In today's increasingly mobile and BYOD workforce, ensuring that employees connect to corporate networks from secure devices is more critical than ever. Device posture is an assessment of a device's security state before it is allowed onto a network: whether it runs a patched operating system, whether antivirus software is installed and current, how its firewall and disk encryption are configured, and whether it has been jailbroken or rooted. By feeding device posture information into the VPN access decision, a business can ensure that only devices meeting its security standards reach the network, which helps keep out unauthorized devices and malware-infected endpoints.
What is device posture information?
Device posture information is data that describes the security state of a device. Among other things, it can tell an administrator or an access-control system:
- Which version of the operating system is currently running.
- Whether antivirus software is in place.
- The status of critical security patches.
- Whether the device has been jailbroken or rooted.
Benefits of using device posture
Device posture information is essential for several reasons. First, it can help to identify and mitigate security risks. For example, if a device is not up to date with security patches, it may be susceptible to known vulnerabilities. Second, device posture information can help to enforce compliance with security policies. For example, if an organization requires that all devices have antivirus software installed, device posture information can be used to verify that all users and devices are in compliance with this requirement.
There are several benefits to integrating device posture information into a VPN. It helps protect the network from unauthorized access and malware infections, and it ensures that only devices meeting specific security standards can connect. Device information can also be used to spot anomalies, enriching any behavioral analysis already in place. For example, if a user has always accessed a given application from a laptop, an additional identity check can be triggered when the same user tries to reach that application from a mobile device.
Three ways to integrate device posture
The integration possibilities depend on the capabilities of your VPN solution. Three options are presented here, along with some detail on how to make each of them work with our Access Server VPN solution.
Option 1: Delegate device posture policy management to an Identity Provider
One way to account for device posture before allowing a VPN connection is to let the Identity Provider (IdP) handle it as part of the authentication process. Once policies are enforced at the IdP, a successful user authentication with the IdP implies that the device met those policies at the time of login; the VPN server itself only sees the resulting assertion, so posture is re-evaluated only as often as the IdP re-authenticates the user. Major Identity as a Service (IDaaS) providers now support policies that consider device posture. IDaaS solutions can ingest device security posture information from third-party endpoint management systems, or they can deploy their own agents on devices to collect it.
Delegating device posture policy enforcement to the IdP is probably the easiest solution, as long as your VPN solution can use the IdP for authentication. Access Server, our self-hosted software VPN solution, works with all modern IDaaS offerings by supporting identity federation using SAML 2.0.
The benefit of this option is that you can configure policies in a central place, and that applies not only to the initial VPN connection but also to instances when the user needs to authenticate to use different applications.
Option 2: Use API with an external device posture information system
Suppose your VPN solution provides a programming hook to run your own code after authentication. In that case, you can retrieve the device posture information from an external endpoint management system or other security solution and base the final authentication decision on that information. Almost all popular endpoint management systems expose a REST API for this kind of integration.
Access Server provides a post-authentication programming interface that runs Python scripts to control the outcome of the authentication before the VPN connection is established. The script is triggered after user authentication and therefore can make the API request for device posture information once the user identity is authenticated and the device identification information has been received. Because the hook sits in the authentication path, decide up front how it should behave when the external system is unreachable or does not know the device; failing closed (denying the connection) is the safe default for a posture check.
Option 3: Develop your authentication logic with device information provided during the connection
OpenVPN protocol-compatible clients can push device information to the VPN server. This information can be used to develop an authentication logic that permits the VPN connection when specific criteria are met.
Some of the applicable data that can be used to make the determination based on device and client information are conveyed in the following variables, as described in the OpenVPN manual page under --push-peer-info (IV_HWADDR, IV_PLAT_VER and the UV_ variables are only sent when the client has --push-peer-info enabled):
- IV_VER=<version> -- the client OpenVPN version.
- IV_PLAT=[linux|solaris|openbsd|mac|netbsd|freebsd|win] -- the client OS platform.
- IV_GUI_VER=<gui_id> <version> -- the UI version of a UI if one is running, for example, "de.blinkt.openvpn 0.5.47" for the Android app.
- IV_HWADDR=<mac address> -- the MAC address of the client's default gateway.
- IV_PLAT_VER=x.y -- the version of the operating system, e.g. 6.1 for Windows 7.
- UV_<name>=<value> -- client environment variables whose names start with "UV_".
Using the information in these variables and a programming hook available from your VPN solution, you can implement policies such as:
- Restricting VPN access only to devices with a specific OS or specific version of the OS.
- Restricting VPN access only to authorized devices based on the device’s hardware address.
- Not allowing mobile devices to connect.
Keep in mind that all of these values are reported by the client itself, so a modified client can send whatever it likes; treat them as device identification and hygiene signals rather than proof of device identity, and combine them with user authentication and, where possible, an external posture source. The Access Server post-auth hook exposes this client information, and you can develop the appropriate post-auth logic by writing a simple Python script. An example of using a post-auth script to enforce device identity policy is available here.
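The following Python script is an added example written for this page; it is not Access Server's own code and not the example linked above. It implements the Option 3 policies listed above (platform allowlist, minimum OS version, hardware-address allowlist, no mobile devices) on the IV_* variables and, for Option 2, consults an external posture source through a pluggable lookup, here a constructed in-memory stand-in for an endpoint-management REST API. The policy values, the stand-in data and the mobile platform strings are assumptions; the post_auth() wrapper, the location of the peer info in attributes['client_info'] and the SUCCEED/FAIL status values follow the Access Server post-auth script convention as the author understands it and should be checked against the Access Server documentation before use.

```python
"""Device-posture checks for a VPN post-auth hook.  Added example, not
Access Server code; assumptions are marked in comments."""
import re
from typing import Callable, Mapping, Optional, Tuple

MOBILE_PLATFORMS = {"android", "ios"}  # assumption: Connect mobile IV_PLAT values

# Constructed policy.  Version floors are (major, minor) tuples checked
# against IV_PLAT_VER; a platform missing from that dict has no floor.
POLICY = {
    "allowed_platforms": {"win", "mac", "linux"},
    "min_platform_version": {"win": (10, 0), "mac": (12, 0)},
    "allowed_hwaddrs": {"00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"},
    "allow_mobile": False,
    "require_external_compliance": True,
}


def normalize_hwaddr(raw: Optional[str]) -> Optional[str]:
    """Canonicalize a MAC to lower-case 'aa:bb:..' form; None if malformed."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw or "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)) if len(digits) == 12 else None


def parse_plat_ver(raw: Optional[str]) -> Optional[Tuple[int, int]]:
    """Parse IV_PLAT_VER 'x.y' (e.g. '6.1' for Windows 7) into (major, minor)."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?", (raw or "").strip())
    return (int(m.group(1)), int(m.group(2) or 0)) if m else None


def evaluate_posture(client_info: Mapping[str, str], policy: dict = POLICY,
                     lookup: Optional[Callable[[str], Optional[Mapping]]] = None
                     ) -> Tuple[bool, str]:
    """Return (allowed, reason); every check fails closed on missing data.
    `lookup(hwaddr)` returns the posture record from the endpoint-management
    API, or None if the device is unknown there; production code would issue
    the REST request inside it."""
    plat = (client_info.get("IV_PLAT") or "").lower()
    if not plat:
        return False, "client did not report IV_PLAT"
    if plat in MOBILE_PLATFORMS and not policy["allow_mobile"]:
        return False, f"mobile platform {plat} not permitted"
    if plat not in policy["allowed_platforms"]:
        return False, f"platform {plat} not in allowlist"

    floor = policy["min_platform_version"].get(plat)
    if floor is not None:
        ver = parse_plat_ver(client_info.get("IV_PLAT_VER"))
        if ver is None:
            return False, f"{plat} client did not report a parsable IV_PLAT_VER"
        if ver < floor:
            return False, f"{plat} {ver[0]}.{ver[1]} below minimum {floor[0]}.{floor[1]}"

    # IV_HWADDR is client-reported: identification, not proof of identity.
    hwaddr = normalize_hwaddr(client_info.get("IV_HWADDR"))
    if hwaddr is None:
        return False, "client did not report a usable IV_HWADDR"
    if hwaddr not in policy["allowed_hwaddrs"]:
        return False, f"hardware address {hwaddr} not authorized"

    if policy["require_external_compliance"]:
        if lookup is None:
            return False, "external posture lookup not configured"
        try:
            record = lookup(hwaddr)
        except Exception as exc:  # API down, timeout, bad JSON: fail closed
            return False, f"posture lookup failed: {exc}"
        if not record:
            return False, f"device {hwaddr} unknown to endpoint management"
        if not record.get("compliant"):
            return False, f"endpoint management reports non-compliant: {record.get('detail', 'no detail')}"
    return True, "device posture accepted"


# Constructed stand-in for an endpoint-management REST API, keyed by MAC.
_FAKE_POSTURE_DB = {
    "00:11:22:33:44:55": {"compliant": True, "antivirus": "up to date"},
    "aa:bb:cc:dd:ee:ff": {"compliant": False, "detail": "critical patches missing"},
}


def fake_posture_api(hwaddr: str) -> Optional[Mapping]:
    return _FAKE_POSTURE_DB.get(hwaddr)


# Assumed Access Server hook shape: post_auth(authcred, attributes, authret, info)
# with peer info in attributes['client_info'].  Inside Access Server SUCCEED and
# FAIL come from `from pyovpn.plugin import *`; placeholders let this run alone.
SUCCEED, FAIL = "SUCCEED", "FAIL"
POSTURE_LOOKUP = fake_posture_api  # swap in the real REST client here


def post_auth(authcred, attributes, authret, info):
    """Deny an otherwise successful login when the device posture fails."""
    if authret.get("status") != SUCCEED:
        return authret  # identity already rejected; nothing to add
    allowed, reason = evaluate_posture(attributes.get("client_info") or {},
                                       POLICY, POSTURE_LOOKUP)
    if not allowed:
        authret["status"] = FAIL
        authret["reason"] = f"device posture: {reason}"
    return authret
```

The checks are ordered cheapest first and each one denies on absent or malformed input, so a client that omits IV_PLAT_VER or sends a garbled IV_HWADDR is refused rather than waved through. The external lookup is the last step because it is the slowest and the only one that can fail for reasons unrelated to the device; wrapping it in a try/except that denies on error is what turns an outage in the endpoint-management API into a closed door instead of an open one.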
When Access Server is used with our free Connect Client application installed on devices, it provides additional functionality. OpenVPN Connect for Windows and macOS supports checking specific programs’ existence and reporting their version numbers to the server. This can be used to check the presence and version of antivirus software or other applications as your security policy requires.
Integrating device posture information into a VPN can be a valuable way to protect your network from unauthorized access and malware infections. By collecting device information and acting on it, you can identify and mitigate security risks and enforce compliance with security policies. Access Server provides a post-auth programming hook that allows you to develop custom authentication logic based on the information the client sends about the connecting device, or to communicate with external systems that can aid in device posture decision-making.
Get Started Today
Ready to take your business to the next level with Access Server? Work from anywhere and from any device with confidence. Create an account today for two free connections and the secure network connectivity your business needs.