Introduction
In today's connected world, corporate network perimeter defence is no longer just the corporate firewall stopping requests from the Internet from entering the corporate network. Today's organizations want to give a wide range of different users real-time remote access to resources on the corporate network. Much as when organizations first enabled Internet connectivity for internal users, this shift to anywhere/anytime access introduces new security requirements. The main challenge is to enforce security on devices and networks that are not under corporate control, such as partner and customer devices, handheld terminals, wireless networks used by road warriors, and so on. The shift means that the corporate boundary is no longer at the firewall or the edge of the network; the boundary is now at the end-point.
Introducing PortWise End-Point Security
PortWise includes features for client protection and client integrity that enable your organization to secure the end-points outside your firewall boundaries. End-Point Integrity is focused on assessing the security, health and status of your end-points. End-Point Protection is focused on applying protection to the end-points so they cannot be used by Trojans and other malicious software to gain access to the corporate network.
End-Point Integrity (EPI)
EPI is an assessment technology that allows your PortWise system to determine the level to which an end-point device can be trusted, based on your end-point security policy. By defining different policies, an organization can provide different levels of access depending on the level of trust placed in a particular device. By examining the status of the end-point device in terms of anti-virus software, personal firewall configuration, Microsoft Windows domain information, and OS and patch level, the device can be assigned a security profile. There is no limit on the number of profiles that can be defined; in this example, however, we have defined three types of end-points:
• Trusted Corporate Device
• Trusted Non Corporate Device
• Non Trusted Device
NOTE: PortWise supports virtually any type of End-Point Integrity
check. An assessment plug-in framework allows an organization to
tailor the client assessment according to its requirements.
Based on the results of the assessment, users get different levels of access as defined in the access control policy. For instance, a user on a Non Trusted Device will get access only to a limited set of web applications, whereas a user on a Trusted Corporate Device will get full access to all applications.
Unauthorized access to internal networks is often gained by modifying known applications to include a Trojan horse or other malicious software. When an infected application executes, it uses the secure VPN connection to access data and resources inside the corporate network. As the application uses known ports and protocols, this threat may be difficult to counter in the corporate firewalls. With PortWise Application Control, each client application requesting access through PortWise is examined to ensure it has not been tampered with. Only approved and unmodified applications get access to the internal network.
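The following is an added example, not PortWise code, of the application-control principle just described: an application may use the connection only if its binary matches an approved hash, so a Trojaned copy of a known application (same name, modified contents) is refused. The approval list, the application name and the "binaries" are constructed stand-ins for real executables.

```python
"""Added example (not PortWise code) of the application-control principle:
an application may use the connection only if its binary matches an approved
hash. The approval list and the "binaries" are constructed stand-ins."""
import hashlib
import hmac


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executables, and the approval list an
# administrator would publish for them (application name -> expected hash).
APPROVED_CLIENT = b"MZ\x90\x00 constructed mail client v1"
APPROVAL_LIST = {"mail-client.exe": sha256_hex(APPROVED_CLIENT)}

# The same file with a single byte changed: the kind of modification a
# Trojaned copy of a known application introduces.
TAMPERED_CLIENT = APPROVED_CLIENT[:-1] + b"2"


def check_application(name, binary):
    """Return (allowed, reason). Unknown and modified applications are refused."""
    expected = APPROVAL_LIST.get(name)
    if expected is None:
        return False, "application is not on the approval list"
    # Constant-time comparison, as is customary when comparing digests.
    if not hmac.compare_digest(sha256_hex(binary), expected):
        return False, "binary does not match the approved hash"
    return True, "approved and unmodified"


if __name__ == "__main__":
    for app, data in [("mail-client.exe", APPROVED_CLIENT),
                      ("mail-client.exe", TAMPERED_CLIENT),
                      ("unknown.exe", APPROVED_CLIENT)]:
        print(app, check_application(app, data))
```

The decision is taken on the hash of the whole binary, so a change of even one byte is refused; a real deployment would also need a trustworthy channel for delivering and updating the approval list.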
PortWise can perform pre- and post-assessments of the end-point and also re-assess it during the session to ensure that the end-point's security status does not change after the initial assessment.
NOTE: The access decision is made at the policy service and never at the end-point. The end-point is not aware of which data is collected during the scan to determine the security status.
The following data can be collected from the device:
• File Collector - Collects information about files, folders and directories.
• Registry Collector - Collects registry information.
• Network Collector - Collects information about the device's network settings (e.g. IP address, TCP/UDP ports in use, MAC address, subnet mask, default gateway, DNS and DHCP).
• Process Collector - Collects information about processes that are running on the device.
• OS Collector - Collects operating-system-specific information (on Windows, e.g. Windows domain, Windows version and Windows patch level).
• Windows Security Center Status - Queries the Windows Security Center for the status of personal firewall settings, anti-virus, and Windows Update.
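The following is an added example, not PortWise code, showing how the policy service can turn the output of the OS Collector and the Windows Security Center Status check into one of the three example profiles, apply an access control policy to that profile, and re-assess during the session so that access is revoked when the device's status changes. The collector field names, the policy thresholds (domain name, minimum patch level), the application names and the sample reports are all constructed assumptions.

```python
"""Added example (not PortWise code): a policy-service-side assessment that
turns collector output into one of the three example profiles, applies the
access control policy to that profile, and re-assesses during the session.
Collector field names, policy thresholds and sample reports are constructed."""
from enum import Enum


class Profile(Enum):
    TRUSTED_CORPORATE = "Trusted Corporate Device"
    TRUSTED_NON_CORPORATE = "Trusted Non Corporate Device"
    NON_TRUSTED = "Non Trusted Device"


# Assumed policy parameters (placeholders, not PortWise defaults).
CORPORATE_DOMAIN = "CORP"
MINIMUM_PATCH_LEVEL = 3

# Access control policy: the published applications each profile may reach.
ACCESS_POLICY = {
    Profile.TRUSTED_CORPORATE: {"webmail", "intranet", "file-share", "erp"},
    Profile.TRUSTED_NON_CORPORATE: {"webmail", "intranet"},
    Profile.NON_TRUSTED: {"webmail"},
}


def assess(report):
    """Map a collector report to a profile.

    This runs at the policy service: the end-point only delivers raw collector
    output and never sees which fields decide the outcome. Missing or
    malformed data is treated as untrusted rather than trusted.
    """
    sc = report.get("security_center") or {}
    os_info = report.get("os") or {}
    # Windows Security Center status: firewall, anti-virus and Windows Update
    # must all be healthy before the device can be trusted at all.
    healthy = (sc.get("firewall_enabled") is True
               and sc.get("antivirus_up_to_date") is True
               and sc.get("windows_update_enabled") is True)
    if not healthy:
        return Profile.NON_TRUSTED
    # OS collector: domain membership and patch level distinguish a corporate
    # device from a healthy but unmanaged one.
    in_domain = str(os_info.get("domain") or "").upper() == CORPORATE_DOMAIN
    patched = int(os_info.get("patch_level") or 0) >= MINIMUM_PATCH_LEVEL
    if in_domain and patched:
        return Profile.TRUSTED_CORPORATE
    return Profile.TRUSTED_NON_CORPORATE


def allowed_applications(profile):
    return set(ACCESS_POLICY[profile])


class Session:
    """Holds the current profile so a re-assessment can revoke access when the
    device's status changes after the initial assessment."""

    def __init__(self, report):
        self.profile = assess(report)

    def may_access(self, app):
        return app in allowed_applications(self.profile)

    def reassess(self, report):
        """Re-run the assessment; return the applications no longer allowed."""
        before = allowed_applications(self.profile)
        self.profile = assess(report)
        return before - allowed_applications(self.profile)


# Constructed sample reports in the shape the collectors above might produce.
HEALTHY = {"firewall_enabled": True, "antivirus_up_to_date": True,
           "windows_update_enabled": True}
CORPORATE_LAPTOP = {"os": {"domain": "CORP", "patch_level": 4},
                    "security_center": dict(HEALTHY)}
HOME_PC = {"os": {"domain": "WORKGROUP", "patch_level": 4},
           "security_center": dict(HEALTHY)}
KIOSK = {"os": {"domain": "WORKGROUP", "patch_level": 1},
         "security_center": dict(HEALTHY, antivirus_up_to_date=False)}
# The corporate laptop mid-session, after the user switched the firewall off.
DEGRADED_LAPTOP = {"os": dict(CORPORATE_LAPTOP["os"]),
                   "security_center": dict(HEALTHY, firewall_enabled=False)}

if __name__ == "__main__":
    session = Session(CORPORATE_LAPTOP)
    print(session.profile.value, sorted(allowed_applications(session.profile)))
    revoked = session.reassess(DEGRADED_LAPTOP)
    print("re-assessment:", session.profile.value, "revoked:", sorted(revoked))
```

The ordering of the checks is deliberate: a device that fails the Security Center checks is Non Trusted regardless of domain membership, and an empty or partial report falls through to Non Trusted as well, which is the safe default for an assessment whose inputs come from a device the organization does not control.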
End-Point Protection (EPP)
PortWise EPP is used to enforce protection of the user's device. During a normal user session, data can be stored on the end-point device for a number of reasons: performance improvements, user-initiated file downloads, browser history, cookies and URL caching. After the user terminates the session, this information may be left on the end-point device. Depending on the type of device used, it may not be appropriate to leave this kind of data behind, as it can be used by other people to gain unauthorized access. To address this potential security threat, PortWise utilizes different technologies, including:
• HTTP directives
• PortWise Application Intelligence
• PortWise Abolishment
• PortWise Personal Firewall
By using HTTP directives, PortWise can instruct the client's web browser not to cache information on the device. PortWise can also block cookies from an internal application from being stored on the device.
In some cases, applications require that cookies are available on the device; the PortWise administrator can allow this for specific cookies. Furthermore, PortWise can control which MIME types a browser may cache, with settings such as allow text/html but disallow application/pdf and application/vnd.ms-excel.
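The following is an added example, not PortWise code, of how an access server relaying an internal application's response to the browser can enforce the two HTTP-side controls just described: per-MIME-type cache directives (text/html may be cached, application/pdf and application/vnd.ms-excel may not) and a cookie allowlist that lets only administrator-approved cookies reach the device. The header names used are standard HTTP; the policy values, the cookie names and the sample responses are constructed assumptions.

```python
"""Added example (not PortWise code) of enforcing the HTTP-side end-point
protection on a response relayed to the browser: per-MIME-type cache
directives and a cookie allowlist. Policy values and sample responses are
constructed assumptions."""

# Headers are kept as (name, value) pairs because one response may carry
# several Set-Cookie headers.
NO_STORE_HEADERS = [
    ("Cache-Control", "no-store, no-cache, must-revalidate"),
    ("Pragma", "no-cache"),
    ("Expires", "0"),
]
CACHE_HEADER_NAMES = {"cache-control", "pragma", "expires"}

# Assumed policy: text/html may be cached, everything else (application/pdf,
# application/vnd.ms-excel, ...) must not be; only one cookie may be stored.
CACHEABLE_TYPES = {"text/html"}
ALLOWED_COOKIES = {"SessionID"}


def media_type(content_type):
    """'text/html; charset=utf-8' -> 'text/html'"""
    return content_type.split(";", 1)[0].strip().lower()


def cookie_name(set_cookie_value):
    """'SessionID=abc; Path=/' -> 'SessionID'"""
    return set_cookie_value.split("=", 1)[0].strip()


def apply_directives(headers, cacheable_types=CACHEABLE_TYPES,
                     allowed_cookies=ALLOWED_COOKIES):
    """Return the response headers the browser should receive."""
    content_type = "application/octet-stream"  # assume binary if unlabelled
    for name, value in headers:
        if name.lower() == "content-type":
            content_type = value
    no_store = media_type(content_type) not in cacheable_types

    out = []
    for name, value in headers:
        lname = name.lower()
        if no_store and lname in CACHE_HEADER_NAMES:
            continue  # the backend's caching hints are overridden below
        if lname == "set-cookie" and cookie_name(value) not in allowed_cookies:
            continue  # this cookie is not allowed to be stored on the device
        out.append((name, value))
    if no_store:
        out.extend(NO_STORE_HEADERS)
    return out


# Constructed sample responses from an internal application.
HTML_RESPONSE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Cache-Control", "max-age=60"),
    ("Set-Cookie", "SessionID=abc123; Path=/"),
    ("Set-Cookie", "LastSearch=payroll; Path=/"),
]
PDF_RESPONSE = [
    ("Content-Type", "application/pdf"),
    ("Cache-Control", "max-age=3600"),
]

if __name__ == "__main__":
    for response in (HTML_RESPONSE, PDF_RESPONSE):
        for header in apply_directives(response):
            print("%s: %s" % header)
        print()
```

A response with no Content-Type is treated as non-cacheable, and a backend's own max-age on a disallowed type is dropped rather than merged, so the browser sees one consistent instruction.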
PortWise Application Intelligence offers application controls, such
as the possibility to allow or disallow the use of attachments in
Microsoft Outlook Web Access, depending on the access control
policy.
PortWise Abolishment monitors all downloaded files and other session-related data stored on the end-point device during a session. Upon session completion, all downloaded files, URL history, cache, and temporary files are removed from the device.
PortWise Personal Firewall is part of the PortWise Access Client and enables comprehensive protection of the end-point. The PortWise Personal Firewall is a fully configurable on-demand personal firewall that is launched from the PortWise access server and does not require any client software to be installed on the device. During the PortWise session, the client device may be configured in the following ways:
• Route all traffic through the PortWise Access Point.
• Only route traffic with an internal destination, and stop any traffic on other network interfaces. (This basically means that a user can only be connected to resources published by PortWise; for example, a user would be able to connect to PortWise but not browse the Internet at the same time.)
• Only route traffic with an internal destination through the PortWise Access Point, and route other traffic through additional interfaces.
Symantec Sygate Secure Desktop is a third-party application that offers a virtual encrypted workspace. Once the session is completed, the virtual workspace is destroyed and with it any traces. For more information see www.sygate.com.
Symantec Confidence Online is another third-party application that delivers a new form of end-point protection against Trojans, worms and malicious spyware. For more information see www.wholesecurity.com.
Platform Support
PortWise End-Point Integrity and Protection is delivered using ActiveX and/or Java and supports Microsoft Windows platforms.