VPNs: How Private Are They?

CyberGatekeeper Remote Policy Enforcer keeps your users in compliance and your network secure.

• By James Carrion
• November 01, 2002

InfoExpress, Inc. has introduced an interesting product to help plug this security hole: CyberGatekeeper Remote Policy Enforcer. Let’s examine how it works.

The CyberGatekeeper solution is a combo hardware/software package that consists of a hardware server, policy manager software and agent software. The CyberGatekeeper server evaluated was a 1U rack-mountable computer running Red Hat Linux on a Celeron processor. You don’t have to be a Linux expert to set up the server, as it simply boots directly into a DOS-type menu system where you can manually configure options or have the built-in wizards walk you through the configuration.

The multi-homed server is designed to sit between your corporate VPN server and the corporate network. All incoming VPN connections are routed through the server where their configurations are audited for policy compliance and, accordingly, are granted or denied access to the network. The outside interface uses a virtual IP address so it’s possible to have multiple CyberGatekeeper servers on the same segment for load-balancing purposes. The agent can only be installed on Windows operating systems.

When a remote computer establishes an inbound VPN connection, the agent collects information about the computer, including the operating system, vendor-specific anti-virus program, vendor-specific personal firewall program, as well as a slew of other security-related audits. This information is passed on to the CyberGatekeeper server where it’s compared against predefined policies (see the figure). If the audit fails, the remote computer is denied access. You can configure a custom message that’s passed onto the client to indicate why the failure occurred, and the user can then make the appropriate changes to bring his or her computer into compliance.

You can define comprehensive policies that require a minimum configuration in order for a remote computer to access the corporate network. (Click image to view larger version.)

I created a sample policy that required that the remote computer run Windows XP. When I made the VPN connection, the computer passed the audit, as it was running Windows XP. When I changed the policy to require a BlackIce Defender personal firewall, the audit failed and access was denied because I was using the built-in XP firewall. You can define multiple criteria for the policy based on required or desired minimum configurations. You can also audit the registry for specific values (for example, making sure the RUN ONCE value is blank, as many viruses and Trojans will modify this registry entry).

CyberGatekeeper is an innovative solution that can protect these entry points through audited compliance with corporate security policies. It’s easy to configure even for the non-Linux expert and doesn’t require that your remote employees be techies. When it comes to securing the corporate network, CyberGatekeeper offers a viable solution for keeping VPNs private.