Method and system to enhance security of Virtual Private Networks

IP.com Disclosure Number: IPCOM000176855D
Original Publication Date: 2008-Nov-25
Included in the Prior Art Database: 2008-Nov-25
Document File: 3 page(s) / 29K

Publishing Venue

IBM

Abstract

This article deals with a method for managing Virtual Private Network connections from a security point of view. According to the proposed idea the system is checked against a runtime security policy that must be satisfied before granting an effective access to the network.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 42% of the total text.

Nowadays corporate investments in IT security are becoming critical, since protecting sensitive business information against intrusions can be vital to the survival of the business itself. At the same time, the complexity of business and recent labor legislation require setting up technical means - in the form of broadband Virtual Private Networks - to enable remote working.

Even though such networks are usually kept secure through validation of user credentials, data encryption and certificate handshaking, security holes local to the connected clients may compromise data confidentiality, integrity and availability. Consider, for example, a remote client whose Operating System password is not set: someone not authorized could log in, connect to the Virtual Private Network using the credentials stored in the connection form, access the organization intranet and compromise sensitive data.

This risk can be significantly mitigated if, any time a connection to the Virtual Private Network is initiated, a system scan is automatically performed to check the remote client's compliance with the organization's security policy, and the connection is granted or refused depending on the results of that check.

Connection of remote clients to Virtual Private Networks (from now on VPNs) is performed and managed by VPN clients, which store VPN server information, connection settings and security certificates, and authenticate the client to the VPN server using all this data together with the access credentials provided by the user.

It is an object of the current disclosure to provide a method and system to automatically scan the remote client before attempting a VPN connection; check the scan results against a security policy stored locally; and, depending on the results of that check, actually send the connection request to the VPN server, where it is then further checked against a connection permission policy.

The VPN client is a usual VPN remote client. The local security scan is performed by a VPN client plug-in that is able to call the Operating System to get information such as, for example, the hard-drive and Operating System passwords, the screen saver configuration, the network shares and the install status of security patches; and to query some key applications for information such as antivirus presence, update policy and status; firewall presence and configuration; e-mail client password encryption settings, etc. The VPN client plug-in can also detect all active processes of applications that are not allowed by approved configuration standards (such as, for example, p2p or VoIP clients). The user will then be prompted to suspend/hibernate them (if any) in order to proceed with the connection; in case of suspension/hibernation, the processes will be woken up again by the VPN client plug-in when the VPN connection is terminated by the VPN client.
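The policy check the plug-in performs, as an added example in Python that is not part of the disclosure: the policy layout, the attribute names, the sample scan and the list of disallowed process names are all constructed assumptions, since the text names the checks but gives no format. The check fails closed, so an attribute the scan did not report blocks the connection just as a failed check does.

```python
from dataclasses import dataclass, field

# Constructed locally stored security policy (the disclosure names the checks
# but no format, so this layout is an assumption): a boolean value must match
# exactly, an integer value is an upper bound on what the scan reports.
POLICY = {
    "os_password_set": True,
    "screensaver_password_required": True,
    "firewall_enabled": True,
    "antivirus_present": True,
    "antivirus_signature_age_days": 7,
    "missing_critical_patches": 0,
    "writable_network_shares": 0,
}
# Processes not allowed during a VPN session (constructed p2p/VoIP examples).
DISALLOWED_PROCESSES = {"utorrent", "bittorrent", "skype"}

@dataclass
class Decision:
    allowed: bool                                   # policy satisfied?
    violations: list = field(default_factory=list)  # failed checks
    to_suspend: list = field(default_factory=list)  # processes to suspend first

def check_policy(scan: dict, policy: dict = POLICY) -> list:
    """Return the checks the scan fails. An attribute the scan did not
    report counts as a failure, so the check fails closed."""
    violations = []
    for key, required in policy.items():
        if key not in scan:
            violations.append(f"{key}: not reported by scan")
        elif isinstance(required, bool):
            if scan[key] is not required:
                violations.append(f"{key}: expected {required}, found {scan[key]}")
        elif scan[key] > required:
            violations.append(f"{key}: {scan[key]} exceeds limit {required}")
    return violations

def disallowed_running(processes) -> list:
    """Active processes the user must suspend/hibernate before connecting."""
    return sorted({p.lower() for p in processes} & DISALLOWED_PROCESSES)

def evaluate(scan: dict, processes) -> Decision:
    """Policy must hold to connect; to_suspend lists processes the user is prompted to suspend."""
    violations = check_policy(scan)
    return Decision(not violations, violations, disallowed_running(processes))

# Constructed scan of a laptop with no OS password and stale antivirus data.
SAMPLE_SCAN = {"os_password_set": False, "screensaver_password_required": True,
               "firewall_enabled": True, "antivirus_present": True, "antivirus_signature_age_days": 12,
               "missing_critical_patches": 0, "writable_network_shares": 0}
```

Only when `allowed` is true and `to_suspend` is empty (or its processes have been suspended) does the plug-in hand the connection request over to the VPN client.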

The security policy is usually defined by the...