Mobile madness: securing the endpoint
Road warriors have punched holes in the perimeter defences. Here's
how to reorganize your defences.
Ken Salchow, F5
Networks
Today's computer networks have no boundaries. Their perimeters
started moving a few years ago as road warriors began carrying their
laptops to sales or work sites, logging in for customer information,
critical construction plans and other necessary resources.
Next, they spread to the wireless and broadband networks in hotels,
airports and coffee shops, as travelling executives and managers
started logging in to read their e-mail or access year-end data
for tomorrow's big meeting. Now, most office staff work every so
often from home and others log in from all over the place using
all sorts of devices, from laptops to PDAs to cellphones and even
public kiosks. All access your confidential corporate data.
Ultimately, just like every other aspect of network and information
security, this problem is best countered with a multi-layered,
comprehensive model of assessment and protection. This provides a
reliable degree of security where there was none.
Aside from the obvious secure tunnel, the first layer must take
place at the endpoint itself. This should have basic security (anti-virus,
firewall and other malware protection) in place.
The second layer should occur at the gateway. This should include
components that can interrogate the endpoint reliably to ensure
this baseline security is in place before granting network access.
Lastly, all of this hinges on another layer of protection, the
network access and endpoint security policies themselves.
Endpoint interrogation
SSL VPNs handle access securely on the basis of who requests access
and from where. To some degree, SSL VPN vendors can test for things
like the absence/presence of anti-virus and personal firewall software,
the last time these were updated and whether they're from a trusted
vendor. Most can also check things like operating system, version
and patch level, browser version and patch level, SSL cipher-spec,
and a host of other variables. Doing this, however, requires integrating
the VPN with a new and emerging group of products known as endpoint
security policy enforcement (ESPE) products.
According to market research firm Stratecast Partners, the ESPE
market is immature and shifting. Its outcome depends mostly on whether
or not the two dominant stakeholders, Cisco and Microsoft, will
develop products that can interoperate.
The problem is, most vendors support only one or two anti-virus
or personal firewall vendors, and require custom code or pre-installed
software on each device to get the most protection. In fact, Microsoft
and Cisco have yet to ship such products at all.
So how can you run these tests against products that are not supported,
and which, in the case of the employee-owned device, could be any
one of hundreds of security applications? To meet the real market
demand, vendor products need to interrogate all kinds of security
products that run on all types of devices and brands of operating
systems, regardless of whether they are remote, wireless or local
to the corporate network.
What do you enforce?
Developing these policies takes a lot of planning and hard work.
To get started, you must understand who accesses your network
remotely and for which resources. Most of this becomes clear from
watching network traffic and following up with discussions with
the business department leaders to understand their users' behaviours.
This provides general information about device type, access medium
(wireless mobile devices, static home PCs, etc.) and location. From
that, you can start forming baseline policies based on time, location
and device type.
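To make the gateway-side checks described under "Endpoint interrogation" and the baseline policy outlined above concrete, here is an added example (not code from the article or from F5) of a small posture-policy evaluator. The report fields, the vendor names "AcmeAV" and "ExampleSec", the resource names and the seven-day signature threshold are all hypothetical; a real ESPE product supplies the report, this only shows how a policy maps it to an access decision.

```python
# Added example, not from the article: a minimal endpoint-interrogation policy
# of the kind an SSL VPN gateway applies before granting access. The report
# fields, vendor names, resource names and thresholds are all hypothetical.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class EndpointReport:
    """Posture facts the gateway collects from the connecting device."""
    device_type: str                       # "corporate_laptop", "home_pc", "pda", "kiosk"
    os_patched: bool                       # OS at the required patch level
    antivirus_vendor: Optional[str]        # None when no anti-virus was detected
    antivirus_sig_age_days: Optional[int]  # None when the signature age is unknown
    firewall_enabled: bool
    location: str                          # "office", "home", "hotspot"


TRUSTED_AV_VENDORS = {"AcmeAV", "ExampleSec"}      # hypothetical vendor names
MAX_SIG_AGE_DAYS = 7                               # hypothetical baseline
LIMITED_RESOURCES = {"webmail"}                    # reachable by a degraded device
FULL_RESOURCES = {"webmail", "file_shares", "erp"}


def evaluate(report: EndpointReport) -> Tuple[Set[str], List[str]]:
    """Map a posture report to (permitted resources, reasons).
    Hard failures deny everything; stale signatures or an untrusted context
    (non-corporate device, public hot-spot) restrict access to LIMITED_RESOURCES."""
    deny: List[str] = []
    degrade: List[str] = []
    if report.device_type == "kiosk":
        deny.append("public kiosks are never trusted")
    if not report.os_patched:
        deny.append("operating system below required patch level")
    if report.antivirus_vendor not in TRUSTED_AV_VENDORS:
        deny.append("no anti-virus from a trusted vendor")
    elif report.antivirus_sig_age_days is None or report.antivirus_sig_age_days > MAX_SIG_AGE_DAYS:
        degrade.append(f"anti-virus signatures older than {MAX_SIG_AGE_DAYS} days")
    if not report.firewall_enabled:
        deny.append("personal firewall disabled")
    if deny:
        return set(), deny
    if report.device_type != "corporate_laptop":
        degrade.append("non-corporate device")
    if report.location == "hotspot":
        degrade.append("public wireless hot-spot")
    if degrade:
        return set(LIMITED_RESOURCES), degrade
    return set(FULL_RESOURCES), ["compliant corporate device"]
```

The reasons list is what you would log at the gateway so that a denied or restricted user, and the help desk, can see which baseline check failed.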
There's no stopping remote access. We all know it is a matter of
competitive advantage to all forms of business. From my experience
with sales teams and executives who travel non-stop, I know their
real need is to have a consistent and reliable VPN connection from
hotels, customer networks and wireless hot-spots like those at Starbucks
and airport lounges.
Making it secure takes a lot of work at both the infrastructure
and policy level, with ongoing education of end users. If planned
and executed right, remote access will continue to be a competitive
advantage, without creating new security risks for the well-protected
enterprise network.
About the author
Ken Salchow has worked for F5 Networks for the past five years where
he has served in several capacities, currently as a security systems
architect. He is an MCSE, CCNP, N+, C|EH, CCE, and CISSP. In addition,
he is the owner and operator of Binary Forensics, LLC (http://www.b4n6.com/),
a boutique computer forensics lab that serves the legal community
in criminal and civil litigation, and Digital Interlopers, LLC,
a boutique penetration testing organization for small and medium
business entities. He lives in Minnesota.