Yoggie's Gatekeeper Pro is an engineering marvel—the tiny device provides in-depth network-based threat protection for individual hosts on the go.
Yoggie has packed some serious technology into Gatekeeper Pro, which is barely larger than a business card. The 500MHz security processor was designed specifically for security functions, and the dual-memory design makes it difficult for intruders to permanently alter the embedded hardened Linux operating system: One memory unit contains a read-only copy of the device OS, which is automatically written to the second memory unit at device boot time.
With this innovative design, Gatekeeper Pro offers a variety of security solutions in a dedicated personal device. Leveraging Kaspersky Lab's anti-virus technology, Gatekeeper Pro can block the transmission of viruses and spyware before they touch the protected client machine. Integrated proxies for HTTP, FTP, SMTP and POP3 (Post Office Protocol Version 3) provide further protection to commonly exploited communications. A bi-directional firewall, IPSec (IP Security) client and IDS/IPS (intrusion detection system/intrusion prevention system) technology also are included.
The device performs spam filtering and phishing defense using MailShell's engine; Web content filtering is based on SurfControl's technology. The device also includes a protocol validation engine, which Yoggie calls Layer-8 technology, to provide a measure of defense against new or unknown attacks.
Because the protection is network-based, Yoggie (at least theoretically) eliminates many of the concerns administrators may have about host-based security solutions. Because Gatekeeper Pro is dedicated hardware, there is no need to worry about conflicting security solutions, wasted memory and CPU cycles dedicated only to security, or even the hassle of managing multiple systems.
All that said, though, Gatekeeper Pro cannot provide file system-level security—users can still get infected with malware introduced via USB thumb drives or CD/DVDs, and additional software is needed to clean existing malware. To combat this shortcoming, Gatekeeper Pro comes with a one-year subscription for Kaspersky's desktop Anti-Virus, which, of course, administrators will need to manage and may be an extraneous and unnecessary cost for companies with existing anti-virus solutions.
Each Gatekeeper Pro appliance costs $220, which includes a one-year update subscription. Update subscriptions are $40 a year per device thereafter (which includes the Kaspersky client software license). Yoggie soon will also offer a Gatekeeper Basic model for $180 that lacks the e-mail security, Web content filtering and anti-spyware capabilities that come with the Pro model.
During tests, eWEEK Labs could install Gatekeeper Pro in two different ways: inline or redirect. In inline mode, we connected one of Gatekeeper Pro's Ethernet ports to our network switch and the other to our Lenovo ThinkPad T60 test system. To power Gatekeeper Pro, we could either connect the device to the laptop's USB port or use an optional power supply.
In the inline mode, Yoggie can protect any kind of device or operating system, as it is truly a network security product. The client is actually in a NAT (Network Address Translation) subnet behind the device, isolated away from the rest of the network.
However, inline mode works only if the user is connected to the wired network, something less likely in today's wireless world. Yoggie therefore offers a redirect mode, which requires that a driver be installed on the client operating system.
At this time, Yoggie offers a driver only for Windows XP. The driver sits below the operating system's network stack, diverting all incoming data to Gatekeeper Pro (which is connected to the PC solely via USB) for verification and cleaning before handing it back to the operating system. In this manner, Gatekeeper can protect the computer whether it connects to the network via Wi-Fi, WWAN (wireless WAN), Bluetooth, or a USB- or PCMCIA-based wired connection.
The driver recognizes when the Gatekeeper device is present, and, by default, will deny the protected PC access to the network when the Gatekeeper has been removed from the USB port. Administrators can configure a password for users to enter that will bypass Yoggie security, temporarily opening up the computer to network access (and, of course, attack).
Our penetration tests showed the Gatekeeper Pro up to the task of protecting our test system from external attack. Port scanning with Nmap Security Scanner, we verified that the Gatekeeper firewall stealths all ports (rather than closing them). We did have the option to forward individual ports if the protected system hosts any services. We also found that Gatekeeper Pro successfully cleaned virus-infected files we attempted to download via FTP and HTTP, including malware compressed in Zip files.
Yoggie has worked to make Gatekeeper Pro simple to configure and manage, but this simplicity masks what the device is really doing. For instance, we could adjust the device's security from low to medium to high using a slider bar on the device's Web-based configuration GUI. Unfortunately, the on-screen display and the user documentation do nothing to describe the technical differences between the different settings, other than some vague generalizations about the trade-off between security and functionality.
According to Yoggie officials, one of the primary differences in security levels is in the firewall. In the standard Medium setting, the default behavior is to block all inbound traffic and allow all outbound connections. The High setting, on the other hand, allows outbound communications only on a few ports. (We will post more differences in settings as we find them at blogs.eweek.com/signaling_it/.)
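To make the firewall behaviour the review describes concrete, here is an nftables ruleset written as an added illustration; it is not Yoggie's own configuration, which the device does not expose. It expresses the stealthed ports and optional port forward observed in our scans, the Medium level's block-all-inbound/allow-all-outbound default, and the High level's short outbound port list for a laptop sitting in the NAT subnet behind an inline Gatekeeper. The interface names, the client address and the particular High-level port list are assumptions.

```nft
# Illustrative nftables policy modelled on the described Gatekeeper Pro
# behaviour. Not Yoggie's own ruleset. Assumed names: wan0 faces the
# network, lan0 faces the protected laptop at 10.0.0.2 (inline NAT mode).
table ip gatekeeper {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        # No "reject" rule: unsolicited probes are silently dropped, so a
        # port scanner reports every port as filtered ("stealthed") rather
        # than closed.
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Medium level: any new connection the laptop opens is allowed out.
        iif "lan0" oif "wan0" ct state new accept
        # High level (use instead of the line above): only a short outbound
        # port list, assumed here to be DNS plus the proxied protocols.
        # iif "lan0" oif "wan0" udp dport 53 accept
        # iif "lan0" oif "wan0" tcp dport { 21, 25, 80, 110, 443 } accept
        # Optional forward of one port for a service the laptop hosts
        # (paired with the dnat rule in prerouting below).
        iif "wan0" oif "lan0" ip daddr 10.0.0.2 tcp dport 3389 accept
    }

    chain prerouting {
        type nat hook prerouting priority -100;
        iif "wan0" tcp dport 3389 dnat to 10.0.0.2
    }

    chain postrouting {
        type nat hook postrouting priority 100;
        # The laptop shares the device's address toward the network.
        oif "wan0" masquerade
    }
}
```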
As mentioned above, each Gatekeeper Pro can be managed individually via the device's Web management page, but corporations should look into acquiring a Yoggie Management Server, a separate appliance used to centralize Gatekeeper policy management and reporting for an entire enterprise. Unfortunately, we were unable to acquire and test this component in time for this review.
Initially, we encountered highly sluggish behavior when Web surfing through the Gatekeeper Pro. Because the device is a Web proxy, it will do its own DNS (Domain Name System) lookups when a user requests a page. Unfortunately, the Gatekeeper Pro accepts only one DNS server entry in its configuration. If for some reason a DNS server is temporarily sluggish or out of commission, the Gatekeeper Pro will founder until DNS function is restored because the device cannot revert to a secondary DNS server as a normal client device would do.
The Gatekeeper Pro does have its limits as to the amount and types of traffic it can deal with.
The device can only scan files smaller than 10MB; administrators must choose whether to block the transmission of larger files or scan only part of files larger than that. In addition, Gatekeeper Pro has only a USB 1.1 port, which can pass a maximum of 12M bps of traffic. USB 2.0, on the other hand, theoretically supports up to 480M bps of traffic. The use of USB 1.1 could bottleneck the data connection when using redirect mode on a fast LAN segment. Yoggie officials claim the device was meant to be used on the road, where users would undoubtedly encounter slower network speeds, rather than in the office, where Yoggie's defenses would be somewhat superfluous given an enterprise's existing network defenses.
We do have some concerns about the Gatekeeper Pro's form factor. It's impressive that Yoggie has packed so much functionality into so small a device, but the small size also means it can be easily lost. The device also seems awkward dangling from the USB port on its rubber tether. We'd like to see Yoggie create a PCI Express Mini-Card form factor, then partner with laptop OEMs to embed the device in systems. Or, to improve the external version, we'd like to see Yoggie add a USB port to the appliance so users can have a measure of protection from threats borne from external hard drives.
Implementers should also be aware that Yoggie does not yet have support resources in the United States, and online help or forums are non-existent. We had to call Israel for technical support, but customers should expect reasonably quick response by emailing [email protected].
Technical Analyst Andrew Garcia can be reached at [email protected].
Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK's Security Watch blog.