The network endpoint as we know it is dead. A firewall alone can no longer protect the corporate network from potentially dangerous endpoints introduced by remote users, partners, contractors, even malicious intruders. Vendors have responded to this de-perimeterization of corporate networks with products designed to perform "health checks" of connecting devices, permitting access based on the security status of the endpoint. The challenge for security practitioners is to choose the correct endpoint security solution for their network environment.
There are currently three major players in the endpoint security space, each offering a different solution:
- Cisco, with its Network Admission Control (NAC)
- Microsoft, with its Network Access Protection (NAP)
- TCG, with its Trusted Network Connect (TNC)
There is no clear leader, and the future is uncertain as to which vendor will fill the dominant role in the endpoint security space. The challenge is two-fold. The solutions from Cisco and Microsoft are for the most part proprietary, while TCG is the smallest. And the endpoint security solution choice you make this year is one that your organization will have to live with for years to come.
After all is said and done, all of the solutions are attempting to perform the same task. They use routers, switches, wireless access points, software and security appliances to enforce endpoint security, by requiring a baseline security configuration from endpoint devices. This baseline information is sent to the policy server, which then makes the decision as to whether the device should be granted network access or not.
Adding admission protection allows a "health check" to be done on a client. This health check is generally composed of information about the status of various client platform measurements, including the version of the virus scan engine and DAT file, personal firewall and other settings, and patch status. If the client does not conform to IT policy, it can be isolated onto a VLAN where remediation services can be offered.
Let's take a look at the big three and get a quick overview of each solution.
Cisco NAC is an API-level enforcement and quarantining technology built into the Cisco network infrastructure. NAC focuses on network infrastructure, policy definition and management, and is built on a foundation of installed Cisco devices.
NAC works via trusted modules (Cisco Trusted Agent) that are installed on Windows and Linux desktops, and implemented in Cisco routers and switches. Thus, NAC requires a Cisco infrastructure running a current version of IOS. For enterprises running legacy Cisco devices or older versions of IOS, this requires a potentially expensive upgrade. For non-Cisco shops, this is not a trivial expense. Finally, because NAC requires a software agent, it is not an option for those organizations that embargo new agents on desktops.
On the positive side, NAC is a shipping product with many deployments. One of the most important elements for a solid future is the development of long-term strategic partnerships, and Cisco has effectively done so with NAC. The company is also looking to increase its partnerships, which seems to only strengthen NAC's future.
With an inter-connected, global economy being a given, plus networks and extranets becoming more ubiquitous, combined with Cisco's dominance at the network layer, NAC seems to be a strong candidate for the most pervasive endpoint security solution.
NAP is the policy enforcement platform built into the Microsoft Windows Vista and Longhorn OSes. While NAC is built on a Cisco foundation, NAP is built on a Windows foundation and uses the Windows Quarantine Agent (QA). The QA gathers device information and passes it to the Microsoft Network Policy Server, which works with other devices (DHCP, IPsec, VPN, 802.1x and more) for policy compliance.
The downside to all of this is that NAP is only supported in Vista and Windows XP SP2, and it is still in beta development.
NAP allows you to create customized policies to validate computer health before allowing access or communication, automatically update compliant computers to ensure ongoing compliance and optionally isolate noncompliant computers to a restricted network until they become compliant.
With Cisco's dominance in the endpoint security market, Microsoft is finding itself in catch-up mode. But being in catch-up mode often brings out the best in Microsoft, as seen in its demolition of Netscape during the browser wars. The industry does not seem to actively await NAP's availability in Vista and time will tell how successful it will ultimately be.
TNC is the only fully open solution amongst the big three. It is built on the assumption that every device has a specialized piece of hardware to verify that the endpoint has not been compromised. TNC relies on hardware to monitor security and enforce endpoint policies.
TNC is a set of open standards and its mission is to develop and promote an open, vendor-neutral, industry standard specification for trusted computing building blocks and software interfaces across multiple platforms.
The challenge with TCG is that not all of the standards have been fully defined and there is limited product support to date. While the thought of a vendor-neutral, open architecture for endpoint security is an enticing idea, the snail's pace at which the TNC standards are coming out only delays its acceptance. Combined with the dominance of Cisco and Microsoft, TNC faces significant competition. It appears as if TNC will only be a supporting actor at best in the endpoint security space.
TNC provides security at the hardware level, but it requires a specialized piece of hardware to operate. The TCG standards are based on a security chip, called a Trusted Platform Module (TPM), placed in a desktop computer or laptop. Built into a new PC, the security chip protects the data at the hardware layer. TCG believes this hardware approach is much more beneficial than protection at the software layer. The TCG's ultimate plan is to have a TPM on every piece of hardware, from phones to thumb drives and printers.
While the big three have significant mind share, other vendors also want a piece of the endpoint security market, which is forecasted to be huge. Myriad vendors are in this space, including Check Point, Symantec, Juniper, Qualys, 3Com, ISS, McAfee and countless more.
Knowing that it is an uphill battle to fight against the likes of Microsoft and Cisco, many of these vendors are depicting themselves as best-of-breed players offering better and more customizable solutions.
Check Point, for example is using its installed base as a leverage point for its Integrity endpoint security software solution. Integrity is based on the protections in ZoneAlarm, the world's most deployed personal firewall. Because it is part of the Check Point Unified Security Architecture, it is completely integrated and managed within the overall Check Point management infrastructure.
As to which technology and vendor will be most dominant, no one can accurately predict that. As a whole, all of these products operate in pretty much the same way as the big three, with their solutions centered on policy management and policy enforcement.
The main difference is that for many of the best-of-breed solutions, their methodology centers on their own proprietary solution and may not necessarily integrate into a larger overall framework, such as Cisco or Microsoft.
While endpoint security is a hot topic with myriad hardware and software solutions, the reality is that there are no standards, many current solutions are proprietary, and solutions are costly and complex to implement. Combined with the fact that there are not a lot of experts in the field, organizations are trying to figure out how to best future proof their endpoint security investments.
The bitter truth is that security in general is quite difficult to future proof, let alone a cutting edge technology such as endpoint security. This is similar to the late 80s when Ethernet was still in its infancy and not standardized. Companies spent huge sums on cabling, often finding out later that they had installed non-standardized components.
With that, the best advice to this predicament is for organizations to implement comprehensive processes before buying any sort of endpoint security hardware or software. These processes include the ability to test, assess and validate all of the constraints that will be deployed as part of the endpoint solution. One such process that needs to be defined is how endpoints self-quarantine themselves during the policy enforcement process. Organizations need to define all of the potential scenarios and how they should be properly played out.
By defining all of these processes in advance, this solves two problems. First off, it ensures that regardless of what vendor is chosen, the underlying process can support the solution. And in the unfortunate event that the solution and the standards bifurcate, the underlying processes can support an alternate solution.
About the author
Ben Rothke, CISSP, is the Director of Security Technology Implementation for a large financial services company. He has more than 15 years of industry experience in the area of information systems security and privacy, and his areas of expertise are in risk management and mitigation, PKI, security and privacy regulation, design and implementation of systems security, encryption and security policy development. Prior to joining his current firm, Rothke was with ThruPoint, Baltimore Technologies, Ernst & Young, and Citicorp, and has provided security solutions to many Fortune 500 companies. He is the author of Computer Security -- 20 Things Every Employee Should Know (McGraw-Hill 2006), and a contributing author to Network Security: The Complete Reference (Osborne) and The Handbook of Information Security Management (Auerbach).
|IAM SCHOOL HOME||ENDPOINT SECURITY LESSON HOME||ENDPOINT SECURITY WEBCAST||ENDPOINT SECURITY PODCAST|
This was first published in July 2006