AlgoSec Targets Security Weaknesses in VPN Configurations

AlgoSec VPN Analyzer allows users to analyze VPN configurations for security weaknesses.

AlgoSec has expanded the capabilities of its firewall analyzer to provide deeper insight into VPN settings to improve security and management.

The technology, called AlgoSec VPN Analyzer, is meant to fill a gap in VPN products by helping users analyze their VPN settings for security weaknesses. It has been added to Version 4.3 of the company's Firewall Analyzer product released earlier this month, and is available with either the Risk or Optimization modules. AlgoSec Firewall Analyzer is built to help users automate aspects of firewall, router and VPN administration across Cisco, Check Point and Juniper products.

"The focus of the Firewall Analyzer's VPN analysis capability is to provide visibility, analyze risk and support cleanup operations of VPN definitions that are on the firewall--both point-to-point and remote-user VPNs," said Avishai Wool, AlgoSec chief technology officer. "The vendors have convenient methods of adding new definitions, or editing existing ones. They do not have good capabilities in reporting and analysis of these definitions. It is quite difficult to find out what access does user Bob have or which users have access through rule 17."

In addition to providing real-time monitoring and the ability to track configuration changes, users can also compare their VPN rules to industry standards and eliminate security vulnerabilities from the VPN configuration.

Wool explained it this way: "We have to remember that a VPN is just an encrypted pipe that usually requires authentication to get into. But once the VPN is established, anything can pass through it. So, for instance, if a VPN is established from a user's home net to the corporation, in principle anything that is running on the home net can potentially enter the corporate net."

Clearing Out the Clutter

By default the AlgoSec Firewall Analyzer looks at the traffic allowed through the VPN based on the rules but does not flag risks for such traffic--essentially whitelisting all traffic traversing a VPN. But for more security-conscious organizations this behavior can be overridden on a risk-by-risk basis, allowing the organization to use the full power of the AFA's knowledge base of risky traffic on VPN traffic, Wool said.

Over time, VPN configurations become full of clutter, he added.

"You can find users whose access has expired, users that do not belong to any user groups, which means that they have no access, user groups that are not connected to any rule so they are just dead wood," he said. "The AFA VPN analysis finds all these floating definitions and highlights them in an easy-to-navigate report that allows quick drill-down too."

The product also allows users to view rules from the firewall policy that relate to the VPN, lists of VPN users and user groups, as well as the rules associated with each group.