Microsoft Takes Aim at Endpoint

Microsoft says Network Access Protection (NAP), SSL VPN gateway will play nicely together

LAS VEGAS -- Interop -- If you didn't look closely, you may have missed Microsoft's new beta version of its SSL VPN gateway product amid the company's splashy network access control (NAC) announcement here this week. But the software giant says SSL VPN technology is here to stay.

Although NAC is likely to eventually take over many of the security duties SSL VPNs perform today, Microsoft has no intention of letting its SSL VPN technology get overshadowed altogether, officials say. (See Vendors Get Their NAC Together, NAC Vendors in the Hot Seat, and Security Enforcement, The Cooperative Way.)

Microsoft product executives gave Dark Reading a glimpse of just how the two technologies will work together in an interview here.

"Some use their SSL VPN as a NAC" today, says Joel Sloss, senior product manager for ISA Server. Microsoft has already released the technical beta version of its latest SSL VPN product, Intelligent Application Gateway (IAG) 2007 SP1, he notes.

SSL VPNs are the precursors to NAC, Microsoft execs say. "The first place you saw 'NAC' was in remote access gateways," says Mike Schutz, director of product management for Microsoft. "Then threats started literally walking through the door, not just at the gateway."

That's, of course, where NAC comes in. The two will work hand-in-hand, with the SSL VPN gateway throttling down the level of access, Sloss says. "The gateway will dial down the level of access, and NAC/NAP will handle the 'in' or 'out'" policy for a client on the network.

Microsoft envisions the two products as a "single solution" for remote access and NAC policy enforcement. With a combination of the two, "you can manage access... and have application security, and control what the user does" and has access to, he says.

Sloss notes that Whale Communications -- the SSL VPN vendor Microsoft acquired last year and whose product is the basis of IAG -- was originally a Microsoft NAP partner. So integration of the two products won't be a big deal. And IAG -- like Microsoft's NAP -- will be fully integrated with Windows Server 2008, he says.

But some security experts say SSL VPN tools could get marginalized in the NAC age, as more robust NAC boxes sitting behind the SSL VPN gateway will take over some of the security functions of the gateway, such as enforcing compliance of remote clients. Today, SSL VPNs, NAC boxes, and other policy-based devices all work separately, and there can be overlap.

The advantage of running both SSL VPN gateways and NACs, of course, is a system of checks and balances, where the SSL VPN authenticates remote users and devices, and the NAC handles the "posture-checking" of all of the client machines, industry experts say. The NAC would have to clear the client before it hits the VPN gateway, for instance.

In a NAC vendor panel earlier this week, Paul Mayfield, group program manager for Microsoft, said the "ultimate promise of NAC is to provide a policy framework" that unifies NAC, VPN gateways, and wireless security.

Meanwhile, the new beta version of Microsoft's IAG 2007 comes with support for Microsoft Windows Vista, Mobile 5.0, Active Directory Federation Services, and Forefront Client. It also comes with a simplified authentication feature and twice the throughput of previous versions, according to Microsoft. Microsoft also announced a new lineup of OEMs for the product, including Pyramid Computer GmbH, nAppliance Networks, SurfControl, Mendax Microsystems, and Baosight.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Microsoft Corp. (Nasdaq: MSFT)
  • SurfControl plc