#3: Force client health checking for all hosts connecting from anonymous access WAP segments
VPN client connections from hosts on the anonymous access wireless DMZ segment provide a quick and dirty way to allow authorised users access to corporate resources from the untrusted network segment. Although this solves the immediate problem of allowing authorised users "just in time" access to corporate resources from an unmanaged client, it exposes us to problems related to the unmanaged client computer itself. The unmanaged client has a high probability of harboring viruses, worms, and Trojans that can put the corporate production network at risk.
One way to handle this problem is to use a VPN client hygiene solution, which will analyse the software environment on the VPN client and compare it with your corporate security requirements. A number of VPN server solutions provide this capability, including ISA Server 2004’s VPN Quarantine controls. Most VPN client hygiene solutions also enable you to provide remediation services so that VPN clients that do not meet corporate security requirements can automatically update themselves to a state where they meet security requirements.
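The comparison step described above, as an added example that is not from the article and is not ISA Server's own code: it checks a client's reported state against a policy and keeps the client quarantined when any item fails or is missing, returning the failed items so a remediation service knows what to update. The policy values, field names and sample reports are all constructed for illustration.

```python
from datetime import date

# Constructed corporate policy (assumed values, not from the article).
POLICY = {
    "firewall_enabled": True,
    "antivirus_running": True,
    "max_signature_age_days": 7,
    "min_os_patch_level": (5, 1, 2600, 2180),
}

def parse_version(text):
    """Turn '5.1.2600.2180' into a tuple so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))

def evaluate_posture(report, today, policy=POLICY):
    """Return (decision, failures). Any missing or malformed field counts as a
    failure, so a client that cannot prove its state stays quarantined."""
    failures = []
    for flag in ("firewall_enabled", "antivirus_running"):
        # Identity check: only a real boolean True passes, not "yes" or 1.
        if report.get(flag) is not policy[flag]:
            failures.append(flag)
    try:
        age = (today - date.fromisoformat(report["signature_date"])).days
        # A date in the future is treated as untrustworthy, not as fresh.
        if age < 0 or age > policy["max_signature_age_days"]:
            failures.append("signature_date")
    except (KeyError, TypeError, ValueError):
        failures.append("signature_date")
    try:
        if parse_version(report["os_patch_level"]) < policy["min_os_patch_level"]:
            failures.append("os_patch_level")
    except (KeyError, AttributeError, ValueError):
        failures.append("os_patch_level")
    return ("allow" if not failures else "quarantine", failures)

# Constructed sample reports from two hypothetical clients.
TODAY = date(2006, 6, 15)
MANAGED = {"firewall_enabled": True, "antivirus_running": True,
           "signature_date": "2006-06-12", "os_patch_level": "5.1.2600.2180"}
UNMANAGED = {"firewall_enabled": True, "antivirus_running": "yes",
             "signature_date": "2006-04-01", "os_patch_level": "5.1.2600.1106"}

if __name__ == "__main__":
    for name, report in (("managed", MANAGED), ("unmanaged", UNMANAGED)):
        print(name, *evaluate_posture(report, TODAY))
```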
For the rest of the story, check out: http://insight.zdnet.co.uk/0,39020415,39276190,00.htm
Thomas W Shinder, M.D.
MVP — ISA Firewalls