Automated IP address management has been used for years to streamline the administration of IP addresses, but one small company and a couple of its customers have discovered a new use for the tool: to create an extra layer of endpoint security and access control.
MetaInfo, a spinoff of Check Point Software Technologies Ltd., is working with customers and partners to use the point at which users are given access to the corporate network—the IP address assignment—as a mechanism to stop and “frisk” the machine.
This lets the company ensure that the device is legitimate and complies with corporate security policies, according to Grant Asplund, president and CEO of the Seattle-based company.
“That is where the opportunity exists to take control of the machine initially and route it to where you want to send it, inspect it and let it have access,” said MetaInfo user James LoTruglio, vice president of IT for Hearst Service Center, the operational arm of Hearst Corp., in Charlotte, N.C. LoTruglio, who had been asking for such functionality for years, said he saw the potential for using DHCP (Dynamic Host Configuration Protocol) services to provide access to a secure area on the corporate network—such as a virtual LAN—and then, he said, “use a secure tool to interrogate the machine for various patch levels and the like.”
“Once those criteria are met, then provide them with a permanent space on the network,” LoTruglio said. “We wanted to make sure there was endpoint security, that policies were enforced at the onset of the connection, and then we could log that.”
Three things are fueling the need for such access control: the rise of the mobile worker, the increasing use of outside contractors who bring in their own laptops and access the corporate network, and the rise of malware such as worms and viruses.
“With the mobile work force as large as it has grown, I'm sure there are a lot of enterprises where they have people connected from all over,” said LoTruglio. “You have contractors and people moving around the enterprise plugging their notebooks into the network. One would think they'd want to protect themselves.”
The issue of “laptops with legs” is a concern shared by Tom Duncan, chief security and privacy officer for California's Monterey County. Duncan also wanted a reliable method to keep rogue wireless access points off the enterprise network. An example of the county's need to protect against laptops with legs is the Salinas Courthouse, which has dozens of citizens, lawyers and law enforcement personnel trying to access the network on any given day.
“We have a very distributed environment, with multiple departments that function as their own business entities tied in to the enterprise infrastructure. If we can't manage the physical layer, we can't ensure security, confidentiality and the integrity of the information assets,” said Duncan in Monterey.
To gain better control over who and what accesses the network, Monterey County plans to use MetaInfo's hardened appliances running Meta IP and Meta DNS Pro to manage access at the MAC (media access control) address level for each machine trying to access the network.
“As devices come onto the network, they will be run against that database in the background,” said Duncan. Then the user will authenticate, and the software will scan the machine to ensure it complies with security policies before it is given access to network resources.
Meta IP and Meta DNS Pro centralize IP address management using MetaInfo's SAFE (Secure Addressing Foundation Extension), which extends DHCP to evaluate clients before granting a lease. SAFE DHCP comprises a MAC address authentication module, an A-Key authentication module, a host integrity module and a Check Point authentication module. The tools don't provide the scanning function, although other such offerings can be integrated with Meta IP and Meta DHCP.
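The admission flow described by LoTruglio and Duncan, worked through as an added example rather than MetaInfo's own (proprietary) code: the DHCP server pulls the client's hardware address out of a DHCPDISCOVER, checks it against a registered-MAC database, hands out a short lease in a quarantine pool until a host-integrity scan has passed, and only then issues a normal lease in the production pool. The pool ranges, lease timers, the posture store and the packet bytes are constructed here for illustration; it also accepts the colon, dash and Cisco dotted MAC formats, which the page does not discuss.

```python
"""Simulated DHCP-based admission control (added example, not MetaInfo's code).

A client is denied, quarantined or admitted based on its MAC address and on
whether a host-integrity scan has passed. Pool ranges, lease timers, the
posture store and the DHCPDISCOVER bytes are constructed for illustration.
"""
import ipaddress
import struct
from typing import NamedTuple, Optional

QUARANTINE_POOL = ipaddress.ip_network("10.99.0.0/24")   # assumed quarantine VLAN
PRODUCTION_POOL = ipaddress.ip_network("10.10.0.0/24")   # assumed production VLAN
QUARANTINE_LEASE = 120        # short, so the host re-requests soon after the scan
PRODUCTION_LEASE = 8 * 3600


class Decision(NamedTuple):
    verdict: str                               # "deny", "quarantine" or "admit"
    address: Optional[ipaddress.IPv4Address]
    lease_seconds: int
    reason: str


def normalize_mac(mac: str) -> str:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455 forms."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_from_dhcp(packet: bytes) -> str:
    """Return the chaddr of a BOOTREQUEST. RFC 2131 fixed header: op(1) htype(1)
    hlen(1) hops(1) xid(4) secs(2) flags(2) ciaddr(4) yiaddr(4) siaddr(4) giaddr(4)
    chaddr(16), so chaddr starts at offset 28. The value is supplied by the client,
    which is why the MAC check is paired with further authentication and a scan."""
    if len(packet) < 44:
        raise ValueError("truncated DHCP header")
    op, htype, hlen = packet[0], packet[1], packet[2]
    if op != 1:
        raise ValueError("not a BOOTREQUEST")
    if htype != 1 or hlen != 6:
        raise ValueError("only Ethernet hardware addresses are handled")
    return ":".join(f"{b:02x}" for b in packet[28:34])


def build_discover(mac: str, xid: int = 0x3903F326) -> bytes:
    """Constructed DHCPDISCOVER (BOOTREQUEST, option 53 = 1) used as sample input."""
    hw = bytes.fromhex(normalize_mac(mac).replace(":", ""))
    zero4 = b"\x00" * 4
    header = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, xid, 0, 0x8000,
                         zero4, zero4, zero4, zero4)
    return (header + hw.ljust(16, b"\x00") + b"\x00" * 192        # chaddr, sname, file
            + bytes.fromhex("63825363") + bytes([53, 1, 1, 255]))  # cookie, options


class AdmissionServer:
    def __init__(self, registered_macs, posture):
        self.registered = {normalize_mac(m) for m in registered_macs}
        self.posture = posture        # mac -> True once the host-integrity scan passes
        self.leases = {}              # mac -> last Decision
        self._next_offset = {QUARANTINE_POOL: 10, PRODUCTION_POOL: 10}

    def _allocate(self, pool):
        addr = pool.network_address + self._next_offset[pool]
        if addr not in pool or addr == pool.broadcast_address:
            raise RuntimeError(f"pool {pool} exhausted")
        self._next_offset[pool] += 1
        return addr

    def handle_discover(self, packet: bytes) -> Decision:
        mac = mac_from_dhcp(packet)
        if mac not in self.registered:
            verdict, pool, lease, reason = "deny", None, 0, "MAC not in address database"
        elif not self.posture.get(mac, False):
            verdict, pool, lease, reason = ("quarantine", QUARANTINE_POOL,
                                            QUARANTINE_LEASE, "awaiting host-integrity scan")
        else:
            verdict, pool, lease, reason = ("admit", PRODUCTION_POOL,
                                            PRODUCTION_LEASE, "registered and compliant")
        previous = self.leases.get(mac)
        if previous is not None and previous.verdict == verdict:
            return previous           # same pool as before: renew instead of burning an address
        address = self._allocate(pool) if pool is not None else None
        decision = Decision(verdict, address, lease, reason)
        self.leases[mac] = decision
        return decision


def demo():
    """Walk one laptop through deny -> quarantine -> admit; returns the three decisions."""
    posture = {}
    server = AdmissionServer(["00:11:22:33:44:55", "AA-BB-CC-DD-EE-FF"], posture)
    d_unknown = server.handle_discover(build_discover("de:ad:be:ef:00:01"))
    d_quarantine = server.handle_discover(build_discover("00:11:22:33:44:55"))
    posture["00:11:22:33:44:55"] = True     # scanner reports patch level and AV are current
    d_admit = server.handle_discover(build_discover("00:11:22:33:44:55"))
    return d_unknown, d_quarantine, d_admit


if __name__ == "__main__":
    for d in demo():
        print(d.verdict, d.address, d.lease_seconds, d.reason)
```

The short quarantine lease is the practical detail worth copying: the client renews within minutes, so once the scanner marks it compliant the next DHCP exchange moves it to the production pool without anyone touching the machine.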
Compared with alternative edge-point access control approaches, such as IEEE 802.1x and NAT (Network Address Translation), Meta IP and SAFE DHCP are less costly, offer greater interoperability and are ready now, said MetaInfo's Asplund.
“IEEE 802.1x or hardware layer controls are smart solutions, but they're very costly,” Asplund said. “And the likelihood of full interoperability between multiple vendors' 802.1x implementations is substantially reduced because it's a fluid, evolving standard. DHCP and DNS are clear, and they're not evolving. A NAT strategy requires that you replace the entire edge, and it's only as good as the last piece of hardware that supports it.”
The DHCP-based approach also places the authentication function on a server host rather than in the network switches or routers. The trade-off a practitioner should weigh is that the check runs only when a client asks for a lease: a machine configured with a static address never goes through it.
“This is good because IP networks work best when they are dumb packet handlers. Reliability and QoS [quality of service] suffer when you jam too many smarts into a packet network,” said Daniel Golding, an analyst at market research company Burton Group, in Midvale, Utah.
“DHCP-based authorization protects you against the most likely attacks—visitors with infected laptops, contractors without updated virus detection, etc.,” said Golding. But the downside is that “there is no widely implemented, standards-based DHCP authentication. MetaInfo's approach is proprietary, but they do support efforts to standardize it,” he said.
Cisco Systems Inc. is pursuing a multipronged NAC (network access control) strategy that uses IEEE 802.1x, RADIUS and extensions to several other security protocols that involve key exchanges for authentication. “That is very expensive to deploy,” said Asplund.
Microsoft Corp., for its part, plans to implement network access protection in software, which quarantines hosts at the IP layer. But that functionality wont be available for at least two or three years, as Microsoft strives to make it work with Ciscos NAC strategy.
“I've been harping on this for about a year,” said Duncan. “We needed to centralize DHCP, centralize DNS and have a centralized inventory address database we could manage our addresses from. Cisco and Microsoft's work is down the road, but we need a solution today.”
Using IP address management as another layer of security is one piece of a puzzle that extends throughout the enterprise, said LoTruglio. “You need a whole set of tools that start at the perimeter and run throughout the infrastructure and run at the host as well,” he said.