A brand new product combines three network security techniques in one, and experts say it's likely to be one of many new hybrid network security products emerging in the near future.
San Mateo, Calif.-based Elemental Security Inc. today unveiled its first product, the Elemental Compliance System. The network security software package blends host configuration, policy management and network access control functions.
The software runs on a Linux server on the corporate LAN and handles basic end-point security functions like locating new hosts, quarantining misconfigured devices, preventing unauthorized access and enforcing configuration change restrictions.
The server gathers network activity information using agent software on end-point devices. Ram Krishnan, Elemental's vice president of marketing, said the agents aren't required on every end-point device; in fact, having agents installed on 400 end points out of 1,000 would be enough to detect the surrounding unmanaged devices and enable policy enforcement.
Krishnan said the product was designed to bridge the gap between a company's written network security policies and the realities that administrators must deal with when securing different types of devices.
"In large organizations, there's continuous change and new threats, and new threats are emerging at all times," Krishnan said, from both inside and outside the network. "If a new laptop is being plugged into the network and it's not compliant with network policy, it can be denied access."
Mark Nicolett, a vice president and research director for Stamford, Conn.-based research firm Gartner Inc., said that in addition to competing with end-point security vendors, Elemental is also taking on systems management specialists like NetIQ Corp., BindView Corp. and others.
Nicolett doesn't necessarily expect the product to foster more cooperation among security and network professionals, since those groups should already be collaborating on issues such as vulnerability and patch management, network access control and antivirus systems.
However, Eric Maiwald, an analyst with Midvale, Utah-based research firm Burton Group, said even though more teamwork among enterprise network and security groups is required with combination products, offerings that combine policy management, systems management and vulnerability management are likely to become more common.
"Some of the bigger players like Symantec, IBM and CA [Computer Associates International] also look at combining all those functions," he said, "so all these aspects are coming together. It's just a matter of whether organizations are set up to take advantage of it or not."
Perhaps the Elemental Compliance System's most innovative feature is its custom policy expression language. Called Fuel, it was inspired by Elemental's founders Dan Farmer (co-author of the SATAN security tool) and Guido van Rossum (creator of the Python development language).
Using Fuel, the product allows administrators without any programming knowledge to create customized policies for device types or user groups using virtually any combination of the system's 1,700 rules. For instance, all Windows-based Wi-Fi notebooks can be required to undergo rigorous antivirus checks before gaining network access, while Solaris servers or users in an engineering group may have specific security guidelines of their own.
"Because we have our own language, the actual communication between the server and the clients is very compact," Krishnan said. "Enforcing a policy in some other products involves sending full scripts across the network, so our approach reduces network traffic."
The Elemental Compliance System can also dynamically cluster any new device into policy groups based on configuration, network activity and hundreds of other attributes. If a device's behavior changes, it can automatically be moved into a high-risk or low-risk group.
The server's management software ships with several default profiles that ensure corporate networks adhere to common security guidelines and comply with government regulations such as the NSA's and SANS Institute's security configuration guidelines. Policy templates for Sarbanes-Oxley, Gramm-Leach-Bliley and the Health Insurance Portability and Accountability Act (HIPAA) are in the works.
"If you look at the HIPAA or Gramm-Leach guidelines, they don't specify mechanisms or configurations," Maiwald said, "so it's hard to create a policy template that shows you're in line with a policy."
Nicolett said there's a growing need for products that automate the compliance process.
"Regulatory compliance issues and audits are driving demand for projects that can map higher-level policies to operational implementations," Nicolett said.
Extra features include a packet filter for granular network traffic monitoring. Though it can detect and control any network device, Elemental agent software is required for servers and desktops throughout the network.
Krishnan said the Elemental Compliance System is available immediately from the vendor and its resellers, and that the cost for a company with about 5,000 end points would range in the low six figures.