VPN Analysis From AlgoSec Gives Policy Insight

"I think customers typically turn a blind eye until they're forced to look," said Joseph Dell, president and CEO of Lightwave Security, an Atlanta-based solution provider. "That's not the way to do it."

Dell said visibility and insight into the policies and rules running on the VPN have become necessary, not only to ensure customers' networks are secure, but also as an assessment service he can offer clients.

On Tuesday, Reston, Va.-based vendor AlgoSec unveiled the latest look in its network security arsenal, the VPN Analyzer. According to AlgoSec co-founder and CTO Avishai Wool, VPN Analyzer gives insight into VPN policies, ultimately improving overall security and efficiency. VPN Analyzer works with firewalls from major vendors like Cisco Systems, Check Point and Juniper Networks to enhance firewall operations and security risk management in a firewall VPN infrastructure.

The VPN Analyzer enhances AlgoSec's existing Firewall Analyzer suite, which was designed to automate some of the complexity involved in firewall, router and VPN administration. The VPN and firewall analysis software works across all platforms from Cisco, Check Point and Juniper, Wool said.

VPN Analyzer improves management of remote users and VPN site-to-site connections and helps users view risky VPN rules relative to industry standards. It also helps remove security vulnerabilities from the VPN configuration and can clean up that configuration to improve performance. Using the analyzer, users and VARs can offer real-time monitoring and track changes in VPN configuration and meet VPN compliance requirements in PCI DSS, SOX and other regulations, Wool said.

Wool added that the inclusion of VPN policy analysis was a natural extension of AlgoSec's existing firewall tools.

"As with firewall policy, VPN policy configuration is based on rules, contains definitions of objects and has time-dependent characteristics," Wool said. "Enterprises that rely on a VPN gateway may find that over time, VPN definitions become large, complex and hard to manage. Adding users while creating and changing VPN rules increases the complexity of the policy and could inject risk and hurt performance."

VPN Analyzer lets users and VARs view rules from the firewall policy that relate to the VPN; view a list of VPN user groups and the rules associated with each group; view VPN users, their authentication method, the groups they belong to, the expiration date and encryption characteristics; and view all VPN communities linked to firewalls, their encryption characteristics and the rules associated with them. Wool added that users can also view all users whose credentials have expired and can no longer log in; user groups that are not associated with any rules; and users who are not associated with any rules.

The application sets up off-line, easing deployment and uses a Web-based user interface that gives visibility into hidden risks in VPN and firewall policy.

Dell said he can generate reports that assess exactly what's going on VPNs and firewalls, adding that firewalls from many top vendors, like those supported by VPN Analyzer, have weak reporting tools built in.

"I can simplify my assessment services and reduce them from three to five days to a couple of hours," Dell said. "That's been beneficial and profitable so far. Everyone has firewalls, so every can relate to having to make them better. It's very easy to wrap professional services around it."

Wool said the goal of VPN Analyzer is "figuring out what you have" in order to clean up rules and policies and assess potential risks. He sees three potential inroads for solution providers: VARs can sell the software; consultants can use it for assessments; and MSPs can add VPN Analyzer as a service.