July - 2008 - issue > Technology
The Means for an Endpoint Security
Ameet Dhillon
Tuesday, July 1, 2008
As SSL VPN remote access systems – that is, technology used to connect internal company resources and data to people working from home or on the road – become more mainstream, and organizations extend their internal infrastructures to users who are not necessarily employees, ‘endpoint security’ has become a growing concern. With so many different types of users connecting from a slew of different devices and needing access to vastly different internal resources, it’s important to inspect every requesting host to ensure that both the user and the device can be trusted.

The Door is Open
Since SSL VPN technology has opened remote access to the masses, and all that’s required for this access is a browser, administrators must be able to detect not only the type of computer being used (laptop, PDA, or kiosk) but also its security posture.

Allowing an infected device onto the network is just as bad as allowing an invalid user to access proprietary internal information. This is where powerful ‘endpoint security’ features on an SSL VPN device can take over. These features, in essence, prevent infected PCs, hosts, or users from connecting to the network. The device’s auto-remediation capabilities for infected PCs also help reduce help desk calls and prevent sensitive data from being snooped by keystroke loggers and malicious programs.

The Pre-logon Inspection
Validating a user is no longer the starting point for determining access; the device they are using now takes that place.

Pre-logon checks run before the actual logon page appears, so a client that is not in compliance won’t even get the chance to log on. These checks can determine whether antivirus software or a firewall is running and whether it is up to date, along with many other inspections.

The best SSL VPN devices can direct the user to a remediation page for further instructions, or even turn on the antivirus or firewall for the user. Inspectors can look for specific registry keys or files that are part of your corporate computer build or image to determine whether the device is a corporate asset. Pre-logon can also retrieve extended Windows and IE information to ensure that certain patches are in place. If, based on those checks, the SSL VPN device finds a non-compliant client but an authorized user, it can create a secure, protected workspace for that session and have the user enter his or her sensitive information with what’s known as a secure virtual keyboard.

What’s more, these devices feature a simple GUI that makes complex policy enforcement both simple and flexible. Using these interfaces, it is possible to create a pre-logon security policy that evaluates each endpoint system trying to log on to the network controlled by the SSL VPN device. The SSL VPN device provides various pre-built inspection templates, including ones that check for different antivirus and firewall programs, the presence of Google Desktop, or client certificates, to name a few. It also lets you start from a blank template to build completely custom policies. All an administrator needs to do is ‘point and click’ to build the rules and, based on each result, the action to take.

For the user, after typing in the SSL VPN device’s address, he gets a visual indication of the inspection as it gathers information about his system. Hopefully the outcome is a success and the user gets the logon page. The second outcome, of course, is ‘logon denied’. It’s common to educate the user as to why the failure occurred and provide the possible steps to resolve the problem: e.g., “We noticed you have antivirus installed but not running. Please enable your antivirus software for access.” In certain deny cases, the SSL VPN device could instead immediately redirect the client to a remediation server. Rather than denying logon with details, you can automatically send the user to a remediation website designed to correct or update the client’s software environment, ensuring that the policies required by the pre-logon check are satisfied without any user interaction.
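The pre-logon sequence described above is, in effect, a rule table: each inspection has a pass condition and an action to take when it fails (deny with a message, redirect to remediation, or confine the session to a protected workspace). The following Python model is an added example and is not F5’s code; the check names, posture report fields, remediation URLs and thresholds are all assumed, and the posture reports are constructed sample data standing in for what an inspector would gather from the client.

```python
"""Pre-logon inspection modeled as a rule table: each rule names a check,
evaluates it against the posture report the inspector gathered, and says
what to do when the check fails. Posture reports here are constructed
sample data, not output of any real inspector."""
from dataclasses import dataclass, field
from typing import Callable, List

# Possible outcomes of the pre-logon sequence, least to most severe
ALLOW = "allow"                              # show the logon page
PROTECTED_WORKSPACE = "protected_workspace"  # allow, but inside a secure workspace
REMEDIATE = "remediate"                      # redirect to a remediation server
DENY = "deny"                                # logon denied, with a user-facing reason
SEVERITY = {ALLOW: 0, PROTECTED_WORKSPACE: 1, REMEDIATE: 2, DENY: 3}

@dataclass
class Rule:
    name: str
    passes: Callable[[dict], bool]  # True when the endpoint satisfies the check
    on_fail: str                    # action to take when it does not
    message: str = ""               # shown to the user on DENY
    remediation_url: str = ""       # target on REMEDIATE (hypothetical URL)

@dataclass
class Decision:
    action: str
    failed: List[str] = field(default_factory=list)
    message: str = ""
    redirect: str = ""

def build_policy(max_sig_age_days: int = 7) -> List[Rule]:
    """A policy like one an admin would assemble from the inspection templates."""
    return [
        Rule("antivirus-installed", lambda r: r.get("av_installed", False), DENY,
             message="No antivirus detected. Install antivirus software for access."),
        Rule("antivirus-running", lambda r: r.get("av_running", False), DENY,
             message="We noticed you have antivirus installed but not running. "
                     "Please enable your antivirus software for access."),
        Rule("antivirus-signatures-current",
             lambda r: r.get("av_signature_age_days", 999) <= max_sig_age_days, REMEDIATE,
             remediation_url="https://remediation.example.invalid/av-update"),
        Rule("firewall-running", lambda r: r.get("firewall_running", False), REMEDIATE,
             remediation_url="https://remediation.example.invalid/firewall"),
        # A registry key or file from the corporate build marks a corporate asset.
        # An unmanaged but otherwise compliant device is not refused; it is
        # confined to a protected workspace instead.
        Rule("corporate-asset", lambda r: r.get("corporate_marker_present", False),
             PROTECTED_WORKSPACE),
    ]

def evaluate(report: dict, policy: List[Rule]) -> Decision:
    """Run every rule, record the failures, and return the harshest action
    any failure calls for. A DENY or REMEDIATE result is delivered before
    the user ever sees the logon page."""
    decision = Decision(action=ALLOW)
    for rule in policy:
        if rule.passes(report):
            continue
        decision.failed.append(rule.name)
        if SEVERITY[rule.on_fail] > SEVERITY[decision.action]:
            decision.action = rule.on_fail
            decision.message = rule.message
            decision.redirect = rule.remediation_url
    return decision

# Constructed posture reports for three kinds of endpoint
CORPORATE_LAPTOP = {"av_installed": True, "av_running": True, "av_signature_age_days": 2,
                    "firewall_running": True, "corporate_marker_present": True}
HOME_PC_STALE_AV = {"av_installed": True, "av_running": True, "av_signature_age_days": 30,
                    "firewall_running": True, "corporate_marker_present": False}
KIOSK_AV_STOPPED = {"av_installed": True, "av_running": False, "av_signature_age_days": 0,
                    "firewall_running": False, "corporate_marker_present": False}

if __name__ == "__main__":
    policy = build_policy()
    for label, report in [("corporate laptop", CORPORATE_LAPTOP),
                          ("home PC", HOME_PC_STALE_AV), ("kiosk", KIOSK_AV_STOPPED)]:
        d = evaluate(report, policy)
        print(f"{label}: {d.action} failed={d.failed} {d.message or d.redirect}")
```

Ordering the outcomes by severity is the design point: a single endpoint can fail several checks at once, and the decision should be the strictest action any failing rule demands, while the full list of failures is still kept for the remediation page or the help desk.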

Protecting Your Resources
Ultimately, as the virtual network keeps expanding, it is the internal corporate resources that require the most protection. Most organizations don’t want every user’s device to have access to all resources all the time. Working in conjunction with the pre-logon sequence, the leading SSL VPN systems can gather device and session information (such as IP address or time of day) and determine whether a resource favorite should be offered. A protected configuration measures risk factors using the information collected by the pre-logon sequence, so the two work hand in hand. The SSL VPN device can build detailed protected configurations from a variety of security measures: it can check whether a logon is coming from a trusted network, what antivirus software the endpoint is running, or which certificate the client is using. The many different checks cover protection criteria such as keystroke loggers, virus infections, information leaks, and unauthorized access. Administrators can then select the safety feature needed for each risk factor.
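A protected configuration of the kind described above can be expressed as a catalog in which each resource lists the risk factors that must be mitigated before its favorite is offered. The Python below is an added example, not F5’s code: the trusted address ranges, the certificate issuer name, the antivirus product names, the business-hours window and the resource catalog are all assumptions, and the three sessions are constructed to show an office desktop, a corporate laptop connecting from a hotel, and a public kiosk.

```python
"""Protected configurations: decide which resource favorites a session is
offered by checking each resource's required risk mitigations against the
session context gathered at pre-logon. Networks, issuer name, antivirus
product names and the resource catalog are all constructed for the example."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List

# Address ranges treated as the trusted corporate network (example ranges)
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.50.0/24")]
CORPORATE_CA = "Example Corp Issuing CA"          # assumed issuer of corporate client certs
APPROVED_ANTIVIRUS = {"VendorA AV", "VendorB AV"}  # assumed product names from inspection

@dataclass(frozen=True)
class Session:
    client_ip: str
    hour: int                # local hour of day, 0-23
    antivirus: str           # product reported by the inspector, "" if none
    client_cert_issuer: str  # issuer of the presented client certificate, "" if none
    keylogger_detected: bool

def from_trusted_network(s: Session) -> bool:
    addr = ipaddress.ip_address(s.client_ip)
    return any(addr in net for net in TRUSTED_NETWORKS)

# Each criterion returns True when the corresponding risk factor is mitigated.
CRITERIA: Dict[str, Callable[[Session], bool]] = {
    "trusted-network": from_trusted_network,
    "corporate-cert": lambda s: s.client_cert_issuer == CORPORATE_CA,
    "approved-antivirus": lambda s: s.antivirus in APPROVED_ANTIVIRUS,
    "no-keylogger": lambda s: not s.keylogger_detected,
    "business-hours": lambda s: 7 <= s.hour < 20,
}

@dataclass(frozen=True)
class Resource:
    name: str
    requires: FrozenSet[str]  # every listed criterion must hold for the favorite to be offered

CATALOG = [
    Resource("Webmail", frozenset({"no-keylogger"})),
    Resource("Intranet portal", frozenset({"no-keylogger", "approved-antivirus"})),
    Resource("Finance file share",
             frozenset({"no-keylogger", "approved-antivirus", "corporate-cert"})),
    Resource("Source code repository",
             frozenset({"no-keylogger", "corporate-cert", "trusted-network", "business-hours"})),
]

def unmet_criteria(session: Session, resource: Resource) -> List[str]:
    """Criteria the session fails for this resource, sorted for stable output."""
    return sorted(c for c in resource.requires if not CRITERIA[c](session))

def evaluate_catalog(session: Session, catalog=CATALOG) -> Dict[str, List[str]]:
    """Map each resource name to its unmet criteria; an empty list means offered."""
    return {r.name: unmet_criteria(session, r) for r in catalog}

def favorites(session: Session, catalog=CATALOG) -> List[str]:
    """The resource favorites actually shown to this session."""
    return [name for name, unmet in evaluate_catalog(session, catalog).items() if not unmet]

# Constructed sessions: office desktop, corporate laptop from a hotel, public kiosk
OFFICE = Session("10.20.30.40", 10, "VendorA AV", CORPORATE_CA, False)
HOTEL = Session("203.0.113.7", 22, "VendorA AV", CORPORATE_CA, False)
KIOSK = Session("198.51.100.9", 14, "", "", True)

if __name__ == "__main__":
    for label, s in [("office", OFFICE), ("hotel", HOTEL), ("kiosk", KIOSK)]:
        print(label, favorites(s), evaluate_catalog(s))
```

Keeping the unmet criteria per resource, rather than a bare yes/no, lets the portal explain to the user why a favorite is missing (or to the administrator why a policy is too strict) without re-running the inspection.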

Post Logon ‘Residue’
Post-logon actions can protect against sensitive information being ‘left’ on the client. A solid SSL VPN device can impose a cache cleaner to eliminate any user residue such as browser history, form data, cookies, auto-complete information and more. The SSL VPN device can close Google Desktop search, for example, so nothing is indexed during the session. For systems on which a ‘cleanup’ control cannot be installed, the SSL VPN device can be configured to block all file downloads, avoiding the possibility of an inadvertently left-behind temporary file, yet still allow access to the needed applications. Post-logon actions are especially important when allowing non-trusted machines access without letting them take any data with them after the session.

In summary
1) Inspect the requesting device, 2) protect resources based on the data gathered during the check, and 3) make sure no session residue is left behind.

Security in a remote access environment is typically a question of trust. Endpoint security features give the enterprise the ability to verify how much trust can be placed and determine whether the client can get all the resources, some of the resources, or none at all. A strong SSL VPN system with integrated endpoint security protects your company’s internal resources and provides:
* Automatic detection of security-compliant systems, thus preventing infection
* Automatic integration with a large number of virus scanning and personal firewall solutions
* Automatic protection from infected file uploads or email attachments
* Automatic re-routing of infected or non-compliant systems to a self-remediation network – reducing IT help desk calls
* A secure workspace, preventing eavesdropping and theft of sensitive data

The bottom line is that as more and more people work at home or on the road using an increasing number of different access devices, a strong SSL VPN system with comprehensive endpoint security features is no longer a luxury for a business; it has become an absolute necessity.

The author is Director, Product Management, F5 Networks. He can be reached at a.dhillon@f5.com