Reduce the threat from computers: adding network-based policy enforcement to the LAN protects against endpoint attacks.
Generically known as policy-enforcement solutions, endpoint security technologies extend authentication and access control beyond the traditional examination of user and machine identity to include properties of the endpoint system. Security managers can use policy-enforcement technologies to base network access on patch levels, running processes, security configurations or other end-user machine settings. In many cases, these systems enforce access decisions by interacting directly with the network infrastructure, removing the responsibility for enforcement from end-user applications.
Dynamic, configuration-based access control protects a variety of network connection mechanisms. Many organizations start by adding policy-enforcement systems to their remote-access infrastructures, especially since virtual private network (VPN) connections and mobile computers frequently introduce exploits to the protected network behind the corporate firewall.
Policy enforcement can also be implemented in wireless deployments, local networks and Web-based access via secure socket layer (SSL) VPN systems. To minimize the risks from unpatched or compromised machines, the same access restrictions should apply to all end-user systems trying to connect to a protected environment, no matter which connectivity mechanisms are in play.
The heart of any policy-enforcement system is the policy server, responsible for evaluating endpoint configurations and communicating access control decisions to the appropriate network infrastructure devices. Endpoint configuration data may be collected through a software agent or from network-based scans.
As policy-assessment technologies mature, each of these components may be distributed to include other components on the enterprise network. The policy server may form the repository of all endpoint configuration information within the organization. Or it may coordinate requirements from other enterprise management systems, such as centralized patch distribution or antivirus update servers.
THE ROLE OF POLICY SERVERS
Similarly, the policy-enforcement agent may directly observe the endpoint state, or it may query other software clients for detailed configuration information to relay back to the policy server. This flexibility takes full advantage of existing infrastructure, but does not demand that patch-management systems or centralized antivirus be deployed.
Once an audit has been performed, the policy server communicates the required level of access control to the appropriate network infrastructure device. Management communications may utilize standards-based protocols like 802.1x, vendor-driven mechanisms or device-specific methods like SNMP.
These enforcement frameworks, and additional frameworks under development, provide the interfaces that let servers communicate access-control decisions to network devices. The network devices then use some form of dynamic access control, typically through virtual LAN (VLAN) assignments or access-control lists.
Although some enforcement frameworks offer rudimentary policy-assessment capabilities, most enterprise security managers will want the ability to support multiple policies, network connectivity mechanisms, endpoint operating systems and infrastructure devices. Vendors have created policy-assessment systems that layer on top of network-based enforcement frameworks. Some vendors have taken the additional step of handling older network access devices and implemented vendor-specific application program interfaces, in addition to other enforcement frameworks.
Because endpoint status, environmental conditions and security policies can change during the lifetime of a given network connection, policy-enforcement systems should monitor endpoint machines at intervals designated by the local administrators. If an endpoint's audit status changes, the policy server makes the appropriate access-control changes via the network infrastructure, just as it did when the connection first became active. Automated attacks like worms and viruses can be disruptive in short order, so the ongoing monitoring provided by most policy-enforcement systems greatly reduces production network exposure to new attacks.
POLICIES MAKE A DIFFERENCE
Even relatively simple policies can make a significant difference to an organization's network and data integrity. For instance, most enterprises deploy a single antivirus solution throughout their desktop population. There may be multiple antivirus versions in play, and there are almost invariably several versions of antivirus signatures in use at any given time, making the task of writing an audit condition for the antivirus application challenging. What all these operating systems, application versions and signature databases share is that they all need the antivirus application to be running to be effective.
So a simple "lowest common denominator" policy check might require an active antivirus process on the target system for network access to be granted, and similarly take the target machine off the network if the antivirus stops running for any reason. Does this simple audit condition significantly protect an enterprise network?
More than 50% of all malware detected by antivirus vendors in a given month attempts to disrupt the performance of antivirus and personal security software. For instance, victims of the Agobot/Phatbot family of Trojans often first discover they have been infected because they notice that their antivirus software is unable to download new signatures, or otherwise indicates errors. Even before antivirus vendors have time to research new exploits, taking compromised machines off line as soon as their security applications are disrupted provides significant protection, at relatively low risk of interrupting legitimate activity.
Similarly, attempting to force installation of all operating system and application patches quickly becomes a management nightmare, requiring extensive testing and troubleshooting, as well as increasing the likelihood of inconveniencing end-users. An alternative approach may involve requiring only critical software patches, for instance those matching the following guidelines for Microsoft Windows environments:
* the vulnerable software is a core operating system or application component, or is otherwise widely deployed within the organization;
* the vulnerable software can be accessed without authentication or user intervention;
* the vulnerable software can be accessed over the network, and does not require local access for exploitation;
* the vulnerability allows an attacker to execute arbitrary malicious code, or otherwise compromise a target machine; and
* exploits for the vulnerability are in circulation.
Many Windows administrators also consider Internet Explorer patches mandatory, even though vulnerabilities usually require some level of user interaction for system exploitation. These guidelines can be modified to suit operating systems and environments, organizational security policies and risk tolerance.
An organizational desktop policy may require the following checks for more complete security coverage:
* critical operating system patches are installed;
* security applications are installed, up to date and running;
* corporate applications (e.g., e-mail, database) are installed and up to date; and
* OS and applications are configured for automatic updates, as necessary.
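The following is an added example, not code from the article or from InfoExpress, showing how a policy server might combine the pieces described above: the "antivirus must be running" check, the five guidelines for deciding which patches are critical, the organizational desktop checks just listed, and the periodic re-audit that moves a host off the production network when its status changes. Every name, VLAN number, patch identifier and posture value is a constructed assumption; real products expose these through their own agents and APIs.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed VLAN assignments the enforcement device would apply (assumed values).
PRODUCTION_VLAN = 10
QUARANTINE_VLAN = 99


@dataclass(frozen=True)
class Vulnerability:
    """One entry from a constructed vulnerability feed, tagged with the five guidelines."""
    patch_id: str
    core_or_widespread: bool      # core OS/application component, or widely deployed
    no_auth_or_user_action: bool  # reachable without authentication or user intervention
    network_reachable: bool       # exploitable over the network, no local access required
    code_execution: bool          # allows arbitrary code execution or host compromise
    exploit_in_circulation: bool  # exploits are in circulation


def is_critical(v: Vulnerability) -> bool:
    """A patch is mandatory only when all five guidelines hold."""
    return all((v.core_or_widespread, v.no_auth_or_user_action, v.network_reachable,
                v.code_execution, v.exploit_in_circulation))


def required_patches(feed: list[Vulnerability]) -> set[str]:
    return {v.patch_id for v in feed if is_critical(v)}


@dataclass
class Posture:
    """Endpoint configuration as reported by an agent or network scan (constructed)."""
    host: str
    installed_patches: set[str]
    running_processes: set[str]
    signature_age_days: int
    app_versions: dict[str, str]
    auto_update_enabled: bool


@dataclass
class Policy:
    av_process: str
    max_signature_age_days: int
    required_patches: set[str]
    min_app_versions: dict[str, str]
    require_auto_update: bool


def _version(s: str) -> tuple[int, ...]:
    return tuple(int(p) for p in s.split("."))


def evaluate(policy: Policy, posture: Posture) -> list[str]:
    """Return the list of failed audit conditions; an empty list means compliant."""
    failures = []
    if policy.av_process not in posture.running_processes:
        failures.append(f"antivirus process {policy.av_process!r} not running")
    elif posture.signature_age_days > policy.max_signature_age_days:
        failures.append("antivirus signatures out of date")
    missing = policy.required_patches - posture.installed_patches
    if missing:
        failures.append("missing critical patches: " + ", ".join(sorted(missing)))
    for app, minimum in policy.min_app_versions.items():
        have = posture.app_versions.get(app)
        if have is None or _version(have) < _version(minimum):
            failures.append(f"{app} missing or below {minimum}")
    if policy.require_auto_update and not posture.auto_update_enabled:
        failures.append("automatic updates disabled")
    return failures


class PolicyServer:
    """Remembers the last decision per host, so a re-audit only pushes a change
    to the network device when the access decision actually flips."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.current_vlan: dict[str, int] = {}

    def audit(self, posture: Posture) -> tuple[int, list[str], bool]:
        failures = evaluate(self.policy, posture)
        vlan = QUARANTINE_VLAN if failures else PRODUCTION_VLAN
        changed = self.current_vlan.get(posture.host) != vlan
        self.current_vlan[posture.host] = vlan
        return vlan, failures, changed


# Constructed sample data: placeholder identifiers, not real patches or hosts.
SAMPLE_FEED = [
    Vulnerability("PATCH-0001", True, True, True, True, True),   # mandatory
    Vulnerability("PATCH-0002", True, True, True, True, True),   # mandatory
    Vulnerability("PATCH-0003", True, True, False, True, True),  # needs local access: optional
]
SAMPLE_POLICY = Policy("av_scan.exe", 7, required_patches(SAMPLE_FEED), {"mail_client": "4.2"}, True)
COMPLIANT = Posture("lab-pc-01", {"PATCH-0001", "PATCH-0002"}, {"av_scan.exe", "explorer.exe"},
                    2, {"mail_client": "4.3"}, True)
# Same host on a later re-audit: the antivirus process has stopped.
DEGRADED = Posture("lab-pc-01", {"PATCH-0001", "PATCH-0002"}, {"explorer.exe"},
                   2, {"mail_client": "4.3"}, True)


def demo() -> list[tuple[int, bool]]:
    """Initial audit, then two re-audits; returns (vlan, pushed_to_device) per audit."""
    server = PolicyServer(SAMPLE_POLICY)
    return [(v, c) for v, _, c in (server.audit(p) for p in (COMPLIANT, DEGRADED, DEGRADED))]


if __name__ == "__main__":
    for vlan, changed in demo():
        print(f"vlan={vlan} push_to_switch={changed}")
```

The first audit lands the host on the production VLAN; the second, with the antivirus process gone, moves it to quarantine; the third re-audit sees no change and so sends nothing to the switch. For a phased rollout the same `evaluate` function can run in monitor-only mode (log the failure list, but leave `current_vlan` untouched) until the compliance picture is understood.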
Policy-enforcement systems create visibility into every aspect of an endpoint machine's configuration, including operating system and service pack levels, OS patches, installed applications, Windows registry, content of configuration files, even network environment and host name, if necessary. This flexibility permits administrators to tailor audit conditions for a variety of desktop and laptop platforms, organizational roles and computer locations. Similarly, policy-enforcement systems should enable phased implementation, allowing administrators to monitor the compliance of end-user systems before enforcing network restrictions and allowing for easier testing and integration.
For more information from Infoexpress: www.rsloads.com/503cn-257
Tina Bird is security architect for InfoExpress, Mountain View, Calif.