Thank you for your input. Yes, I agree there are a number of tools that provide some of this functionality but what I need is enforcement at the perimeter. Many of the ISS features are nice and the SUS server and HFNETCheck are also great tools. However, I believe that we all need the ability to make decisions at the perimeter. Before you allow in client x, the device should meet certain criterion including security patch levels, DAT files, no sniffer or quake installed perhaps, etc. This is the technology that I'm referring to as being in its infancy. The Microsoft solution appears to do exactly what I want - if a device doesn't meet certain requirements, then it isn't allowed in, but quarantined into a network where the user has the ability to get the software they need to get compliant. Implementing a Microsoft VPN solution scares the heck out of me though. I hear Cisco is working with McAfee and Symantec on an API related to admission control so hopefully we'll see more ! products. -Derek -----Original Message----- From: owner-crime@private [mailto:owner-crime@private]On Behalf Of Andrew Plato Sent: Thursday, March 04, 2004 6:23 PM To: Buelna, Derek; crime@private Subject: RE: CRIME Remote User System Validation I wouldn't say this type of thing is in its infancy. There are quite a few tools that can provide the types of things you want to accomplish. What doesn't exist, yet, is a single tool that can do all of those things. Some of those features are included in RealSecure Desktop Protector. Anti-Virus DAT files can be checked. If they are older than a specific date, the user is prompted to update them and/or the firewall can block access to the corporate network. Little tricky to implement however. You can also do application level controls as well. All apps on the machine are hashed and any changes prompt the user. You can control all this centrally through Site Protector. Patch levels can be easily assessed via MS tools. MS patches can be deployed via their SUS server. However its functionality is somewhat limited. Might want to look at Hf CheckNet or Patchlink for larger, more robust patch-deployment. You can easily audit patch levels with their baseline analyzer. There are other assessment tools that can accomplish the same thing. Eeye's Retina scanner can do some of that, and its fast as hell. You might also want to look into Sygate's desktop solution. They have some unique features to their desktop firewall that can do some in-line filtering. Their product is a little cumbersome, however. But, I have a few clients who like it. SSL VPNS are generally not going to reach to far into the OS. The whole idea behind an SSL VPN is that it has a very lightweight front end. What the SSL VPNS are doing is controlling access to specific applications via protocols. There are quite a few options in this space. Ideally, you might want to put together a comprehensive desktop control / security program. ___________________________________ Andrew Plato, CISSP President/Principal Consultant Anitian Enterprise Security -----Original Message----- From: owner-crime@private [mailto:owner-crime@private] On Behalf Of Buelna, Derek Sent: March 04, 2004 5:21 PM To: crime@private Subject: CRIME Remote User System Validation I would like start a discussion in reference to the validation of remote users anti-virus DAT files, patch levels, installed software and so on. My understanding is that the technology associated with doing this type of thing is in it's infancy. Cisco is working on their admission control, Microsoft has their Quarantine server along with 2003 IAS, Zone Labs has a product and I've heard some talk of SSL based VPNs implementing some of this functionality but none of these really meet my needs. I suppose the Zone Labs product would work if it didn't constantly crash machines! The Quarantine thing pretty looks good except many of us are concerned with the security of an MS VPN solution and we've got non-Windows machines that need to connect. I assume that a bolt-on solution would be much more attractive for most of us. Your opinions, thoughts, advice, etc. would be very much appreciated! Derek A. Buelna, CISSP, CCIE Information Security XEROX Office Group > Any ideas or opinions expressed above do not necessarily reflect those of my employer. >
This archive was generated by hypermail 2b30 : Fri Mar 05 2004 - 11:13:17 PST