Hark! Who goes there? -- Network device compliance


Ben Rothke, CISSP
04.06.2004


Traditional network security has long been about protecting the network perimeter via the "crunchy on the outside, chewy on the inside" method. But that method does nothing to stop viruses and worms from originating inside the network. Examine a corporate campus and count the consultants, service providers and temporary workers accessing the network. How can their access be controlled, ensuring they don't introduce viruses and worms to the network?

Today, many corporate networks are more open than all-night convenience stores. With that openness comes lost productivity, industrial espionage, insider abuse and much more. Even with layers of firewalls and IDSes, viruses and worms are still the curse of today's IT environments. Even for the organization that has an antivirus appliance at their gateway, end-node security is crucial since so many devices (PDAs, laptops, etc.) are now bypassing that first-level gateway of protection. A network card and DHCP is all that is needed to access many networks. This is atrocious given the risks that arise from a lack of effective end-node security.

Effective end-node security is all about verifying the security compliance of any device that connects to the network. Seeing the importance of end-node security, many vendors are getting into the game. While the company hasn't announced anything directly, Microsoft is working on a trust model of analysis and the quarantining of end points. Two announcements, by Symantec Corp. and StillSecure, were made early this week. Symantec announced the release of Symantec Client Security 2.0, which includes VPN Compliancy Check, and StillSecure announced its agentless end-node security solution, StillSecure Safe Access. Other vendor offerings include InfoExpress's CyberGatekeeper and Sygate's Adaptive Protection, but they don't have the same level of infrastructure to leverage as Cisco's Network Admission Control (NAC).

NAC isn't a product per se but Cisco's collaborative effort to ensure network devices can't enter a network until they are compliant with the level of enforcement required. Non-compliant devices can be isolated and denied network access until they are appropriately patched. This host isolation is the greatest benefit of NAC. Typhoid Mary showed what one infected person can do to facilitate the spread of disease -- so too with a single infected host. Until it is isolated, there is little that can be done to stop its lingering effect on the rest of the network.

NAC's goal is simple: Ensure hosts can't harm the network. It's the equivalent of showing one's credentials before admission and having a level of enforcement after admittance. An example of NAC credentials would be the most recent antivirus definitions and operating system patches.

Cisco defined NAC's architecture and the specifications for NAC technology to be integrated into third-party products. Any developer that wants to integrate NAC into their solution licenses the NAC SDK. It is Cisco's hope that NAC will ultimately be ubiquitous at the desktop in the form of the Cisco Trust Agent (CTA) software. CTA will be the interface between the desktop and NAC, and will be freely available to end-users, much like the Adobe Acrobat reader.

The function of any desktop agent is to collect security state information from the desktop device and to report that information to the connected network where access control decisions are made and enforced. If the host is compliant, access is granted. If not, the device is placed in a quarantined area where the required patches are downloaded.

If an agent isn't loaded, default access policies are enforced according to the level of security desired. The beauty of such an architecture is that there is compulsory enforcement. Hosts that aren't compliant are denied network access.
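The admission decision described above can be sketched as a small policy check. This is an added illustration, not code from the article or from Cisco's NAC SDK; the `PostureReport` and `Policy` types, the `decide` function and the patch identifiers are all hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class PostureReport:
    """Security state a desktop agent reports (hypothetical fields)."""
    av_definitions: date            # date of the installed antivirus definitions
    installed_patches: frozenset    # OS patch identifiers present on the host

@dataclass(frozen=True)
class Policy:
    """Admission policy held by the network side (hypothetical)."""
    max_av_age_days: int
    required_patches: frozenset
    agentless_default: str          # "deny" or "quarantine", per desired security level

def decide(report: Optional[PostureReport], policy: Policy,
           today: date) -> Tuple[str, List[str]]:
    """Return (decision, remediation steps) for a host requesting access.

    The report is self-asserted by the host; authenticating it is outside
    the scope of this sketch.
    """
    if report is None:
        # No agent loaded: fall back to the default access policy.
        return policy.agentless_default, ["install posture agent"]

    fixes: List[str] = []
    age = (today - report.av_definitions).days
    # A definitions date in the future is treated as invalid, not as fresh.
    if age < 0 or age > policy.max_av_age_days:
        fixes.append("update antivirus definitions")
    for patch in sorted(policy.required_patches - report.installed_patches):
        fixes.append(f"install patch {patch}")

    # Any outstanding fix sends the host to quarantine for remediation.
    return ("quarantine", fixes) if fixes else ("allow", [])

if __name__ == "__main__":
    # Constructed sample policy and host report.
    policy = Policy(7, frozenset({"PATCH-001", "PATCH-002"}), "deny")
    host = PostureReport(date(2004, 3, 1), frozenset({"PATCH-001"}))
    print(decide(host, policy, date(2004, 4, 6)))
    print(decide(None, policy, date(2004, 4, 6)))
```

The remediation list is what a quarantine segment would use to decide which updates to offer the host before it is re-evaluated.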

End-node security fulfills the credo of "trust but verify." With laptops, cell phones and wireless PDAs easily connecting to the corporate network, the security risks that come with this ease of access can be utterly dreadful. It will be a while before the various end-node security initiatives are complete and fully deployed. But as a start, it shows that the best information security defense is a strong offense.

About the author
Ben Rothke, CISSP, is a New York-based security consultant with ThruPoint, Inc. McGraw-Hill recently published his book Computer Security: 20 Things Every Employee Should Know. He can be reached at brothke@thrupoint.net.

More information on NAC:
  • The article "Cisco, antivirus vendors push access privilege to routers" details Cisco's Network Admission Control.
