Keep those remote clients in check

Recently an IPSec VPN user recounted to me an experience he had in which the company he worked for decided that buying small VPN appliances was much better than using software VPN clients on individual PCs.

The company was using the VPN to connect sites rather than for remote access, and some of the remote sites were single-user offices.

These small offices had a mix of appliances and clients made by different vendors because the company had bought up other companies, and some of them had used appliances, others used clients. Things worked pretty well for a while for both groups.

Then Blaster hit and the company found out that the clients were the weak spot where infections leaked in. Not that there was anything wrong with the clients, it’s just that they left open the possibility of end users getting lax about keeping firewalls in place and updating anti-virus software. The lack of a standard desktop configuration and the fact that the remote sites were doctors’ offices that bought their own equipment compounded the problem. Supporting the client on different operating systems with varying software profiles was a huge headache, and so had not been done well.

The appliances on the other hand had been issued, installed between the local networks and the Internet and were remotely managed by the parent company. Firewall configurations, updates and anti-virus checks were all managed centrally without having to deal with the local staff. These sites caused no problem during the Blaster outbreak.

One lesson here is that control of these endpoints is vital not just to protect content traveling between remote sites and headquarters, but also to protect the entire corporate network. A machine connecting via VPN is on the network and can cause just as much trouble as a device the LAN.

Another lesson is that even if your clients and appliances support adequate safeguards, it still requires human vigilance to make sure they are in place when the bad guys strike.