Sygate Inc.'s Sygate On-Demand 2.5 provides excellent endpoint integrity assurance and new covert malware protection for remote Windows-based machines and complements existing SSL VPN or Web application implementations. However, when fully featured, On-Demand's price is significantly higher than the prices of competing solutions.
On-Demand 2.5 provides host integrity checks, an encrypted temporary work space called the Virtual Desktop, and new malware checks and network connection controls—all through an on-demand Java applet that is downloaded to users' machines as they attempt to access the protected resource.
On-Demand 2.5, which shipped last month, is significantly more expensive than competing on-demand solutions from Check Point Software Technologies Ltd. and WholeSecurity Inc. With all features enabled, a 1,000-concurrent-user license costs a whopping $45,500, roughly two to three times more expensive than some competitors. However, On-Demand 2.5 features may be purchased a la carte, so prices will vary according to feature set.
On-Demand 2.5's improved Adaptive Profiles capability let us create security policies based on where a user was connecting from and whether a machine was known or trusted. We targeted policy enforcement according to host IP address or operating system, among other things, and created policies for internal users, corporate partners, trusted machines on the road and unknown kiosks.
We installed On-Demand 2.5 in conjunction with our Microsoft Corp. Exchange Server 2003 OWA (Outlook Web Access) deployment. We installed the On-Demand Manager console directly on the OWA server itself but could also export the XML-based policy files to other machines.
On-Demand 2.5 provides its own policy-creation interface in the On-Demand Manager. The level of integration with the management consoles of third-party SSL (Secure Sockets Layer) VPN products or wireless switches varies, however, so administrators may need to use the On-Demand Manager and import the policy files to the device.
In tests, On-Demand 2.5 worked well from kiosks or other machines that prohibit administrative rights. If a recent copy of Sun Microsystems Inc.'s Java run-time engine is already installed on the remote machine, On-Demand 2.5 downloads and scans seamlessly, no matter what local rights the user has.
Rather than implement a secure browser environment, On-Demand 2.5 leverages the Virtual Desktop that provides an encrypted temporary work space not only for Web applications but also for desktop applications. After the user terminates a session or triggers an inactivity timeout, the Virtual Desktop closes and destroys almost all traces of user activity (including the Web history and cache), except for the debug log. When Connection Control is active, the debug log records all Web sites visited during the Virtual Desktop session—an issue Sygate will address in a forthcoming build, officials said.
Connection Control provides whitelists or blacklists for network resources. For instance, we configured one policy to deny access to all FTP servers from the Virtual Desktop, or we could allow traffic solely to the protected Web application.
The Malicious Code Prevention module—a feature subset of the Virtual Desktop—defends against many known keystroke loggers and screen scrapers used to intercept passwords and other critical information.
We installed several keystroke loggers on our test machines. Although On-Demand 2.5 did not notify users of the presence of the malware, the keystroke loggers couldn't capture input into the Virtual Desktop. But the fox is still in the henhouse, so to speak: We'd like to see Sygate add options to notify users of present malware—particularly for known or semitrusted machines.
Evaluation Shortlist
Check Point Software Technologies' Integrity Clientless Security: ActiveX-based control that provides better logging and notification than On-Demand but offers only a secured browser environment rather than a comprehensive virtual desktop (www.checkpoint.com)
WholeSecurity Inc.'s Confidence Online Enterprise Edition: Less reliance on signatures than competitors; also ActiveX-based (www.wholesecurity.com)
Technical Analyst Andrew Garcia can be reached at andrew_garcia@ziffdavis.com.