E-Gap Remote Access Appliance

Whale Communications SSL VPN Gateway, e-Gap Remote Access 3.0, incorporates access control and authentication into the GUI.

February 27, 2004


Control the Endpoint

After you set policies to limit which computers are allowed access to e-Gap, the appliance enforces those policies, checking compliance for each client computer. Policies may include the required use of specific security applications--for example, antivirus products from vendors such as Network Associates, Symantec and Trend Micro, or desktop firewalls including those from Sygate, Symantec and Zone Labs. If what you use isn't on the list of recognized products, you can ask Whale to define the application--reps told me it takes less than a week.

Screenshot: E-Gap Remote Access Appliance

The product's application-detection feature can determine whether a product is running, which version it is and when it was last updated. You can also direct e-Gap to look for digital certificates on the client and the Attachment Wiper--an ActiveX component that clears the browser and other caches of temporary files. The Attachment Wiper, policy-compliance checker and SSL VPN client are all downloaded when the user connects to e-Gap.

I wanted to create an access policy that would let remote users request a digital certificate from our Microsoft Certificate Server. I went into e-Gap's policy editor and, using simple Boolean logic, configured the appliance to make sure the user's computer didn't have a known digital certificate, that the Attachment Wiper was operating, and that valid antivirus software was running. Next, I connected to e-Gap and successfully accessed the certificate server with a client that met the criteria. I then logged off e-Gap, disabled Norton AntiVirus, reconnected to e-Gap and tried to access the certificate server again. My attempt failed because my antivirus software wasn't running as required. Unfortunately, e-Gap checks for policy compliance only at the opening of an SSL VPN session. In other words, if your antivirus program stops running later in the session, e-Gap won't detect the change. This is scary, as one of MyDoom's tricks is to disable antivirus and firewall software.

My fears were confirmed when I disabled Norton AntiVirus in midstream. I was able to connect to the certificate server without a hitch. Whale must ensure that e-Gap can continuously monitor the status of critical programs and disable access to the VPN if the computer falls out of compliance; otherwise, the protection value is negligible.

Another drawback is that e-Gap's policy enforcement is available only with ActiveX on Microsoft desktops. While Internet Explorer on Windows is the leading browser in desktop deployments, the lack of support for any other browser is unfortunate.

On the plus side is version 3.0's ability to enforce policies on a per-session and per-application basis. Two-tiered policy configuration lets you establish a minimum set of requirements that a client browser must meet for basic operations (for instance, reading e-mail or surfing the corporate intranet) and a more stringent set of requirements for more sensitive activities (for example, uploading and downloading files, or using terminal applications like Citrix or Terminal Services).

To test the two-tiered access feature, I first configured the default global policy to grant portal-page access to any authenticated user. I then applied our more stringent access policy, requiring the antivirus software and the Attachment Wiper to be activated in order to connect to my certificate server. Two-tiered policy configuration is also ideal when you want access to be based on the user's location and IP address. That kind of flexibility puts granular control in your hands.
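To make the two points above concrete, here is an added example in Python, not Whale's code and not anything e-Gap exposes: a toy policy engine that evaluates Boolean expressions over attributes reported by a client-side compliance checker, with a lenient global policy gating the portal and a stricter per-application policy gating the certificate server. The session class contrasts the 3.0 behaviour (compliance checked once at logon) with re-checking the client's current state on every request, reproducing the disabled-antivirus test. The attribute names, policy syntax, recognised-product list and client states are all assumptions made for the example.

```python
"""Added example: e-Gap-style endpoint policy evaluation (toy model)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class ClientState:
    """Constructed snapshot of what a downloaded compliance checker might report."""
    authenticated: bool = False
    av_product: str = ""              # detected product name, "" if none found
    av_running: bool = False
    av_signature_age_days: int = 999
    wiper_running: bool = False       # Attachment Wiper ActiveX component active
    has_known_cert: bool = False      # a recognised client certificate is present


# Assumed list of products the checker can identify (the vendor list is the review's).
RECOGNISED_AV = {"Norton AntiVirus", "McAfee VirusScan", "Trend Micro OfficeScan"}


def check(name, state):
    """Leaf checks; each returns True when the attribute meets the requirement."""
    if name == "authenticated":
        return state.authenticated
    if name == "av_recognised":
        return state.av_product in RECOGNISED_AV
    if name == "av_running":
        return state.av_running
    if name == "av_updated":
        return state.av_signature_age_days <= 7   # assumed freshness window
    if name == "wiper_running":
        return state.wiper_running
    if name == "has_known_cert":
        return state.has_known_cert
    raise ValueError(f"unknown check {name!r}")


def evaluate(policy, state):
    """Evaluate a policy: a check name, or a tuple ("and"|"or"|"not", *subpolicies)."""
    if isinstance(policy, str):
        return check(policy, state)
    op, *args = policy
    if op == "and":
        return all(evaluate(p, state) for p in args)
    if op == "or":
        return any(evaluate(p, state) for p in args)
    if op == "not":
        (sub,) = args
        return not evaluate(sub, state)
    raise ValueError(f"unknown operator {op!r}")


# Tier 1: any authenticated user may see the portal page.
GLOBAL_POLICY = "authenticated"
# Tier 2: the certificate server additionally requires a recognised, running,
# up-to-date AV product, the Attachment Wiper, and no existing certificate.
APP_POLICIES = {
    "portal": GLOBAL_POLICY,
    "certsrv": ("and", GLOBAL_POLICY, "av_recognised", "av_running", "av_updated",
                "wiper_running", ("not", "has_known_cert")),
}


class Session:
    """Gateway session. `recheck=False` evaluates the logon-time snapshot only
    (the 3.0 behaviour); `recheck=True` evaluates the client's current state."""

    def __init__(self, initial_state, recheck=False):
        if not evaluate(GLOBAL_POLICY, initial_state):
            raise PermissionError("global policy failed at logon")
        self.snapshot = initial_state    # what the checker reported at logon
        self.state = initial_state
        self.recheck = recheck

    def update_state(self, **changes):
        """Simulate something changing on the endpoint mid-session (e.g. AV killed)."""
        self.state = replace(self.state, **changes)

    def access(self, app):
        state = self.state if self.recheck else self.snapshot
        return evaluate(APP_POLICIES[app], state)


def demo():
    """Reproduce the review's test: compliant at logon, AV disabled mid-session."""
    compliant = ClientState(authenticated=True, av_product="Norton AntiVirus",
                            av_running=True, av_signature_age_days=1, wiper_running=True)
    logon_only = Session(compliant, recheck=False)
    continuous = Session(compliant, recheck=True)
    results = {"before": (logon_only.access("certsrv"), continuous.access("certsrv"))}
    for s in (logon_only, continuous):
        s.update_state(av_running=False)
    results["after_av_killed"] = (logon_only.access("certsrv"), continuous.access("certsrv"))
    return results


if __name__ == "__main__":
    print(demo())   # {'before': (True, True), 'after_av_killed': (True, False)}
```

The `after_av_killed` result is the whole story: with a logon-time snapshot the certificate server stays reachable after the antivirus product is stopped, and only the re-checking session denies it. A real gateway would have the client component re-report on a timer or on each request and would tear the session down, not merely refuse the application.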

Negotiating Authentication

Version 3.0 introduces streamlined, graded authentication. E-Gap uses repositories to define which servers will verify users. The product supports a wide variety of authentication servers, including Active Directory, NetWare and Windows NT, reached over HTTP, LDAP, RADIUS and TACACS (Terminal Access Controller Access Control System).

Good

  • Global- and application-based access control

  • In-depth analysis of client configuration

  • Well-implemented two-tier authentication

Bad

  • No continuous monitoring for compliance

  • ActiveX support only

  • Logging sorely lacking

  • Custom form authentication requires extensive file editing

E-GAP REMOTE ACCESS APPLIANCE, starts at $23,000. Whale Communications, (877) 659-4253, (201) 947-9177. www.whalecommunications.com

If various repositories are defined, you can write a policy requiring authentication by multiple methods or by a system of the user's choosing. Once the user logs in, e-Gap will cache the credentials and use them whenever a Web application or a supported application requests authentication.

To test this graded approach, I defined two authentication realms: Low and High, both Active Directories. All users who authenticated to e-Gap used the Low repository. I wanted to have a separate authentication for a specific Web server, so in the application definition, I selected the High repository. When I tried to access the Web server, I was prompted to give credentials for the High repository and was granted access--all that without having to modify files!

Earlier versions of e-Gap offered support for group-based access controls, but the addition of two-tiered authentication is a huge step forward.

Wrap e-Gap

Also new to e-Gap is form-based login support. Some Web applications return a 401 status code, which tells the browser to prompt the user for credentials before allowing access to the site. You can configure e-Gap to cache those credentials by default and use them as needed for single sign-on to Web sites. Login forms, however, need custom support so that e-Gap knows how to process them and client-to-Web-server integrity remains intact. E-Gap ships with support for a few applications that use Web-based form authentication, such as Citrix MetaFrame. You can define custom applications by editing an XML file to supply information such as form field names and what a successful response from the Web server should look like.

Unfortunately, I didn't see any improvements in e-Gap's logging and troubleshooting capabilities. Still, version 3.0 adds a lot of needed features in an intuitive and useful way.

Mike Fratto is editor of Secure Enterprise, and a contributing editor to Network Computing. Write to him at [email protected].

How e-Gap Handles Login Forms

Whale Communications' e-Gap Remote Access 3.0 ensures client-to-Web sessions remain intact by inserting JavaScript that automatically submits a completed form from the user's browser. When a user attempts to access a site that uses a form-based application, the e-Gap presents the user with a form that has the necessary authentication fields. The user submits the form to the e-Gap, and the e-Gap fills in the form from the Web server. It then sends the form to the client browser with embedded JavaScript that automatically submits the form when the page loads. When the e-Gap gets the automatically submitted form from the browser, it forwards it on to the Web server.

The Web server authenticates the user and returns a response to the e-Gap, which checks to ensure the user really was authenticated. If the process is successful, the e-Gap presents the user with the application. If it is unsuccessful, it presents the user with an "access denied" page. This seems complicated, but Whale chose this method so that applications that use cookies maintain end-to-end state. Luckily, form-based authentication shouldn't have to be configured on a daily basis.
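The exchange above, and the XML application definition mentioned under "Wrap e-Gap", as an added example in Python that is not Whale's code: a constructed XML definition names the login form's user and password fields and a success pattern; the gateway fetches the origin's login form (preserving any hidden fields the server put there), fills it from the credentials cached at e-Gap logon, returns an auto-submitting page to the browser, relays the submission to the origin and vets the reply against the success pattern before releasing the application. The origin server, the XML schema, the class and function names and all sample data are assumptions for this example.

```python
"""Added example: form-based single sign-on relayed through a gateway (toy model)."""
import html
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

# Constructed application definition in the spirit of the XML file the review mentions.
APP_DEFINITION_XML = """
<application name="intranet-app">
  <login url="/login" user-field="username" pass-field="password"/>
  <success pattern="Welcome,\\s+\\w+"/>
</application>
"""


def load_app_definition(xml_text):
    """Read field names, login URL and the success regex from the XML definition."""
    root = ET.fromstring(xml_text)
    login = root.find("login")
    return {
        "name": root.get("name"),
        "login_url": login.get("url"),
        "user_field": login.get("user-field"),
        "pass_field": login.get("pass-field"),
        "success": re.compile(root.find("success").get("pattern")),
    }


class FormFields(HTMLParser):
    """Collect the action and input fields of the first <form> in a page."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self.action = a.get("action") or ""
        elif tag == "input" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


class OriginServer:
    """Constructed back end: issues a per-form token and checks a password."""

    def __init__(self):
        self.users = {"alice": "s3cret"}
        self.tokens = set()

    def get(self, path):
        token = f"tok{len(self.tokens) + 1}"
        self.tokens.add(token)
        return ('<form action="/login" method="post">'
                f'<input type="hidden" name="csrf" value="{token}">'
                '<input name="username"><input type="password" name="password">'
                '</form>')

    def post(self, path, body):
        data = {k: v[0] for k, v in parse_qs(body).items()}
        ok = (data.get("csrf") in self.tokens
              and self.users.get(data.get("username")) == data.get("password"))
        return f"Welcome, {data['username']}" if ok else "Login failed"


class Gateway:
    """The e-Gap role: caches credentials at logon and brokers the login form."""

    def __init__(self, origin, app_def):
        self.origin, self.app = origin, app_def
        self.credentials = {}          # session id -> (user, password), cached at logon

    def logon(self, session_id, username, password):
        self.credentials[session_id] = (username, password)

    def prepare_autosubmit_page(self, session_id):
        """Fetch the origin's form, fill it in, wrap it in an auto-submitting page."""
        form = FormFields()
        form.feed(self.origin.get(self.app["login_url"]))
        user, pw = self.credentials[session_id]
        form.fields[self.app["user_field"]] = user
        form.fields[self.app["pass_field"]] = pw
        inputs = "".join(f'<input type="hidden" name="{html.escape(k)}" value="{html.escape(v)}">'
                         for k, v in form.fields.items())
        return (f'<form id="sso" action="{html.escape(form.action)}" method="post">{inputs}</form>'
                '<script>document.getElementById("sso").submit();</script>')

    def relay_submission(self, page):
        """The browser auto-submits back to the gateway; forward it and vet the reply."""
        form = FormFields()
        form.feed(page)
        reply = self.origin.post(form.action, urlencode(form.fields))
        return reply if self.app["success"].search(reply) else "access denied"


def sso(username, password):
    """Run the whole exchange for one user and return what the browser finally sees."""
    origin = OriginServer()
    gw = Gateway(origin, load_app_definition(APP_DEFINITION_XML))
    gw.logon("sess1", username, password)
    page = gw.prepare_autosubmit_page("sess1")
    return gw.relay_submission(page)


if __name__ == "__main__":
    print(sso("alice", "s3cret"))   # Welcome, alice
    print(sso("alice", "wrong"))    # access denied
```

Two details carry the security weight. The hidden `csrf` token the origin issued survives the round trip because the gateway fills the origin's own form rather than synthesising one, which is why the origin's cookie- or token-bound state stays end to end; and the success pattern is what turns a 200 response into a decision, so a loose pattern (matching "Welcome" on a "Welcome, please try again" error page, say) would let the gateway release the application to a user the origin rejected.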
