NETWORK SECURITY

From the March 2005 issue of Communications News

Reduce the threat from computers

by Tina Bird

Adding network-based policy enforcement to the LAN protects against endpoint attacks.

Generically known as policy-enforcement solutions, endpoint security technologies extend authentication and access control beyond the traditional examination of user and machine identity to include properties of the endpoint system. Security managers can use policy-enforcement technologies to base network access on patch levels, running processes, security configurations or other end-user machine settings. In many cases, these systems enforce access decisions by interacting directly with the network infrastructure, removing the responsibility for enforcement from end-user applications.

Dynamic, configuration-based access control protects a variety of network connection mechanisms. Many organizations start by adding policy-enforcement systems to their remote-access infrastructures, especially since virtual private network (VPN) connections and mobile computers frequently carry infected or unpatched machines onto the protected network behind the corporate firewall.

Policy enforcement can also be implemented in wireless deployments, local networks and Web-based access via Secure Sockets Layer (SSL) VPN systems. To minimize the risks from unpatched or compromised machines, the same access restrictions should apply to all end-user systems trying to connect to a protected environment, no matter which connectivity mechanism is in play.

The heart of any policy-enforcement system is the policy server, responsible for evaluating endpoint configurations and communicating access control decisions to the appropriate network infrastructure devices. Endpoint configuration data may be collected through a software agent or from network-based scans.

As policy-assessment technologies mature, each of these components may be distributed across, or integrated with, other systems on the enterprise network. The policy server may form the repository of all endpoint configuration information within the organization, or it may coordinate requirements from other enterprise management systems, such as centralized patch distribution or antivirus update servers.

The role of policy servers
Similarly, the policy-enforcement agent may directly observe the endpoint state, or it may query other software clients for detailed configuration information to relay back to the policy server. This flexibility takes full advantage of existing infrastructure, but does not demand that patch-management systems or centralized antivirus be deployed.

Once an audit has been performed, the policy server communicates the required level of access control to the appropriate network infrastructure device. Management communications may use standards-based protocols such as IEEE 802.1X, vendor-driven mechanisms, or device-management protocols such as SNMP.

These enforcement frameworks, and additional frameworks under development, provide the interfaces that let servers communicate access-control decisions to network devices. The network devices then use some form of dynamic access control, typically through virtual LAN assignments or access-control lists.
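One concrete form of that communication, as an added example that is not code from the article or from InfoExpress: an IEEE 802.1X authenticator (a switch or wireless controller) takes the VLAN for an authenticated port from the tunnel attributes carried in the RADIUS Access-Accept, as profiled in RFC 3580. The Python below encodes and parses those attributes and maps a policy-server decision to a production or quarantine VLAN. The VLAN numbers, the quarantine arrangement and the `decision_to_attributes` helper are assumptions for the example; the parser refuses malformed attribute lengths rather than looping on them.

```python
"""Dynamic VLAN assignment attributes for an 802.1X RADIUS Access-Accept.

Added example; not code from the article or from InfoExpress. Attribute
numbers and values are from RFC 2868 and RFC 3580. VLAN numbering and the
production/quarantine split are assumptions for illustration.
"""
import struct

TUNNEL_TYPE = 64               # RFC 2868 attribute numbers
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # RFC 3580 values
TUNNEL_MEDIUM_IEEE802 = 6


def _attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type, total length (header included), value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vlan_attributes(vlan_id: int, tag: int = 0) -> bytes:
    """Encode the three RFC 3580 attributes that move a port to vlan_id.

    Tunnel-Type and Tunnel-Medium-Type carry a one-octet tag followed by a
    three-octet integer; Tunnel-Private-Group-ID carries the tag followed by
    the VLAN ID as an ASCII string.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    t = bytes([tag])
    return (_attr(TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _attr(TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
            + _attr(TUNNEL_PRIVATE_GROUP_ID, t + str(vlan_id).encode("ascii")))


def parse_attributes(data: bytes) -> list:
    """Walk a RADIUS attribute blob into (type, value) pairs.

    A length below 2 or past the end of the buffer is rejected outright,
    since either would otherwise make the loop stall or read past the data.
    """
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out


def assigned_vlan(data: bytes):
    """Return the VLAN ID an authenticator would apply, or None when the
    Access-Accept lacks a complete, consistent VLAN assignment."""
    attrs = dict(parse_attributes(data))
    ttype = attrs.get(TUNNEL_TYPE)
    tmed = attrs.get(TUNNEL_MEDIUM_TYPE)
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if ttype is None or tmed is None or not group:
        return None
    if int.from_bytes(ttype[1:], "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(tmed[1:], "big") != TUNNEL_MEDIUM_IEEE802:
        return None
    # Leading octets 0x00..0x1F are tags; anything higher is part of the string.
    vlan_text = group[1:] if group[0] <= 0x1F else group
    try:
        return int(vlan_text.decode("ascii"))
    except ValueError:
        return None


def decision_to_attributes(compliant: bool, production_vlan=100,
                           quarantine_vlan=999) -> bytes:
    """Policy-server decision to wire form: compliant hosts go to the
    production VLAN, failing hosts to a remediation VLAN (assumed numbers)."""
    return vlan_attributes(production_vlan if compliant else quarantine_vlan)


if __name__ == "__main__":
    accept = decision_to_attributes(False)
    print(accept.hex(), "->", assigned_vlan(accept))
```

The same three attributes work whether the decision comes from an agent audit or a network scan; the policy server only needs to choose the VLAN, and the switch does the rest when the 802.1X session completes.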

Although some enforcement frameworks offer rudimentary policy-assessment capabilities, most enterprise security managers will want the ability to support multiple policies, network connectivity mechanisms, endpoint operating systems and infrastructure devices. Vendors have created policy-assessment systems that layer on top of network-based enforcement frameworks. Some vendors have gone further, supporting older network access devices through vendor-specific application programming interfaces (APIs) alongside the standard enforcement frameworks.

Because endpoint status, environmental conditions and security policies can change during the lifetime of a given network connection, policy-enforcement systems should monitor endpoint machines at intervals designated by the local administrators. If an endpoint’s audit status changes, the policy server makes the appropriate access-control changes via the network infrastructure, just as it did when the connection first became active. Automated attacks like worms and viruses can be disruptive in short order, so the ongoing monitoring provided by most policy-enforcement systems greatly reduces production network exposure to new attacks.

Policies make a difference
Even relatively simple policies can make a significant difference to an organization’s network and data integrity. For instance, most enterprises deploy a single antivirus product throughout their desktop population, but there may be multiple versions of that product in play, and there are almost invariably several versions of antivirus signatures in use at any given time, making the task of writing an audit condition for the antivirus application challenging. What all these operating systems, application versions and signature databases have in common is that the antivirus application must be running for any of them to be effective.

So a simple “lowest common denominator” policy check might require an active antivirus process on the target system for network access to be granted, and similarly to take the target machine off the network if the antivirus stops running for any reason. Does this simple audit condition significantly protect an enterprise network?

More than 50% of all malware detected by antivirus vendors in a given month attempts to disrupt antivirus and personal security software. For instance, victims of the Agobot/Phatbot family of Trojans often first discover they have been infected because their antivirus software is unable to download new signatures or otherwise reports errors. Even before antivirus vendors have had time to research a new exploit, taking compromised machines offline as soon as their security applications are disrupted provides significant protection, at relatively low risk of interrupting legitimate activity.

Similarly, attempting to force installation of all operating system and application patches quickly becomes a management nightmare, requiring extensive testing and troubleshooting, as well as increasing the likelihood of inconveniencing end-users. An alternative approach may involve requiring only critical software patches, for instance those matching all of the following guidelines for Microsoft Windows environments:

  • the vulnerable software is a core operating system or application component, or is otherwise widely deployed within the organization;

  • the vulnerable software can be accessed without authentication or user intervention;

  • the vulnerable software can be accessed over the network, and does not require local access for exploitation;

  • the vulnerability allows an attacker to execute arbitrary malicious code, or otherwise compromise a target machine; and

  • exploits for the vulnerability are in circulation.

Many Windows administrators also consider Internet Explorer patches mandatory, even though vulnerabilities usually require some level of user interaction for system exploitation. These guidelines can be modified to suit operating systems and environments, organizational security policies and risk tolerance.

An organizational desktop policy may require the following checks for more complete security coverage:

  • critical operating system patches are installed;

  • security applications are installed, up to date and running;

  • corporate applications (e.g., e-mail, database) are installed and up to date; and

  • OS and applications are configured for automatic updates, as necessary.
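The following Python, added here and not taken from the article or from InfoExpress, pulls the preceding pieces together into one posture evaluation: the antivirus-running check from the earlier discussion, the five critical-patch criteria, the desktop policy checks just listed, and the periodic re-audit that changes a host's access when its state changes during a connection. Process names, patch identifiers, versions, dates, hostnames and VLAN numbers are all constructed for the example.

```python
"""Posture evaluation for a policy server (added example, not InfoExpress code).

Implements the checks the article describes: the antivirus engine must be
running (the "lowest common denominator" check), only patches meeting all
five "critical" criteria are mandatory, security and corporate applications
must be current, automatic updates must be on, and the host is re-audited
during the connection so that a change in state changes its access. Every
hostname, process name, patch ID, version, date and VLAN number is constructed.
"""
from dataclasses import dataclass, field
from datetime import date

PRODUCTION_VLAN = 100    # assumed VLAN numbering for the enforcement step
QUARANTINE_VLAN = 999


@dataclass
class Patch:
    """A vendor patch tagged with the five criteria from the text."""
    patch_id: str
    widely_deployed: bool      # core OS/application component or widely deployed
    no_auth_required: bool     # reachable without authentication or user action
    network_reachable: bool    # exploitable without local access
    code_execution: bool       # arbitrary code execution or machine compromise
    exploit_in_wild: bool      # exploits are in circulation

    def is_critical(self) -> bool:
        """Mandatory only when every criterion holds."""
        return all((self.widely_deployed, self.no_auth_required,
                    self.network_reachable, self.code_execution,
                    self.exploit_in_wild))


@dataclass
class Endpoint:
    """Posture as reported by the agent (or a network scan) at audit time."""
    hostname: str
    running_processes: set
    installed_patches: set
    av_signature_date: date
    app_versions: dict        # corporate application -> version tuple
    auto_update: bool


@dataclass
class Policy:
    av_process: str = "avengine.exe"       # constructed process name
    max_signature_age_days: int = 7
    min_app_versions: dict = field(default_factory=dict)
    require_auto_update: bool = True


def evaluate(ep, policy, patches, today):
    """Return (vlan, failures); any failed check sends the host to quarantine."""
    failures = []
    # Lowest-common-denominator check: the antivirus engine must be running.
    if policy.av_process not in ep.running_processes:
        failures.append(f"antivirus process {policy.av_process} not running")
    # Security application up to date: signatures within the allowed age.
    age = (today - ep.av_signature_date).days
    if age > policy.max_signature_age_days:
        failures.append(f"antivirus signatures {age} days old")
    # Only patches meeting all five criteria are required.
    missing = sorted(p.patch_id for p in patches
                     if p.is_critical() and p.patch_id not in ep.installed_patches)
    if missing:
        failures.append("missing critical patches: " + ", ".join(missing))
    # Corporate applications at or above the required version.
    for app, minimum in policy.min_app_versions.items():
        have = ep.app_versions.get(app)
        if have is None or have < minimum:
            failures.append(f"{app} version {have} below required {minimum}")
    # Automatic updates enabled.
    if policy.require_auto_update and not ep.auto_update:
        failures.append("automatic updates disabled")
    vlan = QUARANTINE_VLAN if failures else PRODUCTION_VLAN
    return vlan, failures


def audit_cycle(snapshots, policy, patches, today):
    """Re-evaluate a connected host at each monitoring interval.

    snapshots is the sequence of posture reports received over the life of
    the connection; the result is the VLAN after each audit, so a change
    from production to quarantine marks the moment enforcement changed.
    """
    return [evaluate(ep, policy, patches, today)[0] for ep in snapshots]


def demo():
    """Constructed scenario: compliant at connect time, then the AV engine dies."""
    today = date(2005, 3, 15)
    patches = [
        # Remote, unauthenticated, code execution, exploit circulating: critical.
        Patch("KB-EXAMPLE-1", True, True, True, True, True),
        # Needs local access, so not critical; its absence is tolerated.
        Patch("KB-EXAMPLE-2", True, True, False, True, True),
    ]
    policy = Policy(min_app_versions={"mailclient": (4, 0)})
    healthy = Endpoint("ws-01", {"avengine.exe", "explorer.exe"},
                       {"KB-EXAMPLE-1"}, date(2005, 3, 12),
                       {"mailclient": (4, 2)}, True)
    # Same host a few minutes later, after malware has killed the AV process.
    av_killed = Endpoint("ws-01", {"explorer.exe"},
                         {"KB-EXAMPLE-1"}, date(2005, 3, 12),
                         {"mailclient": (4, 2)}, True)
    return audit_cycle([healthy, av_killed], policy, patches, today)


if __name__ == "__main__":
    print(demo())
```

In `demo()` the first snapshot lands in the production VLAN and the second, taken after the antivirus process has disappeared, lands in quarantine, which is exactly the transition the periodic re-audit exists to catch. For a phased rollout, run `evaluate` in report-only mode first and log the `failures` list per host before wiring the VLAN result to enforcement.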

Policy-enforcement systems create visibility into every aspect of an endpoint machine’s configuration, including operating system and service pack levels, OS patches, installed applications, Windows registry settings, content of configuration files, even network environment and host name, if necessary. This flexibility permits administrators to tailor audit conditions for a variety of desktop and laptop platforms, organizational roles and computer locations. Similarly, policy-enforcement systems should enable phased implementation, allowing administrators to monitor the compliance of end-user systems before enforcing network restrictions and allowing for easier testing and integration.

For more information from InfoExpress:
www.rsleads.com/503cn-257

Tina Bird is security architect for InfoExpress, Mountain View, Calif.