Endpoint Compliance

On this page

Endpoint compliance feature

How the administrator configures endpoint control

What the end user/remote client experiences

How other VPN vendors currently try to solve endpoint compliance

Would you let a machine infected with the MyDoom or SoBig worm onto your LAN? When a remote access user creates a VPN tunnel into your private network, this is a very real possibility.

Enforcing endpoint compliance for remote access is an escalating concern within enterprises. Unlike a LAN environment, in which desktops are centrally managed, remote users decide which applications are installed and how access occurs on their machines. This raises security issues because end users employ widely varying safeguards against viruses and other exploits.

Many IT managers would like the ability to configure minimum standards for remote machines connecting to their networks. These standards can cover a variety of software packages that work together to establish a trustworthy level of compliance. The Celestix RAS3000 delivers this capability by temporarily quarantining users before they are granted access to the LAN. Once the remote machine's configuration has been verified, the client is given normal access to network resources.

Figure: The endpoint control allows administrators to create and enforce compliance standards for their local area networks.


Celestix RAS3000 Endpoint Compliance Feature

With the RAS3000, a network administrator can perform any combination of the following:

  • Define trusted OSes/versions - Ensure that an acceptable operating system and service pack are running on the remote client.

  • Require current patches - Verify that the latest patches/hotfixes for the OS/SP are installed on the remote client.

  • Mandate anti-virus protection - Validate that a current version of anti-virus software (McAfee, Norton) is in use. This includes checking the engine version, the virus signature file, and that the primary service is running.

  • Establish personal firewall requirements - Ensure that personal firewall software (McAfee, Norton, Microsoft, Sygate) is installed and running.

  • Ensure domain association - Verify that the remote machine has previously joined the appropriate domain.

  • Define customized validations - Check that administrator-defined registry entries and services are present.

  • Direct non-compliant users to another location - If any of the required software or updates are missing, end users can be redirected to an endpoint compliance location where the software can be downloaded and installed.

By setting minimum client requirements for remote access and wireless connectivity, administrators can protect network resources from potential breaches. In short, an IT manager can bring remote clients much closer to the level of endpoint control already exercised over machines on the LAN. One caveat to keep in mind: the verification script runs on the remote machine and reports its own result. It raises the baseline against careless or out-of-date clients, but a user with administrative control of the client could alter the script or the data it inspects, so the check is a hygiene gate for the endpoint, not an authentication of it. The process by which a network administrator implements endpoint control with the RAS3000 is quite simple.


How the administrator configures endpoint control:

  • Designate a network share for quarantine and copy the endpoint compliance files to it. Quarantined users are limited to this share only, and the share is read-only, so a quarantined client cannot modify the script or the policy it is checked against.

  • Create a remote access policy on the RAS3000 appliance that places new connections in quarantine with access restricted to that share.

  • Edit the XML configuration file on the share to set the endpoint requirements (trusted OS versions, required patches, anti-virus and firewall products, domain, and custom registry and service checks).

  • Configure and distribute a connectoid (a thin client that configures the built-in Windows VPN functionality) that executes the included verification script on the endpoint machine. When run, the script reads the XML configuration file from the network share as its reference for accepted applications and configurations.



What the end user/remote client experiences:

  • The remote user installs the connectoid (usually about 500 KB) and then initiates a connection to the private network.

  • The connection is temporarily placed in quarantine.

  • The machine issuing the connection request is checked for endpoint compliance against the XML file defined by the administrator.

  • If the remote machine passes, it is released from quarantine and normal VPN access is granted. If it fails, the user is disconnected or redirected to the quarantined location to install the required updates.
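The administrator steps and the client-side flow above, modelled as an added example in Python. This is not Celestix's verification script or XML format, which the page does not document: the policy schema, the hotfix IDs, the `\\ras3000\quarantine` share, the registry path and the "Corp Agent" service are all constructed for illustration (`SharedAccess` is the real service name behind Windows Firewall/ICS). The machine inventory that a real script would gather from the registry and WMI is supplied here as an inline dictionary so the example runs offline; the checks themselves (trusted OS/SP, required hotfixes, anti-virus engine version, signature age and service state, an approved firewall, domain membership, custom registry and service checks) are the seven items from the feature list, followed by the release-or-redirect decision.

```python
import xml.etree.ElementTree as ET
from datetime import date

# Constructed policy in a hypothetical schema; the appliance's real XML layout is
# not documented on the page. KB IDs, hostname, registry path and "Corp Agent"
# are placeholders. "SharedAccess" is the actual Windows Firewall/ICS service.
POLICY_XML = r"""<policy remediation="\\ras3000\quarantine">
  <os name="Windows XP" min_sp="2"/>
  <os name="Windows 2000" min_sp="4"/>
  <hotfix id="KB000001"/>
  <hotfix id="KB000002"/>
  <antivirus max_signature_age_days="7">
    <vendor name="McAfee" min_engine="4.4.0"/>
    <vendor name="Norton" min_engine="9.0.0"/>
  </antivirus>
  <firewall name="Windows Firewall" service="SharedAccess"/>
  <domain name="CORP"/>
  <registry path="HKLM\SOFTWARE\Corp\Agent" name="Installed" value="1"/>
  <service name="Corp Agent"/>
</policy>
"""

TODAY = date(2007, 6, 1)  # fixed "now" so the signature-age check is deterministic

# Constructed inventories standing in for what the script reads off the client.
COMPLIANT_HOST = {
    "os": "Windows XP", "sp": 2,
    "hotfixes": {"KB000001", "KB000002"},
    "antivirus": {"vendor": "McAfee", "engine": "4.4.0",
                  "signature_date": date(2007, 5, 30), "running": True},
    "running_services": {"SharedAccess", "Corp Agent"},
    "domain": "corp",
    "registry": {(r"HKLM\SOFTWARE\Corp\Agent", "Installed"): "1"},
}
STALE_HOST = {  # same machine: one hotfix short, month-old signatures, firewall stopped
    **COMPLIANT_HOST,
    "hotfixes": {"KB000001"},
    "antivirus": {**COMPLIANT_HOST["antivirus"], "signature_date": date(2007, 5, 1)},
    "running_services": {"Corp Agent"},
}


def version_tuple(text):
    """'4.10.0' -> (4, 10, 0): compare numerically, since as strings '4.9' > '4.10'."""
    return tuple(int(p) for p in text.split("."))


def evaluate(policy_xml, inv, today):
    """Check inventory `inv` against the policy; return every failure, not just the first."""
    pol = ET.fromstring(policy_xml)
    failures = []
    fail = failures.append

    # Trusted OS/SP: the OS must be listed and at or above its minimum service pack.
    min_sp = {o.get("name"): int(o.get("min_sp")) for o in pol.iter("os")}.get(inv["os"])
    if min_sp is None or inv["sp"] < min_sp:
        fail(f"os: {inv['os']} SP{inv['sp']} is not trusted")

    # Current patches: every listed hotfix must be installed.
    for hf in pol.iter("hotfix"):
        if hf.get("id") not in inv["hotfixes"]:
            fail(f"hotfix: {hf.get('id')} missing")

    # Anti-virus: approved product, engine version, signature age, service state.
    av_pol, av = pol.find("antivirus"), inv["antivirus"]
    rule = next((r for r in av_pol.iter("vendor") if av and r.get("name") == av["vendor"]), None)
    if rule is None:
        fail("antivirus: no approved product installed")
    else:
        if version_tuple(av["engine"]) < version_tuple(rule.get("min_engine")):
            fail(f"antivirus: engine {av['engine']} older than {rule.get('min_engine')}")
        age = (today - av["signature_date"]).days
        if age > int(av_pol.get("max_signature_age_days")):
            fail(f"antivirus: signatures are {age} days old")
        if not av["running"]:
            fail("antivirus: service not running")

    # Personal firewall: at least one approved firewall service must be running.
    if not any(f.get("service") in inv["running_services"] for f in pol.iter("firewall")):
        fail("firewall: no approved personal firewall running")

    # Domain association (domain names compare case-insensitively).
    if inv["domain"].lower() != pol.find("domain").get("name").lower():
        fail(f"domain: machine is joined to {inv['domain']!r}")

    # Custom validations: expected registry values and running services.
    for r in pol.iter("registry"):
        if inv["registry"].get((r.get("path"), r.get("name"))) != r.get("value"):
            fail(f"registry: {r.get('path')}\\{r.get('name')} != {r.get('value')}")
    for s in pol.iter("service"):
        if s.get("name") not in inv["running_services"]:
            fail(f"service: {s.get('name')} not running")
    return failures


def decide(failures, policy_xml):
    """Quarantine outcome: release to the LAN, or redirect to the remediation share."""
    if not failures:
        return ("release", None)
    return ("redirect", ET.fromstring(policy_xml).get("remediation"))


if __name__ == "__main__":
    for name, host in (("compliant", COMPLIANT_HOST), ("stale", STALE_HOST)):
        f = evaluate(POLICY_XML, host, TODAY)
        print(name, decide(f, POLICY_XML), f)
```

Two design choices worth copying into a real script: collect every failure rather than stopping at the first, so the remediation page can tell the user everything that needs fixing in one pass, and compare product versions as integer tuples, because a string comparison would rank engine 4.9 above 4.10. Because all of this runs on the client, the server should still treat the result as a self-report from the endpoint rather than as proof.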


How other VPN vendors currently try to solve endpoint compliance:

To date, VPN vendors have typically integrated their proprietary VPN client with a third-party vendor's software (anti-virus, personal firewall, etc.). The resulting client bundles the VPN client with two or more pieces of additional security software. Several problems result from this approach:

  • The VPN client is very large. An administrator may have difficulty distributing it through normal channels (e.g. email or floppy disk) and must often configure clients by hand or create and distribute a CD to end users.

    The RAS3000 generates a connectoid that configures the built-in Microsoft Windows VPN client, and the endpoint compliance script verifies that the required security software already exists. These are effectively thin clients that configure or verify existing software, so the resulting connectoid file is small.

  • Enterprises are forced to use the third-party vendor for remote access verification. IT managers often put security software vendors through rigorous testing before deployment, and the bundled product may also render licensing for already-deployed security software moot.

    RAS3000 administrators can choose from a variety of vendors to support.

  • An upgrade to either the VPN client or the bundled security software forces the administrator to repeat the distribution process.

    With the RAS3000 solution, client redeployment is unnecessary because the Windows OS handles VPN client upgrades itself. Additional security software can be updated or changed by the end user as long as the administrator allows the new or modified software.

  • End users may already have security software on their remote clients. Introducing new security software often causes conflicts or TCP/IP stack instability.

    The RAS3000 solution adds no security software, and the native Windows VPN client integrates well with the Windows TCP/IP stack.

  • Additional per-client licensing fees often apply (to cover licensing costs for the third-party vendor).

    There are no additional costs for RAS3000 endpoint compliance.

  • The VPN client and the security software each support their own platforms. Combining these components narrows the range of client platforms supported.

    RAS3000 endpoint compliance supports a wide range of client platforms, including Tablet PC, Windows 2000, Windows XP, and Windows Server 2003.


©2007. Celestix Networks, Inc. All Rights Reserved.