Network Access Control in the Channel

By eweek  |  Posted 2007-11-12

Network Access Control in the Channel

David Strom: Today were going to talk about locking down your endpoint applications. And coincidentally, thats something that your company actually has as a security offering. And, first of all, it seems like theres a zillion different Network Access Control, or NAC vendors, out there. Every day theres a new company thats created just to do a NAC deployment. So, how do you guys differentiate yourself in this crowded marketplace?

Brian Gladstein: NAC or Network Access Control, is about providing policy within the enterprise network, so when a new computer comes on, the enterprise network can make sure its up to date. Its got the right antivirus, its got the right patches, all that stuff. So its really about protecting that network and anything thats accessing it. The way we would position against Network Access Control is were really an application access control, or an application control solution. And what that means is were defining and executing and enforcing policy for the software and devices that are actually allowed to run on that endpoint. So its not what those applications can access, its whether they can run at all. So if you think about a corporation as being able to define what the applications that they use everyday are - and we have a ton of features and capabilities and innovations weve made to help do that - anything outside of that realm isnt allowed to run. So that includes malware, unauthorized software, you know, file-sharing systems, et cetera. And it also helps you control data that may be leaving the organization though USB keys, so that helps you with delete prevention as well.

Strom: So isnt it getting harder, though, to tell what an application is? Its not just an executable file in the traditional Windows.exe format. Theres Java script, theres all sorts of browser-based things that are running around in there, IM-based applications. Just thinking about the universe, its quite more complicated these days.

Gladstein: Yeah, its true. I mean, let me give you a data point. iTunes has-- actually one of the previous versions of iTunes - had 600 individual executable MDL files associated with it. I think the current version has upwards of 900. I dont have the exact number, but that gives you a sense of how complex these applications are, right? So, there are a couple ways that weve gone about this challenge because this is the number one challenge. If youre trying to control what the good software is, just being able to get your arms around it, thats a big problem. And that was what immediately we were faced with. So, let me describe what those are. The first one is being able to track how the operating system executes that software. Weve got a really sophisticated mechanism that can take those 600 files for iTunes and roll it up into one. And then the other aspect thats really interesting is being able to look at software in your environment, as a business process. So when you deploy some things through a software deployment system, like SMS or one of the other systems out there, you already know that its trusted if youve done all the testing to do that. And we integrate with those systems, and we can unpack the way that those applications are packaged together within those systems, to make the way that you understand the good applications focused on the way to get introduced into the environment.

Strom: So dont you need to have some layers of agents to screen this and keep track of whats going on, on each machine?

Gladstein: You know, just like any antivirus or any system like that, there is an agent that exists on the desktop. One of the things thats kind of nice about Bit9 is in some of our situations - Ill point to one of our customers whos a telecom down in the southeastern United States. Theyve actually been able to remove some antispyware agents. So the performance of the PC is actually improved because Bit9 does not scan the system the way that a lot of other products do. So the performance is improved because you can remove some of these agents. But the agent does this thing that gives us the visibility into whats going on, on the operating system, and lets us enforce that policy.

Strom: So youve got that key to particular OS versions. For example, you dont have a Macintosh agent, right?

Gladstein: Right. Were focused on Windows. Its such a large part of the environment. But, theres nothing inherent in the technology that would prevent us from going to another operating system, when that made sense, in the future.


Next Page: Endpoint protection as business process.

Endpoint protection as business


Strom: How far back of versions of Windows do you cover?

Gladstein: We go back to Windows 2000, so 2000, XP and upcoming, Vista.

Strom: And I assume that these agents work in conjunction with some kind of appliance that is installed on the headend of the network that they talk to.

Gladstein: Yeah. Theres a central server that you install. We treat it as an appliance on a CD, so, you know, you can put that, you get your server, you stick the CD in. It does a very quick install. Installation is really easy, which is good. But thats the system by which you manage all the policies and all the automation capabilities I discussed earlier for how software gets introduced into the environment.

Strom: So, lets talk a little bit about what your channel program is, and why VARs and system integrators would be interested in deploying this kind of solution.

Gladstein: We have a pretty standard channel program, consisting of standard resellers, OEMs and licensing. We also work with system integrators, so General Dynamics is one of our customers. We worked with CSC there. And I think whats really interesting about that is that lockdown, locking down and the software on an endpoint PC and moving to that type of environment is really a business process. Its change in the way the business functions. And a lot of thats being driven by compliance. And when youre talking about those types of projects, youre talking about not just system integrators but also QSVs for PCI compliance and other types of trusted advisers who come in and help manage that change and implement those new processes.

Strom: So how many people do you have in your channel program right now?

Gladstein: You know, its growing all the time. Weve got a number of channel partners in the United States. Were always looking and expanding. Were actively recruiting in Europe right now and expanding out there, too. And were supporting a few over in Asia-Pac.

Strom: And are you looking for any specific skill sets or product focus for new recruits?

Gladstein: What we find works best is a channel partner who has experience doing security and desktop management, particularly around policy on the desktop. So, youve got to be familiar with Windows, with the types of management tools that are used at the desktop, dealing with those customers that manage desktops. And, you know, really someone whos a trusted adviser to those groups, who can introduce new technologies and help facilitate them. We find that our channel partners who meet those criteria are having a lot of success helping IT departments and desktop departments rethink the way that they manage the desktops and create an environment thats a lot more secure and a lot easier.

Strom: So by desktop management, youre talking about companies like LANDesk and SMS from Microsoft and Altiris, things like that, that actually can push out policies and programs to everyone and keep track of what everybodys doing?

Gladstein: Yeah. Companies like that. And I would also include the BMC Remedy and those types of applications on the inbound support side. Channel partners who have experience implementing those types of systems would be good, as well.

Strom: So do you have particular hooks into their programs and interfaces to work with those products?

Gladstein: Yeah, we do. In fact, therere actually some very standard hooks that we use to interface. So what that means is we have a pretty broad set of integration components. So, you know, most of the, in fact all of them that weve tested so far and that weve deployed at customers, weve been able to integrate with. So, all the, you know, the SMSs, the Altirises, the ZENworks, those types of applications, weve been able to integrate with very, very easily, actually.

Strom: So is there anybody else thats looking at the application sensitivity like you guys are doing right now?

Gladstein: Yeah, you know, the market is really interesting, because I think you see this coming from not just the desktop management side, like I talked about, you also see security firms and even the operating system itself trying to do this. So, if you look at Vista itself, one of the major upgrades, one of the major components that was added was this user account control, which was part of the security infrastructure inside of Vista. And, you know, a lot of companies are hesitant, whether they want to deploy that or not, because there hasnt been the greatest set of storage ...


Next Page: Level of Control over Applications.

Level of Control over


Strom: Its a pain in the neck, lets face it.

Gladstein: Yeah. Thats about it, but weve heard the same thing. And if youre a company, you want to have that benefit, but you want to be able to control it, centrally, without having the end-user have any knowledge of whats going on. And so if you think about that, thats what weve done. And you see the security industry, you know, theyre trying to do something similar. When they realized that just finding the bad stuff, the malicious stuff, thats not good enough. Companies want to be able to stop Skype in an area where Skype shouldnt be running. Or to be able to stop file sharing in an area that contains sensitive information, right. So they want to have this level of control over the applications, beyond what a third party states is malicious. So you can see it really coming from a lot of areas.

Strom: So what happens if I bring my laptop into a corporation thats got your gear on it, but I dont have anything on it. Im just running willy-nilly, and I probably have 17 different pieces of malware on it. How do you stop me from messing things up, or can you?

Gladstein: Well, I mean, there are two ways to look at it. The first one is, if that enterprise has network access control, then that can be built into part of the policy, so that, when that machine went on the network, it would be brought in line with the network access control policies. But, I think more interesting, is, you know, that malware is going to try and do stuff. Its going to try and spread inside the enterprise. So you can even think of it when, you know, a user whos part of the organization goes offsite and sits in a coffee shop and connects to a public WiFi they could get something, and they could come back in, and all the enterprise security that youve put around your network perimeter, goes away, right? That desktop is really now - or that laptop, is the new perimeter. So, what Bit9 does is it says if that piece of malware is trying to jump, in any way, and put a payload thats executable on another system, thatll just be prevented from running. So, you could actually see with Bit9 that, you know, one computer [thats] now been brought inside the environment is trying to spread a particular file. The file wont run anywhere, so it wont be able to actually do any damage. But Bit9 will alert you that its happened and will be able to report that its happened and tell you where its happened, and help you identify what the problem is without exposing you to unnecessary risks.

Strom: So how often does that happen with your customers networks? Every day?

Gladstein: You mean, people bringing bad stuff inside?

Strom: Yeah. Lets say deploy your solution, they find out how promiscuous and how badly infected their end-users laptops are.

Gladstein: Yeah. Certainly they discover things that they prefer not to share with anybody. Thats, I think, the best way to put it.

Strom: Well, its a sad testimonial to the state of the Internet, unfortunately. I mean this is why we need this stuff.

Gladstein: You know, its really difficult for our customers because when you look at the compliance now, and just all the pressure that theyre under from regulations and from industry compliance and all this stuff, most customers who manage desktop environments, they dont want to ask the question, "whats out there," because theyre worried about the responses that may come back, and then they have to do something. So, you know, its the curse of knowledge in some ways, but youve got to do it these days. You have to be able to prove that you can see the software thats out there and have controls around it, and be able to stop bad things from happening.


Rocket Fuel