November 2005 Issue

Inside Current Issue: Insider

There Might Be an Agent in Your Agent-Less Solution
By Mitchell Ashley

Security-conscious organizations are becoming increasingly interested in network access control solutions. Administrators and security professionals are striving to better protect their networks from the dangers posed by both managed and un-managed endpoints.

One of the factors influencing the viability of a network access control solution is the need to maintain an agent or client on the endpoint. Many organizations are reluctant to commit to an agent-based approach; past experience has shown that it makes additional demands on IT resources. From their perspective, installing and supporting an agent on all network endpoints means an increased IT workload, support-related headaches, and unwanted complexity.

Solution vendors are aware of the problems surrounding the use of agents. As such, vendors make numerous claims of ‘agent-less’ or ‘client-less’ network access control products. In a majority of cases, these so-called agent-less products actually rely on an ActiveX browser plug-in to test endpoints. While the agent-less claim makes for a compelling marketing story, in reality an ActiveX control is still a client-side agent, just a non-persistent, network-delivered one, and it has many of the same administrative drawbacks as a persistent agent.

This month’s “Insider” clarifies how the “agent-less” label is being applied in the network access control market. It examines true agent-less solutions and ActiveX-based approaches that claim to be agent-less.

Network Access Control 101
Network access control technologies emerged in response to the shift from perimeter-focused attacks to attacks that target the endpoint, such as worms and Trojans. Endpoint-focused attacks attempt to gain access and spread havoc through exploits and ‘backdoors’ on PCs and remote and mobile laptops. Examples of such attacks include Blaster, MyDoom, Sobig, Sober, Zotob and many others.

Organizations have learned that they can’t adequately control or secure every endpoint accessing the network. Access is typically provided to corporate-owned endpoints, remote users, visitors, and employee-owned computers. Additionally, it’s next to impossible to police what users do on their devices; lax security habits, risky surfing activity, questionable software and peer-to-peer connections, to name a few, all provide opportunities to unknowingly pick up malicious code.

Network access control isn’t necessarily just about keeping the endpoint device secure—it’s about protecting the network from the havoc a single compromised endpoint can unleash. In that context, these technologies provide a method to police endpoints before they gain full access to the network. Network access control solutions typically have two primary functional components:
1. Testing—The security posture of the endpoint is assessed. Are OS patches up to date? Are AV definitions current? Are there spyware or Trojans residing on the device? Is required software, such as corporate security software, patch management and a personal firewall, present, up-to-date, and running?
2. Enforcement—Based on the testing results, the endpoint is quarantined, given restricted access, or provided full access to the network.

Numerous technical approaches are available to accomplish endpoint testing and enforcement. Initiatives such as Microsoft NAP and Cisco NAC are seeking to build these capabilities directly into the network infrastructure. Other vendors are leveraging existing network standards, such as 802.1X, to control access. Others are patching together a mix of established security technologies, such as vulnerability scanners, intrusion prevention systems, and personal firewalls, to accomplish the testing and enforcement end goal.

The Benefits of a True Agent-Less Approach
The agent-less approach to endpoint testing requires minimal resources to implement and support. It offers considerable benefits over testing through a persistent agent or an ActiveX control. Key advantages include:
1. Easily test unmanaged endpoints—Determine any endpoint’s security posture without installing an agent or downloading an ActiveX control.
2. No client-side software installation—Eliminates the need to support a downloaded or manually installed application. Additionally, testing can be accomplished on devices where application installation is prohibited.
3. Reduced or negligible help-desk calls—Eliminates the need to support/maintain/troubleshoot application software on each connecting endpoint.
4. Rapid deployment—Enables network access control system to be rolled out quickly. The application server is the only device requiring installation/configuration.
5. Eliminates the possibility of impacting endpoint performance—Agent installation can cause unforeseen problems with endpoint functionality. A true agent-less approach eliminates this risk.

True agent-less testing is doubly beneficial when applied to unmanaged endpoints—the devices that are not directly owned by the organization. These are the machines used by visitors, partners, and employees remotely connecting to the network with their home PCs. By definition, unmanaged devices represent a greater risk than managed or corporate-owned devices. Installing an agent (ActiveX or a persistent agent) on the majority of unmanaged devices connecting to your network is neither practical nor desirable. Agent-less testing, however, gives the organization a high degree of control over these machines—much more than was previously possible. It ensures unmanaged devices comply with security policy before they can access the network. Only an agent-less approach can accomplish this efficiently on a large scale.

ActiveX: An Agent by Any Other Name
ActiveX testing of endpoints can be a valuable alternative option when agent-less testing or testing through a persistent agent is not feasible. Advanced network access control solutions, such as StillSecure Safe Access, offer all three testing methods.

The issue with ActiveX testing is that it is not agent-less or client-less, as some vendors want you to believe. ActiveX controls are applications (i.e., agents) that are downloaded and launched from within Microsoft’s Internet Explorer (IE) browser. Because ActiveX controls are not permanently installed on the endpoint (i.e., not persistent), vendors relying on the technology feel they can claim to have an ‘agent-less’ solution. Not so.

Compared to true agent-less testing, ActiveX testing has a number of drawbacks:

1. ActiveX only runs in an ActiveX-compatible browser—Devices running Firefox, Netscape, Mozilla, or another browser cannot be tested.
2. Testing activities may be prohibited based on users’ permissions—Admin access is likely required for deep testing.
3. IE can be configured to block ActiveX controls—Blocking ActiveX is a common security practice.
4. The ActiveX control must be downloaded each time testing occurs—No capability to retest a device after it has been granted access. Machines that become non-compliant while connected are not identified. Not an option for dial-up or over slow WAN links.
5. The browser must be open for testing to occur.
6. ActiveX testing is likely to be unacceptably slow over dial-up connections.

When one or a combination of these conditions is present, the testing process itself is likely to fail, in which case two outcomes are possible:
1. The endpoint is given access without any assessment of its security posture.
2. The endpoint is placed into quarantine or denied access, resulting in a call to the help desk.

Even if a small percentage of devices experience problems with ActiveX testing, on large networks with thousands or tens of thousands of endpoints, it could overwhelm support and network administrators.

ActiveX has a place at the endpoint testing table, alongside true agent-less testing and testing through a persistent agent. There are instances where ActiveX may be the only option that will work, for example when the user does not have permission to install an agent. The key is not to rely on ActiveX as the only or even the primary method. Advanced network access control solutions offer multiple testing methods and allow you to prioritize the order in which they are applied to the endpoint. Such an approach ensures that the maximum number of endpoints will be tested with minimal impact on network and support resources.
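The following is an added illustration, not code from the article or from StillSecure: a small Python model of the two NAC components described under "Network Access Control 101" (testing, then enforcement) combined with the prioritized method ordering this paragraph recommends. The endpoint fields, test-method preconditions, posture check names and the fail-open/fail-closed switch are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Endpoint:
    # Constructed description of a connecting device (hypothetical fields).
    browser: str            # e.g. "IE" or "Firefox"
    activex_blocked: bool   # IE configured to block ActiveX controls
    has_admin: bool         # user has the rights that deep testing needs
    agent_installed: bool   # a persistent agent is already present
    posture: dict           # what a successful test would report

# Each test method returns posture results, or None when it cannot run.
def agentless_test(ep):
    return ep.posture               # network-side test: no client prerequisites

def agent_test(ep):
    return ep.posture if ep.agent_installed else None

def activex_test(ep):
    # Preconditions named in the article: IE only, ActiveX not blocked, admin rights.
    if ep.browser != "IE" or ep.activex_blocked or not ep.has_admin:
        return None
    return ep.posture

REQUIRED = ("os_patched", "av_current", "firewall_running", "no_spyware")

def assess(ep, methods):
    """Try methods in priority order; return (method name, posture) or (None, None)."""
    for name, method in methods:
        result = method(ep)
        if result is not None:
            return name, result
    return None, None

def enforce(posture, fail_open=False):
    """Map a posture result to full, restricted or quarantine access."""
    if posture is None:             # testing itself failed: the article's two outcomes
        return "full" if fail_open else "quarantine"
    failed = [c for c in REQUIRED if not posture.get(c, False)]
    if not failed:
        return "full"
    if "no_spyware" in failed:      # malicious code present: isolate the device
        return "quarantine"
    return "restricted"             # missing patch/AV/firewall: remediation access only

def decide(ep, methods, fail_open=False):
    name, posture = assess(ep, methods)
    return name, enforce(posture, fail_open)

ACTIVEX_ONLY = [("activex", activex_test)]
LAYERED = [("agentless", agentless_test), ("agent", agent_test), ("activex", activex_test)]
CLEAN = {"os_patched": True, "av_current": True, "firewall_running": True, "no_spyware": True}
VISITOR = Endpoint("Firefox", False, False, False, CLEAN)   # constructed unmanaged laptop
```

With only the ActiveX method configured, a Firefox visitor is never tested and the outcome depends entirely on whether the policy fails open or closed; placing the agent-less method first lets the same device be assessed and admitted on its actual posture.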

Conclusion
Knowing that administrators shun solutions that are labor and support intensive, many vendors attempt to pass off products that test endpoints through an ActiveX control as “agent-less” or “client-less.” In reality, ActiveX controls have the same drawbacks as a persistent agent, if not more.

True agent-less testing offers significant administrative advantages compared to ActiveX or agent-based testing approaches. No software is installed on the client side, so installation and support requirements are negligible. Unmanaged devices can be seamlessly tested, and there’s no chance of adversely affecting the performance or operation of the target endpoint.

About the Author
Mitchell Ashley is the Chief Technology Officer (CTO) and VP of Customer Experience at StillSecure. He can be reached at mashley@stillsecure.com or (303) 881-9353.
