Blocking Insecure Network Clients
You can have the finest perimeter security around, but if someone connects an insecure client inside your network, you've got a big problem. The Cisco Network Admission Control Program could help, and it's not the only system for qualifying clients beforeOne of the problems I hear about all the time, from analysts and vendors alike, is that of rogue mobile clients. Youve got perimeter defenses on your corporate network worthy of the Maginot Line, but mobile users can still travel, connect to the Internet on the road, pick up a germ on their notebook and release it when they log back in at the office. There are many products and good practices to prevent this, but one of the trends I see developing is that of qualifying clients to connect to the network. When attempting to connect, the client is first queried for whether it meets any of a number of security parameters: Is it running a recent version of antivirus software? Are the definitions up to date? A firewall? Are critical Windows patches applied?
Ive seen this approach taken by a number of vendors, usually with a proprietary approach. The Symantec Series 300 small business security appliances can be set to enforce use of most Symantec antivirus clients. Another appliance vendor Ive been talking with has similar support for McAfees clients in beta.