A controversial topic in the security community recently has been Microsoft's push for a system of Internet-wide network access control. Many have already voiced their opposition, but enterprise information security pros would be wise to consider supporting Microsoft's initiative as the last, best hope to gain ground in the war on malware.
Microsoft's plan isn't new; in fact, it was featured in Trustworthy Computing chief Scott Charney's RSA Conference keynote back in March. In a nutshell, Microsoft believes the only way to prevent consumer PCs from continually falling prey to malware is with broader, more aggressive Internet access control measures to inspect and clean infected computers before granting them unfettered access to the Internet.
The concept was brought to the fore once again this month when Microsoft released a new position paper written by Charney entitled, "Collective Defense: Applying Public Health Models to the Internet" (pdf). As the title suggests, Charney asserts that consumer Internet security is like public health; to stay "healthy" individuals we must not only understand the basic risks, but also be taught how to avoid them. Yet, as Charney writes:
"…many consumers have no desire to become IT professionals, let alone security experts, and information technology can be so complex that knowing how to protect oneself online is not intuitive."
Microsoft's proposed "Global Collective Defense" initiative is a two-pronged approach that would involve identifying infected devices and, eventually, creating a standardized system for validating uninfected, properly protected machines. As an example of the former, Microsoft points to Comcast's Constant Guard botnet malware-notification system, which the mammoth ISP is rolling out to its more than 16 million Internet customers. For the latter, it naturally suggests its own Network Access Protection technology.
Interestingly, a number of enterprise information security professionals quickly dismissed the concept of Internet access control, citing a number of concerns. Foremost among them is that such a system would govern the way in which enterprises can access and use the Internet. However, Charney makes it clear that such a system would be geared toward consumers; enterprise IT departments already have the technology and know-how to put their own protection mechanisms in place, so it would likely not be applied to any organization that contracts for enterprise-caliber Internet services.
Another counterargument is that an infected computer couldn't be cleaned if it isn't granted full Internet access. Not true: Today's enterprise NAC products are capable of providing restricted Internet access to quarantined machines, allowing them to be disinfected without spreading malware. Applying the concepts of NAC to consumer devices is possible, though making the remediation process consumer-friendly would be more challenging.
Some fear that those who end up with the power to decide when or why remediation is needed may abuse that power. It would seem the only two groups that have the authority or ability to enact wide-ranging Internet access control are ISPs and national governments, and neither could or would do it alone. Microsoft so far has been short on details regarding how such a plan could be implemented on a global scale, but ideally remediation guidelines would be governed by multiple independent groups with no stake in the outcome.
A few ask why bother if zero-day attacks can't be thwarted. That threat would clearly remain, but by mandating client-based defense-in-depth principles -- timely patch updates, proper firewall configuration, updated antimalware -- the likelihood of a widely damaging zero-day attack would decrease.
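The quarantine-with-remediation model described in the two paragraphs above (restricted access for machines that fail a health check, full access for those that meet the defense-in-depth baseline) can be sketched as a small posture evaluator. This is an added illustration, not code from the article, from Microsoft's Network Access Protection, or from any ISP system; the posture fields, the age thresholds, and the remediation hostnames are constructed assumptions, not values the article gives.

```python
from dataclasses import dataclass
from typing import List

# Assumed posture attributes a client agent (or an ISP notification feed) could
# report; none of these field names come from the article or any real product.
@dataclass
class Posture:
    device_id: str
    patch_age_days: int            # days since the last OS/security patch was applied
    firewall_enabled: bool
    antimalware_sig_age_days: int  # days since the antimalware signatures were updated
    infection_reported: bool       # e.g. a botnet-notification flag from the ISP


@dataclass
class AccessDecision:
    tier: str                       # "full" or "quarantine"
    reasons: List[str]              # why the device was quarantined (empty when full)
    allowed_destinations: List[str] # "*" means unrestricted


# Constructed placeholder hosts reachable from quarantine so the machine can
# still be patched and disinfected; a real deployment would substitute its own.
REMEDIATION_ALLOWLIST = [
    "patch.example.invalid",
    "av-updates.example.invalid",
    "remediation-portal.example.invalid",
]

MAX_PATCH_AGE_DAYS = 30   # assumed baseline: patches no older than a month
MAX_SIG_AGE_DAYS = 7      # assumed baseline: signatures no older than a week


def evaluate(posture: Posture) -> AccessDecision:
    """Map a reported posture to an access tier.

    Any single failed check is enough to quarantine; a reported infection is
    checked first so the decision record leads with the most serious reason.
    """
    reasons = []
    if posture.infection_reported:
        reasons.append("infection reported by network operator")
    if posture.patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append(f"patches older than {MAX_PATCH_AGE_DAYS} days")
    if not posture.firewall_enabled:
        reasons.append("host firewall disabled")
    if posture.antimalware_sig_age_days > MAX_SIG_AGE_DAYS:
        reasons.append(f"antimalware signatures older than {MAX_SIG_AGE_DAYS} days")

    if reasons:
        # Quarantine: only the remediation hosts are reachable.
        return AccessDecision("quarantine", reasons, list(REMEDIATION_ALLOWLIST))
    return AccessDecision("full", [], ["*"])


def is_destination_allowed(decision: AccessDecision, host: str) -> bool:
    """Enforcement check a gateway would apply per connection attempt."""
    return "*" in decision.allowed_destinations or host in decision.allowed_destinations


def main() -> None:
    # Two constructed devices: one healthy, one that would be quarantined.
    healthy = Posture("dev-a", 3, True, 1, False)
    stale = Posture("dev-b", 90, False, 45, True)
    for p in (healthy, stale):
        d = evaluate(p)
        print(p.device_id, d.tier, d.reasons)
        print("  can reach www.example.com:", is_destination_allowed(d, "www.example.com"))
        print("  can reach patch host:     ",
              is_destination_allowed(d, "patch.example.invalid"))


if __name__ == "__main__":
    main()
```

The point of keeping the decision and the enforcement as separate functions is that the remediation allowlist stays reachable from quarantine, which is exactly what makes disinfection possible without granting the infected machine unrestricted access.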
Still others argue that Microsoft's plan is a tacit admission that it will never succeed in securing its own products, particularly Windows. That may be true, and Microsoft has made more than its share of security mistakes, but there will come a day in the not-too-distant future when the most popular platform for Internet-connected clients will not be made by Microsoft. Whatever that next platform is -- Android, MacOS, Linux or something else -- it will be assaulted just as maliciously and relentlessly as Microsoft's products have been for the past 15-plus years. Without a fundamentally different approach to the way Internet-connected clients are able to interact with each other, no widely used platform will ever truly be secure.
There's little argument that we're still years away from this kind of broad consumer Internet access control system, but with Microsoft and Comcast already advancing this concept, others will follow. Hopefully enterprise information security pros will come around as well. It would go a long way toward counteracting the pernicious botnets that at this moment are harnessing thousands of consumer computers each day to attack commercial and government entities alike. Information security as an industry rarely has the opportunity to take such a large leap forward; enterprise infosec pros should support (or at least consider) this one instead of spurning it.