How to curb those dispersed users

It's not always fun at the YMCA, especially when someone has introduced a network worm into the system. Not long ago, an employee at the YMCA of Columbia-Willamette in the US accidentally unleashed a worm on the association's network when he took home a laptop that had been in storage. It didn't have the latest patches and anti-virus signatures, so when he connected it to his cable modem at home, it became infected. And when he plugged it back into the network, the worm spread through the organisation.

That incident, which sent the YMCA technicians scurrying to repair the infected machines, plus the hazards posed by insecure clients, showed just how easily security could be breached. With employees accessing the network remotely via VPNs, connecting from their home PCs, or sometimes using personal laptops, the technicians were kept busy.

So they decided to try out technology from StillSecure to check whether PCs have the latest patches, virus definitions and are worm- and virus-free before they are permitted network access.

"We were always worried about potential viruses and worms being brought in from the outside," says Even Quach, an IT technician at the Portland, Ore.-based YMCA.

Quach even had to make home visits to those who were allowed to connect from home via VPNs to make sure their PCs were clean. "The problem is how to ensure these computers are up-to-date all the time? I don't have control over their home environments," he says.

Like the YMCA, many organisations are looking to protect themselves from threats introduced by individual PCs, and other endpoint devices, at the same time as opening up their networks to partners, contractors and suppliers. The task is made harder by an increasingly mobile workforce and the growth of wireless access, which opens up the network to a host of new dangers.

"The phenomenon of the disappearing perimeter has forced us to refocus a lot of our security protections on the individual endpoint systems," says Phil Schacter, an analyst at research and advisory services firm Burton Group.

Much of this is due to new ways of working, as Scott Olson, senior vice-president of marketing at WholeSecurity, explains: "Employees are now demanding anywhere, anytime access."

The network has become boundary-less, he adds. It is defined as where employees are, rather than where the company's buildings are, making traditional network security less effective because it is focused on keeping attacks out of a hardened perimeter, while assets are moving outside that perimeter.

There are several solutions for locking down endpoints, including anti-virus protection, personal firewalls, intrusion prevention, and patch management systems. But an emerging technology that has generated growing interest is the kind of policy-enforcement system used at the YMCA. Before allowing a device to connect to the network, it checks the client's security, such as the level of its anti-virus protection, patch status, and whether it has a personal firewall.

Several companies provide this kind of solution, ranging from small startups to security stalwarts Check Point and Symantec. Networking giant Cisco got into the act last year with its Network Admission Control programme and Microsoft is incorporating "health-checkup" technology into its software.

Matthew Kovar, analyst at research and consulting firm Yankee Group, predicts that 95 percent of corporations will deploy some endpoint security strategies within the next five years.

If the first wave of security was all about protecting the perimeter, the second wave of investment is focusing on endpoint security, according to Bill Scull, Sygate Technologies senior vice-president of marketing.

"It was a simpler time. If you protected the inside from the outside, you could do a credible job," he says. "Now, that's not enough. It's not that you should take that away, but by itself it doesn't fully protect networks from breach."

A big reason for that, he continues, is the shift away from private dial-up networks, which are not easily hacked into, across to VPNs.

Add wireless access to VPN connectivity, plus opening the network to partners, and the perimeter has become a veritable Swiss cheese, notes Adrian Vanzyl, CEO of Seclarity, a startup that makes hardware-based endpoint security products. And with all that anywhere-anytime access, the threats for organisations have multiplied.

Indeed, Fred Felman, vice-president of marketing at ZoneLabs, a division of Check Point Software Technologies, warns: "It's pretty phenomenal how much risk organisations are taking on with the expansion of access."

There are two primary concerns for large enterprises: the fast-spreading, fast-mutating worms that devastate users as well as IT productivity; and the targeted attacks that try to pick off specific pieces of information or intellectual assets.

The total risk profile has "gone through the roof," declares Dennis Brouwer, senior vice-president of business development at Endforce.

"You've gone from just having someone look at your data to having a rogue application on your network that can bring the entire enterprise down for an hour, a day or even a week."

For instance, he says, the Blaster worm, which tore through corporate networks a year ago, was something of a wake-up call for many companies in terms of endpoint security. He reports hearing "some real horror stories."

At the YMCA, however, enforcing security policies at the endpoint not only prevents virus outbreaks, explains Quach, but also makes sure that systems do not have spyware that can leak any confidential information, or bandwidth-hogging peer-to-peer applications.

"We have tons of childcare centres, and the information we store on each child is amazing. We have to do everything we possibly can to secure that data," he says.

Organisations are turning to technology that enforces security policies at the client level because they cannot rely on end users to maintain anti-virus software, patch management systems and personal firewalls, states Endforce's Brouwer. Without an enforcement framework, he says, there is nothing "to ensure the software you buy and distribute is used properly and kept up to date."

Enforced compliance removes the human element from all of this. "It means that administrators don't have to guess whether the endpoint is actually patched and up-to-date," says Stacey Lum, president of network security specialist InfoExpress.

Cleaning up in-house

Companies also realise that they need to enforce policies on clients connecting within the LAN, not just remotely.

"The weekend warrior unplugs his laptop, takes it home, and might or might not come back to the enterprise LAN over the weekend. On Monday morning, after being on the internet for up to 48 hours, he comes back to work, walks past the firewall and plugs it into the LAN," says Brouwer. "At that point, you have the same requirement to do active endpoint enforcement as you would for remote users."

Solutions that ensure client integrity use different techniques to inspect systems. Some, like WholeSecurity, inspect remote systems via a downloaded ActiveX control, while others use client-side agents. StillSecure's Safe Access is agentless and tests devices through a common gateway.

Despite the differences, there are common features that companies should look for in endpoint protection, say security executives. For instance, when a system detects that a user's machine doesn't have the proper security, it needs to help users get their system patched or otherwise secure.

"The end game is not to block people from network access, but to make sure they're secure when they do access it, otherwise the company would pay a productivity hit," says Sygate's Scull.

Moreover, a system needs to point users to a place where they can come into compliance without having to call the help desk.
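As an added illustration (not code from the article or from any vendor it names), here is a minimal admission-check policy of the kind described above: it evaluates the three checks the text lists (anti-virus currency, patch status, personal firewall) and applies the remediation-over-blocking principle, quarantining a non-compliant host with fix-up steps and a self-service link rather than simply refusing it. The Posture and Policy shapes, the threshold values, host names, patch list and URL are all assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Posture:
    """Constructed posture report collected by an agent or gateway scan."""
    host: str
    av_signature_date: date      # date of the newest anti-virus definitions
    installed_patches: set[str]  # patch identifiers reported by the client
    firewall_enabled: bool
    malware_found: bool = False  # result of the pre-admission worm/virus scan

@dataclass
class Policy:
    max_signature_age_days: int
    required_patches: set[str]
    remediation_url: str         # self-service fix-up page (hypothetical)

def evaluate(p: Posture, policy: Policy, today: date) -> tuple[str, list[str]]:
    """Return (decision, remediation steps): non-compliant hosts are QUARANTINED
    with guidance, not simply blocked; only an infected host is BLOCKED."""
    if p.malware_found:
        return "BLOCK", ["clean the infection and re-scan before reconnecting"]
    steps = []
    age = (today - p.av_signature_date).days
    if age > policy.max_signature_age_days:
        steps.append(f"update AV signatures ({age} days old, max {policy.max_signature_age_days})")
    missing = sorted(policy.required_patches - p.installed_patches)
    if missing:
        steps.append("install patches: " + ", ".join(missing))
    if not p.firewall_enabled:
        steps.append("enable the personal firewall")
    if steps:
        steps.append(f"then re-check at {policy.remediation_url}")
        return "QUARANTINE", steps
    return "ALLOW", []

# Constructed sample policy and endpoints; MS03-026 and MS04-011 are real Microsoft
# bulletin numbers used here only as example patch identifiers.
POLICY = Policy(7, {"MS03-026", "MS04-011"}, "https://remediate.example.invalid/")
TODAY = date(2004, 9, 13)
ENDPOINTS = [
    Posture("ymca-laptop-01", date(2004, 8, 30), {"MS03-026"}, False),   # back from storage
    Posture("clean-desktop", date(2004, 9, 12), {"MS03-026", "MS04-011"}, True),
    Posture("infected-guest", date(2004, 9, 12), {"MS03-026", "MS04-011"}, True, True),
]

def sample_results() -> dict[str, tuple[str, list[str]]]:
    return {e.host: evaluate(e, POLICY, TODAY) for e in ENDPOINTS}
```

Calling `sample_results()` quarantines the stored laptop with three fix-up steps plus the re-check link, admits the desktop, and blocks the infected guest until it is cleaned.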

Manageability is also crucial for endpoint security. ZoneLabs' Felman says that it is important, with thousands of endpoints, to have a management platform that is easy to operate. "After all, if you can't manage it, you're not going to use it," he points out.

Compatibility is yet another essential feature. It is important to make sure that whatever solution is selected will embrace the VPN vendors, the switches that are in place and make best use of the security investment already made.

Users are likely to face a range of options. One powerful contender is Cisco Systems, with its Network Admission Control (NAC) programme. But as Endforce's Dennis Brouwer explains, NAC is fundamentally a Cisco solution, and while companies tend to have heterogeneous security infrastructures, the fact that Cisco – with its market dominance – has entered the endpoint security arena indicates just how important a technology it is.

David King, director of business development in Cisco's VPN and security business unit, says the vendor developed NAC to give customers a way to deal with virulent, fast-spreading worms and viruses. "It was clear that historical ways of dealing with the problem weren't working," he recalls.

NAC enables Cisco routers and other equipment to block or restrict network access to devices that lack anti-virus updates or operating system patches via the Cisco Trust Agent, which sits on endpoint systems, collects data from security clients and relays it to the network. NAC, which became available in June, is a cooperative effort with Network Associates, Symantec, Trend Micro and, more recently, IBM.

While Cisco develops NAC, Microsoft has its own endpoint security plans, which include shipping Windows Server 2003 Service Pack 1 with VPN-based client inspection. In July, the company announced Network Access Protection Technology, describing it as an "extensible standards-based technology," which will be available in an update of Windows Server 2003, codenamed R2, next year. The technology determines whether a client is compliant with security policies before it is allowed network access, isolates non-compliant systems and can update them. So far, more than 25 companies, including McAfee, Symantec and Trend Micro, support the technology.

Meanwhile, the Trusted Computing Group – an open industry standards body – is developing the Trusted Network Connect specification for multi-vendor networks. Due for release later this year, the specification will provide a common architecture for solutions that enforce endpoint security. Vendors involved in this include Extreme Networks, Juniper Networks, InfoExpress, and Sygate.
