With the onset of NAC (Network Admission Control) the boundaries of endpoint security have become blurred. NAC is a type of endpoint security product, but it is mainly a mechanism to check hosts as they connect to a network: it ensures that a host is clean and meets the minimum requirements needed to join that network. Different NAC products offer different features. Some go well beyond the minimal checks (an up-to-date anti-virus and personal firewall client on the endpoint, a properly patched and updated OS, no known malware on the machine) and offer more advanced checks, while others can be customized to insist on specific user-defined criteria as the minimum for access; for example, you may be required to have an anti-spyware tool on the endpoint as well. Ultimately a NAC solution does exactly what its name says, admission control: once a host has been admitted to the network, very few NAC products are able to remediate it if it becomes non-compliant during its connected session. Endpoint security looks at the endpoint and its activity (and hence at the user working on it) for the entire time it is connected to the network, so the two technologies naturally complement each other.
By contrast, Clientless Endpoint Security Management (CESM) is a broad endpoint security product that provides comprehensive command and control of all activity that occurs on the endpoint; servers can also be included in this description of endpoints. Rather than focusing on a single endpoint problem such as portable storage devices, CESM looks at all aspects of endpoint activity, from applications all the way down to processes and registry values. This gives CESM a much broader view of the endpoint, including the existing security and other solutions that currently reside on it. Customers looking to add a significant layer of security to the internal network need to consider how much value they will get from an endpoint security product as opposed to an endpoint security management product. An endpoint security product may resolve one issue that network endpoints suffer from, and more often than not involves deploying a client on each endpoint to address that specific problem. This is not cost effective and results in multiple products being purchased over time. CESM reduces the customer's investment in a number of ways. Firstly, there is no client deployment, so no time is spent installing a client on each and every machine. Secondly, CESM is able to identify unauthorized applications, processes, start-up commands, devices, toolbars and services that may be running on an endpoint. Legitimate services that are misconfigured, or that are being used in an environment where they should not be (for example, a wireless connection active on a machine inside the LAN), are also identified and repaired. The investment therefore buys much more functionality and has longevity, in that it does not need to be augmented by other solutions.
Finally, CESM is able to manage those third-party security clients that are so often disabled for one reason or another (including the NAC client), which would otherwise leave the network open to attack. If you are looking for endpoint security then CESM should be high on your list of considerations, so as not to waste investment on point solutions.
NAC, on the other hand, is not just a point product; it is a technology that goes hand in hand with Clientless Endpoint Security Management. NAC is becoming increasingly popular, whether in its original iteration from Cisco, Microsoft's NAP or the Trusted Computing Group's TNC; the concept has been proven and is necessary in most corporate networks to stop infected machines from entering a secure network. The technology is very effective in stopping worms and viruses from gaining a foothold on the network through the machines of authorized external users who are given access to it. NAC can be considered the new sentry, posted at the point of network access to put an end to worm infiltrations from outside machines. However, the number of users you have and how far you need to go in your deployment will determine both how much a NAC deployment costs and how effective it can be.
A typical NAC solution will quarantine an endpoint if it does not comply with certain prerequisites. In order not to increase the overhead on your help desk staff, some sort of automatic remediation needs to take place, or instructions on how to remediate the problem must be sent to the user. If the solution has no remediation capability of any type, it will dramatically increase the overhead on network administrators and help desk departments, because they will spend most of their time fixing non-compliant endpoints. The chosen NAC solution has to be efficient and offer remediation that does not require physical intervention; otherwise any perceived cost savings will be swallowed up by increased personnel costs.
Costs and ROI
The cost of a NAC solution, as mentioned earlier, really depends on the number of users or workstations connecting to the network and the level of NAC functionality that is needed. A full-blown Cisco deployment may include new switches and networking gear as part of the overall NAC deployment, unless you already have the latest Cisco equipment. This can be a large expense that may not seem justified, but given that, according to many industry studies, the cost of an internal breach can be prohibitively expensive, it would be wise to consider deploying NAC. Unfortunately, with NAC as with many security solutions, determining Return On Investment (ROI) for a preventative measure is not easy, because the calculation always rests on the probability of a security event occurring. For most security solutions the ROI calculation starts from the Annual Loss Expectancy (ALE), which is calculated as follows:
Incident cost x Probability of the incident occurring in a year = ALE (in risk-management terms, single loss expectancy (SLE) x annualized rate of occurrence (ARO))
This figure estimates how much a company can expect to lose per year to that category of security breach, whether in recovering from it or in repairing the damage. The ROI of the technology purchased to prevent such a breach is then calculated from the cost of the technology and the ALE for that category of breach: the reduction in ALE the technology delivers, less what it costs. The weak point is the probability term, which is usually an estimate rather than a measurement, so the resulting ROI is only as good as that estimate.
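As an added worked example (not part of the original article), the following Python models the ALE formula above in its standard single-loss-expectancy (SLE) x annualized-rate-of-occurrence (ARO) form, derives the ROI of a preventative control from it, and then shows how sensitive the answer is to the probability estimate. The threat figures, the control cost and the mitigation percentage are all constructed for illustration and are not taken from any study or product.

```python
"""ALE and return-on-security-investment (ROSI) worked example.

Added illustration; every figure below is constructed, not measured.
ALE  = SLE x ARO (the article's "incident cost x probability")
ROSI = (ALE saved by the control - annual control cost) / annual control cost
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    sle: float  # single loss expectancy: cost of one incident, in currency units
    aro: float  # annualized rate of occurrence: expected incidents per year

    def ale(self) -> float:
        """Annual loss expectancy for this threat alone."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float  # licences, hardware amortised per year, admin time
    mitigation: float   # fraction of the ALE the control is expected to remove (0..1)


def total_ale(threats) -> float:
    """Sum of the per-threat ALEs: the expected yearly loss with no control in place."""
    return sum(t.ale() for t in threats)


def rosi(threats, control: Control) -> dict:
    """ROI of a preventative control, expressed against the ALE it reduces."""
    before = total_ale(threats)
    after = before * (1.0 - control.mitigation)   # residual ALE once the control is deployed
    net_saving = (before - after) - control.annual_cost
    return {
        "ale_before": before,
        "ale_after": after,
        "net_saving": net_saving,
        "rosi": net_saving / control.annual_cost,  # > 0 means the control pays for itself
    }


def break_even_aro(threat: Threat, control: Control) -> float:
    """Incidents per year at which the control exactly pays for itself against one threat.

    Solves annual_cost = sle * aro * mitigation for aro.
    """
    return control.annual_cost / (threat.sle * control.mitigation)


def aro_sensitivity(threats, control: Control, scales=(0.5, 1.0, 2.0)) -> dict:
    """Recompute ROSI with every ARO scaled up or down, to show how much the answer
    depends on the probability estimate, which is the hardest input to justify."""
    out = {}
    for s in scales:
        scaled = [Threat(t.name, t.sle, t.aro * s) for t in threats]
        out[s] = rosi(scaled, control)["rosi"]
    return out


# Constructed sample inputs (hypothetical figures for illustration only).
THREATS = [
    Threat("worm outbreak via infected laptop", sle=250_000.0, aro=0.2),
    Threat("malware on host with disabled AV", sle=40_000.0, aro=1.5),
]
NAC = Control("NAC with auto-remediation", annual_cost=60_000.0, mitigation=0.7)


if __name__ == "__main__":
    r = rosi(THREATS, NAC)
    print(f"ALE before: {r['ale_before']:>10,.0f}")
    print(f"ALE after:  {r['ale_after']:>10,.0f}")
    print(f"Net saving: {r['net_saving']:>10,.0f}  ROSI: {r['rosi']:.2f}")
    for s, v in aro_sensitivity(THREATS, NAC).items():
        print(f"ARO x{s:<4} -> ROSI {v:+.2f}")
    print(f"Break-even ARO for '{THREATS[0].name}': "
          f"{break_even_aro(THREATS[0], NAC):.3f} incidents/year")
```

With these constructed inputs the control shows a positive ROSI at the estimated ARO, but halving the ARO estimate (the same incidents judged half as likely) drives the ROSI negative. That swing is the point the paragraph above makes: the probability term dominates, so a ROI figure for a preventative control should always be presented alongside the ARO assumption it rests on.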
With Clientless Endpoint Security Management solutions, calculating the ROI is much easier because CESM is not only a preventative security product but also a management solution that increases productivity and automates the management of endpoint security and remediation. Its clientless technology allows administrators to do almost all of the remediation of problematic endpoints from their own workstation. A CESM solution is also able to verify that third-party security agents are indeed installed and running on all endpoints, and if they have been disabled it can re-enable them itself. Because remediation occurs in the background there is no PC downtime: users can continue working while the administrator fixes problems remotely. These benefits, coupled with the relatively low cost of a CESM solution, make for a very quick ROI and a much simpler calculation.
In summary, NAC is a necessary solution to block the infiltration of worms and viruses from infected but authorized endpoints entering the network. A CESM solution is necessary to maintain endpoint security for the whole time the endpoint is connected, and to protect the network from users' unauthorized activity. A complete solution would be CESM including NAC functionality, giving customers the best of both worlds. However, if you only have the budget for one type of solution, examine where your pain is coming from. If you do not have many roaming users and most employees work within the confines of the corporate network, NAC is unnecessary and a CESM-type product will serve you well for the long term. If most of your employees are roaming and access the corporate network from a number of different networks, or you allow a number of external workers (contractors, temporary workers etc.) onto it, then NAC makes sense. If your budget can extend to both, consider a CESM solution with perhaps a lightweight NAC module.