Category: Security appliance
Name of tool: NetSwift iGate and iKey
Company name: Rainbow Technologies
Price: $16,995 plus per-user fees
URL: www.rainbow.com
Platforms supported: Windows-only clients supported, but browser Java-based configuration and reporting software runs on pretty much anything.
Strom-meter:
*** = Hey, not bad. One notch below very cool
Key features:
Hardware-based authentication and fine-tuned access controls for intranet and extranet applications.
Pros:
Simple and easy to use
Offloads SSL processing from Web servers
Cons:
Only Windows clients supported with iKey hardware
Description:
If you are deploying extranet Web applications, you have several choices for
handling user authentication. You can set up VPNs for everyone,
but that involves making sure that the connections will work across various
firewalls. You can set up a remote dial-in server, but that means you need enough
ports. You can add your partners to your own LDAP or Active Directory entries,
but that could mean a lot of work, and keeping them separate from your internal
users isn't easy. You could marry your Web server to a database and
password-protect particular areas of your Web site, but that is dicey if the
passwords become public.
Or you could use an appliance.
What a great idea. However, there are lots of different security appliances:
firewalls, Web servers, intrusion-alert systems and the like. A different take
is Rainbow Technologies' NetSwift iGate box. The iGate is fairly unique in that
it offers a way to connect authorized clients to protected Web resources. It
also is a way to improve SSL operations, because it off-loads these protocols
from the Web server itself, something that takes up a big chunk of Web
processing power. You don't need to run SSL on your Web server because the iGate
is taking care of the security apparatus.
The appliance works with individualized USB-based hardware keys called iKeys
that contain most of the crypto information for each external user. These users
fire up their browser, download a small piece of software that provides the
authentication routines and insert their key into their PC's USB port (only
Windows clients are supported, one drawback). After typing their PIN, they are
connected to the appropriate internal Web server that their access rights allow.
No muss, no fuss and no elaborate crypto infrastructure to maintain. While you
can use the iGate with user names and passwords without the keys, I wouldn't
recommend it. The hardware key makes it so much easier. The company calls this
"reduced sign-on."
Of course, if you already have put together this elaborate crypto
infrastructure, the iGate may not be an attractive choice. The hardware keys
aren't cheap -- at around $50 per unit in quantity, the dollars can add up. But
they do avoid assembling a messy series of software products, such as buying SSL
certificates for your Web and database servers, and getting VPN credentials for
your users. They also make it easier for corporations to assemble different
external application pools so that conflicting user groups don't get into each
other's networked applications. That is the good news.
Setup of the iGate took about two hours, and most of that time was fooling
around with getting the right version of the Java Virtual Machine installed on
my Windows XP desktop (thanks to Microsoft for making that a chore). Once set up,
access to my Windows IIS Web server was blocked for non-authenticated users and
allowed for the authenticated ones.
The iGate operates in two different modes. The simplest is called one-arm mode,
whereby the unit is just another network
node. The more sophisticated and secure mode is called IP mode, which activates
separate LAN and WAN Ethernet interfaces on the front of the box. In this mode,
the iGate can be placed outside of the normal LAN traffic pattern, isolating the
Web applications traffic.
You can fine-tune the iGate as carefully as you'd like: it can protect entire
domains, particular directories and anything in between. For enterprises that
are looking to deploy external Web applications securely, it deserves a closer
look.
Strom-meter key:
**** = Very cool, very useful
*** = Hey, not bad. One notch below very cool
** = A tad shaky to install and use but has some value.
* = Don't waste your time. Minimal real value.
About the author
David Strom is the senior technology editor for VAR Business magazine. He
has tested hundreds of computer products over the past two decades
working as a computer journalist, consultant and corporate IT manager.
Since 1995 he has written a weekly series of essays on Web technologies and
marketing called Web Informant. You can send him e-mail at dstrom@cmp.com.