The Means to an Endpoint Security

By | November 22, 2006

If administrators are still unsure about the device or want to allow controlled access, then a Protected Workspace is available. Protected Workspace (PWS) allows you to restrict end users from printing, saving files, or storing information on a client (e.g. laptop) accessing the SSL VPN device. It restricts users to a temporary workspace on the remote system, which contains temporary Desktop and My Documents folders. In protected mode, the user cannot unintentionally or accidentally write files to locations outside the temporary folders. The PWS control deletes the temporary workspace and all of the folder contents at the end of the session. Protected Workspace is especially useful when users are working on devices that should not store information, such as a public kiosk.

Protecting Your Resources

Ultimately, as the ever-expanding virtual network grows, it is the internal corporate resources that require the most protection. Most organizations don’t necessarily want all users’ devices to get access to all resources, all the time. Working in conjunction with the prelogon sequence, the best SSL VPN systems can gather device information (like IP address or time of day) and determine if a resource favorite should be offered. A protected configuration measures risk factors using the information collected by the prelogon sequence, which is why the two work together. The SSL VPN device can create detailed protected configurations using a variety of security measures. It can check whether a logon is coming from a trusted network, what antivirus software the endpoint is running, or which certificate the client is using. The many different checks cover protection criteria such as loggers, virus infections, information leaks and unauthorized access. Administrators can then select the safety feature needed for each risk factor.

For instance, Fake Company Inc. (FCI) has some contractors who need network access to Fake’s corporate LAN. While this is not an issue during work hours, FCI does not want them looking around after dark. With the proper configuration, a contractor can log on at 10 p.m. and the SSL VPN device can check the time; it already knows the ‘contractor’ network access favorite is only available during FCI’s regular business hours, which happen to be 9 a.m.-5 p.m. The network access link he normally sees during regular business hours has vanished. If the user’s endpoint posture (in this case, time of day) does not satisfy the defined level, the system disallows access to resources.

Fake may still allow access to certain web applications such as an extranet portal after hours, just not a full SSL VPN tunnel. The combinations can be endless but a good SSL VPN device’s endpoint security features can make the daunting task seem elementary.
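The contractor scenario above can be written as a small policy evaluation. This is an added example, not code from the article or from any SSL VPN product; the group and favorite names, the `Posture` fields and the rule table are assumptions made for illustration, and only the 9 a.m.-5 p.m. window comes from the text.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

# The 9 a.m.-5 p.m. window comes from the article; everything else is constructed.
BUSINESS_START, BUSINESS_END = time(9, 0), time(17, 0)

@dataclass
class Posture:
    """Facts reported by the prelogon sequence. None means a check never reported."""
    group: str
    antivirus_running: Optional[bool]

# Named checks. Time is read from the gateway clock, so the decision does not
# depend on a value the endpoint reports about itself.
CHECKS = {
    "antivirus": lambda p, now: p.antivirus_running is True,  # None fails closed
    "business_hours": lambda p, now: BUSINESS_START <= now.time() < BUSINESS_END,
}

# Hypothetical protected configuration: (group, favorite) -> required checks.
PROTECTED_CONFIG = {
    ("contractor", "extranet-portal"): ["antivirus"],
    ("contractor", "network-access"): ["antivirus", "business_hours"],
}

def offered_favorites(posture, gateway_now):
    """Return the favorites to show; groups with no rule get nothing (default deny)."""
    return sorted(
        favorite
        for (group, favorite), required in PROTECTED_CONFIG.items()
        if group == posture.group
        and all(CHECKS[name](posture, gateway_now) for name in required)
    )

if __name__ == "__main__":
    contractor = Posture(group="contractor", antivirus_running=True)
    for hour in (10, 17, 22):
        now = datetime(2006, 11, 22, hour, 0)  # constructed timestamps
        print(hour, offered_favorites(contractor, now))
```

The end of the window is exclusive, so a logon at exactly 5 p.m. already loses the network access favorite while the extranet portal stays available.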

Post Logon ‘Residue’

Post logon actions can protect against sensitive information being ‘left’ on the client. A solid SSL VPN device can impose a cache-cleaner to eliminate any user residue such as browser history, forms, cookies, auto-complete information and more. The SSL VPN device can close a Google desktop search, for example, so nothing is indexed during the session. For systems unable to install a ‘cleanup’ control, the SSL VPN device can be configured to block all file downloads, avoiding the possibility of the inadvertent left-behind temporary file – yet still allow access to needed applications. Post logon actions are especially important when allowing non-trusted machines access without wanting them to take any data with them after the session.

In summary: 1) first, inspect the requesting device, 2) protect resources based on the data gathered during the check, 3) make sure no session residue is left behind.


Security in a remote access environment is typically a question of trust. Is there sufficient trust to allow a particular user and a particular device full access to enterprise resources? Endpoint security features give the enterprise the ability to verify how much trust is warranted and determine whether the client can get all the resources, some of the resources, or none at all.

A strong SSL VPN system with integrated endpoint security protects your company’s internal resources and provides: Automatic detection of security-compliant systems, preventing infection; Automatic integration with a large number of virus scanning and personal firewall solutions; Automatic protection from infected file uploads or email attachments; Automatic re-routing of infected or non-compliant systems to a self remediation network – reducing IT help desk calls; A secure workspace, preventing eavesdropping and theft of sensitive data.

The bottom line? As more and more people work at home or on the road using an increasing number of different access devices, a strong SSL VPN system with comprehensive endpoint security features is no longer a luxury for a business; it has become an absolute necessity.
