Work-at-homers and road warriors often violate enterprise security policies, either knowingly or not. At many companies, punitive actions such as firing the employee just aren't in the cards. To the relief of many network managers, though, software vendors are producing tools that can detect - and even prevent - security infractions from afar.
In one of the most common types of policy abuse, remote users break the rules by either uninstalling or disabling standard security applications such as antivirus programs and personal firewalls. Other violations include using forbidden software applications and failing to install antivirus updates and patches.
Emerging remedies from software vendors fall into several different categories. Some vendors, such as Configuresoft, provide tools for configuration change management. Others, such as InfoExpress, have come out with centrally administered remote access firewalls. Meanwhile, software makers like CheckPoint and SafeNet are building personal firewall technology directly into their VPN clients.
Many infractions by remote users are probably unintentional. "Most people don't want to violate policies. They just don't know what the policies are," says Axel Haentjens of Equant.
Remote users become unwitting victims by letting colleagues borrow their laptops, or by sharing their home PCs with family members. "Teenaged children can do a lot of software damage," notes Bob Hansmann, enterprise product manager for Trend Micro.
In other situations, though, violators seem to be more directly to blame. Buried by e-mails from just about everywhere, many corporate employees ignore messages from their corporate IT departments.
"People are intrinsically lazy. They're inundated, anyway. They don't want to be bothered to update their antiviral software to the latest definitions," says Nortel VP Marie Hattar.
Some employees avoid taking time out to call the company help desk when software starts acting up, preferring to try to get rid of pesky or balky applications on their own.
"Security applications can be intrusive. Maintenance is required, as well. A fairly large percentage of end users will run into problems with software, and a certain percentage of those people will just uninstall or disable it," says Stacey Lum, CEO of InfoExpress.
Some companies have responded with "social engineering" approaches, stipulating that employees can be terminated for violating security policies, for instance.
Realistically, though, you can't always assume that a company will take punitive action for minor policy violations, especially if the perpetrator is a high ranking executive.
"A CEO isn't about to say to a company VP, 'Your sales were great this year. You did a million dollars this quarter alone. But because you didn't update your antivirus definitions last week, I'm afraid you're going to have to take a salary cut,'" says Lum.
"It can be much more effective to use technologies which ensure that remote clients comply with policies," according to Nortel's Hattar.
With that goal in mind, a number of VPN specialists have been including personal firewall technology with their client software.
SafeNet, for example, has integrated its SoftRemote client software with Zone Alarm's personal firewall. Using SoftRemote, an administrator can require ZoneAlarm to be enabled before letting a user establish a VPN session.
Some VPN vendors, including SafeNet, are also permitting administrators to create custom installations of the VPN client, with security policies already enabled for distribution to end users. According to Chris Welles, development manager, SoftRemote runs on older Windows 95/98/NT PCs, as well as Windows 2000 and XT systems.
Many customers aren't using VPNs yet, though. To that end, InfoExpress is selling a remote access firewall called CyberGatekeeper, which works with either dial-up or VPN connections.
According to Lum, CyberGatekeeper checks for applications such as antivirus software and personal firewalls before granting a user access to the corporate network. Perpetrators get a message from InfoExpress telling them that a needed application isn't running. If users disable security applications after VPN log in, CyberGatekeeper will boot them off the network.
With a configuration change manager called Enterprise Configuration Manager (ECM), Configuresoft takes a different approach to end user misdeeds. According to Randy Streu, VP of product management, Configuresoft has worked closely with Microsoft to make sure ECM adds to, rather than duplicates, capabilities already present in Windows OS.
Major features of ECM include enterprise views of Windows 2000/NT/XP configuration data; change management; security auditing; and automated deployment of security patches.
"(Microsoft's) SMS is a better tool for deploying actual applications, for instance. We focus instead on remote installation of patches and updates," Streu acknowledges.
ECM uses agent-based technology to collect configuration data on up to 10,000 managed devices. Whether the managed device is a server, a desktop PC, or a laptop, administrators can be alerted when key configuration settings have changed.
"You can set up e-mail or pager alerts, for example, for any events you specify. ECM will then bring you into its change log, where you can get detailed information about the events," says Tony DeVoto, NT systems administrator at Volvo, and an ECM user for the past year-and-a-half. In the future, DeVoto also plans to try out RippleTech's LogCaster, another systems management tool capable of change management.
For their part, ECM users can opt to be alerted whenever new shares are created, or whenever there's been a revocation of user rights, for instance.
In November of 2001, Configuresoft released an add-on called Security Update Manager (SUM), which integrates Configuresoft's own configuration database with Microsoft's XML-based patch management database.
Another ECM add-on, Windows 9x Migration Planner, is designed to help resolve configuration issues between Windows 2000 and earlier Windows products.
"With Security Update Manager, you can ask, for example, 'Which of my 1,700 machines are vulnerable to that particular virus?' You'll get an answer back in 60 seconds about recommended patches," says Streu. Administrators can then use Configuresoft's software for centralized deployment of patches to desktops and servers.
"Up to this point, a lot of end users haven't even been listening to what IT says. Companies have been rewarding these employees, in effect, by letting them get away with this behavior. Now, though, administrators can start to use technology to turn the tables," sums up Lum.