AppGate secures intranet access from PDAs, laptops
Product name: AppGate Mobile Client
Company name: AppGate Network Security AB
Price: From $5000 for server and 25 mobile clients
Client platforms: Sony Ericsson P800/P900 (mobile client) or Win32, *NIX, MacOS,
PPC (Java clients)
Bottom line: Can secure many intranet applications with minimal client-side
fuss.
In a nutshell: Secure Shell (SSH) authenticates and encrypts port-forwarded
applications from most handhelds/laptops to VPN-protected intranet servers.
Pros:
Using mobile and Java-based clients, covers broad set of mobile devices
No installation required for Java; no client configuration required for either
client
Robust security options, including AES encryption and PKI authentication
Cons:
Forwards single-port applications and proxies FTP, NetBIOS and SOCKS, but cannot
tunnel all IP through VPN without generic networking driver (Win XP/2000 only)
Connection status and debug aids are limited in Sony Ericsson Mobile Client
Wireless carrier's WAP gateway (or network's firewall) must permit SSH
Description:
When it comes to securing handheld traffic, IPsec VPN clients can be somewhat
difficult to find, install, and configure. Many companies are considering
alternatives that reduce client-side administration and tackle common handheld
challenges like limited bandwidth, small displays and diverse operating systems.
I recently tested the AppGate Mobile Client for Sony Ericsson P800/P900 -- one
component in AppGate's rather unique multi-platform SSH VPN.
AppGate's solution consists of VPN server software, running on Solaris or HP-UX,
and VPN client software, running on remote (wired or wireless) devices.
AppGate's client is available in several formats, including a download-on-demand
Java client for Win32, MacOS, *NIX, Pocket PC and Sharp Zaurus. I tested the
Java client briefly, but focused my attention on AppGate's mobile client: a
Symbian-based application that can be installed on Sony Ericsson wireless
phones.
Unlike most IPsec VPN clients, the mobile client requires no configuration. The
user simply launches the client, enters the VPN server's host name, login and
password (or other credentials, depending upon authentication type). Upon first
connection, the user is prompted to accept and save the server's public key.
While connected, specific application ports are forwarded over an encrypted,
authenticated SSH tunnel.
For example, I used T-Mobile's GPRS service to connect my P800 to a demo AppGate
Server. Based on a role associated with my identity, the server told my client
to tunnel TCP traffic sent to ports 80 and 143. At the far end of the tunnel,
the AppGate Server relayed that traffic to web and IMAP servers inside a
protected intranet. Whenever I browsed demonet.appgate.com or read e-mail from
demo.appgate.com, my HTTP and IMAP requests were compressed, AES-encrypted, and
forwarded to the AppGate Server. But when I browsed other sites or used other
protocols, traffic was sent over the Internet in the usual fashion. These port
forwards and protection suites were determined by the AppGate Server,
simplifying client setup and preventing user misconfiguration.
Simple GUIs are wonderful when all goes well but can be frustrating when
something goes awry. My P800 was originally provisioned to use a T-Mobile WAP
gateway that blocked SSH (port 22). But all I could tell was that my request
timed out -- carrier assistance was needed to identify the culprit. Fortunately,
re-pointing my P800 to an alternate WAP gateway did the trick. I also found it
hard to tell when my VPN connection was disrupted, because no status indicator
is visible when using other applications over the VPN connection. I applaud
AppGate for keeping the mobile client simple ("lite"), but would prefer having a
little more information. On other platforms, the Java client does present more
detail, both before and during VPN connections.
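A blocked port 22 that shows up only as a timeout can be told apart from other connection failures with a small probe run from the same network path as the client. This is an added example, not AppGate tooling or part of the original review; the function name probe_ssh and the host vpn.example.com are assumptions made for illustration.

```python
import socket


def probe_ssh(host, port=22, timeout=5.0):
    """Classify why an SSH connection attempt succeeds or fails.

    Returns (status, detail) where status is one of:
      "ssh"      - TCP connected and the peer sent an SSH identification string
      "not-ssh"  - TCP connected but no SSH banner was in the first data
      "silent"   - TCP connected but nothing arrived before the timeout
      "refused"  - a TCP reset came back (closed port or rejecting firewall)
      "filtered" - no answer at all: packets are being dropped on the path
      "dns"      - the host name did not resolve
      "error"    - any other socket error
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror as exc:
        return "dns", str(exc)
    except socket.timeout:
        return "filtered", "no reply within %.1fs" % timeout
    except ConnectionRefusedError:
        return "refused", "TCP reset received"
    except OSError as exc:
        return "error", str(exc)
    with sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(255)  # the SSH identification line is at most 255 bytes
        except socket.timeout:
            return "silent", "connected, but no banner"
        except OSError as exc:
            return "error", str(exc)
    lines = [l.strip().decode("ascii", "replace") for l in data.splitlines()]
    for line in lines:  # a server may send other lines before its version string
        if line.startswith("SSH-"):
            return "ssh", line
    return "not-ssh", (lines[0] if lines else "connection closed without data")


if __name__ == "__main__":
    import sys
    # vpn.example.com is a placeholder; pass the real VPN server name instead.
    target = sys.argv[1] if len(sys.argv) > 1 else "vpn.example.com"
    print(target, *probe_ssh(target))
```

A "filtered" result points at a gateway or firewall silently dropping the traffic, while "not-ssh" suggests a proxy is answering on the port in place of the VPN server.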
I only tested password authentication, but AppGate supports a slew of methods,
including certificates, raw public keys, two-factor tokens (SecurID) and smart
cards (Telia EID). In addition to AES, AppGate supports 3DES, Arcfour, and
Blowfish encryption. A compression option can reduce bytes transmitted over
slower or metered networks where bandwidth is at a premium. To learn more about
AppGate security and supported platforms, consult this white paper.
Increasingly, mobile devices like the Sony Ericsson P800 and P900 (its
just-announced successor) are being paired with third-party software to enable
secure access to enterprise applications and company networks. Many companies
are familiar with IPsec and SSL VPN products but may overlook SSH-based
alternatives like AppGate. If you need to secure specific intranet applications
with minimal client setup on a variety of mobile devices, then be sure to take a
look at AppGate.
About the author: Lisa Phifer is vice president of Core Competence, Inc., a
consulting firm specializing in network security and management technology. She
is also a site expert to SearchMobileComputing.com and SearchNetworking.com.