Work-at-homers and road warriors often violate enterprise security
policies, either knowingly or not. At many companies, punitive actions such
as firing the employee just aren’t in the cards. To the relief of many
network managers, though, software vendors are producing tools that can
detect – and even prevent – security infractions from afar.
In one of the most common types of policy abuse, remote users break the
rules by either uninstalling or disabling standard security applications
such as antivirus programs and personal firewalls. Other violations include
using forbidden software applications and failing to install antivirus
updates and patches.
Emerging remedies from software vendors fall into several different
categories. Some vendors, such as Configuresoft, provide tools for
configuration change management. Others, such as InfoExpress, have come out
with centrally administered remote access firewalls. Meanwhile, software
makers like Check Point and SafeNet are building personal firewall
technology directly into their VPN clients.
Many infractions by remote users are probably unintentional. “Most people
don’t want to violate policies. They just don’t know what the policies
are,” says Axel Haentjens of Equant.
Remote users become unwitting victims by letting colleagues borrow their
laptops, or by sharing their home PCs with family members. “Teenaged
children can do a lot of software damage,” notes Bob Hansmann, enterprise
product manager for Trend Micro.
In other situations, though, violators seem to be more directly to blame.
Buried by e-mails from just about everywhere, many corporate employees
ignore messages from their corporate IT departments.
“People are intrinsically lazy. They’re inundated, anyway. They don’t want
to be bothered to update their antiviral software to the latest
definitions,” says Nortel VP Marie Hattar.
Some employees avoid taking time out to call the company help desk when
software starts acting up, preferring to try to get rid of pesky or balky
applications on their own.
“Security applications can be intrusive. Maintenance is required, as well.
A fairly large percentage of end users will run into problems with
software, and a certain percentage of those people will just uninstall or
disable it,” says Stacey Lum, CEO of InfoExpress.
Some companies have responded with “social engineering” approaches,
stipulating that employees can be terminated for violating security
policies, for instance.
Realistically, though, you can’t always assume that a company will take
punitive action for minor policy violations, especially if the perpetrator
is a high-ranking executive.
“A CEO isn’t about to say to a company VP, ‘Your sales were great this
year. You did a million dollars this quarter alone. But because you didn’t
update your antivirus definitions last week, I’m afraid you’re going to
have to take a salary cut,’” says Lum.
“It can be much more effective to use technologies which ensure that remote
clients comply with policies,” according to Nortel’s Hattar.
With that goal in mind, a number of VPN specialists have been including
personal firewall technology with their client software.
SafeNet, for example, has integrated its SoftRemote client software with
ZoneAlarm’s personal firewall. Using SoftRemote, an administrator can
require ZoneAlarm to be enabled before letting a user establish a VPN
Some VPN vendors, including SafeNet, are also permitting administrators to
create custom installations of the VPN client, with security policies
already enabled for distribution to end users. According to Chris Welles,
development manager, SoftRemote runs on older Windows 95/98/NT PCs, as well
as Windows 2000 and XP systems.
Many customers aren’t using VPNs yet, though. To that end, InfoExpress is
selling a remote access firewall called CyberGatekeeper, which works with
either dial-up or VPN connections.
According to Lum, CyberGatekeeper checks for applications such as antivirus
software and personal firewalls before granting a user access to the
corporate network. Perpetrators get a message from InfoExpress telling them
that a needed application isn’t running. If users disable security
applications after VPN login, CyberGatekeeper will boot them off the
With a configuration change manager called Enterprise Configuration Manager
(ECM), Configuresoft takes a different approach to end user misdeeds.
According to Randy Streu, VP of product management, Configuresoft has
worked closely with Microsoft to make sure ECM adds to, rather than
duplicates, capabilities already present in the Windows OS.
Major features of ECM include enterprise views of Windows 2000/NT/XP
configuration data; change management; security auditing; and automated
deployment of security patches.
“(Microsoft’s) SMS is a better tool for deploying actual applications, for
instance. We focus instead on remote installation of patches and updates,”
ECM uses agent-based technology to collect configuration data on up to
10,000 managed devices. Whether the managed device is a server, a desktop
PC, or a laptop, administrators can be alerted when key configuration
settings have changed.
“You can set up e-mail or pager alerts, for example, for any events you
specify. ECM will then bring you into its change log, where you can get
detailed information about the events,” says Tony DeVoto, NT systems
administrator at Volvo, and an ECM user for the past year-and-a-half. In
the future, DeVoto also plans to try out RippleTech’s LogCaster, another
systems management tool capable of change management.
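
The kind of change alerting described for ECM can be pictured as a diff between two configuration snapshots, filtered by the events an administrator has subscribed to. The following is an added example, not Configuresoft code; the snapshot layout, event names and sample values are assumptions constructed for illustration.

```python
# Constructed snapshots of one managed device, as a hypothetical agent might report them.
BEFORE = {
    "shares": {"IPC$": "", "Reports": r"D:\Reports"},
    "user_rights": {"SeBackupPrivilege": ["Administrators", "Backup Operators"]},
    "services": {"antivirus": "running"},
}
AFTER = {
    "shares": {"IPC$": "", "Reports": r"D:\Reports", "Temp": r"C:\Temp"},
    "user_rights": {"SeBackupPrivilege": ["Administrators"]},
    "services": {"antivirus": "stopped"},
}

def diff_snapshots(before, after):
    """Return a change log of (event, category, item, old, new) tuples."""
    log = []
    for category in sorted(set(before) | set(after)):
        old, new = before.get(category, {}), after.get(category, {})
        for item in sorted(set(old) | set(new)):
            o, n = old.get(item), new.get(item)
            if o == n:
                continue
            if category == "user_rights":
                # Report each principal that lost or gained the right.
                for who in sorted(set(o or []) - set(n or [])):
                    log.append(("revoked", category, item, who, None))
                for who in sorted(set(n or []) - set(o or [])):
                    log.append(("granted", category, item, None, who))
            elif o is None:
                log.append(("added", category, item, None, n))
            elif n is None:
                log.append(("removed", category, item, o, None))
            else:
                log.append(("changed", category, item, o, n))
    return log

# Events the administrator opted in to, as (event, category) pairs (assumed format).
SUBSCRIPTIONS = {("added", "shares"), ("revoked", "user_rights"), ("changed", "services")}

def alerts(log, subscriptions=SUBSCRIPTIONS):
    """Keep only the change-log entries that match an alert subscription."""
    return [entry for entry in log if (entry[0], entry[1]) in subscriptions]

if __name__ == "__main__":
    for entry in alerts(diff_snapshots(BEFORE, AFTER)):
        print(entry)
```
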
For their part, ECM users can opt to be alerted whenever new shares are
created, or whenever there’s been a revocation of user rights, for
In November of 2001, Configuresoft released an add-on called Security
Update Manager (SUM), which integrates Configuresoft’s own configuration
database with Microsoft’s XML-based patch management database.
Another ECM add-on, Windows 9x Migration Planner, is designed to help
resolve configuration issues between Windows 2000 and earlier Windows
“With Security Update Manager, you can ask, for example, ‘Which of my 1,700
machines are vulnerable to that particular virus?’ You’ll get an answer
back in 60 seconds about recommended patches,” says Streu. Administrators
can then use Configuresoft’s software for centralized deployment of patches
to desktops and servers.
“Up to this point, a lot of end users haven’t even been listening to what
IT says. Companies have been rewarding these employees, in effect, by
letting them get away with this behavior. Now, though, administrators can
start to use technology to turn the tables,” sums up Lum.
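
The access check attributed to CyberGatekeeper earlier in the article (verify required security applications before granting access, then disconnect a user who disables them after login) can be sketched as follows. This is an added example, not InfoExpress code; the posture fields, the seven-day definition threshold and all names are assumptions.

```python
from dataclasses import dataclass, field

# Assumed policy for this sketch; the values are illustrative, not a vendor's.
POLICY = {
    "required_running": {"antivirus", "personal_firewall"},
    "max_av_definition_age_days": 7,
    "forbidden_software": {"p2p_client"},
}

@dataclass
class Posture:
    """What a hypothetical client agent reports about the remote machine."""
    running: set = field(default_factory=set)
    av_definition_age_days: int = 0
    installed: set = field(default_factory=set)

def violations(p, policy=POLICY):
    """Return human-readable reasons the client is out of policy."""
    found = []
    for app in sorted(policy["required_running"] - p.running):
        found.append(f"required application not running: {app}")
    if p.av_definition_age_days > policy["max_av_definition_age_days"]:
        found.append(f"antivirus definitions are {p.av_definition_age_days} days old")
    for app in sorted(policy["forbidden_software"] & p.installed):
        found.append(f"forbidden software installed: {app}")
    return found

def admit(p):
    """Pre-admission check: grant access only when there are no violations."""
    reasons = violations(p)
    return (not reasons, reasons)

def monitor(session_reports):
    """Post-login check over periodic reports; returns (index, reasons) for the
    first failing report, which is when the session is dropped, or None."""
    for i, report in enumerate(session_reports):
        reasons = violations(report)
        if reasons:
            return i, reasons
    return None

# Constructed sample posture reports.
compliant = Posture({"antivirus", "personal_firewall"}, 2, {"office_suite"})
stale = Posture({"antivirus", "personal_firewall"}, 21, {"office_suite"})
fw_off = Posture({"antivirus"}, 2, {"office_suite"})

if __name__ == "__main__":
    print(admit(compliant))
    print(admit(stale))
    print(monitor([compliant, compliant, fw_off]))
```

The reasons returned on denial are what the user would be shown, matching the article's point that the user is told which needed application isn't running.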