It is good to see the big boys of IT playing nicely when it comes to security. Only two months ago, Cisco and Microsoft were battling it out for the hearts and minds of the industry with competing security architectures.
Their standards, Microsoft's Network Access Protection (NAP) and Cisco's Network Admission Control (NAC) were trumpeted as being the cure for the problem of endpoint security. Now the two have engaged in a game of "show me yours and I'll show you mine."
Cisco is sharing parts of NAC with Microsoft. In return, it will lift the veil on its own technology, said to be in the late stages of development. The eventual goal now seems to be interoperability between NAC and NAP. There will also be work on driving and implementing industry standards in access control and network admissions.
There is also work under way by the Trusted Computing Group (TCG) on the "Trusted Network Initiative." Microsoft is a member of the TCG, while Cisco is not. There seems no lack of choice when it comes to standards and to most people, they are confusing.
Some experts in the industry believe NAC and NAP are not about creating standards, but clever marketing. Miles Clement, project manager at the Information Security Forum, says the latest pronouncements from Cisco and Microsoft will be used as tactical plays by organizations in the absence of any other strategy (or until something better comes along to supplant these efforts). Otherwise, the difficulties of deploying such technology could mean that the majority of companies will muddle along as before.
"These will be costly to implement and people might well ignore them," says Clement. "The level of complexity might put people off." Complex or not, the idea of "secure the endpoint" comes not from big vendors, but from people on the ground pressing for new solutions for changing environments.
This latest collaboration is symptomatic of the increasing need for organizations to secure not only the perimeter, but areas beyond it.
User groups such as the Jericho forum are foretelling the end of the traditional network perimeter and the scaling back of security to an inner core of servers, and making sure anything that accesses this inner core has the right credentials as far as patches and anti-virus updates are concerned.
The problem is getting worse as companies open up their networks, not only to business partners, but also to third-party contractors and temporary staff. Also of consideration is what happens when mobile users come back from business trips and connect a laptop to the corporate network.
The laptop has probably been exposed to viruses and worms while connected to other corporate networks or wireless hotspots, so the need for some form of control is necessary. Is the task too great for the corporation?
Clement says that most firms believe that they are not able to enforce policy and control their networks the way they think they should. He adds, "The view currently held is it is difficult to maintain perimeters in the way we used to ten years ago."
The world was a different place, with most networks existing as isolated islands and fewer networks having WAN links via leased lines. As there were fewer links, there were fewer points of entry into the network. For the most part, viruses entered the network via floppy disks. Endpoint security was all about scanning floppies for viruses and trying to disinfect them.
Third parties, such as contractors and temporary workers, are now the most worrying threat to corporate networks. Clement says contractors and temporary workers "punch holes in the network" when they are connected to one network and then try to connect to their own corporate network.
"Before they connect to a network, you need to make sure policy is being enforced on their devices," says Clement. "The reality is you can't enforce policy on these third parties."
With third-party devices seemingly beyond the control of the network administrator, how does one control the uncontrollable? The trend within organizations is that people are starting not to trust any endpoint device that is not controlled by the organization.
Those organizations trying to get to grips with this task are defining different levels of trust for different types of users. Also, security has to be built into every point in the network and not just at the interface between the LAN and the outside world.
Previously, everyone on the inside of the network was assumed to have the same level of trust. These domains were protected from one another by internal firewalls and perimeter security. Trust within these domains could be defined by geography or job function.
The new thinking is to add secure access control and authorization directly around core servers and network infrastructure. This is also thought to give servers a defense against trust-based network threats within the infrastructure.
While this new thinking is gaining ground, and by all accounts is coming from the ground up in forms such as the user-led Jericho forum, many companies have a usable infrastructure in place that is unlikely to be ripped out completely and built from scratch. Some companies, such as Aventail, are touting SSL VPN as one solution that can be put in place for access control within the organization.
"The firewall is like the ticket office in an airport," says Chris Witeck, senior product manager for Aventail. "An SSL VPN is more like an X-ray machine. It can check everything."
The argument is that SSL VPNs already provide secure access to internal resources from untrusted devices from the internet. It is not a great leap of the imagination to do exactly the same thing, but provide secure access within a deperimeterized infrastructure.
This means internal and external access can be treated in the same way. Companies such as Check Point argue that a consistent approach has to be taken when enforcing policies. This does not mean that this is a "one-size-fits-all" enforcement. Rather it is a series of logical steps that can be taken to ensure uniform security that protects all infrastructure regardless of whether access is from inside or outside the company.
"Increasingly, servers and desktops within the organization are considered to be endpoints too and these have to be managed," says Dr. Dorit Dor, vice-president of products at Check Point Software Technologies.
Dorit maintains that the management of all endpoints has to be consistent for it to work throughout the enterprise. This means the administrator can control both internal and external access in the same way. At the same time, the administrator can tailor different policies for different entities.
"Remote-access products will have different enforcement practices to those used internally," says Dor. "For partners, these would be tailored differently."
She adds there would be a point when there would be a trade-off as companies would support partner systems less than they would their own users to make the system work efficiently.
Check Point has its own endpoint security initiative called Total Access Protection. This appears to be similar in vein to Cisco and Microsoft's efforts, but to have been around longer.
Dor adds that since Check Point created the term "stateful inspection" and the rest of the IT security industry took the term and used it to describe their products, she thinks the term "cooperative enforcement" will be co-opted by other companies in order to describe how organizations secure the endpoint.
The term outlines how an organization uses its technology to ensure that any endpoint accessing its resources does so only when specific criteria has been met.
These criteria could be up-to-date patches for operating systems or current anti-virus signatures. Dor believes the future of endpoint security belongs to this strain of technology.
"NAC and NAP are just marketing. They'll (Cisco and Microsoft) have a system that resembles cooperative enforcement," says Dor. She adds that something will evolve from cooperative enforcement and that it will itself become a standard much in the same way as stateful inspection has done.
But whether it is Cisco, Microsoft, Check Point or Trusted Network Initiative, some analysts have warned organizations that it will be best to carry on as usual until the big players actually follow sentiment with substance.
"This particular sort of security service requires cooperation between network components and the OS, so there would be a tremendous benefit if these two giants actually do cooperate to deliver compatible solutions," says Jay Heiser, VP, director of research at Gartner. "So far, Microsoft and Cisco have given no evidence, such as roadmaps or schedules, that they are actually going to cooperate in this area."
Heiser adds that there is no benefit to the wider community when companies compete on standards. In the meantime, we are stuck in a situation where PC security is dependent on keeping devices up to date.
Heiser says the most expedient solution for laptops seems to be an automated system that ensures up-to-date compliance before giving them the opportunity to harm the enterprise.
"This burgeoning security functionality is too important to be controlled by any single vendor," states Heiser.
It would seem that patching and endpoint security are becoming inextricably linked to each other. Although Clement says the industry originally believed the two were separate, "but now realize they are totally entwined."
There is a shift away from the "scan, block and quarantine" approach to endpoint security to a method where there is an enforcement of approved secure configurations on endpoint devices.
This would mean the endpoint would have to be patched up before being allowed anywhere near the corporate network.
While this would work for the road warriors and their laptops, it is not so clear cut when a road warrior might have to access resources via a public terminal. That public terminal may have certain security policies enforced by the owner that could conflict with the security policies set by the enterprise.
So there will have to be a middle way, where some devices will be allowed to access resources once they have jumped the requisite hoops, while other devices will either have limited or no access to corporate data.
Who will prevail in this battle? The big two in this arena have worked out for themselves that it is better to work together than work against each other, although some believe there is a lack of hard evidence to support this.
There are other companies that are promoting their own way of doing things. Analysts and experts are urging companies to think about endpoint security strategically.
Probably the best solution would be to follow what is happening and take the best ideas that come out of the field and apply them to the situation. This is more about following basic security principles than having complicated admission controls or policies.
Security professionals need to have systems in place that will circumvent the need for users to be educated enough to patch their devices and make sure their anti-virus signatures are current.
Vendors will also need to work harder to ensure that endpoint security works across a range of systems and not just a favored few operating systems and network devices.
