Post date: Oct 29, 2012 4:10:09 PM
There is currently a lot of interest in better controlling device access to the network and in determining the configuration of a device before it is allowed onto the network. The basic approach is being called end-point enforcement. The idea is to make sure that devices such as laptops and PCs have proper anti-virus and other security software installed before they are allowed access to the network. The hope is that this will reduce the number of problems with malware coming in on laptops and infecting the rest of the network.
The question is: can these software packages do this without significant involvement and support from the network devices themselves? And could they really solve the problem?
There are two major challenges I see for these end-system-only solutions:
1. How to deal with devices that cannot have the agent loaded on them, such as printers, access points, and consultant or guest laptops.
2. How to deal with agents that have been compromised, or with a "fake" agent that will lie.
Because these end-point security solutions tend to be proprietary, other vendors such as printer manufacturers cannot incorporate the necessary software into their network devices. This means that some exception mechanism must be created for devices such as printers. But this creates a significant security hole: I can now pretend to be the printer to get access to the network. If I take the printer's MAC and IP addresses, I am now on the network and can access it. This same technique would work for other devices, such as access points, as well.
Since printers are generally in publicly accessible areas inside an organization, this becomes a significant problem. In some ways this is analogous to the problems we had with fax machines and modems in the mid-90s.
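One way a defender can narrow the exception-list hole described above is to stop treating an exception as "this MAC is always fine" and instead pin each agentless device to the switch port and DHCP vendor class it was registered with, then flag any appearance of that MAC that does not match. The following is an added example, not code from the original post; the exception entries, the log line format and the vendor-class strings are all constructed for illustration.

```python
import re

# Constructed NAC "exception list" for agentless devices: each MAC is pinned
# to the switch port and DHCP vendor class (option 60) seen at registration.
# All values are hypothetical.
EXCEPTIONS = {
    "00:11:22:33:44:55": {"port": "sw1/Gi0/7", "vendor_class": "Hewlett-Packard JetDirect"},
    "66:77:88:99:aa:bb": {"port": "sw1/Gi0/12", "vendor_class": "ArubaAP"},
}

# Constructed event lines in a hypothetical format produced by correlating
# DHCP and switch port data: <timestamp> mac=<mac> port=<port> vendor_class=<text>
SAMPLE_LOG = """\
2012-10-29T15:58:01 mac=00:11:22:33:44:55 port=sw1/Gi0/7 vendor_class=Hewlett-Packard JetDirect
2012-10-29T16:02:44 mac=00:11:22:33:44:55 port=sw2/Gi0/3 vendor_class=MSFT 5.0
2012-10-29T16:05:10 mac=66:77:88:99:aa:bb port=sw1/Gi0/12 vendor_class=ArubaAP
2012-10-29T16:09:31 mac=de:ad:be:ef:00:01 port=sw1/Gi0/9 vendor_class=MSFT 5.0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) mac=(?P<mac>[0-9a-f:]{17}) port=(?P<port>\S+) vendor_class=(?P<vc>.*)$"
)


def check_exceptions(log_text, exceptions=EXCEPTIONS):
    """Return one finding per line where an exception-list MAC appears on a
    different switch port or with a different DHCP vendor class than it was
    registered with. MACs not on the exception list are left to the normal
    agent-based posture check and produce no finding here."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        reg = exceptions.get(m["mac"])
        if reg is None:
            continue
        reasons = []
        if m["port"] != reg["port"]:
            reasons.append(f"port {m['port']} != registered {reg['port']}")
        if m["vc"] != reg["vendor_class"]:
            reasons.append(f"vendor class {m['vc']!r} != registered {reg['vendor_class']!r}")
        if reasons:
            findings.append({"ts": m["ts"], "mac": m["mac"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in check_exceptions(SAMPLE_LOG):
        print(f["ts"], f["mac"], "; ".join(f["reasons"]))
```

On the sample data only the second line is flagged: the printer's MAC shows up on another switch with a Windows DHCP fingerprint. Neither check helps once the printer's own port is used, so this still needs to be paired with physical port security.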
The second problem is significant because more and more security software itself has become the target of crackers and "security researchers". This means that these agents can become compromised, opening a hole inside the network. In addition, because the attack surface of an agent running on an end-station is so large, it is very difficult to secure completely.
The problems with these solutions can be summarized as "doing in a better and more integrated way the same thing that has not worked for the last 10 years".