SSL gear makers prep mgmt., security updates

Now that Secure Sockets Layer (SSL) remote access is gaining acceptance among business networking executives, vendors of the gear are in the thick of adding peripheral features to make management simpler and to beef up security.

This week, three of the vendors – Aventail Corp., F5 Networks Inc. and Netilla Networks Inc. – are announcing capabilities that range from ensuring the integrity of remote machines to cleaning up caches on remote machines when a remote session ends.

Aventail is issuing version 7.0 of its ASAP software that runs on the company’s EX 1500 gateway appliances, adding a feature that lets customers tie two of the devices together. If one fails, the other takes over, rebuilding lost sessions – in most cases without any action required by the end user, Aventail says.

This feature is accompanied by a new hardware platform for the appliance that includes a third Ethernet port for cabling one EX 1500 to another. Aventail will add a new port to old boxes as part of maintenance contracts. A new box starts at US$1,400, and when customers buy two for redundancy, the second one is 40 per cent off, Aventail says.

This feature will be implemented by Adaptis Health, a health care provider in Seattle that has been using Aventail equipment for nine months to give clinics access to a medical application and give employees access to the company intranet.

With the new back-up capability, Adaptis will phase out use of a Point-to-Point Tunneling Protocol (PPTP) virtual private network (VPN) that uses Microsoft Corp. clients and servers in favour of the Aventail gear. While the PPTP VPN has never crashed, it represents a possible point of failure. “We’ve been lucky,” says Michael Fahey, director of information services for Adaptis.

Aventail’s management platform now provides an authentication feature to create what it calls authentication “realms,” policies defining how users are authenticated to the EX 1500. One realm might be defined as using a SecurID token in combination with a RADIUS server, for instance, and that policy can be applied to users or user groups. Once a realm has been defined it can be assigned to users via a pull-down list.

The platform also has a user interface for customizing the page users see when they have logged in to the Aventail appliance. Factors such as color, logo and text can be altered quickly via the new interface.

Aventail is supplying management tools to simplify configuration of its appliance to handle Outlook Web Access and Lotus iNotes. The tool provides default settings for the applications based on the settings customers predominantly choose. This reduces configuration time for many users, Aventail says. It says it has plans for similar templates for other applications.

Meanwhile, F5 SSL gear can now check whether remote computers are running appropriate security software before allowing them to access corporate servers, following the lead of other SSL remote access vendors.

With version 4.0 of its FirePass Controller software, the company can check that personal firewalls and antivirus software are operating on computers that attempt to connect over the Internet to corporate networks via FirePass appliances. The software also guards against inappropriate processes on the remote machines.

The gear does this by recognizing a company-issued laptop by a certificate issued to the machine and then probing to see whether, for example, the machine has a personal firewall operating. If the remote machine lacks such a certificate, it can be granted more restricted access.

If a remote machine lacks such a certificate, FirePass Controller can purge caches or temporary files stored on it during the secure session. This is to prevent subsequent users from accessing sensitive data if the machine is publicly accessible, such as an Internet kiosk machine.

These features are important to Marquette General Health, a health care provider in Marquette, Mich., that uses the F5 FirePass equipment. Marquette bought the gear from Uroam, which was later bought by F5. With its current version, Marquette has no way to tell whether remote users have firewalls or antivirus software on their machines without asking them, says Greg Gagnon, of the Marquette IT staff.

FirePass also supports cache cleanup, which wipes out caches and temporary files created during sessions so if the sessions originated from public machines, subsequent users cannot access them. This is important with remote access to health information in light of restrictions set down by the U.S. federal Health Insurance Portability and Accountability Act (HIPAA). “We don’t want any residue left on these machines,” he says.

The software will also enable authentication via Active Directory, making it unnecessary to create a separate directory just for FirePass, he says.

Netilla is teaming up with Sygate Technologies Inc., WholeSecurity Inc. and Zone Labs Inc. to integrate their firewall and antivirus software with Netilla Security Platform. The platform will be able to tell whether remote machines are running the software and go one step further to determine whether it is the correct version and whether it is configured properly.

Other vendors have already incorporated some of these features. For instance, Neoteris’ Host Checker Agent 2.0 checks for software compliance and monitors the executable processes running on a target machine to ensure they are not malicious. The agent can shut down a session if it detects something out of the ordinary.

Neoteris, which is being bought by NetScreen, also has Cache Cleaner Agent, which cleans out temporary files and cookies stored on a browser.

To help prevent this type of security breach, Whale’s e-Gap Remote Access Advanced Edition offers a feature called Attachment Wiper that purges any documents that may have been downloaded during a session with an e-Gap appliance. That includes cookies, completions of forms that may include data such as credit-card numbers and the history of the session.

Aventail has already announced the ability to identify and deny access to machines that are not trusted, and to check whether trusted machines are properly configured before allowing them access. So, for example, if antivirus signatures are not up to date, machines can be denied.
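As an added illustration, not code from F5, Aventail or the article, here is how a gateway might turn the posture checks described for FirePass (certificate-identified laptop, firewall probe, cache purge for uncertified machines) and for Aventail (deny when antivirus signatures are stale) into an access decision. The posture field names, the tier names and the seven-day signature threshold are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Posture facts a gateway would gather from the remote machine before
# granting access. Constructed for this example; the vendors' real
# check names and data formats are not given in the article.
@dataclass
class EndpointPosture:
    has_device_cert: bool                 # certificate issued to a company machine
    firewall_running: bool                # personal firewall active
    antivirus_running: bool               # antivirus process active
    av_signature_date: Optional[date]     # None when antivirus reports no signatures

MAX_SIGNATURE_AGE = timedelta(days=7)     # assumed policy threshold

def decide_access(p: EndpointPosture, today: date) -> dict:
    """Map an endpoint's posture to an access tier.

    Tiers follow the behaviour the article describes:
      'restricted'  no company certificate (e.g. a kiosk): limited access and
                    caches/temporary files wiped when the session ends
      'denied'      trusted machine that fails a check (firewall off,
                    antivirus off, or signatures older than the threshold)
      'full'        trusted machine that passes every check
    """
    if not p.has_device_cert:
        return {"tier": "restricted", "wipe_cache": True,
                "reason": "no company certificate"}
    if not p.firewall_running:
        return {"tier": "denied", "wipe_cache": False,
                "reason": "personal firewall not running"}
    if not p.antivirus_running or p.av_signature_date is None:
        return {"tier": "denied", "wipe_cache": False,
                "reason": "antivirus not running"}
    if today - p.av_signature_date > MAX_SIGNATURE_AGE:
        return {"tier": "denied", "wipe_cache": False,
                "reason": "antivirus signatures out of date"}
    return {"tier": "full", "wipe_cache": False, "reason": "posture ok"}

if __name__ == "__main__":
    today = date(2004, 1, 15)  # constructed date for the sample run
    kiosk = EndpointPosture(False, False, False, None)
    stale = EndpointPosture(True, True, True, date(2003, 12, 1))
    good = EndpointPosture(True, True, True, date(2004, 1, 14))
    for name, ep in (("kiosk", kiosk), ("stale", stale), ("good", good)):
        print(name, decide_access(ep, today))
```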