Archive for the 'Endpoint Management' Category

22 Sep 09

Pat the Device Down

Read an interesting article on InfoWorld earlier this week about the iPhone falsely reporting VPN policies and encryption support.  While the iPhone has been updated and fixed, miscommunication with Exchange VPN servers brings up a larger question—should the server do more than just query the device client and should the enterprise VPN take on a NAC function through a device ‘pat down’?

Allowing for a full ‘pat-down’ before allowing a VPN connection, the NCP Secure Enterprise Management System looks at the actual individual device rather than a standard set of queries. NCP’s ‘pat-down’ checks and makes certain that security software is up-to-date, the right form of encryption is being used, firewall settings are enabled, and the machine is compliant with pre-set network policy enforcement parameters. By running this pat-down, the administrator will be reassured that employees’ devices are compliant, and those who aren’t are alerted to take the necessary steps to reach compliance. Without an endpoint device ‘pat-down’, enterprise remote access can be compromised, just as the InfoWorld article illustrates.

For more information on this issue, check out a recent article published in Processor or visit http://www.ncp-e.com/en/solutions.html.

04 Aug 09

Do you have a King Kong VPN client?

Can your 64-bit VPN client meet the enterprise challenge? Take King Kong – a single person brought him to the base of the Enterprise State Building but it was his inherent strength and stability that allowed him to conquer. Apes are not our passion; scalable VPN clients drive us.

We know about Cisco moving to SSL and Microsoft pushing IPSec through Windows 7 and their server. 64-bit VPN users were being left out in the cold until NCP and a few freeware alternatives came along.

The connection to the King of Apes? Ability to take on tough challenges (read: scale the enterprise). Central policy control, NAC enforcement, change management and technical support are what drive an enterprise VPN client choice. 64-bit systems are here to stay and companies need VPN (and vendor) support that can conquer the tough enterprise problems.

01 May 09

Interview with Peter Soell

NCP’s CEO Peter Soell recently sat down for an interview about the company, technology, and trends in the endpoint security industry… here are some highlights:

How have the requirements and competition in the remote access market changed over the past years?
Remote access has always been about universal, highly secure access on central databases and resources. It doesn’t matter if the teleworker is at home, en route by train or car, in a hotel or with a customer, in a company branch or at a hotspot etc.

Two VPN technologies are available these days for the required security: IPSec (Internet Protocol Security) and SSL (Secure Socket Layer).
I really do not want to enter the marketing lead debate about “SSL versus IPSec”.

Specialists and experts agree: Both SSL as well as IPSec VPNs have their validity. IPSec was and still is renowned for being the most secure process for external company communication in unsecured public networks and is therefore a constant when it comes to connecting employees to the central data network.

SSL tunnelling technology is used in all other cases where it is either not possible or not desired to install a VPN Client onto the terminal.
And of course there are suppliers for both: IPSec solutions and SSL solutions.
NCP, as a supplier of universal VPN solutions, is one of the few manufacturers worldwide who supports both IPSec as well as SSL as tunnelling protocol.

What should IT decision makers look out for when planning and designing a virtual private network?
The starting point for an implementation of a VPN is the reorganization of business and decision making processes as well as the associated decentralization of work processes. It is important from a technical point of view to integrate the mobile and stationary teleworking station as full members into the corporate network. A further important requirement for a VPN is the implementation and enforcement of an enterprise-wide security policy.

An investment decision must not exclusively be guided by the current requirements. It has to be ensured that the VPN solution is also future proof due to the ever faster technological developments, for example regarding transmitting and security technology but also with regards to new operating systems. This includes flexibility, modularity and scalability. New technologies have to be implemented promptly. This is, amongst others, an important argument for VPN software based on standard operating systems.

By the way, NCP offers a checklist for this topic, which can be downloaded free of charge from our website.

What is the precise contribution of an NCP “secure communications solution” for the economical operation of a VPN?
NCP “secure communications” offers, as a pure software solution, all the advantages for the demand-oriented upgrade of a VPN and is also always “state-of-the-art” with regards to the current market requirements.

There are many opinions and theories regarding “efficiency of a VPN investment”. This can be qualified if you not only look at the security aspects but also the “internal qualities” of a VPN solution. I think especially of the aspects like “easy to use” and “single point of administration”. It is about keeping costs for communication as low as possible by coordinated features of all VPN components, drastically reducing the costs for training, instructions as well as support and to protect already made IT investment.

When we say “easy-to-use”, then we mean an intuitive user interface both for the end user as well as the administrators. A “one-click-solution” is ideal for connection establishment as well as management.

The efficiency is decisively influenced by the central VPN management. Integrated automatisms for rollout, software updates, license administration, and data transfer from existing systems, an efficient change and security management as well as easy monitoring, guarantee the necessary network transparency and low operating costs. All features combined also have an effect on a fast return on investment.
The integrated budget manager in the VPN client, the consequent implementation of protocol and interface standards for a high degree of compatibility with external systems as well as the virtualization of central server components are further cost-relevant characteristics of the NCP solution.

The NCP secure communication solution helps companies to fully utilize the economic potential which is expected from an implementation of a Virtual Private Network into the company’s communication.

23 Apr 09

On the ground at RSA 2009

We’ve had some great conversations so far at this year’s RSA Conference. While attendance at the show is down (as has been widely discussed across the web), foot traffic in our area has seen a large increase. Stoppers-by have been equally interested in discussing both the client and management sides of endpoint security.

In the past three days we’ve enjoyed briefings with Frost & Sullivan, Redmond Magazine, Burton Group, IDC, FactPoint Group, 451 Group and Infosecurity Magazine. Looking forward to sharing reflections from each of these conversations in the coming weeks.

06 Mar 09

Managing a VPN connection? Pat it down!

Had an opportunity to speak today with Rene Poot at NCP about how endpoint security “pat-downs” work, using NCP’s Secure Enterprise client, gateway, and management system. This is slightly different from the process employed by other vendors, and quite different from the way an SSL VPN operates…

First, a network administrator creates a policy that stipulates which criteria the connecting client must comply with before being permitted a VPN connection. The criteria may include:

  • Which operating system versions are being used?
  • Which service packs, patches, hot-fixes, etc. are installed?
  • Which anti-virus scanner is installed? When was it last run, and what were the results?

This “pat-down” is done during the VPN connection negotiations, and is applied to the connection thereafter. If a machine complies with policy, it is allowed a “full connection” (as specified by the admin); if the connecting client does not comply, the VPN gateway will still allow a connection to be established, but the traffic will be “shunted” off to another section of the network, where the user can pick up what they require (patches, upgrades, etc.) to comply with the set policies.

By running this pat-down, the administrator can still enforce policy on incoming connections. Users that comply with policy enjoy a fully transparent connection to the network’s resources, and users that do not comply are able to take the necessary steps to reach compliance.
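The policy decision described above, sketched as an added example (not NCP's code or data format): a gateway-side check that maps a client's posture report to a full or quarantine connection. The policy fields, report layout, patch names and product name are all hypothetical.

```python
from datetime import datetime, timedelta

# Hypothetical policy an administrator might define; every value is constructed.
POLICY = {
    "min_os_version": {"windows": (6, 0, 6001)},
    "required_patches": {"KB-EXAMPLE-1", "KB-EXAMPLE-2"},
    "approved_av": {"ExampleAV"},
    "max_scan_age": timedelta(days=7),
}

def evaluate(report, policy=POLICY, now=None):
    """Return (zone, failures). Zone is 'full' only when every check passes.

    The report is client-supplied, so a missing or malformed field is
    treated as a failed check rather than silently accepted.
    """
    now = now or datetime.now()
    failures = []

    # Operating system version: unknown OS or unparseable version fails.
    minimum = policy["min_os_version"].get(report.get("os"))
    version = report.get("os_version")
    if minimum is None or not isinstance(version, tuple) or version < minimum:
        failures.append("os_version")

    # Service packs, patches, hot-fixes: list what is missing.
    missing = policy["required_patches"] - set(report.get("patches") or ())
    if missing:
        failures.append("patches:" + ",".join(sorted(missing)))

    # Anti-virus: which product, when it last ran, and what it found.
    av = report.get("antivirus") or {}
    last = av.get("last_scan")
    if av.get("name") not in policy["approved_av"]:
        failures.append("av_product")
    if (not isinstance(last, datetime) or last > now
            or now - last > policy["max_scan_age"]):
        failures.append("av_scan_age")
    if av.get("last_result") != "clean":
        failures.append("av_result")

    # Non-compliant clients still connect, but only to the remediation segment.
    return ("full" if not failures else "quarantine", failures)
```

The failure list is what a gateway would pass back to the user so they know which patches or scans to pick up from the quarantine segment.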

IPsec VPNs generally offer a full-fledged ‘LAN emulation’ connection, something a power user will find very nice to use. However, there are instances where administrators will want to restrict what kind of traffic is permitted through the tunnel, and this can be done using firewall rules (enforced by the Administrator on all the traffic) and the Endpoint Security Enforcement outlined above. This gives the administrator very fine-grained control over what traffic passes through the tunnel into the internal networks.