The Shape of Endpoint Security to Come
Will 2006 be the year of endpoint security? A number of network-access-control approaches are finally coming to fruition.
Will this be the year of endpoint security?
“There is a lot of talk in the security market about ‘network access control,’” notes Jeff Wilson, principal analyst at Infonetics Research, and for good reason: current networks are full of security holes. Network Access Control (NAC) seeks to fix that by hardening the endpoint—not coincidentally the locus of viruses, worms, Trojan horses, and other favored methods for targeting corporate information and computers.
In short, if companies can better protect their endpoints, they can better defend against many prevalent attacks. That’s why “NAC is really the holy grail of network security,” Wilson says. Even so, getting it right will be “no simple feat, as it will impact all types of products, from client software to security appliances to network infrastructure to the back end.”
To be effective, endpoint security will require a range of new types of software and hardware, including endpoint-security appliances and improved network-infrastructure equipment. Accordingly, Infonetics forecasts the overall NAC enforcement market will grow to $3.9 billion by 2008, up from just $323 million last year, a 1101 percent increase.
NAC Standards and Shortcomings
Just what is NAC? Confusingly, people often refer to NAC in general terms or point to Network Access Control from Cisco, a still-in-development standard which relies on latest-generation Cisco hardware (such as Catalyst switches and Aeronet wireless products).
Regardless of approach, an idealized look at network access control might conclude it involves any device (such as a PC or PDA) that is first examined for compliance with security policies (including patch levels and antivirus signatures). If the machine is out of compliance—whether when first requesting access or at any point thereafter when still connected—the device gets shunted into a network quarantine and is only given enough access to receive pushed patches (or other necessary updates), to block attackers from exploiting vulnerabilities on the machine, or to block existing exploits from propagating. Once the machine is in compliance, it’s readmitted to the network.
That’s a simplified, holistic, best-case approach to endpoint security, and to achieve that, Cisco’s NAC is just one of several actual endpoint-security standards that have been proposed. The others include Microsoft’s Network Access Protection (NAP) as well as the Trusted Computing Group’s Trusted Computing Module (TCM) and Trusted Network Connect (TNC) standards.
Still, none of the currently suggested standards is complete. Whether all of these standards will usefully come to bear on enterprise security is also questionable. Microsoft’s NAP, for example, garners criticism for seeming less like a standard and more like a laundry list for products—some seemingly tangentially involved in endpoint security—which many security vendors would like to eventually make interoperate.
Inversely, experts chide Cisco’s NAC because it only supports a network with Cisco hardware. That is unrealistic for most enterprises, simply because of the near impossibility of deploying a latest-generation, NAC-compliant Cisco infrastructure anytime in the near future, given the projected cost of so much new gear.
Furthermore while the network fabric is a useful place to control access—especially if connections can just be blocked outright—such an approach probably won’t be the final say in endpoint security. “Switches are great points of enforcement, but the operating system running on them and tools available for them haven’t really let people take advantage of switches, security-wise,” notes Brett Helsel, CEO and president of Lockdown.
Finally, TNC alone also won’t solve the endpoint security problem, since it presupposes laptops requesting network access already have a TCM—a chip—installed. While many laptops now ship with a TCM, there will always be network-capable machines in the enterprise without such chips. Without that module, TNC alone can’t help an organization know if a PC requesting network resources is friendly.
Eventually, of course, not only NAC and NAP, but also TNC, could work together; it may be a necessity for any one to be relevant. Even so, a variety of products have already reached the market offering different facets of NAC, including quarantining and pushing patches. Thus, any standards may be reverse engineered rather than baked in.
Network Access Control: Beyond the Endpoint
Companies considering adopting endpoint security must remember that NAC isn’t just about endpoints. “We talk about endpoint security, but we forget that there are two needs: the end the laptop is on, but also the infrastructure,” notes Grant Asplund, president and CEO of MetaInfo. “Unless you build a solution that includes both of them, you don’t have a solution.”
Another oft-heard criticism—at least between vendors-- is that some security technologies, which may have fared poorly in the market, are being rebranded as “endpoint security.” “The particular challenge the industry has now in NAC is that most of the solutions being deployed now as NAC are not really NAC. They’ve been created by people with existing products who are trying to piggyback into the market,” says Helsel.
Of course, at some point the problem is a question of semantics, since “endpoint security” means so many things to so many vendors. Indeed, if 2006 is the year of endpoint security, endpoint security is unhelpfully also the year’s buzzword, as a dizzying number of approaches attests. For example, as Mitchell Ashley, chief technology officer and vice president of customer experience at StillSecure, notes, there are multiple methods (often used together) for testing endpoints before allowing access, including using a software agent already installed on the PC, pushing a software agent (via ActiveX), or taking an agentless approach. For enforcing NAC policies, approaches include 802.1x, RADIUS, Cisco’s NAC architecture, in-line scanning (packet-based threat detection), and DHCP.
Furthermore, endpoint security isn’t just about quarantining computers on the network until their antivirus signatures and patches are brought up to date. Already, some organizations are looking to tailor who gets access and how much each user receives. For example, Helsel notes that one Lockdown customer—a well-known university he can’t name—rolled out endpoint security technology over the recent holidays, “because they’re all worried about the impact of the Xbox 360 on their networks—for some reason it’s not other gaming platforms—and want to shunt all of the Xboxes into an Xbox-only VLAN.”
Such network functionality requires more-recent equipment. Even if organizations don’t adopt Cisco’s NAC, they do expect to budget an upgrade, to make at least some of their network infrastructure more endpoint-security friendly. For example, switches new enough to be VLAN-compatible makes quarantining much easier when used with many endpoint security products, since out-of-compliance machines can be shunted into their own VLAN, where they can’t access anything besides a NAC server.
A variety of appliances already give companies endpoint-security capabilities without having to enact major upgrades. For example, a quarantine with restricted network access is a good place to start, especially if it can push needed updates—new antivirus upgrades, operating system security upgrades, spyware eradication, or the like—and cause users to perform the necessary repairs themselves. This saves IT from having to dispatch a technician, and lets users get up and running more quickly, saving productivity all around.
In fact, could endpoint security end up (at least in some part) as self-service security for end users? The potential for support-desk poetic justice (user, heal thyself) aside, that may just become how users perceive endpoint security. Still, given the profusion of standards, frameworks, and point products, not to mention a market poised for rapid expansion and consolidation, the precise final shape of NAC remains anyone’s guess.
Beyond Malware, SOX, and Data Breaches: The 2006 Security Forecast
Case Study: Polysius Takes Layered Approach to Endpoint Security
Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.