Inevitably, the process of discovery leads to the creation of information. And at PNNL, much of that unearthed information is sensitive - the laboratory is home to numerous research projects related to national security.
It is not surprising, then, that Todd Krahenbuhl has been concerned about PNNL's situational awareness in regard to endpoint security for some time now. The network security engineer for PNNL is responsible for building and securing the laboratory's IT infrastructure.
Starting in 2004, Krahenbuhl and his team began looking at tools that would help the laboratory enforce endpoint security policies.
"We were looking to protect some of our more sensitive hosts, as well as protecting laptops [out] on business travel, and giving them added protection when theyÕre away from the laboratory," he says. "In doing so, we were really looking for a product that could define different policies depending on what network you were on and other characteristics of your host's system."
The problem, Krahenbuhl says, was that in such a free-flowing scientific environment he had to contend with locking down an extremely heterogeneous network of endpoints.
"Being a multidisciplinary laboratory and having scientists in all different fields, we have people running everything under the sun," he says. "We have Windows, we have Linux, we have different flavors of UNIX, we have Macintosh. Additionally, after reviewing applications from a security standpoint, people are allowed to run whatever they need to use [on these systems] to best get their job done."
While on the hunt for the right endpoint solution, Krahenbuhl made an effort to talk to other security practitioners for advice, but quickly found that his situation was fairly unique.
"Speaking with CISOs at the RSA Conference, some of them had an easier time deploying an endpoint solution no matter who it came from because their desktops were far more uniform than ours," he says.
Vendor pick gets acquired
During a trial held in 2004, Krahenbuhl said that he wasn't looking for perfection, just for the product that would give him the fewest problems, and for the vendor that he knew would be most responsive to PNNL's concerns.
"We were looking for a solution that had the best interaction with everything that we were running," he says. "All security software by nature is prone to issues, but we were really looking for software with the least amount of interaction issues."
Based on its selection criteria, PNNL chose to go with Sygate, which was subsequently picked up by Symantec. The acquisition put a little bit of a hiccup in PNNL's deployment schedule. Before moving forward in 2005, it chose to wait until Symantec released a new version of Network Access Control based on Sygate endpoint technology.
But since then, Krahenbuhl has been able to gain better control over how both managed and unmanaged machines connect to the network. He's also been able to rein in what these systems do when off the PNNL network.
"Those endpoints might have critical data on them that might leave the PNNL network," says Brian Foster, senior director of product management for Symantec's network access control group. "So endpoint compliance isnÕt just about making sure that when they access the PNNL network they are compliant, but also when they access the internet at Starbucks."
When PNNL initially chose Sygate, it was with the understanding that the company would be working on future versions, with support for Linux and Macintosh systems as well as other platforms. Though Symantec hasn't provided Macintosh support with the current version of Symantec Network Access Control used by PNNL, Foster says the company has been active in seeking the laboratory's feedback on how to include better support for a heterogeneous environment in future versions.
"We have support for Macintosh in older versions of the product," Foster says. "We continue to work with Todd and the PNNL team; they give us lots of great feedback and Todd participates in customer councils with us where twice a year we bring our important customers in to meet with engineers to see what they would like next from us."
Krahenbuhl says that he is eager to help the Symantec process because it plays into PNNL's eventual goal to have all of its systems managed by the same endpoint security system.
"Symantec beta tested a Mac agent - we were a part of the test group - so our goal is to have a single, centrally managed endpoint security solution across our Linux, Mac and Windows desktops and laptops," he says. "It's still in progress. I know theyÕre working on it."
In the meantime, PNNL has rolled the product out to 5,500 of its Windows machines. Deployment, Krahenbuhl says, began with a three-month pilot program to work out the kinks that he and his team may not have anticipated.
"The main lesson learned was that for large heterogeneous environments, having a good understanding of what systems and software are running is key," he says. "We had a pilot program and brought in some of the players, but involving more people earlier would have been better."