Case Study: Containing Endpoint Infections

How can organizations better contain virus outbreaks and defend against destructive or mass-mailing worms?

That was the question asked by National Instruments, an Austin, Texas-based manufacturer of testing software and hardware. The company had already deployed enterprise-wide antivirus and patch management software, but it wanted a way to contain those still-inevitable endpoint infections.

“We have the same problem that a lot of enterprises have. We’re struggling with the many viruses and worms, and so figuring out how to combat them,” says Brett Childress, the director of IT infrastructure for National Instruments.

To better tackle viruses and worms, the company first created a better-layered defense by standardizing on one antivirus software package, with IT centrally administering antivirus policies. Then it began using Microsoft’s Systems Management Server (SMS) to handle patch management for Windows machines.

Even so, that wasn’t enough. “The reality is, there are always those machines that manage to fall behind,” says Childress. “So you never really get proactively 100 percent coverage.” That means continued outbreaks, since “you still occasionally get the user that opens the attachment they shouldn’t have, or clicks the link they shouldn’t have, and it introduces something into our environment that obviously causes infections.” That one infection can quickly spread to all other vulnerable PCs. “All of a sudden you have 30 machines that a technician has to visit,” he says, which wastes both end-user and technician time.

In 2004, National Instruments began investigating new kinds of endpoint security. It evaluated a previous version of Cisco’s Network Access Control, but decided to keep looking, because of both the product’s expense and the requirement to install a software agent on all monitored computers. Childress didn’t want to use software agents, because of the hassle of then having to manage them for the company’s range of operating systems: Windows XP, Windows 2000, Solaris, Linux, Macintosh, and especially internationally, Windows 95 and 98.

Then National Instruments became aware of another Austin-based company, Mirage Networks, which makes a network access control appliance called CounterPoint. “They came in with a really cost-effective solution that made it more of a no-brainer; an easy sale,” says Childress. In July 2004, National Instruments decided to adopt the technology.

After completing previously scheduled LAN upgrades, National Instruments installed eight Mirage appliances in “audit mode” in October 2004 to cover the 6,000 endpoints in its Austin headquarters. Audit mode means “we were able to see, if these boxes were in ‘attack mode,’ what they’d be doing to various endpoints on our network. That gave us a chance to fine-tune them.”

After four to six weeks of fine tuning, and adjusting internal company processes for dealing with infected machines, the company moved some of the appliances into attack mode. In January 2005, it moved the rest.

Overall, “it was one of the easiest deployments I’ve experienced in IT,” Childress observes. The appliances also “don’t sit in-line in your network, so you don’t have to worry about them introducing performance impacts on your network.” If a box fails, it won’t take down the network.

Cloaking Misbehaving Endpoints

How does CounterPoint work? When the appliance decides a machine is exhibiting suspect behavior, it takes it off the network. “In Mirage-speak, it cloaks the device,” says Childress. Essentially, the appliance steps in and changes the ARP tables in any infected or attacking machines and prohibits any network-based communication to or from them. National Instruments then has its CounterPoint appliances e-mail the help desk queue, so a technician can be dispatched to fix the endpoint.

As mentioned, initial fine-tuning is necessary so the appliances don’t block allowed activities, and tweaks are sometimes necessary. “We had a situation where our R&D staff runs a distributed compilation software package,” he says. “It uses multiple machines to do the compilation of software, and Mirage saw some of that activity and would occasionally think that was a machine touching too many other machines, and would take those machines off the network.” To work around that, once his IT staff identified the problem, they were able to create specific exceptions for the compilation software and the ports it uses.
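The two passages above describe the appliance's core judgement (a machine “touching too many other machines”) and the exception added for the distributed compiler. The following is an added illustration, not Mirage's or National Instruments' code, of how such a fan-out heuristic with port-based exceptions can be expressed and checked against constructed flow records. The threshold, window, addresses and the compiler's port are all hypothetical values chosen for the example.

```python
"""Fan-out detector with per-application exceptions (added example, not vendor code).

A source host is flagged when it contacts more than FANOUT_THRESHOLD distinct
destinations within any WINDOW_SECONDS span, after discarding flows that match
an explicit (source, destination port) exception such as a build farm's job port.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float   # seconds since capture start
    src: str
    dst: str
    dport: int


# Hypothetical tuning values; a real deployment derives these from audit-mode data.
FANOUT_THRESHOLD = 20
WINDOW_SECONDS = 60.0

# Exceptions: (source host, destination port) pairs allowed to fan out widely.
# Constructed example: a distributed-build coordinator on a hypothetical job port.
EXCEPTIONS = {("10.0.5.10", 3632)}


def detect_fanout(flows, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS,
                  exceptions=EXCEPTIONS):
    """Return {src: (window_start_ts, distinct_destinations)} for flagged hosts."""
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        if (f.src, f.dport) in exceptions:
            continue                      # allowed application, do not count
        by_src[f.src].append(f)

    flagged = {}
    for src, fl in by_src.items():
        left = 0
        counts = defaultdict(int)         # distinct destinations in the window
        for f in fl:
            counts[f.dst] += 1
            # slide the window forward, dropping flows older than `window` seconds
            while f.ts - fl[left].ts > window:
                old = fl[left].dst
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            if len(counts) > threshold:
                flagged[src] = (fl[left].ts, len(counts))
                break                     # one verdict per host is enough
    return flagged


def help_desk_tickets(flagged):
    """Render one ticket line per flagged host, mirroring the e-mail-to-help-desk step."""
    return [f"QUARANTINE {src}: {n} distinct hosts within {WINDOW_SECONDS:.0f}s "
            f"starting at t={t:.1f}s" for src, (t, n) in sorted(flagged.items())]


def make_sample_flows():
    """Constructed flow records (not captured traffic) covering three cases."""
    flows = []
    # 1. Worm-like host sweeping 25 neighbours on TCP/445 in about ten seconds.
    for i in range(25):
        flows.append(Flow(i * 0.4, "10.0.7.42", f"10.0.7.{100 + i}", 445))
    # 2. Build coordinator fanning out to 30 workers on its job port (excepted).
    for i in range(30):
        flows.append(Flow(i * 0.5, "10.0.5.10", f"10.0.5.{50 + i}", 3632))
    # 3. Ordinary host: 15 destinations now, 15 more ~100 s later; never >20 per window.
    for i in range(15):
        flows.append(Flow(i * 0.3, "10.0.9.3", f"10.0.9.{20 + i}", 80))
        flows.append(Flow(100 + i * 0.3, "10.0.9.3", f"10.0.9.{60 + i}", 80))
    return flows


if __name__ == "__main__":
    for line in help_desk_tickets(detect_fanout(make_sample_flows())):
        print(line)
```

Running it flags only the sweeping host; the build coordinator is silenced by the exception, and the ordinary host's two bursts fall in separate windows. Removing the exception (pass `exceptions=set()`) reproduces the false positive the article describes, which is the kind of check worth running after each tuning change.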

National Instruments also verified that the appliances weren’t producing false positives. “What we saw when Mirage was removing an endpoint from the network, we were having technicians going out and looking at those machines, and in fact they were infected per the antivirus software showing it, or they were obviously not up to patch levels. So we were able to stop propagation at that endpoint,” he says. In some cases, the appliances also blocked zero-day attacks—attacks not yet identified by antivirus companies, but for which a virus signature later became available.

Securing Wide Area Networks

Recently, National Instruments began rolling out one Mirage appliance at each of its offices in Tokyo, Shanghai, Seoul, Hungary, Munich, Milan, and Dublin. It expects to finish deployment by the end of 2005.

While that rollout doesn’t cover the entire corporate network—National Instruments has branches in almost 40 countries—the deployment targets hubs or hotspots. For example, one recurring problem is when a worm zaps a branch’s bandwidth. “Wide area networks tend to be expensive, so you tend to size them appropriately to keep your costs down,” notes Childress. “When one or two machines get infected and adversely affect a wide area network link, you’re adversely affecting the entire branch.”

Overall, when it comes to the Mirage appliances, Childress says they’ve performed to spec, and also require little ongoing maintenance. “Luckily, we can say we made the right decision—we’re seeing solid return on our investment,” he says. “And I’m sleeping better at night.”

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.