Category: Security appliance
Name of tool: NetSwift iGate and iKey
Company name: Rainbow Technologies
Price: $16,995 plus per-user fees
Platforms supported: Windows-only clients, but the browser-based Java configuration and reporting software runs on pretty much anything.
*** = Hey, not bad. One notch below very cool
Hardware-based authentication and fine-tuned access controls for intranet and extranet applications.
Pros: Simple and easy to use; offloads SSL processing from Web servers
Cons: Only Windows clients supported with iKey hardware
If you are deploying extranet Web applications, you have a choice in terms of what to do with handling user authentication. You can set up VPNs for everyone, but that involves making sure that the connections will work across various firewalls. You can set up a remote dial-in server, but that means you need enough ports. You can add your partners to your own LDAP or Active Directory entries, but that could mean a lot of work, and keeping them separate from your internal users isn't easy. You could marry your Web server to a database and password-protect particular areas of your Web site, but that is dicey if the passwords become public.
Or you could use an appliance.
What a great idea. However, there are lots of different security appliances: firewalls, Web servers, intrusion-alert systems and the like. A different take is Rainbow Technologies' NetSwift iGate box. The iGate is unusual in that it offers a way to connect authorized clients to protected Web resources. It also improves SSL performance, because it offloads SSL processing from the Web server itself, work that otherwise takes up a big chunk of the server's processing power. You don't need to run SSL on your Web server because the iGate is taking care of the security apparatus.
The appliance works with individualized USB-based hardware keys called iKeys that contain most of the crypto information for each external user. These users fire up their browser, download some small software that provides the authentication routines and insert their key into their PC's USB port (only Windows clients are supported, one drawback). After typing their PIN, they are connected to the appropriate internal Web server that their access rights allow. No muss, no fuss and no elaborate crypto infrastructure to maintain. While you can use the iGate with user names and passwords without the keys, I wouldn't recommend it. The hardware key makes it so much easier. The company calls this "reduced sign-on."
Of course, if you already have put together this elaborate crypto infrastructure, the iGate may not be an attractive choice. The hardware keys aren't cheap -- at around $50 per unit in quantity, the dollars can add up. But they do avoid assembling a messy series of software products, such as buying SSL certificates for your Web and database servers, and getting VPN credentials for your users. They also make it easier for corporations to assemble different external application pools so that conflicting user groups don't get into each other's networked applications. That is the good news.
Setup of the iGate took about two hours, and most of that time was fooling around with getting the right version of the Java Virtual Machine installed on my Windows XP desktop (thanks to Microsoft for making that a chore). Once set up, access to my Windows IIS Web server was blocked for non-authenticated users and allowed for the authenticated ones. The iGate operates in two different modes. The simplest is called one-arm mode, whereby the unit is just another network node. The more sophisticated and secure mode is called IP mode, which activates separate LAN and WAN Ethernet interfaces on the front of the box. In this mode, the iGate can be placed outside of the normal LAN traffic pattern, isolating the Web application traffic.
You can fine-tune the iGate as carefully as you'd like: it can protect entire domains, particular directories and anything in between. For enterprises that are looking to deploy external Web applications securely, it deserves a closer look.
**** = Very cool, very useful
*** = Hey, not bad. One notch below very cool
** = A tad shaky to install and use but has some value.
* = Don't waste your time. Minimal real value.
About the author
David Strom is the senior technology editor for VAR Business magazine. He has tested hundreds of computer products over the past two decades working as a computer journalist, consultant and corporate IT manager. Since 1995 he has written a weekly series of essays on Web technologies and marketing called Web Informant. You can send him e-mail at firstname.lastname@example.org.