1

Is there a way to prevent VPN connections based on certain security related criteria, such as presence of a virus scanner and virus definitions?

In our case, we have a Windows Server 2008 acting as a domain controller and RRAS server. We also have ESET NOD32 Business running on every client, with the installs being pushed by the server.

Aron Rotteveel
  • What VPN client are you using, just the std Windows stuff? – squillman Mar 01 '10 at 16:45
  • Always remember that you're relying on the trustworthiness of the client computer to "act truthful" about what you ask it. There's no way for your server to actually "prove" that a remote computer is running a given program-- you're just taking the "good word" of that remote computer. (I've always thought that "Network Access Protection" and the like wasn't much more than a way to "keep honest computers honest".) – Evan Anderson Mar 01 '10 at 17:21
  • @squillman standard Windows stuff indeed – Aron Rotteveel Mar 01 '10 at 17:38
  • @evan Sounds interesting; what is the alternative? What do you usually do to keep the network secure? – Aron Rotteveel Mar 02 '10 at 09:58
  • @Aron Rotteveel: The principle of least privilege (arguably the most important thing), being cognizant of and monitoring "choke points" and attack vectors, keeping OS's and applications updated, installing only necessary software on all computers (servers, clients, etc), and keeping up with security bulletins. NAP doesn't help if a machine gets a rootkit on it that can "convince" the local antivirus, etc, that it's not infected. To me, it's all about minimizing attack surface and detecting attacks based on monitoring traffic and behavior. – Evan Anderson Mar 04 '10 at 16:10
  • @evan: the answers so far seem somewhat inadequate. If you could find the time (and want to), formulate this into an answer and I think I found myself an accepted one. – Aron Rotteveel Mar 11 '10 at 09:13
  • @Aron Rotteveel: I've given it a shot... >smile – Evan Anderson Mar 11 '10 at 17:35

4 Answers

3

What you're asking about is the crux of many "network access protection" (NAP) products. Personally, I don't think that efforts like NAP really do anything useful, aside from "keeping honest computers honest".

Fundamentally, you're relying on the trustworthiness of the client computer to "act truthful" about what your NAP server computer asks it. There's no way your server can "prove" that a remote computer is running a given program. You're really just taking the "good word" of that remote computer. That's the fatal flaw in the idea behind NAP-- trust is misplaced.

In terms of keeping your network secure, I'd argue that the principle of least privilege is the most important guiding principle. Be cognizant of and monitor "choke points" and attack vectors, keep OS's and applications updated, install only necessary software on all computers (servers, clients, etc), and keep up with security bulletins.

NAP doesn't help if a machine gets a rootkit on it that can "convince" the local antivirus, etc, that it's not infected. I think there's more to be gained by minimizing attack surface and detecting attacks based on monitoring traffic and behavior.

In terms of VPN users, I'd be using a VPN that limited inbound protocols from clients to a known "allowed set"-- RPC-over-HTTP for Outlook clients (though you can do that w/o a VPN just as easily), RDP to get to fixed desktop computers or Terminal Server machines, WebDAV to get at file shares exported over HTTP, etc. Giving VPN clients unfettered layer 3 access to the network is certainly exposing a broad attack surface.

I'd consider using a VPN technology based in part on client device authentication if you're going to allow more unfettered layer 3 access (and even if you're not, if you're concerned about unauthorized devices connecting to the VPN). Assuming your users don't have "Administrator" rights on their client computers and can't otherwise pry the certificate off of the device and install it on an arbitrary device, using something like L2TP/IPsec and computer-based authentication would go a long way toward preventing unauthorized devices from connecting to the VPN.

Evan Anderson
2

You could look into NAP on W2K8:

http://technet.microsoft.com/en-us/network/bb545879.aspx

joeqwerty
2

This may not be the best, but rather the most complex way to do something that may be somewhat simple.

If your VPN is being handled by a W2008 server, you can do a WMI query:

' Placeholder from the original answer: obtain the connecting client's
' name from your RRAS connection event (not a real function).
strComputer = OnConnectEvent(APPROPRIATE VPN INFO)

' Connect to the Security Center WMI namespace on the remote client.
' Windows XP exposes root\SecurityCenter; Vista and later expose
' root\SecurityCenter2, where the AntiVirusProduct property set differs
' (displayName, productState and the path properties only).
Set oWMI = GetObject( _
  "winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\SecurityCenter")

' Enumerate every antivirus product registered with Security Center.
Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")

' Echo the state each product reports about itself.
For Each objItem in colItems
  With objItem
    WScript.Echo .companyName
    WScript.Echo .onAccessScanningEnabled
    WScript.Echo .pathToSignedProductExe
    WScript.Echo .productState
    WScript.Echo .productUptoDate
    WScript.Echo .versionNumber
  End With
Next

And then you can compare appropriately.

zetavolt
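As an added example (not part of the answer above), this PowerShell script does the "compare appropriately" step the answer leaves open: it reads the same AntiVirusProduct class and turns it into a per-product verdict, keeping in mind that, as Evan Anderson's answer notes, the result is still the client's own word about itself. It assumes a Windows client target (the SecurityCenter namespaces are absent on server editions), that XP exposes root\SecurityCenter with documented boolean properties while Vista and later expose root\SecurityCenter2 with only productState, and that the productState decoding, which Microsoft does not document, follows the commonly used interpretation and is validated against your own AV product.

```powershell
# Added example, not from the original answer. Written for PowerShell 2.0
# (the Windows Server 2008 era), hence New-Object instead of [pscustomobject].
function Get-AvComplianceState {
    param([string]$ComputerName = '.')

    # Vista and later register root\SecurityCenter2; XP only has root\SecurityCenter.
    $hasSc2 = Get-WmiObject -Namespace 'root' -Class '__NAMESPACE' `
        -ComputerName $ComputerName -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq 'SecurityCenter2' }

    if ($hasSc2) {
        $products = Get-WmiObject -Namespace 'root\SecurityCenter2' `
            -Class AntiVirusProduct -ComputerName $ComputerName
        foreach ($p in $products) {
            # productState is an undocumented bit field; the common reading is:
            # middle byte 10/11 = real-time protection on, low byte 00 = definitions current.
            $hex = '{0:X6}' -f [int]$p.productState
            New-Object PSObject -Property @{
                Product      = $p.displayName
                RealTimeOn   = (@('10', '11') -contains $hex.Substring(2, 2))
                DefsUpToDate = ($hex.Substring(4, 2) -eq '00')
            }
        }
    } else {
        $products = Get-WmiObject -Namespace 'root\SecurityCenter' `
            -Class AntiVirusProduct -ComputerName $ComputerName
        foreach ($p in $products) {
            # XP exposes these as documented booleans.
            New-Object PSObject -Property @{
                Product      = $p.displayName
                RealTimeOn   = [bool]$p.onAccessScanningEnabled
                DefsUpToDate = [bool]$p.productUptoDate
            }
        }
    }
}

# Verdict: at least one product reported, and none with real-time off or stale definitions.
$states = @(Get-AvComplianceState)
$failing = @($states | Where-Object { -not ($_.RealTimeOn -and $_.DefsUpToDate) })
$compliant = ($states.Count -gt 0) -and ($failing.Count -eq 0)
$states | Format-Table Product, RealTimeOn, DefsUpToDate -AutoSize
"Compliant: $compliant"
```

Run it with a remote `-ComputerName` from the RRAS server only if WMI (DCOM) from the server to the client is already allowed through the client firewall; otherwise it is better run on the client itself and the result shipped back.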
0

Threat Management Gateway together with MS Forefront and the Stirling Wave should provide you with this sort of functionality. It sounded very exciting but I've only heard this mentioned briefly in a seminar on Microsoft Technologies so I couldn't give any further advice.

Symantec Endpoint Protection can also detect patch levels of client machines and whether antivirus is up to date. But it runs on the client and is used to protect the clients rather than the servers - if Endpoint Protection isn't installed on a client then you can't do anything to it.

WheresAlice