By Mitchell Ashley | December 2, 2005 10:30 AM EST | Reads: 4,156
Most enterprise organizations are undertaking new projects in 2005-2006 to address the issue of endpoint security. The results of the 2005 Security IT Adoption Survey showed that 74% of respondents are budgeting, doing research on, or implementing an endpoint security solution this year. (See www.stillsecure.com/docs/Security_adoption_survey_Jan05.pdf). Blaster and successor malware programs exposed the Achilles heel of every network: poorly secured endpoint devices. Regulatory and compliance requirements added the business justification to allocate funds and resources to solve the endpoint security problem.
Organizations need to clearly define what endpoint security problem they are trying to solve. The answer may not be obvious at the beginning of an investigation into available endpoint security options. Rushing out to buy the latest enterprise firewall or host agent technology may not solve the right problem.
Locking Down Endpoints
Securing all endpoints, i.e., locking down or hardening the security of these devices, might seem at first like the logical solution to implementing endpoint security. One of the most significant differences when considering endpoint security approaches is that, unlike network infrastructure devices (routers, switches, servers, etc.), a significant number of endpoint devices connecting to the network aren't managed, configured, or controlled by the IT or network organizations. In large enterprises, 20,000-30,000 unmanaged devices might connect through the VPN alone. Applying a single corporate standard for anti-virus updates, security patches, and personal firewalls at best addresses only the security of the corporate endpoint assets to which these policies are applied. These single policies can be difficult to enforce across the enterprise.
Most early endpoint security technologies designed to lock down endpoints were created using existing security technologies or software agents. The most common were personal firewalls, software patch delivery agents, and host intrusion detection software (HIDS) agents. These single-purpose agents have been enlarged to check for software patch levels, anti-virus, and in some cases other security checks on endpoint devices.
Any enterprise endpoint security approach must allow for the fact that multiple anti-virus, software patching, personal firewall, and other security technologies will be used on the wide range of laptops and desktop computers connecting to the network. Rather than relying on a single personal firewall technology to lock down the endpoint, policies should be established for the security posture requirements of visitors, contractors, and home users, as well as corporately managed desktop and laptop devices. While locking down the security of endpoints may be an option for some or even most enterprise-managed assets, more is needed to address the myriad other endpoints that connect to and use the network every day.
Access Control
An important part of the endpoint security equation is controlling or limiting access for endpoint devices until the security posture of the device is known. Usually the access control method has very little to do with determining the security posture of endpoint devices. The access control technology relies on other processes or other security vendors, or even requires that the enterprise security staff build all of the testing policies from scratch. Regardless, the testing process must communicate the device's security posture status to the access control system.
Many approaches are offered for solving this problem and each has its benefits, infrastructure requirements, and limitations. A few common approaches are:
- Device Connection - Determining that new devices have connected or powered up on the network can be done in a variety of ways: through port state changes on a network switch, requests for an IP address through DHCP, or detecting network traffic from a previously unseen device. These methods can usually be implemented with little impact or change to the network infrastructure configuration.
- User Authentication - Users can supply credentials through a Web-based network registration login, network OS based login (such as the Windows domain login), VPN authentication, or an 802.1X authentication process. Upon successful authentication, the device's security posture is discerned. Implementing endpoint access controls through user authentication requires a greater degree of coordination and integration between infrastructure elements of the network.
- Local Agents - In some situations, as is the case with personal firewall or HIDS agents, the agent software on the endpoint device can act as the enforcement point for controlling access to the network. It relies on having agents installed on all devices.
Security Compliance
A compliance-based strategy takes a different view of endpoint security. Rather than relying on a single limited set of technologies for securing endpoints, compliance implements a policy-based approach by matching the appropriate security policy to each endpoint device. This approach recognizes that some enterprise-managed assets can be required or even forced to use only a standard limited set of security technologies on managed endpoint devices. It also accommodates other security solutions that, while not the corporate standard, satisfy the security requirements through other security technologies on unmanaged endpoint devices.
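The following sketch is an added example, not code from the original article or from any vendor product. It shows a compliance check that matches a policy to each endpoint class and reports a decision to the access control system, keeping a device quarantined until its posture is known. The class names follow the article; the thresholds, the product names (CorpAV, OtherAV), and the posture report format are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Policy:
    max_av_signature_age_days: int
    max_patch_age_days: int
    firewall_required: bool
    # None means any running anti-virus product satisfies the requirement.
    approved_av: Optional[frozenset] = None

# Constructed policy table: thresholds and product names are hypothetical.
POLICIES = {
    "managed": Policy(3, 30, True, frozenset({"CorpAV"})),  # corporate standard only
    "contractor": Policy(7, 45, True),
    "home_user": Policy(7, 45, True),
    "visitor": Policy(14, 90, False),
}

def evaluate(device_class, posture):
    """Return (decision, reasons); posture is None until the device is tested."""
    if posture is None:
        return "quarantine", ["posture unknown"]
    policy = POLICIES.get(device_class)
    if policy is None:
        return "quarantine", [f"no policy for class {device_class!r}"]
    reasons = []
    av = posture.get("antivirus")
    if not av or not av.get("running"):
        reasons.append("no running antivirus")
    else:
        product = av.get("product")
        if policy.approved_av is not None and product not in policy.approved_av:
            reasons.append(f"antivirus {product} is not the corporate standard")
        if av.get("signature_age_days", float("inf")) > policy.max_av_signature_age_days:
            reasons.append("antivirus signatures out of date")
    if policy.firewall_required and not posture.get("firewall_running", False):
        reasons.append("personal firewall not running")
    if posture.get("patch_age_days", float("inf")) > policy.max_patch_age_days:
        reasons.append("security patches out of date")
    return ("allow" if not reasons else "quarantine"), reasons

# Constructed posture report for a laptop running a non-standard AV product.
SAMPLE = {"antivirus": {"product": "OtherAV", "running": True, "signature_age_days": 2},
          "firewall_running": True, "patch_age_days": 10}

if __name__ == "__main__":
    for cls in ("contractor", "managed"):
        print(cls, evaluate(cls, SAMPLE))
    print("visitor (untested)", evaluate("visitor", None))
```

The same posture report is accepted for a contractor but rejected for a managed asset, which is the distinction the compliance approach draws between unmanaged devices and those held to the corporate standard.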
Copyright © 2005 SYS-CON Media, Inc. — All Rights Reserved.
Mitchell Ashley is CTO and VP of customer experience at StillSecure where he is responsible for the product strategy and development of the StillSecure suite of network security products. Mitchell has more than 20 years of industry experience holding leading positions in data networking, network security, and software product and services development.