IT Pro Verdict
Unlike a lot of security products, this is part of a coherent solution that can be deployed piecemeal. The fact that you can force all the clients to use the YGP is a major plus point. When added to the ability to turn every device into part of a huge distributed firewall, this becomes very attractive. What it needs, however, is applications to use that data, reporting engines to correlate the data and online tutorials and white papers to help users make the most of this.
There is no escaping the fact that any network activity brings risk. Even connecting through the company network to the outside world carries some risk of infection with malware, spyware or a virus. This risk is exacerbated when the computer in question is either a laptop or a home computer used by an employee to access corporate resources.
Despite the vast investment by IT departments in security products for laptops and home workers, maintaining a common standard of security is not easy. Part of the problem is the inherent complexity of security products, especially Virtual Private Network (VPN) products. When things go wrong they take a lot of support, yet without them, allowing users to access the corporate network is a risk.
There is another problem that affects these two groups of computers. They are no longer connecting to a network that is under the control of the IT department. This opens up the risk of attack via the networks that they use for connection to the internet. Applying and managing a consistent set of security rules can be extremely difficult. Without consistency, especially for mobile users, security is easily compromised.
Yoggie Security Systems believes it has the solution. Most solutions install software on the remote computers, which can be infected, attacked and potentially compromised without being detected. Yoggie uses a two-part hardware security solution (client and management server) that can be used to create and deploy rules as well as force all network connections to go through its device.
For this review we looked at the Yoggie Management Server (YMS) and Yoggie Gatekeeper Pro (YGP) products as a combined solution. The new Yoggie Pico Pro (YPP) USB device did not ship during the review. When the YPP does ship it will come in at just 105 with a yearly software licence of 21.
So how does it do?
The YMS is a rack mount device that uses a hardened Linux distribution as the operating system. We were sent one of the first units they had available and it arrived with a power adapter. There was a single sheet describing initial setup and that was it. Yoggie are still in the process of finalising their user guide and that will eventually be supplied via a CD in the box.
The YGP is the client side unit. It is a small hardware unit, about the same size as a mobile phone (just a little thicker at the base) that comes with a built in USB connector. There is a separate Ethernet cable for connecting it to the computer if you don't want to go via USB. A Software and Driver CD also contains the manual which is provided in printed form along with a quick start guide.
Installing the YMS gave us a little trouble. There are two ways of connecting to the YMS in order to do the initial configuration, either using a crossed network cable or via the network. Connection must be done through the LAN1 port and we could not get the YMS to recognise the laptop we were using.
After changing the network cables and resetting the YMS several times, we finally managed to get a connection although it took a while for the YMS to recognise the device. Once we had achieved a direct connection, it was possible to switch to a network connection. It seemed that the YMS just needed to wake up and talk to us.
Once connected, you need to allocate the YMS an IP address. This can be either via DHCP or a fixed IP address. This is a security appliance so allocating it a fixed IP address is the most sensible approach. You must keep a careful note of the IP address as the YMS hides its IP address from other devices. You should also change the default password.
Once the address has been allocated, you simply click apply and the YMS is ready to go. Unlike a lot of hardware appliances you do not need to reboot in order to make it pick up the new network address.
Configuring and tuning the YMS took very little time, although we spent a while experimenting with the different options. To work with the management console you connect over HTTPS. The YMS has a very easy to work with menu system and the only thing we needed to do initially was tell it about our Gatekeeper Pro.
Setting up the YGP was a different story. The issue here is about choosing exactly how you want to control your network connections - redirection or pass-through/wired mode. The YGP can manage wired and wireless connections to a device. Alternatively it can even be connected to the ADSL modem in a small branch office (up to 5 users) and used to filter traffic coming in and out of the modem.
Installation of the YGP was a complete doddle on Windows XP and Windows Vista. One of the cool things about the YGP is that you can choose not to install the driver on your machine if you don't want to. This does mean that you need to use both an Ethernet cable and the USB cable to talk to the YGP but it relegates the USB to simply providing power not data.
However, if you want to 'enforce' the use of the YGP to manage network connections, you do need to install the driver. Redirection mode also requires that the driver is installed on the laptop. For those using the YMS you can disable access to this feature so that the user cannot decide when they do and do not want to have the YGP enforced.
If you want to use the YGP in redirection mode you need to install the driver.
When you first connect to the YGP, Windows pops up the Add Hardware wizard. Yoggie recommends closing this window and only doing the installation through their wizard. If you have a YMS in the network, you can select Corporate Mode, if not select Standalone mode. Corporate mode registers your YGP with the YMS.
You are asked to register the software and use the Licence Key which is stuck onto the CD case. When you are finished you get a little green Y in a shield in the bottom right area of the screen indicating that you are connected.
If you only want to use the YGP in pass-through or wired mode, you do not need to install the driver. However, you do still need to connect to the YGP via a web browser and go through the same configuration and setup as for redirection mode.
Once the YGP has been connected to the laptop, you can use the management console to administer and manage it. Once you have set the user details and changed the default password you need to configure the security controls for the YGP. This is where life gets just a little complicated and is why having the YMS to create policies and manage the YGPs throughout an organisation is a good idea.
There are three levels of security policy for the YGP - Low, Medium and High. As you move between the different levels, you will find that what you can do with your laptop changes and this should come as no surprise to anyone. By default the YGP starts in Medium mode.
As well as setting the Security Policy, you may want to manually configure the network settings for both your internal (office based) networks and external (wireless hotspots, home, hotel) networks. This can be as simple as setting it to use DHCP or as complex as hard coding IP settings.
If you are using a YMS you can set the YGP to use the built-in VPN. However, much will depend on how your network is configured and what other VPN or security solutions you are using.
A cool feature of the YGP is that it examines EVERY inbound and outbound email. This allows it to determine what the email is, whether it is Spam or allowable and to make decisions on how it is to be treated. As it does this without having to be plugged into your email client it is a low risk solution.
The problem for most users will come when they try to configure the Advanced Security Settings, which include things such as web filtering, file sizes and firewalls. In fact, the firewall settings are a challenge not just for the user trying to configure their own YGP but also for any administrator setting policies at the YMS level.
Once this is done, you can begin to use the YGP.
When we first had problems configuring the YMS we considered just resetting the box to factory defaults. This cannot be done. Yoggie has taken the decision not to allow the YMS to be reset either through a hardware switch or through the software. As an enterprise device where this may need to be done at some point, this is a mistake.
The YMS also lacks a versioning utility allowing me to roll back changes. This means that saving the settings file, making changes and then reapplying a known-good configuration is not available. As a security device, no rollback is a dangerous position to be in. Fine tuning takes time and there are good reasons for wanting to reverse changes.
The YGP is promoted as a 13-in-one security device with built-in firewall, anti-virus, anti-spam, VPN and a range of other facilities. Great idea and much better than doing this with a range of software products. Unfortunately, the implementation needs more thought before I would deploy the YGP and the YMS across an organisation.
Take the firewall as a perfect example. Any application installed on a Windows laptop that needs to talk to the outside world has to be configured in the Windows Firewall. On both XP and Vista I have literally dozens of entries. This is because every single port has to be individually allowed so an application that can use five ports such as Windows Media Services on Windows XP, has five separate entries.
Yoggie has no tool to import the local Windows Firewall into the YGP. This means having the confidence or knowledge to set up each entry in the YGP before turning the Windows Firewall off. From a corporate support perspective this is a nightmare. It is highly likely that some users will be running applications that only affect them and if that means configuring the firewall then you have to touch each machine.
That doesn't make it any worse than now but it does detract from the goal of a centrally managed distributed firewall solution. There is also no configuration option to ensure that the Windows Firewall is disabled when the YGP is attached. Without this option, any problem means checking which program may be denying access. This is the sort of problem that will cause users to refuse to use the YGP and force IT into either allowing users to turn on/off YGP protection or go to war with the users by insisting that they must use it.
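The migration planning problem described above, as an added example (not Yoggie's or the reviewer's code): given a hand-collected inventory of local firewall allow entries, it separates the rules common to every laptop, which are candidates for one central policy, from the per-machine exceptions, and merges one-entry-per-port rules into ranges. The CSV layout, machine names, application names and ports are constructed for illustration; nothing here reads or writes a Windows Firewall or YGP format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample (hypothetical CSV layout and application names): one row
# per local firewall allow entry, collected from each laptop.
SAMPLE = """machine,application,protocol,port
laptop-01,media-streamer,TCP,7000
laptop-01,media-streamer,TCP,7001
laptop-01,media-streamer,TCP,7002
laptop-01,remote-support,TCP,5500
laptop-02,remote-support,TCP,5500
laptop-02,sales-app,UDP,9100
laptop-03,remote-support,tcp,5500
"""

def parse_inventory(text):
    """Return {machine: {(application, protocol, port), ...}}."""
    inventory = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        port = int(row["port"])
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {row}")
        rule = (row["application"].strip(), row["protocol"].strip().upper(), port)
        inventory[row["machine"].strip()].add(rule)
    return dict(inventory)

def split_policy(inventory):
    """Split rules into those on every machine and the per-machine remainder."""
    if not inventory:
        return set(), {}
    central = set.intersection(*inventory.values())
    local = {m: r - central for m, r in inventory.items() if r - central}
    return central, local

def collapse_ports(rules):
    """Merge one-entry-per-port rules into {(app, proto): [(lo, hi), ...]}."""
    ports = defaultdict(set)
    for app, proto, port in rules:
        ports[(app, proto)].add(port)
    merged = {}
    for key, values in ports.items():
        ranges = []
        for p in sorted(values):
            if ranges and p == ranges[-1][1] + 1:
                ranges[-1] = (ranges[-1][0], p)   # extend the current range
            else:
                ranges.append((p, p))             # start a new range
        merged[key] = ranges
    return merged
```

The per-machine remainder returned by `split_policy` is the list of laptops that would still need individual attention after a central policy is pushed.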
The ability to scan all incoming and outgoing email without having to be integrated into the email client is a serious bonus point. This is a feature that normally only exists on large appliances and putting it into a portable device is very useful.
One thing that we didn't find was the ability to build a set of heuristics based on the Spam and malware that each user was facing. This is something that the YMS might do automatically but it would help to be able to import all the knowledge from these edge devices, build a single large dataset and then push that back down to the edge devices.
Take that one step further and allow that information to be exported as a set of rules that could be imported into Exchange and other firewalls and this becomes a very flexible, dynamic, security solution.
Like most devices the YMS and YGP both support web filtering and these are features that are often underused. What will come as a shock to any mobile user is that anything they do while on the road can be reported on to the YMS. Breaches and other attempts to get round the filtering rules could prove embarrassing, and care should be taken before turning this on as well as in deciding how it should be set.
The reporting features in both the YMS and YGP are extensive. Unfortunately, there seemed to be no way to build custom reports across a wide set of data or to export data easily elsewhere for reporting.
One of the new trends with security reporting data is to enable the datasets to be exported into BI products. This then allows administrators to compare incidents across time and correlate that data with other axes such as the machines that were infected and the sites that they were connected to. Such work can often help to track down how a problem occurred and identify any machines that could have been compromised.
Yoggie is a new company having only been formed in 2005. This is their first wave of products and, sadly, the v1 tag is showing. The lack of manuals and technical data for configuring the YMS and interpreting the reports is fairly typical of all v1 products. In a security market, however, this is something that needs to be addressed very quickly.
Even in its current v1 state, Yoggie has something here that will force a lot of security companies to take serious notice. With a little more effort, they could well force a lot of changes to the way security is done. In a few years' time, maybe they will even be shipping the YGP as a chipset to motherboard manufacturers, making it a de facto standard.
Multi-Layer Security Agent
Layer-8 Security Engine
URL Categorisation & Filtering
Anti-Spam
Anti-Phishing
Antispyware
Antivirus
Transparent Email Proxies (POP3; SMTP)
Transparent Web Proxies (HTTP; FTP)
Intrusion Detection System / Intrusion Prevention System
VPN Client
Stateful Inspection Firewall