Security from the outside: Yoggie Security System’s Gatekeeper Pro

Last week, Monsters and Critics told you about the unique chance to look at what is bound to be a major tool in combating cyber criminals. The tool is hardware based; there is no software to load and only a few simple settings to configure if you wanted too.

Yoggie Gatekeeper Pro is a Linux based, external security device, which is designed to protect mobile computers and workers from attack when outside the office. The unique feature of this tool, as well as the method of security is that it is hardware based, and that it resides outside the computer. Currently, security on a computer is separated into two different categories; it is either software based or hardware based. There is also a third option that is employed by many large IT operations, that is using both to secure the network and the users. The third security solution works, for the most part, defending the network form several forms of attack, and the users as well but only if they are connected to the network.

In the related news article, (, Monsters and Critics covered the basics of the Gatekeeper tool and explained some of how it works. In this follow-up story, we will cover the tool and the questions that David from Yoggie and the management team in the global headquarters were able to provide.

The Gatekeeper is a credit card sized device that attaches to the laptop. Powered over USB or optional AC device, the Gatekeeper does not look like much at first glance. It looks almost like a toy really, but it packs enough protection to fill a server room full of hardware appliances. There are thirteen layers of protection offered by the Gatekeeper. The granular protection and management offered by the Yoggie Management Server (TMS) added a final fourteenth layer of protection to the corporate environment.

The Gatekeeper device offers several types of advanced protection that cost thousands in the IT realm of security. URL filtering, Anti-Spam and Phishing protection, Malicious content filtering, Spyware and Virus protections, IPS and IDS (Intrusion Prevention and Intrusion Detection systems) as well as VPN, and Firewall. Adding to that list is the software found on the computer, typically Anti-Virus (Norton for example) and some form of Firewall. Many companies also allow remote access over VPN which is another risk, and yet more software to manage on the end users computer. The Gatekeeper will replace all of those and contain them in the mini-computer outside of the office while attached to the mobile device.

Speaking from experience one question to Yoggie was posed as a hypothetical, concerning how the Gatekeeper and the YMS would perform in normal IT setting.

Imagine a Mid-level IT department managing one hundred twenty computers total, with a mix of laptops and desktops. There are the sales people, Sprint GSM cards, and their laptops to manage too. Like most companies they use Norton Enterprise, MX Logic (at the co-lo for mail server it runs BSD), Windows 2000, 2003 and XP-Pro on the systems. There is a whole host of Cisco products in place. The network is both internal and outward facing, with servers running things in-house and things that are public for customers. How can YMS and the Gatekeepers benefit this company?

“I’ll demonstrate with the simplest and most straightforward example,” said one Yoggie Security Systems Manager. “With all the technology that you’ve mentioned, at the end of the day the laptop-carrying users leave the organization and go out to sit and relax at the local Starbucks. Even though they have all the software installed and all the management servers, they are still sitting on the very same wireless local area network as all other Starbucks customers share. Anyone can easily deploy, just for instance, layer 2 attacks which no software firewall can block – An attacker would simply need to run, for instance, “Cain and Able” and deploy “ARP Poisoning: and see everything passes from and to the laptop (Such as the email account username/password). Even if you’re connected to a secured/encrypted network. With the Yoggie Gatekeeper providing true external hardware protection – This would be prevented. The YMS will of course show the IT admin all the security events from all the organization’s Yoggie Gatekeepers wherever they are in almost real time. The IT manger will be able to set or update the security policies in a single central location and it will immediately propagate to all the Yoggie units.”

The firewall is based on Linux Netfilter, the IDS/IPS is the industry standard Snort. Anti-Virus and Anti-Spyware is by Kaspersky. Anti-Spam and Anti-Phishing are by MailShell. Web Filtering is by SurfControl. In addition to those, they also have their own patent- pending proprietary engines: Layer-8 Security Engine, Multi-Layer Security Agent, and Adaptive Security Policy. Rules for Snort are sent out with the YMS updates and can be instantly deployed to the devices in the field.

The Layer-8 Security Engine is a proprietary technology that defends from unknown and new viruses, Spyware, worms etc. It sits on top of the proxies (HTTP, FTP, POP3, and SMTP) and analyzes the objects that arrive from these protocols. It uses a four-step mechanism to identify harmful files disguised as harmless files with innocent file-types.

File-Type Detection, Decompression, Operation ID, and Rating. File-Type is ‘true content type detection engine,’ which detects the identity of the file type using different algorithms instead of the announced MIME type. The engine then analyzes the file content by using different decompressing engines to reach the content of the compressed files (commonly used method by hackers to hide attacks).

A scanner and rule base, designed specifically for the different content types, is activated on the content to identify the “operations” (commands, patterns, packets and tokens) included in the file. Based on its rule base, each operation is then tagged with an index value from one to one-hundred. The Multi-Layer Security Agent monitors the scanning results provided by the different security systems (Anti-Virus, IDS/IPS, Firewall, anti-Spyware, URL category, etc.) and builds a puzzle to identify an attack even if it is not recognized by each of the individual subsystems.

An attack may start by trying to detect or create a back door (using buffer overflow, security hole, or security bug) followed by a mobile code that is takes advantage of this back door. The creation of the back door itself may use a different mobile code or network level attack.  Therefore, there is a strong relation between attacks and malicious behavior at the packet and network level and the appearance of malicious mobile code thereafter. The MLA engine constantly scans to detect and relate behavior at packet level, with the appearance of mobile code and active content at the OSI layer 7 and above.

To do this, the MLA constantly accesses the log and events reported by the Firewall, IPS and IPS (packet level), as well as the events provided by the Layer 7 proxies (HTTP, FTP, etc) and the L-8 engine. The MLA constantly matches packet behavior with expected malicious mobile code at the application layer by using an updated rule base and multiple layers’ signatures.

“For example, a packet containing VBS mobile code may be comprised of many different TCP/IP packets that are constructed into a VBS file at the HTTP proxy. The VBS file may include a malicious operation at the first half of the file. The MLA, using an updated rule base and signatures, may detect the fact that the current collection of packets is part of VBS file and that the malicious act has a specific packet signature and rule. The MLA agent will then be able to end the download of the malicious VBS even before it was fully downloaded, avoiding the security risk all together,” Yoggie said.

Making it user friendly, the Gatekeeper provides three-security levels; High, Medium, and Low. Using the YMS the administrator can define the security policy that will be executed in every level. The administrator may also define the default policy for every Yoggie Gatekeeper. These policies differ in their filtering and risk levels. The High security level will engage all security agents using the most severe policies, filtering even suspicions operations (balanced by the MLA anti false positive functionality). In contrast, the Low level will be more forgiving. The High policy should be used in a very dangerous environment, such as an unsecured hot spot, while the Low should be used in secured environments according to the white paper on the Gatekeeper.

So far, the focus and talk is aimed at IT administration, and environments. What about the home users, can they use the Gatekeeper? The kicker about this tool is that people at home can benefit from it as well. The Gatekeeper also adds something for parents. “[The] Gatekeeper inspects websites accessed by home users. It combines an advanced dynamic Internet content filtering engine with user-defined white and black lists. Unlike locally installed parental control solutions, Yoggie applies the policy to the entire network, providing greater control to the parents without disturbing the privacy of individual computer users,” according to the details on Home Base solutions.

There is talk about a new line of Gatekeepers from Yoggie aimed directly at the home market. Details are vague now while the product is in development. If the product comes to market soon, things like the .ANI exploit and the worries over zero-day attacks on Windows and other platforms will lower considerably if not all together.

Rich Clark, one of the testers and Information Security Analyst, told M&C that, “I personally use the Beta device on my own notebook and it has prevented unauthorized scanning/installation of unauthorized software from being installed. I anticipate further benefits when the ability to configure the appliance in more granularity [when the ability] is available to me. These two demonstrations will prevent much unanticipated system downtime due to installation of unauthorized software on control system machines.”

Good news for both the home and office user, as the device gets more usage the live tests will prove its value or its defeat. From the results so far, the value is already there. The choice is a little forward you can spend $220 or several thousands of dollars in related hardware, to get the same results.

The Yoggie Gatekeeper Pro is priced at $ 220; Gatekeeper Personal is currently $179; Gatekeeper SOHO is listed at $249. Enterprise IT departments deploying the Yoggie solution will also buy the YMS, listed $5,000, and designed to manage up to 500 Yoggie units in the field. Full details and more information is online at

Further Reading on M&C