Manage Learn to apply best practices and optimize your operations.

NAC best practices and technologies to meet corporate security policy

New solutions help you secure endpoints

Endpoint devices -- laptops, SOHO desktops, public terminals, etc. -- are your biggest security headache. Traveling...

employees log in without updated AV signatures or the latest OS patches. Home workers may have no AV or firewall protection. And who knows what unauthorized software and spyware are on connecting PCs?

Users jacked into your LAN may not be much better off. Even the most up-to-date patching will lag behind the spread of worms and viruses. According to Gartner, 90 % of cyber-attacks through 2005 will involve known vulnerabilities for which a patch or remedy already exists. Policy notwithstanding, internal employees and contractors disable AV scanners, fiddle with registry settings and run Kazaa and Quake on your network.

IT security staffers are often skeleton crews that can't keep up with basic patching, much less play cop with noncompliant employees and machines. The secure master build installed on each computer before it's released is often rendered obsolete by the latest vulnerability and exploit.

No wonder the number of endpoint security solutions is growing. These products ensure that each device complies with policy before it's allowed on your network.


  • Join us for a live interactive webcast on Thurs., July 29 at noon ET with Christopher King on policy compliance for end-point devices. (Webcast will be available on-demand after July 29.)
  • Learn more about network device compliance in this Security Tool Shed column.
  • Attend Information Security Decisions Oct. 6-8 in Chicago and learn more about the latest developments in network and endpoint security.

Endpoint police

How do you determine whether a particular host should or shouldn't be allowed to access the network? A solution should cover these compliance criteria:

  • Authorized OS version and hardware platform.
  • Required OS patches and registry settings.
  • Functioning AV software with latest signatures.
  • Firewall and VPN client with approved policy.
  • Required company software.
  • Absence of IM, P2P, spyware or other rogue programs.

Most endpoint security solutions attempt to cover these criteria, but in different ways. Most check compliance through direct login to the endpoint client and/or remote scanning. Typically, solutions use either a resident agent or thin client.

Solutions can work for remote and/or LAN-based clients, and most require manual remediation.

Direct Login

What if you could validate virtually all client systems, including public kiosks and SOHO computers? This is the big advantage to the direct login approach.

A gateway device will intercept the endpoint's authentication request and use native cached account credentials to validate compliance, checking for active processes, registry settings, OS revision, patches, etc.

The downside: Because of the credential caching, this type of endpoint security gateway is an important -- and additional -- user information store that must be stringently protected. Also, the gateway must be inline with your authentication servers, which could introduce additional points of failure and must be compatible with your authentication protocol (LDAP, Active Directory, NT Domain, etc.).

One example of this type of gateway is StillSecure's SafeAccess, an agentless solution. The SafeAccess server is a Layer 2 bridge based on Red Hat Linux with Apache for Web-based management. It's installed on a dedicated server that sits between the VPN gateway and firewall. Since it operates at Layer 2, it requires no IP addresses for devices in your DMZ. If a remote device is connecting to the corporate LAN for the first time, SafeAccess assigns a unique identifier so it can recognize it in subsequent connection attempts.

If a remote host isn't a member of the corporate domain, the user is directed to a Web logon page, allowing the Safe-Access server to log in to the computer (through Windows support only) and perform the checks. The login sequence is achieved via the Windows RPC service from within the VPN tunnel (all IPSec VPN vendors are supported) between the remote host and the corporate VPN gateway. SafeAccess checks for missing patches, software updates, up-to-date AV signatures, policy settings and required or prohibited programs.

Noncompliant devices are quarantined using ACLs defined on the SafeAccess server.

Remote Scanning/Agent Queries

Many solutions use vulnerability scanning technology to check the remote client or query client-side agents (or a combination of both) to determine if required security programs (firewall, AV, VPN with split tunneling disabled, etc.) are running.

These products eliminate the need to cache user names and passwords on the gateway device. However, client-side software of some kind is required -- a preinstalled agent, ActiveX thin client or browser plug-in.

Check Point Software Technologies' Zone Labs Integrity Clientless Security integrates with popular SSL VPNs. Its ActiveX thin client uses a combination of signatures and heuristics to detect, quarantine and block systems containing spyware, keystroke loggers, viruses, Trojans, worms, third-party cookies and hacker tools. Clients can be routed to a customizable URL for remediation.

Citadel Security Software's ConnectGuard uses a host-based agent to draw policies and remediation instructions from Citadel's Hercules patch and configuration server. The agent monitors all outbound traffic and blocks any connections that violate the corporate security policy. The first version of this product is fairly elementary; it offers no quarantining and only works in conjunction with Hercules.

ENDFORCE's ENDFORCE Enterprise uses a resident agent to check host OS, applications (such as AV, VPN and personal firewall), patches and applicable app or file signatures. ENDFORCE works in conjunction with most AV solutions, VPNs and personal firewalls. If a remote device fails the checks, ENDFORCE provides instructions or automated remediation steps.

InfoExpress' CyberGatekeeper suite offers appliance-based solutions using a resident agent executable or ActiveX thin client.

CyberGatekeeper LAN protects the internal LAN and integrates closely with Cisco switches to quarantine noncompliant hosts. The resident agent executable (Windows and Linux supported) checks running processes, registry settings, OS revision and patches, and enforces OS security compliance. Noncompliant hosts are automatically assigned to a segregated VLAN, allowing limited access until updates and configuration changes are made.

CyberGatekeeper Remote functions much like the LAN product but uses an ActiveX thin client, which is loaded onto the host via the browser.

iomart Group's NetIntelligence relies on a host-based agent, which checks for IM, P2P, malware and pornographic files via digital fingerprinting and provides Web content blocking and copyright theft detection. It can be used to monitor specific apps and removable devices, such as USB flash memory sticks. NetIntelligence provides integrated Kaspersky Labs AV protection, but no integrated VPN support.

Policies are defined by user and group and are pushed down from a central console on a scheduled or ad hoc basis. Policy enforcement is accomplished via client-side access controls applied to the firewall policy. Remediation can be implemented through a central console, which can apply changes individually or by group.

Sygate's Secure Enterprise (SSE) employs a resident agent to enforce policy and verify that Sygate's firewall, IDS and AV (all popular solutions are supported) are current and operational. SSE verifies OS version, patches, registry settings and files requirements. Noncompliant devices can be monitored and automatically remediated through user- generated scripts, or blocked entirely via VLAN manipulation.

Sygate plans to release Sygate On-Demand, which can use an ActiveX or Java thin clients instead of agents, and Magellan, a clientless direct login solution.

Symantec's Client Security checks compliance for LAN-based and remote clients. Its resident agent detects unauthorized activity, attempts to disinfect afflicted devices and prevents access to system or network resources via real-time AV protection, personal firewall and IDS--all controlled via the management console. Built-in location awareness capabilities ensure that the appropriate security policy is applied. For example, the policy for accessing company headquarters may be different than logging in to a branch office.

This solution is best deployed with Symantec VPN Sentry, which assures up-to-date Client Security is running. Noncompliant endpoints can be blocked or granted limited access.

Whole Security's ConfidenceOnline solution is completely transparent and requires no signatures. It uses an ActiveX thin client or Netscape plug-in to check for eavesdropping software and verifies that required processes and applications are running and conform to policy. Config-urable heuristics are also used to identify and disconnect remote clients that display infection symptoms.

Weighing the choices

It's tempting to steer clear of solutions that require client-side software and all the administrative pain that it entails.

On the other hand, clientless solutions require that you either trust the proprietary behavioral traffic analysis or entrust third-party security devices with automated domain administrator login access on your networks. Since domain administrator credentials are stored somewhere in these boxes, you should be concerned with their hardening processes and understand what services are active. For example, are stored domain passwords encrypted or hashed, and what hash or cryptography is used? Is your endpoint security solution utilizing Apache 2.0.37, which has a few known vulnerabilities, or does it have an unused, vulnerable version of H.323, which is susceptible to buffer overflows and DoS attacks?

From a management standpoint, look for solutions that offer global policy controls and granular ACLs based on location, user ID, group and role. Endpoint security solutions should also allow you to quickly tweak policy across client base, such as in response to new threats. Be sure to check under the hood before you buy.

About the author
CURTIS E. DALTON, CISSP, CISM ([email protected]), is the founder of Principal Security Group, an information security consulting firm. He has authored numerous magazine articles and co-authored Security Architecture: Design, Deployment & Operations (Osborne McGraw-Hill, 2001).


This was last published in July 2004

Dig Deeper on Endpoint protection and client security