VPN popularity is still on the rise, largely because of the stability, reliability, interoperability, and manageability IPSec brings to VPNs. The cost benefits of using the public infrastructure for communication are hard to beat, and the flexibility VPNs give employees helps improve their productivity.
The focus for remote-access VPN installations has moved from the VPN gateway to the client side, where authentication issues and always-on Internet connections make internal corporate networks susceptible to attacks through employees' remote connections.
Addressing this security issue, VPN client software developer SafeNet Inc. (formerly IRE) has added significant improvements to its leading product, Soft-PK, newly renamed SoftRemote.
We reviewed Soft-PK almost a year ago, and much of its core functionality has not changed (see "SafeNet/Soft-PK solidly safeguard nets"). The major additions in SoftRemote include broader support for authentication mechanisms and the inclusion of Zone Alarm, a personal firewall, with the VPN client.
The VPN client has two main components: the Security Policy Editor and the Certificate Manager. With Security Policy Editor, administrators can secure all communications on all interfaces, allowing them to configure multiple VPN tunnels on one client. The Certificate Manager handles digital certificates that are used for authentication to the VPN. It keeps the various certificates that connect several tunnels all in one place.
With SoftRemote, administrators also can create custom installations, with the appropriate security policy already enabled to distribute to end-users. This will save administrators time in distributing the clients and make it easier for end-users to install the VPN software on their own.
Authenticating end-users when creating a VPN tunnel is an ongoing problem. The Internet Engineering Task Force is developing several standards, such as Xauth (Extended Authentication) and CRACK (Challenge/Response Authentication of Cryptographic Keys), to address this issue. Meanwhile, digital certificates are commonly used to provide stronger authentication than the preshared key identified in the IPSec standard. To that end, SoftRemote now supports Microsoft CryptoAPI smart cards, which can be used to store digital certificates and other authentication information. It also supports the Schlumberger smart card integration kit.
Bundling the Zone Alarm personal firewall helps make SoftRemote a complete VPN client solution, similar to CheckPoint's SecureClient. SoftRemote works closely with Zone Alarm, even allowing administrators to require that the firewall be enabled before a VPN connection can be established.
Although this is a great feature, we could not see how an administrator could lock the feature and keep the user from disabling the firewall; adding this functionality would greatly increase the security and control the company has over the remote-access configuration. If it's not locked, end-users could disable the firewall and leave the internal corporate network vulnerable to attack, not to mention encouraging a false sense of security on the administrator's part.
In addition, administrators can automatically add secure connection destinations to Zone Alarm's Local Zone, directing the firewall to treat these remote locations the same as other addresses in its Local Zone. The Local Zone defines trusted computers, and systems in the Local Zone can easily connect via the Internet with other computers in the Local Zone. Grouping trusted computers together in one zone keeps all the unwanted elements of the Internet out. With this feature enabled, users will not always be prompted when they request a connection with the remote VPN gateway. To Zone Alarm, the remote VPN gateway in the Local Zone is a trusted system, so the connection is made easily.
On the downside, SoftRemote does not offer remote policy management. Once the client is configured and distributed to end-users, the administrator has no control over the VPN policy configuration. End-users are able to change the VPN policy, disable the firewall, or create new VPN policies for other networks, and the company and the VPN's administrator won't ever know.
SoftRemote makes great strides in providing the tools to help a company better secure remote-access VPN connections and still provides the best VPN client on the market. But its lack of centralized client administration is troublesome enough to limit SoftRemote to a Consider rating. Administrators are beginning to demand this feature in their VPN solutions because the number of users and tunnels they manage is growing too quickly to be manageable without it.
Contributing writer Mandy Andress (firstname.lastname@example.org) is president of ArcSec Technologies.
THE BOTTOM LINE: CONSIDER
Business Case: VPNs are becoming the remote-access method of choice because of the cost savings they can provide, but end-user security, especially for those using always-on Internet connections, is too often overlooked. SoftRemote counters this trend with the integration of the Zone Alarm personal firewall, providing remote access and user security in one package.
Technology Case: Although bundling Zone Alarm helps provide increased security on the end-user machine, the lack of centralized management and policy enforcement leaves administrators blind once the VPN client is in the hands of the end-user.
-- Easy to install.
-- Includes personal firewall.
-- No centralized management capabilities
Cost: $79 per seat for 50 users
Platform(s): Windows 95/98/2000 and Windows NT.
Company: SafeNet Inc., www.safenet-inc.com.