Datamation: The many myths of endpoint security

You’ve got firewalls, intrusion detection and prevention, virtual private networks, and a perimeter that is as secure as can be. But the problem is that all of this security apparatus can be made moot in a matter of milliseconds with one user bringing their infected laptop into your office and spreading its diseased little package around your network.

That’s the sad state of affairs today. And not to worry – numerous vendors are standing by to take your call and sell you thousands of dollars of endpoint security products that will stop this infected laptop and other problems in their tracks. Or so they say.

The problem is that endpoint security isn’t easy, simple, or cheap. The products have a daunting array of features and fine print, and matching what you need, what inconveniences your users will tolerate, and what your network infrastructure will be able to bear isn’t a slam-dunk. Let’s examine the six biggest myths of this marketplace and tell the truth wherever we can.

Myth #1. Every endpoint can be secured with the same software solution.

Not true. If you have the unfortunate circumstance to have a heterogeneous network composed of many different operating systems, embedded devices with their own IP addresses, and switches from three different vendors, you are in for some trouble. The problem is that the software agents that root out the dirty work are very specific in terms of browser version and operating system. Some require initial administrator rights to be installed on the endpoint, while others are only present during the time an endpoint is logged into the network and disappear or “dissolve” when the session is terminated.

Then you have the situation of embedded devices. How do you protect those? Some endpoint solutions have “white lists” where you can specify that your Web cameras and print servers don’t have to be scanned for them to attach to your network. That is all well and good, until the bad guys figure out a way to compromise these devices and then trouble begins. Some vendors, such as Forescout and Mirage Networks, have ways to monitor these embedded devices as part of their systems, so if you have a lot of them on your network you might want to start with them first.

Before you examine a product, understand the device protection portfolio that is offered by each vendor and also what they have promised for the coming year. Many vendors, such as Symantec and Consentry, are still lacking basic Mac OS support, for example.

Myth #2: It is easy to identify an unhealthy endpoint and block it from coming on your network.

Again, troublesome. Figuring out what ails that endpoint isn’t simple. You need some sort of scanning routine – and done regularly – to determine if its file system, registry keys, anti-virus signatures, OS patch levels, and whatnot are up to spec.

As you might imagine, all this scanning takes a bunch of time during the login process, so setting up enduser expectations is critical before those support calls come in that “I can’t login to the network.”

Some of the products require all kinds of specific information to check, such as particular anti-virus signatures or personal firewalls. Some products scan at different degrees of depth depending on what kind of agent is doing the scanning. It pays to check this out carefully before proceeding further.

Myth #3: It is easy to cure an unhealthy endpoint.

Also false. Any remediation needs to cover all the things that can go wrong, and do it as automatically as possible. Otherwise, your enduser support lines will light up like a Christmas tree the moment you turn on any solution. Some of the products are better at remediation than others. Some, like Cisco’s solution, just send an unhealthy endpoint off to the network equivalent of Siberia without trying to fix the problem.

Myth #4: Your endpoint solution will work seamlessly with your VPN.

It makes some sense and certainly would be nice if that creaky old VPN that you have had around for several years could just interoperate with that nice new shiny endpoint system. But no, this is not to be. For those of you that have enterprise IPsec VPNs, you are in a better place to implement an endpoint security solution, provided that you run those secure IPsec protocols on all of your local machines too. Most of the endpoint products support this approach, however cumbersome and unattractive it sounds at first.

Look no further than AEP Networks for a brilliant example of how strained relations are between VPNs and endpoint security approaches. The company has two different product lines, and the two don’t talk to each other. If you want to wait until later this year, they promise that the integration will happen, so that you don’t need to duplicate security policies between the two systems.

If you aren’t willing to completely re-architect your LAN logins, and don’t yet have a VPN that you want to keep using, some of the vendors offer endpoint solutions that integrate VPNs into their package. Vernier Networks and F5 Networks both have models that include each own SSL VPN, for example.

Myth #5: Microsoft will solve endpoint security with Vista and Longhorn.

Ah yes, Microsoft. They have their own architecture for endpoint security called Network Access Protection (NAP) that will be implemented one day soon, when Vista is deployed across the enterprise and Longhorn Server becomes a real product. When is that time, exactly? Maybe a year from now. In the meantime, you have an enterprise computing department to run and don’t want to wait. Well, Microsoft will have some agents for XP Professional PCs, but not much else. And you will need a bunch of different servers to really implement the all-Microsoft solution anyway, so you might as well start looking at what they are doing by testing out the Network Policy Server in your labs now.

If you have other operating systems, including older versions of Windows, then you are going to have to look elsewhere to finish off the job.

Myth #6: Cisco will solve endpoint security with its approach.

Wrong again. Cisco’s is called Network Admission Control (NAC), and their dirty secret is that you need to bring all of your network devices running IOS up to the most current levels to support this architecture. They are also really lousy at the cure for the common cold – they announced last fall that any remediation measures would be handled by Microsoft.

As you can see, there is still a lot of room for improvement here. Maybe 2007 will bring truly useful endpoint products that can check for a wide array of problems and resolve them automatically. After all, a guy can hope, can’t he?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.