
Hark! Who goes there? -- Network device compliance

A look at new developments in end-node security.

Traditional network security has long been about protecting the network perimeter via the "crunchy on the outside, chewy on the inside" method. But that method does nothing to stop viruses and worms from originating inside the network. Examine a corporate campus and count the consultants, service providers and temporary workers accessing the network. How can their access be controlled, ensuring they don't introduce viruses and worms to the network?

Today, many corporate networks are more open than all-night convenience stores. With that openness comes lost productivity, industrial espionage, insider abuse and much more. Even with layers of firewalls and IDSes, viruses and worms are still the curse of today's IT environments. Even for the organization that has an antivirus appliance at its gateway, end-node security is crucial since so many devices (PDAs, laptops, etc.) now bypass that first level of gateway protection. A network card and a DHCP lease are all that is needed to access many networks. This is atrocious given the risks that arise from a lack of effective end-node security.

Effective end-node security is all about verifying the security compliance of any device that connects to the network. Seeing the importance of end-node security, many vendors are getting into the game. While the company hasn't announced anything directly, Microsoft is working on a trust model for analyzing and quarantining end points. Two announcements, by Symantec Corp. and StillSecure, were made early this week. Symantec announced the release of Symantec Client Security 2.0, which includes VPN Compliancy Check, and StillSecure announced its agentless end-node security solution, StillSecure Safe Access. Other vendor offerings include Infoexpress's CyberGatekeeper and Sygate's Adaptive Protection, but they don't have the level of infrastructure to leverage that Cisco's Network Admission Control (NAC) has.

NAC isn't a product per se but Cisco's collaborative effort to ensure network devices can't enter a network until they are compliant with the level of enforcement required. Non-compliant devices can be isolated and denied network access until they are appropriately patched. This host isolation is the greatest benefit of NAC. Typhoid Mary showed what one infected person can do to facilitate the spread of disease -- so too with a single infected host. Until it is isolated, there is little that can be done to stop its lingering effect on the rest of the network.

NAC's goal is simple: Ensure hosts can't harm the network. It's the equivalent of showing one's credentials before admission and having a level of enforcement after admittance. An example of NAC credentials would be the most recent antivirus definitions and operating system patches.

Cisco defined NAC's architecture and the specifications for NAC technology to be integrated into third-party products. Any developer who wants to integrate NAC into their solution licenses the NAC SDK. It is Cisco's hope that NAC will ultimately be ubiquitous at the desktop in the form of the Cisco Trust Agent (CTA) software. CTA will be the interface between the desktop and NAC, and will be freely available to end users, much like the Adobe Acrobat reader.

The function of any desktop agent is to collect security state information from the desktop device and to report that information to the connected network where access control decisions are made and enforced. If the host is compliant, access is granted. If not, the device is placed in a quarantined area where the required patches are downloaded.

If an agent isn't loaded, default access policies are enforced according to the level of security desired. The beauty of such an architecture is that there is compulsory enforcement. Hosts that aren't compliant are denied network access.
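As an added illustration (not part of the original column and not Cisco's or any vendor's code), the admission logic just described in Python: an agent's posture report is checked against a policy naming the oldest acceptable antivirus definition date and the required patches; compliant hosts are allowed, non-compliant hosts are quarantined with a remediation list, and a host with no agent falls back to the default access policy. The report fields, policy values, patch names and host names are constructed assumptions.

```python
"""Admission decision for a NAC-style posture check (illustrative example)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class Policy:
    min_av_definitions: date               # oldest acceptable AV definition date
    required_patches: frozenset[str]       # patches every host must carry
    agentless_default: str = "QUARANTINE"  # default access decision when no agent reports

@dataclass
class Decision:
    action: str                            # "ALLOW" or "QUARANTINE"
    remediation: list[str] = field(default_factory=list)

def evaluate(report: Optional[dict], policy: Policy) -> Decision:
    """Return the access-control decision for one connecting host."""
    if report is None:
        # No agent on the host: enforce the default access policy.
        return Decision(policy.agentless_default, ["install posture agent"])
    remediation = []
    av_date = report.get("av_definitions")
    if av_date is None or av_date < policy.min_av_definitions:
        remediation.append("update antivirus definitions")
    missing = sorted(policy.required_patches - set(report.get("patches", ())))
    remediation += [f"install patch {p}" for p in missing]
    if remediation:
        # Non-compliant: isolate the host until the listed items are fixed.
        return Decision("QUARANTINE", remediation)
    return Decision("ALLOW")

# Constructed policy: definitions no older than 2004-04-01, two hypothetical patches.
POLICY = Policy(date(2004, 4, 1), frozenset({"KB-EXAMPLE-1", "KB-EXAMPLE-2"}))

# Constructed posture reports from three connecting hosts (None = no agent loaded).
REPORTS = {
    "laptop-compliant": {"av_definitions": date(2004, 4, 5), "patches": ["KB-EXAMPLE-1", "KB-EXAMPLE-2"]},
    "laptop-stale":     {"av_definitions": date(2004, 3, 1), "patches": ["KB-EXAMPLE-1"]},
    "pda-no-agent":     None,
}

def admission_table(reports=REPORTS, policy=POLICY) -> dict[str, Decision]:
    """Evaluate every reporting host against the policy."""
    return {host: evaluate(r, policy) for host, r in reports.items()}

if __name__ == "__main__":
    for host, d in admission_table().items():
        print(f"{host}: {d.action} {d.remediation}")
```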

End-node security fulfills the credo of "trust but verify." With laptops, cell phones and wireless PDAs easily connecting to the corporate network, the security risks that come with this ease of use can be utterly dreadful. It will be a while before the various end-node security initiatives are complete and fully deployed. But as a start, it shows that the best information security defense is a strong offense.

About the author
Ben Rothke, CISSP, is a New York-based security consultant with ThruPoint, Inc. McGraw-Hill recently published his book Computer Security: 20 Things Every Employee Should Know. He can be reached at

More information on NAC:
  • The article Cisco, antivirus vendors push access privilege to routers details Cisco's Network Admission Control.

This was last published in April 2004.
