By Andrew Garcia  |  Posted 2005-05-30

Sygate Inc.'s Sygate On-Demand 2.5 provides excellent endpoint integrity assurance and new covert malware protection for remote Windows-based machines and complements existing SSL VPN or Web application implementations. However, when fully featured, On-Demand's price is significantly higher than the prices of competing solutions.

On-Demand 2.5 provides host integrity checks, an encrypted temporary work space called the Virtual Desktop, and new malware checks and network connection controls—all through an on-demand Java applet that is downloaded to users' machines as they attempt to access the protected resource.

On-Demand 2.5, which shipped last month, is significantly more expensive than competing on-demand solutions from Check Point Software Technologies Ltd. and Whole Security Inc. With all features enabled, a 1,000-concurrent-user license costs a whopping $45,500, roughly two to three times more expensive than some competitors. However, On-Demand 2.5 features may be purchased a la carte, so prices will vary according to feature set.

On-Demand 2.5's improved Adaptive Profiles capability let us create security policies based on where a user was connecting from and whether a machine was known or trusted. We targeted policy enforcement according to host IP address or operating system, among other things, and created policies for internal users, corporate partners, trusted machines on the road and unknown kiosks.

We installed On-Demand 2.5 in conjunction with our Microsoft Corp. Exchange Server 2003 OWA (Outlook Web Access) deployment. We installed the On-Demand Manager console directly on the OWA server itself but could also export the XML-based policy files to other machines.

On-Demand 2.5 provides its own policy-creation interface in the On-Demand Manager. The level of integration with the management consoles of third-party SSL (Secure Sockets Layer) VPN products or wireless switches varies, however, so administrators may need to use the On-Demand Manager and import the policy files to the device.

In tests, On-Demand 2.5 worked well from kiosks or other machines that prohibit administrative rights. If a recent copy of Sun Microsystems Inc.'s Java run-time engine is already installed on the remote machine, On-Demand 2.5 downloads and scans seamlessly, no matter what local rights the user has.

Rather than implement a secure browser environment, On-Demand 2.5 leverages the Virtual Desktop that provides an encrypted temporary work space not only for Web applications but also for desktop applications. After the user terminates a session or triggers an inactivity timeout, the Virtual Desktop closes and destroys almost all traces of user activity (including the Web history and cache), except for the debug log. When Connection Control is active, the debug log records all Web sites visited during the Virtual Desktop session—an issue Sygate will address in a forthcoming build, officials said.

Connection Control provides whitelists or blacklists for network resources. For instance, we configured one policy to deny access to all FTP servers from the Virtual Desktop; alternatively, we could allow traffic solely to the protected Web application.

The Malicious Code Prevention module—a feature subset of the Virtual Desktop—defends against many known keystroke loggers and screen scrapers used to intercept passwords and other critical information.

We installed several keystroke loggers on our test machines. Although On-Demand 2.5 did not notify users of the presence of the malware, the keystroke loggers couldn't capture input into the Virtual Desktop. But the fox is still in the henhouse, so to speak: We'd like to see Sygate add options to notify users of present malware—particularly for known or semitrusted machines.


Andrew cut his teeth as a systems administrator at the University of California, learning the ins and outs of server migration, Windows desktop management, Unix and Novell administration. After a tour of duty as a team leader for PC Magazine's Labs, Andrew turned to system integration - providing network, server, and desktop consulting services for small businesses throughout the Bay Area. With eWEEK Labs since 2003, Andrew concentrates on wireless networking technologies while moonlighting with Microsoft Windows, mobile devices and management, and unified communications. He produces product reviews, technology analysis and opinion pieces for eWEEK.com, eWEEK magazine, and the Labs' Release Notes blog. Follow Andrew on Twitter at andrewrgarcia, or reach him by email at agarcia@eweek.com.
