to provide authentication between the ASG server and the client machine. The Permeo Clientless Agent, a Web site on the Permeo server, controls which applications are allowed access to outside networks. Apps placed in the Clientless Agent can go beyond the ASG’s boundaries; if an app isn’t listed, it can’t access the outside world, and listed apps can only go where Permeo says they can go.

For example, placing Microsoft Internet Explorer in the Clientless Agent Web site allows users to browse the Web with full access. Users can still browse sites on their local network with their local version of IE, but they won’t be able to reach anything beyond the ASG machine without first going to the Clientless Agent and running the application from that site.

Although it is somewhat clunky to use, the Clientless Agent does ease the process of setting up access for a large number of users because you only need to put apps into the Clientless Agent once to cover all users. A traditional name and password access or a RADIUS server can authenticate users.

However, the Clientless Agent is basically an all-or-nothing access policy for everyone. It complicates the process of reaching the Internet because users must choose their applications from the Clientless Agent Web site first. Also, it only works with Windows, which limits your options.

To go beyond Windows, Permeo offers an additional authentication method between the ASG server and the client: the Premium Client. The Premium Client does not involve a Web site and makes application and Internet access through the ASG transparent. It works with Windows, Unix, and Linux, and allows much more access customization than the Clientless Agent.

To get this level of customization, the Premium Client must be installed on each user’s machine. The client is middleware that lives just above the IP stack and intercepts network calls to authenticate them before they leave the computer.

Documentation Detour

Implementing the Permeo ASG starts by setting up the access rules on the server. Pull-down boxes and clicks handle most settings, but operations must be conducted in a specific — and undocumented — order. By simply using ASG for a while, it’s not hard to learn the correct order, but it will require extra study if you let long periods of time pass between changes.

Along with the complexity of managing the server software, a specific sequence of commands must be manually typed to get the Permeo ASG software running on the server. The problem? Permeo doesn’t supply the list of commands.

Although you can always create a script to load the server automatically when returning from a shutdown, Permeo doesn’t provide the script. One of your Unix or Linux people will have to reload the ASG on the server after you take the gateway machine down.

Permeo ASG works well once it’s running. I couldn’t get past it without authentication and without using either the Premium Client or the Clientless Agent to access applications.

The ASG also works as a remote access security solution, its original purpose. It provides SSL encryption for the connection when you set the ASG so that outside clients have different access rules. Traveling users access apps through the same Premium Client on their laptops, and change a setting for internal or external use.

The Permeo ASG is good at what it’s intended to do — regulate access to the Internet and various applications. It would be much better if Permeo included useful documentation and created a less Byzantine means of implementation and management. ASG could be a significant security enhancement, but whether it’s worth the tradeoffs in time, effort, and frustration depends on your enterprise’s needs.

InfoWorld Scorecard
Permeo Application Security Gateway v5.0
Implementation (15.0%): 3.0
Manageability (25.0%): 5.0
Value (10.0%): 7.0
Security (35.0%): 9.0
Ease of use (15.0%): 7.0
Overall Score (100%): 6.6