What is VPN-Quarantine

A nightmare, but a real-life scenario:

You initiate a connection to your VPN server: you provide your login name and password and insert your SmartCard.

The VPN tunnel is encrypted with the most unbreakable algorithm, with a 1 billion-bit key length, and everything is fine in a perfect world.

Unfortunately, your antivirus program is not up to date, or your laptop firewall is not up and running, or you don't have the latest security patches, which makes your laptop a very good target for new viruses. And then, while surfing the internet, you catch a virus! Do you remember Melissa, Code Red, Blaster, Sasser?

Then this virus spreads throughout the company via your VPN connection, causing considerable damage and loss.
But you had the most secure and reliable VPN solution on the market, didn't you?

Nowadays

Major security risks with VPNs

Security holes, viruses and missing patches can be the source of your most terrible nightmares. As long as your users are connecting from outside the company, you cannot be sure that they are safe and will not be the source of a major attack. So encryption and authentication are no longer sufficient.

VPN Security Questions & Answers

Q: Do I use reliable and strong encryption and authentication technologies?
A: Of course. All the VPN systems on the market use the same technologies: PPTP, IPsec, smartcards, and so on.

Q: Are encryption and authentication sufficient for securing VPN connections?
A: Nowadays, definitely not.

Q: I cannot be attacked through my VPN infrastructure, since I bought the best and most secure VPN solution on the market.
A: Guess what: there's a 99% chance you're wrong.

The right answer

The only way to make sure that roaming users will not be the source of major attacks is to check their configuration before they enter the company via VPN. You must check that the firewall is enabled, that they have all the mandatory patches, and that the company's antivirus program is installed with the correct version. To summarize, they must be compliant with the current security policy of your corporation, one that must be adapted frequently to cope with current threats.

How to protect your company from VPN attacks?

The safest approach to protect your entire corporation against security threats from roaming users is to include a quarantine-oriented technology. The idea of quarantine is pretty simple and brilliant.
You connect to your company via VPN. Once you are connected, you are isolated, with no access to the corporate network.
You stay isolated while your security configuration is analyzed. If you are compliant with the security policy, you can enter your company (filtered according to your credentials).
If, for any reason, you are potentially unsafe, you will be disconnected and the update mechanism will start to make your configuration compliant.

The latest version of Microsoft's firewall, ISA Server 2004, includes such a quarantine technology. Unfortunately, Microsoft supplies only the quarantine mechanism, not the analysis, un-quarantine and computer update mechanisms that are indispensable to reconcile your top two priorities: a totally safe environment with total end-user satisfaction.
Quarantine Security Suite (QSS) does provide all these features.

Quarantine Security Suite architecture

Once connected by VPN, Microsoft ISA Server 2004 will automatically put your session in quarantine. The QSS-Client installed on each remote user's workstation will analyze the workstation's configuration.
The QSS-Security Client will then submit this configuration, encrypted, to the QSS-Approval Server to see if the configuration is safe and compliant with the corporate policy.
The QSS-Approval Server is the only component that has knowledge of the current corporate policy.
The QSS-Approval Server will analyze the remote user's configuration:
If the remote user's configuration is compliant, it will un-quarantine the VPN session. If not, the remote user will be redirected to an update process to fix the problems.
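The decision flow described above (session quarantined by default, configuration report checked against a policy that only the approval server holds, then either release or redirect to update) is easy to get subtly wrong, in particular when no report arrives at all. The following is an added illustration in Python, not QSS's own code: the class and field names, the patch identifiers (placeholders, not real Microsoft KB numbers) and the version scheme are all assumptions. It fails closed, so a missing or malformed report keeps the session quarantined.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Verdict(Enum):
    APPROVED = "unquarantine"          # release the session to the corporate network
    REMEDIATE = "redirect_to_update"   # keep it quarantined and send it to the update process


@dataclass(frozen=True)
class Posture:
    """What the client-side agent reports about the workstation (field names assumed)."""
    firewall_enabled: bool
    installed_patches: frozenset
    antivirus_version: str          # dotted version string, e.g. "7.0.3"


@dataclass(frozen=True)
class Policy:
    """Held only by the approval server, as the architecture above prescribes."""
    require_firewall: bool
    mandatory_patches: frozenset
    minimum_antivirus_version: str


@dataclass
class Decision:
    verdict: Verdict
    findings: list = field(default_factory=list)   # human-readable reasons for REMEDIATE


def parse_version(text: str) -> tuple:
    """'7.0.3' -> (7, 0, 3); a malformed string becomes (-1,), i.e. older than anything."""
    try:
        return tuple(int(part) for part in text.split("."))
    except ValueError:
        return (-1,)


def evaluate(posture: Optional[Posture], policy: Policy) -> Decision:
    """Approval-server side: compare the reported posture with the policy.

    Fails closed: a missing report (agent not running, submission rejected)
    is treated exactly like a non-compliant workstation.
    """
    if posture is None:
        return Decision(Verdict.REMEDIATE, ["no posture report received"])
    findings = []
    if policy.require_firewall and not posture.firewall_enabled:
        findings.append("firewall disabled")
    missing = sorted(policy.mandatory_patches - posture.installed_patches)
    if missing:
        findings.append("missing patches: " + ", ".join(missing))
    if parse_version(posture.antivirus_version) < parse_version(policy.minimum_antivirus_version):
        findings.append(
            f"antivirus {posture.antivirus_version} older than required "
            f"{policy.minimum_antivirus_version}"
        )
    verdict = Verdict.APPROVED if not findings else Verdict.REMEDIATE
    return Decision(verdict, findings)


class VpnSession:
    """Gateway side: every new tunnel starts quarantined; only an APPROVED
    decision from the approval server lifts the restriction."""

    def __init__(self, user: str):
        self.user = user
        self.network_access = False   # quarantined until told otherwise

    def apply(self, decision: Decision) -> bool:
        self.network_access = decision.verdict is Verdict.APPROVED
        return self.network_access


# Constructed sample data: placeholder patch identifiers, not real Microsoft KB numbers.
CORPORATE_POLICY = Policy(
    require_firewall=True,
    mandatory_patches=frozenset({"KB-EXAMPLE-001", "KB-EXAMPLE-002"}),
    minimum_antivirus_version="7.0.0",
)

COMPLIANT_LAPTOP = Posture(True, frozenset({"KB-EXAMPLE-001", "KB-EXAMPLE-002"}), "7.0.3")
STALE_LAPTOP = Posture(False, frozenset({"KB-EXAMPLE-001"}), "6.9.9")


def admit(user: str, posture: Optional[Posture]) -> tuple:
    """Run the whole flow for one connection; returns (network_access, findings)."""
    session = VpnSession(user)
    decision = evaluate(posture, CORPORATE_POLICY)
    return session.apply(decision), decision.findings


if __name__ == "__main__":
    for name, posture in [("compliant", COMPLIANT_LAPTOP), ("stale", STALE_LAPTOP), ("no-agent", None)]:
        access, findings = admit(name, posture)
        print(f"{name:10s} access={access} findings={findings}")
```

The findings list is what an update process would consume: it names exactly which policy items failed, so remediation can be targeted instead of reinstalling everything. Keeping the policy object on the server side only mirrors the page's point that the approval server is the single component that knows the corporate policy; the client never decides its own fate.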

Register and download QSS.

Esnouf.net is in no way affiliated with Microsoft Corp.
Copyright © 2004 Frédéric ESNOUF All rights reserved.