Endpoint Security Grows But Interoperability Questions Remain
Increasingly, PCs must prove they're secure before a user can log onto the network
Even one infected computer can reintroduce a virus or worm into an organization. That’s why a number of organizations are adopting pieces of what’s known as endpoint security. The idea behind the technique: make the computers prove they’re secure before they can log onto the network.
While this might seem like tough love, the productivity benefits of the many increasingly outweigh the delay for a few. Gartner Research analyst Mark Nicolett frames the problem quantitatively: “By the first quarter of 2005, enterprises that don’t enforce security policies during network login will experience 200 percent more network downtime than those that do.”
Numbers like that might drive organizations to trade a little employee productivity for the time it takes to verify a machine is secure. In fact, “enterprise customers are telling us that one of their biggest headaches is ensuring that the notebook computers logging into the corporate network are in a trusted state,” notes Bill Scull, senior vice president of marketing at Sygate.
Recent high-profile virus outbreaks don’t help. “We’ve seen a greater awareness occur in the last six months around endpoint security. I think the germination of that occurred last year with Blaster, because many organizations found how much damage a worm like Blaster could do, even behind the firewall, even if their perimeter defenses were secure,” says Mitchell Ashley, chief technology officer and vice president of engineering at StillSecure. While viruses and worms have driven endpoint-security-product adoption, he says stopping spyware is also an increasing concern.
A Brief History of Endpoint Security
Attempts to enforce end-to-end security first started when companies began trying to enforce antivirus levels before log-on, says Matthew Kovar, vice president of security solutions and services at the Yankee Group.
The crucial endpoint technology is quarantining: restricting a computer to a network DMZ until it passes muster. “Conceptually, think of this as a quarantine network. So you have no or limited access until your device is scrutinized and deemed as compliant, then you have limited access to resources,” says StillSecure’s Ashley. During the quarantine, a PC can be scanned for patch levels, antivirus signature update level, known pests, and more.
Unfortunately, enforcing all these security policies during network logon requires a number of technologies, many of which don’t easily work together yet. Hence, while “endpoint security is becoming the most critical piece of securing a network,” notes Kovar, it’s also “further complicating the already difficult-to-manage network-security process,” especially as it grows far beyond just verifying antivirus software is running.
For the future, both Microsoft and Cisco are promising to coordinate end-to-end network security, which is creating unusual bedfellows. Cisco, for example, lined up McAfee, Symantec, and Trend Micro for its Cisco Network Admission Control (CNAC) program. “I was shocked beyond belief that the CEO of Cisco and the CEOs of the major antivirus and security vendors” agreed to work together, says Kovar, especially since “Cisco is heavily competing against them in several markets.” The driver, he says, was “Cisco realized they needed the antivirus intelligence for their systems, and the customers were pulling them together.” Cisco’s dominance of the networking market could push CNAC success.
Yet Microsoft’s Network Access Protection (NAP) will also be a force to reckon with, as it includes 27 other participants, including: client security vendors (Computer Associates, Internet Security Systems, McAfee, Symantec, Trend Micro), a connectivity service (iPass), endpoint policy management and enforcement vendors (ENDFORCE, Pedestal Software, SecureWave, Sygate, TruSecure), management and patch-management vendors (Altiris, BigFix, BindView, Citrix, HP, LANDesk Software, Shavlik, and Microsoft’s own Systems Management Server 2003), networking vendors (Enterasys, Extreme Networks, Foundry, HP’s ProCurve Networking, Juniper Networks), and systems integrators (Avanade, Capgemini, HP, PricewaterhouseCoopers).
In other words, the future of end-to-end network security looks bright, though unanswered questions still remain. For example, few enterprise networks are homogeneous, and no one knows if CNAC and NAP will each require a CNAC- or NAP-only (i.e., Cisco-only or Microsoft-only) network environment, if they’ll “play nice,” or even how they might interoperate.
Interoperability isn’t just a feature; it will be key, says Kovar. To keep needed management of endpoint security technology to a minimum, “companies should settle for nothing less than deeply integrated security solutions,” he warns.
Endpoint Security Products: Cooperation is Key
Some companies already interoperate with other vendors’ tools to allow a more complete endpoint-security regimen to be applied. For example, iPass’s technology already works with technology from Sygate. In effect, iPass keeps an eye on the PC and negotiates connections with Sygate’s Security Agent, which allows only minimum connectivity until it verifies the machine is clean, and Sygate may feed updates to the machine to get it there. For the future, iPass and Sygate say they’ll integrate the technologies further, for example allowing endpoints to self-quarantine during policy enforcement. This will be controlled by iPass’s Policy Orchestrator, which monitors the PC, plus “the access network, endpoint connectivity state, and endpoint-policy compliance,” then arbitrates how those things get fixed, says Roy Albert, chief technology officer at iPass. He says increasing integration of the two companies’ technology will also reduce management for security administrators.
Another network security policy compliance and enforcement tool is Safe Access version 2, from StillSecure. The appliance uses RPC, a native Windows protocol, to interrogate machines trying to gain network access, yet without needing to install a software agent on them first. Safe Access can verify a number of antivirus and firewall programs are running, and includes an API to work with or verify the presence of other programs as well.
“SafeAccess is all about endpoint security, and it regulates devices that come onto the network. As users authenticate or come onto the LAN, it will test the device,” says Ashley. “It also checks the device to make sure it’s not already compromised, [which] is particularly handy if you have devices that aren’t controlled” by IT, he notes.
When Safe Access finds an out-of-compliance computer, it can deny access, alert an administrator, and also direct a user to a local Web page, perhaps containing instructions on how to clean the machine and try again.
Some users even go a step further. “Some organizations actually place their own fingerprint in the device to know that this is a corporate device they’ve managed. So for example they’ll put registry entries into the registry that are known to them … to see if it’s a foreign device,” says Ashley. Foreign devices can be treated differently, so perhaps subjected to a much more rigorous security test, or only ever granted partial network access.
As endpoint monitoring products mature, security managers will gain the ability to apply more fine-grained quarantining policies. For example, the new version of Safe Access adds easier retesting of already cleaned computers, allows policies to be tied to an individual device’s MAC address, and can quarantine multiple IP addresses at once or quarantine based on open ports.
Besides removing the threat mobile PCs may be carrying, an endpoint security program can also improve employees’ overall security habits. For example, one Safe Access user is Even Quach, network administrator of the YMCA of Columbia-Willamette in Portland, Ore. The YMCA tests all machines for security policy compliance before granting them full network access. “I can run a report on all machines accessing our network to find out which ones are non-compliant and why. It makes it easy to provide support to people having problems, and users now think twice about what they should and should not do,” he notes.
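To make the quarantine decision described above concrete, here is an added Python policy-evaluation example covering the logon checks (patch level, antivirus signature age, firewall, known pests), the out-of-compliance handling (deny, alert, redirect to a clean-up page), the corporate-fingerprint treatment of foreign devices, per-MAC policy overrides and the per-device non-compliance report. It is not StillSecure’s, Safe Access’s or any vendor’s code; the posture fields, thresholds, MAC addresses and remediation URL are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date

# Constructed posture report: what a quarantine appliance might learn about a
# device at logon. The fields are assumptions modelled on the checks the article lists.
@dataclass
class Posture:
    mac: str
    av_running: bool
    av_sig_date: date
    firewall_running: bool
    missing_patches: int
    known_pests: tuple = ()
    corporate_fingerprint: bool = False  # registry marker IT placed on managed PCs

DEFAULT_POLICY = {"max_sig_age_days": 7, "max_missing_patches": 0}
REMEDIATION_URL = "http://remediation.example.invalid/clean"  # placeholder

def evaluate(p, today, per_mac_policy=None):
    """Classify one device: returns (decision, reasons, remediation_url_or_None).
    decision is one of 'allow', 'partial', 'quarantine', 'deny'."""
    policy = dict(DEFAULT_POLICY, **(per_mac_policy or {}).get(p.mac, {}))
    if p.known_pests:
        # Already compromised: no access at all; an administrator would be alerted.
        return "deny", [f"known pest present: {n}" for n in p.known_pests], None
    reasons = []
    if not p.av_running:
        reasons.append("antivirus not running")
    elif (today - p.av_sig_date).days > policy["max_sig_age_days"]:
        reasons.append(f"antivirus signatures older than {policy['max_sig_age_days']} days")
    if not p.firewall_running:
        reasons.append("personal firewall not running")
    if p.missing_patches > policy["max_missing_patches"]:
        reasons.append(f"{p.missing_patches} required patches missing")
    if reasons:
        # Held in the quarantine network and pointed at the clean-up page; retest later.
        return "quarantine", reasons, REMEDIATION_URL
    # Compliant. Unfingerprinted (foreign) devices only ever get partial access.
    return ("allow" if p.corporate_fingerprint else "partial"), [], None

def compliance_report(postures, today, per_mac_policy=None):
    """Per-MAC view of which devices are non-compliant and why."""
    return {p.mac: evaluate(p, today, per_mac_policy) for p in postures}

def sample_fleet():
    """Constructed evaluation date and posture reports used for the demo."""
    today = date(2004, 9, 1)
    return today, [
        Posture("00:11:22:33:44:01", True, date(2004, 8, 30), True, 0, corporate_fingerprint=True),
        Posture("00:11:22:33:44:02", True, date(2004, 7, 1), False, 3, corporate_fingerprint=True),
        Posture("00:11:22:33:44:03", True, date(2004, 8, 31), True, 0, known_pests=("Blaster",)),
        Posture("00:11:22:33:44:04", True, date(2004, 8, 31), True, 0),
    ]

if __name__ == "__main__":
    today, fleet = sample_fleet()
    for mac, (decision, reasons, url) in compliance_report(fleet, today).items():
        print(mac, decision, "; ".join(reasons), url or "")
```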
Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.