The next step for secure virtual networks is application awareness -- where a network recognizes what sort of device is connecting to it and changes its behavior in response -- according to exhibitors at this week's Infosec show in London.
Virtual private networks (VPNs) allow people to gain access to a company's secure network from outside through a Web browser by using a certification process on the company's server -- either Citrix or ActiveX controls or Java middlemen programs.
However, some clients are less trustworthy than others and even with the SSL encryption protocol, information can escape -- for example by being cached locally, says Daniel Steiner, the president and co-founder of one of the companies offering a more secure alternative, Whale Communications Inc.
Whale is selling VPN software that it says allows application access to be tailored according to the device that is trying to access the network. "The difficulty is that if you don't provide application-aware security you have difficulty allowing access from non-trusted locations and users," he explains. "Many customers will not allow cybercafe access from Citrix because you can print locally. Similarly, you don't want file uploads from public PCs to your corporate email.
"You need to understand the application's behavior to do fine-grade security, then the security officer can allow partial access more often. We have a built-in application firewall with filtering rules for each application -- popular ones are built in and we provide a toolkit to build rules for others."
The SSL VPN uses an ActiveX control to check the local environment. If there is up-to-date anti-virus software in place, for example, it can permit email attachments. It also cleans up after itself, wiping attachments and clearing caches. Steiner adds that the application-based rules can allow the same SSL platform to provide controlled access for business partners, at the same time as full access for employees.
Also working on application awareness is PortWise AB, which this week added device security control to its SSL VPN platform. This scans every remote client for vulnerabilities and can grant varying levels of service depending on what it finds.
"Security has not always kept pace with remote access," says Kaushik Thakkar, PortWise's co-founder and strategic development director. "End users have been able to log on, but it was not possible to know if the device was safe or if information had been left on it after a session."
SSL VPNs are increasingly popular as they are more flexible than client-based VPN technology such as IPsec, says Whale's Steiner. Indeed, they recently spawned a certification process. However, neither Whale nor PortWise has signed up to the process as yet.
"A year ago, many suppliers had no SSL remote access, but it's spread very fast," Steiner notes. "The number one thing is return on investment -- it is very rare to find technology that returns its investment so fast."