Locking Down Endpoints to Prevent Virus Resurgence
Verifying PC security compliance before granting network access
by Mathew Schwartz
7/28/2004
Netsky.D and Bugbear.B are readily recognized by security as past threats, discovered months or over a year ago. Yet each appeared on Symantec’s Top 10 Malicious Threats for May 2004. In reality, despite rapidly updated signatures for antivirus engines whenever a new threat breaks, and the wide use of antivirus software on servers and desktops, many viruses and worms aren’t eradicated; they just fade away.
Laptops are one culprit, say experts. Mobile workers may use their PC at home or on the road, cancel antivirus or other important software updates, or just not be available to install them. When such PCs reconnect to the corporate LAN, they can restart an infection. Of course, it’s up to security managers to clean up the mess, perhaps again. “Back in the virus [attacks] of last fall, one behavior we saw is you’d have this initial bump in vulnerability, followed by infections, followed by a smaller bump two weeks later from people who hadn’t been updated,” notes Rick Bilodeau, director of corporate marketing for iPass.
To deal with this threat, The Yankee Group’s Matthew Kovar recommends a class of software and services known as remote endpoint security. One option is business process outsourcing: handing off endpoint security, which can comprise VPN access, remote security, and software updating, to a service provider. Kovar says AT&T, Fiberlink, GRIC, and iPass are the leading remote endpoint security service providers.
The goal for any client, says Bilodeau, is to know “are they who they say they are and are they operating on a trusted platform?”
“Enterprises have a ton of intellectual property on their network, notebooks, and PDAs,” according to Ken Denman, CEO of iPass. “It’s no longer enough simply to keep mobile workers connected. Enterprises must also secure multiple points of vulnerability in the connection process from the user’s device to the corporate network, and the data flow between them.”
Typical endpoint security software will protect the user’s identity, the actual device, the enterprise network, and also session data. “From a management standpoint, all this complexity should be largely transparent to users and IT staff,” notes Chris Christiansen, an IDC analyst.
Today, however, that’s not necessarily the case. “Where we see the current difficulties with today’s policy enforcement capabilities are they don’t really coordinate … They run next to each other on the endpoint, and don’t necessarily talk to each other,” says Bilodeau. To address that, iPass is releasing Policy Orchestration, to give companies a vendor-neutral way of applying various policies to end-user devices before they’re granted full network access.
For example, SecureConnect, already a current iPass feature, ensures necessary security software (personal firewall, antivirus engine) is running before the computer can even attempt to connect. Even when it does, the client remains quarantined. Effectively, the PC is in a DMZ, with limited access to resources—perhaps some Web sites or a network read-only folder containing the latest updates.
Under Policy Orchestration, the PC would then be subject to further tests via iPass, which queries a centralized policy server, or to updates, which would then be verified. “[Many] companies are doing vulnerability assessment on the endpoints, on the mobile users. This will increasingly happen on the LAN points as well but … what doesn’t happen is any communication between [various] services and the connectivity service.
“Let’s say new vulnerability appears … the enterprise wants to make sure that patch is set up for its mobile users. We, as a connectivity provider, want to ensure [it’s applied] … So there’s verification that the assessment and remediation occurred,” says Bilodeau. Of course, non-critical updates—such as a word processing program improvement—don’t have to keep users in the DMZ.
The software will also allow for coordinated enforcement by using a “polling process,” notes Bilodeau. All involved applications—patch management, antivirus updates, even a fingerprint hidden in employees’ registry keys to identify them as a trusted user—must sign off before the device finally receives full VPN or LAN access.
Three other initiatives are also underway, including Cisco’s Network Admissions Control (NAC) and Trusted Network Connections from the Trusted Computing Group.
Microsoft is also getting into the secure-endpoint game, introducing such functionality in a forthcoming update of Windows Server 2003, code-named R2. The technology will restrict client access until its relative health has been deemed acceptable, or else update the client to get there.
Working with Microsoft on the client security, connectivity, endpoint policy management and enforcement, patch management, and networking aspects are such companies as Computer Associates, Symantec, Sygate, iPass, BigFix, Bindview, Citrix, HP, and Juniper Networks.
“IT administrators have told us that managing user access to their corporate resources in a safe and secure manner is a major concern,” notes Mike Nash, corporate vice president for the Security Business and Technology Unit at Microsoft, in a statement.

Security Products:
Astaro Security Linux Appliance
Award-winning, rock-solid network security, simple and affordable.
"...exceptionally polished and extremely robust security gateway for a very reasonable price.... the most polished and easy to use Web-based management system we've seen to date." --- INFOWORLD
Astaro provides six essential security applications in one easy-to-manage package that protects organizations from hackers, viruses, worms, spam and other threats to security and productivity.
Astaro Security Linux offers:
firewall
intrusion protection
e-mail virus protection
web virus protection
spam protection
VPN gateway
URL filtering capabilities.
A unified management platform makes it easy to deploy, administer, and update a complete network security solution with surprisingly little cost and effort. The software can be installed on a standard Intel PC, or purchased pre-installed on a variety of security appliances.
Based on the best of open source security software, Astaro Security Linux has won numerous awards, and is in use on over 20,000 networks in 60 countries.
Astaro Security Linux is extremely scalable, with the ability to protect small office home office/remote office to enterprise implementations incorporating features such as high availability, VLANs, QoS and a configuration manager to manage multiple sites from a single management platform.
Prices start at $390 for a 10 user license. Educational discounts are available.
This mailing has been performed by Aavex Technology Corporation, 42w588 Still Meadows Lane, Elburn IL 60119 USA, 630-365-0025 in compliance with the "CAN-SPAM Act of 2003", approved and signed by the president of The United States of America on Dec. 16, 2003. For this reason, this email cannot be considered SPAM. This newsletter contains commercial advertisement.