Intelligent Application Gateway (IAG) Server 2007 overview
IAG Server (formerly known as WHALE) is an SSL VPN appliance that considerably simplifies the way you can provide remote access to applications. The acquisition of IAG from Whale Communications was one of those instances where we liked the product so much, we bought the company.
Most SSL VPN solutions are hard to implement because they do not work from most locations, owing to an inability to install client-side software and/or to firewall restrictions. With IAG Server you simply need a web browser (Internet Explorer, Firefox...) to access the published applications.
The uniqueness of IAG Server lies in the fact that it gives remote users access to a specific application but not to the local network or the servers themselves (the remote user’s machine is never connected to the corporate network). To put it another way: IAG Server typically does not handle packets at layers 1 to 6 and only sends/receives application-layer (layer 7) traffic to and from the remote user. This means the remote user does not even receive a company network IP address. So the user has no network access at all to the company network, yet he/she can still access published applications such as Outlook Web Access, Domino, SAP, WebSphere and SharePoint (just some examples of the predefined, application-specific positive logic that protects back-end servers out of the box).
Out of the box IAG Server is able to work with 60 authentication vendors such as RSA Security, Vasco, Swivel, ActivCard and Aladdin. It also works with numerous authentication systems and protocols such as Active Directory, RADIUS, LDAP, NTLM, Lotus Domino, PKI and TACACS+.
Another great feature is the “attachment wiper”. This feature will systematically erase all traces of the session from the access device (with a pre-downloaded ActiveX or Java applet).
Every time the remote user logs off or simply closes the browser, the applet kicks off and deletes any trace, including cookies, user credentials memorised by the browser, URL entries, and temporary files created by downloading files or by any other mechanism during the user session. The “attachment wiper” overwrites the disk clusters where those files were stored seven times, making any recovery attempt technically impossible, even with the help of FBI/NSA forensic tools!
The other main feature of IAG Server is its capability to instantly generate an “endpoint report”.
IAG is able to see whether an anti-virus product, a particular patch or a given application version is present on the remote machine. So, depending on the policy and the user's group membership, we can dynamically limit access to some features. For example, we could define that a remote user who does not have the latest version of the corporate anti-virus solution is not allowed to upload any attachment to his emails.
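To make the endpoint-report policy above concrete, here is an added illustration (not IAG code) of posture-based feature gating: a report of what was found on the client, the user's group membership and a small rule set decide, feature by feature, what is allowed and why. The report field names, the policy rules, the version "7.2.0" and the patch id "KB-EXAMPLE-001" are all assumptions.

```python
from dataclasses import dataclass

# Constructed sample endpoint report; field names are an assumption, not IAG's schema.
SAMPLE_REPORT = {"av_version": "7.1.3", "patches": ["KB-EXAMPLE-001"]}
REQUIRED_AV_VERSION = "7.2.0"  # assumed current corporate anti-virus release

def parse_version(version: str) -> tuple:
    """'7.0.12' -> (7, 0, 12); tuples compare numerically, unlike strings."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

@dataclass(frozen=True)
class Rule:
    feature: str                  # published-application feature the rule governs
    groups: frozenset             # user groups allowed to use it; empty = everyone
    min_av_version: str = ""      # minimum anti-virus version; "" = no requirement
    required_patch: str = ""      # patch that must be present; "" = no requirement

# Hypothetical policy: reading mail is open to all, uploads need current AV,
# downloads are further restricted to one group and one patch.
POLICY = (
    Rule("read_mail", frozenset()),
    Rule("upload_attachment", frozenset(), REQUIRED_AV_VERSION),
    Rule("download_attachment", frozenset({"finance"}), REQUIRED_AV_VERSION, "KB-EXAMPLE-001"),
)

def evaluate(report: dict, user_groups: set, policy=POLICY) -> dict:
    """Map each feature to (allowed, reason) from the posture report and group membership.

    A missing av_version is treated as version 0, i.e. no anti-virus present.
    """
    av_version = report.get("av_version", "0")
    patches = set(report.get("patches", []))
    decisions = {}
    for rule in policy:
        allowed, reason = True, "all checks passed"
        if rule.groups and not (rule.groups & user_groups):
            allowed, reason = False, "user not in a permitted group"
        elif rule.min_av_version and parse_version(av_version) < parse_version(rule.min_av_version):
            allowed, reason = False, f"anti-virus {av_version} older than {rule.min_av_version}"
        elif rule.required_patch and rule.required_patch not in patches:
            allowed, reason = False, f"missing patch {rule.required_patch}"
        decisions[rule.feature] = (allowed, reason)
    return decisions

if __name__ == "__main__":
    for feature, (allowed, reason) in evaluate(SAMPLE_REPORT, {"finance"}).items():
        print(f"{feature:20s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```

With the sample report, reading mail is allowed while both attachment features are denied because the client's anti-virus (7.1.3) is older than the required 7.2.0; the reason string is what you would log for the help desk.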
IAG Server simply eliminates the risk of network attacks and operating system vulnerabilities, as it only provides access to specific applications (or to only some of their features) for approved users from approved machines.
Michael RIVA, MCSE: Security, MCT