According to the FBI, the majority of security breaches are inside jobs. So how does the firewall you deployed at the edge of the Internet help you against them? It doesn't: a perimeter firewall never sees traffic between two hosts that are both inside the network. What you need is end point security. End point security, whether local or remote and whether wired or wireless, ensures that only authenticated users and compliant devices can connect to the network, and that those users and devices are authorized to access only specific application and networking resources, all based on the enterprise security policy. This gives better control over who has access to which applications, protects people's productivity against the worm du jour, and ensures that the security audits associated with regulatory requirements can be met.
End Point Security And Layered Defense
Security needs to be implemented the same way we have built highly reliable networks: by removing single points of failure. This philosophy leads to a layered defense approach that places different forms of security at different layers or places in the network. Overall security is increased because a threat that slips past one layer can be caught by another. A layered defense provides four basic functions, end point security, perimeter security, communications security and core network security, and incorporates many different enforcement approaches, ranging from access lists to behavior anomaly detection.
The first step in providing end point security is authenticating the user. While device-based authentication may be adequate in certain environments, user authentication enables role-based policy management that restricts user access to applications and network resources, and creates an environment in which users and devices are managed separately, an important factor when users roam between devices for increased mobility. User authentication consists of a secure exchange of one, two or three factors (something you are, something you know and something you have), using for example hardware and software tokens, smartcards and/or biometrics. It can be done in a number of ways. Some options include: port-based authentication based on IEEE 802.1X and the Extensible Authentication Protocol (EAP); IPsec VPN authentication; and submission of a username and credentials via an SSL VPN. In all cases an inline gateway (the access switch or wireless access point acting as the 802.1X authenticator, or the VPN gateway for IPsec and SSL) is required to carry the authentication and authorization session.
After user authentication, you need proactive checks that allow network access only to compliant devices, and reactive checks that detect and isolate devices that fall out of compliance after they have connected. End point security ensures that individual end points, whether wired or wireless, and whether at the desktop or mobile, are secured at the operating system, network, Web browser and application levels.
End Point Security Under The Covers
End point security verifies that current security software (e.g., antivirus and personal firewalls) is running and is configured according to current security policies. It also detects device configuration errors that may compromise security, missing operating system patches, and expired intrusion detection and prevention signature files, any of which can make the security mechanisms ineffective. Operating system security settings can also be checked via scans launched from the server or portal at the time the endpoint device comes online. Custom checks, which allow the monitoring of registry keys, files and processes, can also be defined.
Once users are authenticated and the devices they are using have been checked against the security policy, centralized access controls kick in. In this way, only authenticated users connect to the network, and once connected they have access only to authorized applications. Management can issue, revoke and change user access privileges. A number of remediation or enforcement policies can be triggered based on status, such as authenticated user, unauthenticated user, vulnerabilities found in scan results and failed compliance checks. A user who is not authenticated to the network can be given limited access to specific areas of the network, while authenticated users can undergo more stringent checks and be granted wider access to network resources. If a problem is identified, the out-of-compliance device can be sent an installation file, receive an alert message, or be redirected to a remediation URL.
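The posture checks and remediation actions described in the two paragraphs above, as an added worked example (this is not Nortel's code, and the product described in the article is not shown here). A constructed endpoint inventory, of the kind an agent or a portal-launched scan would report, is evaluated against an assumed policy that covers the check types the article lists: security software running, signature age, missing patches, operating system security settings, and custom registry, file and process checks. Each failed check carries one of the three remediation actions the article mentions. Process names, registry paths, KB numbers, installer names and URLs are illustrative assumptions.

```python
"""Endpoint posture assessment (added worked example; not Nortel's code).

Check kinds mirror the article: security software running, AV signature age,
missing patches, OS security settings (registry values) and custom file checks.
All names, paths, patch identifiers and URLs below are illustrative assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Any


@dataclass
class Check:
    name: str
    kind: str                   # process | signature_age | patch | registry | file
    target: str                 # process name, inventory key, patch id, registry path or file path
    expected: Any = None        # value a registry check must match
    max_age_days: int = 0       # maximum age for signature_age checks
    remediation: str = "alert"  # alert | install | redirect (the article's three actions)
    detail: str = ""            # installer name for install, URL for redirect


# Assumed enterprise policy.
POLICY = [
    Check("antivirus running", "process", "avengine.exe", remediation="install", detail="av-setup.exe"),
    Check("personal firewall running", "process", "pfw.exe", remediation="install", detail="pfw-setup.exe"),
    Check("AV signatures current", "signature_age", "av_signature_date", max_age_days=7,
          remediation="install", detail="av-sigupdate.exe"),
    Check("critical patch KB905915", "patch", "KB905915", remediation="redirect",
          detail="https://patch.corp.example/kb905915"),
    Check("firewall enabled in OS", "registry",
          r"HKLM\SOFTWARE\Policies\Firewall\EnableFirewall", expected=1),
    Check("automatic updates on", "registry",
          r"HKLM\SOFTWARE\Policies\WindowsUpdate\AUOptions", expected=4),
    Check("host IDS signature file present", "file", r"C:\Program Files\HostIDS\sig.dat",
          remediation="redirect", detail="https://hids.corp.example/signatures"),
]

# Constructed inventory, as a posture scan or agent would report it.
SAMPLE_ENDPOINT = {
    "hostname": "lab-pc-17",
    "processes": {"explorer.exe", "avengine.exe", "pfw.exe"},
    "av_signature_date": date(2006, 3, 1),          # 31 days old on the reference date
    "installed_patches": {"KB912919", "KB890046"},  # KB905915 missing
    "registry": {
        r"HKLM\SOFTWARE\Policies\Firewall\EnableFirewall": 1,
        r"HKLM\SOFTWARE\Policies\WindowsUpdate\AUOptions": 2,  # policy requires 4
    },
    "files": {r"C:\Program Files\HostIDS\sig.dat"},
}

# The same machine after remediation: fresh signatures, patch applied, updates on.
COMPLIANT_ENDPOINT = {
    **SAMPLE_ENDPOINT,
    "av_signature_date": date(2006, 3, 30),
    "installed_patches": SAMPLE_ENDPOINT["installed_patches"] | {"KB905915"},
    "registry": {**SAMPLE_ENDPOINT["registry"],
                 r"HKLM\SOFTWARE\Policies\WindowsUpdate\AUOptions": 4},
}


def passes(check: Check, ep: dict, today: date) -> bool:
    """Evaluate a single check against the inventory."""
    if check.kind == "process":
        return check.target in ep["processes"]
    if check.kind == "signature_age":
        return (today - ep[check.target]).days <= check.max_age_days
    if check.kind == "patch":
        return check.target in ep["installed_patches"]
    if check.kind == "registry":
        return ep["registry"].get(check.target) == check.expected
    if check.kind == "file":
        return check.target in ep["files"]
    raise ValueError(f"unknown check kind {check.kind!r}")


def assess(ep: dict, policy=POLICY, today: date = date(2006, 4, 1)) -> dict:
    """Return compliance status, the failed checks, and a remediation per failure."""
    failed = [c for c in policy if not passes(c, ep, today)]
    return {
        "hostname": ep["hostname"],
        "compliant": not failed,
        "failed": [c.name for c in failed],
        "remediation": [(c.remediation, c.detail or c.name) for c in failed],
    }


if __name__ == "__main__":
    for endpoint in (SAMPLE_ENDPOINT, COMPLIANT_ENDPOINT):
        r = assess(endpoint)
        print(f"{r['hostname']}: {'compliant' if r['compliant'] else 'NON-compliant'}")
        for name, (action, what) in zip(r["failed"], r["remediation"]):
            print(f"  {name}: {action} -> {what}")
```

The reference date is a fixed parameter rather than the current date so that the signature-age check is deterministic; in a deployment it would be the time the device comes online. Passing `policy` as an argument is what lets the same engine apply the more stringent check set to authenticated users and a lighter one to guests.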
Client Versus Clientless Approaches
Both clientless and client-based end point security approaches check five parameters when assigning network context and granting role-based access: who the user is, where the user is, what time of day it is, what the user's level of compliance is, and, as the resulting decision, where the user can go.
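The five-parameter decision above as an added worked example (not Nortel's code): the first four parameters form the connection context, and the rule table turns them into the fifth, the resources the user can reach. The roles, locations, time windows and resource names are assumptions; the ordering of the decision (a failed compliance check quarantines regardless of identity, an unauthenticated user gets only a limited area) follows the enforcement policies described earlier in the article.

```python
"""Network admission decision from the article's five parameters.
Added worked example, not Nortel's code. Roles, locations, time windows and
resource names in the rule table are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set, Tuple


@dataclass(frozen=True)
class Context:
    user: Optional[str]     # None if the user has not authenticated
    role: Optional[str]     # role returned by the authentication back end
    location: str           # "campus-wired", "campus-wireless" or "remote-vpn"
    hour: int               # local hour of day, 0-23
    compliance: str         # "compliant", "non_compliant" or "unchecked"


@dataclass(frozen=True)
class Rule:
    role: str
    locations: FrozenSet[str]
    start_hour: int         # window is [start_hour, end_hour); may wrap midnight
    end_hour: int
    resources: FrozenSet[str]


# Assumed enterprise policy: which role may reach which resources, from where and when.
RULES = [
    Rule("engineer", frozenset({"campus-wired", "campus-wireless"}), 0, 24,
         frozenset({"internet", "email", "source-repo", "build-farm"})),
    Rule("engineer", frozenset({"remote-vpn"}), 0, 24,
         frozenset({"internet", "email", "source-repo"})),   # no build farm from outside
    Rule("finance", frozenset({"campus-wired"}), 7, 20,
         frozenset({"internet", "email", "erp"})),
    Rule("finance", frozenset({"remote-vpn"}), 7, 20,
         frozenset({"email"})),                               # ERP only from the wired LAN
    Rule("contractor", frozenset({"campus-wireless"}), 8, 18,
         frozenset({"internet", "email"})),
    Rule("ops", frozenset({"campus-wired", "remote-vpn"}), 22, 6,
         frozenset({"internet", "email", "netmgmt"})),       # overnight shift, wraps midnight
]


def in_window(hour: int, start: int, end: int) -> bool:
    """True if hour lies in [start, end), including windows that cross midnight."""
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end


def decide(ctx: Context, rules=RULES) -> Tuple[str, Set[str]]:
    """Return (network context, reachable resources) for one connection attempt."""
    # A failed compliance check wins over everything else: isolate and remediate.
    if ctx.compliance == "non_compliant":
        return "quarantine", {"remediation-portal"}
    # No identity, or a device not yet checked: only the limited guest area.
    if ctx.user is None or ctx.role is None or ctx.compliance == "unchecked":
        return "guest", {"internet"}
    allowed: Set[str] = set()
    for rule in rules:
        if (rule.role == ctx.role and ctx.location in rule.locations
                and in_window(ctx.hour, rule.start_hour, rule.end_hour)):
            allowed |= rule.resources
    if not allowed:
        return "deny", set()
    return "authorized", allowed


if __name__ == "__main__":
    for ctx in (Context("alice", "engineer", "remote-vpn", 23, "compliant"),
                Context("bob", "finance", "remote-vpn", 22, "compliant"),
                Context(None, None, "campus-wireless", 10, "unchecked"),
                Context("carol", "contractor", "campus-wireless", 9, "non_compliant")):
        print(ctx, "->", decide(ctx))
```

Whether the gateway later enforces the returned set as a VLAN assignment, an access list pushed to the switch, or a portal routing decision is an enforcement detail; the decision itself is the same in the client-based and clientless cases.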
Client-based approaches have been available for some time for remote access policy enforcement, integrated into IPsec VPN clients. The evolution of SSL VPNs, and the recognition that end point security is equally important on wired and wireless LANs, has resulted in both client-based and clientless end point security solutions being offered to enterprises.
A client-based approach requires client-side code that monitors the user device for malicious activity under the control of an end point security server; in contrast, a clientless approach relies only on the device supporting common browser functionality, with all monitoring performed by an end point security portal. The big disadvantage of client-based approaches is that software has to be available for every wired and wireless, fixed or mobile device in your network, including a growing list of networked devices such as smart phones, PDAs and security cameras. Client software has to be downloaded to each device and upgraded periodically. All this translates into higher life cycle costs compared to clientless approaches, and into either holes in end point security coverage or restrictions on device connectivity pending availability of client software for a particular type of device.
In contrast, a clientless end point security framework avoids these operational requirements and costs while still securing the network against endpoint vulnerabilities. The trade-off is that a browser-delivered scan can inspect only what the browser's runtime exposes, so the depth of the checks is generally less than that of a resident agent. A security portal is central to such an approach and needs to be highly reliable, scalable, and flexible enough to work with a broad variety of back-end authentication and security policy management systems in determining policy compliance, policy-based routing and policy definition for network optimization. It also interacts with the network to control application and network accessibility. Clientless endpoint security provides a simple end point security solution for local LAN/desktop users, for mobile campus workers, and for remote users and teleworkers (whether using IPsec or SSL-based VPNs), over fixed and wireless connections.
Going forward, a combination of client-based and clientless approaches may be needed to cover the variety of devices that must be supported. However, approaches that require every packet to be inspected by an in-line gateway are clearly less scalable than those in which the gateway makes the admission decision and then steps out of the data path until re-authentication is required.
Tony Rybczynski is Director of Strategic Enterprise Technologies at Nortel. He has over 30 years experience in the application of packet network technology. For more information, please visit www.nortel.com.