Avaya Secure Remote Access User Manual, Page 17

Secure Remote Access Technical Solution Guide v1.0
• Required operating system type, version and service pack level: Checking for baseline
  client operating system type, version, and service pack level assures compatibility and
  prevents older, potentially vulnerable systems from connecting. You can also check for
  specific patches when known vulnerabilities have been addressed by software patches.
• If you are using third-party software compliance and software management tools, you
  can check that they are installed and active.

If any of the compliance checks fail, based on the user role and risk factors you can:
• disconnect the user immediately
• provide limited access to a restricted set of applications
• provide access to a remediation portal to correct security software and operating system
  compliance issues
You can deploy TunnelGuard for SSL-VPN users through a clientless agent that runs in the
browser during network connection. IPsec users require the TunnelGuard agent installed on the
client PC in addition to the VPN Client software.
Design recommendation: All remote access users must be running the minimal set of host
security software and operating system patches. Antivirus and personal firewall software are a
must. Use TunnelGuard to enforce remote system endpoint compliance prior to network
admission.
4.2.1.4 Audit and accounting
Use network-based logging of user and administrative actions to:
• Provide an authoritative audit trail of administrative access and all configuration changes
• Provide a record of all successful and failed user access attempts
• Provide a record of all sessions, including start/stop times
• Provide a record of all access attempts that violate access controls; for example,
  attempts to access applications or network resources that a user is not authorized to
  access
4.2.1.4.1 Logs
The primary network-based logging mechanism is syslog. In general, all authentication requests
and resulting actions should be logged to a network-based syslog server. For troubleshooting
purposes, the VPN Gateway supports a traffic log facility that can log all web-based access to
URLs and file shares. The traffic log logs all access requests, not just access violations. This
facility can generate a large amount of log information and reduce system capacity, so use it only
as needed or when strict access logging is required.
See Appendix C of the VPN Gateway User’s Guide for a complete list of supported syslog
messages.
For more information on syslog and traffic log, see the “Syslog and Traffic Log” Technical Tip at
the Nortel customer support portal (www.nortel.com/cs) in the VPN Gateway 3050 documentation
area.
4.2.1.4.2 Accounting
The supported accounting mechanism is RADIUS accounting. Start and stop records are
recorded for each user session.
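
As an added example (not from the guide or from Avaya/Nortel), the following Python code reconciles the Start and Stop accounting records described above into sessions with start/stop times and lists records that have no matching partner, which is the gap an audit review would want surfaced. The record layout and sample values are constructed; the attribute names are standard RADIUS accounting attributes (RFC 2866, with Event-Timestamp from RFC 2869).

```python
import re

# Constructed sample records (not from the guide): one blank-line-separated
# block per accounting packet; Event-Timestamp is given as epoch seconds.
SAMPLE = """\
User-Name = "alice"
Acct-Status-Type = Start
Acct-Session-Id = "a1"
Event-Timestamp = 1000

User-Name = "bob"
Acct-Status-Type = Start
Acct-Session-Id = "b7"
Event-Timestamp = 1060

User-Name = "alice"
Acct-Status-Type = Stop
Acct-Session-Id = "a1"
Event-Timestamp = 1900

User-Name = "carol"
Acct-Status-Type = Stop
Acct-Session-Id = "c3"
Event-Timestamp = 2000
"""

def parse_records(text):
    """Split blank-line-separated blocks into attribute dictionaries."""
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = re.findall(r'^\s*([\w-]+)\s*=\s*"?([^"\n]*)"?\s*$', block, re.M)
        if pairs:
            yield dict(pairs)

def reconcile(records):
    """Pair Start/Stop by (user, session id); return (sessions, unclosed, orphan_stops)."""
    open_starts, sessions, orphan_stops = {}, [], []
    for rec in records:
        key = (rec["User-Name"], rec["Acct-Session-Id"])
        ts = int(rec["Event-Timestamp"])
        if rec["Acct-Status-Type"] == "Start":
            open_starts[key] = ts
        elif rec["Acct-Status-Type"] == "Stop":
            start = open_starts.pop(key, None)  # None: Stop with no Start seen
            (sessions if start is not None else orphan_stops).append((*key, start, ts))
    unclosed = [(*k, ts, None) for k, ts in open_starts.items()]
    return sessions, unclosed, orphan_stops

if __name__ == "__main__":
    print(reconcile(parse_records(SAMPLE)))
```

Each tuple is (user, session id, start, stop); a Start with no Stop may be a session still open or a lost accounting packet, so compare it against the gateway's syslog authentication records before drawing conclusions.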