Many people believe that every network device and endpoint should be responsible for its own security. As a result, desktop security is often set up in layers, so that if malicious software manages to get through one point, there's another point of protection.
While this is a popular method -- and it deserves your attention -- I contend that endpoint security is worthless against virulent malware (the kind you buy endpoint security products to protect against). If you haven't stopped malignant code at your perimeter, then you've already lost the battle, and your efforts ought to go toward cleanup and getting back to a known-good environment.
Endpoint security agents are just another thing to manage on top of other software packages that require planning, deployment, maintenance, tracking, relicensing, upgrading and removal. You need to learn how to use security software because a misconfigured product is not only worthless; it's also negligent behavior and an invitation to attack. It's also another expense for your company. In today's era of tightened budgets, you're probably under pressure to make IT look a little more like a profit center and a little less like a cost center.
In addition, have you ever heard the old saying, "An ounce of prevention is worth a pound of cure"?
There are many reasons why it's better to stop malware of any kind from getting into your network than to rely on desktop programs to stop it. Internally, firewalls have as many holes as Swiss cheese. For instance, ports are opened to access old versions of QuickBooks, and users need Remote Desktop Protocol to reach lab machines from their desktops. These firewalls are meant as a last line of defense -- and they're not even great at that.
Furthermore, human error can cause disastrous results. Regardless of how many times (and in how many ways) you tell someone not to open email attachments from an unknown party, the very second they see a cute puppy face, they're double-clicking even if Hosni Mubarak sent it to them. (No, they're probably not old friends.)
Think of the human body -- you'd rather keep out harmful foreign substances completely than fight them internally. Your network should operate similarly. Individual desktops shouldn't have to stave off potentially life-threatening infections to your network.
Edge protection is where you should be defending your network. Spend your efforts and money making sure the malware never gets into your network in the first place.
ABOUT THE AUTHOR
Jonathan Hassell is an author, consultant and speaker residing in Charlotte, N.C. His books include RADIUS, Hardening Windows and, most recently, Windows Vista: Beyond the Manual.
This was first published in March 2011