I faced a strange feeling a few days ago… I received a notification from a colleague about a scheduled upgrade of the SSL VPN solution deployed by my company. As I’m a mobile user, I use this SSL VPN daily (and often more than 8 hours a day!). The upgrade covered not only the software but also the security policies in place, which now included a “host check”.
Bundled with the classic user authentication, the goal of the “host checker” feature is to deny or restrict access to resources based on the type of terminal trying to establish the VPN session. Basically, the available checks are:
- Presence of an anti-virus and up-to-date signatures
- Presence and activation of a firewall
- Presence of a specific running process
- Presence of a specific key in the Windows registry
- Being part of a specific Microsoft domain
Practically, it means that a corporate laptop will have more access rights than a public PC running in a cyber-café.
When I tried to connect after the upgrade, my access was denied: my host was not compliant with the new policy in place. My laptop is clean and properly managed, but the SSL VPN definitely refused to grant me the regular access I needed. I successfully connected to my office resources by another means and fixed my computer to match the required stuff. No big deal! But at the same time, I started to realize how frustrating it can be for regular users…
As Infosec professionals, our goal is to ensure that the business runs smoothly, not only by properly protecting the organization’s assets but also the access to them. It’s the “A” for Availability in the CIA triad (“Confidentiality, Integrity and Availability”). Too often, InfoSec pros forget the impact of new security measures on regular users. Guys, even if users are “dumb” and do things which can have a severe impact on our business, from time to time come down off your pedestal!
Try to switch your brain from kernel mode to userland mode and imagine the consequences in case of changes. It’s extremely difficult and, honestly, I’m certainly not the best at this exercise, but it may be constructive from time to time. Don’t misunderstand me, I never said that all security controls must be disabled! But at least be prepared to face end users’ questions and remarks!