DUBLIN, Ohio – Security threats such as Blaster, Beagle, and Slammer, as well as other worms and viruses, have shed new light on the risks of having even a small number of non-compliant endpoints on the enterprise computer network. A fair question from the boardroom is: why is this still a problem?
According to the Gartner Group, by the first quarter of 2005, enterprises that don't enforce security policies during network login will experience 200 percent more network downtime than those that do. Other analyst firms and industry pundits are busily reinforcing this conclusion from a variety of perspectives, including network infrastructure, desktop security applications, OS patch management, and security compliance reporting.
Enterprises have invested millions of dollars in multi-vendor, best of breed security software and hardware solutions in an attempt to control mass infections, limit network downtime, and manage risk.
Promises Made. Promises Kept?
Operating system vendors have renewed their focus on security, and have made tools available which are touted as simple, low-cost ways to manage our regular diet of patches and upgrades. Traditional desktop security application vendors have blurred their product descriptions by adding terms like policy enforcement and centralized management to their existing IPS, AV, and PFW products. And, of course, unless you've spent the past year in an undisclosed location, you know that major networking equipment vendors have leaped into the fray with well-publicized promises of "worm detected, worm destroyed" solutions that have generated more than a little skepticism.
In an attempt to extend their products outside of their core area of expertise many vendors have engineered solutions that are complex and time-consuming. When the expense of upgrading related systems is factored in, they are also anything but low cost.
Yesterday's Vulnerabilities are Tomorrow's Problems
So, again, with all of the time, energy, and money that has been spent on corporate security, why is this still a problem? Why is it still possible for a single contaminated endpoint to infect an entire network? For that matter, why are there still contaminated endpoints?
The answer, as is so often the case in IT, comes down to a combination of technology and human nature. Most of the technology-based solutions that have been deployed are reactive, where the software diligently searches for yesterday's threats, or under user control, where they can be turned off if they're inconvenient. To make matters more complex, like most good coders, hackers have continued to update and refine their malicious code so that it does its thing, whether it be denial of service attacks, privacy violations, or social commentary, in new and more effective ways.
In many cases, newer examples of malicious code no longer rely on direct user action to spread (i.e. clicking on an attachment or URL). They simply require that the user be passive (i.e. not update OS, AV, or PFW software), which preserves the ideal environment for a hacker's malicious code: an out-of-date security profile, operated on the public network, by a user with more important things than security on his mind. In other words, a passive user has gone from being an asset to a big part of the problem.
These trends, taken together, have effectively raised the bar for endpoint security beyond the capabilities of today's commonly deployed solutions. The net effect is that IT organizations are unable to centrally define security policies, systematically assess endpoint configurations, comprehensively report policy compliance, and enforce security policies in a transparent, non-disruptive manner across their LAN and WAN infrastructure. So, once the decision has been made to enforce security policies on the PCs in the hands of end users, what's the best way to go about getting it done?
It's All About The Right Approach
Enterprises must balance the trade-offs between end user mobility and required access, current and planned network infrastructure, heterogeneity of the current security environment, and enterprise attitudes towards security compliance. Industry standards bodies such as the Trusted Computing Group, and proprietary initiatives including Cisco's Network Admission Control (NAC) and Microsoft's Network Access Protection (NAP), have aligned behind a common, agent-based approach that relies on intelligent software on the endpoint, interacting with centralized policy management capabilities. Specific implementations vary in many respects, and time-lines for some initiatives go to 2007 and beyond, but the fact is that robust, vendor-neutral solutions are available today.
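The agent-based approach described above boils down to a posture check at login: the endpoint agent reports its OS patch, AV signature and personal firewall state, and a central policy decides whether to admit or quarantine the machine and records the finding for compliance reporting. The following is an added illustration, not code from the article or from any NAC/NAP product; the policy thresholds, host names and posture values are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

@dataclass
class Posture:
    """What an endpoint agent reports about itself at network login."""
    host: str
    os_patch_date: date        # last OS patch install reported by the agent
    av_signature_date: date    # age of the AV signature set on the endpoint
    firewall_enabled: bool     # personal firewall (PFW) running or switched off

@dataclass
class Policy:
    """Centrally defined thresholds (assumed values, not from the article)."""
    as_of: date                # evaluation date used for all age checks
    max_patch_age_days: int = 30
    max_av_sig_age_days: int = 7
    require_firewall: bool = True

def assess(posture: Posture, policy: Policy) -> tuple[str, list[str]]:
    """Return (verdict, findings); verdict is 'allow' or 'quarantine'.
    A passive user's machine (stale patches/AV, firewall off) is quarantined
    rather than admitted, which is the transparent enforcement the text calls for."""
    findings = []
    if (policy.as_of - posture.os_patch_date).days > policy.max_patch_age_days:
        findings.append("os_patches_stale")
    if (policy.as_of - posture.av_signature_date).days > policy.max_av_sig_age_days:
        findings.append("av_signatures_stale")
    if policy.require_firewall and not posture.firewall_enabled:
        findings.append("firewall_disabled")
    return ("allow" if not findings else "quarantine"), findings

def compliance_report(postures: list[Posture], policy: Policy) -> dict[str, tuple[str, list[str]]]:
    """Per-host verdicts, the raw material for a compliance report."""
    return {p.host: assess(p, policy) for p in postures}

# Constructed sample: three laptops checking in on 1 Sept 2004.
POLICY = Policy(as_of=date(2004, 9, 1))
SAMPLE = [
    Posture("lap-01", date(2004, 8, 20), date(2004, 8, 30), True),   # compliant
    Posture("lap-02", date(2004, 6, 1), date(2004, 8, 31), True),    # 92-day-old patches
    Posture("lap-03", date(2004, 8, 25), date(2004, 8, 1), False),   # stale AV, PFW off
]

if __name__ == "__main__":
    for host, (verdict, findings) in compliance_report(SAMPLE, POLICY).items():
        print(f"{host}: {verdict} {findings}")
```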
Dennis Brouwer has nearly 20 years of experience in networking and security, and is an expert in providing secure connectivity to mobile and remote users. Prior to ENDFORCE, Dennis served as Vice President, Product Marketing at UUNET and CompuServe Network Services, leading providers of best-in-class security, VPN and connectivity products to over 1,000 enterprise customers throughout the United States, Europe, and Asia/Pac. You can email Brouwer at [email protected]