Gadgets Secure PCs on Public Wi-Fi
With the proliferation of hotspots comes a security risk of intrusions onto laptops or public PC kiosks connected to public Wi-Fi networks. Two companies have unveiled a solution: Plug-in hardware devices that lock down sensitive information and secure communications over both wireless and wired networks.
Seclarity of San Francisco is introducing this week its SiNic Wireless network interface card. Also making its debut is Fireball KeyPoint, a USB token billed as a "secure mobility appliance" from vendor RedCannon Security of Fremont, California.
Both are intended to address Network administrators' concerns that malicious hackers and worms can slip past heavily fortified network perimeters through public access networks. They might compromise computers in home offices, tunnel through virtual private network sessions from compromised systems, or take advantage of wide-open public wireless hotspots like those offered by coffee house giant Starbucks. The threat has prompted vendors to pay increased attention to the issue of so-called "end point" security.
Developed with funding from the U.S. military, Seclarity's SiNic Wireless card looks like other wireless LAN cards but is actually a fully-contained, standalone Unix computer. It can send and receive standard IEEE 802.11 wireless network traffic and comes with its own embedded operating system, encryption software and firewall to secure communications to and from desktop, laptop, and server systems.
The device fits into any standard PC Card slot. It contains 32MB of memory and its own processor, which is used to manage 802.11a, b, and g traffic and encrypt and decrypt traffic using a built-in Public Key Infrastructure module. The card runs a hardened and customized version of the NetBSD operating system, as well as a custom stateful proxy firewall. It also stores and manages user access policies, says Adrian Vanzyl, Seclarity CEO.
The idea is to separate critical security functions from the operating system of the notebook, which is more complicated and vulnerable than the SiNic card. It makes security transparent to users and to applications running on the PC, reducing the likelihood that users will tamper with or disable critical security functions, Vanzyl adds.
Wireless connections to and from the SiNic card are authenticated from origin to destination, making it impossible for outsiders to "sniff" sensitive information from wireless traffic or from insecure host systems, he says.
"End point security often means restricted mobility for users--they're told they can't leave the (corporate) network, or they can't log in from Starbucks," he says. "With our solution, if a guy logs in from Starbucks and a hacker or another user tries to get to a file ... he can't, because the machine will ask for a valid certificate."
A separate management system that runs on Windows 2000 or Windows 2003 servers acts as the root PKI certificate authority for systems using the SiNic cards and also controls device enrollment in the PKI system, access policy management, software updates and auditing, he said.
Seclarity is offering SiNic wireless cards now; the company says pricing varies depending on the number of users and type of devices.
The SiNic card makes it very difficult for malicious hackers or others to capture sensitive data by offering "end to end" protection from data's point of origin to its destination, says Chris Byrnes, senior vice president for security at Meta Group. By offloading processor-intensive encryption onto a NIC, the company also sidesteps the slowdowns that often accompany encryption with software clients, Byrnes says.
That said, the SiNic card is not right for every company, Byrnes adds.
"Companies have to want to secure all their communications," he says. "Obviously, you need (secure communications) when you're going over the Internet, but there are a lot of solutions that let you secure Web-based traffic at little or no cost--like (Secure Sockets Layer)."
Companies that want to secure non-Web communications between network endpoints have a choice of many competing technologies that don't require new hardware, he notes. For example, they can choose Internet Protocol Security (IPSec) or VPNs, he says.
"Those technologies are no better or worse than (SiNic)," Byrnes says, adding that SiNic's approach might be easier for companies to manage in large deployments.
The product will be most attractive to organizations that handle large amounts of highly sensitive data across their entire operation, such as banks and government agencies, he says.
While the U.S. military is testing the first batch of SiNic cards, Seclarity is also targeting private sector companies in regulated industries such as banking and health care. The cards are available immediately and pricing varies with the number and type of cards, Vanzyl says.
For RedCannon Security, the issue isn't how to secure end-point systems but how to trust communications to and from mobile workers who are using end-point systems that are almost certainly not secure.
Fireball KeyPoint contains its own processor and either 256MB or 512MB of storage, a customized version of the Internet Explorer Web browser and e-mail client software based on Microsoft's Outlook client. With its encrypted document store, traveling employees can work securely from any PC or laptop computer, even uncontrolled public computers or over public wireless hotspots.
The KeyPoint USB security appliance is scheduled to become available July 1. A 256MB version will sell for $149 and the 512MB version, for $299 directly from RedCannon.
A data vault using 128-bit Advanced Encryption Standard (AES) file encryption allows users to encrypt and decrypt documents by dragging and dropping them into and out of the vault from a Windows desktop, says John Myung, RedCannon CEO.
When users plug the KeyPoint into a USB-equipped computer running Windows 2000 or Windows XP, RedCannon's antispyware software scans the host computer for spyware, key loggers, Trojan horse programs, and other threats, and generates a report about the machine's safety. After the initial scan, users can access the KeyPoint applications to surf or access e-mail from a central console that appears on the Windows desktop, Myung says.
The Web browser resembles IE and stores all files containing personal information, such as Web cookies and temporary Internet files, in a secure area on the appliance. The e-mail client allows mobile workers to send and receive POP3 or Web-based e-mail. The appliance uses Secure Sockets Layer to encrypt and download mail to the USB appliance instead of the host system, and users can import their contacts to the USB appliance, according to Red Cannon.
A separate Fireball manager application allows IT administrators to set access rules for KeyPoint applications, require spyware scans before enabling connections to corporate networks, recover lost or forgotten passwords, and audit Web and e-mail traffic from the device. Security policies and signed XML updates for KeyPoint devices can be downloaded from network shares or Web directories using secure HTTP.