While you’re on a business trip, you use the hotel or conference room wireless network to check news and request an upgrade. A hacker exploits a new and unpatched operating system vulnerability to install a rootkit (a virtually undetectable infection).
You do a web search and end up on a web site that is malicious or has been invisibly hacked. The site uses a browser vulnerability to install a keystroke logger, capturing all your activities including passwords.
A co-worker tells you about a great new stock ticker, weather alert, or other cool doodad. Download it and try it out. Why not? It’s free! But it comes with a pack of spyware.
Something isn’t working right. You ask Larry, the computer “expert” in the next office. He suggests that you turn off your firewall. That did it. Thanks, Larry! Of course, now you’re totally exposed to attacks.
Multiply these scenarios by hundreds or thousands of users and you have an idea of the risks malware poses for corporate networks today.
Bringing Infections Back to the Office
Employees can access corporate networks and applications from any place at any time through a variety of devices and access methods. The network perimeter now includes endpoints at locations around the world, from branch offices to hotel rooms.
Hackers and attackers no longer need to penetrate a corporate network’s tough perimeter defenses to spread infections. All they need is to find one poorly protected endpoint roaming outside the corporate firewall. Attackers can then use this machine as a software version of “Patient Zero” – an ignition point for the spread of viruses, worms, spyware, Trojan horses, and other infectious agents into a corporate network. Infected through insecure hotspots, Internet downloads, or other means, the user carries his infection back to his corporate network when he reconnects, typically through a secure, trusted connection. This infection then rapidly spreads to other vulnerable systems within the corporate network, causing a cascade of infections.
The security of a system on a corporate network is ultimately up to the user. Even the best user occasionally skips past corporate security procedures, fails to maintain his system, or otherwise breaks corporate security policies. These users may be their corporation’s next “Typhoid Mary”, unknowing carriers for unseen, incredibly destructive forces that, once they reconnect to their corporate network, could bring it and their corporation down.
Integrity Checks for Every Device
Traditional perimeter defenses provide strong access control security based on user and endpoint identification. However, they are unable to shield a corporate network from infections accidentally spread by authorized users with infected endpoints.
Endpoint integrity solutions provide critical additional protection. Before a system or device (an endpoint) can connect to the corporate network, it must pass an integrity check verifying that it complies with the company’s security policies. This check occurs before the endpoint is allowed to access the corporate network or even receive an IP address.
Endpoint integrity solutions provide two benefits for networks:
1. They identify, quarantine, and heal “sick”, non-secure endpoints
2. They improve the defenses of healthy, compliant endpoints by ensuring that endpoints connected to the network always have up-to-date and properly configured security software
Integrity checks should not be restricted to remote access or other “external” connections. Employees may bring their infected mobile devices into the network and connect them through any wall jack or access point. So all network access points should be protected.
How Endpoint Integrity Works
Endpoint integrity solutions work in a variety of ways but the basics are the same. When a user attempts to connect to a corporate network, the endpoint integrity solution checks the integrity of the user’s endpoint. Some endpoint integrity solutions also monitor endpoints after network connection to detect any change in their security status. The endpoint integrity check typically involves checking the status of the endpoint’s security software (anti-virus, anti-spyware, patch management, personal firewall, and other security products) against the company’s pre-set security policies for those products. Some endpoint integrity checks are more extensive, verifying all the hardware on the endpoint to make sure it’s valid. In any case, if the endpoint is found to be compliant with the corporate security policies the endpoint integrity solution allows the endpoint to access the company’s production network.
However, if the endpoint integrity solution detects a deficiency in the security software on an endpoint, it can immediately quarantine the endpoint, restricting it to a secure “quarantine network” until this deficiency is cured. Some companies skip this quarantine step, simply warning non-compliant users. This avoids employee inconvenience but reduces the security benefits.
A simple corporate security policy might state that all endpoints must have their virus definitions updated at least once a week. If a particular endpoint’s virus definitions haven’t been updated in two weeks, then the endpoint could be quarantined.
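The decision logic described above, as an added illustration that is not code from the article or from any TNC product: a posture report (constructed sample data, not a real TNC message) is checked against a policy such as the one-week definition rule, and the endpoint is allowed, quarantined, or, in warn-only mode, merely warned.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Posture:
    """What the endpoint reports about its security software (constructed sample)."""
    host: str
    av_definitions_date: date      # when virus definitions were last updated
    firewall_enabled: bool
    missing_critical_patches: int

@dataclass
class Policy:
    """Corporate policy for those products; enforce_quarantine=False is warn-only mode."""
    max_definition_age: timedelta = timedelta(days=7)
    require_firewall: bool = True
    max_missing_patches: int = 0
    enforce_quarantine: bool = True

def evaluate(posture: Posture, policy: Policy, today: date):
    """Return (verdict, reasons); verdict is 'allow', 'quarantine' or 'warn'."""
    reasons = []
    age = today - posture.av_definitions_date
    if age > policy.max_definition_age:
        reasons.append(f"virus definitions {age.days} days old "
                       f"(max {policy.max_definition_age.days})")
    if policy.require_firewall and not posture.firewall_enabled:
        reasons.append("personal firewall disabled")
    if posture.missing_critical_patches > policy.max_missing_patches:
        reasons.append(f"{posture.missing_critical_patches} critical patches missing")
    if not reasons:
        return "allow", reasons          # compliant: production network
    if policy.enforce_quarantine:
        return "quarantine", reasons     # restricted to the quarantine network
    return "warn", reasons               # warn-only: access granted, user notified

if __name__ == "__main__":
    today = date(2024, 1, 15)
    # Definitions two weeks old: the article's quarantine example.
    stale = Posture("laptop-07", date(2024, 1, 1), True, 0)
    print(evaluate(stale, Policy(), today))
    # Larry's advice: firewall off, company runs warn-only mode.
    larry = Posture("desktop-12", date(2024, 1, 14), False, 0)
    print(evaluate(larry, Policy(enforce_quarantine=False), today))
```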
Choosing an Endpoint Integrity Solution
Many endpoint integrity solutions are available. Most use proprietary architectures. However, there is one network architecture based on open standards: the Trusted Network Connect (TNC) architecture from the Trusted Computing Group (TCG). TCG is a not-for-profit organization that develops, defines, and promotes open standards for trusted computing and security solutions across multiple platforms, peripherals, and devices. The TCG developed the TNC architecture and specifications to ensure endpoint integrity and protect networks from attacks. These specifications ensure that components from different vendors will operate together seamlessly and securely. They are based on established technologies and standards, ensuring support for existing networks, software, and systems and providing a quick path to endpoint security.
As companies search for an endpoint integrity product, they should keep a few thoughts in mind:
To keep network and business security at the highest level, companies should find an endpoint integrity solution that performs its integrity check before an endpoint has been granted any access to the corporate network, before it has even been assigned an IP address.
Companies should search for an endpoint integrity solution that is simple to operate, requiring little or no human intervention. An endpoint integrity solution that provides a single login for network authentication, authorization, and endpoint integrity simplifies the process for the user, saving them time and saving the corporation costly support calls.
For companies with frequent guests, the ability to direct those guests to a “guest network” (isolated from the production network) is a valuable feature.
To maximize network security while minimizing implementation time and cost, look for a solution that is based on open and secure standards; supports existing installed equipment and software; works with a variety of networking technologies and interfaces; relies on established, scalable products; provides a clear roadmap for the future; and is ready for easy, immediate deployment.
Endpoint Integrity: A Must
An endpoint integrity solution is a necessity for today’s mobile, rapidly evolving corporation. Viruses, worms, spyware, and other malware are growing daily in number and voracity. The corporate network perimeter is continually being pushed and extended to identify many users and their endpoints as organizational insiders. Network administrators and IT departments need a solution that provides integrity checks on all endpoints, no matter who owns them or how they connect to the network. The security of the corporate network, and the integrity and financial future of today’s corporation are at stake.
Steve Hanna, senior engineer for leading network access security solutions provider Funk Software, helped develop the open endpoint integrity industry standard created by the Trusted Computing Group’s Trusted Network Connect (TNC) Subgroup. Mr. Hanna is active in many networking and security standards groups such as IETF and OASIS. He is the author of several IETF RFCs and published papers, and an inventor or co-inventor on 21 issued U.S. patents. Mr. Hanna holds an A.B. in Computer Science from Harvard University.
For more information on endpoint integrity, visit www.Funk.com or www.TrustedComputingGroup.org.