In-Depth

Q&A: The State of Endpoint Security

Organizations can derive the benefits of endpoint-security standards without the standards

• By Mathew Schwartz
• 08/09/2005

In the world of endpoint security, it's a wait-and-see game. So far, Cisco has begun implementing parts of its Network Access Control (NAC). Microsoft has brought in numerous partners for its Network Access Protect (NAP), which will also work with NAC. But so far NAC is a Cisco-hardware-only approach, and NAP won’t appear until at least 2007, when Microsoft releases a server version of Longhorn.

In the interim, a variety of endpoint-security software and technology is available which can deliver at least some of the functionality proposed by final versions of both NAC and NAP. Security Strategies spoke with Mitchell Ashley, chief technology officer of Louisville, Colo.-based StillSecure, to learn more.

Many things seem to be called endpoint security these days. What’s your take?

There’s classic endpoint security, which means enterprise-managed endpoint devices for antivirus and firewalls. Then there’s next-generation endpoint security, which means compliance-testing devices when they come onto the network, and, of course, quarantining those until we’ve realized they’re compliant. Then, of course, also fixing or remediating them.

That’s why “what does endpoint security mean” is confusing. You’ve had antivirus security for a long time, but Blaster and Slammer showed how susceptible enterprises are to attacks from inside the firewall.

What types of endpoint-security products are on the market now?

Generally, endpoint-security solutions fall into two camps: network-based or device-based. The network view is about protecting the network from unsafe devices. … and at StillSecure we’re really taking the network view and making sure any asset that connects to the network, whether managed or unmanaged by the enterprise, meets certain security standards. The device-centric view is more about locking down the device and protecting it from compromise, especially when it’s mobile.

Can you give examples of both types of approaches?

Cisco NAC is very much a network-centric approach, where the objective is testing all devices and determining their security status before we allow them full access into the network. The Cisco agent is a lightweight agent and relies on other third-party security solutions to provide the status of the device itself. … StillSecure’s Safe Access product is also network-centric, because it will test managed devices as well as [unknown devices].

Device-centric examples fall more into the camp of the personal firewalls … and scanning for antivirus settings. Now there are also other agent-based or device-centric approaches that use host intrusion-prevention software. Then there are also agents which are more lightweight, [akin to] security posture agents. They don’t actually protect the device itself, but detect if the device meets security requirements.

So security-posture agents complement other endpoint-security devices?

Yes, and they’re solving different problems. The network-centric view is really worried about any device, whether it’s managed by the enterprise or not. [Meanwhile,] the device-centric view is really worried about protecting a [particular] device, and as an added benefit, communicating its status.

Of course, since there are these different options, this compounds the learning curve of understanding what’s the right approach for each enterprise. Some organizations are only worried about corporate managed assets. Many more organizations are more worried about unmanaged devices—VPNs, contractors, employees’ home use of computers. Part of the cost of ownership of any endpoint-security solution is, what does it take to deploy and manage on an ongoing basis, and that’s where true agentless approaches, are beneficial, as opposed to true ActiveX approaches.

What qualifies as agentless?

One of the [confusing] points about endpoint security is that many technologies label themselves as agentless or clientless, [yet] what they’re actually [doing] is introducing an ActiveX client to the browser, when the device comes onto the network.

How do the truly agentless options differ?

Different solutions are gelling around certain approaches. One is to act as a gateway into the network, where in order for any traffic to enter into the network, the device must be compliant with security policies. Another is using DHCP and quarantining devices when they request an IP address, until a point in time when they’re compliant with the network.

Another is with 802.1x, which is a wireless specification which is now being applied to Ethernet, and it’s being combined with Radius and VLANs (virtual LANs) to quarantine a device when a user initially authenticates to a network.

Is setting up an 802.1x-compliant network a slog?

You do have to have an 802.1x authentication mechanism in your network. … What StillSecure offers is providing endpoint security into that process, so that a device checks itself.

How do organizations select an approach?

The first question to ask is are you only concerned about enterprise-managed devices or all devices connecting to your network? That will direct you down a certain path. For example, you wouldn’t select an agent-based approach if you were worried about contractors, employees working at home, and so on.

Is uptake on agent-based approaches big?

Most often customers are interested in the least disruptive approach to their end users, which for Cisco users could be Cisco, or for those with [multiple networking equipment vendors], DHCP or gateway-based.

Related Articles:

Case Study: Containing Endpoint Infections
http://www.esj.com/Security/article.aspx?EditorialsID=1453

Q&A: Endpoint Security for Unknown Devices
http://www.esj.com/Security/article.aspx?EditorialsID=1315