Road Warriors on Trojan Horses
Ensuring end user compliance reduces the cost of network security.
In ancient days, the people of Troyopened their gates to a splendid woodenhorse—which turned out to be filledwith Greek soldiers bearing maliciousintent. Once inside the walls of Troy’spreviously unassailable fortress, theGreeks swarmed out of the horse’s belly towreak havoc within the city.
The networks at educational institutionstoday may bristle with firewalls, intrusiondetection systems, and antivirus software,but attacks of malicious code continue todisrupt educational processes and administrativefunctions. The cost of repairing thedamage from these attacks is increasing asthe quantity, speed of contagion, andseverity ofworms and viruses increases.
The problem stems from an unfortunateconvergence of three factors: the proliferationof mobility through laptop adoption,ubiquitous access to the Internet through lesssecure means, and the disappointing persistenceof operating system vulnerabilities. Atthe same time, public Internet access points—whether wired or wireless—are seldomgoverned by security policies as stringent asthose guarding internal networks.
Now, as wireless access gains increasingpopularity, the threat of contamination isnot restricted to public Internet access.Trouble can also emerge from “rogue”wireless access points, set up internally bynetwork-savvy community memberslacking safeguards of the campuswideinfrastructure, as well as the frequentmigration of laptops to unprotected homenetworks during vacations.
A Curious Conundrum
Reversing a fundamental assumption thatinformation technology yields productivitygains and cost savings, the more educationalinstitutions spend on security, the moresupport staff and resources are required.The Yankee Group (www.yankeegroup.com) estimates that the cost of patching asingle user averages $243 a year, with costsrising as the number of users increases.
While the rapid growth of threats andthe faster disclosure of vulnerabilitiescertainly fuel this inversion, it also appearsthat most security solutions have, untilrecently, focused on threat containmentrather than threat reduction. This has led toan explosion in perimeter security productssuch as internal firewalls, and bruteforcetechniques such as shutting off ports.Not only is protecting the security perimetermuch more difficult when every legitimatemobile user is the perimeter, but mendingindividual devices on the edge becomes ahighly labor-intensive and expensive task.Simply stopping a virus or worm attack isnot enough to reduce the burgeoningcost ofsupport; it actually escalates the cost.
Balancing Risk and Responsibility
Both network administrators and technologymanufacturers are working hard toaddress the challenge of threat reduction.Most colleges and universities distributeCDs filled with the latest patches and theappropriate client-based software forstudents to install onto their devices.Online support pages are also frequentlyupdated with notices and software tools.
Manufacturers are introducing newfeatures to old standbys. IP firewalls areaugmented with internal firewalls, whichcan cordon off parts of the network occupiedby infected machines. Wirelessnetwork gateways are outfitted with device-scanning capabilities, and antivirus softwareis distributed faster and more easily.
Interestingly enough, while mostuniversities and colleges have deployedsome, if not all, of these products, most stillexperience a high incidence of networkbreaches that lead to costly cleanup efforts.The situation is perilously unbalanced: Theuser community possesses the ability tocontrol the level of risk, yet it d'es not bearthe responsibility for security breaches. Atthe same time, network administratorshave little control over user computers, butbear the responsibility for eliminatingsecurity risks and cleaning up after attacks.
“Not only is protecting the security perimeter difficult whenevery legitimate mobile useris the perimeter, but mendingindividual devices on the edge becomes a highly laborintensiveand expensive task. Simply stopping a virus orworm actually escalates the cost of support.”
However, the addition of a “hostintegrity” approach may alleviate thisimbalance. Host integrity solutionspossess the following two characteristics:
- An ability to enforce the updates ofspecified patches and antivirus definitionson user machines.
- A mechanism that allows the supportdesk to delegate to the users the task offixing infected or vulnerable machines.
These two capabilities allow networks torun healthier machines. But many usersdisregard administrator requests to uploadcritical security patches or new definitionfiles, or often fail to turn on antivirus software.Thus, some kind of enforcement anddelivery mechanism on the host is necessaryto complement and strengthen existingsecurity products by removing or decreasingthis element of human error. A solutionwith the following characteristics effectivelytakes security policy compliance out of thehands of the users and puts it back into thehands of the network administrators:
- they can identify machines that areinfected or possess vulnerabilities
- they can deny network access to usersuntil the latest antivirus files andpatches are applied
- if required by the administrator, theycan automatically initiate the downloadingof the specified files and fixes.
This approach yields several benefits:
First, infected computers never enter thenetwork; therefore, cannot spread maliciouspayload to other computers. Second,computers with the latest security updatesfor their operating system are less vulnerableto viruses and worms. Third, organizationscan enjoy the full benefits of antivirussoftware with the assurance that theclient components are operational, properlyconfigured, and current. Finally, shouldan attack succeed in penetrating thedefenses, fixes are easily distributed toafflicted computers so that network downtimeis minimized.
As security boundaries continue to blur,rendering irrelevant the terms “outside”and “inside,” institutes of education mustfind security solutions that complementexisting perimeter defenses. Hostintegrity solutions are increasingly necessaryas user computers are recognized asthe principal risks to network security.With mechanisms in place to ensurecompliance by end users—as well as lowcostdistributed methods to repair theircomputers—the soaring cost of networksecurity may decline. And in today’s environmentof tight budgets, that is onegenuine “gift horse” organizations cannotafford to decline.
Irene Sandler is marketing manager forCisco Clean Access (www.cisco.com).Previously, she was the director of marketingfor Perfigo Inc., a provider of network securityand control solutions, which wasacquired by Cisco last year.
This article originally appeared in the 08/01/2005 issue of THE Journal.