Microsoft Takes Aim at Endpoint

Microsoft says Network Access Protection (NAP), SSL VPN gateway will play nicely together

LAS VEGAS -- Interop -- If you didn't look closely, you may have missed Microsoft's new beta version of its SSL VPN gateway product amid the company's splashy network access control (NAC) announcement here this week. But the software giant says SSL VPN technology is here to stay.

Although NAC is likely to eventually take over many of the security duties SSL VPNs perform today, Microsoft has no intention of letting its SSL VPN technology get overshadowed altogether, officials say. (See Vendors Get Their NAC Together, NAC Vendors in the Hot Seat, and Security Enforcement, The Cooperative Way.)

Microsoft product executives gave Dark Reading a glimpse of just how the two technologies will work together in an interview here.

"Some use their SSL VPN as a NAC" today, says Joel Sloss, senior product manager for ISA Server. Microsoft has already released the technical beta version of its latest SSL VPN product, Intelligent Application Gateway (IAG) 2007 SP1, he notes.

SSL VPNs are the precursors to NAC, Microsoft execs say. "The first place you saw 'NAC' was in remote access gateways," says Mike Schutz, director of product management for Microsoft. "Then threats started literally walking through the door, not just at the gateway."

That's, of course, where NAC comes in. The two will work hand-in-hand, with the SSL VPN gateway throttling down the level of access, Sloss says. "The gateway will dial down the level of access, and NAC/NAP will handle the 'in' or 'out'" policy for a client on the network.

Microsoft envisions the two products as a "single solution" for remote access and NAC policy enforcement. With a combination of the two, "you can manage access... and have application security, and control what the user does" and has access to, Sloss says.

Sloss notes that Whale Communications -- the SSL VPN vendor Microsoft acquired last year and whose product is the basis of IAG -- was originally a Microsoft NAP partner. So integration of the two products won't be a big deal. And IAG -- like Microsoft's NAP -- will be fully integrated with Windows Server 2008, he says.

But some security experts say SSL VPN tools could get marginalized in the NAC age, as more robust NAC boxes sitting behind the SSL VPN gateway will take over some of the security functions of the gateway, such as enforcing compliance of remote clients. Today, SSL VPNs, NAC boxes, and other policy-based devices all work separately, and there can be overlap.

The advantage of running both SSL VPN gateways and NACs, of course, is a system of checks and balances, where the SSL VPN authenticates remote users and devices, and the NAC handles the "posture-checking" of all of the client machines, industry experts say. The NAC would have to clear the client before it hits the VPN gateway, for instance.

In a NAC vendor panel earlier this week, Paul Mayfield, group program manager for Microsoft, said the "ultimate promise of NAC is to provide a policy framework" that unifies NAC, VPN gateways, and wireless security.

Meanwhile, the new beta version of Microsoft's IAG 2007 comes with support for Microsoft Windows Vista, Mobile 5.0, Active Directory Federation Services, and Forefront Client. It also comes with a simplified authentication feature and twice the throughput of previous versions, according to Microsoft. Microsoft also announced a new lineup of OEMs for the product, including Pyramid Computer GmbH, nAppliance Networks, SurfControl, Mendax Microsystems, and Baosight.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
