Wednesday, September 5, 2007

Secure Internet Access

When looking at almost all information about Sun Secure Global Desktop (SSGD) it seems that SSGD is only used for access to applications from the Internet which are normally only accessible via the intranet (from within the office). But SSGD can do more ...

The common way to use SSGD is to access applications running on different types of application servers (Windows 2000/2003, *nix, mainframe and more) from the Internet (any device, any time, any place).

SSGD is designed to bring office applications to the Internet in a secure way, but SSGD can also bring the Internet to the office :)

Sometimes you might come across a company where access to the Internet is not allowed for several reasons. The most common are:

  • Viruses can be installed on the workstation
  • Key-loggers can be installed on the workstation
  • Security leaks in applications (think of a leak in MSN)
  • Installation of insecure applications (for instance: ActiveX components)

There are ways to address these security issues, like installing a proxy, a content/spam/virus filter/scanner, an application firewall (ISO/OSI up to layer 7), or a messaging gateway. But there is one simple thing which is hard to handle: an employee can simply copy/paste information from a company application to a messenger (MSN/ICQ) or attach documents to a message via an external webmail application.

For all the above issues SSGD can be the solution!


The users can access a browser with access to the Internet via SSGD on some sort of 'browser'-host. This 'browser'-host can be a stripped-down OS (Windows 2003 or *nix) with only a browser and a couple of readers/plugins (Office readers, PDF viewer, QuickTime player, Shockwave player, etc.). With Client Drive Mapping and copy/paste to the 'browser'-host turned off, there is no direct way to leak information to the Internet.

In this scenario it is impossible for a hacker to get access to the employee's workstation. Think for instance about a key-logger. When a key-logger is accidentally downloaded from the Internet, it can only be installed on the 'browser'-host. The key-logger can 'read' passwords for the web applications accessed via the 'browser'-host, but it cannot 'read' any password on the employee's workstation. So no password for any company application can be logged.

Virtualization can be used to enhance the security of the 'browser'-host. When using, for instance, VMware ESX, 'reinstalling' the 'browser'-host can be done within minutes: just clone a new virtual machine from a template. This 're-installation' can be done every night, or even dynamically when using tools like the VDA-Kit.

Think creatively and see the many scenarios where SSGD can be a solution and solve issues :)

1 comment:

Fat said...

Hope you don't mind but wanted to link to you from wikis.sun.com