The host check function checks the security status of the hosts running SCVPN clients. According to the check result, the SCVPN server determines the security level of each host and assigns the corresponding resource access rights based on that security level. It is a way to assure the security of the SCVPN connection. The checked factors include the operating system, the IE version, and the installation of some specific software.
The factors to be checked by the SCVPN server are displayed in the table below:

Factor | Description
---|---
Operating system | 
IE | Whether the IE version and security level reach the specified requirements
Other configurations | Whether the specified processes are running; whether the specified services are installed; whether the specified services are running; whether the specified registry key values exist; whether the specified files exist in the system
Role Based Access Control (RBAC) means that a user's permissions are determined not by the user name but by the user's role. The resources a user can access after login are determined by the corresponding role, so the role is the bridge connecting the user and the permissions.
The SCVPN host check function supports RBAC, and the concepts of primary role and guest role are introduced in the host check procedure. The primary role determines which host check profile (containing the host check contents and the security level) is applied to the user, and what access permissions the user has if the host check is passed. The guest role determines the access permissions for users who fail the host check.
The host check procedure is:
The host check function also supports dynamic access permission control. On one side, when the client's security status changes, the server sends a new host check profile to the client to make it re-check; on the other side, the client can perform the security check periodically. For example, if the AV software is disabled and this is detected by the host check, the role assigned to the client may change, and so do the access permissions.
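The decision logic described above (host check profile, primary role on pass, guest role on failure, and a periodic re-check that moves a host between roles), as an added example written for this page rather than code from the SCVPN product; the role names, profile contents, process, service, registry and file names are all constructed and hypothetical.

```python
# Added example, not the product's code; all role names and check values are constructed.
ROLE_PERMISSIONS = {                                    # resources reachable per role
    "staff": {"file-server", "erp", "intranet-wiki"},   # primary role: full access
    "quarantine": {"patch-server"},                     # guest role: remediation only
}

# Host check profile: the security level it enforces plus the factors from the table above.
PROFILE = {
    "security_level": 2,
    "min_ie_version": 11,
    "process_running": {"avservice.exe"},
    "service_installed": {"AVService"},
    "service_running": {"AVService"},
    "registry_key": {r"HKLM\SOFTWARE\ExampleAV\Enabled"},
    "file": {r"C:\ExampleAV\signatures.dat"},
}

def failed_checks(profile, host):
    """Return the factors the host does not satisfy; an empty list means the check passed."""
    failures = []
    if host["ie_version"] < profile["min_ie_version"]:
        failures.append(f"ie_version<{profile['min_ie_version']}")
    for factor in ("process_running", "service_installed", "service_running",
                   "registry_key", "file"):
        missing = profile[factor] - host.get(factor, set())   # required but not present
        failures += [f"{factor}:{item}" for item in sorted(missing)]
    return failures

def assign_role(profile, host, primary_role="staff", guest_role="quarantine"):
    """Pass -> primary role; any failure -> guest role. Returns (role, permissions, failures)."""
    failures = failed_checks(profile, host)
    role = primary_role if not failures else guest_role
    return role, ROLE_PERMISSIONS[role], failures

def compliant_host():
    """Constructed state reported by a client that satisfies every factor in PROFILE."""
    return {"ie_version": 11, "process_running": {"avservice.exe", "explorer.exe"},
            "service_installed": {"AVService"}, "service_running": {"AVService"},
            "registry_key": {r"HKLM\SOFTWARE\ExampleAV\Enabled"},
            "file": {r"C:\ExampleAV\signatures.dat"}}

def recheck_after_av_disabled():
    """Dynamic control: the same host re-checked after its AV process and service stop."""
    host = compliant_host()
    before = assign_role(PROFILE, host)
    host["process_running"].discard("avservice.exe")
    host["service_running"].discard("AVService")
    after = assign_role(PROFILE, host)
    return before[0], after[0], after[2]   # roles before/after, plus the failed factors
```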
Related Topic: