Automated IP address management has been used for years to streamline the administration of IP addresses, but one small company and a couple of its customers have discovered a new use for the tool: to create an extra layer of endpoint security and access control.
MetaInfo, a spinoff of Check Point Software Technologies Ltd., is working with customers and partners to use the point at which users are given access to the corporate network—the IP address assignment—as a mechanism to stop and "frisk" the machine.
This lets the company ensure that the device is legitimate and complies with corporate security policies, according to Grant Asplund, president and CEO of the Seattle-based company.
"That is where the opportunity exists to take control of the machine initially and route it to where you want to send it, inspect it and let it have access," said MetaInfo user James LoTruglio, vice president of IT for Hearst Service Center, the operational arm of Hearst Corp., in Charlotte, N.C. LoTruglio, who had been asking for such functionality for years, said he saw the potential for using DHCP (Dynamic Host Configuration Protocol) services to provide access to a secure area on the corporate network—such as a virtual LAN—and then, he said, "use a secure tool to interrogate the machine for various patch levels and the like."
"Once that criteria is met, then provide them with a permanent space on the network," LoTruglio said. "We wanted to make sure there was endpoint security, that policies were enforced at the onset of the connection, and then we could log that."
Three things are fueling the need for such access control: the rise of the mobile worker, the increasing use of outside contractors who bring in their own laptops and access the corporate network, and the rise of malware such as worms and viruses.
"With the mobile work force as large as it has grown, I'm sure there are a lot of enterprises where they have people connected from all over," said LoTruglio. "You have contractors and people moving around the enterprise plugging their notebooks into the network. One would think they'd want to protect themselves."
The issue of "laptops with legs" is a concern shared by Tom Duncan, chief security and privacy officer for California's Monterey County. Duncan also wanted a reliable method to keep rogue wireless access points off the enterprise network. An example of the county's need to protect against laptops with legs is the Salinas Courthouse, which has dozens of citizens, lawyers and law enforcement personnel trying to access the network on any given day.
"We have a very distributed environment, with multiple departments that function as their own business entities tied in to the enterprise infrastructure. If we can't manage the physical layer, we can't ensure security, confidentiality and the integrity of the information assets," said Duncan in Monterey.
To gain better control over who and what accesses the network, Monterey County plans to use MetaInfo's hardened appliances running Meta IP and Meta DNS Pro to manage access at the MAC (media access control) address level for each machine trying to access the network.
"As devices come onto the network, they will be run against that database in the background," said Duncan. Then the user will authenticate, and the software will scan the machine to ensure it complies with security policies before it is given access to network resources.
Meta IP and Meta DNS Pro centralize IP address management using MetaInfo's SAFE (Secure Addressing Foundation Extension), which extends DHCP to evaluate clients before granting a lease. SAFE DHCP comprises a MAC address authentication module, an A-Key authentication module, a host integrity module and a Check Point authentication module. The tools don't provide the scanning function, although other such offerings can be integrated with Meta IP and Meta DHCP.