Rainbow's NetSwift iGate Closes the Door on Internet Bad Guys

Flexible access-control configuration options let administrators enable password-based in addition to token-based authentication. This is helpful if users have lost their keys or need only temporary access. Access to resources can be provisioned by user or group. The management tool, the Access Control Manager (ACM), lets you import users from a Windows domain or configure them manually.

Clients will need to provide a driver to handle communication with the USB key; Windows 2000, NT 4.0, 9x, ME and XP are the supported platforms. No Mac or Linux support is offered yet, but given that most mobile employees will be running a Windows-based platform, this shouldn't be too much of a problem. You'll need a certificate for the appliance to provide SSL-enabled access and a Windows-based machine with at least USB 1.0 support to run the ACM.

The price of the iGate, $9,995 for the appliance and 50 user licenses, makes it a somewhat expensive alternative to a traditional VPN solution. Aside from the cost, which could be justified, the product has two significant shortcomings to consider. It supports Web-based resources only, and--here's the biggie--mobile users need reachable USB ports. If your remote employees require access to additional services, this is not the solution for you.I test drove a beta version of the iGate in our Real-World Labs® in Green Bay, Wis. My previous experience with Rainbow's NetSwift 2012 SSL Accelerator (see sneak preview, "Rainbow Scores a SSLam Dunk with NetSwift2012") made setting up the appliance a breeze, though the much improved Web-based GUI and addition of wizards should guide the uninitiated through the process with little consternation.

The appliance supports three physical network configuration options: in-line, IP mode and one-arm (see screen, above). Multiple domains and certificates are also supported. After specifying the IP address of the unit and the virtual IP address--the public address clients will use to access the Web server--I added a single back-end Web server. Multiple back-end Web servers can be supported with traditional load-balancing algorithms to provide high availability.

Next, I started up the ACM and set up resources and users. The ACM is a fairly simple, Java-based application. It offers management of users and resources, configuration of access control mechanisms as well as the backup and restoration of the appliance configuration files. It also can manage multiple iGate appliances. I connected to the appliance, and its configuration was autoloaded into the ACM.

I configured five users (user1 through user5) and created two groups: "Even users" and "Odd users." I then added users to each group. User configuration allows individual settings for authentication and includes options for token only, password only, or token and password. Passwords must be set with an expiration date. I'd like to see a "number of uses" feature also allowed for special circumstances. There are occasions you want to grant one-time access, such as when downloading a file. As handing out a costly token for one use doesn't make good business sense, this option would be an attractive one.

Once the users are configured, tokens are made on a batch or an individual basis. Selecting all the users and choosing to process them in batch mode brings up a dialog with the list of users to be processed and instructions. Pop a key in, and the application senses the insertion and writes the appropriate token to the key. When it finishes, pop the key out, and the user is removed from the list. Although this is a tedious task, processing of this magnitude should need to be performed only once.I set up a resource for the Web server residing behind the iGate appliance--www.test.com, which was locally configured to point to the virtual IP address served by the iGate appliance--and allowed access to only users in the "Even users" group. Once the configuration was complete, I uploaded the configuration to the appliance. Then I had to try it all out.

I started up Internet Explorer and tried to load www.test.com. A dialog instructed me to plug in my key or hit cancel to use a user name/password. On initial use of the key, I was asked to supply a PIN, which is not configured by the ACM. This is the only password that needs to be remembered and is provided to prevent a theft.

Once the PIN was configured, I was presented with the requested resource, as expected. What happened in the background was a challenge-response. The token on the key is actually a shared secret, which is used by the client to create a hashed value. The appliance also knows the shared secret and will create a hash based on that secret. The client sends the hashed value to the appliance, and it is compared. If they match, authentication is granted. Because a password is never transmitted, token-based systems are considered more secure than authentication systems that transmit a password, even if the latter uses encryption.

I pulled out the key and the ActiveX control sensing the event and loaded a "logged out" page into my browser. The browser plug-ins will sense both the removal of the key as well as the expiration of a time-out value that is configured on the appliance and will react by logging the user out of the resource and replacing the location with a notification page. This helps you deal with users who habitually leave browser windows open.

I inserted the key for user3 and attempted to access www.test.com again. This time I was denied, as expected. Resources can be configured based on domain, directory or rudimentary pattern matching on the URI.The iGate solution is an easy-to-manage alternative for providing secure, remote access to Web-based resources--both for mobile employees and for business partners. For more complex remote access environments, however, you'll need to continue using a VPN or other more robust solution.

Technology editor Lori MacVittie has been a software developer and a network administrator. Most recently, she was a member of the technical architecture team for a global transportation and logistics organization. Send your comments on this article to her at [email protected].