VPN Security Mistake - Skipping Real Time Endpoint

Learn about the most common security mistakes companies make when deploying and managing VPN and endpoint security solutions. Positive Networks, a leader in hosted, managed remote access and endpoint security solutions, has gained invaluable experience implementing thousands of VPNs. As a result, the company's engineers have had the chance to see, and therefore fix, common mistakes made by IT administrators when installing remote access solutions. The goal of this information is to help companies avoid costly errors and offer a hassle-free solution for companies requiring VPN technology.

Is your Virtual Private Network (VPN) the weakest link in your network security? This question is usually met with some hesitation, often because the answer is unknown. Network security is a major concern of IT departments. A study by KPMG recently confirmed that virus incidents are the most common problem on corporate networks, followed by worms. Some organizations think a VPN is a secure network, but worms and viruses can travel across an encrypted SSL or IPSec VPN directly onto a network unless something is in place to stop them. An encrypted tunnel therefore does not guarantee complete end-to-end security.

System patches, antivirus software, anti-spyware software, firewalls, additional data encryption between user application and server application, and administrator vigilance are among the things needed to keep your network secure. A recent VPN vulnerability reported by the National Infrastructure Security Coordination Center was due to a simple mistake that administrators were making when choosing one out of 100 options in configuring IPSec. A relatively obscure configuration setting needed a particular setup for high encryption like 3DES or AES. If it wasn't properly configured, VPN traffic was left completely vulnerable to interception and decryption. Because network security is a complex and constantly changing issue, this whitepaper will identify the five most common security mistakes, all of which apply to any type of VPN deployment: in-house or outsourced, IPSec appliance or web-based SSL VPN. The goal is to provide information that may help your company avoid costly errors in the future.

Security Mistake #1: Skipping Real-time Endpoint Security Monitoring

The first security mistake for most companies is skipping real-time endpoint security monitoring, or deeming it too costly. Most Virtual Private Networks are just that: a virtual, secure private communication channel that transports data from point A to point B, typically from an end-user to a corporate network. Unfortunately, if point A is a computer with a virus or an improperly configured firewall, then a hole has been created in the company's network. In essence, remote access is given to everything on that endpoint (the user's PC), not just to the person sitting at the keyboard.

The problem, then, is that most VPN clients, especially those that are web-based, don't do any kind of security check. Those that do often perform only an initial, limited test when the end-user first connects. This test normally confirms that firewall or anti-virus software is installed. What happens if a user is connected to the VPN and the virus scanner is suddenly disabled? What happens if a virus is detected, or the firewall has a problem? Are these problems detected with a traditional VPN appliance? Is the end-user then disconnected from the VPN service? Who does the user call if they need help resolving the problem? How is verification that the problem was fully resolved documented? Positive Networks addresses each of these issues with a unique VPN service. Below is a recent case study illustrating how Positive Networks solved this mistake.

Case Study

A good example of resolving endpoint security monitoring is the case of the National Weather Service. They were looking for a solution that would allow fire departments to access critical weather information at headquarters. In this case, the problem was not an issue of trust toward non-employees, but that they couldn't guarantee the security of the connecting computers and didn't want to give open access to their entire network. They were certainly concerned about real-time virus monitoring. In addition, the National Weather Service didn't have a solution to manage individual firewall rules with guaranteed filtering, so limited access for fire department workers went to specific ports on certain groups of servers.

A complete PC security test is needed, and it must ensure that the virus scanner is not only installed but actually running properly. Real-time anti-virus monitoring is unique to Positive Networks and the PositivePRO service. If the user doesn't have a virus scanner, the PositivePRO service distributes it to end-users free, via a live download. IT managers also need a firewall that lacks a user interface, is monitored in real time, and is configured with the rules the administrator specifies. For example, ZoneAlarm shouldn't be left for the user to improperly configure. PositivePRO is a solution that is centrally managed and pushes policies to end users, which is much more desirable.

A system that guides the user through fixing the problem is also required. Other key points to consider when evaluating end-point security monitoring are:

  • Is the end-user disconnected, or are they allowed to remain connected to the VPN while the problem is corrected?
  • If the user can't figure out how to clean the virus or update their definitions, can they call someone at 10 PM who can guide them through the steps?
  • Do administrators have full reporting of security violations?
  • Do reports verify that the user was in quarantine and provide a full audit trail that documents when and how compliance was verified?

 

Positive Networks' VPN service has had real-time antivirus and firewall monitoring for four years, the first in the industry. This speaks loudly to the company's commitment to security. Another area in which Positive Networks takes the lead is the management of anti-spyware and Windows Critical Updates for VPN users. Before a user can log onto their company network, they must pass a rigorous scan for all rules set by the administrator. If a problem occurs while they are logged in, the PositivePRO service temporarily disconnects the user from the company network, keeping it safe, while a remote access specialist walks them through how to fix the problem and get reconnected to their company network.
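The difference between a connect-time check and real-time monitoring can be shown with a small model. This is an added example, not PositivePRO code or anything from the whitepaper's authors; the check names, session states and posture reports are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass, field

# Hypothetical policy: checks the administrator requires on every endpoint.
REQUIRED = ("antivirus_running", "definitions_current", "firewall_enabled")

@dataclass
class Session:
    user: str
    state: str = "pending"  # pending -> connected <-> quarantined
    audit: list = field(default_factory=list)

def failed_checks(report):
    """Required checks that are false or absent (a missing result fails closed)."""
    return [c for c in REQUIRED if not report.get(c, False)]

def evaluate(session, ts, report):
    """Apply one posture report; log an audit entry only on a state change."""
    failures = failed_checks(report)
    new_state = "quarantined" if failures else "connected"
    if new_state != session.state:
        session.audit.append({"time": ts, "user": session.user,
                              "from": session.state, "to": new_state,
                              "failed": failures})
        session.state = new_state
    return session.state

def connect_time_only(reports):
    """Weak model: posture is checked once, at connect, and never again."""
    _, first = reports[0]
    return "quarantined" if failed_checks(first) else "connected"

def continuous(user, reports):
    """Monitored model: every report is evaluated for the life of the session."""
    session = Session(user)
    for ts, report in reports:
        evaluate(session, ts, report)
    return session

# Constructed sample: the virus scanner is disabled mid-session, then restored.
OK = {"antivirus_running": True, "definitions_current": True,
      "firewall_enabled": True}
SAMPLE = [
    ("09:00", OK),
    ("09:05", {**OK, "antivirus_running": False}),
    ("09:10", {**OK, "antivirus_running": False}),
    ("09:20", OK),
]

if __name__ == "__main__":
    print("connect-time only:", connect_time_only(SAMPLE))
    for entry in continuous("alice", SAMPLE).audit:
        print(entry)
```

The connect-time model reports the session as connected throughout, while the monitored model quarantines it at 09:05 and records when compliance was re-verified at 09:20.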

 