Do SBC and client VMs mean we finally can throw away crazy host-scanning VPN solutions?

Last week, RBC Capital Markets' equity research group released a report about Check Point Software discussing a potential upcoming product called "Abra." Abra would be sold in the form of a USB stick that end users plug into personal / non-corporate laptops used to access their corporate environments. The sticks would carry all the antivirus, VPN, and endpoint security software the user needs (including, potentially, application packages for local execution). RBC seems pretty psyched about this, going so far as to say, "We believe remote products such as Abra could ultimately lead companies to adopt a policy of Buy-Your-Own-PC or BYOPC which is becoming increasingly popular because they allow employees to work from the device of their choice..."

I agree 100% with their views about BYOPC, but I hope we don't need things like Abra to make it happen!

What's the easiest way to securely access corporate resources from an untrusted device?

Obviously a remote display protocol-based solution like TS or VDI is an option and probably gives you the greatest amount of security since you can 100% control the execution environment and no data leaves the datacenter. I guess the only real downsides are that it doesn't work offline and you need a lot of backend infrastructure if you're not using TS or VDI anywhere else.

The "other" way that companies have been handling remote access is via VPNs. VPNs were simple back in the good old days, but now the security vendors have added so many features to them (antivirus scans, memory scans, host OS and patch-level compliance scans) that simply meeting all the requirements just to get on the VPN in the first place becomes a goal in itself. (This even happened to me with TechTarget. They finally just updated the web VPN so that it will support Windows 7, but then it didn't recognize my AV even though it was on the list... long story short, I spent three hours trying to connect to the VPN and was so tired when I finally did that I shut off my computer and went to bed.)

I mean seriously, if a VPN company's products are so complex that their move to bundle all of them onto a single USB stick is viewed as worthy of a research note, then I think we have a problem!

But of course Check Point isn't the first to go down the put-everything-on-a-USB-stick path. Gabe wrote about Accario's AccessStick two years ago. (There's a rumor that Accario isn't in business anymore, despite their website still being there. Can anyone clarify that? Actually, if Accario isn't around, maybe that goes to show how well these all-in-one VPN sticks are received?)

USB stick-based remote access

Even though I'm not a fan of the VPN-on-a-stick, I actually really love the concept of having some kind of USB stick that runs anywhere which is used to remotely access corporate environments. (I'm thinking MokaFive here. Or maybe RingCube for Windows PCs only. Anyone else?)

Of course this thing would have to be secure, so you probably want to go with a stick that has hardware encryption from someone like IronKey.

That got me thinking... when most people think of secure remote access, they think of SecurID. "Wow," I thought, "I wonder if RSA makes a version of the SecurID keyfob thing that doubles as a USB stick? Then we could run our software from there while still having two-factor security!" I am not kidding when I say that I was actually browsing through the results of a [securid usb stick] Google search before I realized how stupid that was! (I mean the whole point of the SecurID's changing password is to ensure that you physically possess the device, so obviously if you have the IronKey or whatever with your certificate on it, then DUH!, you have the second factor! :)

My point, though, is that I do love the aspect of two-factor security, and if the second factor is going to be something you have, then it might as well be a USB stick which works on any computer as opposed to a stupid fob with a flashing number on it.

And if it's going to be a USB stick that works on any computer, I'd probably rather have a complete VM-based secure operating environment than something that tries to secure my insecure device.

<ironic> what a stupid question !


It will never replace or remove the need for such a thing, as the electric car will never replace all transportation systems... but this is a good track to follow for certain people (the portable BYOC system). I had to play with the Bull Globull system (from the French company named Bull), which is

 - a secure hard drive

 - when you boot on this hard drive from any peripheral, you get your corporate image with corporate DC synchronization using a client-side hypervisor

 - if you connect it while the local OS is booted, it is just a secure hard drive.

As usual, not for everybody, but good for some use cases.


All this talk of VPN, and no mention of DirectAccess?



Hi Brian,

I was one of the founders of Accario but left the business in 2008 to pursue other opportunities; however, I still remained a shareholder. The MD of the company appeared to shut it down in October and let all the staff go with no real reasoning, details are still a little sketchy (customers of Access Gateway scan solutions please contact me for further info/replacement products), and I am not sure what has happened to the technology.

With regards to the Access Stick and what subsequently became Wraptor, I don't think the fate of Accario can be put down to the popularity of the technology.  There were significant sales of the technology but several things were learnt along the way:

-Customers do not like to have the device dictated to them; the last thing they want to impose on their employees is another fob to carry around. They prefer something that can integrate with an existing solution (existing USB keys, BlackBerrys etc).

-Ensure multi platform compatibility, customers want it to work on their Macs and Windows PCs.

-Don't underestimate the support issues that can come with this type of technology. This needs to work on non-corporate assets; there are currently 3 versions of Windows still in support (XP, Vista, 7), each with slightly different security models. The configuration and software profile on each device will be completely different, and security technologies (client security suites) are designed to stop this type of thing from working.

Personally I still like the concept of what these types of solutions can offer but believe we are still a little bit away technically from the Utopia of a device that can truly work anywhere. RingCube/MojoPac have also invested heavily in this type of technology but again, I assume, recognise the limitations of what can be done whilst operating in user mode, hence the introduction of kernel mode components for certain scenarios.

There is definitely demand for these types of solutions; for a non-technical user, the ability to just plug and play without any configuration, component installation or security worries on any type of machine is a compelling solution.



Something Tim mentioned that I know RSA is starting to do (hell, World of Warcraft is already doing it): why carry a fob at all... just have your token on something you're already carrying, your BlackBerry or iPhone.

In any case, there are always exception users that need to transfer files between their TS/VDI session and their local device. You'll never completely get rid of endpoint scanning. Personally, I think AV is a waste of resources because 99% of viruses are all zero-day anyway, but I'm not going to be the "guy" who made the decision to remove AV from corporate endpoints!


Brian, you wrote:

"Wow," I thought, "I wonder if RSA makes a version of the SecurID keyfob thing that doubles as a USB stick? Then we could run our software from there while still having two-factor security!"

Along these lines, IronKey Enterprise devices do come with an RSA soft client on board, and IronKey Personal and Enterprise devices also include VeriSign's VIP for OTP authentication.

-Full disclosure: Yes, I work for IronKey.



Interesting that you bring up secure remote access. At MokaFive, we had not expected secure remote access to be a big use case, but we have seen a significant increase in the number of customers demanding it and finding benefit in the VM-based approach. Unlike the VPN approach, which has a few deficiencies (as Tim pointed out), the MokaFive Client VM approach gives complete cross-platform execution. Customers seem to be selecting the solution for the following reasons:

1. Carry the entire desktop on a USB key or a BlackBerry (which acts as the second factor itself, plus you don't need to carry an additional device, and you get offline execution)

2. Use the USB key or BlackBerry with any computer, across any platform: Mac, Windows (XP, Vista or 7) PC. The individual OS quirks are abstracted out by the VM, so the solution works on any computer.

3. Keep the VM locked down, so in case of a zero-day virus hit, simply reboot the VM and you will be restored to a pristine state (of course, MokaFive personalization keeps the user data and settings intact).


VP of Products & Marketing, MokaFive


I don't buy that having to carry around a USB stick for remote access is a valid use case. My f'ing users will lose them and still call the helpdesk and *** about why it's my fault. I agree soft tokens are better than carrying around SecurID fobs that are also lost when people really need them. Granted, I'll buy that some people who are extra special need both for BCP events. Having all this stuff on your BB is certainly interesting, but I am trying to get rid of corporate-owned BlackBerrys. DirectAccess requires IPv6, so it's not happening overnight IMO.


@appdetective - Just curious, why would you get rid of corporate-owned BlackBerrys in favor of personally liable devices?


@Tony Remote access, brother, and my boss who wants me to reduce costs. I also don't buy a corporate BB for every single user due to cost, but those users would like me to enable access to things like email in a secure manner from their personal devices. I'm into this whole bring-your-own-something thing, AKA consumerization. I want to apply it to more than just a PC. When there is no local data, the liability is not there. Citrix had a good blog on this the other day that got me thinking.

VMware also seems to be flirting with actually delivering something, but the management story around that will take years to formulate IMO.