Review: Application Security Gateway

Controlling how your enterprise's employees are able to access external networks can be a difficult problem for most security managers. Add to that the growing need to allow external users access to internal applications, and it suddenly becomes the stuff of sleepless nights.

The Application Security Gateway (ASG) is designed to address both these needs. Whether an employee is trying to access a gambling site or a hacker is seeking out an application to hijack, this software will deal with the problem.

The real problem for us, however, was getting the software to work in the first place. The vendor sent an engineer to install the product on our test server – a modest Pentium 4-based affair running Red Hat Linux 9 (the minimum specifications for the application are even more modest than that).

The application is designed to run on Red Hat Linux, Solaris, Nokia IPSO or Windows NT/2000 operating systems and our server had been set up fresh with everything on default settings. Other computers on the network could see the Linux server, but it took a good few attempts to get the software up and running properly.

When the server is eventually running, it does run reasonably well. There were a few speed issues with it initially, but these seemed to have died down by themselves for reasons unclear to us.

The software sits on a server that in turn is positioned between the internal network and the corporate firewall. The application will only allow traffic to reach the outside world from approved authenticated applications.

The printed documentation provided was a bit on the thin side (bordering on non-existent), but there are plenty of PDF manuals supplied on the installation CD.

The ASG server can be managed from any web browser and it is very granular and complex in use. An administrator can be exceedingly precise about what users can and cannot do. The browser console itself looks nice and our first impressions are that it is well laid-out.

Defining what can or cannot be accessed can be a time-consuming activity if a tough policy on what users can or cannot access is in force. It does mean that administrators have a lot of control over access rights, even down to certain web pages on an individual site.

The administrator's guide seems to be reasonably thorough, and does indeed go through what needs to be done. However, there does appear to be quite a lot that needs to be done before anything useful can be achieved. And despite the pretty browser interface, getting things going requires a lot of steps.

Accessing the outside world is done via two methods. The first is the Clientless Agent, which sits on the server where the Permeo application is installed.

This provides the authentication needed between the server and the client machine. The Clientless Agent controls which applications can do what, as far as accessing the outside world is concerned. Putting a browser on the list of allowed applications allows users to have full web access.

The Clientless Agent does allow for easy setup for thousands of users to access allowable applications, as any authenticated user can use any application put into the list.

These users can be authenticated using a variety of methods, including RADIUS, LDAP, RSA SecurID and Windows Domain. It also uses SSL, AES, DES and triple-DES encryption.

Really, the main problem with accessing through this agent is that there does not seem to be any clear way of defining a policy on who can access what – anyone who can be authenticated can use any application in the Clientless Agent.

The vendor told us that policies could be defined to allow individual and group access, but we failed to find such instructions in any of the documentation.

Also, users have to navigate through the Clientless Agent website and pick an application off the list before getting onto the internet. Another drawback with the Clientless Agent is that it only supports users accessing applications through desktops running Windows operating systems.

The vendor has another trick up its sleeve, however, with the Premium Client. This is an additional method of authentication to the ASG server that allows client applications to access the ASG transparently.

Here there is a much greater range of operating systems supported as well as more options for customizing access rules.

External users can use the remote access features to gain access to internal networks. This is done by setting up different access rules to encrypt the connection using SSL. Mobile users would have to change a few settings on their Premium Client to allow external access.

As for security, it works. We could not bypass the product once it was installed. There was no apparent way of accessing external networks without first having to authenticate ourselves to the server with the Premium Client or picking applications off the Clientless Agent website. Overall, this is a secure product and it has a lot to offer. It will take a long time to get to grips with the software as it does a lot.

Even though the browser interface is aesthetically pleasing, it could still do with a little tweaking to make everyday tasks easier to perform.

For:

Secure access for internal and external users. Server software supports a good range of operating systems.


Against:

Browser looks more intuitive than it really is.


Verdict:

A good security gateway product that is marred slightly by its interface.
