The worms that threatened Windows computers last week made clear once again that vulnerable desktops and laptops pose a serious threat to network security - but the answer to shoring them up remains murky.
Vendors are developing such a wealth of products and security architectures for keeping potentially infected machines off the network and shutting down badly behaving ones that customers might have trouble figuring what is best for them, experts say.
“Everyone is rushing into network access control, and there are still a lot of start-ups coming in,” says Chris Liebert, senior network security analyst for The Yankee Group.
Seventy-four percent of 304 IT executives surveyed by IDC say they expect to spend more on this type of endpoint security within the next two years, and 15.5% say they expect the increases to be large or very large.
The two vendors carrying the most clout in this area are Cisco and Microsoft, which have announced and started to implement their respective plans for ensuring individual devices meet network security policies. Their products are so pervasive that many customers might be swept along by their endpoint security plans, Liebert says.
Both companies have compiled long lists of vendors that agree to support their schemes, making them more attractive to customers who already own gear made by these security partners.
Cisco’s Network Admission Control (NAC) requires all-Cisco networks with all the gear upgraded to a certain software revision. Microsoft’s Network Access Protection (NAP) is based on software in Windows clients and servers that relies on cooperation of hardware vendors for enforcement.
Network vendors Juniper and Nortel have their own endpoint security schemes, as do a host of security vendors including Check Point, Endforce, Vernier, Nitro Security, Mazu and LANCope. Many remote access VPN vendors have their own endpoint security software that determines whether machines are admitted to VPNs but that doesn’t fit into larger endpoint security frameworks for corporate networks.
Security specialist Symantec recognizes the importance of such technology, as demonstrated by its planned purchase of Sygate, announced last week. Sygate has arguably one of the best-developed endpoint protection offerings, says Chris Christiansen, an analyst with IDC.
The common thread among these products is that a central server scans machines before they gain network access to see, for example, if they have personal firewalls properly configured and running, anti-virus software updated and running, and properly patched operating systems. “It comes down to checking the endpoints with a client to see if they are compliant with a policy that says they are safe to be admitted to the network,” Christiansen says.
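To make the policy check described above concrete, here is an added example (not code from any vendor named in the article) of the decision a central admission server makes once a client has reported its posture. The endpoint fields, the policy thresholds, the patch identifiers and the sample endpoints are all constructed for illustration; real NAC agents and policy formats differ by product.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Posture as reported by a (hypothetical) endpoint agent. Field names are
# assumptions for this example, not any vendor's schema.
@dataclass(frozen=True)
class EndpointPosture:
    host: str
    firewall_enabled: bool
    av_running: bool
    av_definitions_date: date
    installed_patches: frozenset  # patch identifiers present on the machine

# Admission policy: what "safe to be admitted" means for this network.
@dataclass(frozen=True)
class AdmissionPolicy:
    max_av_definition_age: timedelta
    required_patches: frozenset

@dataclass(frozen=True)
class Decision:
    host: str
    admitted: bool
    violations: tuple  # human-readable reasons, empty when compliant

def evaluate(posture: EndpointPosture, policy: AdmissionPolicy, today: date) -> Decision:
    """Check one endpoint against the policy; any violation denies admission."""
    violations = []
    if not posture.firewall_enabled:
        violations.append("personal firewall is not enabled")
    if not posture.av_running:
        violations.append("anti-virus software is not running")
    age = today - posture.av_definitions_date
    if age > policy.max_av_definition_age:
        violations.append(f"anti-virus definitions are {age.days} days old")
    missing = sorted(policy.required_patches - posture.installed_patches)
    if missing:
        violations.append("missing required patches: " + ", ".join(missing))
    return Decision(posture.host, not violations, tuple(violations))

def admission_report(postures, policy, today):
    """Evaluate a batch of endpoints; returns {host: Decision}."""
    return {p.host: evaluate(p, policy, today) for p in postures}

# Constructed sample data: patch IDs and hostnames are placeholders.
POLICY = AdmissionPolicy(
    max_av_definition_age=timedelta(days=7),
    required_patches=frozenset({"PATCH-EXAMPLE-1", "PATCH-EXAMPLE-2"}),
)
TODAY = date(2005, 8, 22)
SAMPLE_ENDPOINTS = [
    EndpointPosture("laptop-ok", True, True, date(2005, 8, 20),
                    frozenset({"PATCH-EXAMPLE-1", "PATCH-EXAMPLE-2"})),
    EndpointPosture("laptop-stale-av", True, True, date(2005, 8, 1),
                    frozenset({"PATCH-EXAMPLE-1", "PATCH-EXAMPLE-2"})),
    EndpointPosture("desktop-unpatched", False, True, date(2005, 8, 21),
                    frozenset({"PATCH-EXAMPLE-1"})),
]

if __name__ == "__main__":
    for host, d in admission_report(SAMPLE_ENDPOINTS, POLICY, TODAY).items():
        status = "ADMIT" if d.admitted else "QUARANTINE"
        print(f"{host}: {status}" + ("" if d.admitted else " -> " + "; ".join(d.violations)))
```

The evaluator is deliberately fail-closed: one violation is enough to deny admission, and every reason is returned so the user or help desk can see what to remediate rather than just being told "denied". A product would also need to verify that the posture report actually came from a trusted agent, which this example does not attempt.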