Is combined security the way forward, or just another management headache?

In the cat-and-mouse game of computer security, a new development sometimes causes a big change in thinking. The Code Red worm...

In the cat-and-mouse game of computer security, a new development sometimes causes a big change in thinking. The Code Red worm was one such development.

It spread automatically by searching for vulnerable web servers - which can include client machines - and did not require e-mail forwarding or opening of attachments.

According to information from security supplier Symantec, Code Red doubled its infection rate every 37 minutes. Other worms, such as Sasser and MSBlast, followed this trend.

Companies realised that simply patching every couple of weeks was not good enough, because just as the time between an exploit being discovered and exploited was decreasing, so worm propagation times were falling. "We can no longer do everything using just signatures," said Rob Clyde, chief technology officer at Symantec. "We need more pro-active security."

Symantec uses the client compliance concept to help lock down network infrastructures. The idea is that infections often come from laptops or PCs that are used away from the office and then reconnected to the network. If the network can authenticate a client to ensure it is safe before it allows it to connect, it can protect the rest of the infrastructure.

Network supplier Cisco has promoted this concept with its Network Admission Control initiative, in which its access control server verifies an agent on the client before allowing it to connect. Microsoft will follow the idea with the Network Access Protocol technology in Windows 2003 Service Pack 2. Network Associates is also offering its own brand of client compliance products, and other firms will inevitably be looking into the idea.

Will getting the network to authenticate a client work? Not a chance, said Richard Stiennon, vice-president of threat research at desktop security software firm Webroot. These companies are attempting to marry the server and the desktop together as part of one security strategy, he said. That sounds good in theory, but companies tend to buy security products for the desktop and the server in different cycles. Trying to package them together will lengthen the sales cycle

Even if companies such as Cisco and Microsoft have time to spare, their customers do not, and the chances are that any companies rolling out these products are going to have some management headaches, said Stiennon.

There has always been tension between users, who want ease of operation, and security technology, which can create barriers to easy access. Client compliance technologies will lean too heavily towards obstruction, said Stiennon. "Enterprises have thousands of desktops. All you are doing is introducing more pain if you are forcing all these different security solutions to be up to date, and if you are going to stop a person from getting connected," he said.

That is not the only problem, said Arthur Barnes, technology security consultant at Diagonal Security. The client compliance doctrine assumes that the corporate network is a well-managed, well-designed infrastructure and that client machines are the only unknown quantity. Nothing could be further from the truth, said Barnes, who has worked as a penetration tester. "Speak to any network manager and they will say, 'Of course it's secure'. Get them down the pub and after a few pints they will tell you that they are not sure what is on the network." That is because many networks' server nodes and subnets spring up on demand. If the network is an unknown quantity how can you start to protect it?

Stiennon prefers to focus on what he calls "secure network fabric". The idea is to secure network nodes as far as possible by putting anti-virus technology in system builds and implementing the proper policies in e-mail servers, but assuming the worst about the nodes.

Put smart security products in the switching fabric. Get the switches to watch for suspicious activity, such as huge increases in traffic on certain ports, for example. After all, why would a desktop PC try to open 400 connections per second to its peers, unless a worm such as Nimda was directing it?

Choke off suspicious traffic and escalate the problem to intrusion detection systems or flag it on a management console.

The upside of this is that the PCs that connect to the network do not have to use pre-installed client agents. This makes it easier for third-party consultants to connect your network, or for a manager with a Windows 98 PC at home to log in and get his files.

This is similar to what Hewlett-Packard did last year in its trusted systems lab, said departmental manager Richard Brown. Its Virus Throttling technology assumes even the most fastidious PC user will be infected with a worm sooner or later. It compares all machines with known behaviour patterns of non-infected machines, and flags an alert if it detects suspicious activity.

Similarly, its complementary Active Countermeasures system does not use client-side agents. Instead, it maintains a list of currently known exploits and tries to break into clients using those exploits when they connect to the network. If a client proves impervious, it is allowed on to the network. If it is vulnerable, it can be quarantined until it is patched.

HP expects to offer Active Countermeasures as a product or service this year. It is trying to pursue the benefits of the client compliance concept without incurring the management overhead of an agent-based system. It is also participating in the Trusted Computing Group's Trusted Network Connect (TNC) group and working closely with Cisco.

TNC is trying to standardise the client compliance concept, but Cisco is going it alone, snubbing TNC and relying on its own market influence to push things through. "It would be preferable if all industry players were to sit around the table at the same time," said Boris Balacheff, trusted computing researcher at HP. In the meantime, HP will try to bridge the gap.

Products may appear, but users have to prepare themselves for the management problems that will inevitably follow. For the time being at least, decoupled server/desktop products are likely to be easier to implement.

An alternative approach     

VMware has an interesting approach to client compliance. The company, which built its reputation selling virtual machines, sells VMware ACE, a virtual desktop installation for remote users.  

The IT department creates a build for users to install on their home machines. The build is contained in a virtual machine - a full operating system running within the underlying Windows operating system. Users of the virtual operating system can log into the corporate network safe in the knowledge that their operating system is shielded from any malware on the underlying system. 

It sounds good in theory, but VMware's director of product management, Karthik Rau, admits that as a system running on top of the existing operating system instead of directly on the silicon, it is still vulnerable to attack.  

"When you are running on top of the existing OS, if the OS is compromised, any applications that are running on top of it are vulnerable," he said.

Read more on Antivirus, firewall and IDS products