Why can’t SSL VPNs include NAC?
When it comes to network protection, popular wisdom has it that Secure Sockets Layer virtual private networks are the best of the current breed.
That’s why it’s alarming that most SSL VPNs can’t really protect the overall enterprise network from all kinds of infected computers.
The current buzzword is Network Access Control, or NAC. This is an entirely new branch of enterprise security that tries to finesse an awkward fact: SSL VPNs are really good at authenticating users, but when those users type on infected machines, the VPN has little control over what comes through the tunnel and offers a false sense of protection.
NAC is focused on what’s running on the endpoint, not just authenticating users. It’s a great idea, and it would be even better if NAC was built into SSL VPNs to begin with.
While some of the leading vendors such as Aventail (now part of Sonicwall), F5 and Juniper have rudimentary endpoint scanning routines included in their products, other SSL vendors could do a better job of marrying these two technologies.
Still, this isn’t enough to protect the entire corporate network from a virus-laden laptop that walks into the headquarters and doesn’t use the VPN at all. And laptops aren’t the sole issue.
What happens when more users begin to make use of smartphones and other PDAs that can carry malware and be another source of infection?
Leading vendors such as Aventail have Windows smartphone SSL clients, so that enterprise networks aren’t invaded by PDA viruses.
But not every vendor offers this kind of protection yet and some infection vectors aren’t covered, either: What happens when someone tries to compromise a network print server, for example?
Therein lies the dirty secret of endpoint security: If you want complete endpoint protection, you need to upgrade your network infrastructure. If you upgrade your infrastructure, chances are you’ll need to add software to each of your endpoints, too. It’s messy and far from ideal.
And while we’re complaining about VPNs, the most popular VPN client from Cisco can break so many other things on the average desktop that it’s often useless.
Why can’t Cisco write better VPN client software that can get along better with the standard suite of corporate applications?