Securing Remote Access with SSL VPNs
Keep me safe

In-session safety can involve limiting access from high-risk endpoints, avoiding the storage of any sensitive information on the endpoint, and protecting the user from spyware that might already be running on it. Here again, SSL VPN products are diverse. Some vendors (including SonicWALL Aventail) partner with endpoint security vendors to deliver protections that go beyond the features native to the SSL VPN appliance. For example, public kiosk computers over which you have no IT control may be unable (or their owners unwilling) to execute all of your endpoint checks. To reduce the risk posed by such endpoints, you can hide the details of your network using server-side content translation (e.g., URL mapping, cookie stripping) and web cache controls, so that the browser never sees internal host names, application cookies, or cacheable copies of sensitive pages. Graphical terminal access is another common approach: the user works with a back-end application through a screen session, so the application itself never executes on the endpoint, which limits (though does not eliminate) exposure to endpoint malware. Computers over which you can exert some control are good candidates for security add-ons that give the user a virtual environment or "safe sandbox" for the duration of the VPN session. Available EX-1600 data protection add-ons include Aventail Secure Desktop and Symantec (Sygate) On-Demand (see figure). Alternatively, basic cache control can be applied.
Although we did not have a license to use it, the Aventail Secure Desktop can create a virtual Win32 desktop session that encrypts all data before writing it to disk. When the SSL VPN session ends, Secure Desktop erases all files downloaded onto the endpoint during the session, along with any temporary files recorded by the web browser. On non-Windows devices and other endpoints that cannot execute Aventail Secure Desktop, the EX-1600 can fall back to Aventail Cache Control (see figure). This ActiveX control removes browser history, temporary files from the browser cache, saved passwords, and cookies from the endpoint after each SSL VPN session. These clean-up actions can also be triggered after a specified inactivity timeout, a common concern when authenticated VPN users simply walk away from public or home PCs. Note that because Cache Control is an ActiveX control, it only runs on endpoints whose browser supports and permits ActiveX; anything else gets neither Secure Desktop nor Cache Control, which matters for the zone classification described next.
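To make the server-side techniques above concrete (URL mapping, cookie stripping and web cache control), here is an added example of the translation pass an SSL VPN web proxy can apply to a back-end response before it reaches an unmanaged endpoint. It is illustrative code written for this page, not SonicWALL Aventail code, and it does not reproduce how the EX-1600 implements these features. The gateway prefix `https://vpn.example.com/web`, the internal hosts `intranet.corp.local` and `10.0.0.5`, and the sample response are all constructed assumptions. One design point the paragraph does not spell out: stripped cookies cannot simply be discarded or the back-end application breaks, so the gateway keeps them in a per-session server-side jar and replays them on later requests; the endpoint only ever holds the gateway's own session.

```python
"""Server-side content translation for an SSL VPN web proxy (illustrative).

Assumed names (not from the article): GATEWAY_PREFIX is the public URL
under which the gateway proxies internal web applications; INTERNAL_HOSTS
are the back-end hosts it fronts.
"""
import re

GATEWAY_PREFIX = "https://vpn.example.com/web"
INTERNAL_HOSTS = ("intranet.corp.local", "10.0.0.5")

# Response headers that reveal back-end software or topology to the endpoint.
LEAKY_HEADERS = {"server", "x-powered-by", "via", "x-aspnet-version"}

# Cache-defeating headers forced onto every proxied response so the browser
# writes nothing reusable to disk (the "basic cache control" option).
NO_STORE_HEADERS = [
    ("Cache-Control", "no-store, no-cache, must-revalidate, private"),
    ("Pragma", "no-cache"),
    ("Expires", "0"),
]

# Absolute URL pointing at one of the internal hosts, with optional path.
_INTERNAL_URL = re.compile(
    r"https?://(" + "|".join(re.escape(h) for h in INTERNAL_HOSTS) + r")"
    r"(/[^\s\"'<>]*)?"
)

# Server-side cookie jar: {vpn_session_id: {cookie_name: cookie_value}}.
# Back-end cookies never reach the endpoint; the gateway replays them.
_COOKIE_JAR = {}


def rewrite_url(url):
    """Map http(s)://internal-host/path to GATEWAY_PREFIX/internal-host/path."""
    m = _INTERNAL_URL.fullmatch(url)
    if not m:
        return url  # external or already-mapped URL: leave untouched
    host, path = m.group(1), m.group(2) or "/"
    return f"{GATEWAY_PREFIX}/{host}{path}"


def translate_body(body):
    """Rewrite every internal URL embedded in HTML/JS so only gateway URLs remain."""
    return _INTERNAL_URL.sub(lambda m: rewrite_url(m.group(0)), body)


def translate_headers(session_id, headers):
    """Strip leaky headers, capture Set-Cookie server-side, fix redirects, force no-store."""
    out = []
    for name, value in headers:
        lname = name.lower()
        if lname in LEAKY_HEADERS:
            continue
        if lname == "set-cookie":
            # Keep the application cookie in the per-session jar instead of
            # handing it to the endpoint's browser.
            cname, _, rest = value.partition("=")
            _COOKIE_JAR.setdefault(session_id, {})[cname.strip()] = rest.split(";", 1)[0].strip()
            continue
        if lname in ("cache-control", "pragma", "expires"):
            continue  # replaced wholesale by NO_STORE_HEADERS below
        if lname == "location":
            value = rewrite_url(value)  # redirects must not expose the internal host
        out.append((name, value))
    out.extend(NO_STORE_HEADERS)
    return out


def outbound_cookie_header(session_id):
    """Cookie header the gateway attaches when it forwards this session's next request."""
    jar = _COOKIE_JAR.get(session_id, {})
    return "; ".join(f"{k}={v}" for k, v in jar.items())


def translate_response(session_id, headers, body):
    """Apply the full pass to one back-end response."""
    return translate_headers(session_id, headers), translate_body(body)


# Constructed sample back-end response (not captured from any real system).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Server", "Microsoft-IIS/6.0"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly"),
    ("Cache-Control", "public, max-age=3600"),
    ("Location", "http://intranet.corp.local/login"),
]
SAMPLE_BODY = (
    '<a href="http://intranet.corp.local/hr/pay.aspx">Pay</a>'
    '<img src="http://10.0.0.5/logo.gif">'
    '<a href="https://www.example.org/">external</a>'
)

if __name__ == "__main__":
    hdrs, body = translate_response("sess-1", SAMPLE_HEADERS, SAMPLE_BODY)
    for h in hdrs:
        print("%s: %s" % h)
    print(body)
    print("replayed upstream:", outbound_cookie_header("sess-1"))
```

The pass is deliberately one-directional here; a real gateway also rewrites request URLs back to the internal host, handles relative links and script-generated URLs, and must decide per application whether a cookie is safe to keep server-side. The no-store headers are only a hint to a cooperative browser, which is why the article treats cache control as the fallback rather than the primary protection.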
These data protection options can be used to restrict which endpoints are classified into Standard Endpoint Control Zones. Data protection is a powerful way to reduce risk when SSL VPNs are accessed from unmanaged devices, or even from managed devices that are misconfigured or out of date. However, requiring data protection can unexpectedly force some endpoints into the Quarantine or default zones, depending on OS, browser type, and even the browser's configuration (for example, whether it can run the ActiveX or Win32 components the protection depends on). We had to experiment to truly appreciate these consequences. In fact, now that our appliance has been configured with a complete set of demo SSL VPN policies, it is time to take them out for a spin. In Part 5, we will illustrate end user experiences and how they vary based on endpoint device, location, and of course the resources that each individual is allowed to access. We will also dig into those all-important SSL VPN access methods and show how each method affects application access.