

NetLOCK Secures The Enterprise
The only tricky part of configuring the agents was that the manager and the agent need synchronized clocks; otherwise one node rejects the other's encryption key. In the test environment, I manually synched the clocks to within a few minutes of each other. Unfortunately, NetLOCK doesn't support time synchronization within the application. Larger environments will need a multiplatform method of keeping every node on a universally coordinated time, such as Network Time Protocol (NTP).
Maintaining the Lock Box
NetLOCK's enterprise management capabilities are its key features. After you install the agent on each node, management occurs on a separate management station, which keeps security enforcement behind the scenes. The management station can run on any platform for which an agent is available.
For every managed agent, a separate client configuration profile is kept on the management workstation. You can configure the clients, or agents, within the manager's management domain to communicate through specific encryption methods, which lets you manage individual agents on a per-node basis. You can also set encryption policies in the default profile. Additionally, you can configure agents to fall back automatically to normal, unencrypted communication with nodes that don't require an encrypted session. This makes NetLOCK well suited to communication over the Internet.
Each manager controls a single management domain of agents. To establish secure communications with an agent in another domain, I had to configure the two domains as "cooperative domains." This enabled the domains to share public keys for cross-domain authentication.
NetLOCK's client port-filtering is particularly useful. Through the management interface, you can configure clients to block traffic on any port you choose. I blocked IP application traffic that I didn't want the clients to capture, including FTP and HTTP traffic.
To verify that the traffic really was encrypted, I used a packet sniffer to capture traffic from each of the five encryption algorithms between nodes configured to pass encrypted data. The sniffer could tell me only that the traffic was IP; it couldn't identify what kind of IP data was carried inside the scrambled encapsulation. NetLOCK encrypts the entire original IP packet together with a security header, then adds a new routing header carrying the destination address.
For IP communications, NetLOCK uses an encapsulation method similar to the Internet Engineering Task Force's proposal for standardizing IP security, IPsec. NetLOCK's method wraps network-layer traffic in a new header with an encrypted payload and sends it across the network. NetLOCK promises full compliance with IPsec once it becomes a standard.
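The following is an added example, not NetLOCK's code: it models the tunnel-style encapsulation and the agent-side port filter described above so you can see exactly what a sniffer is left with. The header layout (a 4-byte SPI plus a 4-byte sequence number), the IP protocol number 253 (IANA's experimentation value), the HMAC-SHA256 counter-mode keystream used as a stream cipher, the encrypt-then-MAC tag, and the sample keys and addresses are all my assumptions; the page does not document NetLOCK's real format or algorithms. The receiver verifies the tag before it touches its replay state and rejects reused sequence numbers, which is the check a practitioner should expect from any IPsec-like product.

```python
import hashlib
import hmac
import socket
import struct

# Constructed sample keys and SPI for this example only (not NetLOCK's).
ENC_KEY = bytes(range(32))
MAC_KEY = bytes(range(32, 64))
SPI = 0x1001
TUNNEL_PROTO = 253          # IANA "experimentation" protocol number; not ESP (50)
TAG_LEN = 16


def _checksum(data):
    """RFC 1071 ones'-complement checksum used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header, no options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def build_inner_packet(src, dst, dport, payload=b"GET / HTTP/1.0\r\n"):
    """Constructed inner IPv4/TCP packet (TCP checksum left zero for brevity)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ipv4_header(src, dst, 6, len(tcp) + len(payload)) + tcp + payload


def _keystream(key, nonce, n):
    """Counter-mode keystream from HMAC-SHA256 used as a PRF (assumed cipher)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack("!I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encapsulate(inner, gw_src, gw_dst, seq):
    """Encrypt the whole inner packet, prepend a security header, then add a new
    outer IP header addressed gateway-to-gateway (tunnel mode)."""
    sec_hdr = struct.pack("!II", SPI, seq)      # SPI || sequence number
    nonce = sec_hdr                             # unique per packet under one key
    ct = bytes(a ^ b for a, b in zip(inner, _keystream(ENC_KEY, nonce, len(inner))))
    tag = hmac.new(MAC_KEY, sec_hdr + ct, hashlib.sha256).digest()[:TAG_LEN]
    body = sec_hdr + ct + tag
    return ipv4_header(gw_src, gw_dst, TUNNEL_PROTO, len(body)) + body


def sniffer_view(packet):
    """What a passive sniffer can read: the outer IP header, and ports only
    when the packet is cleartext TCP."""
    _, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    view = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "len": total}
    if proto == 6:
        view["dport"] = struct.unpack("!H", packet[22:24])[0]
    return view


def decapsulate(packet, seen):
    """Verify the tag, then reject replays, then decrypt. `seen` maps SPI to
    the highest sequence number accepted so far."""
    body = packet[20:]
    sec_hdr, ct, tag = body[:8], body[8:-TAG_LEN], body[-TAG_LEN:]
    expect = hmac.new(MAC_KEY, sec_hdr + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed")
    spi, seq = struct.unpack("!II", sec_hdr)
    if spi != SPI or seq <= seen.get(spi, 0):
        raise ValueError("unknown SPI or replayed sequence number")
    seen[spi] = seq
    return bytes(a ^ b for a, b in zip(ct, _keystream(ENC_KEY, sec_hdr, len(ct))))


def port_filter_allows(inner, blocked_ports):
    """Agent-side port filter applied to the cleartext inner packet."""
    ihl = (inner[0] & 0x0F) * 4
    if inner[9] not in (6, 17):        # only TCP/UDP carry ports
        return True
    dport = struct.unpack("!H", inner[ihl + 2:ihl + 4])[0]
    return dport not in blocked_ports


if __name__ == "__main__":
    http = build_inner_packet("10.0.0.5", "10.0.1.9", 80)
    print("cleartext:", sniffer_view(http))
    print("tunnelled:", sniffer_view(encapsulate(http, "192.0.2.1", "198.51.100.1", 1)))
    print("HTTP allowed by filter:", port_filter_allows(http, {21, 80}))
```

The tunnelled view exposes only the two gateway addresses, protocol 253 and the length; the inner hosts and the destination port are inside the ciphertext. Note that packet lengths and timing still leak, which is why the page's observation that the sniffer saw "only IP traffic" is the right expectation rather than proof that nothing is learnable.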
Christopher Smith is a network consultant working at Syracuse University. He can be reached at chsmith@mailbox.syr.edu.

Updated August 8, 1997