Whatever happens off-enterprise may not stay off-enterprise!

Here is a guest post from Eirik Iverson of Blue Ridge Networks. Thanks Eirik!

Whatever happens off-enterprise may not stay off-enterprise! That’s the basis for the whole network admission control (NAC) concept. It’s quite an understatement actually.

Malware infestations have become so sophisticated as to be practically invisible to typical administrators and the tools they can use proficiently. “Stuff” happens on PCs when no one from IT is looking, particularly off-enterprise, and it leads to helpdesk trouble tickets or data leaks. Prevention is critical, but not fool-proof. However, part-time policy enforcement is proof of foolishness. The old refrain is familiar: no anti-virus protection, no access to networked resources in the enterprise. But compliance on-enterprise does not guarantee compliance off-enterprise. A reliable software agent on each host can monitor that host and enforce policies wherever it happens to be.

Beyond anti-virus, there are many other controls and monitors that an enterprise employing best practices would ideally implement on- and off-enterprise (i.e., continuous monitoring and enforcement). Anti-spyware, personal firewall, disk encryption, and other client security agents must be running properly. Another control includes enforcing registry settings that harden a PC from hackers, malware, and user mistakes. Add to that application and device monitoring and controls over what software may/must/must-not run on a PC and what a user may do with removable media (e.g., thumb drives, DVD writers, etc.). The controls must also make PCs safe from whatever USB thumb drives end-users insert. ESET Inc. recently reported that roughly 10% of their malware detections originated from thumb drives.

Even with all of these monitors and controls in place, the job is not done because the risk space is not static. Today’s vulnerability/exploit report on a software application found on many off-enterprise laptops may require a workaround such as a registry change that sets an ActiveX kill-bit (which prevents Internet Explorer from loading a specific ActiveX control that could be exploited by a hacker), or perhaps rendering that software “unstartable” until a patch is available. Some risks may not fall neatly into an existing policy category and can only be assessed or countered through a custom script. Therefore, the policy enforcement agent must be capable of doing the unexpected, receiving policy updates, and returning log files when off-enterprise.
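As an added illustration of the kind of custom script such an agent would push to an off-enterprise laptop (this is example code, not EdgeGuard's or Blue Ridge Networks' own), the following PowerShell check verifies that a required ActiveX kill-bit is set, remediates it if not, and appends an audit record to a log file the agent can return later. The CLSID in `$RequiredKillBits` and the log path are placeholders, not real values from the post.

```powershell
# Windows records kill-bits per control under this key: a control is disabled when bit 0x400
# is set in the REG_DWORD value "Compatibility Flags" of the subkey named after its CLSID.
$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBitFlag = 0x400

function Test-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $KillBitRoot $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBitFlag) -ne 0)
}

function Set-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $KillBitRoot $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    # OR the kill-bit in so any other compatibility flags already present are preserved
    $new = [int]$existing -bor $KillBitFlag
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

# Policy list: CLSIDs that must be killed on this host (placeholder CLSID, not a real control)
$RequiredKillBits = @('{00000000-0000-0000-0000-000000000000}')

# Log location the agent returns when the host is next on-enterprise (assumed path)
$LogDir = Join-Path $env:ProgramData 'EndpointPolicy'
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

$report = foreach ($clsid in $RequiredKillBits) {
    $before = Test-KillBit $clsid
    if (-not $before) { Set-KillBit $clsid }
    [pscustomobject]@{
        Host       = $env:COMPUTERNAME
        Clsid      = $clsid
        WasSet     = $before              # false means the host was non-compliant when checked
        NowSet     = (Test-KillBit $clsid)
        CheckedUtc = (Get-Date).ToUniversalTime().ToString('o')
    }
}
$report | Export-Csv -Path (Join-Path $LogDir 'killbit-audit.csv') -Append -NoTypeInformation
$report | Format-Table -AutoSize
```

The script must run elevated to write under HKLM, which is exactly why the post argues for an agent that enforces policy independently of the end-user's privileges. On 64-bit Windows the 32-bit Internet Explorer reads the same key under `HKLM:\SOFTWARE\Wow6432Node\...`, so a complete check would inspect both views.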

Because endpoints are often off-enterprise and because IT organizations are often understaffed, many end-users are endowed with administrative privileges so they possess the flexibility they insist is required. Many of these users operate their PCs on a daily basis in this mode, increasing their susceptibility to malware infestations and increasing trouble ticket volume. Endpoint policies should not only reduce security risks but also prevent avoidable trouble tickets. End-users with administrative privileges, however, can circumvent endpoint policies. Such users warrant a hardier agent for administrators to employ, one that can render a critical application, such as Windows Defender, unstoppable despite the end-user’s administrative privileges.

Administrators can avoid finding themselves utilizing four different monitoring and control systems for endpoints on-enterprise, off-enterprise, using Wi-Fi, or using remote access VPN. Tight integration between Blue Ridge/Secure EdgeGuard™ and Microsoft's Network Access Protection (NAP) delivers a unified solution. This was demonstrated at InterOp Labs 2008. Check out this white paper posted on the SecureIT Alliance Web site to learn more about it. Additionally, you can learn more about other EdgeGuard capabilities, such as its defense against zero-day malware, on the Blue Ridge Networks Web site as well as many other information security challenges on our blog.

Eirik Iverson
Product Management
Blue Ridge/Secure EdgeGuard