The fast-spreading plague of Internet-based viruses, worms and Trojan horses has turned the Internet into the technological equivalent of a ghetto filled with crack houses. To protect their networks, security specialists have turned their gaze toward end-point security strategies that promise to check the security posture of the client machine before it connects to the network.
In the LAN arena, everyone from Cisco to Microsoft has come up with an end-point security architecture. Because SSL VPNs bring remote users into the network, end-point security strategies have crept into SSL VPN products. If anything, the argument is stronger: A remote access user is more likely to be in unfriendly or uncontrolled network environments, and thus, in greater need of evaluation.
SSL VPNs offer their own innate protection against viruses and malware. When SSL VPNs are used as Web proxies, the end user doesn't have direct access to the network. Therefore, the most vicious threats are not directly relevant. This turns out to be a very good thing, because our testing showed that end-point security in SSL VPNs is so poorly designed and implemented that it will only work in certain constrained cases. If there's a train wreck of a technology in this product niche, end-point security is it.
Chart: Tracking where SSL VPNs meet with end-point security.
End-point security technology can be delivered in several ways. Several vendors, including AEP and Array, lean entirely on a third party, Sygate (now owned by Symantec), to provide a centralized model for security scanning. The theory is that if you have Sygate for some other purpose (such as a personal firewall), then you can integrate cleanly with an existing system.
Other SSL VPN vendors, such as Aventail, integrate with several third-party tools, giving you a choice based on your corporate standard.
The final delivery option for vendors is to grow their own. Vendors put together their own technology, often in combination with some OEM product, such as the Opswat software development kit. Aventail, Caymas, Check Point, F5, Fortinet, Juniper, Nokia and Nortel all build their own end-point security software to varying degrees.
Sometimes end-point security is delivered as part of the product; other times, it's an add-on at extra cost.
For this test, we defined end-point security in two parts: integrity checking, that is, seeing whether the connecting system meets security requirements; and protective services, such as cache cleaners and virtual desktops. Based on our security policy, we focused on the integrity checking aspects.
Our test mandated two simple requirements: Windows PCs needed a current anti-virus product loaded and running, and our security policy should vary based on that first requirement. For example, if a user's machine had current anti-virus, that user could get to most Web services, but if it didn't, we'd only grant access to specific directories on certain Web servers.
We might as well have asked for a trip to the moon, because not a single product made it all the way through our testing without a significant failure. Some couldn't detect our corporate anti-virus, Sophos. Others locked up systems, blocked access inappropriately or came back with wrong answers. Only a few let us describe a policy that we wanted.