Many companies have augmented or even replaced IPsec VPNs with secure remote access solutions based on SSL. Given that SSL VPNs can be used from unmanaged home or public PCs, it is critical to assess the remote endpoint's security when deciding whether to permit access to corporate resources. This tip explores why and how network access control functions are used to strengthen SSL VPNs, and their relationship to industry NAC initiatives.
Opportunity and risk
By using the Web browser as a client platform, SSL VPNs make it possible to deliver remote access to devices that lie far beyond IT control, from home PCs and Internet kiosks to business partner laptops and executive PDAs. This "anytime, anywhere" approach can extend access to many more workers while reducing the cost of providing it. By 2008, Gartner expects, SSL VPN will be the primary remote access method for two out of three teleworkers and more than 90% of employees requiring occasional remote access.
However, connecting unmanaged endpoint devices to corporate networks adds risk. If a teleworker's home PC is infected with a worm or trojan, its VPN tunnel can be exploited to relay those threats to corporate resources. If an Internet kiosk harbors a keystroke logger, the user's entire VPN session -- including login and password -- can be stolen. In both situations, users tend to leave sensitive data behind where others can find it, from cached passwords to temp files. Clearly, delivering secure anywhere access to unmanaged endpoints requires mitigating these risks.
Filling the void
Fortunately, SSL VPN vendors have been hard at work solving these challenges. Today's SSL VPN appliances offer a fairly mature set of network access control functions to combat these threats:
These network access control functions may or may not exist in your favorite SSL VPN product. Endpoint-specific limitations also apply -- integrity checks that cannot be performed without administrator rights, or virtual environments that can be established only on Win32 PCs. SSL VPN features have expanded considerably over the past few years, however, reflecting field experience and technology maturity. Take a fresh look at the network access control functions available to you -- you may be pleasantly surprised.
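To make the endpoint-limitation point concrete, here is an added example of how a gateway's host-check results can be mapped to an access level. It is illustrative code written for this tip, not any vendor's host checker: the checks, the `win32`-only sandbox rule and the access policy are all constructed assumptions. The point it demonstrates is that a check which could not run (no administrator rights) is an unknown, not a pass, and should cap the session rather than be silently skipped.

```python
"""Illustrative endpoint-posture policy for an SSL VPN gateway (added example,
not vendor code). Models three NAC-style functions: integrity checks, access
tiering, and a cache-cleanup requirement for sessions from unmanaged endpoints."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    NOT_RUN = "not_run"   # the check could not execute on this endpoint


class Access(Enum):
    FULL = "full_tunnel"   # network-layer tunnel to internal resources
    WEB_ONLY = "web_only"  # clientless portal only, no tunnel
    DENY = "deny"


@dataclass
class Endpoint:
    managed: bool           # corporate-managed device or not
    has_admin_rights: bool  # can the host checker run privileged probes?
    platform: str           # constructed values: "win32", "macos", "linux", "kiosk"
    av_running: bool
    patches_current: bool
    keylogger_present: bool


@dataclass
class Decision:
    access: Access
    cache_cleanup_required: bool
    reasons: list[str] = field(default_factory=list)


def check_antivirus(ep: Endpoint) -> Result:
    # Assumed answerable from user mode, so it runs even without admin rights.
    return Result.PASS if ep.av_running else Result.FAIL


def check_patches(ep: Endpoint) -> Result:
    # Assumed to need administrator rights; without them it cannot run at all.
    if not ep.has_admin_rights:
        return Result.NOT_RUN
    return Result.PASS if ep.patches_current else Result.FAIL


def check_keylogger(ep: Endpoint) -> Result:
    # Assumed to need administrator rights to inspect hooks and drivers.
    if not ep.has_admin_rights:
        return Result.NOT_RUN
    return Result.FAIL if ep.keylogger_present else Result.PASS


CHECKS: dict[str, Callable[[Endpoint], Result]] = {
    "antivirus": check_antivirus,
    "patches": check_patches,
    "keylogger": check_keylogger,
}


def run_checks(ep: Endpoint) -> dict[str, Result]:
    return {name: fn(ep) for name, fn in CHECKS.items()}


def decide(ep: Endpoint, results: dict[str, Result]) -> Decision:
    """Constructed policy:
    - any check that ran and FAILED denies the session;
    - any check that could NOT RUN counts as unknown, not as a pass, and
      caps the session at web-only;
    - a full tunnel requires a managed endpoint with every check passed;
    - an unmanaged endpoint gets portal access; if no protected virtual
      environment is available (assumed Win32-only), the gateway must wipe
      cached credentials and temp files at logout."""
    reasons: list[str] = []
    failed = [n for n, r in results.items() if r is Result.FAIL]
    not_run = [n for n, r in results.items() if r is Result.NOT_RUN]
    sandbox_ok = ep.platform == "win32"  # constructed: sandbox only on Win32
    cleanup = (not ep.managed) and (not sandbox_ok)

    if failed:
        reasons.append("failed checks: " + ", ".join(failed))
        return Decision(Access.DENY, cache_cleanup_required=False, reasons=reasons)
    if not_run:
        reasons.append("checks could not run (treated as unknown): " + ", ".join(not_run))
        return Decision(Access.WEB_ONLY, cache_cleanup_required=cleanup, reasons=reasons)
    if ep.managed:
        reasons.append("managed endpoint, all checks passed")
        return Decision(Access.FULL, cache_cleanup_required=False, reasons=reasons)
    reasons.append("unmanaged endpoint, all checks passed: portal only")
    return Decision(Access.WEB_ONLY, cache_cleanup_required=cleanup, reasons=reasons)


def assess(ep: Endpoint) -> Decision:
    return decide(ep, run_checks(ep))


if __name__ == "__main__":
    # Constructed sample endpoints: a corporate laptop, a home Mac without
    # admin rights, and a kiosk that harbors a keystroke logger.
    for ep in (
        Endpoint(True, True, "win32", True, True, False),
        Endpoint(False, False, "macos", True, True, False),
        Endpoint(False, True, "kiosk", True, True, True),
    ):
        d = assess(ep)
        print(ep.platform, d.access.value, "cleanup=%s" % d.cache_cleanup_required, d.reasons)
```

Note how the home Mac case lands on web-only with a mandatory cache wipe even though nothing failed: two of three checks never ran because the user lacked administrator rights, and the policy refuses to treat silence as health. Real gateways vary in which checks need privileges and which platforms support a virtual environment, so the thresholds above are the part to adapt, not the fail-closed structure.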
Relationship to NAC
Readers familiar with Cisco's Network Admission Control, Microsoft's Network Access Protection, or TCG's Trusted Network Connect may be thinking, "Wait a minute! These functions sound a lot like [ NAC | NAP | TNC ]." In fact, many of the concepts and techniques embodied by those industry initiatives emerged from the SSL VPN market, from endpoint integrity checks to browser-based dissolvable client software.
SSL VPNs are expected to play a big role in NAC adoption. Infonetics predicts that more than two-thirds of SSL VPN gateways will be used as part of a NAC deployment by 2008. In some cases, those SSL VPNs will be one part of a broader NAC strategy. All three architectures treat VPN gateways as one type of network enforcement device. Many SSL VPN vendors have either announced support for NAC architectures or participate in one or more NAC initiatives. For example, Cisco, Microsoft (Whale), and Juniper sell SSL VPN appliances that fit into NAC, NAP and TNC, respectively. Caymas Systems even has an SSL VPN appliance that supports both NAC and NAP.
When deployed as part of a broader NAC strategy, one obvious approach is to have the SSL VPN appliance focus on controlling network access by offsite remote users: travelers, teleworkers, day extenders, mobile professionals. However, some analysts believe that SSL VPNs could play a starring role in NAC. Specifically, as the network perimeter evaporates, more and more devices may be considered "remote" (external). Some enterprises may choose to run all network access -- onsite and offsite -- through an SSL VPN appliance. Doing so could leverage the SSL VPN industry's heritage of applying network access control to offer safer access from potentially risky endpoints.
About the Contributor: Lisa A. Phifer is vice president of Core Competence Inc. She has been involved in the design, implementation, and evaluation of data communications, internetworking, security, and network management products for over 20 years and has advised companies large and small regarding security needs, product assessment, and the use of emerging technologies and best practices.