IGEL Cloud Gateway (ICG) has withstood the hacking attempts by the IT security specialists from Swiss company Compass Security. “Based on the results of the security review conducted in August 2017, Compass Security considers the security level of the IGEL Cloud Gateway implementation as good. Analysts have not identified vulnerabilities that significantly affect the confidentiality and integrity of the customer product and their information assets,” says the report, which was completed in the end of September.
Exposed to the Internet
That Gateway is used to implement secure connections between the Universal Management Suite (UMS) inside a corporate network and endpoints outside it, e.g. in a home office or road warrior scenario. As ICG is located in the cloud or in the company’s demilitarized zone (DMZ), it could be exposed to attacks and eavesdropping attempts from anywhere on the Internet. The penetration test has proven in practice what ICG promises: Secure connections that guarantee integrity and confidentiality of the data transferred.
Concept and Implementation Have Stood the Test
The testers reviewed the concept of the product, analyzed an ICG installation with tools of the trade such as Nmap, Nessus, Burp Suite and Wireshark, and finally tried their hand at manual hacking. They found no weaknesses of high criticality and only one of medium importance: UMS backup files are not encrypted. This poses a risk as they may contain confidential data such as passwords, but it cannot be exploited remotely from an Internet-based attacker. The risk can be mitigated by keeping backups in a secure storage location, possibly on an encrypted medium. In addition, IGEL is working to eliminate a few issues of low relevance in upcoming releases.
The product versions tested were IGEL Cloud Gateway 1.02.100, UMS 5.06.100 and IGEL OS 10.02.120. Read an extract of the Security Assessment report here. Download pdf HERE.