Getting a Lock on Endpoints

By David Strom  |  Posted 2006-07-24

Does the damage that could be caused by a random roaming laptop coming onto your customers' networks keep you awake at night? It should, but rather than losing any more sleep, consider the potential for new business in the endpoint security marketplace.

These days, one infected laptop can bring a network to its knees, and a personal firewall and an anti-virus checker are good only if they are consistently used and updated when new exploits are discovered.

There is a lot of hype in providing solutions to locking down endpoints, and almost every security vendor has something to sell. As a VAR, you can sort through the haze and hype to provide solid, calm advice to your clients and pick up some networking business along the way. There isn't a single vendor that offers everything, which makes for a great sweet spot if you can familiarize yourself with the right set of products that will deliver the goods. The trick is understanding what is available, what is to come and what makes sense for your customers.

Three major endpoint security efforts are currently under way: one from Microsoft, one from Cisco Systems and one from everyone else under the guise of open systems and the Trusted Computing Group. Cisco's is called NAC (Network Admission Control). Microsoft's is called NAP (Network Access Protection). And the open-systems effort is called Trusted Network Connect.

But behind the labels are some big differences in approach, architecture and practice. Cisco's focus is on the router and switch fabric of networks, Microsoft's is on its Windows servers and desktops, and Trusted Computing's is on putting special hardware chips into laptops and other devices that can respond to commands if the devices have been tampered with. Each effort has its merits.

Ideally, a solution would combine the three approaches, covering five steps.

First, you need to define security policies for each user, machine and situation and manage these policies from a central console. Second, your system should be able to detect violations of these policies when a machine or user connects to your customer's network. This includes using agents or agentless operations on each client, no matter which operating system version the client is running. In some cases, your customers might already have intrusion detection and prevention systems that protect their network assets, and it would be nice if the endpoint system worked with these as well.

Third, detection should provide a detailed health assessment to determine what isn't right about the machine or device. Most products involve some sort of scan through files to check for the latest anti-virus signatures, operating system patches and other critical elements that will keep an endpoint protected and up to par. The fourth step is enforcement. Your policies determine what network resources should be protected, including switches, VPNs and servers. You should be able to quarantine resources or refuse network access entirely.

Finally, there is remediation. The ideal system should kick off anti-virus signature updates, apply patches to the operating system or take other measures after a machine has been quarantined so that users can eventually connect to the corporate network after everything is brought up-to-date. This should take place quickly so users don't think their connections have disappeared.
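The five steps above, written out as one small admission-control loop. This is an added example for this article, not code from any NAC, NAP or TNC product; the policy values, patch names, OS labels and the sample health report are all constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import date
# Step 1: the central policy. Patch names are constructed placeholders, not real patch ids.
@dataclass(frozen=True)
class Policy:
    max_signature_age_days: int = 7
    required_patches: frozenset = frozenset({"PATCH-A", "PATCH-B"})
    require_firewall: bool = True
    supported_os: frozenset = frozenset({"winxp-sp2", "win2003-sp1"})
# Step 2: what an agent (or an agentless scan) reports about a connecting client.
@dataclass
class HealthReport:
    host: str
    os: str
    signature_date: date
    installed_patches: frozenset
    firewall_enabled: bool

@dataclass
class Decision:
    verdict: str                         # "allow", "quarantine" or "deny"
    findings: list = field(default_factory=list)
    remediation: list = field(default_factory=list)

def assess(report: HealthReport, policy: Policy, today: date):
    """Step 3: compare the report with policy; return (findings, remediation actions)."""
    findings, actions = [], []
    age = (today - report.signature_date).days
    if age > policy.max_signature_age_days:
        findings.append(f"anti-virus signatures are {age} days old")
        actions.append("update-av-signatures")
    missing = sorted(policy.required_patches - report.installed_patches)
    if missing:
        findings.append("missing patches: " + ", ".join(missing))
        actions.append("apply-patches")
    if policy.require_firewall and not report.firewall_enabled:
        findings.append("personal firewall disabled")
        actions.append("enable-firewall")
    return findings, actions
def admit(report: HealthReport, policy: Policy, today: date) -> Decision:
    """Steps 4-5: enforce a verdict and queue remediation for quarantined hosts."""
    if report.os not in policy.supported_os:
        return Decision("deny", [f"unsupported OS {report.os}"])  # nothing an agent can fix
    findings, actions = assess(report, policy, today)
    return Decision("allow") if not findings else Decision("quarantine", findings, actions)

# Constructed sample: a roaming laptop with two-week-old signatures and one missing patch.
TODAY = date(2006, 7, 24)
SAMPLE = HealthReport("laptop-07", "winxp-sp2", date(2006, 7, 10), frozenset({"PATCH-A"}), True)
```

A quarantined host gets back the ordered remediation list, which is what the quarantine network would act on before re-running the assessment.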

So where can a VAR learn more about endpoint security? Start with SSL (Secure Sockets Layer) VPN gateways and familiarize yourself with their endpoint security features. Unfortunately, "SSL VPNs are still the soft underbelly of endpoint security," said Rod Murchison, marketing manager for Vernier Networks, of Mountain View, Calif. Vernier is one of the vendors supplying technology in this arena. But most leading SSL VPN players (such as Juniper Networks, F5 Networks, Aventail and Cisco) have strengthened their endpoint features recently and continue to remain competitive here.

Figure out whether to go agent or agentless when it comes to deploying a solution. Most endpoint products require you to go one way or another. Agents make sense if your customer (or you) can reach out and manage all those roaming laptop users. An agentless approach is more useful if you want to expand your coverage beyond the desktop and integrate into the network infrastructure as well.

Look to the anti-virus vendors, such as Symantec, McAfee and Trend Micro, to help out here, and if your customer uses one of these consistently across the enterprise, then this is a good place to start with your endpoint health assessment. In addition, examine these vendors' partner programs and figure out which has the right set of support tools to help your own efforts.

David Strom is a St. Louis-based writer, speaker and consultant and can be reached at david@strom.com. He also is a former editor in chief of Tom's Hardware and Network Computing, and his blog can be found at strominator.com.