By: Mark Els, Network World Canada (17 Mar 2006)
Security for the enterprise comes in all shapes and sizes. Its moving parts are coordinated by a mechanism known as network access control, facilitating dialogue between network-based security devices and client anti-virus software.
Appliances from Cisco, Juniper and Nortel communicate with McAfee, Symantec and CA, for example, to check whether distributed desktops, laptops and mobile devices that connect to the network are compliant with corporate security regulations.
Nortel Networks Corp. last month announced a switch aimed at extending its Secure Network Access from remote virtual private network connections to the LAN. The Secure Network Access Switch targets the endpoint as an added layer that brings client security in line with existing network protection policies.
Nortel’s new switch is both a credible and more heterogeneous alternative to Cisco’s Network Admission Control, according to Robert Whiteley, an analyst with Forrester Research Inc.
“Nortel provides all the same parts that Cisco can,” he says. “And Nortel tends to be more standards-based in its approaches, so when you plan to tie in multiple vendors, Nortel makes a friendlier foundation.”
The Toronto-based company is partnering with Juniper, Symantec, McAfee, IBM and Check Point to push interoperability standards with Trusted Network Connect, a task force of more than 70 vendors, including Microsoft, but not Cisco, within Trusted Computing Group.
The latest boxes are brimming with intelligence that’s engineered to keep security self-sufficient and simple. But managing the many layers between the network and its applications can be unwieldy, complex and costly.
While endpoint security may be technically feasible, Whiteley says it’s not economically viable. Vendors must scale the walls of interoperability for the technology to become cost-effective.
“We’re talking about integrating several back-end technologies to make endpoint security work,” says Whiteley. “The operational costs quickly escalate to the point where it’s not economically feasible.”
While endpoint security ties network protection and client security together, the appliance must also tap into the back-end to collect user information in Microsoft Active Directory, says Whiteley, as well as configuration or patch management software from vendors such as Altiris, Shavlik, PatchLink and BigFix.
“For this stuff to work together in multi-vendor environments, we need to get aggressive, we need to get behind [Trusted Network Connect standards], and we need to get visible,” says Peter Cellarius, Nortel’s head of enterprise security, wireless and routing.
Independently, Cisco and Nortel are also working to integrate their products with Microsoft’s Network Access Protection (NAP), server-based endpoint security software that will ship with Vista next year.
Cellarius says Nortel’s Network-Assured NAP hopes to integrate NAP inspection into the endpoint compliance methods of the Secure Network Access Switch. Similarly, if NAP discovers the Nortel switch, it can use Nortel’s port-based mechanism to enforce access rules.
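As an added illustration (not code from Nortel, Cisco, Microsoft or any other vendor named in this article), the Python sketch below models the compliance check described above: an endpoint reports its security posture, the enforcement point compares it against corporate policy, and the switch port is placed in a full-access or quarantine VLAN. The vendor set, patch identifiers, dates and host names are constructed assumptions.

```python
"""Toy network access control posture evaluator (added example).

Models the flow the article describes: the endpoint reports anti-virus,
firewall and patch state; the enforcement point checks it against policy
and assigns the switch port to a full-access or quarantine VLAN.
All policy values, patch identifiers and endpoint reports are constructed.
"""
from dataclasses import dataclass, field
from datetime import date

# Constructed corporate policy. The anti-virus vendors are those the
# article names; the patch identifiers are placeholders, not real KB numbers.
POLICY = {
    "approved_av": {"McAfee", "Symantec", "CA"},
    "max_signature_age_days": 7,
    "firewall_required": True,
    "required_patches": {"PATCH-PLACEHOLDER-1", "PATCH-PLACEHOLDER-2"},
}


@dataclass
class Posture:
    """What the client agent reports when the device attaches to a port."""
    host: str
    av_vendor: str
    signatures_dated: date
    firewall_on: bool
    installed_patches: set = field(default_factory=set)


def evaluate(p: Posture, today: date, policy=POLICY) -> tuple[str, list[str]]:
    """Return (vlan, reasons). Any failed check sends the port to quarantine,
    where the device can reach only remediation services (patch server, AV updates)."""
    failures = []
    if p.av_vendor not in policy["approved_av"]:
        failures.append(f"unapproved anti-virus: {p.av_vendor or 'none'}")
    if (today - p.signatures_dated).days > policy["max_signature_age_days"]:
        failures.append("anti-virus signatures out of date")
    if policy["firewall_required"] and not p.firewall_on:
        failures.append("host firewall disabled")
    missing = policy["required_patches"] - p.installed_patches
    if missing:
        failures.append("missing patches: " + ", ".join(sorted(missing)))
    return ("quarantine", failures) if failures else ("corporate", [])


# Constructed sample reports: a managed desktop and a laptop back from travel.
TODAY = date(2006, 3, 17)
DESKTOP = Posture("desk-01", "Symantec", date(2006, 3, 16), True,
                  {"PATCH-PLACEHOLDER-1", "PATCH-PLACEHOLDER-2"})
LAPTOP = Posture("lap-07", "Symantec", date(2006, 2, 20), False,
                 {"PATCH-PLACEHOLDER-1"})
```

Running `evaluate(LAPTOP, TODAY)` returns the quarantine VLAN with three reasons (stale signatures, firewall off, one missing patch), which is the kind of remediation detail the quarantine network would be expected to fix before the port is reassigned.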
Philadelphia-based law firm Duane Morris LLP has an array of security products that watches over its distributed information systems. CIO John Sroka supports 1,500 users across 20 offices, including 625 lawyers who often work on the fly. He admits it’s a complex environment to manage.
The company — which makes use of both a systems integrator and a managed security services provider — operates off a Nortel-based infrastructure, with McAfee virus scanning on the network, intrusion detection systems from Cisco (data) and Nortel (voice), and dual firewalls from Check Point. A managed security services provider takes care of the firewalls and monitors the network for intrusion detection.
At the client level, Sroka runs Microsoft’s firewall capabilities in Windows XP SP2. He also relies on Microsoft’s SUS (Software Update Services) for patch management and has implemented Symantec virus scanning for the desktop, ControlGuard Endpoint Access Manager, which locks down and controls USB ports and CD-ROM drives, as well as Postini and WebSense for e-mail filtering and Web blocking.
“We have a pretty locked down and standardized environment as far as our desktops are concerned,” says Sroka. “A lot of the security products are really independent, but they complement each other to work as a comprehensive solution. For example, if we look at virus scanning, it’s deliberate that we have one vendor on the desktop and a different vendor on the network.”
With its employees becoming more mobile, Duane Morris needs to be more flexible in the services it provides, says Sroka. “We want people to be able to bring their laptops into the office without compromising the network.”
To this end, Sroka has installed Nortel’s Secure Network Access Switch and is currently in an evaluation process. “One of the reasons we actually went to Nortel for endpoint security is they take that security to a switch-port level,” says Sroka, who is looking for as much integration as he can get with his current infrastructure.
“Our biggest concern right now is the laptops because they would be network-attached,” he says, adding that voice over IP is making the network that much more critical. Duane Morris is in the midst of what Sroka calls an aggressive rollout of VoIP. “Endpoints are of that much more concern,” he says.