Toward an end-point security standard

Cisco and Microsoft want to keep your client PCs clean

VPNs, whether IPSec- or SSL-based, allow remote PCs access to the network. Sometimes these computers are under corporate management, but many times they are not. They are home-office PCs, business partner systems, or public Internet terminals. Any of them might lack up-to-date anti-virus signatures; indeed, they may already be full of malware.

The best way to reduce your exposure to these threats is to automate edge security by enforcing policies on every client device that attaches to the network. Companies such as Sygate, WholeSecurity, and Zone Labs (recently acquired by Check Point) provide software that performs client integrity scans to determine the trust level of a host system. Users are then granted or denied access based on the results of these scans.

All but two of the SSL VPN systems in this roundup partner with one or all of these vendors to provide security at the network’s edge. The others ship their own homegrown software. The part that’s missing, however, is an industrywide standard — something that will allow security policies to be enforced across multiple vendors and platforms. That’s where Cisco and Microsoft hope to step in.

Cisco’s take on end-point security is currently in limited, but growing, release. NAC (Network Admission Control), part of the Cisco Self-Defending Network initiative, uses client software called Cisco Trust Agent to query information such as patch levels or virus signature dates, relaying the results back to a central policy enforcement system. If the client doesn’t meet certain requirements, it isn’t granted access to the network.

Not to be left out, Microsoft is working on NAP (Network Access Protection), its answer to the end-point security problem. Still very much in its infancy, NAP will be part of the next Windows Server platform, code-named Longhorn. Like other vendors’ solutions, NAP reports client trust status back to a policy enforcement engine, where access is granted or denied. Microsoft’s advantage is that it can build NAP client integrity hooks into the next desktop version of Windows, eliminating the need for separate client-side software.

Cisco and Microsoft have announced they will partner to make sure each system works with the other, but the extent to which they will actually interoperate remains to be seen. If these networking giants live up to their promises, however, IT administrators will soon have a standard way to know and trust the devices attached to their networks. And that’s a good thing because, after all, you can’t let just anyone in.