Endpoint Security: 6 Questions To Ask Before You Buy

Here's a roadmap, suggestions on price points, and a guide on what you need to assess before you purchase any endpoint security product for your enterprise.

April 24, 2007


In the past year we have seen dozens of endpoint security products come to market, trying to fill a niche that represents a very real threat to enterprise networks. But how do corporate IT managers evaluate these kinds of products? In this article, we'll provide a roadmap, some suggestions on price points, and ways to sift through all of the products. Here are the six questions to address before you purchase any endpoint solution.

Endpoint Solutions: 6 Questions To Ask Before You Buy

1. What pieces should you implement now?
2. What security and network infrastructure do you have already?
3. What on your network are you really protecting?
4. Do you manage all of your desktops?
5. Do you have non-PC endpoints to manage?
6. Where will you create and enforce your security policies?

1) What pieces of the endpoint security picture are most important to implement now?

Endpoint security means a lot of different things to different people. For the purposes of our discussion, we outline the following five elements that any endpoint solution should contain. Your needs may differ, and you may want to implement one or two items now and plan for upgrading to the remaining elements down the road when you can get more of the project funded.

  • Policy definition. You should be able to set and maintain a variety of security policies for different user populations, locations and machine populations, and be able to easily modify them.

  • Detection. No matter whether your users are in your local headquarters or connect to your enterprise network from a remote location, your system should be able to detect them. This includes using agents or agent-less operations on each client.

  • Health assessment. Your ultimate system should be able to scan the endpoint and determine compliance with your policies. Ideally, the scans should take place prior to any network access, but your system should also allow other checks to occur after login too.

  • Enforcement. Your policies determine what network resources should be protected, including switches, VPNs, servers, and so forth. You should be able to quarantine resources or refuse network access entirely, depending on policies.

  • Remediation. If clients don't pass muster, what happens? The ideal system should kick off anti-virus signature updates, apply patches to the OS, or take other measures. Remember, the goal here is to have everyone eventually connect securely to your network. This is probably the area that most IT managers would like to see implemented first, yet it is where most solutions are weakest. The problem is that remediation is tricky, and depends on a lot of individual pieces of software and hardware to work properly.
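
The five elements above chained into a single admission decision, as an added example that is not from the original article or from any vendor's product. The policy fields, population names and patch identifiers are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    # Policy definition: one policy per user population (hypothetical fields)
    max_av_signature_age_days: int
    required_patches: frozenset
    fail_action: str  # "quarantine" or "deny" when the endpoint is unhealthy

@dataclass(frozen=True)
class Posture:
    # Detection + health report gathered from an endpoint before network access
    host: str
    population: str
    av_signature_age_days: int
    installed_patches: frozenset

# Constructed policies; "PATCH-A"/"PATCH-B" are placeholder patch identifiers
POLICIES = {
    "employee": Policy(7, frozenset({"PATCH-A", "PATCH-B"}), "quarantine"),
    "contractor": Policy(3, frozenset({"PATCH-A", "PATCH-B"}), "deny"),
}

def assess(posture, policy):
    """Health assessment: list of remediation steps; empty means compliant."""
    steps = []
    if posture.av_signature_age_days > policy.max_av_signature_age_days:
        steps.append("update anti-virus signatures")
    for patch in sorted(policy.required_patches - posture.installed_patches):
        steps.append(f"apply OS patch {patch}")
    return steps

def admit(posture, policies=POLICIES):
    """Enforcement: turn the assessment into allow / quarantine / deny."""
    policy = policies.get(posture.population)
    if policy is None:
        # No policy defined for this population: fail closed
        return {"host": posture.host, "decision": "deny", "remediation": []}
    steps = assess(posture, policy)
    decision = "allow" if not steps else policy.fail_action
    # Remediation: the steps that would bring the endpoint back into compliance
    return {"host": posture.host, "decision": decision, "remediation": steps}

if __name__ == "__main__":
    laptop = Posture("hq-laptop", "employee", 10, frozenset({"PATCH-A"}))
    print(admit(laptop))
```
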

    There are three overall architectural approaches that are being worked on currently: Microsoft's Network Access Protection (NAP), Cisco's Network Admission Control (NAC), and the Trusted Computing Group's Trusted Network Connect (TNC).

    Cisco's NAC is the closest of the three to being actually implemented. It does so by controlling access to the network layer through implementing modules in its switches and routers for both Windows and Linux clients. You'll need to mix and match several vendors to cover the five elements mentioned above, because Cisco doesn't supply everything. Its architecture is strong on enforcement and detection and short on remediation.

    TNC starts out with the notion of authenticating particular network clients using open standards such as RADIUS and 802.1x, so that it is not tied to any particular vendor's product lines or client operating system. The group is focused on delivering interoperable solutions, so it is no surprise that the architecture is strongest in policy definition and weakest in health assessment.

    NAP has yet to really be implemented in any Microsoft product, with the first instance being Longhorn server, which is expected to arrive later this year. The architecture is strong on remediation and weakest in enforcement, which is a nice complement to the other two. Initially it will only support Windows XP and Vista clients, leaving the rest of the landscape to others.

    Recommendation: Not every endpoint security solution can effectively deliver all five aspects, and most are strong in one or two areas such as health assessment or enforcement, and weak in others. Examine the literature carefully, and determine your initial focus.

    2) What is your existing security and network infrastructure?

    The next step is in understanding what your existing security portfolio is and where the endpoint solution will fit in with what you have. Depending on when you purchased your firewalls, intrusion prevention appliances, and authentication servers, you may not want to swap any of this gear out or to buy an endpoint product that duplicates what you already have.

    Some of the products (such as Vernier) come with their own intrusion detection and prevention systems or virtual private network gateways that are part and parcel of the endpoint security solution, while others (such as Lockdown Networks) work with existing IPS, IDS and VPN products. While this is great news if you are in the market for any of these products, realize that your endpoint security will only cover machines that remote users are running and not scan any local network users' machines. To cover both local and remote users, you will need to implement something along the lines of 802.1x authentication.

    Cisco's NAC assumes that all of your Cisco products are running at the most recent versions: if not, then consider going elsewhere unless you want to spend the money to upgrade everything. If you have a significant investment in network switches and routers from non-Cisco vendors, then products that support the other two architectures will make more sense.

    Recommendations:

  • If you don't have a VPN and are looking in that direction, then Juniper and F5 (and to a lesser extent, Cisco and Aventail) provide SSL VPNs with fairly solid endpoint health scanning features. For those of you that have enterprise IPsec VPNs, you are in a better place to implement an endpoint security solution, provided that you are able to run those secure IPsec protocols on all of your local machines too. Most of the endpoint products support this approach, however cumbersome and unattractive it sounds at first.

  • If you already have a workable VPN and don't want to change it now, then consider a product solution that comes with its own 802.1x authentication services, such as Symantec or Infoexpress. You'll need to strengthen your authentication to handle the endpoint health assessment tools mentioned below.

  • If you need to upgrade your switches, both Nevis and Consentry offer their own 48-port switches with integrated endpoint security features.

    3) What on your network are you really protecting?

    Next, you need to decide where on the network you intend to place the appliance, and what part of your enterprise computing resources you want to protect. Obviously, the more parts of your network that you want to protect, the more expensive the project becomes. Some appliances should be placed directly behind the corporate firewall, covering the entire network. Others are better positioned behind the distribution switch layer, or in front of critical servers, or deployed to protect particular subnets or departmental networks.

    The TNC architecture seems the most flexible of the three for widest deployment and protection scenarios. NAP is designed to protect Microsoft servers, and NAC is designed for Cisco network switches and routers.

    Some devices (such as Vernier, Consentry, and Nevis Networks) operate in-line, meaning that any network resources located behind them will be protected and only healthy network clients can pass through and gain access to these resources. Others (such as Mirage, Forescout, and AEP Networks) operate out of band and are typically connected via a network span port, watching over all of the network traffic on that particular subnet, and insert themselves into the network stream once a user has successfully authenticated themselves through an Active Directory or VPN login. Part of understanding where to place these devices is in understanding the relative throughput that each device will be able to handle passing through it. Some solutions are more limited and can't handle the higher throughputs of larger networks.

    Recommendations:

  • For larger-sized networks with higher throughput requirements, consider Juniper, whose endpoint solutions cover a wide range in throughput, from 75 Mbps to 30 GBps.

  • Unsure of in-line or out of band? StillSecure and Symantec offer products that can work with both methods.

    4) Do you manage all of your desktops?

    The next issue is how you will manage and deploy the protection software on your desktops. If you have a higher percentage of guest workers (say more than ten percent), have partners or contractors that own their own computers, or have remote workers that don't come into your headquarters' office, then you won't be able to reach out and touch those PCs easily. If you push out software updates and have tight control over your desktop PCs, then you can more readily install software agents to do the health assessment and remediation.

    There are three basic types of agents that potentially can be used by each appliance:

  • A "thick" agent that is a permanently installed executable file on each endpoint PC,

  • An on-demand agent that doesn't persist beyond the period of time that a PC is connected to your network, typically delivered by a browser session or part of the network login process, and

  • An agentless solution that doesn't place any software on the endpoint, but operates with something that already exists on the PC.

    The problem is that the software agents that do the dirty work are very specific in terms of browser version and operating system, and some require initial administrator rights to be installed on the endpoint. While most products support Firefox and IE browser versions, there are some exceptions, particularly as you move away from Windows OSs.

    Microsoft's NAP is weakest in this area, particularly if you are still running versions of Windows prior to XP. Microsoft has promised agents for Windows XP SP2 and for Vista to support its Network Access Protection system. If you have older versions of Windows then you'll have to find third party agent suppliers. Both NAC and TNC have been designed for a wider support of Windows, Mac, and Linux endpoint operating system clients.

    Some vendors offer multiple agents but with different capabilities and OS support. For example, Nevis Networks offers an ActiveX control for Windows that will perform its health assessments. For non-Windows clients, Nevis can only do minimal identity controls using an agentless connection.

    Recommendations:

  • If you need Mac OS support for thick agents, look at solutions from AEP, Infoexpress and Lockdown Networks. Symantec's on-demand agent runs on Mac OS and Linux, but their thick agents only work on Windows 2000 and XP. Symantec and Consentry have promised them for later this year.

  • Lockdown and Mirage Networks take things a step further: both companies place each endpoint on its own private VLAN, thereby ensuring that risky devices remain isolated from others.

  • For completely agentless approaches, look at Forescout and Vernier.

    5) Do you have non-PC endpoints to manage?

    Part of figuring out the agent landscape is in knowing what else is on your network and what you need to manage. Thick agents can't manage non-PC devices that are on the corporate network and that run their own operating systems, such as print servers, network cameras, PDAs and the like. Most of these devices have IP addresses and run their own operating systems, but can't be easily controlled by the endpoint appliance.

    The most appropriate architecture to handle non-PC endpoints is the TNC approach, which will embrace the widest selection of gear. NAC will implement support for non-PC endpoints at the network layer, while with Microsoft's NAP you'll need to specify policies to handle these devices.

    Most of the vendors offer the ability to white-list or pre-authenticate these devices by MAC or IP address, so that they can still connect to the network and do their jobs. However, white-listing these devices is just a temporary solution, as some of them can become compromised and harm your network if infected. Forescout and Mirage Networks can both detect when traffic patterns from these specialized devices change and can quarantine the device.
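
A sketch of the white-list-plus-traffic-baseline idea described above, as an added example that is not how Forescout, Mirage Networks or any other product actually works. The MAC addresses, per-device baselines, flow records and the deviation threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed allow-list: MAC address -> expected (protocol, destination port)
ALLOWLIST = {
    "00:11:22:33:44:55": {("tcp", 9100), ("udp", 161)},  # print server
    "00:11:22:33:44:66": {("tcp", 554)},                 # network camera
}

# Constructed flow records: (source MAC, protocol, destination port)
FLOWS = [
    ("00:11:22:33:44:55", "tcp", 9100),
    ("00:11:22:33:44:55", "udp", 161),
    ("00:11:22:33:44:66", "tcp", 554),
    ("00:11:22:33:44:66", "tcp", 445),
    ("00:11:22:33:44:66", "tcp", 23),
    ("00:11:22:33:44:66", "tcp", 445),  # repeat of an already-seen deviation
    ("00:11:22:33:44:77", "tcp", 80),   # device that was never white-listed
]

def review_flows(flows, allowlist, threshold=2):
    """Return (decisions, deviations) per source MAC.

    'allow'      white-listed and behaving as its baseline says
    'quarantine' white-listed, but at least `threshold` distinct flows
                 fall outside its baseline
    'assess'     not white-listed; send through the normal health check
    """
    deviations = defaultdict(set)
    decisions = {}
    for mac, proto, port in flows:
        mac = mac.lower()
        if mac not in allowlist:
            decisions[mac] = "assess"
            continue
        decisions.setdefault(mac, "allow")
        if (proto, port) not in allowlist[mac]:
            # Count distinct deviations so one repeated flow cannot trip it
            deviations[mac].add((proto, port))
            if len(deviations[mac]) >= threshold:
                decisions[mac] = "quarantine"
    return decisions, {m: sorted(d) for m, d in deviations.items()}

if __name__ == "__main__":
    print(review_flows(FLOWS, ALLOWLIST))
```
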

    Recommendation: You probably have many more non-PC endpoints on your network than you realize, and they probably can't be easily isolated to a single VLAN or network segment. Do a careful site survey and determine how these endpoints will interact with any proposed solution.

    6) Where will you create and enforce your security policies?

    As you can tell, any endpoint solution touches on a wide swath of your computing portfolio: clients, servers, network switch and connection infrastructure, and network-based applications. To bring this all together, you will need to decide where the central repository of your endpoint policies will be and how those policies will be managed, changed, and enforced throughout your network. This could be the same physical place that houses your central user and authentication data, or it could be a completely new security appliance.

    Endpoint Security Products

    Company                        Product
    F5 Networks                    Firepass
    Infoexpress                    Infoexpress
    Lockdown Networks              Enforcer
    Nevis Networks                 LANenforcer
    StillSecure                    SafeAccess
    Vernier Networks               EdgeWall
    Consentry                      LANShield Controller; Switch
    Mirage Networks                Endpoint Control
    ForeScout                      CounterACT
    Symantec                       Network Access Control
    Promisec                       Spectator
    AEP Networks                   NACpoint
    MetaInfo                       Safe DHCP
    Juniper                        Unified Access Control
    Trusted Computing Group        Trusted Network Connect
    Cisco                          NAC Appliance; Cisco Clean Client Access
    Microsoft                      NAP, Longhorn Server
    Aventail                       ST2 SSL VPN
    McAfee                         Policy Enforcer
    Trusted Network Technologies   Identity

    TNC is leaning towards using 802.1x authentication protocols as its repository, although this is an optional part of their architecture and not a requirement. NAC is more focused on enforcement than NAP, at least at present.

    Recommendations:

  • A natural place to start is to make use of Microsoft's Active Directory for such a policy repository, and indeed, Microsoft's NAP is designed for such a purpose, with the eventual addition of Longhorn Server and a few other products that are coming later this year. But transforming your own AD implementation may be difficult or impossible, depending on how you have set things up.

  • Another solution is to make use of a third-party vendor such as Lockdown, Trusted Network Technologies or Consentry for such a task, but it may take time to learn how to deploy these solutions and configure them properly.

  • Another alternative is to make use of your anti-virus vendor's central management appliance and build overall endpoint policies on top of these devices: again, this may not be possible depending on how you have configured them to interact with other network components.

    Summary

    As you can see, endpoint security has lots of facets and flaws, and is still very much a work in progress. But answering these questions can help you focus on the most appropriate solutions and narrow down to a reasonable number of vendors to do a final selection process. You also might want to approach things in phases: beginning with securing all remote users first through a VPN and then moving inside the perimeter to handle the local headquarters users.
