AEP SureWare A-Gate AG-600
Price: $8,995/400 users
The appliance provides clientless access to HTTP and Windows Terminal Server apps and full access to client-server apps from Windows XP/2000 clients. It has four Ethernet interfaces, features high availability and session-level failover and handles 400 simultaneous connections. Enterprises will appreciate its capacity to cluster up to 16 boxes for supporting thousands of users.
AEP packs strong security in the AG-600, which runs a hardened version of Linux. Booting the box over a serial connection initially blocks access to system resources. You'll need to set a password and options for Web-based administration, remote root logins to the network, SSH, syslog and SNMP to unlock configuration. This is a radical departure from security hardware that, once connected, and without so much as a password, allows anyone to configure network and device settings.
We launched a browser, authenticated and proceeded to solve the obfuscated text riddle, or 'completely automated public Turing test to tell computers and humans apart' (CAPTCHA) utility. CAPTCHA is an image with slightly skewed characters and numbers, designed for enhancing authentication and preventing automated attacks. You decipher and type a displayed code and enter a user name and password.
Configuration is a comprehensive process using GUI setup tabs, although the interface conspicuously lacks a help menu. We methodically assigned IP addresses to Ethernet interfaces and configured the LAN/WAN interfaces, DNS server, incoming access to port 443 (SSL) and external gateway to route traffic to the Internet.
Setting up digital certificates for authenticating users is a breeze. Clicking on the site security tab allows you to create a certificate signing request (CSR). We pasted our CSR into a VeriSign form to access a trial certificate, and, with our new SSL-site identity, we configured the remote access policy. AG-600 supports two Windows authentication options: LDAP for AD domains, and the Windows Server Message Block file sharing protocol (SMB) for old-school domain services. A-Gate also integrates with Sun LDAP and Novell NDS servers. Its RADIUS support hooks into other authentication methods, including CASQUE, Crypt-Card and SecurID. Our configuration using the internal database and Windows SMB domain authentication worked flawlessly.
AG-600 provides two modes of VPN access: A-Gate Anywhere can proxy application traffic via a Java applet, for instance, to Windows Terminal Services; the A-Gate Central is a thin-client SSL VPN that enables access to TCP/UDP applications. Users launch the client by clicking the link on the user A-Gate portal page, which is customizable to reflect the user's branding. Establishing WAN access to these services was an easy configuration of A-Gate's host MySQL database, server names and IP addresses. But adding the Anywhere Web servers to the remote access configuration, and again in the portal page, was bothersome; an automated mechanism would be easier.
Policy configuration was a challenge. While we easily defined an HTTP global access policy for authenticated users, the GUI made it tough to configure more granular access control rules. It's confusing to decipher how menu branches relate to others in the tree. A more intuitive grid or matrix for defining devices, URL strings as services and authorized users/groups would be simpler.
While AG-600's granular policy and portal elements could use some tweaking, this hardcore appliance provides enviable security defaults and convenient access to sensitive applications.
About the author
George Wrenn, CISSP (firstname.lastname@example.org), is a technical editor for Information Security and a security director at a financial services firm. He's also a fellow at the Massachusetts Institute of Technology.
This review originally appeared in Information Security magazine.
This was first published in August 2005