Securing Remote Access with SSL VPNs
Part 4: Adding SSL VPN endpoint controls
— continued

by Lisa Phifer
VP Core Competence, Inc.
[July 10, 2008]
Classify me
Now the "clientless" party starts. Many web browsers can deliver ActiveX controls, Java applets, or even program installation packages to unmanaged endpoints. The appliance combines whatever the SSL VPN already knows about the tunnel endpoint (e.g., operating system, browser type, IP address) with whatever it can learn from one of these dynamically-downloaded SSL VPN agents. These observations are then used to classify the endpoint into a Zone, which is referenced by Access Control rules.

Classification is how we can give our Admins broad access from managed laptops but limited access from public PCs (see figure), or check the safety of Suppliers' endpoints even though we don't manage them.


Figure 4-3: Classifying endpoints into zones

In Part 5, we will demonstrate classification on different devices and browsers, and it is very important to understand these implications when defining Communities with Zone restrictions. Simply put, you can observe far more about a Win32 PC running Internet Explorer—if you apply too many restrictions, other devices and browsers will never be able to satisfy them. For demo purposes, we stuck to a few rudimentary checks.

The EX-1600 classifies endpoints into three kinds of Zones:

Deny Zones are used to prohibit endpoints that pose too much risk or cannot be secured. Here, we downgrade our PowerUsers by mapping those on Unsupported Devices into the default zone shared by other staff members.

Standard Zones are used to enable access from compliant, safe, or otherwise acceptable endpoints. Here, we classify PowerUsers on known, trusted endpoints into their own Managed Device Zone.

Quarantine Zones are special places, reserved for endpoints that fail these checks but should be given remediation instructions or resources. We did not quarantine Power Users; we just gave them default access. However, we did quarantine others who could not pass endpoint classification.

The same default zone applies to every Realm and Community; be careful who ends up there. You can define as many Quarantine Zones as you want—this is a safer way to apply Community-specific rules when no other Zone is matched.

Now we must define those Deny, Standard, Quarantine, and default Endpoint Control Zones. A Zone classifies endpoints based on Device Profiles. For our demo, we specified a few simple Device Profiles (see figure). Here, we depict a Managed Device Zone that forces PowerUsers to satisfy one of two Device Profiles: ManagedPC or ManagedWM. We also require Suppliers to satisfy a Safe Windows Zone that we defined as Windows XP SP2+ with just about any recently-updated Anti-Virus program.


Figure 4-4: Defining zones

This list summarizes our Zones and Device Profiles, but these objects can actually be very complex. To understand Endpoint Control Zones, we must drill down into Device Profile attributes (see figure). At this level, we start to see that Device Profiles depend on operating system. Furthermore, many more attributes can be checked on Win32 devices than on Linux, Mac, Windows Mobile, or other devices.


Figure 4-5: Device profile attributes

Above right, we illustrate a Win32 profile that looks for a client certificate issued by our trusted CA. Above left, we show a Windows Mobile profile that checks for the directory housing the Aventail MobileConnect client. On most operating systems, the EX-1600 can look for installed applications, directories, or filenames. On Windows devices, you can also search for registry keys and client certificates. Built-in and optional Advanced Win32 checks are the most extensive, providing shortcuts for a wide variety of anti-virus, anti-spyware, and personal firewall programs, versions, and updates.

SSL VPN products vary quite a bit when it comes to endpoint control, and most are still expanding support for non-Windows devices (especially mobile devices). Look carefully at each SSL VPN appliance to see what endpoint attributes can actually be checked per OS. Also consider whether the SSL VPN can be integrated with third-party endpoint security products used to assess and remediate managed devices.

At this point, we have classified access requests into Endpoint Control Zones, based on what the appliance could learn about the source endpoint (Device Profiles). The last step is to apply Standard Zones to Access Control rules. In this figure from Part 3, we can see that our Access Control rules let PowerUsers reach many more resources from endpoints in the Managed Device Zone (that is, Managed PCs and Managed Windows Mobile phones).
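To make the Zone and Device Profile logic described above concrete, here is a small Python model added for illustration; it is not code from the article or from the EX-1600. It turns endpoint observations (OS, client certificate issuer, anti-virus update age, directories found by the agent) into a zone name for a given Community. The field names, the CA name, the MobileConnect path, the seven-day anti-virus window, and the Deny-then-Standard-then-Quarantine evaluation order are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed view of what the appliance learned about an endpoint from the
# browser/TLS handshake plus the downloaded agent (field names are assumptions).
@dataclass
class Endpoint:
    os: str                               # "Win32", "WinMobile", "Linux", ...
    os_version: tuple = ()                # Win32 only: (major, minor, service pack)
    av_updated: Optional[date] = None     # last AV signature update seen by agent
    cert_issuer: Optional[str] = None     # issuer DN of a presented client cert
    dirs: frozenset = frozenset()         # directories the agent found on the device

# Device Profiles: predicates over the observations. Names follow the article;
# the CA name, directory path and 7-day AV window are assumed values.
def managed_pc(ep, today):       # Win32 PC holding a cert from our trusted CA
    return ep.os == "Win32" and ep.cert_issuer == "CN=Demo Trusted CA"

def managed_wm(ep, today):       # Windows Mobile with the MobileConnect directory
    return ep.os == "WinMobile" and "\\Program Files\\Aventail" in ep.dirs

def safe_windows(ep, today):     # Windows XP SP2+ with recently updated anti-virus
    return (ep.os == "Win32" and ep.os_version >= (5, 1, 2)
            and ep.av_updated is not None and (today - ep.av_updated).days <= 7)

@dataclass
class Zone:
    name: str
    kind: str                            # "deny", "standard" or "quarantine"
    profiles: list = field(default_factory=list)   # empty quarantine = catch-all

def classify(ep, zones, today=date(2008, 7, 10)):
    """Zone name for this endpoint: Deny zones first, then Standard, then a
    Quarantine catch-all, otherwise the default zone shared by every Community
    (this evaluation order is an assumption, not documented appliance behaviour)."""
    for kind in ("deny", "standard", "quarantine"):
        for z in (z for z in zones if z.kind == kind):
            matched = any(p(ep, today) for p in z.profiles)
            if matched or (kind == "quarantine" and not z.profiles):
                return z.name
    return "Default"

# Community definitions from the article: PowerUsers get their own Managed Device
# Zone or fall to Default; Suppliers must satisfy Safe Windows or are quarantined.
POWERUSERS = [Zone("Managed Device", "standard", [managed_pc, managed_wm])]
SUPPLIERS = [Zone("Safe Windows", "standard", [safe_windows]),
             Zone("Supplier Quarantine", "quarantine")]

if __name__ == "__main__":
    kiosk = Endpoint(os="Win32", os_version=(5, 1, 2))   # public PC: no cert, no AV data
    print(classify(kiosk, POWERUSERS), "/", classify(kiosk, SUPPLIERS))
```

Note that the same kiosk lands in Default for a PowerUser but in the Supplier Quarantine for a Supplier, which is the per-Community fallback behaviour the article recommends.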

