In-Depth

Q&A: Securing Your Endpoints

Endpoints pose security risks to an enterprise, but identifying those endpoints can be IT's biggest challenge.

• By James E. Powell
• 10/28/2008

As IT gets threats to its existing infrastructure under control, it must focus on securing endpoints -- protecting everything connected to its network, such as mobile devices and even printers. One big problem for IT: identifying the endpoints it has.

We discussed the dangers posted by endpoints, why devices aren't "known," and what IT can do about the problem, with Steve Pettit, president of Great Bay Software.

Enterprise Strategies: What are the dangers endpoints pose to the security of an enterprise, and how have these dangers changed in, say, the last 3-5 years?

Steve Pettit: Three to five years ago, the risk of rogue or unmanaged endpoints was centered on network availability. At that time, the worms and viruses that were seen were traveling over networks in obvious and destructive ways and looking to proliferate for the purpose of bringing PCs and networks to their knees.

Today the risk associated with unknown endpoints is focused on the protection of corporate information and as an impediment to achieving the unification of business process and corporate security. However, the concerns around network availability are still valid.

Why can't these devices be "known" to the network or security administrator? What's getting in the way of discovery?

It isn't that they are completely unknown, but rather that the level to which they are managed may not be suitable for some of the current initiatives in IT. The challenges to managing these assets are on multiple front and include the fact that the mobility of many of these endpoints is more profound than believed, the fact that endpoints are added by numerous departments in the enterprise without consultation or coordination between departments, and the fact that the administration of these endpoints is frequently performed by multiple departments in an independent way.

As an example, VOIP systems, facilities monitoring, WLAN, and physical security are all discreet functions within independent departments, each with its own set of network attached devices and management systems. This is but a small sample of devices that exist in the enterprise that will not actively participate in the NAC or authentication system, but require network access.

How big is this problem? What percent of devices can't be authenticated?

It depends somewhat on the vertical market and the deployment of different IT services, but the numbers that we've seen are fairly constant at 50 percent of network attached devices being non-authenticating hosts. In VOIP enabled network we see approximately 66 percent of endpoint being non-authenticating.

In an earlier conversation you and I had, you mentioned printers as one of the types of devices that pose a threat, but printers are output-only devices and can't be infected with a Trojan or other vulnerability. What threat do printers pose?

To date, printers have not been a threat in terms of being a large target for worms, botnets, and malware, but there are IT security issues related to these devices and others that merit consideration. For example, if you deploy network-based authentication leveraging a CA for machine authentication and AD for user authentication, you've made a lot of progress in securing access to the network. The awkward realization, though, is that anyone possessing the MAC address of a printer in that network will receive network connectivity without any challenge from the authentication system -- which certainly negates some of the value of the project.

In addition, specifically addressing printers, it's worth noting that printers are a frequent destination for some of the most critical corporate information in the form of print jobs, so if you wanted to gather information from within a network, why bother with the servers and PCs (which are well secured) when you can simply man-in-the-middle print jobs?

Are there particular devices that pose a bigger threat to an enterprise than others?

To reiterate an earlier point, it isn't that certain devices are a greater risk, but rather that securing network access for all enterprise owned assets is a meaningful goal. You could create all sorts of interesting scenarios where certain devices are more or less of a threat, such as disabling air conditioning systems, locking everyone out of the building by disabling the door access systems, or knocking out the phone system. The reality is that the goal for most customers is protecting corporate information and system uptime and less about securing against far-fetched attack scenarios.

How has IT been handling this problem?

Well, we've seen a number of projects stalled explicitly because of this issue, although my visibility is probably skewed by the fact that Great Bay is frequently engaged by potential customers who have discovered the issue and sought us out to solve it. In other cases, customers have gone to alternate methods of controlling network access; sometimes manual, some using proprietary systems, and some making trade-offs with reduced goals relative to the original set of objectives.

What does Great Bay offer to address these endpoint problems?

The Beacon system really addresses the two most critical items in this problem space; endpoint discovery and identity monitoring. These two functions provide the IT administrator with a working real-time view of everything connected to the network with supporting contextual information like location, address, identity, and behavioral attributes. This is the information that is required to address numerous compliance related activities, to provide a foundation for deploying network-based authentication or NAC, and for monitoring the behavior of the endpoints for continuous verification of the endpoints identity.

This is a different problem space than asset management or vulnerability assessment tools both in term of technology and results and the proof is that most enterprise networks have these tools already in place, but the market acceptance for Great Bay's Beacon continues to increase.