Secure client systems will become a necessity as the world moves to Internet-based communications. Hewlett-Packard Co.'s Vectra VL600 is a solid choice for companies looking to build in security at the desktop level.
Companies can build secure PCs using parts from multiple vendors, but PC Week Labs' tests show that the systems they get won't be as well-integrated or as affordable as the VL600 "secured client." Corporate sites concerned about authentication, privacy and reliability should consider deploying this one-of-a-kind PC.
With an expected street price of US$1,899, the VL600 includes three nonstandard PC accessories (see photo). The ProtectTools smart-card reader provides authentication for system/network log-ins, Web transactions and other applications. Intel Corp.'s IP Security-compatible PRO/100 S Management Adapter with an on-board encryption processor enables private network communications. And the new PPD (Power Protection Device), an internal, patented, drive-size battery backup unit, ensures that the PC will not lose data in the event of a power-supply glitch.
All these features take advantage of new capabilities in Windows 2000. Windows 2000 Professional comes preloaded on the box, along with HP-supplied security software.
The basic VL600, which has been on the market for several months, includes an Intel 667MHz Pentium III. The security bundle will begin shipping this month.
The security devices are also sold separately; the PPD battery backup costs $89, while the PRO/100 S adapter and ProtectTools card reader will be priced at about $55 apiece. The devices can be used with other makes and models of PCs, but HP is selling its VL600 as the preferred secured-client platform.
Down the road a few weeks, HP's TopTools 5.0 remote management system, now in beta, will be able to detect the presence of IPSec cards remotely, providing an easy way to make sure all PCs in a workgroup are ready to switch over to IPSec.
The PPD, which fits in a drive bay, provides at least 5 minutes of emergency power and prevents data loss due to power interruptions. The device powers only the PC, not the monitor, so we could not continue to work with the power off. But the device can carry the CPU across momentary outages; if the outage continues beyond 5 seconds, the PPD starts a hibernation routine in Windows 2000 to save data. Even a lengthy hibernation process is usually completed in less than a minute.
However, the product is only a battery backup, not a line-filtering device. Therefore, users will still need at least a good power strip (preferably an uninterruptible power supply) to save wear and tear on the PC due to power fluctuations.
For now, the PPD can be used only in the VL600. It requires a specially designed power supply and an altered motherboard. The technology is not proprietary, though, and may appear in other PC makers' products in the months ahead.
ProtectTools, the small smart-card reader that plugs into the serial and keyboard ports, is useful for authenticating users during network log-ins and for signing and encrypting files to be sent to others. It can be used with standard smart cards such as those from GemPlus SCA and Schlumberger Ltd., transferring authentication data, encryption keys and digital certificates to and from the card, which contains a tiny microprocessor and 8KB of memory.
To log in to the PC and network, we simply inserted a card and entered a PIN. Signing and encrypting files from Microsoft Corp.'s Outlook and similar applications require a couple of extra steps, but a little training makes the tasks simple.
The main benefit of smart-card technology is that the card can store all the important authentication and encryption data that a person needs for various systems, and it can be easily carried between workstations. The user needs to remember only one PIN, and the card destroys itself if hacking is attempted.
Windows 2000 provides enhancements for IPSec and encryption, complete with a system of policies that can be applied per IP address range: some with DES (Data Encryption Standard), some with stronger encryption, others with no encryption. Although an IPSec adapter is not required for use with Windows 2000, the IPSec adapter in the VL600 secured client is a big plus because it offloads all the encryption/decryption duties into the adapter card, saving time and CPU resources.
In tests of FTP file transfers on a 100M-bit LAN, IPSec encryption using DES performed in software alone, without the IPSec adapters, increased file transfer times by anywhere from 43 percent to 113 percent. Using the IPSec adapters, we noted that the same transfers took no more than 44 percent more time than unencrypted transfers.
Our testing even yielded one case in which encrypted data transferred via the IPSec adapter at the same speed as an unencrypted version of the same data.
Encrypting IP network traffic at the hardware level makes it possible to offer the highest level of communications security without modifying applications. Intel's IPSec card is the second to reach the market; 3Com Corp.'s 3CR990 adapter line has been available since June.
Finally, the Vectra case is also equipped with a key lock that can be opened with a master key, as well as a Kensington lock for cabling it to the desk.
Contributing Editor Ken Phillips can be contacted at kenp@wtp.net.
PC Week Labs Executive Summary: Vectra VL600
Organizations that want tight security can get a lot of what they need easily by buying HP's secured-client PC. The only alternative is to purchase the parts and build a box from scratch. The do-it-yourself approach will take a lot more work, and the PC still won't have the internal power-protection device included in the Vectra VL600.
Short-term Business Impact: The VL600 is an excellent buy for companies that are in the market for new PCs. They can buy robust systems and improve desktop security in one fell swoop. A company that is sticking with its PCs can retrofit them with the same security devices if there is a compelling need, but doing so will take a lot of effort and money. In any case, the VL600's IPSec encryption will deliver a considerable performance hit.
Long-term Business Impact: As the Internet becomes the network, secured PCs featuring both authentication and encryption will become the norm. Companies that face up to the need now might prevent costly mayhem from either internal or external attacks.
Pros: System ships with all software and hardware preinstalled; includes IPSec adapter for encrypted communications, smart-card reader for user authentication and battery backup for disaster protection; IPSec rollouts can be simplified by HP's TopTools utility.
Cons: Power-protection device requires alterations to power supply and motherboard; IPSec-encrypted traffic moves much more slowly than unencrypted traffic.
| Category | Grade |
| --- | --- |
| USABILITY | A |
| CAPABILITY | A |
| PERFORMANCE | B |
| INTEROPERABILITY | B |
| MANAGEABILITY | B |
Hewlett-Packard Co.










