Untangling Endpoint Security Initiatives

Two endpoint security initiatives are underway—one from Cisco, the other from Microsoft. We take a closer look at these, plus the evolution of endpoint security.

Want to protect the endpoint? Endpoint security initiatives are well underway. Experts predict that two high-profile initiatives—Cisco’s Network Admission Control (NAC) and Microsoft’s Network Access Protection (NAP)—will come to fruition this year.

In the meantime, a number of vendors already offer enterprise endpoint security functionality, albeit largely without cross-vendor integration.

Security Strategies spoke to Fred Felman, vice president of marketing for Zone Labs, a Check Point company, about the industry’s move toward NAC and NAP, and the evolution of endpoint security.

What’s the danger posed by today’s individual PCs and laptops, or endpoints?

First of all, endpoint PC vulnerabilities present a huge amount of risk, and are increasing the risks that large and small organizations are having to face. We know that legitimate users are trying to access networks, but they might actually be infected and contagious, especially … within organizations that allow laptops … [or] home users to tie into the corporate network.

Endpoint security is extremely difficult to manage … [especially because] existing endpoint security solutions are poorly embedded within the network fabric and operating systems. Today, endpoint security, and network, and OS [operating system] security … are all separate solutions.

What about applying host-based intrusion prevention to individual PCs?

Some organizations have had success [with that] on static systems, but they’ve found it hard to manage on PCs.

That’s why network endpoint access initiatives are incredibly important. But it’s very difficult for organizations to implement the different [parts] … You might have a certain switch, router, or VPN solution, or a mix of solutions, and often hardware and software updates are required.

Is keeping all types of devices and software at identical patch levels difficult?

Yes, and that’s why we’re announcing Total Access Protection, a set of solutions [that] allows enterprises to defend all of their network PCs … We have sets of solutions that deal with not only static threats, but also emerging threats.

What do you mean by static versus emerging threats?

One of the things that people are facing with, say, the more signature-oriented solutions (like first- and second-generation IDS solutions, antivirus, and even first-generation IPS) is they tend to be exploit-oriented as opposed to vulnerability focused. So the signature matches the first time an exploit appears, but when it mutates, you have to apply another set of signatures to deal with it. [By contrast] we tend to use a more vulnerability-oriented [approach].
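The exploit-oriented versus vulnerability-oriented distinction above is easy to see in code. The following is an added example, not code from the article, Zone Labs or Check Point: it assumes a hypothetical service that copies the User-Agent header into a 128-byte buffer. An exploit-style signature matches the first payload seen, while a vulnerability-style rule checks the condition that actually triggers the flaw (any value over the limit), so a mutated payload evades the first and not the second. All sample requests are constructed.

```python
import re
from typing import Dict, Optional

# Hypothetical vulnerability (assumed for this example): the protected service
# copies the User-Agent header into a fixed 128-byte buffer, so any value longer
# than that is dangerous no matter which bytes it contains.
UA_LIMIT = 128

# Exploit-oriented signature: written after the first observed exploit, which
# used a long run of 'A' bytes. It matches that exploit and nothing else.
EXPLOIT_SIGNATURE = re.compile(rb"User-Agent: A{129,}")


def user_agent(request: bytes) -> Optional[bytes]:
    """Return the User-Agent header value from a raw HTTP-style request, or None."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:            # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":
            return value.strip()
    return None


def signature_detects(request: bytes) -> bool:
    """Exploit-oriented check: does the request match the known exploit pattern?"""
    return EXPLOIT_SIGNATURE.search(request) is not None


def vulnerability_detects(request: bytes) -> bool:
    """Vulnerability-oriented check: does the request violate the buffer limit at all?"""
    ua = user_agent(request)
    return ua is not None and len(ua) > UA_LIMIT


def classify(request: bytes) -> Dict[str, bool]:
    """Run both detection styles over one request and report each verdict."""
    return {
        "signature": signature_detects(request),
        "vulnerability": vulnerability_detects(request),
    }


def _request(ua: bytes) -> bytes:
    """Build a minimal constructed request carrying the given User-Agent value."""
    return b"GET / HTTP/1.0\r\nHost: example.test\r\nUser-Agent: " + ua + b"\r\n\r\n"


# Constructed sample traffic (no real exploit payloads).
SAMPLES = {
    "benign": _request(b"Mozilla/4.0 (compatible)"),
    "original": _request(b"A" * 200),   # the overflow the signature was written for
    "mutated": _request(b"AB" * 100),   # same overflow, different bytes
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:9} -> {classify(req)}")
```

Run it and the "mutated" sample shows the gap the interviewee describes: the signature reports nothing, while the length check still fires because the vulnerable condition is unchanged.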

In general, are vendors trying to ease reliance on signatures?

A lot of them are trying to do this, with certain amounts of success. For example, Cisco Security Agent: they may say they’re vulnerability-oriented versus exploit-oriented, but talk to the managers using the solutions and you’ll hear a different story.

So as part of this initiative, we have endpoint security and we also have network and application security layers that are applied, and we have a couple of sets of solutions that make up internal perimeter and Web security solutions. And over the last year we’ve begun to announce integration with the Check Point product line … So in terms of perimeter, internal Web solutions, that’s sort of how Check Point frames the different solution sets they have.

What exactly does even a basic endpoint security approach require?

You need to scan, block, and remediate … You need to help people result in a state of grace—or else you get a help desk call.

How do you handle the initial scan of an endpoint before giving it network access?

We have a small [ActiveX] agent that gets delivered to the PC. … It performs the scan rather quickly; it really depends upon how severe the scan is. Is there an antivirus scan [or] a scan for Trojans, which means a memory scan? On most Pentium-class PCs, on a broadband connection, you’re talking less than 25 seconds to scan a PC.

Now if you’re using our secure browser … that takes a little longer, but that allows you to have a secure, virtual session, and that encrypts anything that gets written to disk, [in case] your session is interrupted.
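The "scan, block, and remediate" sequence described above, and the agent scan that precedes network access, can be modelled as a small admission decision. The following is an added example, not code from the article or from Zone Labs/Check Point: it assumes a hypothetical posture report returned by a scanning agent and a hypothetical admission policy, and it returns ALLOW, QUARANTINE (access only to remediation resources, with the steps that get the user back to a compliant state) or BLOCK (an active infection, where the host is contagious and gets no access until cleaned). All reports and dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List


# Hypothetical posture report an agent sends back after scanning the PC.
@dataclass
class PostureReport:
    host: str
    patch_level: int                 # hypothetical monotonic patch baseline number
    av_running: bool
    av_signature_date: date
    firewall_enabled: bool
    trojans_found: List[str] = field(default_factory=list)   # from a memory scan


# Hypothetical admission policy set by the administrator.
@dataclass
class Policy:
    min_patch_level: int
    max_signature_age_days: int
    require_firewall: bool = True


@dataclass
class Decision:
    verdict: str                     # "ALLOW", "QUARANTINE" or "BLOCK"
    failures: List[str]
    remediation: List[str]


def evaluate(report: PostureReport, policy: Policy, today: date) -> Decision:
    """Scan results in, admission decision out.

    ALLOW      - every check passed; grant normal network access.
    QUARANTINE - policy not met but fixable by the user; grant access only to
                 remediation resources (patch server, AV update server).
    BLOCK      - active infection found; the host is contagious and must not
                 reach even remediation resources until the help desk cleans it.
    """
    failures: List[str] = []
    remediation: List[str] = []

    if report.trojans_found:
        failures.append("active trojan(s): " + ", ".join(report.trojans_found))

    if report.patch_level < policy.min_patch_level:
        failures.append(f"patch level {report.patch_level} < required {policy.min_patch_level}")
        remediation.append("install pending OS patches from the patch server")

    if not report.av_running:
        failures.append("antivirus not running")
        remediation.append("start the antivirus service")
    else:
        age = (today - report.av_signature_date).days
        if age > policy.max_signature_age_days:
            failures.append(f"antivirus signatures are {age} days old "
                            f"(max {policy.max_signature_age_days})")
            remediation.append("update antivirus signatures from the update server")

    if policy.require_firewall and not report.firewall_enabled:
        failures.append("host firewall disabled")
        remediation.append("enable the host firewall")

    if report.trojans_found:
        verdict = "BLOCK"            # self-service remediation is not offered to an infected host
    elif failures:
        verdict = "QUARANTINE"
    else:
        verdict = "ALLOW"
    return Decision(verdict, failures, remediation)


# Constructed sample policy and reports (not real data).
POLICY = Policy(min_patch_level=42, max_signature_age_days=7)
TODAY = date(2005, 3, 1)

SAMPLE_REPORTS = {
    "clean": PostureReport("pc-clean", 42, True, date(2005, 2, 27), True),
    "stale": PostureReport("pc-stale", 40, True, date(2005, 1, 15), True),
    "infected": PostureReport("pc-infected", 42, True, date(2005, 2, 27), True,
                              ["Trojan.Constructed"]),
}


def decide(name: str) -> Decision:
    """Evaluate one of the constructed sample reports against the sample policy."""
    return evaluate(SAMPLE_REPORTS[name], POLICY, TODAY)


if __name__ == "__main__":
    for name in SAMPLE_REPORTS:
        d = decide(name)
        print(f"{name:9} -> {d.verdict}; failures={d.failures}; remediation={d.remediation}")
```

The point of the separate QUARANTINE verdict is the "state of grace" the interviewee mentions: the user gets a list of concrete steps and network reach to the servers needed to complete them, rather than a flat denial and a help desk call.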

How does the secure browser work?

It’s an ActiveX wrapper around Internet Explorer. … We actually have an enforcement system, and we gate access to the secure systems to that browser … and you don’t get the browser [started] unless you meet the policy.

What’s the interest level in endpoint security from IT managers today?

There’s a high demand for it. They’re getting a lot of customer requests at Gartner in terms of choosing a vendor … We’ve already seen very large adoption [of our endpoint security tools] by some of the very largest customers in the world … At a recent meeting of large customers, seven [of those endpoint security adopters] had over a million seats.

Going forward, what are your plans for integrating with Cisco’s NAC or Microsoft’s NAP?

We actually support more Cisco products than Cisco, through its NAC initiative. … We’re already supporting, for example, the base-enforcement technologies that will be present in the NAP infrastructure, the same APIs and calls that we’re using together to secure [remote] connections. We’ll also use those same protocols to protect [Microsoft] Server 2003, once it finally starts supporting NAP … and, in fact, anywhere [Microsoft is] dealing with the NAP initiative. At the moment it’s Server 2003, and Windows XP and Windows 2000. All the supported platforms that can support NAP, we’ll absolutely support that.

We’re going to be including intrusion prevention at the endpoint in our product line, and we’ll be using the patented, stateless inspection [already present in other Check Point products].

When do you envision Microsoft releasing its own NAP-related tools?

I’m going to guess somewhere in the next six months. The one thing going in the direction of them supporting this more quickly is it is based on technology that’s already [out there]. The thing that’s going against them is they have a partnership with Cisco and they’re slow-moving. I can speak from experience; we know they are slow.

In any case, there are security solutions, and standards solutions that are available now. [For example] the Microsoft 802.1x supplicant is available now on 2000 and XP platforms, so organizations can use solutions like Check Point’s Integrity to use these things [now].

How difficult will it be to upgrade when NAP features appear?

It should be transparent. Right now, it’s probably more difficult for an organization to make its Microsoft [implementations] compliant with the 802.1x API and feature sets from Cisco and others. I think this will drive them to think about the ease with which you can manage [it all], and I think what people will get is some administrative relief between Microsoft and Cisco environments from [NAC and NAP].

Still, from what I’ve seen, there’s nothing revolutionary here. If you look at the NAC initiative, big whoop. … Why would you put another security [component] on your PC, using NAC to do that, when you could get full-service security from us or probably a couple of other vendors, without having to add that layer? I’m not sure what the tangible benefit will be. My guess is it will be some sort of administrative relief, but in the meantime … at least you have a security value proposition that you can gain from any number of security vendors.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a freelance security and technology writer.