New gadgets take on 'Starbucks' security threat

The growth in popularity of both wireless technology and mobile computing has created a potent new threat for network administrators: unauthorized intrusions onto their networks by hackers and viruses that take advantage of loosely secured laptop PCs and public computer kiosks.

Malicious hackers and worms can slip past heavily fortified network perimeters by compromising computers in home offices, tunneling through virtual private network (VPN) sessions from compromised computers, or taking advantage of wide-open public wireless hotspots like those offered by coffee house giant Starbucks Corp. The threat has prompted increased attention to the issue of so-called "end point" security for mobile computers from major technology vendors, including Cisco Systems Inc. and Microsoft Corp.

Now two companies say they have the answer to the problem: plug-in hardware devices that lock down sensitive information and secure communications over wireless and wired networks.

On Monday, Seclarity Inc. of San Francisco will unveil its SiNic Wireless NIC (network interface card). The device can send and receive standard IEEE 802.11 wireless network traffic and comes with its own embedded operating system, encryption software and firewall to secure communications to and from desktop, laptop and server systems. The same day, RedCannon Security of Fremont, California, will release Fireball KeyPoint, a USB (Universal Serial Bus) token that is being billed as a "secure mobility appliance," with a built-in Web browser, e-mail client and encrypted document store that allows travelling employees to work securely from any PC or laptop computer.

Developed with funding from the U.S. military, Seclarity's SiNic Wireless card looks like other wireless LAN cards but is actually a fully-contained, standalone Unix computer. The device fits into any standard PC Card slot. It contains 32MB of memory and its own processor, which is used to manage 802.11a, b, and g traffic and encrypt and decrypt traffic using a built-in PKI (Public Key Infrastructure) module. The card runs a hardened and customized version of the NetBSD operating system, as well as a customized stateful proxy firewall. It also stores and manages user access policies, said Adrian Vanzyl, chief executive officer (CEO) of Seclarity.

The idea is to separate critical security functions from the operating system of the notebook, which is more complicated and vulnerable than the SiNic card. It makes security transparent to users and to applications running on the PC, reducing the likelihood that users will tamper with or disable critical security functions, Vanzyl said.

Wireless connections to and from the SiNic card are authenticated from origin to destination, making it impossible for outsiders to "sniff" sensitive information from wireless traffic or from insecure host systems, he said.

"End point security often means restricted mobility for users -- they're told they can't leave the (corporate) network, or they can't log in from Starbucks," he said. "With our solution, if a guy logs in from Starbucks and a hacker or another user tries to get to a file ... he can't, because the machine will ask for a valid certificate."

A separate management system that runs on Windows 2000 or Windows 2003 servers acts as the root PKI certificate authority for systems using the SiNic cards and also controls device enrollment in the PKI system, access policy management, software updates and auditing, he said.