Tuesday, June 26, 2007

Do SSL VPN checks measure up to the rigors of NAC?

Network World

Network Access Control




Network World's Network Access Control Newsletter, 06/26/07


By Tim Greene

Many SSL VPN vendors assess the security of endpoints as part of their network-admission routine, but that doesn’t mean these assessments are equivalent to NAC.

The purposes of SSL VPN endpoint checking and NAC are similar: to evaluate the security posture of the device and impose an access policy based on that evaluation.

Most SSL VPN vendors that do this use downloadable software agents to do the work, supplemented by a permanent SSL VPN client for managed machines that need network-layer VPN access.

These agents gather data about the configuration of the device and forward it to a policy server that decides whether the device state warrants access, and if so, to what.

This roughly fits the description of NAC, but here are a few key NAC features that help determine whether SSL VPN checks measure up to the rigors of NAC.

* How is endpoint-check data sent? With NAC, methods range from 802.1X to piggybacking on other authentication schemes or using a captive portal that requires allowing the scan. SSL VPN vendors often lack this richness of options.

* Can the endpoint check gather data from third-party clients? NAC vendors actively seek alliances with other software vendors, such as patch-management purveyors, as a means for gathering key information about configuration and security posture.

* How many operating systems does the integrity checker support? This varies from vendor to vendor, but some have a wide range of support including agents for smart phones.

SSL VPN integrity checks may offer sufficient protection even if they don’t include all the elements that NAC does. In fact, the SSL admission control may be appropriate for remote access purposes. It all depends on the needs of the individual customer.

Since NAC is generally applied to LAN-connected devices, not remote access devices, NAC and SSL VPN integrity checks are separate. But it is valuable to compare and contrast what they do in order to devise flexible overall admission policies.



Contact the author:

Tim Greene is a senior editor at Network World, covering network access control, virtual private networking gear, remote access, WAN acceleration and aspects of VoIP technology. You can reach him at tgreene@nww.com.




Copyright Network World, Inc., 2007
