As SSL VPN remote access systems – that is, technology used to connect internal company resources and data to people working from home or on the road – becomes more mainstream, and organizations extend their internal infrastructures to users who are not necessarily employees, endpoint security has become an increasing concern.
It is no longer enough to protect your company assets from an unknown malicious intruder. Organizations need to protect against trusted employees connecting from their un-patched home computers or protect against that same trusted employee entering their sensitive user credentials on a public terminal at a conference, for example.
With so many different types of users connecting from a slew of various devices, and needing access to vastly different internal resources, it’s important to inspect every requesting host to ensure both the user and the device can be trusted.
The Door Is Open
Since SSL VPN technology has opened remote access to the masses, and all that’s required for this access is a browser, administrators must be able to detect not only the type of computer being used (laptop, PDA, kiosk, etc.) but also its security posture. With so many Internet-ready devices available, at any given moment there could be a Windows computer, a Linux box and a WAP phone all trying to gain access. Inspecting each of these to make sure it’s something you want to allow before users enter their credentials is an absolute necessity. If the inspection fails, how should the problem be fixed so that the user can have some level of access? If the requesting host is admissible, how do you determine exactly what they are authorized to access? And, if a user and their device are allowed, what is the guarantee that nothing proprietary either gets taken or left behind? The key challenge is to make certain only a ‘safe’ system is allowed to access your highly sensitive infrastructure.
Bottom line: allowing an infected device access onto the network is just as bad as allowing an invalid user to access proprietary internal information. This is where powerful “endpoint security” features on an SSL VPN device can take over. Endpoint security features, in essence, prevent infected PCs, hosts, or users from connecting to the network. Its auto remediation capabilities for infected PCs also helps reduce help desk calls and prevents sensitive data from being snooped by keystroke loggers and malicious programs.
The Prelogon Inspection
Validating a user is no longer the starting point for determining access; the device that they’re using now gets first review.
Prelogon checks run prior to the actual logon page appearing, so if the client is not in compliance, they won’t even get the chance to log on. These checks can determine if antivirus or a firewall is running and if it is up-to-date, along with many more inspectors.
The best SSL VPN devices can direct the user to a remediation page for further instructions or even turn on the antivirus or firewall for the user. Inspectors can look for certain registry keys or files that are part of your corporate computer build/image to determine if this is a corporate asset. Prelogon can retrieve extended Windows and IE information to ensure certain patches are in place. If, based on those checks, the SSL VPN device finds a non-compliant client but an authorized user, it can create a secure, protected workspace for that session and have the user enter their sensitive information with what’s known as a secure virtual keyboard.
What’s more, the best SSL VPN devices feature a simple GUI which makes complex enforcement of policies simple and flexible. Using these interfaces, it is possible to create a prelogon security policy which evaluates each endpoint system looking to logon to the SSL VPN device’s controlled network. The SSL VPN device provides various pre-built inspection templates, including those that check for different antivirus/firewall programs, the presence of a Google desktop or client certificates, to name a few. It also allows you to start with a blank template to allow complete custom-built policies. All an administrator needs to do is “point and click” to build the rules and, based on the result, the action to take.
For the user, after typing in the secure SSL VPN device address, they get visual indication of the inspection as it gathers information about the end user’s system. Hopefully, the outcome is a success and the user gets their logon page. The second outcome, of course, is logon denied. It’s common to educate the user as to why the failure occurred and possible steps to resolve the problem: “We noticed you have antivirus installed but not running. Please enable your antivirus software for access.” In certain deny instances, the SSL VPN device could immediately re-direct the client to a remediation server. Rather than deny logon with details, you can automatically send them to a remediation Web site designed to correct or update the client’s software environment, assuring policies required for a pre-logon check are satisfied without any user interaction.