Caution urged on endpoint VPN security

Companies consider it important to check whether or not remote computers meet corporate security profiles before they gain VPN access, but endpoint checking cannot address all the problems the machines might cause.

Because endpoint security can prevent infected machines from spreading malicious code to corporate networks via VPN connections, it has become a standard offering of the most remote-access VPN vendors, including Aventail, Check Point, Cisco, Citrix, F5 Networks, Juniper and Nortel.

But the technology also has inherent shortcomings. It cannot guarantee that a particular computer will be free of infection when it joins the network. For instance, a key area for endpoint software is to check for antivirus software, and it relies on periodic updates of signature libraries to be effective.

It takes a certain amount of time for antivirus vendors to discover viruses, identify signatures for them and update their signature libraries. During that interval, the virus could infect a machine that is running the latest version of corporateprescribed antivirus software. The endpoint check would find the computer in compliance with security requirements and admit it to the network, where it could introduce the virus.

"The problem with endpoint security is that in concept it's a great idea," says Zeus Kerravala, an analyst with the Yankee Group, "but in practice it has problems."


At the recent Black Hat Security Conference, this type of endpoint security was called a shortcoming at a controversial session that poked holes in network access control (NAC) schemes. "It all breaks down to what is being checked, and is the information helpful or not?" says Ofir Arking, CTO of NAC vendor Insightix, who delivered the talk.

Much of the problem lies with how fast businesses can update the client software as new vulnerabilities, exploits and malware are discovered, he says. For example, when a flaw is found in an operating system that leaves it vulnerable to attacks, patches are issued, but in many cases are not installed immediately.

The time it takes to issue the patches and checking whether the patches break other applications on corporate computers delay installing them, Arkin says. The business also has to schedule time to install the patch and roll it out to all of the computers it maintains, further delaying when the operating system is made safe.

The business can update its endpoint-checking software to seek the patch as part of the security check it runs on endpoints. This process can take weeks or months, Arkin says.

Regardless of how quickly virus updates or patches are issued, new attacks cannot be prevented using endpoint checkers, Arkin says.

He points out that beyond the difficulties of keeping remote-machine software up-to-date, endpoint checking doesn't ensure unauthorized users are kept off the network or that sensitive information isn't transferred over VPN links.

Separately from the security concerns, endpoint checking can interfere with user productivity, Yankee Group's Kerravala says. Many endpoint security checkers can divert noncompliant machines to what is known as a remediation site, where the software needed -- including virus signature update, operating system patch or personal firewall -- can be downloaded. It sounds good on paper, but it has a major flaw. "It interrupts the workflow," he says.

He paints the scenario of a salesperson about to enter a meeting who tries to log on to the VPN to download the latest version of a presentation, only to be denied access because the operating system on the computer needs a patch. Even if the endpoint-checking software redirects the machine to a remediation site, the time it takes to download and install the patch is likely to delay seriously the delivery of the presentation.

This can keep VPN administrators from using endpoint checkers, Kerravala says. "The last thing you want to be is the thing that interrupts workflow," he says.

It is possible to issue one-time exemptions so users, such as the salesperson who needs the presentation, can reach the VPN without passing the endpoint check, he notes. But if the problem arises repeatedly and continues to block important work, the exemption can replace the rule. "It becomes the every-time exemption," he says.

Mitigating problems

Education of users to update their computers routinely can mitigate the problem, but enforcement becomes a problem. "Are you going to fire your top sales guy because his virus signatures aren't updated?" Kerravala asks.

Some security vendors check endpoints before allowing remote computers to join VPNs, and if a check determines that the machine cannot pass inspection it may be allowed limited access. Check Point's Integrity software performs this task and can, for example, let a guest computer that cannot be scanned access the Internet but not gain access to any other network resources.

Other vendors say their products keep track of what endpoints are up to and block them if they engage in malicious activity. Promisec, for example, makes software that requires no client software but blocks harmful processes on the network.

Cisco, as part of its Security Agent software, analyzes behavior to protect networks from malicious behavior by endpoints. This type of host intrusion prevention that looks for inappropriate activity rather than appropriate configuration is also offered by ForeScout Technologies, MetaInfo, Privacyware and Sana Security.

VPN protection using endpoint checking is most effective for the machines that are most likely to be trustworthy -- those owned by the corporation, says Joel Snyder, senior partner in technology consulting firm Opus One and a member of Network World's Clear Choice Alliance. That is because those owned devices can readily be equipped with endpointscanning agents.

But VPNs, particularly SSL VPNs, are frequently used to grant access to business partners that are unlikely to allow such scans, the devices that represent the biggest threat. "Endpoint security checks work only when you need them least," Snyder says.

Cisco, Juniper and Microsoft have NAC schemes that incorporate endpoint checking as part of a larger architecture that determines safety of devices and enforces whether they gain access. The downside is that these architectures could take another 18 months until the software and hardware needed to implement them are ready, Kerravala says.

The bottom line is that endpoint security as it exists in VPN products is inadequate to block all the potential threats a remote computer represents to a corporate network. But it does have value, especially if it is a cog in a larger effort to protect the network, Snyder says.

"Endpoint checking won't ultimately be in the VPN box," Snyder predicted earlier this year. "It will be in a NAC box. There will be just a thin layer of endpoint checking in the VPN gateway that punts off to policies that are defined on a different box."

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about AventailCheck Point Software TechnologiesCiscoEndPointsF5F5 NetworksForeScout TechnologiesGatewayHISInsightixJuniper NetworksMicrosoftNortelOpus OneSana SecurityVIAYankee Group

Show Comments