Before we have a closer look at the interplay of the various components and their roles, let us briefly study what inspired the design of the Barracuda NG Network Access Client endpoint security framework.

The originally very long list of requirements reads as follows in a slightly more condensed fashion:

We want to create an endpoint security solution that is effective and yet still simple enough to be implemented and operated in a cost efficient manner.

We do not wish to require customers to completely change their infrastructures. This means that we do not require 802.1x aware switches and endpoints.

We support guest networking. There must be a simple way to distinguish between visitors and our own users. We use a combination of client agent-based and DHCP-based address assignment. A combination of agent-based and DHCP enforcement will likely catch the most prevalent threats to network security.

We assess the client's health before it first connects to the network. Client system health assessments should also be carried out periodically afterwards to detect changes in the client's health state.

Policies, such as the applicable firewall rule set or access rights, must be selected according to both identity and system health state. Identity-based exceptions must be possible to cater for real-world scenarios. A forced client update of several megabytes across a 2400 baud link is not meaningful when the link is required for important messaging.

Policies can be machine specific. A PC that frequently goes online with nobody actually logged in may already have been compromised. This routine situation must be easily accommodated within the policy framework. This also means we must find a means to identify a machine uniquely.

Policies may differ between access contexts; this is the archetypal roaming laptop problem. A certain policy applies to a user connecting from within the corporate network. A different policy is required when accessing the nearest WLAN hotspot at the airport to build a secure VPN connection. Yet another policy is required when operating the same equipment inside the user's private home network.

The client software consists of the following subsystems:

Barracuda NG Personal Firewall

Being a centrally managed host firewall, this advanced firewall engine can handle up to four different firewall rule sets at once. Which rule sets are available to the firewall engine and which one of these is currently enforced depends on the policy applicable to user, machine, date, and time.
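The requirements above (policy selected by identity and health state, identity-based exceptions for slow links, machine-specific policies when nobody is logged in, context-dependent policies for the roaming laptop, and a firewall engine holding up to four rule sets chosen by user, machine, date and time) can be illustrated with a small policy-selection engine. The following Python block is an added example written for this text; it is not Barracuda's code and does not reflect the product's real configuration. The rule-set names, the machine inventory, the exempt user group, the link-speed threshold and the office-hours window are all constructed assumptions.

```python
"""Added example: a minimal endpoint policy engine in the spirit of the
requirements listed above. Not the product's own code; every name and
threshold below is a constructed assumption."""
from __future__ import annotations

from dataclasses import dataclass, replace
from datetime import datetime
from enum import Enum
from typing import Optional


class Health(Enum):
    HEALTHY = "healthy"
    UNHEALTHY = "unhealthy"   # health report failed baselining
    UNKNOWN = "unknown"       # no report received yet (e.g. first contact)


class Context(Enum):
    CORPORATE = "corporate"
    HOTSPOT = "hotspot"
    HOME = "home"


# The firewall engine holds up to four rule sets at once; these four names are constructed.
RULE_SETS = ("corporate", "remote", "machine-only", "quarantine")

# Constructed inventory: machines permitted on the network with nobody logged in.
REGISTERED_MACHINES = {"WS-0042", "SRV-BACKUP-01"}
# Constructed identity-based exception: users whose link must stay free for messaging.
SLOW_LINK_EXEMPT_USERS = {"field-ops"}
SLOW_LINK_KBPS = 56          # constructed threshold for a "slow" link


@dataclass(frozen=True)
class Endpoint:
    machine_id: str
    user: Optional[str]       # None: nobody is logged in, only the machine identity counts
    health: Health
    context: Context
    link_kbps: int
    client_outdated: bool     # client/monitor version below the required one


@dataclass(frozen=True)
class Decision:
    rule_set: str
    force_update: bool


def force_update(ep: Endpoint) -> bool:
    """Force a client update, except for the identity-based slow-link exception."""
    if not ep.client_outdated:
        return False
    if ep.link_kbps < SLOW_LINK_KBPS and ep.user in SLOW_LINK_EXEMPT_USERS:
        return False  # several megabytes over a 2400 baud link would starve messaging
    return True


def select_policy(ep: Endpoint, now: datetime) -> Decision:
    update = force_update(ep)
    # 1. Health first: an unknown or failed assessment never reaches a production rule set.
    if ep.health is not Health.HEALTHY:
        return Decision("quarantine", update)
    # 2. Nobody logged in: the machine identity alone decides; unknown machines are isolated.
    if ep.user is None:
        if ep.machine_id in REGISTERED_MACHINES:
            return Decision("machine-only", update)
        return Decision("quarantine", update)
    # 3. Access context: the same user and laptop get different rule sets per network.
    if ep.context is Context.CORPORATE:
        # 4. Date and time: outside office hours (constructed: Mon-Fri 07:00-19:00)
        #    only the reduced remote rule set applies even on the LAN.
        if now.weekday() <= 4 and 7 <= now.hour < 19:
            return Decision("corporate", update)
        return Decision("remote", update)
    # Hotspot and home networks: only the VPN-bound remote rule set.
    return Decision("remote", update)


def reassess(ep: Endpoint, new_health: Health, now: datetime) -> Decision:
    """Periodic re-assessment: a changed health report re-selects the rule set."""
    return select_policy(replace(ep, health=new_health), now)


if __name__ == "__main__":
    office = datetime(2024, 3, 13, 10, 0)   # a Wednesday morning (constructed)
    laptop = Endpoint("WS-0042", "alice", Health.HEALTHY, Context.CORPORATE, 100_000, False)
    print(select_policy(laptop, office))                                  # corporate
    print(select_policy(replace(laptop, context=Context.HOTSPOT), office)) # remote
    print(reassess(laptop, Health.UNHEALTHY, office))                      # quarantine
```

The ordering in select_policy is the point: health is checked before identity or context, so a failed or missing assessment always lands in the remediation rule set, and the slow-link exception only relaxes the forced update, never the rule set itself.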

Barracuda NG Access Monitor

This software is responsible for sending the endpoint health status to the Access Control Service for baselining. Barracuda NG Access Monitors are dynamically downloaded and updated as required, supporting both full and delta updates. They are extremely lightweight, occupying only 340 KB of memory.

Barracuda NG VPN Client

Provides an integrated VPN client that secures mobile desktops connecting to the corporate LAN through the internet. The VPN client establishes a secure connection to a VPN Service. The Barracuda NG Access Monitor then communicates through the VPN tunnel with the responsible so-called System Health Validator (SHV). It is worth noting that in this case the VPN server fully controls the virtual connection.

5 Barracuda NG Network Access Client - Administrator’s Guide
