Endpoint security and admission control: necessary but not sufficient

11/29/2009 01:38:33 PM

My partner Lisa Phifer and I have been evangelizing endpoint security for some time, as have many other security practitioners and companies.

All you had to do to realize endpoint security would become a priority to large enterprises five years ago was listen to your clients and customers. In our case, we had opportunities to speak and work with Fortune 100 firms and security-minded users who were cobbling together in-house measures and evaluating “point” products in search of an endpoint security solution that best met their requirements. The early adopter organizations managed all these measures in custom ways, and identified the requirement to oversee their deployment in a centralized manner, and to provide admission control measures.

Determining whether a device is actively protected from malicious code, running personal firewall software and correctly configured to use VPN adapters before admitting that endpoint to a network are common features of endpoint security. Many WLAN, switch and security system vendors are implementing variations on this theme today. These, however, are merely mile markers along the endpoint security highway. Future incarnations of admission control may check to see that an appropriate security policy is enforced at the endpoint, that critical files have not been altered, that no restricted access files have been copied to the endpoint, and that any sensitive data that resides on the endpoint is encrypted. Even this is a “starter list,” so expect that it will continue to expand.

Hardware endpoint security enforcement appliances and hyper-intelligent network interfaces sound innovative and convenient. As you roll out Cisco NAC, Microsoft NAP and other endpoint and admission control solutions, don’t overlook traditional best security practices.

Take stock of security measures you can and should implement now. These include:

  • Educate users on the need to maintain mobile (in general, any client) system security.
  • Identify a baseline of security for all clients; for example, your security policy may state, “Antivirus measures are mandatory. Personal firewall software configured with the following policy is mandatory. Event logging is mandatory. File encryption of all information relating to *foo* is mandatory…”
  • Harden your endpoint devices. Implement available security measures at operating and file system levels. Visit the Center for Internet Security (CIS), learn how to use the security benchmarking tool, and compare your endpoint security configurations against consensus best practice standards. The benchmarking tool will help you identify and eliminate promiscuous and unnecessary services, anonymous sharing, group permissions and exploitable browser settings, and limit administrative privileges. If you are a Windows shop, leverage Active Directory and push a uniform security policy to all Windows endpoints throughout your organization.
  • Establish a help desk service for your organization. Identify an MTTR objective for resolving endpoint admission problems. For a mobile workforce, provide multiple means of contacting support and acquiring requisite policies, software, and patches: extranet/web and instant messaging accessible “outside the gate” are useful complements to phone-based (help desk) support.
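The admission checks described earlier (antivirus active, firewall running, VPN adapter configured, critical files unaltered, sensitive data encrypted) and the written baseline in the second bullet are two sides of the same thing: the baseline is what an admission check evaluates. The following Python is an added example, not code from this post or from any NAC/NAP product; the baseline fields, the endpoint posture reports and the file contents are all constructed for illustration. In a real deployment the posture report would come from a trusted agent or attestation rather than from the host's own unverified claims, and known-good hashes would be distributed from a trusted build.

```python
"""Admission-control posture check: evaluate an endpoint's reported state
against a machine-readable client security baseline and decide whether to
admit it to the production network or park it on a remediation network.
Added example; all reports, paths and policy values are constructed."""
import hashlib
from datetime import date, timedelta

# Known-good content of critical files (constructed). Their hashes are
# computed here so the example runs offline.
KNOWN_GOOD = {
    "/etc/hosts": b"127.0.0.1 localhost\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The baseline: the policy statements from the post, made checkable.
BASELINE = {
    "antivirus": {"running": True, "max_signature_age_days": 3},
    "firewall": {"enabled": True, "inbound_default": "deny"},
    "event_logging": True,
    "vpn_adapter": {"configured": True},
    "sensitive_paths_encrypted": True,
    "critical_file_hashes": {p: sha256(c) for p, c in KNOWN_GOOD.items()},
}


def evaluate_posture(report: dict, policy: dict, today: date) -> dict:
    """Return {'decision': 'admit' | 'quarantine', 'findings': [...]}.
    Any single failed check quarantines the host; admission is never
    granted with open findings."""
    findings = []

    av = report.get("antivirus", {})
    if policy["antivirus"]["running"] and not av.get("running"):
        findings.append("antivirus not running")
    max_age = timedelta(days=policy["antivirus"]["max_signature_age_days"])
    sig_date = av.get("signature_date")
    if sig_date is None or today - sig_date > max_age:
        findings.append("antivirus signatures missing or older than %d days" % max_age.days)

    fw = report.get("firewall", {})
    if policy["firewall"]["enabled"] and not fw.get("enabled"):
        findings.append("personal firewall disabled")
    elif fw.get("inbound_default") != policy["firewall"]["inbound_default"]:
        findings.append("firewall inbound default is %r, policy requires %r"
                        % (fw.get("inbound_default"), policy["firewall"]["inbound_default"]))

    if policy["event_logging"] and not report.get("event_logging"):
        findings.append("event logging disabled")
    if policy["vpn_adapter"]["configured"] and not report.get("vpn_adapter", {}).get("configured"):
        findings.append("VPN adapter not configured")

    # Critical file integrity: the agent reports a hash per file; compare
    # each against the known-good value, and treat a missing report as a
    # failure rather than a pass.
    reported = report.get("critical_file_hashes", {})
    for path, expected in policy["critical_file_hashes"].items():
        actual = reported.get(path)
        if actual is None:
            findings.append("no integrity report for %s" % path)
        elif actual != expected:
            findings.append("critical file altered: %s" % path)

    # Sensitive data at rest: every file tagged sensitive must be encrypted.
    if policy["sensitive_paths_encrypted"]:
        for path, info in report.get("sensitive_files", {}).items():
            if not info.get("encrypted"):
                findings.append("unencrypted sensitive data: %s" % path)

    return {"decision": "admit" if not findings else "quarantine", "findings": findings}


def compliant_report() -> dict:
    """A constructed posture report that meets every baseline item."""
    return {
        "antivirus": {"running": True, "signature_date": date(2009, 11, 28)},
        "firewall": {"enabled": True, "inbound_default": "deny"},
        "event_logging": True,
        "vpn_adapter": {"configured": True},
        "critical_file_hashes": {p: sha256(c) for p, c in KNOWN_GOOD.items()},
        "sensitive_files": {"/home/alice/foo-contracts.xlsx": {"encrypted": True}},
    }


def drifted_report() -> dict:
    """A constructed report from a host that has drifted: stale signatures,
    permissive firewall, an altered hosts file and plaintext sensitive data."""
    altered_hosts = b"127.0.0.1 localhost\n10.0.0.5 update.example.invalid\n"
    return {
        "antivirus": {"running": True, "signature_date": date(2009, 11, 20)},
        "firewall": {"enabled": True, "inbound_default": "allow"},
        "event_logging": True,
        "vpn_adapter": {"configured": True},
        "critical_file_hashes": {"/etc/hosts": sha256(altered_hosts),
                                 "/etc/ssh/sshd_config": sha256(KNOWN_GOOD["/etc/ssh/sshd_config"])},
        "sensitive_files": {"/home/alice/foo-contracts.xlsx": {"encrypted": False}},
    }


if __name__ == "__main__":
    for name, rep in (("compliant", compliant_report()), ("drifted", drifted_report())):
        result = evaluate_posture(rep, BASELINE, date(2009, 11, 29))
        print(name, result["decision"], *result["findings"], sep="\n  ")
```

The policy is data rather than code so the same evaluator can be reused as the baseline grows (the post's “starter list”), and every finding is returned together rather than stopping at the first failure, which is what a help desk needs to resolve an admission problem in one contact.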

A popular line of thinking is that systems will never be secure: securing systems is too much to ask from users, so it is inevitable and important that we throw additional defenses in front of vulnerable systems. A corollary to this thinking is that appliances, irrespective of form factor, are easier to manage and deploy. Both have merit, but the danger inherent in always following these adages is that we put too much distance between users and their responsibility and accountability to the security process. It is imperative that you engage your users. Users who understand the risks and consequences to an organization and know they are accountable for non-compliance to your security policies are more likely to be responsible than users left to fend for themselves.

Endpoint security is as much about basic security principles as about innovation in admission control and client policy enforcement. In the 1990s, we began earnestly applying layered defenses to protect networks. Use endpoint and admission control to add another layer of defense, but don’t forget to add layers of defense to each and every endpoint.