Guardians of the extended enterprise get tough on wayward VPN users with new remote policy enforcement tools. Babysitting network access Enterprise challenges How it works Five critical decision points Tool sample A developer takes her laptop home to get extra work done. Before she starts, she disables her antivirus software, because it scans every file and tends to bog down the compile. The code compiles, she checks her work and is done with it for the evening. She then reads a few e-mails in her personal account and surfs a couple of Web sites. Before logging off for the night, she decides to upload her just-finished code to the office server, so she accesses the corporate LAN remotely via VPN. Unfortunately, she forgets to reactivate her antivirus software, and unbeknownst to her, the laptop has become infected with the Nimda worm. The result is Nimda wreaks havoc across the corporation.Welcome to Dennis Peasley's nightmare. A scenario much like this one led Peasley, corporate information security officer at Zeeland, Mich., office furniture giant Herman Miller, to roll out a new breed of security tool - remote policy enforcement software - to 900 remote users worldwide."If we had remote policy enforcement in place at the time, Nimda never would have gotten into the network," says Peasley, who now uses Zone Labs' Integrity remote policy enforcement tool. "We never would have let the developer in until the firewall and antivirus [signatures] were up to date."Babysitting network accessWithin the last year or so, remote policy enforcement tools have become available from vendors such as\u00a0InfoExpress,\u00a0Sygate Technologies\u00a0and\u00a0Zone Labs . The tools consist of client software, which has personal firewall and management pieces, and server software that communicates with the client and integrates with the corporate\u00a0VPN. The tool checks whether remote VPN users have specific files installed, active and working properly, such as personal firewalls and antivirus programs. If the remote machine doesn't meet corporate security requirements, network access is denied.Offending users are then redirected to a "quarantine" area on the remote policy enforcement server, from where they are prompted to turn on the firewall, restart the antivirus program or download the latest signatures - whatever is required to come into compliance. Only when the remote machines meet the specified security profile are they granted access to the corporate network. "When remote users connect to Herman Miller, all they can get to is the Integrity server," Peasley says. "It checks that they have the Integrity client software running and that they have their personal firewall and the latest antivirus [signatures]. It works as a logical [demilitarized zone] in our environment. Once they have all the criteria satisfied for connecting in, then the system lets them log on to the rest of the domain."Early users say the tools are far better than a VPN alone. "VPN vendors should have had something like this right from the beginning," says Ken Tyminski, chief information security officer at Prudential Financial, in Newark, N.J.Prudential is rolling out Sygate's Secure Enterprise remote policy enforcement tool to 20,000 remote users who currently access the network via a Nortel VPN (see A grand telework plan). "Like most companies, we have a secure VPN, but having a secure VPN and someone connected over it who's not running virus protection is the same as providing a very secure conduit for spreading a virus. That's why these tools are so important," he says.Before these tools, keeping remote machines secure was hit and miss, users say. "Many of the people who connect remotely to us do so infrequently," Tyminski explains. "Virus protection gets loaded on their machine, but they don't get the updates because when we distribute them internally, their machines aren't connected. We distribute to them the next time they connect, but when they're coming in over a low-speed connection and we try to push some of the signature files, it takes forever. And I suspect that as a result of that, people disable the software. Sygate ensures that the software is stable and current."The tools also can block inappropriate software. Peasley says Integrity, through the firewall piece, logs every application accessing the Internet. "So we see when people are running Morpheus for peer-to-peer sharing, for example, which we don't allow in our environment," he says. "We then block those with the firewall. But we can also see the new ones show up and address them as we see fit. It's very proactive."Tyminski agrees. "You wouldn't want somebody running a music-sharing program while connected to us. Sygate's tool lets us check the remote machine for things like Napster or Gnutella and then block access if it finds them," he says. Once the offending software is removed, the remote machine can be granted access to the network.The software also ensures that the remote PC is running current levels of corporate software.Enterprise challengesStill, the tools aren't perfect. They mostly grew up from consumer-based personal firewall products, and that can make configuring them to manage thousands of users difficult."This market is backwards," says Jason Wright, industry analyst\/program leader for security technologies at Frost & Sullivan. "Most security technologies start targeted to the large enterprise, and then filter to the middle market, small office\/home office and consumer. Remote policy enforcement tools started at the consumer end and now vendors are trying to build up the scale to address the enterprise market. But starting small and then building in enterprise-level capability and management is a challenge."Five critical decision pointsAsk vendors these five questions to determine the best policy enforcement tool for you. 1. How well does it work with your VPN? "You want to see if the vendor has partnerships and understand how tightly it can integrate with the [existing] VPN gateway and management console," says Jason Wright, an analyst with Frost & Sullivan.2. How well does it scale? A tool that can manage and enforce policies for 900 remote users might have trouble scaling to 26,000. 3. How easy is it to manage? Ideally, the remote policy enforcement and VPN software can be managed from one console. 4. Can it enforce policies beyond existence of firewalls and antivirus? The best tools ensure the latest versions of firewall and antivirus signatures are in place, and the standard operating system and office productivity software. It should also be able to block nonsanctioned software. 5. How well-designed is its quarantine area? The point of remote networking is lost if access is denied and productivity thwarted. Tools should provide a safe, easy-to-navigate area where users can get in line with security policies. The best tools offer Web-based quarantine areas with user-defined hotlinks to virus signatures or other downloads. \u2014 Joanne CummingsTo that end, all major vendors are concentrating on ease of management in their latest releases. For example, Zone Labs' Integrity 2.0, which debuted at Comdex Fall 2002, now lets users set policies based on user groups, rather than simply the VPN gateway they access. Similarly, Sygate's latest edition offers better reporting tools, and InfoExpress' latest version of CyberGatekeeper adds support for additional types of remote computers, including Macintosh and Windows CE systems."If you can't manage something or configure it correctly, then it won't be secure. These tools are getting better in that respect. We're seeing more features, more options, better intuitive interfaces, all of which will improve the usability and the security. But it's something to be aware of," Wright says.The current tools also are fairly dependent on the VPN installed, and those that can be managed from the VPN console provide the most functionality. When bundled with the Cisco 3000 Series VPN products, Integrity can rely on the VPN to ping the remote machine constantly and ensure compliance even after initial logon. Similarly, InfoExpress and Sygate have a handful of VPN partnerships in place and are scrambling to get more."Users really hate having two management consoles - one for the VPN and one for the endpoint security," Wright says.Cost also is a factor. In the last year, Herman Miller's Peasley has seen Integrity's per-licensing cost nearly double as Zone Labs adds functionality and keeps up with the going market rate. His initial rollout to 900 users cost about $30 a seat, or $27,000. Now, licensing the tool for 400 users is going to cost him about $25,000, he says. "I'm still going to buy the licenses, but I can't do the whole enterprise as planned," Peasley adds, noting that he had wanted to outfit each of the company's 1,600 laptops with the software. "That's getting nuts."To avoid such sticker shock, Paul Burroughs, IT project manager for VPN support and systems integration at KPMG, in Montvale, N.J., plans to buy licenses for all seats at once. Burroughs is considering several remote policy enforcement tools, including InfoExpress' CyberGatekeeper, to protect his more than 26,000 users. InfoExpress charges $6,500 per server, which supports 10,000 concurrent users.Remote policy enforcement tool sample InfoExpress Product: CyberGatekeeper VPN\u2019s supported: Cisco,InfoExpress, Nortel Price: $6,500 per server Sygate Technologies Product: Sygate SecureEnterprise VPN\u2019s supported: Alcatel,Cisco, Enterasys, Netscreen, Nortel Price: About $30 per end point Zone Labs Product: Integrity 2.0 VPN\u2019s supported: Check Point,Cisco 3000 (bundled), Enterasys,Linksys, Lucent Price: About $60 per end point "We're going to roll [remote policy management] out to everyone because we rolled our remote-access product out to everybody," Burroughs says. "Whether they're using remote access or not yet, we have to do that. But we're going to buy all 26,000 licenses up front, so we avoid those pricing issues."Prudential's Tyminski plans to deploy policy enforcement servers to protect the network internally, he says. This will stop, for instance, the case where a user physically traverses the safeguards by entering the office, yanking out a sanctioned machine to plug in a laptop. Using Sygate will deny that user network access."When you think about it," Tyminski says, "the ability to control someone who's connected to your network, whether remotely or locally, to enforce your policies is key."Cummings is a freelance writer in North Andover, Mass. She can be reached at firstname.lastname@example.org.