Network Access Control in the Channel

Brian Gladstein, director of product marketing for Bit9, in Cambridge, Mass., joined David Strom, chief correspondent of Ziff Davis Enterprise Channel Insider, for a recent Channel Chat podcast. A transcript of that interview follows.

David Strom: Today we're going to talk about locking down your endpoint applications. And coincidentally, that's something that your company actually has as a security offering. And, first of all, it seems like there's a zillion different Network Access Control, or NAC, vendors out there. Every day there's a new company that's created just to do a NAC deployment. So, how do you guys differentiate yourself in this crowded marketplace?

Brian Gladstein: NAC, or Network Access Control, is about providing policy within the enterprise network, so when a new computer comes on, the enterprise network can make sure it's up to date. It's got the right antivirus, it's got the right patches, all that stuff. So it's really about protecting that network and anything that's accessing it. The way we would position against Network Access Control is we're really an application access control, or an application control solution. And what that means is we're defining and executing and enforcing policy for the software and devices that are actually allowed to run on that endpoint. So it's not what those applications can access, it's whether they can run at all. So if you think about a corporation as being able to define what the applications that they use every day are - and we have a ton of features and capabilities and innovations we've made to help do that - anything outside of that realm isn't allowed to run. So that includes malware, unauthorized software, you know, file-sharing systems, et cetera. And it also helps you control data that may be leaving the organization through USB keys, so that helps you with delete prevention as well.

Strom: So isn't it getting harder, though, to tell what an application is? It's not just an executable file in the traditional Windows .exe format. There's JavaScript, there's all sorts of browser-based things that are running around in there, IM-based applications. Just thinking about the universe, it's quite more complicated these days.

Gladstein: Yeah, it's true. I mean, let me give you a data point. iTunes has - actually one of the previous versions of iTunes - had 600 individual executable MDL files associated with it. I think the current version has upwards of 900. I don't have the exact number, but that gives you a sense of how complex these applications are, right? So, there are a couple ways that we've gone about this challenge because this is the number one challenge. If you're trying to control what the good software is, just being able to get your arms around it, that's a big problem. And that was what immediately we were faced with. So, let me describe what those are. The first one is being able to track how the operating system executes that software. We've got a really sophisticated mechanism that can take those 600 files for iTunes and roll it up into one. And then the other aspect that's really interesting is being able to look at software in your environment as a business process. So when you deploy some things through a software deployment system, like SMS or one of the other systems out there, you already know that it's trusted if you've done all the testing to do that. And we integrate with those systems, and we can unpack the way that those applications are packaged together within those systems, to make the way that you understand the good applications focused on the way they get introduced into the environment.

Strom: So don't you need to have some layers of agents to screen this and keep track of what's going on on each machine?

Gladstein: You know, just like any antivirus or any system like that, there is an agent that exists on the desktop. One of the things that's kind of nice about Bit9 is in some of our situations - I'll point to one of our customers who's a telecom down in the southeastern United States. They've actually been able to remove some antispyware agents. So the performance of the PC is actually improved because Bit9 does not scan the system the way that a lot of other products do. So the performance is improved because you can remove some of these agents. But the agent does this thing that gives us the visibility into what's going on on the operating system, and lets us enforce that policy.

Strom: So you've got that keyed to particular OS versions. For example, you don't have a Macintosh agent, right?

Gladstein: Right. We're focused on Windows. It's such a large part of the environment. But there's nothing inherent in the technology that would prevent us from going to another operating system, when that made sense, in the future.