To help stem this tide, various endpoint security vendors have created solutions that take the form of appliances to assess laptop and other endpoint health. The hard part is in understanding how they differentiate their wares and the consequences of how they interact with your network infrastructure. Here is a brief guide of questions you need to ask your vendor to understand where these solutions fit into your overall networking and security infrastructure.
What's in an agent?
Every endpoint security appliance needs some kind of software agent to scan the remote machine and perform the health assessment. But the world of agents is becoming more complex, and how this software is delivered to the machine, how long it sticks around, and whether it can remove itself automatically are all critical questions for potential customers of these technologies.
Whether the products have one or more different kinds of agents, some of them are limited in terms of the kinds of client devices that they can assess, particularly when you move outside the Windows world. For example, while Forescout's CounterACT is completely agentless, it didn't support Mac OS clients until its latest version, 6.0. Symantec's on-demand agent runs on Mac OS and Linux, but its managed agents only work on Windows 2000 and XP. Microsoft has promised agents for Windows XP SP2 and for Vista to support its Network Access Protection (NAP) system – everyone else will have to find third parties if they want to make use of NAP.
Does it come with its own IPS/IDS or play well with others?
Some endpoint security products, such as the EdgeWall from Vernier Networks and ForeScout's CounterACT, come with their own intrusion detection and prevention systems (IDS/IPS) that are part of the endpoint security assessment process. Others work with existing IPS products. For example, Lockdown Network's NAC device doesn't have any IPS functionality, but works with Enterasys' Dragon intrusion appliances.
Some of the products come with other components that may already be in use on enterprise networks, which means more work to get them setup. Symantec's Network Access Control has its own RADIUS server, and additional software that is installed on Microsoft's Active Directory that handles DHCP assessments. Some of the products, such as Cisco's, require their own 802.1x authentication servers, and require upgrades to Cisco network switches and router firmware, which can get expensive.
Where does the hardware need to be located on the network?
Each of the endpoint products has a different design and is intended to function best in varying places on the enterprise network. Some operate in-line and are required to sit as close to the edge as possible, while others can protect critical network resources such as servers or particular departmental branches, or operate on span ports. Some start out operating out-of-band, then insert themselves into the network stream once a successful authentication has occurred through an Active Directory or VPN login. And some products are part of an overall VPN solution and offer more or less integration into these products as well.
Vernier's NAC platform is placed as an in-line aggregation device between traditional access and distribution or core switches. "By connecting directly in-line, we do not need to use tap or span ports, nor do we rely on out of band methods. With the increased throughput and port aggregation capabilities of our latest platform, we are starting to see some customers use the EdgeWall 8800 in place of distribution switches," says Rod Murchison, vice president of marketing for the company.
Lockdown's product, however, operates out-of-band: "We connect to the trunk and manage the routing of devices to different VLANs," says Clark. Lockdown plans on offering in-band VPN integration by the end of 2006, according to company representatives. Mirage Networks operates out-of-band, and then changes the Address Resolution Protocol cache of the endpoint for quarantine purposes.
How are health assessments carried out?
Each endpoint product carries out its health assessments somewhat differently in terms of when a machine is scanned (before or after a network login) and what exactly is part of the scan. Forescout and Vernier, because they have integrated IPS, both look to see if a user has valid domain authentication credentials and is using a managed PC that is already known to their system. If so, the user is immediately allowed on the network and further health assessment happens post-login. "We don't have to quarantine everything as they come on to the network," says Gord Boyce, vice president of sales and marketing at Forescout. "This means that the checks take only a couple of seconds for most users."
Sometimes the decision about what is healthy and what isn't is very binary. For Cisco, for example, either a client passes muster and allowed on the network, or isn't. Others have more granularity, and can remediate what they find wrong with the client's configuration. Finally, some products only do assessments after a user has authenticated himself to the network, which could be an issue for viral products that could already have been transmitted if a PC has gained access to a network.
Obviously, there is still a lot more work to be done with endpoint health assessment, and new vendors are entering the market every day. But these questions should help a network manager gain some clarity about which products are appropriate for particular situations.
About the author:
David Strom is founding editor-in-chief of Network Computing magazine and author of two networking books. He writes frequently on IT, networking, Internet, security, and other computing topics and his blog can be found at strominator.com. He is based in St. Louis and can be reached at firstname.lastname@example.org.
This was first published in November 2006