Quarantine for Computers

Nowadays, most companies’ IT systems are heavily fortified, and huge amounts of money are spent on monitoring and protecting all means of access to the internal network. Firewalls and intrusion prevention are now standard, viruses are usually caught at the gateway, and incoming emails are checked for spam by content filters on the email server. However, this external protection is increasingly failing, because employees and external service providers are bringing in worms and viruses that get past the security checks and into the company network via notebooks, USB sticks, and PDAs (personal digital assistants).

Mobility as a source of danger

The growing mobility and increasing popularity of portable devices pose new challenges for IT security, because notebooks take the reins out of the IT department’s hands. If, for example, a field sales employee accesses data using a customer’s Internet connection, the IT team has no control over how this connection is protected against worms and other bugs. The situation is the same in the home office, where only simple protection systems such as the integrated Windows XP personal firewall are usually in place. When an employee returns to the office, viruses that have gained access to the devices can spread without being noticed – perimeter security has been bypassed and doesn’t stand a chance.
A similar threat exists with USB sticks, which are often used to transport data between the company and the home office: it is impossible to ensure that infected files were not stored on the data media, and the viruses can then get past the gateway and onto the company network via the employee’s PC.

The dangers of spyware

Adware or spyware is another problem. These programs are usually distributed with free applications such as the “Kazaa” sharing software, and their purpose is to analyze user behavior in order to display specific advertising banners during Internet surfing. However, these marketing tools are also increasingly being used by unscrupulous people, and to help the bugs on their way, the programmers embed them in small tools, for example in icon collections. As a result, spyware and viruses are starting to resemble each other more and more. For example, virus protection manufacturer Kaspersky Lab recently issued a warning for a new variant of the browser hijacker “CoolWebSearch,” which spreads like a virus on the hard disk and infects files.
The problem with adware is that it cannot be removed using conventional virus scanners, because many of the programs do not cause direct damage, and they are also installed with user permission. The Meta Group includes spyware in its umbrella term “extended threats”. The Group believes its main danger lies in badly written code that adversely affects computer stability and thus user productivity.

Protection on the client

The PC – whether mobile or stationary – is becoming increasingly susceptible to all kinds of viruses. Protection of the client is therefore gaining importance in companies’ security strategies. The market researchers and manufacturers of security solutions have thought up a number of buzzwords such as “endpoint security,” “endpoint admission control,” or “network admission control,” which all describe the same thing: a client potentially infected by a damaging program should be denied access to key network resources as quickly as possible, to ensure that the infection cannot even start to spread.
The functions of an endpoint security solution are based on checking the state of a client before it accesses the network – a process similar to user authentication, where the user rights are queried before access to various resources is permitted. If the client meets certain criteria, normal access is allowed. However, if the client does not meet the specifications, it is put into quarantine for the sake of security. In the simplest case, the solutions check whether the installed virus scanner and patch level of the operating system are up to date. Other parameters such as the existence of a personal firewall can also be verified.
According to the Meta Group, three basic technical components are required here: One component ensures that only checked clients have access to company resources. This component can be integrated in switches that route incoming data to individual ports, or in VPN (virtual private network) routers. A second module is responsible for carrying out the check and communicates with the first component. This element is typically installed as an agent directly on the individual clients. The third element manages the relevant security guidelines. The checks to be carried out on the client are defined at this central point. Different requirements can be stored for different users or groups.

Quarantine if there is any doubt

It would hardly make sense to strictly prohibit any contact with the rest of the digital world for a client that did not conform to standards, because to bring virus signatures up to date, for example, a connection to the update server on the Internet or local network is absolutely essential. Quarantine areas are therefore a central element of endpoint security. Clients that are not to have complete network access for security reasons are connected to a sub-network. It is not possible to connect to enterprise-critical systems from this quarantine area, but to ensure that the affected user can continue to be productive, access to less sensitive applications, such as email servers, is still possible. In addition, different quarantine levels can be defined based on the potential danger posed by the client.
While this sounds quite clear and straightforward in principle, in practice it requires considerable effort. As the Gartner Group stated in its document “Protect Your Resources With a Network Access Control Process”, from December 2004: “Each device type will need its own unique set of security configuration policies that define a ‘desired state.’” After all, a notebook that is used outside the company’s IT system must be subject to different standards than a PC that never leaves the company premises. Similarly, access via a non-company computer, such as an external consultant’s notebook, or a business partner’s stock query will have a different weighting than the CEO’s PDA.

Some fall through the cracks

Gartner also found that some clients still need to be granted full network access even if the check on them was unsuccessful – either because they cannot be covered by the guidelines or because they are absolutely essential. In this case, the endpoint security solution must work together with the inventory systems used to manage and catalog the computers and software used, because administrators can only define exceptions if there is precise information on which systems are needed, with which configuration and for which tasks.
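The policy component, the posture check, the per-device-type “desired state” and the inventory-based exceptions described above, combined into a small decision engine. This is an added illustration, not code from the article or from any vendor’s product; the device types, thresholds, host names and zone names are all assumptions.

```python
from dataclasses import dataclass

@dataclass
class Posture:
    """State reported by the agent on the client (constructed sample fields)."""
    device_type: str            # e.g. "corporate_desktop", "corporate_notebook", "guest"
    av_signature_age_days: int  # age of the newest virus signature set
    missing_critical_patches: int
    firewall_enabled: bool

# Central policy store: one "desired state" per device type (assumed thresholds).
# Notebooks that leave the premises and guest machines get stricter rules.
POLICIES = {
    "corporate_desktop":  {"max_sig_age": 7, "max_missing_patches": 0, "require_firewall": False},
    "corporate_notebook": {"max_sig_age": 3, "max_missing_patches": 0, "require_firewall": True},
    "guest":              {"max_sig_age": 1, "max_missing_patches": 0, "require_firewall": True},
}

# Hosts the inventory system marks as essential: they keep full access even when
# the check fails, but the failures are still returned so admins can see them.
INVENTORY_EXCEPTIONS = {"erp-db-01"}

# What each access level may reach (assumed zone names for the enforcement point).
ZONES = {
    "full":                   {"internal", "update_servers", "email", "internet"},
    "full_exception":         {"internal", "update_servers", "email", "internet"},
    "quarantine_limited":     {"update_servers", "email"},      # still productive
    "quarantine_remediation": {"update_servers"},               # fix first
}

def assess(host, posture):
    """Return (access_level, failed_checks) for one client."""
    policy = POLICIES[posture.device_type]
    failures = []
    if posture.av_signature_age_days > policy["max_sig_age"]:
        failures.append("av_signatures_outdated")
    if posture.missing_critical_patches > policy["max_missing_patches"]:
        failures.append("missing_patches")
    if policy["require_firewall"] and not posture.firewall_enabled:
        failures.append("firewall_disabled")
    if not failures:
        return "full", failures
    if host in INVENTORY_EXCEPTIONS:
        return "full_exception", failures
    # Quarantine level depends on the danger: unpatched or multiply failing
    # clients only reach the update servers; a stale scanner alone keeps email.
    if "missing_patches" in failures or len(failures) > 1:
        return "quarantine_remediation", failures
    return "quarantine_limited", failures

def allowed_zones(level):
    return ZONES[level]
```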
The IT industry has also recognized the fundamental need for client-based protection measures that go beyond local virus scanners and personal firewalls. Only recently, Microsoft made the headlines when it announced it would be working closely with Cisco in this area. In its study “Making Sense Of Network Quarantine” from August 2004, Forrester Research stated that, “With recent announcements by both Cisco and Microsoft, network quarantine has become IT security’s hottest topic.” All the main providers of network technology and security solutions now have the relevant products in their portfolios: Cisco, Check Point and Enterasys are all trying to convince customers of the value of their technology. However, these market activities are still very new: Cisco only recently integrated Network Admission Control (NAC) in a few products, and Check Point launched a concept named “Total Access Protection” just a few months ago. “There is much room for improvement over the coming 12 to 24 months,” the Meta Group claims. “At the moment, Cisco is setting the overall pace,” says Meta Group analyst Carsten Casper. “Until a general standard is developed, the offers from this vendor will therefore be the focus of considerations, along with the solutions of other providers that support the Cisco approach.”

Jan Schulze