There was a time when a network or security administrator could sleep soundly at night as long as the network perimeter was locked down. If he or she had configured the firewall properly and the perimeter antivirus software was doing its job, it didn't really matter how patched or secured the servers and desktops were within the network. Or so the logic went.
As the attacks and threats to computer networks have expanded -- now including phishing attacks and spyware among other things -- and the traditional definition of the network perimeter has disappeared, the rules have changed. Now, users carry PDAs and cell phones that are connected to the corporate network. They use laptops with wireless connections, transport data on USB flash drives and have all but negated the concept of outside or inside the network.
With these changes in how we use and transport data and the increasingly clever attacks designed to compromise and steal that data, the line of defense has moved from the perimeter to the desktop or other endpoint device. Securing the endpoint is the primary focus for most companies and security administrators now, and there is an ever-expanding selection of products aimed at helping them do just that.
It is common for desktop machines to be running antivirus software locally, and many organizations include other security software such as personal firewalls or antispyware at the desktop level as well. Organizations that employ a HIDS (host intrusion detection system) or HIPS (host intrusion prevention system) for additional monitoring and protection are becoming more common.
However, even with those tools installed, some administrators may not keep the systems up to date with the most current versions, and rogue systems that join the network still pose a risk. By taking advantage of some type of endpoint security verification, companies can make sure that insecure or unprotected systems are not allowed to connect to the network.
You can use Cisco Systems Inc.'s NAC (Network Admission Control) or StillSecure's Safe Access to assess the overall security of devices before they are allowed to connect to the network and then block or redirect those systems that do not comply with security policy or have out-of-date security software.
Products such as Centennial Software Ltd.'s DeviceWall take endpoint security one step further and lock down the ability of the endpoint to work with certain devices. Using DeviceWall, you can restrict the ability to use USB drives, digital cameras, MP3 players or even CDs or DVDs with the system. Designated users or groups can be assigned permission to use any or all of these portable storage methods, and the software can automatically encrypt data that is written to removable storage devices. SecureWave's Sanctuary and Smartline Inc.'s DeviceLock provide similar protection.
A key consideration when you are investigating endpoint security options is the administrative overhead of implementing and managing the product. If an endpoint security product requires an agent of some sort to be installed, it can be a logistical headache for the IT department and will not offer any protection against rogue devices that connect to the network without the agent software installed.
About the author: Tony Bradley is a consultant and writer with a focus on network security, antivirus and incident response. He is the About.com Guide for Internet / Network Security, providing a broad range of information security tips, advice, reviews and information. Tony is co-author of Hacker's Challenge 3 and author of the upcoming Essential Computer Security. He also contributes frequently to other industry publications. For a complete list of his freelance contributions you can visit S3KUR3.com.
