What's on the PC, Mac?

By Joel Snyder
Network World, December 19, 2005


Don't look to your SSL VPN for too much help with end-point security issues.

The fast-spreading plague of Internet-based viruses, worms and Trojan horses has turned the Internet into the technological equivalent of a ghetto filled with crack houses. To protect their networks, security specialists have turned their gaze toward end-point security strategies that promise to check the security posture of the client machine before it connects to the network.

In the LAN arena, everyone from Cisco to Microsoft has come up with an end-point security architecture. Because SSL VPNs bring remote users into the network, end-point security strategies have crept into SSL VPN products. If anything, the argument is stronger: A remote access user is more likely to be in unfriendly or uncontrolled network environments, and thus, in greater need of evaluation.

SSL VPNs offer their own innate protection against viruses and malware. When an SSL VPN is used as a Web proxy, the gateway terminates the client's session and relays only application-layer requests, so the end user never gets a routed path into the internal network and the most vicious threats, network-propagating worms in particular, have nothing to reach. This turns out to be a very good thing, because our testing showed that end-point security in SSL VPNs is so poorly designed and implemented that it will only work in certain constrained cases. If there's a train wreck of a technology in this product niche, end-point security is it.

End-point security technology can be delivered in several ways. Several vendors, including AEP and Array, lean entirely on a third party, Sygate (now owned by Symantec), to provide a centralized model for security scanning. The theory is that if you have Sygate for some other purpose (such as a personal firewall), then you can integrate cleanly with an existing system.

Other SSL VPN vendors, such as Aventail, integrate with several third-party tools, giving you a choice based on your corporate standard.

The final delivery option for vendors is to grow their own. Vendors put together their own technology, often in combination with some OEM product, such as the Opswat software development kit. Aventail, Caymas, Check Point, F5, Fortinet, Juniper, Nokia and Nortel all build their own end-point security software to varying degrees.

Sometimes end-point security is delivered as part of the product; other times, it's an add-on at extra cost.

For this test, we defined end-point security in two parts: integrity checking, that is, seeing whether the connecting system meets security requirements; and protective services, such as cache cleaners and virtual desktops. Based on our security policy, we focused on the integrity checking aspects.

Our test mandated two simple requirements: Windows PCs needed a current anti-virus product loaded and running, and our security policy should vary based on that first requirement. For example, if a user's machine had current anti-virus, that user could get to most Web services, but if it didn't, we'd only grant access to specific directories on certain Web servers.

We might as well have asked for a trip to the moon, because not a single product made it all the way through our testing without a significant failure. Some couldn't detect our corporate anti-virus, Sophos. Others locked up systems, blocked access inappropriately or came back with wrong answers. Only a few let us describe a policy that we wanted.

Two vendors stood out for having different approaches. SonicWall's SSL-VPN 2000 sidestepped the whole issue by not having any end-point security checking.

With Fortinet's Fortigate-3600, end-point security checking is tied to its network-extension client, so you can apply end-point policy only to sessions that use that client; Web proxy and port-forwarding sessions are not checked. Fortinet's approach is not as strange as it sounds. The thinking is that a client that is only browsing Web sites through the proxy or running Terminal Services or Citrix clients never gets a routed path into the network, so its posture matters far less than that of a client holding a network-extension address. Fortinet complements this approach with a strong suite of protective services on the gateway, including its own anti-virus and intrusion-prevention engine. Of course, you can have both strong end-point security checking and on-device protective services: Check Point's Connectra offers application-layer threat detection, and F5's Firepass has anti-virus and limited threat detection.

To understand the mess of end-point security, you must break the problem down into pieces, starting with policy definition. All products start by describing policy: what it is that you want the end-point security scanner to check for. In the best case, you want to run the end-point security check before the logon process, because you want to look for malware such as keystroke loggers before the user types a password that the malware could capture. AEP, Array, Aventail, Check Point, F5, Juniper and Nokia all offer that option.

Typical elements of your end-point security policy might include checks for operating system, anti-virus and personal firewall status, or the presence of a specific file, registry key or running process. We didn't want all that. We just wanted to be sure that a Windows anti-virus was running and current - a simple enough test. Of all the products tested, only those from Aventail, F5, Juniper and Nokia gave us any support for non-Windows platforms by being willing to scan our test Macintosh laptop.

Even within the Windows world, products from Aventail, Caymas, Fortinet, Nokia and Nortel had no template (the vendor-supplied definition of how to detect a given product and read its status) for Sophos anti-virus. AEP's Netilla Security Platform and Fortinet's Fortigate-3600 couldn't detect our anti-virus even when running as Administrator on XP. Many other products (AEP, Array, Caymas, Check Point, F5, Fortinet, Juniper and Nortel) couldn't detect our anti-virus when running as a non-privileged user on XP, which is the configuration a well-managed corporate desktop is supposed to use. And some products - from Aventail, Caymas, Nokia and Nortel - could say that we had Sophos, but had no idea whether the virus signatures were up to date. Add in the products - Array and Aventail - that in some test scenarios outright blocked access because the security scanner couldn't run in Firefox, and you might be wondering why anyone would want this end-point security scanner stuff.
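To make the distinctions in the preceding paragraphs concrete, here is an added example (not code from any product in this review) of a gateway-side policy evaluator for the test policy described earlier: Windows clients need a current, running anti-virus, and access varies with the answer. The posture-report fields, the per-platform template list, the seven-day signature window and the "web_proxy" versus "network_extension" tiers are all assumptions made for the example. What it demonstrates is that a scanner that could not look (did not run under Firefox, lacked privileges as a non-administrator, has no template for the product, cannot read the signature date) must produce a result distinct from "no anti-virus", and that the policy should fail closed on both.

```python
"""Gateway-side posture evaluator for the test policy: added example, not vendor code."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple


# Constructed posture report, in the shape a browser-delivered scanner might
# hand back to the gateway. The field names are this example's own.
@dataclass
class PostureReport:
    os_family: str                          # "windows", "macos", "palmos", ...
    scanner_ran: bool                       # False when the scanner could not execute at all
    av_product: Optional[str] = None        # product the scanner recognised, or None
    av_running: Optional[bool] = None       # None = could not determine (e.g. non-privileged user)
    sig_date: Optional[datetime] = None     # last signature update, None if unreadable


# Assumed detection templates per platform. A product missing here is "no template",
# which is not the same finding as "no anti-virus".
KNOWN_AV = {
    "windows": {"sophos", "symantec", "mcafee"},
    "macos": {"sophos"},
}
MAX_SIG_AGE = timedelta(days=7)   # assumed freshness window for signatures
NOW = datetime(2005, 12, 19)      # fixed clock so the example is reproducible
DAY = timedelta(days=1)


def av_status(report: PostureReport, now: datetime = NOW) -> str:
    """Classify anti-virus posture as 'current', 'stale', 'absent' or 'unknown'.

    'unknown' is kept separate from 'absent': a scanner that could not look
    must never be reported as a machine that has no anti-virus.
    """
    if not report.scanner_ran:
        return "unknown"                       # e.g. scanner would not run in Firefox
    templates = KNOWN_AV.get(report.os_family)
    if templates is None:
        return "unknown"                       # platform the scanner cannot assess
    if report.av_product is None:
        return "absent"
    if report.av_product.lower() not in templates:
        return "unknown"                       # product seen, but no template to query it
    if report.av_running is None:
        return "unknown"                       # typical result for a non-privileged user
    if not report.av_running:
        return "absent"                        # installed but not loaded; policy wants it running
    if report.sig_date is None:
        return "unknown"                       # "we have Sophos" but no idea if it is current
    if now - report.sig_date > MAX_SIG_AGE:
        return "stale"
    return "current"


def access_tier(report: PostureReport, mode: str, now: datetime = NOW) -> Tuple[str, str]:
    """Map posture and access mode to ('full' | 'restricted' | 'deny', reason).

    'web_proxy': the gateway relays application requests and the client never
    gets a routed path inside, so a failed or inconclusive check degrades to the
    restricted directories. 'network_extension': the client gets an address on
    the LAN, so anything short of a confirmed current anti-virus is refused.
    """
    status = av_status(report, now)
    if status == "current":
        return "full", "current anti-virus confirmed"
    reason = f"anti-virus status is {status}"   # keeps 'absent' and 'unknown' distinguishable
    if mode == "web_proxy":
        return "restricted", reason
    if mode == "network_extension":
        return "deny", reason
    raise ValueError(f"unsupported access mode: {mode}")


if __name__ == "__main__":
    # Constructed reports covering the failure modes seen in the review.
    samples = {
        "managed XP, Sophos current":       PostureReport("windows", True, "Sophos", True, NOW - DAY),
        "XP non-admin, state unreadable":   PostureReport("windows", True, "Sophos", None),
        "XP, Sophos present, sigs 30d old": PostureReport("windows", True, "Sophos", True, NOW - 30 * DAY),
        "XP, no anti-virus at all":         PostureReport("windows", True, None),
        "Firefox, scanner did not run":     PostureReport("windows", False),
        "Treo, PalmOS":                     PostureReport("palmos", True),
    }
    for label, rep in samples.items():
        for mode in ("web_proxy", "network_extension"):
            print(f"{label:34} {mode:18} -> {access_tier(rep, mode)}")
```

Run it directly to print the decisions for the constructed reports. The routed network-extension tier refuses everything but a confirmed current anti-virus, mirroring the argument for tying the check to that client, while the proxied tier degrades to the restricted directories instead; in both tiers the reason string preserves whether the scanner found nothing or simply could not check, which is what the help desk needs to know.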

Nokia also deserves a special censure for its end-point security system, because it offers two with different policies and completely different capabilities. One is used for network-extension scenarios, while the other handles all other uses, such as Web proxy and port forwarding.

Aventail offers the choice of three, third-party tools in addition to its own native capabilities. We tested only Aventail's own product.

There were some bright spots in what is otherwise a dismal part of these products. F5's GUI for developing end-point security policy is brilliantly conceived. With a simple flow chart (rendered in a Web browser), you can easily see what you're looking for and what is going to happen if it succeeds. That well-done GUI alone might inspire you to want to use end-point security, but be careful: F5's checker nearly blocked access to Windows Firefox users, failed to properly detect Sophos running in Windows and misdetected our Treo (running PalmOS) as a Windows system.

Our test results show that end-point security is a feature to be used with extreme care in the world of SSL VPN. If your goal is to verify that company-owned and company-managed PCs running Windows and Internet Explorer are up-to-date and in compliance with your policy, many of the products we tested would work and have a great deal of flexibility.

However, you can't reliably offer services to an unpredictable mix of these tightly controlled corporate assets combined with the random run-of-the-mill Windows or Mac laptops, PDAs or mobile phones.