This article can also be found in the Premium Editorial Download "Information Security magazine: Is your data safe from next-generation attackers?."
Download it now to read this article plus other related content.
The roads to endpoint security are confusing. Here's some direction.
Endpoint security is arguably the hot information security topic in 2006-- small wonder. No matter how diligently you defend your perimeter, roaming laptops are bound to introduce worms, viruses and spyware into your network.
The mobility of commodity laptops equipped with wireless adapters has set your workforces free to work productively at home and on the road, as well as in the office. Consultants and vendors can plug into your networks for an hour or a day--how do you protect yourself against what they may bring in?
The two behemoths of network infrastructure and OS software, Cisco Systems and Microsoft, each have initiatives to ensure that endpoint devices comply with security policies before they are admitted to the corporate network. Not surprisingly, Cisco's Network Access Control (NAC) depends on the Cisco switching infrastructure, and Microsoft's Network Access Protection (NAP) works through Windows OSes. In addition to these pervasive yet proprietary approaches, Trusted Computing Group is developing the standards-based Trusted Network Connect (TNC).
Which, if any, should you choose to secure your endpoints and keep your local networks from being hammered by compromised machines that have become roaming malware collectors?
Faced with a security problem that needs immediate attention, you
|Pick Your Acronym|
|Click here for a comparison of NAC, NAP & TNC (PDF).|
This is a tall order for any security system, and getting on board with endpoint security isn't going to be simple. The "big three" architectures--NAC, NAP and TNC--are incomplete, costly to implement and complex to understand. They are also coming at the issues of endpoint security from different places, so it's not surprising that they aren't mutually exclusive:
- Cisco's NAC focuses on network infrastructure and policy definition and management, and, of course, assumes that you will have plenty of Cisco routers, use Cisco's security solutions and want to keep within the Cisco family as you move towards locking down your endpoints.
- Microsoft's NAP takes more of a health-assessment approach and remediation, assuming that you start with Microsoft servers and desktops, and that your primary focus is keeping them running and secure.
- Trusted Computing Group's TNC takes the broad-brush architectural approach, and assumes that every desktop contains a specialized piece of hardware to verify that the endpoint hasn't been compromised and builds on that hardware to monitor and enforce endpoint policies.
|5 rules of Endpoint Security|
All endpoint security systems should have these components:
Policy definition. You should be able to set and maintain a variety of security policies for different user populations, locations and machine populations, and be able to easily modify them from a central management console.
Detection. No matter how your users connect to the enterprise network, your system should be able to detect them. This includes using agents or agentless operations on each client, no matter what operating system version they are running.
Assessment. Your security system should be able to scan the endpoint and determine compliance with your policies. Ideally, the scans should take place prior to any network access, but your system should also allow other checks to occur after login, such as which Web browser the user is running and what security policies should be applied.
Enforcement. Your policies determine what network resources should be protected, including switches, VPNs and servers. You should be able to quarantine resources or refuse network access entirely depending on what policies you maintain.
Remediation. The system should kick off antivirus signature updates, apply patches to the OS and perform other measures after computers have been quarantined so that users can connect to the corporate network after everything is brought up to date.
NAC is ahead of the game because of the confluence of both architecture and products that support it. NAC is designed to secure network access through trusted modules that are implemented in its router and switch code, as well as Windows and Linux clients.
There are lots of vendors supporting NAC, and for good reason: You'll need several of them to put together a complete solution that can handle all five of the endpoint security requirements (see right). You'll need to run at least two agents on your endpoints to handle more complex policies and for SSL VPN compliance checking, for example.
NAC employs client software, the Cisco Trusted Agent, that gathers device information and passes it using 802.1X mechanisms to Cisco's RADIUS server, the Secure Access Control Server (ACS). ACS communicates with third-party policy servers (AV, patch) to determine compliance and enforce network access via the switching infrastructure.
Some analysts feel that NAC takes too many pieces to deploy; it may be difficult to implement because of having to manage all the IOS updates to get the pieces to work together and maintaining it as infrastructure changes are made.
The problem with NAC is that it is its own island of security, with reliance on Cisco's RADIUS servers as its sole authentication mechanism, and Cisco switches with up-to-date firmware. Moreover, NAC doesn't necessarily work with Cisco legacy infrastructure, unless it can be brought up to current firmware levels.
"Part of the NAC problem is that you have to upgrade your IOS versions," says Lloyd Hession, the VP and CSO for BT Radianz, a major IT supplier to the financial services sector. "I have 40,000 routers across my network, and that isn't an easy proposition." Instead, Hession chose ConSentry so he could eliminate MAC-layer filtering and access controls across his network. ConSentry sells an inline security appliance that assesses and enforces endpoint security policy compliance.
Moreover, NAC architecture is short on remediation--it falls short on managing patch levels of the endpoints themselves. Also, there's not much flexibility in what happens after a device is assessed: It either passes and is allowed on the network, or it doesn't and gets routed off to some VLAN with limited access.
"Getting a client out of quarantine is really the trick, and that is what we do," says Rich Lacey, the Altiris product manager who handles the company's NAC-compliant products, which provide remediation solutions through desktop management and replication.
Cisco has the support of McAfee, Trend Micro and Symantec antivirus products, along with a smattering of other hardware and software vendors. (For a complete list, see www.cisco.com/go/nac.)
Hession didn't find installing agents on all his endpoints to be particular appealing. "The problem with agents is that you end up having to install multiple ones to support all the things you want to do, such as antivirus and access controls. Cisco's NAC forced me to go in one direction with the agent that I didn't want to go towards."
"We currently support agents," says Russell Rice, director of product management for Cisco's Security Technology Group, but "we will also do agentless solutions, and active scans and assessments of other non-Windows devices."
NAC is widening its support beyond agents, and vendors such as Qualys--with its QualysGuard for NAC--are providing services that support agentless monitoring of network devices such as printers and other embedded devices that can't employ agents.
NAP is yet to be implemented in any product, although the effort has a long list of more than 60 supporters, many of whom are hedging their bets and are supporters of NAC as well (see www.microsoft.com/tech net/itsolutions/network/nap/napoverview.mspx).
NAP brings the security policy management and enforcement perspective into Windows Server that has been somewhat lacking since the early days of Active Directory.
"NAP will provide the ability to enforce policies through a variety of mechanisms, using IPSec for host authentication, 802.1X, or through a VPN or DHCP," says Mike Schutz, the group product manager at Microsoft's Windows Server Division, which is leading the charge for NAP.
Like NAC, NAP employs client software, Quarantine Agent, that passes information to Microsoft's Network Policy Server, which, like Cisco's ACS, checks with third-party servers for policy compliance. NAP promises multiple enforcement options including DHCP, IPSec VPN and 802.1X.
NAP will initially only support Longhorn Server and Windows Vista, as well as XP SP2, which will require a NAP update on each device. This will present problems for shops using older versions of Windows, and require commitments to the new OSes, and testing and managing XP upgrades. Further, authentication and enforcement servers, i.e., DHCP and RADIUS, will require Longhorn, needing further upgrades and making NAP even more proprietary.
"We don't think of NAC and NAP as being an either/or situation," says Schutz. "We've announced that we would be working together on interoperable solutions, so customers can choose what will best meet their needs." However, neither Microsoft nor Cisco is currently working with the TNC solution and have no immediate plans to do so.
The government in Fulton County, Ga., is already wading into NAP, with early versions of Microsoft servers and Vista desktops and laptops.
"Everything is still in beta," says Keith Dickie, who is managing the NAP rollout of the county's IT department. "But several members of our IT staff are using it on their production machines without any problems, including incorporating Symantec's Norton Anti-Virus with Micro-soft's SMS and Windows servers."
The county is using IPSec authentication, and its NAP deployment checks for a series of health requirements, including making sure that the version of Norton AV is current.
Trusted Computing Group's TNC
TNC is composed of dozens of industry heavies (one wry ob-server calls it "every- one but Cisco") supporting a bunch of open standards. The good news is that the standards more or less map to the five requirements for network access control security mentioned earlier--policy definition, detection, assessment, enforcement and remediation. The bad news is that not all standards have been defined, and woefully few products support much of the alphabet soup that is required to actually implement a solution.
The key ingredients with TNC (www.trustedcomputing group.org/groups/network/) are support for RADIUS and 802.1X authentication servers and protocols, along with a trusted hardware chip and software in the endpoints.
"This isn't a forklift upgrade," says Steve Hanna, the cochair of TNC and a product manager at Juniper Networks. This differs notably from Cisco's approach, which uses the Cisco ACS authentication servers.
A PKI chip, called the Trusted Platform Module (TPM), extends authentication features that help to secure laptops against unauthorized users--such as thieves or someone who simply finds a lost laptop--in a hardware implementation that thwarts potential compromises to software.
"You just can't trust software these days because a PC could have been compromised by a zero-day vulnerability or by something a user downloaded via the Internet. The only ways to detect this is through trusted hardware," says Hanna. A number of laptop vendors including Dell, Fujitsu, Hewlett-Packard and Lenovo, already include trusted hardware modules in their product lines.
Once authentication checks are satisfied, the trusted hardware routine passes control to a third-party software agent, which checks the device for policy compliance, working with the TNC architecture that handles network authentication and login access. As an open standard, TNC should potentially employ any enforcement mechanism.
Not surprisingly, TNC-compatible products are already available from Cisco competitor Juniper, which acquired Funk Software, makers of RADIUS server products.
|Pick Your Acronym|
|Click here for a representative list of Network access control products (PDF).|
SSL VPN Weak Spot
Missing from all three solutions is SSL VPN support: "Nobody has any product yet available in the [SSL] VPN space, and we can't support it yet. But we expect to see that coming quite soon," says TNC's Hanna.
SSL VPNs have a ways to go. Few offer support for more than a couple of antivirus scanners, and many don't go beyond Windows/IE combinations or scan for a connection prior to network login. Part of the problem is that most of the VPN vendors added support for endpoint security after they finished their first versions, and it shows. Nortel and Aventail, for example, have two different sets of access controls in their VPN product--one that supports endpoint security and one that doesn't. Many SSL VPN vendors are partnering with third-party endpoint security vendors-- a growing market that offers alternatives to NAC, NAP and TNC.
While the marketing wars among Cisco, Microsoft and Trusted Computing Group heat up, enterprises are looking for solutions that work now, and, perhaps, support NAC, NAP and TNC as the paths to the future. Several vendors are shipping products that address at least some of the requirements for securing network access.
These products offer a wide range of checking and enforcement options to control both managed and unmanaged devices and give customers a lot of flexibility. Many offer login-, agent-, and ActiveX- or Java-based scanning to determine endpoint compliance, which you can mix and match according to your needs. And, instead of a single enforcement mechanism, these products increasingly offer the choice of DHCP, 802.1X, agent-based, inline appliance or NAC, so your enterprise does have options to match your environment. (For a representative list of products see "Choices, Choices & More Choices," at right)
Cisco, in fact, has a second approach that is not completely aligned with its own NAC architecture, called Clean Client Access, the result of its acquisition of Perfigo. It does agent-based endpoint assessment, client, policy management and remediation services.
No Easy Answer
The truth is that no single vendor has a complete solution that will lock down all of your endpoints and keep your resources safe. You'll need to find a product that will handle different security policies to protect critical network assets as well as those roaming laptops. And, unless you have a completely homogeneous network composed of Windows XP users running IE, you will need support for other operating systems and browsers. Despite all the wonderful claims, no one comes close to delivering a general-purpose endpoint solution that works with both agent and agentless technologies.
If you stick within the XP/IE realm, if all your users have administrator rights to their systems, and if you don't mind them downloading some form of Java or ActiveX application from their browser, then you can almost make things work with one of the third-party appliance products or by using VPN solutions from companies like Juniper and Aventail.
If Microsoft's NAP vision aligns with yours, get a head start by running the VPN quarantine in Windows ISA Server 2004--that will form the basis of the Longhorn code when it finally is delivered early next year.
And, if you have all your Cisco routers up to their current versions and can continue to live in an all-Cisco world, one of the NAC solutions from Cisco and its partners might work for you.
But if these limited scenarios aren't your situation, you have your work cut out for you to implement the best possible endpoint security solution. The best advice, as with all information security initiatives, is to thoroughly understand your enterprise and business requirements. Address these questions:
- Who are your mobile employees, what OSes and security applications are they running, and how do they connect to the network?
- Do consultants and vendors regularly access the network?
- What is your network infrastructure and what enforcement/remediation mechanisms will it support? Is it homogeneous? Is it relatively new, with up-to-date firmware, or do you have legacy routers and switches that won't support network-based solutions?
This was first published in June 2006