Setting up endpoint security on an existing SSL VPN architecture is somewhat complex. We'll show you how it is
done on two of the leading products: F5 Networks Inc.'s Firepass and Juniper Networks Inc.'s SA-6000 SP. Both use Web-based administrative consoles, and there are various places to configure the endpoint routines within these consoles.
On the Firepass, first we will demonstrate how to set up the various endpoint security policies, and then we will implement them for particular groups of users. On the administrative console, upon going into the Users section, you'll see that Endpoint Security is the third category of menus on the upper left-hand menu bar.
Here you'll see a screen that lists all the various endpoint inspection routines that are available, such as checking for an installed firewall or particular antivirus signature. Moving down the left-hand navigation bar menu options, you see pre-login sequence and post-login actions as your next series of choices, and these control what is done at these times.
If you click on pre-login sequence, you will see a screen listing the particular sequences that you have already specified.
If you click on one of these sequences, you will be brought to F5's visual policy editor, a Visio-like flowcharting program with which you can drag and drop actions and choices for the software to perform.
The last couple of choices on the left-hand nav bar are protected configurations and protected resources. The former will bring up a screen similar to the one below, showing the security policies that have been implemented before a user can access particular resources.
Once these policies are created, click on the bottom of the left-hand navigation bar into the Network Access section, and then choose the Policy Checker menu tab on the top.
At the bottom of this screen is a bar that reads, "Endpoint Protection Required for this Resource Group." There is a pull-down box of various choices, such as restricted login or time-dependent login. This is where you specify overall policies for particular users or groups; when you do, you will see a screen similar to the one below.
Juniper's endpoint routines are slightly different. On its management interface, there is a separate endpoint security section as with Firepass, and there are two basic configuration sequences for host checking and for its cache cleaner.
You can perform the checks on each endpoint every 10 minutes by default, or change this value as you wish. Creating a new host checking policy will bring you to a screen where you can add particular rules.
Rules must be specified for Windows, Macintosh and Linux endpoints separately. You'll see a drop-down box on this screen to set up the individual rules, such as checking for personal firewalls installed on each device, where you'll come to a screen such as the one shown below.
About the author:
David Strom is one of the leading experts on network and Internet technologies and has written extensively on the topic for nearly 20 years. He has held several editorial management positions for both print and online properties, most recently as Editor-in-Chief for Tom's Hardware. In 1990, Strom created Network Computing magazine and was the first Editor-in-Chief establishing the magazine's networked laboratories. He is the author of two books: Internet Messaging (Prentice Hall 1998) which he co-authored with Marshall T. Rose and Home Networking Survival Guide (McGrawHill/Osbourne; 2001). Strom is a frequent speaker, panel moderator and instructor and has appeared on Fox TV News Network, NPR's Science Friday radio program, ABC TV's World News Tonight and CBS-TV's Up to the Minute.