In-Depth
Case Study: Polysius Takes Layered Approach to Endpoint Security
The term “endpoint security” now takes in several new types of technology, which makes sense once Polysius’ manager of IT details the myriad, evolving threats to his corporate network and the company’s layered defenses against them.
How do you define “endpoint security”? Lately the phrase may seem like so much marketing buzz, given the increasing number of vendors purporting to offer it, and the increasing number of technologies included in the definition.
When James Krochmal, manager of IT at cement equipment design firm Polysius Corp. in Atlanta, talks about protecting his network endpoints, he details multiple technologies at work, from anti-spyware and anti-virus to spam blockers and enforced lists of trusted Web sites. In other words, his definition of endpoint security is as broad as the technology he needs to protect his endpoints.
What, then, is a good working definition? According to Jim Slaby, an analyst at Yankee Group in Boston, the endpoint security rubric includes technologies that may overlap: desktop antivirus, personal firewalls, host-intrusion prevention, anti-spyware, application and configuration control, VPN clients, and endpoint-management agents. In other words, he says, “security at the remote endpoint has evolved rapidly from its original focus on antivirus protection.”
Part of that change in focus is because attackers increasingly aim for mobile devices. “Enterprise network attackers are complementing external penetration techniques with new tactics that try to lodge malware on the laptops of trusted users working outside the security perimeter,” notes Slaby.
Rogue Endpoint Threat Accelerates
If the problem appears to be accelerating lately, it's because there are so many more PCs these days. The growth in endpoints means more “worms, viruses, authentication, and other malicious security problems,” according to Slaby. Furthermore, the less control or oversight IT has over machines, the greater the risk. “Rogue endpoints—consultants and others whose endpoints you don’t have control over—are of particular concern, given their accessibility to LAN devices once connected.”
Rogue endpoints aren’t just a local-network problem, at least at Polysius. “We belong to a very large company with a global network,” says Krochmal. Polysius Corp. is the North American arm of Polysius AG in Germany, which is owned by ThyssenKrupp Technologies Group. So while Polysius only has about 75 employees, that size doesn’t reflect the network threats it faces.
Polysius employees use a wide area network (WAN) to headquarters to get their e-mail and browse the Internet and extranets. Remote sales people in particular log on via an IPsec or SSL VPN. “We use IPsec for corporate-owned equipment, job sites, that sort of stuff, and we use SSL for everybody else—employees at home, or on the road where they can’t use IPsec, because say they’re at a client site that doesn’t allow them to tunnel over the firewall,” says Krochmal. To secure those sessions, Polysius uses two redundant Check Point VPN-1 firewalls.
Being part of a global WAN brings its own threats, so to secure the WAN connection Polysius employs an intrusion prevention system (IPS) from Check Point called InterSpect. “That was not driven by any corporate mandate as much as we had experienced some attacks back in the days of Sasser,” he notes. The attacks traveled over the corporate WAN, “over what should have been a trusted connection.”
Overall the IPS has done two things, he says. “It stopped things at the door, and also gave us specific visibility for remediation.” In other words, IT can now point to infected machines, even if they aren’t located in North America. That information brings political capital: showing other IT managers which of their machines are infected tends to get them fixed quickly. “Without having the specifics, it’s hard to get someone’s attention.”
Krochmal says InterSpect has performed as advertised. “It’s actually worked very well, I haven’t seen any issues, it was appropriately sized for our connection, and it’s done what it said it was going to do.” Furthermore, managing it, he says, requires “a minimum of effort.”
Beyond the IPS, Polysius employs a layered approach to endpoint security. For example, the company uses a filtering tool, SurfControl, to restrict the sites users can visit, and what they can do. “In addition to the categories within SurfControl, I have a list of a few hundred permitted sites, where you use the Internet Explorer settings for trusted or untrusted sites.” To maintain that list, “I have a pretty sophisticated log-in script, that when they log in, it checks to see what the current version is they have on their machine, based on my release, and will install or uninstall based on that.” Untrusted sites equal restricted options—no downloading, for starters.
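An added example, not Polysius’ own script, of the logon-script pattern Krochmal describes: compare the release version a user’s machine last applied against the current release, remove the previous release’s entries, and install the new permitted-site list into the Internet Explorer Trusted sites zone. The release file path, the marker key under HKCU, and the file format (first line “version=N”, then one registrable domain per line) are assumptions.

```powershell
# Assumed release file published by IT, e.g. on the NETLOGON share:
#   version=7
#   intranet.example.com
#   vendorportal.example.net
$ReleaseFile = '\\fileserver\netlogon\trusted-sites.txt'                         # assumed path
$ZoneMap     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$MarkerKey   = 'HKCU:\Software\ExampleCorp\TrustedSites'                          # assumed marker key
$TrustedZone = 2   # IE zone ids: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites

$lines   = Get-Content -Path $ReleaseFile
$version = [int]($lines[0] -replace '^version=', '')
$domains = $lines | Select-Object -Skip 1 | Where-Object { $_ -and $_ -notmatch '^\s*#' }

# Version check: if this user already has the current release, do nothing.
$applied = (Get-ItemProperty -Path $MarkerKey -Name Version -ErrorAction SilentlyContinue).Version
if ($applied -eq $version) { return }

# Uninstall step: drop every domain the previous release trusted, so retired sites lose trust
# instead of lingering in the zone after they are removed from the list.
$previous = (Get-ItemProperty -Path $MarkerKey -Name Domains -ErrorAction SilentlyContinue).Domains
foreach ($d in @($previous)) {
    if ($d) { Remove-Item -Path (Join-Path $ZoneMap $d) -Recurse -ErrorAction SilentlyContinue }
}

# Install step: one key per domain; the value name is the scheme, the DWORD data is the zone id.
# Only https is trusted here, so a plain-http copy of the same name stays in the Internet zone.
foreach ($d in $domains) {
    $key = Join-Path $ZoneMap $d
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'https' -PropertyType DWord -Value $TrustedZone -Force | Out-Null
}

# Record what was applied so the next logon can detect a new release and knows what to remove.
New-Item -Path $MarkerKey -Force | Out-Null
New-ItemProperty -Path $MarkerKey -Name Version -PropertyType DWord -Value $version -Force | Out-Null
New-ItemProperty -Path $MarkerKey -Name Domains -PropertyType MultiString -Value ([string[]]$domains) -Force | Out-Null
```

On a domain today the same list can be pushed without a script via the Group Policy “Site to Zone Assignment List” setting, which also stops users from editing the zone by hand.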
Polysius also uses “several different varieties of antivirus running on several servers, including our Exchange servers,” says Krochmal, including anti-spyware capabilities built into the latest version of Symantec AntiVirus Enterprise Edition. First, however, a BlueCat Networks Meridius Security Gateway, which sits in the DMZ, quarantines spam. “For a company of 75 people, we’re getting a million e-mails per month, and 98 percent of them are junk. So putting in a separate appliance outside the network was the way to go there.” Remaining e-mail then goes through a second spam filter, GFI MailEssentials. Only then is e-mail allowed to hit the Exchange server.
Beyond Detection
For the future, Krochmal wants to go beyond detection and quarantine misbehaving PCs until they’re remediated. “That’s still somewhat of a vulnerability. We have certainly the monitoring aspect of InterSpect as it looks back into our network, as it sees the traffic back there, so I’d be able to tell which stations are trying to do activity that wasn’t appropriate, but I don’t have anything that currently suppresses that,” he notes.
Already, Polysius has begun evaluating quarantining technology, starting with Check Point’s Connectra endpoint security product, “but it turned out I didn’t want to make that big of an investment right now,” he says.
Still, he likes the type of capabilities it would provide. For example, while the SSL VPN, which runs on Nokia boxes, now authenticates via RADIUS, “Connectra would allow us to go a step further, in conjunction with an endpoint security package, to actually allow it to scan an endpoint computer before allowing it on the network, so it checks for spyware, antivirus versions, and so on.”
While such technology hasn’t so far been in his budget, he foresees vetting PCs before they can establish SSL VPN connections. “I think that’s where we want to be, because we have more and more people doing VPN connections to us, and it’s a scary thing.”
Related Articles:
Q&A: The State of Endpoint Security
http://esj.com/Security/article.aspx?EditorialsID=1472
Case Study: Containing Endpoint Infections
http://www.esj.com/Security/article.aspx?EditorialsID=1453
About the Author
Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.