
Controlling the endpoint


Is it Cisco or Microsoft, the two 800-pound gorillas of the enterprise networking marketplace? Is it the Trusted Computing Group (TCG) and its 80 or so partners? Or is it one of a handful of other third-party vendors, including a few start-ups, that are pitching software- and appliance-based versions of what are also known as network-quarantine products?

Only time and market dynamics will tell, of course, says Robert Whiteley, a security analyst at Forrester Research, who believes we should have a better idea of how the network-quarantine market will shake out by the end of this year. Whiteley, who has covered the NAM space for about two years, says 2006 will be a very big year for deployment of NAM-type products.

"We've asked major enterprises three or four times across multiple surveys and we get about the same adoption rate each time," he adds. "Roughly a third to 40 percent of large networks have deployed it in some fashion or intend to deploy it this year."

Exactly what type of product they eventually will wind up deploying remains to be seen. Currently, there are any number of choices available, including stand-alone devices, such as ConSentry Network's LANShield, Mirage Network's NAC appliance, and Cisco's integrated Network Admission Control (NAC) solution.

But, in the rapidly evolving world of IT security, having such a wealth of options isn't anything new. However, combine the array of options with the fact that only one of the major solutions and a scant few of the point products are available now, and the market picture is unpredictable at best.

A wall doesn't help

After companies have used firewalls and intrusion protection/detection devices to build the biggest, tallest wall around their networks, and workers' PCs are still being victimized by security threats -- viruses, spyware, port scans -- what's the next line of defense? As Forrester's Whiteley points out, more and more enterprises are beginning to turn to products that give them the ability to either automatically update or quarantine an infected or unpatched PC.

The emerging network-quarantine products will allow IT administrators to enforce security policies on every client device that tries to connect to their networks, whether it connects via a wireless, wired or virtual private network (VPN) link. In operation, the quarantine solution scans the device against the enterprise's security policies, which can cover anything from ensuring the system is current on operating system (OS) patches to updating anti-virus definitions when it first tries to connect.

If the device's configuration is found lacking or it contains malware, it is either directed to download the appropriate patch or anti-virus signature, or is quarantined and kept off the network entirely.

When enterprises implement network quarantine, they have two basic choices: server- and port-based architectures.

As the name implies, the server-based system works in conjunction with server and desktop operating systems. The obvious leader in this camp is Microsoft's Network Access Protection (NAP) solution, which will be a part of Vista and the Longhorn server when these are released later this year or in early 2007. The server-based system quarantines by restricting IP addresses to prevent user access, typically using the Dynamic Host Configuration Protocol (DHCP) or by sending quarantine commands to a switch via a command-line script or the Simple Network Management Protocol (SNMP).

Two types of port-based systems have emerged: those that run on purpose-built appliances, such as those from ConSentry and Mirage, and those incorporated into an Ethernet switch, such as the system from Cisco. The appliance-based product can be built in three ways. Two use an in-band approach -- one relying on an authentication gateway that controls user access, the second on a hybrid gateway that mixes user authentication with LAN switching. Then there's an out-of-band gateway that issues commands to LAN switches using the Extensible Markup Language (XML), command-line scripts or SNMP.

The switch version is the most comprehensive of the choices and can handle the complicated network topology found in large enterprises. In this method, the switch provides the point of authentication enforcement, quarantining client devices using VLANs and media-access control (MAC) addresses.
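As an added illustration (not code from the article or from any of the vendors it names), the following Python toy models the admission check described above: each endpoint's posture report is scored against a policy to decide admit, remediate or quarantine, and the decision is then mapped onto the two enforcement styles, a DHCP restricted scope for the server-based approach and a VLAN assignment by MAC address for the port-based approach. The policy thresholds, posture reports, scope and VLAN numbers are all constructed for the example.

```python
from datetime import date

# Constructed example policy: minimum OS patch level and maximum anti-virus definition age.
POLICY = {"min_patch_level": 12, "max_av_def_age_days": 7}

def evaluate(posture: dict, today: str) -> str:
    """Check one endpoint's posture report against POLICY.

    Returns 'admit', 'remediate' (unpatched or stale AV: steer to the update)
    or 'quarantine' (malware present: keep off the network entirely).
    """
    if posture["malware_found"]:
        return "quarantine"
    av_age = (date.fromisoformat(today) - date.fromisoformat(posture["av_def_date"])).days
    if posture["patch_level"] < POLICY["min_patch_level"] or av_age > POLICY["max_av_def_age_days"]:
        return "remediate"
    return "admit"

def enforce(mac: str, decision: str, arch: str) -> dict:
    """Translate a decision into the enforcement action of each architecture.

    'server': DHCP hands out a lease in a restricted scope (no per-VLAN isolation).
    'port'  : the switch moves the MAC address to a remediation or quarantine VLAN.
    The scope and VLAN numbers are constructed placeholders.
    """
    if decision == "admit":
        return {"mac": mac, "action": "grant"}
    if arch == "server":
        return {"mac": mac, "action": "dhcp_restricted_scope", "scope": "10.99.0.0/24"}
    if arch == "port":
        vlan = 999 if decision == "quarantine" else 998
        return {"mac": mac, "action": "assign_vlan", "vlan": vlan}
    raise ValueError(f"unknown architecture: {arch}")

# Constructed posture reports from three endpoints on the day they try to connect.
ENDPOINTS = [
    {"mac": "00:11:22:33:44:01", "patch_level": 12, "av_def_date": "2006-05-30", "malware_found": False},
    {"mac": "00:11:22:33:44:02", "patch_level": 10, "av_def_date": "2006-05-30", "malware_found": False},
    {"mac": "00:11:22:33:44:03", "patch_level": 12, "av_def_date": "2006-04-01", "malware_found": True},
]

def admission_run(arch: str, today: str = "2006-06-01") -> list:
    """Run the admission check for every endpoint and return the enforcement actions."""
    return [enforce(e["mac"], evaluate(e, today), arch) for e in ENDPOINTS]

if __name__ == "__main__":
    for arch in ("server", "port"):
        print(arch, admission_run(arch))
```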

Each of the approaches has its downside. Using appliances, for instance, requires placing a box on each network segment to be monitored. That can be an expensive solution considering they cost on average about $20,000, notes Whiteley.

With the switch method, enterprises must upgrade their switches to support several new technologies, including the 802.1X policy-enforcement standard -- another cost-prohibitive and/or politically charged move in many IT organizations. And the server version can't quarantine infected or non-compliant users to specific subnets or VLANs.

As a result, most enterprises will likely rely on a combination of the two basic methods, Whiteley explains. Initially, analysts expect them to use server-based products in business units and departmental situations, gradually migrating LAN and remote-access users to port-based solutions.

In any case, such a deployment is a 12- to 18-month process, according to Whiteley.

A varied mix

Exactly which products companies will use remains to be seen. Microsoft and Cisco, along with the Trusted Computing Group and a few of the other usual players in this space (read: McAfee and Symantec), are certain to be among the select few.

As noted, Cisco and Microsoft have both announced quarantine initiatives. But a third, non-proprietary effort called Trusted Network Connect (TNC) is also in the works. This effort is led by the Trusted Computing Group, a consortium of technology vendors that develops open standards for trusted computing and networking devices.

All three share a similar architecture: each requires a client-side component, a policy engine/administrative server, and an interface that allows each to work in conjunction with third-party endpoint security systems, such as anti-virus applications or patch-management solutions.

Cisco, of course, wants to control the network environment, while Microsoft is gunning for the server and desktop portion of the NAM market.

Cisco's NAC will come in two forms -- an embedded version called its NAC Framework and a dedicated device. Both are "in the early stages," admits Russell Rice, director of product marketing in the company's security technology group. Still, with a few pilot projects in the works, "we'd like to think we're leading the pack," he says.

Microsoft also has "customer deployments today in selected beta sites," says Mike Schutz, a group product manager in the company's networking and security unit. Its NAP, as noted, is integrated directly into the desktop Vista and server Longhorn products.

Steve Hanna, a consulting engineer at Juniper Networks, and co-chairman of the TNC subgroup within the TCG, says, "We are already well into deployment, with a couple of customers using the specifications, while the standards work continues." The TCG "is continuing to add to the standard," he says, but that hasn't stopped vendors from developing products that conform to the current TNC revision.

The TCG lists nearly 130 partners. Cisco and Microsoft each say they have more than 60 working within their initiatives. These include the likes of Symantec, McAfee, Check Point Software and Funk Software.

Meanwhile, McAfee announced its Policy Enforcer 1.0 at the annual RSA Conference earlier this year in San Jose, Calif. Policy Enforcer is a NAC offering that uses several of the company's existing products, according to Eric Winsborrow, the company's vice president of product marketing.

Jim Carr is an Aptos, Calif.-based freelance business and technology writer. Contact him at [email protected].

QUE SERA: And the winner is...

None of the three network-access management products in development have much in the way of mindshare among enterprise users yet, says Joel Conover, the principal analyst for enterprise infrastructure at research firm Current Analysis.

According to a recent survey of enterprise IT personnel by Current Analysis, 40, 32 and 31 percent had heard about but were not familiar with Microsoft's NAP, Cisco's NAC, and the Trusted Computing Group's TNC, respectively, he says.

That clearly points out that "people don't identify with any particular one in terms of having confidence that that vendor is the technology leader," Conover says.

Conover and Forrester Research security analyst Robert Whiteley have differing views on how this unholy trinity will shake out in the long-term.

Whiteley believes Cisco and Microsoft will make good on public announcements to make their initiatives interoperable. The two solutions operate at different points within the enterprise network -- at the server, or Active Directory, level for Microsoft's NAP, and at the switch or router layer for Cisco's NAC.

Conover says Microsoft is more apt to align itself with the TNC effort. He believes Microsoft will be unwilling "to give up control of the desktop agent" required in the modular architecture each has developed. Microsoft has said it will support the Trusted Platform Module (TPM), the client component championed by the TCG.

Whiteley, however, believes the vendor consortium's plan will "get lost in gridlock, and Microsoft and Cisco will fight it out." -- Jim Carr

DEPLOY OR NOT: A NAC for your needs

Network access control can be a powerful tool, but it runs the risk of being too powerful, potentially causing network disruptions that make the cure worse than the disease. According to Mike Rothman, president and principal analyst for Security Incite, it is critical to watch your steps carefully when choosing a NAC solution and rolling it out. In a recent ForeScout webinar entitled "Deploying Network Access Control without Disruptions," Rothman went through the paces of NAC deployment.

His NAC deployment philosophy is to promote evolution rather than revolution when implementing these solutions.

Rather than rebuilding your network to accommodate NAC, it should be the other way around, he said. In order to do this, he suggested going through a process of introspection before choosing a vendor and deploying NAC. During this process, he said to consider the following factors.

Decide what you are trying to protect, and who you are trying to protect things from.

Ask yourself where you want to deploy NAC. Do you want to place it inline or out of band? Do you want to secure all of your access points, or just your conference rooms and lobbies?

How do you want to enforce your policies? This means deciding on what level of policy granularity you want to impose, figuring out how much access to give to your quarantine network, and determining whether you want immediate remediation.

How are you going to integrate with the existing network? Factor in what tools you already have in terms of endpoint security, IDS/IPS and vulnerability management.

Before deployment, you must do an infrastructure assessment. Figure out how much of an investment you have to make to get infrastructure up to snuff to work with the NAC solution before signing on the dotted line.

-- Ericka Chickowski
