The idea of connecting from outside the perimeter to a computer inside — sitting on someone’s desktop — is the stuff CISO nightmares are made of. It means either punching a hole in the firewall (fat chance of that in any well-secured environment) or bypassing the firewall entirely. That, many will recall, was the bane of our existence in the bad old days when employees had unauthorized desktop modems hidden behind their PCs. Today we still find the 21st century version of that: the rogue wireless access point.
Route 1, an interesting company that provides identity management services, has introduced MobiKEY, a part of their MobiNET service. MobiNET provides remote connection security and identity management for remote users in an unusual and secure manner. The MobiKEY is the enabler for the traveling user. It provides two-factor authentication and triggers deployment of an SSL connection that is pulled from the enterprise instead of being pushed into it through a tunnel or gateway.
The key to MobiNET’s secure access is two-fold. First, all connections to the internal network are from the inside out, eliminating the need for a tunnel through the firewall or for opening inbound port 443 for SSL. Second, no assets actually leave the enterprise since the user connects using a virtual desktop and all work is done on the internal computer. That means that unless the user emails something from their internal computer, nothing can leave the internal network. All work remains inside where it belongs.
How it works
When the user receives their MobiKEY, set-up is a snap. However, for large implementations, Route 1 has a provisioning portal that eases the burden of deployment and management. Once the remote software is installed, the user may designate the host computers they will access. In organizational environments those determinations will be made by the administrator. Only allowed hosts will appear on the user’s screen when they insert the MobiKEY.
When the user selects a host, the remote computer sets up a secure SSL link to MobiNET. That link carries the identity of the user, authenticated using the MobiKEY and password (two-factor authentication). The hosts that are authorized for remote use are in regular communication with MobiNET waiting for a user to request a connection. That is outbound communication so no SSL gateway is required at the work site.
As soon as the internal host is notified by MobiNET that there is an authorized MobiKEY user waiting to connect, MobiNET makes the connection and the MobiNET agent on the host delivers a virtual desktop to the user. The user then works on the internal host as if they were sitting at the console. The only data that passes through the MobiNET SSL VPN is the same data one would expect from a KVM switch: keyboard, video and mouse.
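The flow described above (outbound-only host sessions, two-factor authentication of the remote user at the broker, brokered pairing, and a relay that carries nothing but keyboard, video and mouse traffic) can be modelled in a few dozen lines. The following is an added example written for this review, not Route 1's code or protocol: the class and message names, the challenge-response scheme used for the token, and the credentials and host identifiers are all assumptions constructed for illustration. It is useful as a defender's mental model of why the design needs no inbound firewall hole and why bulk data cannot ride the session.

```python
"""Toy model of a broker-mediated, inside-out remote desktop connection.

Added example, not Route 1's code. Internal hosts keep an OUTBOUND session
open to a broker (the role MobiNET plays in the review); a remote user
authenticates to the broker with two factors (a hardware token plus a
password); the broker pairs the two sessions and relays only KVM messages.
Names, classes, the token scheme and all sample values are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Message kinds the relay is allowed to carry: the KVM channel and nothing else.
KVM_KINDS = frozenset({"key", "mouse", "video"})


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def token_sign(token_secret: bytes, challenge: bytes) -> bytes:
    """What the (assumed) hardware token computes for a broker challenge."""
    return hmac.new(token_secret, challenge, hashlib.sha256).digest()


@dataclass
class User:
    name: str
    token_secret: bytes            # secret provisioned onto the token (assumed)
    salt: bytes
    pw_hash: bytes
    allowed_hosts: set = field(default_factory=set)


class Broker:
    """Rendezvous point. Both hosts and users connect OUT to it; it listens to nobody inside."""

    def __init__(self):
        self.users = {}
        self.hosts = {}        # host_id -> messages delivered to that host agent
        self.sessions = {}     # session_id -> host_id
        self.rejected = []     # audit trail of non-KVM traffic that was dropped

    def enroll_user(self, name, password, allowed_hosts):
        salt = secrets.token_bytes(16)
        user = User(name, secrets.token_bytes(32), salt, _pbkdf2(password, salt), set(allowed_hosts))
        self.users[name] = user
        return user.token_secret   # handed to the token, never to the network

    def register_host(self, host_id):
        """Host agent opens an outbound session and waits; no inbound listener on the host."""
        self.hosts[host_id] = []

    def challenge(self):
        return secrets.token_bytes(16)

    def authenticate(self, name, password, challenge, token_response):
        """Both factors must verify; a valid token with a wrong password is denied."""
        user = self.users.get(name)
        if user is None:
            return False
        pw_ok = hmac.compare_digest(_pbkdf2(password, user.salt), user.pw_hash)
        tok_ok = hmac.compare_digest(token_sign(user.token_secret, challenge), token_response)
        return pw_ok and tok_ok

    def list_hosts(self, name):
        """Only hosts that are both allowed for this user AND currently checked in."""
        return sorted(h for h in self.users[name].allowed_hosts if h in self.hosts)

    def connect(self, name, host_id):
        if host_id not in self.list_hosts(name):
            raise PermissionError(f"{name} may not reach {host_id}")
        sid = secrets.token_hex(8)
        self.sessions[sid] = host_id
        return sid

    def relay(self, sid, kind, payload):
        """Forward a message to the paired host; anything outside the KVM channel is dropped."""
        host_id = self.sessions[sid]
        if kind not in KVM_KINDS:
            self.rejected.append((sid, kind))
            return False
        self.hosts[host_id].append((kind, payload))
        return True


def demo():
    """Walk through enrolment, host check-in, two-factor login, pairing and relay."""
    broker = Broker()
    secret = broker.enroll_user("alice", "correct horse", ["desk-42"])   # constructed
    broker.register_host("desk-42")
    broker.register_host("desk-99")                                      # not allowed for alice
    chal = broker.challenge()
    wrong_pw = broker.authenticate("alice", "wrong", chal, token_sign(secret, chal))
    auth_ok = broker.authenticate("alice", "correct horse", chal, token_sign(secret, chal))
    visible = broker.list_hosts("alice")
    sid = broker.connect("alice", "desk-42")
    try:
        broker.connect("alice", "desk-99")
        other_denied = False
    except PermissionError:
        other_denied = True
    return {
        "wrong_pw_ok": wrong_pw,
        "auth_ok": auth_ok,
        "visible_hosts": visible,
        "other_host_denied": other_denied,
        "kvm_relayed": broker.relay(sid, "key", b"ctrl+alt+del"),
        "file_relayed": broker.relay(sid, "file", b"payroll.xlsx"),
    }


if __name__ == "__main__":
    print(demo())
```

The two properties worth noticing are that the host never calls `listen()` on anything (its only network activity is the outbound check-in to the broker) and that the relay is typed: a client that tries to push a file through the session is refused, which is the mechanism behind the review's claim that only KVM data crosses the SSL link.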
There are a couple of benefits here. First, we found performance to be excellent. Working over MobiNET was no different from working at the console when we used a high speed connection. Second, the security is very good. There is no actual internal data passing over the internet or leaving the organization’s enterprise. The KVM data passes through an SSL VPN and is quite secure.
Essentially, MobiKEY turns every laptop into a thin client whenever it connects to the internal network.
Additionally, the entire process is simple to set up and manage. This is a managed service at its best. It offers good functionality and it reduces the workload on IT administrators, freeing them for other tasks. There are numerous virtual desktop infrastructure (VDI) opportunities in today’s enterprises. They range from mobile users to high risk users, such as system administrators who need to manage systems remotely.
I ran MobiKEY between two computers connecting over the internet on separate IP addresses. The connection to MobiNET was fast, authentication was clean, and the virtual desktop that was delivered was like working directly on the host console. Set-up was quick, and attacks against both computers were handled exactly as if they were not connected. The host was behind the firewall and thus was untouchable. The laptop had the protection I usually apply to it. Sniffer traces showed that the SSL connection was in place and secure.
— Peter Stephenson, with Mike Stephenson
AT A GLANCE:
Product: MobiKEY and MobiNET
Company: Route 1, Inc.
Price: $160, includes a cryptographic smartcard, plus 30 days of free access to TruOFFICE. Volume pricing is available. Subscription to TruOFFICE is $20 a month.
What it does: Allows remote and mobile users to connect to the organization's IT resources from outside the perimeter without compromising in-place protection for the organization's information infrastructure.
What I liked: This product is effective, secure and it could not be easier to implement.
What I didn't like: First-time users initially may have trouble adjusting to the notion that they are working on a virtual desktop, but once that passes, they are likely to find it more satisfactory than synchronizing computers before traveling or attempting to use the corporate VPN from a flaky hotel room connection.