Providing secure remote access to the corporate network is the Holy Grail for many organisations. Although remote access is necessary for many employees to do their jobs, the security implications are enormous and must be adequately addressed. VPN solutions are one of the more popular methods used to provide remote access, but enforcing security on the end-user's system has been problematic. We tested a complete VPN solution - combining the Cisco 3000 VPN Concentrator series and Zone Labs' Integrity personal firewall - which addresses this problem.
To protect client systems and the security of the corporate network, Cisco includes the Zone Alarm firewall engine in its client software. Additionally, the Concentrator works seamlessly with Zone Alarm's Integrity personal firewall to ensure that remote access clients are properly configured before they are connected to the corporate network. The Cisco and Zone Labs combination impressed us enough to earn our Deploy rating.
The Cisco VPN 3000 Concentrator series is one of the more versatile and flexible remote access gateways we have seen. For starters, these devices (we tested models 3005 and 3060) support numerous operating systems on the client side, including Linux, Mac, and Solaris. We find this especially useful as more organisations are looking at Linux for the desktop.
On the server side, the Concentrator supports a wide variety of configurations. Tunnels can be created using IPsec, L2TP (Layer 2 Tunnelling Protocol), PPTP (Point-to-Point Tunnelling Protocol), and L2TP over IPsec. Supported authentication methods include RADIUS (Remote Authentication Dial-In User Service), SecurID, Windows domain, and internal database.
For dealing with NAT (Network Address Translation) devices in the VPN path, the Concentrator supports the standard UDP (User Datagram Protocol) encapsulation. The Concentrator also has added support for encapsulating traffic through a TCP port, which helps overcome problems created by some PAT (Port Address Translation) devices that do not properly handle the UDP encapsulated packets.
Installation is simple, and management can be performed through a Web browser or command-line interface. The administration program is not very intuitive, but is easy to use when you learn where all the configuration options are located.
Configuring VPN tunnels is straightforward. Cisco uses groups to ease the administrative burden. You start by configuring a base group, which becomes the default template for everything else. Additional groups can inherit properties of the base group and can include unique features of their own. For example, even if the base group does not allow split tunnelling, another group of users in the organisation could be configured to use it. All groups have a password, which can be seen as the standard IPsec pre-shared key. Users also have to authenticate themselves, whether by password or token.
To protect the VPN gateway, Cisco provides the ability to configure filters on incoming traffic. These filters can control tunnelling protocols, routing protocols, and administrative connections for both groups and individual users.
The Concentrator also includes fairly detailed monitoring. Administrators can quickly tell how many open connections have been established, how many administrative connections have been established, and by what means (Web, Telnet, etc.) those connections were made. A live event log allows administrators to monitor activity in real time. While we were watching this log, someone was running an IIS attack script against the gateway!
One of the big issues with supporting personal firewalls and antivirus software is end-users disabling or misconfiguring these services. Using the Cisco Concentrator and Zone Alarm Integrity together, administrators can easily require any user attempting to connect to the VPN gateway to be running a properly configured Integrity client and up-to-date antivirus definitions. If these requirements are not satisfied, the VPN tunnel is not established.
Various messages can be configured to notify the end-user why the tunnel was not established, and links provided to the appropriate downloads. For example, improperly configured remote users could be referred to a URL where they can download and install the Integrity client or update their antivirus signatures. Furthermore, configuring the Concentrator and Integrity to work together is very simple: just provide the Concentrator with the IP address of the Integrity server and vice versa.
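The posture check described above, as an added illustration that is not code from Cisco or Zone Labs: a small policy evaluator that admits a client only when its firewall agent is running and its antivirus signatures are recent enough, and otherwise returns the remediation messages and download links the user would be shown. The policy fields, report fields and URLs are assumptions constructed for this example, not the products' real configuration schema.

```python
from datetime import date

# Constructed policy; the keys and URLs are placeholders invented for this
# example, not the Concentrator's or Integrity's actual settings.
POLICY = {
    "required_agent": "Integrity",
    "max_signature_age_days": 7,
    "agent_download_url": "https://intranet.example/integrity/setup",
    "av_update_url": "https://intranet.example/antivirus/update",
}


def check_posture(report, policy, today_iso):
    """Evaluate one client's posture report against the policy.

    Returns (allowed, messages). The tunnel is allowed only when no
    requirement failed; each failure produces a user-facing message that
    points at the appropriate download, mirroring the notification and
    link behaviour described in the review.
    """
    today = date.fromisoformat(today_iso)
    messages = []

    # Requirement 1: the mandated personal-firewall agent must be running.
    agent_ok = (report.get("firewall_agent") == policy["required_agent"]
                and report.get("firewall_running", False))
    if not agent_ok:
        messages.append("Personal firewall is not running or not the required client; "
                        f"install it from {policy['agent_download_url']}")

    # Requirement 2: antivirus signatures must exist and be reasonably fresh.
    sig = report.get("av_signature_date")
    if sig is None:
        messages.append("No antivirus signatures reported; "
                        f"update from {policy['av_update_url']}")
    else:
        age_days = (today - date.fromisoformat(sig)).days
        if age_days > policy["max_signature_age_days"]:
            messages.append(f"Antivirus signatures are {age_days} days old; "
                            f"update from {policy['av_update_url']}")

    return (not messages), messages


if __name__ == "__main__":
    # Constructed sample report: compliant client checked on 2004-03-12.
    sample = {"firewall_agent": "Integrity", "firewall_running": True,
              "av_signature_date": "2004-03-10"}
    print(check_posture(sample, POLICY, "2004-03-12"))
```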
The Integrity server installs on a Windows 2000 Server and requires either an Oracle database or SQL 2000 Server as its data repository. Integrity agents, which run only on Windows systems, report to the Integrity server, providing administrators with a centralised logging point for security alerts and information. Administration is Web-based, and we found it very easy to understand and use in our testing.
Policies are easy to configure, using the standard low, medium, and high security zones as seen in the Zone Alarm products. Administrators can control access to the network by application, and they can specify the default action for new applications, whether to allow or disallow network access. Initial policies should be deployed using the built-in Discover mode, which reports all the applications being used on the network. This can help administrators create various policies for user groups and further control corporate security.
Users are imported into Integrity from the Windows domain. Our only real complaint about the product is that a system on the corporate network but not logged in to the Windows domain will not properly authenticate to the Integrity server. Authentication is user-based, not machine-based, so users can log in to any machine on the corporate network and their security policies will travel with them. This leaves some problems for users who bring laptops from home into work and then log in using cached credentials from their home network. An Integrity agent can run on such a system and a security policy can be enforced, but the policy will not be updated, and logs will not be sent to the Integrity server.
Combining the Cisco VPN 3000 Concentrator and Zone Alarm's Integrity personal firewall, organisations can deploy a remote access solution that fully protects corporate network assets. Data is encrypted when travelling over the Internet, two-factor authentication can be used to ensure users are valid, and end-user systems are properly protected to help prevent spreading worms and malicious attacks through the organisation from a VPN endpoint.