Imagine all of your network and security devices working as a unit to enforce security policy. That's the vision of "cooperative policy enforcement," an emerging concept being promoted by Aventail.
Aventail late this summer or early fall will add SOAP-based interfaces to its SSL VPN gateways that will support cooperative policy enforcement among its products and other networking and security tools, Dark Reading has learned.
While network admission control (NAC) is emerging and there are many different policy enforcement tools available, there still isn't a common, coordinated structure for enforcing policy across all devices. Chris Hopen, CTO of Aventail, says the key is having a broader policy that aggregates the traditionally separate policies of firewalls, routers, switches, VPN gateways, and NAC boxes.
CheckPoint Software already offers a similar approach with its Integrity NAC products. It integrates policy elements of NACs and gateways, for instance, using IEEE 802.1x standards, says Rich Weiss, director of endpoint marketing for CheckPoint. "Any NAC approach has to work in different environments, whether it's Aventail, CheckPoint, etc."
Some industry analysts consider cooperative policy a natural progression. "Cooperative policy has to happen. It's not even a question of if, but of when. You have many network assets as an organization -- firewalls, routers, switches, VPN gateways -- and each of those should be able to enforce policy, not just any one," says Robert Whiteley, senior analyst for enterprise networking at Forrester Research. "Most NAC products make you choose one of those" to do enforcement, he says.
But cooperative policy is a concept that ensures that not just one vendor "owns" policy, Whiteley says. "There's more of a federated model, and all infrastructure knows in real-time to execute that policy."
Hopen says the idea is to use existing standard interfaces -- XML and OASIS SOAP standards -- through which devices share their policy information. He concedes this won't be an overnight transition: "This is just beginning to build momentum, and we have some time and some market validation which needs to occur before people will invest in creating a common set of SOAP interfaces for various policy devices."
But security analysts say Aventail -- one of the few pure VPN vendors left, with most having been swallowed up by the big security players -- may be turning to cooperative policy enforcement more as a way to keep its gateway products and market position from becoming marginalized in the NAC age. "VPN vendors have a lot to lose if they don't adapt to this model. A lot of advanced security functions in SSL VPNs may get turned off if you have a more robust NAC sitting directly behind it," Whiteley says.
And policy enforcement is currently nowhere near meltdown, says Alan Shimmel, chief strategy officer for NAC vendor StillSecure. The argument for a cooperative policy model, then, may be a bit premature.
Shimmel says the real policy headache may be more of a people problem. "When you have multiple products with multiple enforcement [policies], you can coordinate them -- assuming you have the same group of people setting up these policies," he says. "But often, the SSL VPN is handled by one group and the internal LAN access by another, and they may not communicate nor have the same goals. So it may be more of a social problem than a technology problem."
Meanwhile, VPN gateways, NAC devices, and other policy-driven devices are all doing their own thing today. That may not be such a bad thing for SSL VPN and NAC systems, though, according to Shimmel. "The SSL VPN is authenticating people and devices, but not doing posture-checking -- it's relying on the NAC to do that behind it." And a user or device must get the green light from the NAC before it hits the VPN gateway, he says.
Aventail's Hopen argues that cooperative policy enforcement is both a security and an operational efficiency issue. "Those who have to manually correlate security data to VPN users" from firewalls and IPSes, for instance, consider this a labor-saving approach, he says.
With cooperative policy enforcement, the policy servers on each security device can share security problems they find and take action to fix them, he says. When an IPS sitting behind the VPN gateway detects a problem, for instance, it can work with the gateway to pinpoint the source: "So when the IPS raises an event and says here's malicious traffic, that device can then make a SOAP call back to us, query us, and say 'what user is responsible for injecting this traffic into the network?'"
Then the offending user could automatically be blocked from the network or certain service. "This is beyond reporting and more about taking action," he says. "Today devices do not allow any visibility into their policy decisions, let alone providing a mechanism for allowing another network device to control or dictate changes to the policy behavior."
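As an added illustration (not Aventail's code and not from the article), here is a minimal Python model of the exchange Hopen describes: the IPS raises an event, sends a SOAP query to the gateway naming the offending source address, and the gateway resolves it to the authenticated user and blocks that session. The operation, element names, namespace and session table are hypothetical and constructed for the example; only the SOAP 1.1 envelope layout is standard.

```python
# Added example: a toy model of the IPS -> SSL VPN gateway SOAP exchange.
# The POLICY_NS namespace, operation and element names are hypothetical
# placeholders; only the SOAP 1.1 envelope structure is the real standard.
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
POLICY_NS = "urn:example:cooperative-policy"  # hypothetical namespace

# Constructed gateway session table: which authenticated user holds which VPN address.
SESSIONS = {"10.8.0.12": {"user": "alice", "session": "s-1001", "blocked": False},
            "10.8.0.47": {"user": "bob", "session": "s-1002", "blocked": False}}

def build_query(src_ip):
    """IPS side: wrap a 'which user owns this source address?' request in a SOAP envelope."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    req = ET.SubElement(body, f"{{{POLICY_NS}}}LookupUserRequest")
    ET.SubElement(req, f"{{{POLICY_NS}}}SourceAddress").text = src_ip
    return ET.tostring(env, encoding="unicode")

def handle_query(xml_text):
    """Gateway side: parse the envelope, map the address to a session, reply or return a SOAP Fault."""
    root = ET.fromstring(xml_text)
    addr = root.findtext(f".//{{{POLICY_NS}}}SourceAddress")
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    sess = SESSIONS.get(addr)
    if sess is None:
        # Unknown address: answer with a standard SOAP Fault rather than guessing a user.
        fault = ET.SubElement(body, f"{{{SOAP_NS}}}Fault")
        ET.SubElement(fault, "faultcode").text = "Client"
        ET.SubElement(fault, "faultstring").text = f"no session for {addr}"
    else:
        resp = ET.SubElement(body, f"{{{POLICY_NS}}}LookupUserResponse")
        ET.SubElement(resp, f"{{{POLICY_NS}}}User").text = sess["user"]
        ET.SubElement(resp, f"{{{POLICY_NS}}}Session").text = sess["session"]
    return ET.tostring(env, encoding="unicode")

def attribute_and_block(src_ip):
    """Full exchange: IPS asks, gateway answers, and the matching session is blocked on a hit."""
    reply = ET.fromstring(handle_query(build_query(src_ip)))
    user = reply.findtext(f".//{{{POLICY_NS}}}User")
    if user is None:
        return None  # unattributed traffic: nothing for the gateway to act on
    SESSIONS[src_ip]["blocked"] = True
    return user
```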
Kelly Jackson Higgins, Senior Editor, Dark Reading