Sep 02 2004
Security Quarantine
“Welcome to the network. Before you can go any further, we have to make sure your anti-virus and all your patches are up to date. Sorry if this causes you any inconvenience.”
I received this article from Security Wire Perspectives, an email newsletter I receive regularly, and I thought it to be worth your time to read. We are implementing portions of this in our corporate network, but I’m actually surprised it’s taking this long to catch on. I guess it just makes too much sense for this idea to have been implemented before.
ISOLATE THIS: SECURITY QUARANTINES GROW
By Mathew Schwartz, Contributing Writer
Remember the days when dialing up via IPsec VPN software — when it
worked — granted immediate access to the corporate LAN? Consider
those days of instant access numbered. The problem: Enterprises
continue to get hammered by PCs without up-to-date antivirus
signatures, patches or other adequate security controls.
Today’s mobile workforce is often unavailable for PC updates.
“Enterprises have been more and more impacted by the mobility of
their workforces,” said Scott Olson, senior vice president of
marketing for endpoint security vendor WholeSecurity in Austin,
Texas. In short, since “the nature of the network has changed, so
your security approaches have to change as well.”
New security approaches include network quarantining and
endpoint-security checking. Simply put, PCs get restricted to network
quarantine zones, then upgraded until they pass security muster.
While easy application of this paradigm to all machines accessing the
LAN, whether from inside the enterprise, via wireless network, or
VPN, isn’t yet a reality, the movement is growing rapidly.
“Most large enterprises have been doing bits and pieces of this, in
terms of the quarantine and [forced] updating,” said Matthew Kovar,
vice president of security solutions and services at the analyst firm
Yankee Group in Boston. Yet “within the next year, I think you’ll see
50% of Fortune 100, if not closer to 80% or 90%, doing this.” As the
features become baked into products, expect continued uptake. For
example, Microsoft announced quarantine capabilities for Windows
Server 2003 via an upgrade by late 2005.
Two initiatives should also drive adoption: the Cisco Network
Admission Control (CNAC) program, a collaboration between Cisco and
antivirus companies McAfee, Symantec and Trend Micro; and Microsoft’s
Network Access Protection, which boasts 28 partners. (Note Cisco
plans to introduce a vendor-neutral API for integrating
endpoint-checking software into CNAC.)
Some new Cisco routers already have quarantine capabilities, with
switch support likely in the near future. The latter would be a
crucial step to applying the endpoint-checking paradigm to the entire
LAN. Analysts, however, suspect first-generation quarantining will
only work in homogeneous networking environments — Cisco might not
play well with 3Com and Nortel, and vice versa, for example.
around that is network quarantine offerings from such vendors as
Enterasys Networks, Perfigo and Vernier Networks.
During quarantining, endpoints can be subjected to a variety of
security checks. Antivirus, antispyware, vulnerability checkers and
the like are “going to have a polling process — is this system good?
– and they’ll have a veto process,” said Rick Bilodeau, director of
corporate marketing at enterprise connectivity provider iPass in
Redwood Shores, Calif. If a machine fails, it can be forced to wait
for important upgrades before receiving full network access.
WholeSecurity and iPass already offer such capabilities, as do
appliance makers Mirage Networks and InfoExpress. iPass is also
developing software to coordinate a variety of endpoint checks at
once.
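The polling-and-veto process described above can be illustrated with a small admission-control policy engine. This is an added example, not code from the article or from any of the vendors it names; the posture fields, the seven-day signature-age threshold, the patch identifier and the simulated remediation step are all constructed assumptions for illustration. Each check is polled with the question "is this system good?", any single failure vetoes full access, and the host is held in a quarantine zone and re-polled after remediation.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Constructed posture report, as an endpoint agent might submit it on connect.
@dataclass
class PostureReport:
    host: str
    av_signature_age_days: int           # days since the last antivirus signature update
    missing_critical_patches: List[str]  # patch identifiers still not installed
    host_firewall_enabled: bool

@dataclass
class AdmissionDecision:
    host: str
    zone: str                            # "corporate" (full access) or "quarantine"
    failed_checks: List[str] = field(default_factory=list)

# A check is polled with the report and answers (passed, human-readable reason).
Check = Callable[[PostureReport], Tuple[bool, str]]

MAX_SIGNATURE_AGE_DAYS = 7  # assumed policy threshold, not taken from the article

def antivirus_check(r: PostureReport) -> Tuple[bool, str]:
    ok = r.av_signature_age_days <= MAX_SIGNATURE_AGE_DAYS
    return ok, (f"antivirus signatures are {r.av_signature_age_days} days old "
                f"(maximum {MAX_SIGNATURE_AGE_DAYS})")

def patch_check(r: PostureReport) -> Tuple[bool, str]:
    ok = not r.missing_critical_patches
    return ok, "missing critical patches: " + ", ".join(r.missing_critical_patches)

def firewall_check(r: PostureReport) -> Tuple[bool, str]:
    return r.host_firewall_enabled, "host firewall is disabled"

CHECKS: List[Check] = [antivirus_check, patch_check, firewall_check]

def admit(report: PostureReport, checks: List[Check] = CHECKS) -> AdmissionDecision:
    """Poll every check; any failure is a veto that sends the host to quarantine.
    All checks run (no short-circuit) so the remediation list handed to the
    user is complete on the first round."""
    failures = []
    for check in checks:
        ok, reason = check(report)
        if not ok:
            failures.append(reason)
    zone = "quarantine" if failures else "corporate"
    return AdmissionDecision(report.host, zone, failures)

def remediate(report: PostureReport) -> PostureReport:
    """Simulated remediation performed while the host sits in the quarantine
    zone: signatures updated, patches installed, firewall enabled. Constructed
    for the example; a real deployment would push these from update servers
    reachable only from the quarantine zone."""
    return PostureReport(report.host, 0, [], True)

def admit_with_remediation(report: PostureReport, max_rounds: int = 3) -> List[AdmissionDecision]:
    """Re-poll after each remediation round until the host is admitted or the
    round budget is exhausted; returns the decision history."""
    history = []
    for _ in range(max_rounds):
        decision = admit(report)
        history.append(decision)
        if decision.zone == "corporate":
            break
        report = remediate(report)
    return history

# Constructed sample reports: one compliant laptop, one that has been on the road.
SAMPLE_REPORTS = [
    PostureReport("laptop-01", 2, [], True),
    PostureReport("laptop-02", 30, ["PATCH-ID-PLACEHOLDER"], False),
]

if __name__ == "__main__":
    for r in SAMPLE_REPORTS:
        for d in admit_with_remediation(r):
            print(d.host, "->", d.zone, d.failed_checks)
```

Running every check rather than stopping at the first veto is a deliberate design choice: it gives the quarantined user one complete list of what must be fixed instead of a new surprise after each reconnect, which is the "inconvenience" the quote at the top of this post apologises for.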
In short, while not granting immediate network access to users is a
paradigm shift, security managers may find it worth the wait.
Cisco Network Admission Control (CNAC) program:
http://www.cisco.com/en/US/netsol/ns466/networking_solutions_sub_solution_home.html
Microsoft Windows Server 2003: Network Access Protection (NAP):
http://www.microsoft.com/windowsserver2003/technologies/networking/nap/default.mspx
Microsoft’s initial Network Access Protection (NAP) press release:
http://www.microsoft.com/presspass/press/2004/jul04/07-13NAPSupportPR.asp