Malware-infested, non-compliant endpoints can bring even a well-secured network to its knees unless steps are taken...
to assess and prevent damage. Checking the health and posture of every IP-enabled device connected to a network then taking action to enforce compliance may be a simple concept, but deployment can be tricky.
According to Forrester Research, 40 percent of enterprises have started network access control (NAC) initiatives in which endpoint integrity can play a role, but only four percent have completed them. Many promising projects are abandoned, victims of overly-ambitious goals, ineffective implementations, or inter-organizational struggles.
So what does it take to plan, implement, and maintain a practical-yet-effective endpoint integrity enforcement program? We asked several adopters about their experiences to uncover the secrets to success and pitfalls to avoid. These diverse implementations served varied populations but all employed some essential best practices. (see below).
Organizations offer nine tips for successful endpoint security enforcement initiatives
THE FALL AND RISE OF INTEGRITY ENFORCEMENT
Endpoint integrity has never been more essential -- or challenging to enforce. Between wireless mobility, bring-your-own phones, and a dizzying array of IP-enabled devices, everyone faces a daily influx of unknown, potentially risky endpoints. Enforcement through IT ownership is no longer feasible, and endpoint measures that do get deployed cannot disrupt business unless serious damage is imminent.
Many organizations that pursued NAC to enforce endpoint integrity backed off when users cried foul and help desks became overloaded. "In earlier deployments, NAC tended to be like an on/off switch, which proved too extreme in some cases -- nobody wants to be the person who blocked the CEO," says John Sheedy, marketing manager for Bradford Network's Network Sentry appliances.
Soon, the primary goal for most new NAC deployments became guest access -- basic friend-or-foe assessments that directed trustworthy insiders onto privileged segments while sending everything else to the Internet. Managed endpoints often received closer scrutiny, but guests did not. "Quarantine just involved way too many organizations and too much effort," says Mark Townsend, director of solutions management at Enterasys, and co-author of the Trusted Network Connect (TNC) Clientless Endpoint Support Profile.
But with BYO endpoints like iPads, Townsend is seeing growth in guest-plus access. In a nutshell, any device carried by a known user may be subjected to cursory assessment then granted better-than-Web access, followed by monitoring. "For cloud-based apps, you don't want to resort to screen-scraping to [detect] malware. This is giving rise to post-connect, continuous assessment, layer 7 flow analysis, and reputation-based rules," says Townsend.
BIGGER BANG FOR THE BUCK In fact, every organization we interviewed had gone beyond malware to reap benefit from endpoint assessment. For example, Miami Children's Hospital, a pediatric specialty facility, started endpoint integrity enforcement in 2004 to meet regulatory requirements.
"Our primary goal was to make sure we had proper controls over devices on our network," says IT Security Officer Alex Naveira. "We began with a rudimentary process, trying to leverage an old [port manager] that put machines on different networks, based on MAC. But that didn't give us the level of control we needed and wasn't very efficient."
When the hospital installed ForeScout CounterACT to enable out-of-band NAC, audit-mode reports were enlightening. "We expected about 3,000 devices, but discovered over 5,600," says Naveira. "That alone was a huge benefit. Plus, now we had the ability to quickly segregate those devices to better control traffic flows."
Today, the hospital maps endpoints onto VLANs by divvying them into three camps: guests (e.g., patients, families), personal (e.g., physicians, vendors), and hospital-owned (e.g., phones, clinical devices). Every endpoint discovered by CounterACT falls into an "other" bucket with Internet access. "A security engineer monitors that bucket to see whether any should be authorized and placed on a segregated VLAN," says Naveira.
All hospital-owned endpoints then receive on-going scans. "We have structured requirements: is anti-virus installed and up-to-date, is the C: drive write-protected, are [critical] patches installed?" explains Naveira. Even checks applied in audit mode have proven valuable beyond expectations.
"In one case, we used a standard template to deploy multiple virtual servers. When we looked at reports, all were landing in non-compliant. Admins had forgotten to install anti-virus before creating the template. That let us catch a big mistake quickly. CounterACT gives us eyes into our environment to make sure that other [measures] are being used effectively. This helps us close the gap on threats -- be they caused by errors or viruses."
According to Forescout director of marketing Jack Marsal, Miami's experience is common. "The benefit of finding and fixing gaps is underestimated. About 20 percent of customers find [some endpoint measure] not working properly -- as many as 50 percent of managed machines are not doing what is expected," says Marsal.
Pamela Chang, product manager for Symantec Network Access Control, sees enforcement as a complement to endpoint security. "Many customers used to just determine if laptops were corporate-issued," says Chang. "Now they look for whether [endpoint] software is actually running and current. With 20,000 to 35,000 new threats per day, a host that hasn't connected recently could be out-dated." Enforcement is becoming popular to deal with this more efficiently, she says, by warning users and delivering access for safe self-remediation.
FITTING INTO THE BIG PICTURE
Decisions can be enforced many ways. Security vendors like Symantec and Sophos emphasize host-resident agent enforcement. Network vendors like Cisco Systems, Juniper Networks, and Enterasys Networks prefer to leverage switch/access point/firewall capabilities. Drop-in appliances are sold by both camps and NAC specialists like ForeScout Technologies and Bradford Networks. Although users we interviewed had varied opinions about platforms, all stressed the importance of considering fit from the start. Essentially, organizations should pick a product that fits with their network, security platforms and processes instead of trying to work a deployment around whatever interfaces and workflows a product supports.
Pat Patterson, information security architect at Raymond James Financial, recommends a review of existing architecture and processes. "Look at how you're patching, how you're doing antivirus, and how those fit into any solution," he says. "We started with 802.1X but found that we couldn't [afford to] get that tightly coupled. We decided to integrate with DHCP because [combining] Sophos NAC with IP Source Guard made enforcement a lot easier."
Today, Raymond James uses the Sophos NAC agent to assess LAN access by financial advisors and office staff. Remote users are assessed by Juniper's SSL VPN Host Checker. Together, these platforms govern access by 17,000 endpoints.
"The first thing we validate is domain membership," says Patterson. "The next thing to look at was whether antivirus was up to date, but rather than break a lot of connections right away, we moved forward an inch at a time. Stock traders have a tendency to get cranky if you don't let them onto the network during the trading day."
And so that policy was deployed in audit mode, floor by floor, building by building. "The most tedious part was identifying devices that couldn't play with our agent, like printers and Macs. We just had to go through switch tables to add exclusions, but it was labor-intensive," says Patterson.
"We already had systems to monitor security across our domain (like LANdesk patching), so we just make sure those agents were running on our expected domain population," he adds. Disk encryption is also checked to meet PCI Data Security Standard requirements.
Non-domain endpoints (including smartphones and iPads) get IPs on a guest VLAN, where SSL VPN can still be used for portal access. But Raymond James opted against auto-remediation. "When you boot your machine, if the NAC icon says you've been quarantined, call our helpdesk," says Patterson. Support then reinstalls certificates and agents to return broken domain machines to good health.
According to Scott Patterson, product specialist at Sophos, many Sophos NAC customers use NAC to prove lost laptop encryption. By finding a solution that leveraged what it already had (Sophos, Juniper, DHCP), Raymond James quickly checked off several compliance boxes, saving time so energy can be focused elsewhere, says Pat Patterson.
CONTROLLING A DIVERSE ENVIRONMENT
Educational institutions were among the first to invest in endpoint assessment, because they cannot dictate endpoints. But diversity is no excuse; malware fires must still be extinguished. This challenge faced Bryant University when it first installed Bradford's Network Sentry back in 2004.
"We were coming off a home-grown system. At the time, [worms] like Blaster had decimated our network, so assessment was crucial," explains IT network analyst Jon Domen. Bryant started with registration-time scans then moved to an agent for ongoing scans in 2007.
Later, as part of a green technology initiative, Bryant compressed most IT assets (including Bradford) into 80 virtual machines on five blade servers. Domen expects this to cut costs without impacting endpoint enforcement. "Our experience to date supports this assumption," he says.
All network entrance points are scrutinized, including 45 dorms, admin buildings, and classrooms. "We see everything from laptops, desktops, and PlayStations to eReaders and Netflix-compatible TVs. There was a time when each student had one computer, but most now have at least two. One kid came in with his own laptop, Mac, iPhone, Droid, Nokia, Palm, BlackBerry Torch, and Wii," says Domen. "As long as they adhere to our policies, we allow anything."
Bryant manages university-owned assets, but faculty can bring their own endpoints as well. "We use Bradford's Device Profiler to discover our infrastructure, and we have a program to supply students with laptops. But every device belonging to someone else must be registered; we want tracking back to users after incidents," says Domen.
For endpoints on the student network, Bryant requires nothing more than antivirus. "In 2007, we had outbreaks that left users scared. People were ready to accept persistent agents if that would prevent [downtime] again." Nonetheless, Bryant had to tackle Big Brother concerns; he found that communicating what scans looked for plays a critical role in user acceptance.
"We learned that we had to be flexible. So long as you have some antivirus -- even free anti-virus ----we're happy," says Domen. "But it helps that we can do custom scans [to tighten controls during outbreaks]. That reactive piece lets us be more flexible on the proactive side. And, because users don't even know when they're getting scanned, I can step up frequency when something is going on."
Non-traditional devices like Wiis bypass antivirus checks, but don't pose the same threat. According to Bradford marketing manager Sheedy, Bradford's Device Profiler can associate new connections with historical data and use techniques like DHCP fingerprinting and port scans to auto-classify devices and deter MAC spoofing.
Bryant continues to find new uses for endpoint assessment. "After Virginia Tech, universities started to evaluate how they'd react. [Our agent] gives us a way to reach out to every machine on our network with just a few clicks," says Domen. "We've also been able to use audit mode to update machines running old Java. It's becoming the Swiss Army knife of our network."
Like Bryant, University of North Carolina at Chapel Hill extended its NAC solution to mine endpoint data for other uses, including applications that let users, admins, and security officers do their jobs without having to send requests to the network group. "Our implementation of NAC is paramount to how we conduct business and manage the network on a daily basis," says network director Jim Gogan.
But UNC takes a very different approach to enforcement. A combination of agent-less and agent-based techniques are used to assess more than 10,000 endpoints -- a number that is expected to grow to to 25,000 this summer. "We connect everything from massively-parallel computing systems to vending machines," says Gogan. "We see about 65,000 unique connections per day, including our residents, medical school, and dental school -- the groups now in our assessment pilot."
"Our residential network is almost 100 percent user owned," says senior network engineer Ryan Turner. "In our dental school, the vast majority are state-owned, so compliance policies are very different. Our medical school is a mix, and across all areas we have unmanaged devices like printers, door controllers, and steam meters. If an authorized machine has an unsupported OS, it bypasses our endpoint integrity solution. We have tried to cover 95 percent of the machines out there."
However, UNC's Enterasys platform accomplishes "bypass" in a novel way. "Our quarantine policy doesn't flip machines into VLANs or apply ACLs. Edge user ports rewrite the Diff Serve control point in port 80 traffic -- and only port 80 traffic -- so that it gets forwarded to our assessment server," says Turner.
"Door controllers and such don't browse the Web, so their communication is largely unaffected. It may seem unusual to allow all but Web traffic, but it works. We didn't need to shut off email or IM or anything else. Just preventing non-compliant machines from browsing the Web was enough of a carrot," he says.
But UNC also is concerned about peer-to-peer apps like BitTorrent and Limewire, as well as compliance mandates like HIPAA. "In the dental school, all machines were state-owned and enrolled in Active Directory, so a week before we turned on assessment, we used Group Policy Objects to push an agent to every machine," says Turner. This let UNC enforce school-specified policies like P2P bans and personal firewalls.
"When we expanded into the resnet [residential network], we had to change a lot. Not only were these machines not owned by us, but there's no paid support in dorms. We had to tread carefully to avoid isolating too many machines, and we had to use a captive portal to get our agent installed," says Turner.
UNC also needed a new result: a pop-up giving specific remediation instructions without blocking. "Our compliance rate was [significant] from that warning alone, without having to create a lot of angry customers or support tickets," says Turner. "Anything we can do to help users remediate themselves but let us verify they've done so turns out to be a win-win." UNC expects to use this same approach to promote compliance with Recording Industry Association of America intellectual property protections on the residential network.
A VIEW INTO THE FUTURE
All of these organizations used some flavor of NAC to meet immediate needs, but none were stereotypical network NAC deployments. For example, many had interest in 802.1X, but none based their solution on this one method. All focused on endpoint needs, policies, and practices, matched to each user constituency they supported. This focus, combined with seeking out ways to make scans even more valuable, served these adopters well.
But the march towards network and system-integrated NAC continues. Analysts expect the NAC market to shrink as scanning and enforcement become widely available in endpoints and network elements. This means that the most pragmatic approaches for yesterday's deployments may not still be the easiest tomorrow.
For example, Juniper is making strides towards consolidation, using JunOS Pulse to implement access-network-independent policies, and not just for laptops, but for iPhones and Androids that roam between VPN and LAN. The Trusted Network Connect Working Group's IF-MAP is making it easier for any assessment engine to factor in real-time observations by third-party systems (e.g., IPS, DLP). Meanwhile, Cisco plans to use its TrustSec Security Group Access to bind endpoints to roles and resources, abstracted into tags that network elements can dynamically enforce without VLAN or ACL configuration.
Bottom line: Platform selection will continue to be important, but don't start there. Like these successful organizations, start from the top and think outside the box --literally.
Lisa Phifer is president of Core Competence, a consulting firm focused on business use of emerging network and security technologies. Send comments on this article to firstname.lastname@example.org.