Endpoint security is arguably the hot information security topic in 2006. Small wonder. No matter how diligently you defend your perimeter, roaming laptops are bound to introduce worms, viruses and spyware into your network.
The mobility of commodity laptops equipped with wireless adapters has set your workforces free to work productively at home and on the road, as well as at the office. Consultants and vendors plug in to your networks for an hour or a day. How do you protect yourself against what they may have picked up?
The two behemoths of network infrastructure and OS software, Cisco Systems and Microsoft, each have initiatives to ensure that endpoint devices comply with security policy before they are admitted to the corporate network. Not surprisingly, Cisco’s Network Access Control (NAC) depends on Cisco switching infrastructure, and Microsoft’s Network Access Protection (NAP) works through Windows OSes. In addition to these pervasive yet proprietary approaches, the Trusted Computing Group is developing the standards-based Trusted Network Connect (TNC).
Which, if any, of these do you choose to secure your endpoints and keep your local networks from being hammered by compromised machines that have become roaming malware collectors?
Solution Needed–Now
Faced with a security problem that needs immediate attention, you should be looking for a solution that allows you to define granular policy, detect every device that connects to your network, assess its level of compliance, enforce access policy and remediate noncompliant machines (see “Measuring Up,” p. xx).
This is a tall order for any security system, and getting onboard with endpoint security isn’t going to be simple. The Big Three architectures–NAC, NAP and TNC–are incomplete, costly to implement, and complex to understand.
The three approaches come at endpoint security from different places, so it isn’t surprising that they overlap rather than exclude one another.
- Cisco’s NAC focuses on network infrastructure and on policy definition and management, and, of course, assumes that you will have plenty of Cisco routers, use Cisco’s security solutions and want to keep within the Cisco family as you move towards locking down your endpoints.
- Microsoft’s NAP takes more of a health assessment and remediation approach, assuming that you start with Microsoft servers and desktops, and that keeping them running and secure is your primary focus.
- Trusted Computing Group’s TNC takes the broad-brush architectural approach, but first assumes that every desktop will contain a specialized piece of hardware that verifies the endpoint hasn’t been compromised, and then builds on that hardware to monitor and enforce endpoint policies.
Let’s look at these efforts and see what they claim to cover and where they come up short.
CISCO’S NAC
NAC is ahead of the game because of the confluence of both architecture and products that support it. NAC is designed to secure network access through trusted modules that are implemented in its router and switch code, as well as for both Windows and Linux clients. There are lots of vendors supporting NAC, and with good reason: You’ll need several of them to put together a complete solution that can handle all five of the endpoint security requirements. You’ll probably need to run at least two agents on your endpoints to handle more complex policies, and for SSL VPN compliance checking, for example.
NAC employs client software, Cisco Trusted Agent (CTA), which gathers device information and uses 802.1X mechanisms to pass the information to Cisco’s RADIUS server, Secure Access Control Server (ACS). ACS communicates with third-party policy servers (AV, patch, etc.) to determine compliance and enforces network access via the switching infrastructure.
Some analysts feel that NAC takes too many pieces to deploy, and that it may be difficult to implement: you must manage all the IOS updates needed to get the pieces working together, and keep them working as infrastructure changes are made.
The problem with NAC is that it is its own island of security, with Cisco’s RADIUS servers as its sole authentication mechanism and Cisco switches, running up-to-date firmware, as its enforcement points.
Moreover, NAC doesn’t necessarily work with Cisco legacy infrastructure, unless it can be brought up to current firmware levels.
“Part of the NAC problem is that you have to upgrade your IOS versions,” says Lloyd Hession, the VP and CSO for BT Radianz, a major IT supplier to the financial services sector. “I have 40,000 routers across my network, and that isn’t an easy proposition.” Instead, Hession chose Consentry so he could eliminate MAC-layer filtering and access controls across his network. Consentry sells an inline security appliance that assesses and enforces endpoint security policy compliance.
However, its architecture is short on remediation–it falls short on managing the patch levels of the endpoints themselves. Moreover, there’s not much flexibility in what happens after a device is assessed: It either passes and is allowed on the network, or it doesn’t and it gets routed off to some VLAN with limited access.
“Getting a client out of quarantine is really the trick, and that is what we do,” says Rich Lacey, the Altiris product manager who handles their NAC-compliant products, which provide a remediation solution through desktop management and replication.
Cisco has the support of McAfee, Trend Micro and Symantec antivirus products along with a smattering of other hardware and software vendors. (For a complete list, see http://www.cisco.com/go/nac.)
Hession didn’t find installing agents on all his endpoints to be particularly appealing. “The problem with agents is that you end up having to install multiple ones to support all the things you want to do, such as antivirus and access controls. Cisco’s NAC forced me to go in one direction with their agent that I didn’t want to go towards.”
“We currently support agents,” says Russell Rice, director of product management for Cisco’s Security Technology Group. “We will also do agentless solutions and do active scans and assessments of other non-Windows devices.”
NAC is widening its support beyond agents, and vendors such as Qualys with their QualysGuard for NAC are providing services that support agentless monitoring of network devices such as printers and other embedded devices that can’t employ agents.
Microsoft NAP
NAP has yet to be implemented in any product, although the effort has a long list of more than 60 supporters, many of whom are also hedging their bets and are supporters of NAC as well (see www.microsoft.com/technet/itsolutions/network/nap/napoverview.mspx).
NAP brings a security policy management and enforcement perspective into Windows Server that has been somewhat lacking since the early days of Active Directory.
“NAP will provide the ability to enforce policies through a variety of mechanisms, using IPSec for host authentication, 802.1X, or through a VPN or DHCP,” says Mike Schutz, the group product manager at Microsoft’s Windows Server Division, who is leading the charge for NAP.
Like NAC, NAP employs client software, the Quarantine Agent (QA), which passes information to Microsoft’s Network Policy Server, which, like Cisco’s ACS, checks with third-party servers for policy compliance. NAP promises a variety of enforcement options, including DHCP, IPSec VPN and 802.1X.
Significantly, NAP will initially support only Longhorn Server and Vista, both still in beta, as well as XP SP2, which will require a NAP update on each device. This will present problems for shops using older versions, and require commitments to the new OSes along with testing and managing XP upgrades. Further, the authentication and enforcement servers, i.e., DHCP and RADIUS, will require Longhorn, forcing further upgrades and making NAP even more proprietary.
Of course, once there is shipping product we’ll see how pluralist NAP really is, but at least now Microsoft is talking as open a talk as they can.
“We don’t think of NAC and NAP as being an either/or situation,” says Schutz. “We announced that we would be working together on interoperable solutions, so customers can choose what will best meet their needs.” However, neither Microsoft nor Cisco is currently working with the TNC solution, and neither has immediate plans to do so.
The Fulton County, Ga., government is already wading into NAP, with early versions of Microsoft servers and Vista desktops and laptops.
“Everything is still in beta,” says Keith Dickie of the county’s IT department, who is managing the NAP rollout. “But several of our IT staff are using it on their production machines without any problems, including incorporating Symantec’s Norton Anti-Virus with Microsoft’s SMS and Windows servers.”
The county is using IPSec authentication, and its NAP deployment checks a series of health requirements, including making sure that the version of the Norton AV client is current, before giving remote users an IP address on the network.
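The agent-to-policy-server flow that both NAC (Cisco Trusted Agent reporting to ACS) and NAP (Quarantine Agent reporting to the Network Policy Server) describe above, reduced to a runnable sketch: the agent reports statements of health, the policy server compares them with policy, and the endpoint is either admitted or parked on a limited VLAN until a remediation step clears the failures. This is an added example and not Cisco’s or Microsoft’s code; the policy fields, VLAN names, the KB-PLACEHOLDER patch ids and the two sample reports are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed policy (not a real NAC/NAP policy format): the minimum an
# endpoint must report before it is admitted to the production VLAN.
POLICY = {
    "av_engine_min": (10, 1),            # minimum (major, minor) AV engine
    "av_signature_max_age_days": 3,      # tolerated signature staleness
    "required_patches": {"KB-PLACEHOLDER-1", "KB-PLACEHOLDER-2"},  # placeholders
    "firewall_required": True,
}

PRODUCTION_VLAN = "vlan-100-production"    # constructed names
REMEDIATION_VLAN = "vlan-900-remediation"


@dataclass
class HealthReport:
    """What the endpoint agent reports (the CTA / Quarantine Agent role)."""
    host: str
    av_engine: Tuple[int, int]
    av_signature_age_days: int
    installed_patches: Set[str]
    firewall_enabled: bool


@dataclass
class Decision:
    host: str
    admitted: bool
    vlan: str
    failures: List[str] = field(default_factory=list)
    remediation: List[str] = field(default_factory=list)


def assess(report: HealthReport, policy: dict = POLICY) -> Decision:
    """Policy-server role: compare the report with policy and pick a VLAN.
    Every failed check is recorded, so the remediation side knows what to fix."""
    failures, remediation = [], []
    if report.av_engine < policy["av_engine_min"]:
        failures.append(f"av engine {report.av_engine} below {policy['av_engine_min']}")
        remediation.append("upgrade antivirus engine")
    if report.av_signature_age_days > policy["av_signature_max_age_days"]:
        failures.append(f"av signatures {report.av_signature_age_days} days old")
        remediation.append("pull latest antivirus signatures")
    missing = sorted(policy["required_patches"] - report.installed_patches)
    if missing:
        failures.append("missing patches: " + ", ".join(missing))
        remediation.extend(f"install {kb}" for kb in missing)
    if policy["firewall_required"] and not report.firewall_enabled:
        failures.append("host firewall disabled")
        remediation.append("enable host firewall")
    if failures:
        return Decision(report.host, False, REMEDIATION_VLAN, failures, remediation)
    return Decision(report.host, True, PRODUCTION_VLAN)


def remediate(report: HealthReport, policy: dict = POLICY) -> HealthReport:
    """Simulated desktop-management step that fixes what assess() flagged.
    A real remediation server would push these changes to the host over the
    limited remediation VLAN; here we only produce the corrected report."""
    return HealthReport(
        host=report.host,
        av_engine=max(report.av_engine, policy["av_engine_min"]),
        av_signature_age_days=0,
        installed_patches=report.installed_patches | policy["required_patches"],
        firewall_enabled=report.firewall_enabled or policy["firewall_required"],
    )


def admission_cycle(report: HealthReport, policy: dict = POLICY,
                    max_rounds: int = 2) -> List[Decision]:
    """Assess, remediate if needed, re-assess; returns every decision taken."""
    history = []
    for _ in range(max_rounds):
        decision = assess(report, policy)
        history.append(decision)
        if decision.admitted:
            break
        report = remediate(report, policy)
    return history


# Constructed sample reports: a compliant desktop and a stale roaming laptop.
SAMPLE_REPORTS = [
    HealthReport("desk-01", (10, 2), 1, {"KB-PLACEHOLDER-1", "KB-PLACEHOLDER-2"}, True),
    HealthReport("laptop-07", (9, 5), 12, {"KB-PLACEHOLDER-1"}, False),
]

if __name__ == "__main__":
    for sample in SAMPLE_REPORTS:
        for decision in admission_cycle(sample):
            print(decision)
```

The point the sketch makes is the one the article keeps returning to: the assessment is the easy half. Without a `remediate` step that actually changes the endpoint, the laptop stays on the remediation VLAN indefinitely, which is exactly the quarantine gap the Altiris comment below describes.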
Trusted Computing Group TNC
TNC is composed of dozens of industry heavies (one wag calls them “everyone but Cisco”) supporting a bunch of open standards. The good news is that the standards more or less map to the five requirements for network access control security mentioned earlier–policy creation, detection, assessment, enforcement and remediation. The bad news is that not all of the standards have been defined, and woefully few products support much of the alphabet soup that is required to actually implement a solution.
The key ingredients with TNC (www.trustedcomputinggroup.org/groups/network/) are support for RADIUS and 802.1X authentication servers and protocols, along with a trusted hardware chip and software in the endpoints.
“This isn’t a forklift upgrade,” says Steve Hanna, the cochair of TNC and a product manager at Juniper Networks. This differs notably from Cisco’s approach, which uses the Cisco ACS authentication servers.
A PKI chip, called the Trusted Platform Module (TPM), extends authentication features that help to secure the laptop against unauthorized users–such as thieves or someone who simply finds a lost laptop–in a hardware implementation that resists the compromises software is prone to.
“You just can’t trust software these days, because a PC could have been compromised by a zero day vulnerability or by something a user downloaded via the Internet. The only way to detect this is through trusted hardware,” says Hanna. A number of laptop vendors, including Dell, Fujitsu, HP and Lenovo, already include trusted hardware modules in their product lines.
Once authentication checks are satisfied, the trusted hardware routine passes control to a third-party software agent, which checks the device for policy compliance, working with the TNC architecture that handles network authentication and login access. As an open standard, TNC could potentially employ any enforcement mechanism.
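How trusted hardware lets a verifier tell that an endpoint’s boot components are unchanged, which is the property the TNC description above relies on before the software agent takes over. This is an added example, not TCG, Juniper or any vendor’s code: it simulates in software the SHA-1 PCR extend operation of the TPM 1.2 generation shipping in these laptops, plus the verifier-side replay of the event log; the component names, their contents and the known-good value are constructed.

```python
import hashlib
from typing import List, Tuple

PCR_SIZE = 20  # SHA-1 digest length; TPM 1.2 registers start at all zeros


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: PCR_new = SHA1(PCR_old || SHA1(measurement)).
    The chaining means the final value depends on every component and on
    the order in which they were measured."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()


def measure_boot(components: List[Tuple[str, bytes]]) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Simulate a measured boot: hash each component into the PCR in order.
    Returns the final PCR and an event log of (name, digest hex) entries."""
    pcr = bytes(PCR_SIZE)
    log = []
    for name, content in components:
        log.append((name, hashlib.sha1(content).hexdigest()))
        pcr = extend(pcr, content)
    return pcr, log


def replay_log(log: List[Tuple[str, str]]) -> bytes:
    """Verifier side: recompute the PCR from the event log digests alone."""
    pcr = bytes(PCR_SIZE)
    for _, digest_hex in log:
        pcr = hashlib.sha1(pcr + bytes.fromhex(digest_hex)).digest()
    return pcr


def verify(pcr_quote: bytes, log: List[Tuple[str, str]], golden: bytes) -> Tuple[bool, str]:
    """Two checks a network-side verifier makes before trusting the agent:
    the log must reproduce the quoted PCR, and the PCR must match the
    known-good value recorded for this platform build."""
    if replay_log(log) != pcr_quote:
        return False, "event log does not reproduce quoted PCR (log altered or truncated)"
    if pcr_quote != golden:
        return False, "PCR differs from known-good value (a measured component changed)"
    return True, "endpoint matches known-good measurement"


# Constructed components standing in for a boot loader, kernel and the
# compliance agent; the golden value is derived from them, not a real one.
KNOWN_GOOD = [
    ("bootloader", b"bootloader v1"),
    ("kernel", b"kernel 2.6"),
    ("agent", b"compliance agent 1.0"),
]
GOLDEN_PCR, _ = measure_boot(KNOWN_GOOD)

if __name__ == "__main__":
    pcr, log = measure_boot(KNOWN_GOOD)
    print("clean boot:", verify(pcr, log, GOLDEN_PCR))
    modified = KNOWN_GOOD[:2] + [("agent", b"compliance agent 1.0 (modified)")]
    print("changed agent:", verify(*measure_boot(modified), GOLDEN_PCR))
    print("truncated log:", verify(pcr, log[:-1], GOLDEN_PCR))
```

The second and third checks in `__main__` are the two failure modes a deployment has to handle: a component that no longer matches the known-good build, and an event log that does not account for the quoted register. Either one means the software agent’s later compliance report cannot be taken at face value, which is the argument Hanna makes above.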
Not surprisingly, TNC-compatible products are already available from Cisco competitor Juniper, which acquired Funk software, makers of RADIUS server products.
SSL VPN Weak Spot
Missing from all three solutions right now is any SSL VPN support: “Nobody has any product yet available in the [SSL] VPN space, and we can’t support it yet. But we expect to see that coming quite soon,” says TNC’s Hanna.
SSL VPNs have a way to go. Few support more than a couple of antivirus scanners, go beyond Windows/IE combinations, or can scan a connection before any network login. Part of the problem is that most of the VPN vendors added support for endpoint security after they finished their first versions, and it shows. Nortel and Aventail, for example, each have two different sets of access controls in their VPN products–one that supports endpoint security, and one that doesn’t. Many SSL VPN vendors are partnering with third-party endpoint security vendors, a growing market that offers alternatives to NAC, NAP and TNC.
Can’t Wait?
While the marketing wars among Cisco, Microsoft and Trusted Computing Group heat up, enterprises are looking for solutions that work now, and, perhaps, support NAC, NAP and TNC as a path to the future.
Several vendors are shipping products that address at least some of the requirements for securing network access.
These products offer a wide range of checking and enforcement options to control both managed and unmanaged devices and give customers a lot of flexibility. Many offer login-, agent- and ActiveX or Java-based scanning to determine endpoint compliance, which you can mix and match according to your needs. And instead of a single enforcement mechanism, these products increasingly offer the choice of DHCP, 802.1X, agent-based, inline appliance and NAC, so your enterprise does have choices to match your environment. (For a representative list of products see “Choices, Choices and More Choices,” p. xx).
Cisco, in fact, has a second approach that is not completely aligned with its own NAC architecture, called Clean Client Access, the result of its acquisition of Perfigo. It provides agent-based endpoint assessment, policy management and remediation services.
No Easy Answer
The truth is that no single vendor has a complete solution that will lock down all of your endpoints and keep your resources safe. You’ll need to find a product that will handle different security policies, to protect critical network assets as well as those roaming laptops. And unless you have a completely homogeneous network composed of Windows XP users running IE browsers, you will need support for other operating systems and browsers. Despite all the wonderful claims, no one can come close to delivering a general-purpose endpoint solution that works with both agent and agentless solutions.
If you stick within the XP/IE realm, if all your users have administrator rights to their systems, and if you don’t mind them downloading some form of Java or ActiveX application from their browser, then you can almost make things work with one of the third-party appliance products or by using VPN solutions from companies like Juniper and Aventail.
If Microsoft’s vision with NAP aligns with yours, then get a head start by running the VPN quarantine in Windows ISA Server 2004, because that is what will form the basis of the Longhorn code when it finally is delivered later this year.
And if you have all your Cisco routers up to their current versions, then one of the NAC solutions from Cisco and its partners might work for you if you can continue to live in an all-Cisco world.
But if these very limited scenarios aren’t your situation, then you have your work cut out for you to implement the best possible endpoint security solution. The best advice, as with all information security initiatives, is to thoroughly understand your enterprise and business requirements. Address questions such as:
- Who are your mobile employees, what OSes and security applications are they running, and how do they connect to the network?
- Do consultants and vendors regularly access the network?
- What is your network infrastructure and what enforcement/remediation mechanisms will it support? Is it homogeneous? Is it relatively new, with up-to-date firmware, or do you have legacy routers and switches that won’t support network-based solutions?
Sorting out NAC, NAP and TNC is going to take some time, and you’ll have to live with your decisions to secure endpoint access to your network. Choose the solution(s) that best meet at least your most critical needs now and align with your enterprise’s plans for the future.