Assessing the underlying value of end-point security verification

It works best when you don't need it.

Our Choice Test expert assesses the underlying value of end-point security verification.

End-point security technologies built into SSL VPN and IPSec VPN products that verify a client machine's security posture work best when you need them least. And, conversely, they don't work well at all when you need them most.

If you were hoping that end-point security assessment would help you figure out which random PCs to allow on your network, sorry, that won't help. But if you wanted to keep tabs on the PCs that you firmly control, well, yes, this technology will do that. Whether you get much benefit from that prospect is hard to say.

Our testing showed that end-point security checking doesn't work very well on random systems running random operating systems with random anti-virus and personal firewall capabilities. We ran 11 SSL VPN products through 11 client scenarios and had a very low success rate as far as end point security checks were concerned (see full results).

What should IT folks assigned to security management do in this case? Start by designing an SSL VPN so that you don't need to know the security posture of the end user. To that end:

  • Use the fine-grained access controls of your SSL VPN device to limit each user to the applications and hosts they actually need, and layer threat-mitigation technology (IPS, firewall filtering) on top of that for additional protection.

  • If your SSL VPN device has intrusion-prevention technology built in, turn it on. If not, consider whether the risk justifies putting a separate IPS next to your SSL VPN box on the network.

  • Avoid network extension when you don't need it, and focus on the access methods that have the smallest window of vulnerability. When you have to offer network extension, make sure that it's restricted to the users and systems that truly have a requirement for full access.

If network-extension users are using corporate laptops, sure, feel free to turn on the end-point security checker. First, though, make sure you know what you're going to do with that information. Are you going to cut the users off if the computer doesn't comply with policy? Give a restricted level of access? Redirect them to other resources, such as a Web-only connection? As with many security projects, there's no point in asking questions unless you know what you're going to do with the answers.

What if you have to offer a network-extension service, but don't control the systems on the other end of the wire? End-point security checkers aren't going to help you here. That's when you need to focus on a combination of fine-grained access controls within the SSL VPN device added to external firewall, IPS and other threat-mitigation devices to minimize the risk.

The nice thing about most SSL VPN deployments, though, is that they aren't used to replace pure network access. They bring users into the network through Web browsers or, sometimes, through port forwarding. In terms of security, the level of concern warranted by that kind of access is dramatically lower than with real, full network connectivity. Yes, there is a potential for loss of information: a keystroke logger on the client, for example, can capture passwords and other data. But it's not as if the PC is sitting on your network or even anywhere near your network.

The window of vulnerability with SSL VPN is very small when compared with a typical IPSec VPN deployment. SSL VPN, then, is saved from the failure of end-point security checkers by the limited access it grants in the first place.

If you're using SSL VPN network extension as a replacement for an IPSec VPN, that's another story. Then you are giving the PC much greater access to your network, and the potential for problems on that PC to spread into the unprotected corporate network is correspondingly greater. There, the argument for end-point security assessment has greater validity.

End-point security technology probably will work on your own PCs. If you have a tightly managed laptop deployment where you control the horizontal and the vertical, you can easily add an end-point security checker into your standardized laptop image. You are already loading on the company personal firewall, the corporate anti-virus, and the organizational configuration rules and access controls. Pile an end-point security checker on top of that, locked down with group policies and all the elegance of Windows management, and you're going to have a pretty good success rate.

Of course, if employees are already running corporate-issued laptops, then their end-point security posture is pretty well known to begin with. They've got the standard firewall, anti-virus, anti-spyware and so on. If you're a sophisticated Windows shop and have been through the school of hard knocks, you probably don't give most end users administrator access on their own laptops, which means that the security settings are pretty stable.

In the case of the corporate-issued laptop, end-point security assessment, whether on the corporate LAN or in conjunction with an SSL VPN, is going to give you some marginal benefit. It'll help identify those laptops that have been out of touch for two months and are missing service packs or haven't updated virus files. Whether you're willing to use that information to block access to the corporate network is another question entirely. That's a pretty drastic penalty to impose on the poor sales guy in Bologna who hasn't had a chance to get his software updated because he's so busy closing deals.
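The advice above boils down to two decisions: how much to trust a posture result, and what to do with it. The following is an added example, not code from the article or from any of the products tested, that puts both into one policy engine. It treats any result from an unmanaged or agentless machine as unknown (the test results showed checks on random PCs are unreliable), distinguishes a laptop that is merely out of date from one that is genuinely non-compliant so the sales guy in Bologna gets reduced access and remediation rather than a cutoff, and makes Web and port-forwarding access independent of posture entirely. The record fields, thresholds and compensating-control names are assumptions chosen for illustration, and the sample endpoints are constructed.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import List, Optional


class Access(Enum):
    FULL = "network-extension"      # full IP connectivity, IPSec-style
    RESTRICTED = "port-forwarding"  # a few forwarded TCP ports
    WEB_ONLY = "web-only"           # browser-proxied applications only
    DENY = "deny"


@dataclass
class Endpoint:
    """Constructed inventory record; field names are assumptions for this example."""
    hostname: str
    managed: bool                        # corporate image, locked down with group policy
    checker_ran: bool                    # did the end-point checker return a result at all
    av_signature_date: Optional[date]    # last anti-virus definition update
    missing_service_packs: int
    firewall_on: bool


@dataclass
class Decision:
    access: Access
    controls: List[str]   # compensating controls the gateway must enforce
    reason: str


def evaluate_posture(ep: Endpoint, today: date,
                     max_sig_age_days: int = 14, grace_days: int = 60) -> str:
    """Classify an endpoint as unknown, compliant, stale or noncompliant.

    Results from machines we don't control are treated as unknown rather than
    trusted, since the checker cannot be relied on there.
    """
    if not ep.managed or not ep.checker_ran:
        return "unknown"
    if not ep.firewall_on or ep.av_signature_date is None:
        return "noncompliant"
    age_days = (today - ep.av_signature_date).days
    if age_days <= max_sig_age_days and ep.missing_service_packs == 0:
        return "compliant"
    if age_days <= grace_days:
        return "stale"        # out of touch: remediate, don't cut off
    return "noncompliant"


def decide_access(requested: Access, posture: str,
                  entitled_to_extension: bool,
                  block_noncompliant: bool = False) -> Decision:
    """Turn a posture result into an access level plus required compensating controls."""
    # Browser and port-forwarding access carry a small window of vulnerability,
    # so they are granted regardless of posture, behind per-application ACLs.
    if requested in (Access.WEB_ONLY, Access.RESTRICTED):
        return Decision(requested, ["app-acl"], "limited access method; posture not required")
    # Network extension is only for users who truly need it.
    if not entitled_to_extension:
        return Decision(Access.RESTRICTED, ["app-acl"], "not entitled to network extension")
    if posture == "compliant":
        return Decision(Access.FULL, ["ips"], "managed, compliant laptop")
    if posture == "stale":
        return Decision(Access.RESTRICTED, ["app-acl", "ips"],
                        "out-of-date laptop; reduced access until remediated")
    if posture == "noncompliant":
        if block_noncompliant:
            return Decision(Access.DENY, [], "policy violation; access blocked")
        return Decision(Access.WEB_ONLY, ["app-acl"], "policy violation; Web access only")
    # Unknown posture on an entitled user: the checker can't help, so the gateway
    # must lean on fine-grained ACLs plus external firewall and IPS instead.
    return Decision(Access.FULL, ["app-acl", "external-firewall", "ips"],
                    "unmanaged endpoint; rely on threat mitigation")


def decide(ep: Endpoint, requested: Access, entitled: bool, today: date,
           block_noncompliant: bool = False) -> Decision:
    return decide_access(requested, evaluate_posture(ep, today), entitled, block_noncompliant)


if __name__ == "__main__":
    today = date(2005, 9, 1)
    # Constructed sample endpoints.
    hq_laptop = Endpoint("hq-lt-01", True, True, date(2005, 8, 25), 0, True)
    bologna = Endpoint("sales-bo-07", True, True, date(2005, 7, 15), 1, True)
    contractor = Endpoint("unknown-pc", False, True, date(2005, 8, 30), 0, True)
    for ep in (hq_laptop, bologna, contractor):
        d = decide(ep, Access.FULL, True, today)
        print(f"{ep.hostname:12} {evaluate_posture(ep, today):12} -> {d.access.value:18} {d.controls} ({d.reason})")
```

Run as-is it prints one line per sample endpoint. The decision table is the actual policy; the point is that it is written down before the checker is switched on, so the answer to "what will you do with a non-compliant result" is never improvised at the help desk.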



Copyright © 2005 IDG Communications, Inc.