Our penetration tests showed the Gatekeeper Pro up to the task of protecting our test system from external attack. Port scanning with Nmap Security Scanner, we verified that the Gatekeeper firewall stealths all ports (rather than closing them). We did have the option to forward individual ports if the protected system hosts any services. We also found that Gatekeeper Pro successfully cleaned virus-infected files we attempted to download via FTP and HTTP, including malware compressed in Zip files.
Yoggie has worked to make Gatekeeper Pro simple to configure and manage, but this simplicity masks what the device is really doing. For instance, we could adjust the device's security from low to medium to high using a slider bar on the device's Web-based configuration GUI. Unfortunately, the on-screen display and the user documentation do nothing to describe the technical differences between the different settings, other than some vague generalizations about the trade-off between security and functionality.
As mentioned above, each Gatekeeper Pro can be managed individually via the device's Web management page, but corporations should look into acquiring a Yoggie Management Server, a separate appliance used to centralize Gatekeeper policy management and reporting for an entire enterprise. Unfortunately, we were unable to acquire and test this component in time for this review.
Initially, we encountered highly sluggish behavior when Web surfing through the Gatekeeper Pro. Because the device is a Web proxy, it will do its own DNS (Domain Name System) lookups when a user requests a page. Unfortunately, the Gatekeeper Pro accepts only one DNS server entry in its configuration. If for some reason a DNS server is temporarily sluggish or out of commission, the Gatekeeper Pro will founder until DNS function is restored because the device cannot revert to a secondary DNS server as a normal client device would do.
The Gatekeeper Pro does have its limits as to the amount and types of traffic it can deal with. The device can only scan files smaller than 10MB; administrators must choose whether to block the transmission of larger files or scan only part of files larger than that. In addition, Gatekeeper Pro has only a USB 1.1 port, which can pass a maximum of 12M bps of traffic. USB 2.0, on the other hand, theoretically supports up to 480M bps of traffic. The use of USB 1.1 could bottleneck the data connection when using redirect mode on a fast LAN segment. Yoggie officials claim the device was meant to be used on the road, where users would undoubtedly encounter slower network speeds, rather than in the office, where Yoggie's defenses would be somewhat superfluous given an enterprise's existing network defenses.
We do have some concerns about the Gatekeeper Pro's form factor. It's impressive that Yoggie has packed so much functionality into so small a device, but the small size also means it can be easily lost. The device also seems awkward dangling from the USB port on its rubber tether. We'd like to see Yoggie create a PCI Express Mini-Card form factor, then partner with laptop OEMs to embed the device in systems. Or, to improve the external version, we'd like to see Yoggie add a USB port to the appliance so users can have a measure of protection from threats borne from external hard drives.
Implementers should also be aware that Yoggie does not yet have support resources in the United States, and online help or forums are non-existent. We had to call Israel for technical support, but customers should expect reasonably quick response by emailing firstname.lastname@example.org.
Technical Analyst Andrew Garcia can be reached at email@example.com.
According to Yoggie officials, one of the primary differences in security levels is in the firewall. In the standard Medium setting, the default behavior is to block all inbound traffic and allow all outbound connections. The High setting, on the other hand, allows outbound communications only on a few ports. (We will post more differences in settings as we find them at blogs.eweek.com/signaling_it/.)