Published: 01 Sep 2008
4 ORGANIZATIONS SHARE THE CHALLENGES
TechTeam Global delivers global, multilingual help desk services and other specialized IT solutions to multinational firms and is headquartered in Southfield, Mich. The company has used Sophos' antivirus software for several years and last year upgraded to Sophos Endpoint Security and Control 8.0, which combines antivirus and firewall protection with endpoint assessment. It now has 60 clients covered from a single server and plans to extend it to 1,400 within 18 months. TechTeam wanted to centralize its security reporting and management tasks and ensure that managed PCs would stay protected.
"Before we deployed the Sophos NAC client that comes with version 8, we had a variety of update sources and consoles that we had to check, some that were automated and some manual methods that involved visiting the physical PC in someone's office," says John Endahl, senior information security administrator at TechTeam.
"Now we can go to a single console and see if all of our PCs are compliant, if they have their firewalls turned on and operational," he adds. "This gives us the confidence that all of our managed endpoints stay managed and protected as best we can. We can extend our field of vision to know if we have an endpoint that is at risk of being compromised before they actually touch our network."
TechTeam initially rolled out the software just to the IT department, and is now expanding it companywide as part of a desktop hardware refresh cycle. That refresh has created a snag: "one of the problems we have now is that we are buying new hardware and it is running 64-bit Vista OS, which isn't yet supported by Sophos' NAC client," says Endahl. The company is postponing its Vista purchase for a few months to try to time it with the release of Sophos' support. Sophos' NAC client doesn't yet support Mac OS and Linux endpoints either, although the antivirus components do.
TechTeam was excited about adding the endpoint control features to its Sophos antivirus software. "It really enhances the entire package," says Endahl. "It gives us tremendous insight about the state of the security policy of each individual PC." Before deploying the NAC module, he says, "we couldn't validate the current firewall status of a PC using just the Windows Group Policies."
The company currently has a single NAC server. "Based on the performance of the server and our network we may or may not add more," Endahl says. "With locations around the world it's always good to keep policy servers as close to the systems they manage to keep latency down."
One of the sticking points with deploying NAC is the increase in login times and user perception that the PC takes longer to connect to the network. Given that many of the users at TechTeam are call center agents, they are very sensitive to any delays.
"We try to make sure that every employee can come in and get logged in to their PC as quickly as possible, because we are a service organization and very sensitive to anything which keeps us from providing that service in a timely fashion to our customers," says Endahl.
"We have timed this with stopwatches and found that the Sophos NAC client has already checked in with their policy servers before the PC has finished loading its applications, so the impact and delays have been almost nonexistent."
The Sophos product "just continues to get better by adding new functionality without over-complicating things," he says.
HIPAA compliance requirements plus the need to control vendors and contractors accessing its network drove Government Employees Health Association to look for a NAC solution. One incident in particular made NAC a necessity for the insurance company, which serves federal employees and retirees and has more than 221,000 health plan members.
"One day we were looking at the DHCP server and saw an unfamiliar host name that had obtained an IP address. We hunted it down and sure enough, a consultant had plugged a laptop into our network," says Justin Gerharter, senior systems engineer at GEHA. "That was the slap in the face that turned NAC from being a want into a need."
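The check Gerharter describes, an unfamiliar host turning up in the DHCP server's lease records, can be automated by reconciling DHCP acknowledgements against an asset inventory. The following is an added example, not GEHA's tooling or any vendor's code; the log lines imitate ISC dhcpd syslog output and, like the inventory and the IP-phone allow list, are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in the style of ISC dhcpd syslog output (not real GEHA logs).
SAMPLE_DHCP_LOG = """\
Mar  3 08:02:11 dhcp1 dhcpd: DHCPACK on 10.20.1.15 to 00:1a:2b:3c:4d:01 (HQ-WS-0412) via eth0
Mar  3 08:02:19 dhcp1 dhcpd: DHCPACK on 10.20.1.16 to 00:1a:2b:3c:4d:02 (HQ-WS-0413) via eth0
Mar  3 08:05:44 dhcp1 dhcpd: DHCPACK on 10.20.1.97 to 00:0c:29:aa:bb:cc (CONSULTANT-LT) via eth0
Mar  3 08:06:02 dhcp1 dhcpd: DHCPACK on 10.20.3.40 to 00:04:f2:11:22:33 via eth0
Mar  3 08:07:30 dhcp1 dhcpd: DHCPDISCOVER from 00:0c:29:aa:bb:cc via eth0
"""

# Constructed asset inventory: MAC -> expected hostname for managed PCs,
# plus a MAC allow list for devices that cannot run an agent (IP phones).
KNOWN_ASSETS = {
    "00:1a:2b:3c:4d:01": "HQ-WS-0412",
    "00:1a:2b:3c:4d:02": "HQ-WS-0413",
}
PHONE_ALLOW_LIST = {"00:04:f2:11:22:33"}

# Only DHCPACK lines mean an address was actually handed out; the hostname
# field is optional because not every client sends one.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    hostname: Optional[str]


def parse_acks(log_text):
    """Extract one Lease per DHCPACK line; other message types are ignored."""
    leases = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            leases.append(Lease(m["ip"], m["mac"].lower(), m["host"]))
    return leases


def find_unknown_leases(leases, known_assets, phone_allow_list):
    """Return (lease, reason) pairs for devices the inventory does not explain."""
    unknown = []
    for lease in leases:
        if lease.mac in phone_allow_list:
            continue  # known agentless device, authenticated by MAC
        expected = known_assets.get(lease.mac)
        if expected is None:
            unknown.append((lease, "MAC not in inventory"))
        elif lease.hostname != expected:
            # Same MAC, different name: re-imaged machine or someone else's laptop?
            unknown.append((lease, f"hostname mismatch (inventory says {expected})"))
    return unknown


def report(log_text=SAMPLE_DHCP_LOG):
    return find_unknown_leases(parse_acks(log_text), KNOWN_ASSETS, PHONE_ALLOW_LIST)


if __name__ == "__main__":
    for lease, reason in report():
        print(f"ALERT {lease.ip} {lease.mac} {lease.hostname!r}: {reason}")
```

Run against the sample, the script flags only the consultant's laptop: the two managed workstations match the inventory and the phone is covered by the MAC allow list. In practice the inventory would be fed from the same source the NAC policy server uses, and the report would run on each new lease rather than on a daily batch.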
The organization installed Nevis Networks LANenforcer appliances across 1,800 edge switch ports to protect its workforce of approximately 800 employees. The biggest benefit has been the ability to control contractors and other guests, Gerharter says: "We can allow vendors or whoever to plug their laptop in and give them access only to what they need, which is usually just the Internet."
GEHA isn't yet using the devices' client integrity scanning features.
"We're in reporting-only mode, which allows us to see what's going on," Gerharter says.
The logs help not only with compliance but with troubleshooting. "We can go back and see where every user went when they logged on during the day," Gerharter says. "We have audit trails of where every user is going. That helps with HIPAA compliance and post-mortem if something happens. We can go back and see if it originated from an endpoint."
GEHA initially deployed the Nevis technology to its network operations center and expanded from there. The deployment took about five weeks and didn't require the purchase of any additional hardware or software, or necessitate changes to existing security policies. "It was just a drop in," Gerharter says.
The organization is primarily a Windows shop, but does have IP phones that required some additional steps to get them to authenticate through the NAC appliance.
"It just takes adding a MAC address to an allow list," he says.
Engineers at GEHA installed two LANenforcer 2024 devices plus the LANsight management appliance, which provides a central place to update endpoint policies. Getting accustomed to the management functions required a short learning curve, but in the end they are pretty straightforward, Gerharter says.
In August, GEHA planned to add two more 2024s for high availability. It also was set to install two LANenforcer 1048 Secure Access Switches for the organization's Citrix servers.
GEHA is using McAfee software to protect endpoints from spyware and malware, but may add Nevis client integrity scanning if tests go well.
The IT department was testing the functionality but testing was halted when many in the department upgraded to Vista because the Nevis agent didn't support the new operating system. When GEHA gets the latest code release from Nevis installed, it will resume testing. If all goes well, it will roll out the agent as an additional layer to its endpoints, Gerharter says.
Allina Hospitals & Clinics, a large collection of Minnesota hospitals and doctor practices based in Minneapolis, was looking for a better way to keep its client PCs updated with the most current OS patches and virus signatures. The organization also wanted to ensure that patient data was protected, given that its offices are spread out across the state.
Allina chose Microsoft Forefront Client Security along with its Enterprise Manager, and has been using the products for nearly two years with more than 20,000 clients connecting to a single policy server. Microsoft has marketed Forefront as its first Network Access Protection (NAP) implementation; Forefront combines several security applications, including antivirus/antispam, desktop patch management and policy enforcement.
Interestingly, all the clients are running just Windows XP with SP2. Allina is a big Microsoft shop, running Windows Server, Active Directory, Operations Manager and other products. Even with all this Microsoft infrastructure, the organization still needed to add a Windows Server 2008 machine to handle the NAP services (they are not supported on earlier Windows Server versions) and change some Active Directory group policies, but it wasn't all that onerous. According to IT staff, the initial policy and server deployment took less than two work days.
"Forefront uses the knowledge of the virus signatures that you have and gives you a full picture of what critical updates are available, which gives you better visibility of your security," says Brad Myrvold, manager of desktop technology for Allina.
Before installing Forefront, hospital IT staff members tried a variety of antivirus solutions from CA, Symantec and McAfee but weren't satisfied for several reasons. Signature updates took too long to complete across the wide network, in some cases completely tying up network bandwidth. They also found these solutions difficult to centrally manage, and they didn't integrate well with AD policies. Before deploying Forefront, security policy updates required changes in three different systems. Now there is a single place to manage all the policies.
"By using Forefront, we have eliminated tracking down workstations that bring infections into our test and dev environments," Myrvold says.
"I can enforce hotfixes, virus protection and firewalls all from the same console and series of group policies."
Perhaps the most interesting point about this installation was when Allina's IT staff first ran Forefront. They found more than 500 infected PCs that required remediation. "A few of them needed to be reimaged, and most could be handled with automated tools and didn't need to be rebooted," says Myrvold. The IT staff wanted to disrupt users as little as possible and also wanted to use automated tools to fix the problems.
There were some scalability concerns since Microsoft recommended no more than 10,000 clients per server, but "understanding the effect of various configuration options" helped Allina address them, Myrvold says.
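The posture checks that run through these accounts (is the host firewall on, are the virus signatures current, are the required hotfixes installed) reduce to a small policy evaluation that a NAC server performs for each endpoint before deciding what network access it gets. The block below is an added illustration of that evaluation, not Sophos', Nevis' or Microsoft's logic; the posture reports, the hotfix identifiers (`HF-EXAMPLE-*`) and the evaluation date are constructed. It also models the difference between GEHA's "reporting-only mode" and enforcement, where a failing endpoint is quarantined rather than merely logged.

```python
from dataclasses import dataclass
from datetime import date
from typing import Set, Tuple, List

# Constructed evaluation date (the article's publication month, used only as a fixed "today").
TODAY = date(2008, 9, 1)


@dataclass(frozen=True)
class Posture:
    """What the endpoint agent reports back to the policy server."""
    host: str
    firewall_on: bool
    av_signature_date: date
    installed_hotfixes: Set[str]


@dataclass(frozen=True)
class Policy:
    required_hotfixes: Set[str]
    max_signature_age_days: int = 3
    enforce: bool = False  # False = reporting-only mode: log failures, still allow access


def evaluate(posture: Posture, policy: Policy, today: date = TODAY) -> Tuple[str, List[str]]:
    """Return (access decision, list of policy failures) for one endpoint."""
    failures = []
    if not posture.firewall_on:
        failures.append("host firewall disabled")
    age_days = (today - posture.av_signature_date).days
    if age_days > policy.max_signature_age_days:
        failures.append(f"AV signatures {age_days} days old (max {policy.max_signature_age_days})")
    missing = sorted(policy.required_hotfixes - posture.installed_hotfixes)
    if missing:
        failures.append("missing hotfixes: " + ", ".join(missing))

    if not failures:
        return "allow", failures
    if policy.enforce:
        # Remediation network only: the host can reach update servers, nothing else.
        return "quarantine", failures
    return "allow (report only)", failures


# Constructed posture reports from two endpoints; hotfix ids are placeholders.
SAMPLE_POSTURES = [
    Posture("WS-01", True, date(2008, 8, 31), {"HF-EXAMPLE-001", "HF-EXAMPLE-002"}),
    Posture("WS-02", False, date(2008, 8, 20), {"HF-EXAMPLE-001"}),
]


def run_sample(enforce: bool = False):
    """Evaluate the sample endpoints; returns {host: (decision, failures)}."""
    policy = Policy(required_hotfixes={"HF-EXAMPLE-001", "HF-EXAMPLE-002"}, enforce=enforce)
    return {p.host: evaluate(p, policy) for p in SAMPLE_POSTURES}


if __name__ == "__main__":
    for mode in (False, True):
        print("enforce =", mode)
        for host, (decision, failures) in run_sample(enforce=mode).items():
            print(f"  {host}: {decision}" + (f" [{'; '.join(failures)}]" if failures else ""))
```

In reporting-only mode WS-02 keeps its network access but shows up with three findings, which is the visibility Gerharter and Endahl describe; flipping `enforce` turns the same findings into a quarantine decision. Running in report-only mode first is what lets a team size the remediation backlog (Allina's 500 infected PCs) before enforcement starts locking users out.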
The pizza restaurant chain Papa Gino's takes a different tack when it comes to securing endpoints and controlling network access. The New England company has put together a collection of tools based on the Trusted Platform Module (TPM) and related software to help secure laptops used for various back-office functions. The IT team at Papa Gino's decided to control access to the network by first controlling access to the endpoints.
"We wanted to harden the endpoints themselves," says Chris Cahalin, manager of network operations for the corporation. "We discovered that by controlling access to the endpoint, we control who has access to the network."
IT staffers began buying laptops with TPM in spring 2005, and now have standardized on Dells. TPM is a special chip that has been included in all major laptop configurations for the past several years; it provides a protected environment not accessible to the Windows operating system that can store security keys and other encrypted information. The Papa Gino's rollout started with 250 PCs and laptops but might expand to several thousand machines over the next year, depending on whether the company extends the program to handle PC-based point of sale cash registers.
The solution involves Wave Systems' Embassy Trust Suite protection software, which works with the TPM to determine the state of a machine, and Seagate hard drives with built-in encryption. Each laptop user records his or her fingerprint, using the built-in reader, for pre-boot authentication and full disk encryption. "When a PC gets to the end of its life or needs to be reprovisioned, it literally takes us just a few seconds to securely repurpose it using remote instantaneous cryptographic shredding," says Cahalin. He and his team are also looking to incorporate the fingerprint scan as a means to authenticate a user to the network. "Our solution and Embassy work very nicely with Active Directory. You can set this up with a series of group policies in about 30 minutes--it is that simple."
One advantage of using biometrics with TPM protection is that IT can provide cheat sheets to employees on how to access the network without having to worry about them literally falling into the wrong hands, or fingers; the notes are Wave Systems-protected. Users can also create shared data repositories for specific users and purposes, such as for sensitive HR compensation documents.
"No one else has access to this data, even the departmental secretaries, because really, they shouldn't be able to see this information. And the encryption keys that are used to protect this data are being backed up to our servers and can be easily recovered. This way, we avoid any exposure if our employees lose their encryption keys. People may have the best of intentions, but we still need centralized control over data protection and data access," says Cahalin.
"The incremental cost is less than a few dollars per laptop; it's about as close to a no-brainer as you can get," he adds. The company eventually plans to move to Windows Server 2008 and NAP, and will use its TPM-based solution as the core. "TPM really provides a lie detector for endpoints because it enforces the integrity of the endpoint itself."