Remember the days when dialing up via IPsec VPN software -- when it worked -- granted immediate access to the corporate LAN? Consider those days of instant access numbered. The problem: Enterprises continue to get hammered by PCs without up-to-date antivirus signatures, patches or other adequate security controls.
Today's mobile workforce is often unavailable for PC updates. "Enterprises have been more and more impacted by the mobility of their workforces," said Scott Olson, senior vice president of marketing for endpoint security vendor WholeSecurity in Austin, Texas. In short, since "the nature of the network has changed, so your security approaches have to change as well."
New security approaches include network quarantining and endpoint-security checking. Simply put, PCs get restricted to network quarantine zones, then upgraded until they pass security muster. While easy application of this paradigm to all machines accessing the LAN -- whether from inside the enterprise, via wireless network, or VPN -- isn't yet a reality, the movement is growing rapidly.
"Most large enterprises have been doing bits and pieces of this, in terms of the quarantine and [forced] updating," said Matthew Kovar, vice president of security solutions and services at the analyst firm Yankee Group in Boston. Yet "within the next year, I think you'll see 50% of Fortune 100, if not closer to 80% or 90%, doing this." As the features become baked into products, expect continued uptake. For example, Microsoft announced quarantine capabilities for Windows Server 2003 via an upgrade by late 2005.
Two initiatives should also drive adoption: the Cisco Network Admission Control (CNAC) program, a collaboration between Cisco and antivirus companies McAfee, Symantec and Trend Micro; and Microsoft's Network Access Protection (NAP), which boasts 28 partners. (Note Cisco plans to introduce a vendor-neutral API for integrating endpoint-checking software into CNAC.)
Some new Cisco routers already have quarantine capabilities, with switch support likely in the near future. The latter would be a crucial step to applying the endpoint-checking paradigm to the entire LAN. Analysts, however, suspect first-generation quarantining will only work in homogeneous networking environments -- Cisco might not play well with 3Com and Nortel, and vice versa, for example. One way around that is to use network quarantine offerings from such vendors as Enterasys Networks, Perfigo and Vernier Networks.
During quarantining, endpoints can be subjected to a variety of security checks. Antivirus, antispyware, vulnerability checkers and the like are "going to have a polling process -- is this system good? -- and they'll have a veto process," said Rick Bilodeau, director of corporate marketing at enterprise connectivity provider iPass in Redwood Shores, Calif. If a machine fails, it can be forced to wait for important upgrades before receiving full network access. WholeSecurity and iPass already offer such capabilities, as do appliance makers Mirage Networks and InfoExpress. iPass is also developing software to coordinate a variety of endpoint checks at once.
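The "polling process, then veto" model Bilodeau describes can be sketched in a few dozen lines. The following is an added illustration, not code from the article or from any of the vendors it names: each check inspects a report the endpoint agent would send back, any single failing check vetoes full access, and the host is assigned to a quarantine zone together with the list of remediations it needs before it is re-polled. The report fields, the patch identifiers (placeholders) and the seven-day signature-age threshold are all assumed values chosen for the example.

```python
"""Added example: endpoint posture polling with a per-check veto.

Not from the original article or any vendor product. Field names,
patch identifiers (placeholders) and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable, List, Optional, Set, Tuple

# Policy thresholds: assumed values for this illustration only.
MAX_SIGNATURE_AGE_DAYS = 7
REQUIRED_PATCHES = {"PATCH-PLACEHOLDER-1", "PATCH-PLACEHOLDER-2"}


@dataclass
class EndpointReport:
    """What the endpoint agent reports back during the polling step."""
    hostname: str
    av_installed: bool
    av_signature_date: Optional[date]
    installed_patches: Set[str]
    firewall_enabled: bool


@dataclass
class CheckResult:
    name: str
    passed: bool
    remediation: str = ""


def check_antivirus(report: EndpointReport, today: date) -> CheckResult:
    """Veto if no antivirus is present or its signatures are too old."""
    if not report.av_installed or report.av_signature_date is None:
        return CheckResult("antivirus", False,
                           "install antivirus and update signatures")
    age = (today - report.av_signature_date).days
    if age > MAX_SIGNATURE_AGE_DAYS:
        return CheckResult("antivirus", False,
                           f"update signatures ({age} days old, "
                           f"max {MAX_SIGNATURE_AGE_DAYS})")
    return CheckResult("antivirus", True)


def check_patches(report: EndpointReport, today: date) -> CheckResult:
    """Veto if any patch required by policy is missing."""
    missing = sorted(REQUIRED_PATCHES - report.installed_patches)
    if missing:
        return CheckResult("patches", False,
                           "install missing patches: " + ", ".join(missing))
    return CheckResult("patches", True)


def check_firewall(report: EndpointReport, today: date) -> CheckResult:
    """Veto if the host firewall is switched off."""
    if not report.firewall_enabled:
        return CheckResult("firewall", False, "enable host firewall")
    return CheckResult("firewall", True)


# The set of pollers; each one holds an independent veto.
CHECKS: List[Callable[[EndpointReport, date], CheckResult]] = [
    check_antivirus, check_patches, check_firewall]


def evaluate_endpoint(report: EndpointReport,
                      today: date) -> Tuple[str, List[str]]:
    """Poll every check; one failure is enough to veto full access."""
    results = [check(report, today) for check in CHECKS]
    vetoes = [r for r in results if not r.passed]
    zone = "quarantine" if vetoes else "full-access"
    return zone, [f"{r.name}: {r.remediation}" for r in vetoes]


# Constructed sample reports (not real hosts).
TODAY = date(2005, 1, 15)
COMPLIANT = EndpointReport("laptop-ok", True, date(2005, 1, 14),
                           {"PATCH-PLACEHOLDER-1", "PATCH-PLACEHOLDER-2"},
                           True)
STALE = EndpointReport("laptop-stale", True, date(2004, 12, 1),
                       {"PATCH-PLACEHOLDER-1"}, True)

if __name__ == "__main__":
    for rep in (COMPLIANT, STALE):
        zone, todo = evaluate_endpoint(rep, TODAY)
        print(f"{rep.hostname}: {zone} {todo}")
```

The point of keeping each check as a separate function is that a new poller (antispyware, a vulnerability scanner) is added to `CHECKS` without touching the veto logic, which is what a coordinating layer of the kind iPass is described as building would need.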
In short, while not granting immediate network access to users is a paradigm shift, security managers may find it worth the wait.