InfoExpress CyberGatekeeper LAN

InfoExpress' CyberGatekeeper LAN is thorough, if tedious to configure.

February 13, 2004


A single CyberGatekeeper LAN enforces security-policy compliance for up to 2,000 users. For more users, you'll need multiple boxes. Likewise, if you have more than one protected VLAN on your network, you'll need to use a separate CyberGatekeeper LAN on each, because each device can identify only one VLAN as protected. Agent software, installed on every end node, checks in with the CyberGatekeeper LAN and downloads updated security policies as they're issued.

During initial configuration, you give the CyberGatekeeper LAN the VLAN IDs of the PLAN (protected VLAN) and the RLAN (restricted VLAN). A client that connects to the network lands on the RLAN subnet and receives a DHCP-assigned address there, then checks in with the CyberGatekeeper LAN.

[Figure: CyberGatekeeper Setup]

If the client complies with the security policies assigned to it, the switch is directed to move the user's port into the PLAN, and the client then requests a new IP address from the PLAN DHCP server. The CyberGatekeeper LAN communicates with the switch via SNMP, telnet or SSH (Secure Shell). With telnet or SSH, the box logs in to the switch, supplies the password, enters port configuration and issues a VLAN change command. The switch I used didn't have SSH enabled, so I used SNMP management, and the product worked as advertised. Keep in mind that telnet and SNMPv1/v2c carry those switch credentials in cleartext, so the management path between the appliance and the switches deserves its own protection.


After I set up the CyberGatekeeper LAN's IP, I entered the management IP addresses and passwords for all my switches into the device, then designated which switch ports should have enforcement enabled. (You don't want enforcement on ports for routers, switch uplinks and nodes that don't need policy management.) I found the process tedious, because it had to be done manually for each switch; I would have preferred some automation for bulk switch imports or integration with management software.

If you plug a hub or switch into an enforced port to wire in multiple computers, the CyberGatekeeper LAN detects multiple MAC (Media Access Control) addresses on that port. You can configure the appliance to allow this as long as every agent connected behind the port is in compliance, or to disallow unauthorized switch installation entirely.



CYBERGATEKEEPER LAN 2.0, starts at $9,995. InfoExpress, (650) 623-0260.

I tested this functionality with two laptops, one compliant, the other not. First, I connected a small switch to my main switch using an uplink cable. I connected the compliant laptop to the small switch, and it accessed the PLAN. Next, I plugged in my noncompliant laptop, which caused the CyberGatekeeper LAN to place the port on the main switch into the RLAN, thus restricting both laptops. When I put the noncompliant laptop into compliance, both machines could access the PLAN.

Likewise, if a user unplugs his or her machine and someone else plugs into the port, an SNMP trap is sent from the switch to the CyberGatekeeper LAN, which tells the switch to move the port to the RLAN.

You also can bind a single MAC address to a port. I tested this by binding a laptop's MAC to a port and then trying a different, compliant laptop on that port; because its MAC wasn't the bound one, the port was moved to the RLAN.

One downside to this technology is that you need managed switches. If an unmanaged switch hangs off an enforced port, any one policy-noncompliant computer behind it takes everyone on that port offline.
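The port-level decisions described across the preceding tests (a compliant node reaching the PLAN, one noncompliant MAC restricting a whole hub port, MAC-to-port binding, and a link-change trap resetting a port) are easier to reason about as a small state machine. The following model is an added example written for this article, not InfoExpress code; the VLAN numbers, port names and MAC addresses are constructed, and the rule that an agentless MAC counts as noncompliant is this model's assumption, not something the review states.

```python
"""Port-level enforcement decisions as the review describes them.

Added model for this article, not InfoExpress code. It reproduces the observed
behaviour (compliant node -> PLAN, one noncompliant MAC restricts the port,
MAC-to-port binding, link-change trap) with hypothetical names and numbers.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

PLAN = 100  # protected VLAN id (assumed value)
RLAN = 200  # restricted VLAN id (assumed value)


@dataclass
class Port:
    name: str
    enforce: bool = True              # False for routers, uplinks, unmanaged nodes
    allow_multi_mac: bool = True      # tolerate a hub/switch behind the port?
    bound_mac: Optional[str] = None   # optional MAC-to-port binding
    macs: Set[str] = field(default_factory=set)  # MACs currently seen on the port
    vlan: int = RLAN                  # VLAN last pushed; enforced ports start restricted


def decide_vlan(port: Port, compliant: Dict[str, bool]) -> Optional[int]:
    """Return the VLAN to push to the switch, or None to leave the port alone.

    `compliant` maps MAC -> last agent check-in result. A MAC that never checked
    in is treated as noncompliant (assumption), so agentless devices stay restricted.
    """
    if not port.enforce:
        return None                          # never touch unenforced ports
    if not port.macs:
        return RLAN                          # nothing connected yet
    if len(port.macs) > 1 and not port.allow_multi_mac:
        return RLAN                          # unauthorized hub/switch on the port
    if port.bound_mac is not None and port.macs != {port.bound_mac}:
        return RLAN                          # a different machine, compliant or not
    if all(compliant.get(mac, False) for mac in port.macs):
        return PLAN                          # every node on the port passed
    return RLAN                              # one failure restricts the whole port


def on_checkin(port: Port, mac: str, is_compliant: bool,
               compliant: Dict[str, bool]) -> int:
    """An agent behind `port` reported its compliance state."""
    port.macs.add(mac)
    compliant[mac] = is_compliant
    new_vlan = decide_vlan(port, compliant)
    if new_vlan is not None:
        port.vlan = new_vlan                 # here the appliance would push SNMP/CLI
    return port.vlan


def on_link_change(port: Port, compliant: Dict[str, bool]) -> int:
    """Switch sent a link-down/link-up trap: forget the old node, restrict the port."""
    for mac in port.macs:
        compliant.pop(mac, None)
    port.macs.clear()
    port.vlan = RLAN
    return port.vlan


def hub_test() -> List[int]:
    """Replay the two-laptop hub test: compliant, then noncompliant, then fixed."""
    compliant: Dict[str, bool] = {}
    port = Port("FastEthernet0/12")          # hypothetical port name
    good, bad = "00:aa:00:00:00:01", "00:aa:00:00:00:02"  # constructed MACs
    return [
        on_checkin(port, good, True, compliant),   # only the good laptop: PLAN
        on_checkin(port, bad, False, compliant),   # bad laptop joins: both to RLAN
        on_checkin(port, bad, True, compliant),    # bad laptop remediated: PLAN
    ]


def mac_binding_test() -> int:
    """A compliant laptop on a port bound to a different MAC stays in the RLAN."""
    compliant: Dict[str, bool] = {}
    port = Port("FastEthernet0/13", bound_mac="00:aa:00:00:00:01")
    return on_checkin(port, "00:aa:00:00:00:03", True, compliant)


def port_swap_test() -> List[int]:
    """Unplug a compliant node, plug in another: the trap restricts the port first."""
    compliant: Dict[str, bool] = {}
    port = Port("FastEthernet0/14")
    first = on_checkin(port, "00:aa:00:00:00:01", True, compliant)
    after_trap = on_link_change(port, compliant)
    newcomer = on_checkin(port, "00:aa:00:00:00:04", False, compliant)
    return [first, after_trap, newcomer]
```

The `decide_vlan` rules are evaluated in order, which is why the MAC-binding check sits before the compliance check: a machine that is compliant but not the bound one still lands in the RLAN, exactly as the binding test above showed. The unmanaged-switch downside follows from the same rule set: every MAC behind one enforced port shares that port's fate.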

For reporting and logging, CyberGatekeeper can send event information to a syslog server or via SNMP. Moreover, it has a limited built-in report center that you can access through a Web browser. From here, you can see which nodes are connected, dig into denied sessions, and check out application usage and system logs. You can also see to which switch and ports a node is connected.

Policy Files

Policies are a series of checks for conditions based on process name, file size, checksums, dates, version numbers, file presence, registry settings, OS version, computer name, IP address and config file settings. If any policy condition fails, the client is declared noncompliant.

Multiple policies can be created, each tailored to a different set of conditions. For example, you can have one policy take effect for all Windows 98 users and a different policy for Windows 2000 users who have Microsoft IIS installed.

You can have a pop-up message displayed on the user's machine when he or she goes out of compliance. This pop-up may explain why the machine is out of compliance or list steps to correct the problem. Depending on how much control you have over your systems, the help desk may receive a few more calls, because the CyberGatekeeper agent doesn't fix or restore compliance by itself.

Policies can be tailored only to attributes of the end-node system; you can't create policies that take effect because a user is on a specific VLAN or port. You can, however, create policies based on an IP address range, and those policies can be exported to all the CyberGatekeeper products on your network.
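To make the policy model concrete, here is an added example for this article of how policy selection and check evaluation fit together: a host's inventory (OS, running processes, files, registry values, IP address) picks the first matching policy, that policy's checks run, and any failures become the text for the pop-up. This is not the CyberGatekeeper policy file format; the policy names, process names, paths, registry key and subnet are hypothetical, the host inventories are constructed by hand, and treating a host no policy matches as noncompliant is this example's choice, not something the review states.

```python
"""Policy files modelled as data: select the policy that applies to a host,
run its checks, and collect the reasons shown in the pop-up.

Added example for this article, not the CyberGatekeeper policy format. Every
name, path, registry key and subnet below is hypothetical; the host
inventories are constructed the way an agent would report them.
"""
import hashlib
import ipaddress
from typing import List, Optional, Tuple


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


# Each check is (check type, target, expected value, message for the pop-up).
POLICIES = [
    {   # Windows 2000 hosts running IIS get the strictest policy
        "name": "win2000-iis",
        "applies": {"os": "Windows 2000", "process": "inetinfo.exe"},
        "checks": [
            ("process_running", "avsvc.exe", None,
             "Antivirus service is not running; start it from Services"),
            ("file_checksum", r"C:\Program Files\AV\vscan.dat",
             sha1_hex(b"sig-2004-02-10"),
             "Antivirus signatures are out of date; run the updater"),
            ("registry_equals", r"HKLM\SOFTWARE\Microsoft\InetStp\MajorVersion", 5,
             "IIS must be version 5"),
        ],
    },
    {   # Every Windows 98 user
        "name": "win98",
        "applies": {"os": "Windows 98"},
        "checks": [("process_running", "avsvc.exe", None,
                    "Antivirus service is not running; start it from Services")],
    },
    {   # A policy keyed on an address range rather than on the OS
        "name": "lab-subnet",
        "applies": {"ip_range": "10.1.30.0/24"},
        "checks": [("file_present", r"C:\lab\approved.txt", None,
                    "Lab marker file is missing; contact the lab admin")],
    },
]


def policy_applies(policy: dict, host: dict) -> bool:
    cond = policy["applies"]
    if "os" in cond and host["os"] != cond["os"]:
        return False
    if "process" in cond and cond["process"] not in host["processes"]:
        return False
    if "ip_range" in cond and ipaddress.ip_address(host["ip"]) not in ipaddress.ip_network(cond["ip_range"]):
        return False
    return True


def select_policy(policies: List[dict], host: dict) -> Optional[dict]:
    """First matching policy wins, so list the most specific ones first."""
    for policy in policies:
        if policy_applies(policy, host):
            return policy
    return None


def run_check(kind: str, target: str, expected, host: dict) -> bool:
    if kind == "process_running":
        return target in host["processes"]
    if kind == "file_present":
        return target in host["files"]
    if kind == "file_checksum":
        return target in host["files"] and sha1_hex(host["files"][target]) == expected
    if kind == "registry_equals":
        return host["registry"].get(target) == expected
    raise ValueError(f"unknown check type: {kind}")


def evaluate(policies: List[dict], host: dict) -> Tuple[bool, List[str]]:
    """Return (compliant, pop-up messages). Any failed check means noncompliant.
    A host that no policy matches is treated as noncompliant (this model's choice)."""
    policy = select_policy(policies, host)
    if policy is None:
        return False, ["no policy applies to this host"]
    failures = [msg for kind, target, expected, msg in policy["checks"]
                if not run_check(kind, target, expected, host)]
    return not failures, failures


# Constructed inventories, as an agent would gather them.
HOST_W2K_IIS = {
    "os": "Windows 2000", "ip": "10.1.20.15",
    "processes": {"inetinfo.exe", "avsvc.exe"},
    "files": {r"C:\Program Files\AV\vscan.dat": b"sig-2004-02-10"},
    "registry": {r"HKLM\SOFTWARE\Microsoft\InetStp\MajorVersion": 5},
}
HOST_W2K_STALE = dict(HOST_W2K_IIS, files={r"C:\Program Files\AV\vscan.dat": b"sig-2003-12-01"})
HOST_W98 = {"os": "Windows 98", "ip": "10.1.20.40", "processes": set(), "files": {}, "registry": {}}
HOST_LAB = {"os": "Windows XP", "ip": "10.1.30.7", "processes": set(),
            "files": {r"C:\lab\approved.txt": b""}, "registry": {}}
```

Checksum checks compare a digest of the file's contents rather than a size or date, which is what makes them useful against a tampered or stale signature file; the stale host above fails only that check and gets the matching remediation message. Because the first matching policy wins, order the list from most specific (OS plus installed application) to most general (address range).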

Another big plus: Policies can be shared between CyberGatekeeper LAN and Remote appliances, which means you can manage all policies for local as well as remote users from the same location. You can't use wireless with the CyberGatekeeper LAN at this time, but if your wireless users connect to the network via VPN, you can use a CyberGatekeeper Remote for policy enforcement.

Michael J. DeMaria is an associate technology editor based at Network Computing's Syracuse University Real-World Labs. Write to him at [email protected].
