Original URL: https://www.theregister.co.uk/2011/12/27/endpoint_enforcement/

What you can do to enforce endpoint security

A strategic roundup

By Danny Bradbury

Posted in Security, 27th December 2011 12:00 GMT

Thirty years after the PC was launched, security and management problems for the endpoint seem to be getting worse rather than better.

PCs have become more functional, creating a greater surface area for attack. And the number of endpoint devices has proliferated, as tablets, netbooks and smartphones have entered the fray.

The need for endpoint enforcement is therefore greater than ever. This roundup explores some of the risks that enforcement solutions can help to tackle, and examines some key factors to consider when designing solutions.

Assessing the dangers

The risks to modern endpoints are many and varied. PCs, and to a lesser extent Macs and mobile devices, are all potential targets for attackers.

Risks include data harvesting, in which PCs are compromised by malicious software that monitors keystrokes, screen activity or network traffic to pick up sensitive details. Data harvesting software may also simply scan the PC’s storage for likely looking files and beam them back to a botherder.

Data harvesting may not even entail compromising the PC with malware. In the right situation, such as public Wi-Fi access, an attacker could simply intercept the computer’s wireless connection to harvest data.

Malicious software can also be used to mount attacks on networks. Infection can be spread to other machines by exploiting the same vulnerabilities used to attack the original computer. Network worms, such as Conficker, spread this way. Devices can also be lost or stolen, as can any removable media.

One way to deal with these risks is by using endpoint enforcement policies.

Quantifying the endpoint

To properly enforce endpoint protection it is crucial to understand what you are dealing with. What is connected to your network? What is its configuration? Scanning for connected devices and cataloguing them may reveal more devices than you expected.

Some discovery mechanisms use agents installed on managed computers to report each host's identity, installed software and configuration back to a central inventory.

Network access control providers commonly provide agents for a variety of machines. They communicate with a central policy server to ensure that the machine is in an acceptable state to connect to the network. Any devices that do not meet pre-set security policies for endpoints can be dealt with in ways predefined by the IT department.

However, there is a downside to pure agent-based protection: it is unlikely that every device connecting to the network will be supported. Even if an agent supports Macintosh clients and Android smartphones, there are printers and other peripherals to consider.

There are other, agentless technologies that can replace or complement agent-based systems: active and passive scanning.

Active scanning can be as simple as running a port scanner to footprint your network, or it can rely on a systems management product dedicated to the task.

Passive scanning, on the other hand, watches traffic passing across the network to understand what is talking. A packet sniffer such as tcpdump, a network intrusion detection system such as Snort, or a network flow analyser can provide some insights here.

Discovering machines using these techniques provides more than simple security. Understanding what is on your network will let you classify devices into specific virtual LANs for better traffic flow management.

If, for example, a particularly chatty device is discovered on a network segment on which users are experiencing performance problems, it could indicate a legitimate endpoint that would better be served on its own virtual LAN (or perhaps an unauthorised Wi-Fi access point).
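The passive approach above can be reduced to a small parser. The following is an added example, not code from the article: it decodes raw Ethernet/ARP frames with the standard library only (frames constructed inline stand in for what a sniffer such as tcpdump would hand you), builds a MAC-to-IP inventory, and flags three things the text describes: hosts absent from the asset register, unusually chatty hosts, and an IP address claimed by more than one MAC. The asset register, the chattiness threshold and the sample hosts are assumptions.

```python
"""Passive endpoint discovery from ARP traffic (added example, not the article's code)."""
import struct
from collections import Counter, defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def build_arp(src_mac, src_ip, dst_mac, dst_ip, opcode):
    """Construct an Ethernet II + ARP frame (used here only to build sample input)."""
    eth = _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += _mac(src_mac) + _ip(src_ip) + _mac(dst_mac) + _ip(dst_ip)
    return eth + arp


def parse_arp(frame):
    """Return (sender_mac, sender_ip, opcode), or None for anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:                      # 14-byte Ethernet header + 28-byte ARP body
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = ":".join(f"{b:02x}" for b in frame[22:28])   # sender hardware address
    ip = ".".join(str(b) for b in frame[28:32])        # sender protocol address
    return mac, ip, opcode


def inventory(frames, asset_register, chatty_threshold=5):
    """Build the inventory and return (seen, unknown, chatty, conflicts)."""
    seen = defaultdict(set)      # mac -> IPs it has claimed
    by_ip = defaultdict(set)     # ip -> MACs that claimed it
    counts = Counter()           # ARP frames per MAC
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        mac, ip, _ = parsed
        seen[mac].add(ip)
        by_ip[ip].add(mac)
        counts[mac] += 1
    unknown = sorted(m for m in seen if m not in asset_register)
    chatty = sorted(m for m, n in counts.items() if n >= chatty_threshold)
    conflicts = {ip: macs for ip, macs in by_ip.items() if len(macs) > 1}
    return dict(seen), unknown, chatty, conflicts


def sample_frames():
    """Constructed capture: two registered hosts, one unregistered host that sweeps
    the subnet and also claims a registered host's address, plus one non-ARP frame."""
    frames = []
    frames += [build_arp("aa:bb:cc:00:00:01", "10.0.0.10", BROADCAST, "10.0.0.1", ARP_REQUEST)] * 2
    frames += [build_arp("aa:bb:cc:00:00:02", "10.0.0.11", BROADCAST, "10.0.0.1", ARP_REQUEST)]
    frames += [build_arp("de:ad:be:ef:00:01", "10.0.0.12", BROADCAST, f"10.0.0.{n}", ARP_REQUEST)
               for n in range(20, 28)]       # 8 requests in quick succession
    frames += [build_arp("de:ad:be:ef:00:01", "10.0.0.10", "aa:bb:cc:00:00:02", "10.0.0.11", ARP_REPLY)]
    frames += [b"\x00" * 12 + b"\x08\x00" + b"\x00" * 46]   # IPv4 frame, ignored by the parser
    return frames


ASSET_REGISTER = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}   # assumed known-good hosts

if __name__ == "__main__":
    seen, unknown, chatty, conflicts = inventory(sample_frames(), ASSET_REGISTER)
    print("inventory:", seen)
    print("unregistered:", unknown)
    print("chatty:", chatty)
    print("address conflicts:", conflicts)
```

The address-conflict check is worth keeping even in a pure inventory tool: a second MAC answering for a registered host's address is what ARP spoofing on a shared segment looks like, and it is also how a misconfigured rogue access point or a cloned static address shows up.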

What to look for

Agent-based technologies can return a rich set of information that can be used to assess a machine's level of vulnerability and therefore the danger it poses to the network. Examples include missing critical patches for the operating system and application software, as well as out-of-date anti-malware signatures.

Agent-based systems can also report insecure configuration, such as users running with administrative privileges, automatic updates switched off, untrusted root certificates in the trust store, and weak passwords. Much of this information can be collected, and the corresponding settings enforced, through a standard policy server.

Discovery mechanisms can also help to identify compromised devices that may have been infected by malware. Intrusion detection systems may identify these devices based on their behaviour, while scanning systems might do it by simply scanning for malware and comparing it against known signatures.


How do we remediate devices when they are found to be compromised or in danger of compromise?

Until they are remediated, machines can be quarantined in a variety of ways. They can be separated at the IP level by handing non-compliant hosts an address from a separate DHCP pool on a restricted subnet, with the caveat that a host with a statically configured address bypasses a purely DHCP-based quarantine, so the restriction should also be enforced on the switch or firewall, for example by VLAN assignment or an access control list. An alternative is to control things at the application layer by configuring HTTP access according to the host's category, so that a quarantined host can reach only the remediation portal and the patch and signature servers it needs.

Sparking off a patch session using an automated system designed to cope with multiple third-party applications, such as Lumension Patch and Remediation, is an obvious task for systems that are out of date.

The same goes for anti-malware products whose signatures are out of date. Weak or expired passwords are changed by the users themselves, who can run a wizard provided by the IT department to fix insecure configurations.
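Putting the posture checks and the remediation flow together, the following is an added example of the decision a policy server makes, not code from the article or any vendor's product. An agent's posture report is mapped to an access tier and a remediation list; findings that leave the host exploitable over the network (missing critical patches, stale signatures) trigger quarantine, while configuration drift (old password, local admin rights, updates disabled) is fixed in place. A quarantined host still needs to reach the servers that fix it, so the decision carries that allow-list. Field names, thresholds, tier names and server hostnames are assumptions.

```python
"""Posture evaluation for a NAC-style policy server (added example, not the article's code)."""
from dataclasses import dataclass
from datetime import date

# Assumed hostnames of the remediation infrastructure a quarantined host may still reach.
REMEDIATION_SERVERS = ["patch.corp.example", "avupdate.corp.example"]


@dataclass
class Posture:
    device_id: str
    managed: bool                 # corporate agent present and enrolled
    missing_critical_patches: int
    av_signature_date: date
    password_age_days: int
    local_admin: bool             # interactive user holds local administrator rights
    auto_update: bool


@dataclass
class Decision:
    tier: str                     # "full", "guest-plus" or "quarantine"
    remediation: list             # actions, most urgent first
    allowed_destinations: list    # only meaningful for "quarantine"


def evaluate(p, today=date(2011, 12, 27), max_sig_age=7, max_pw_age=90):
    """Apply the policy: exploitable hosts are quarantined until fixed, drift is
    fixed in place, and a posture that cannot be verified earns only guest-plus."""
    if not p.managed:
        # Nothing an unmanaged device claims about itself can be verified.
        return Decision("guest-plus", ["install the corporate agent for full access"], [])

    exploitable, drift = [], []
    if p.missing_critical_patches > 0:
        exploitable.append(f"install {p.missing_critical_patches} missing critical patch(es)")
    sig_age = (today - p.av_signature_date).days
    if sig_age > max_sig_age:
        exploitable.append(f"update anti-malware signatures ({sig_age} days old)")
    if p.password_age_days > max_pw_age:
        drift.append("force password change at next logon")
    if p.local_admin:
        drift.append("remove local administrator rights")
    if not p.auto_update:
        drift.append("re-enable automatic updates")

    if exploitable:
        return Decision("quarantine", exploitable + drift, list(REMEDIATION_SERVERS))
    return Decision("full", drift, [])


if __name__ == "__main__":
    for posture in (
        Posture("ws-017", True, 2, date(2011, 12, 10), 30, False, True),
        Posture("ws-018", True, 0, date(2011, 12, 25), 120, True, True),
        Posture("ipad-vp", False, 0, date(2011, 12, 27), 0, False, False),
    ):
        d = evaluate(posture)
        print(posture.device_id, d.tier, d.remediation, d.allowed_destinations)
```

Whatever tier the server returns has to be enforced somewhere the endpoint cannot override it: a quarantine expressed only as a DHCP lease is defeated by a static address, so the same verdict should drive the VLAN or ACL applied at the switch or firewall.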

Defining policies

Before we can deal with the endpoints we discover, we must develop policies to manage them.

One challenge organisations face is deciding levels of authentication for devices. Binary “in or out” access may not be enough, especially for visitors who require privileged access to computing resources rather than basic surfing capabilities.

This is particularly true in the world of consumerisation, with contractors and employees bringing a variety of unmanaged devices into the organisation. If the vice-president of sales has a new iPad 2, and happens to be the key sponsor on one of your biggest IT projects, are you going to tell him he can’t use it to access the company CRM system?

One answer may be “guest plus” access, a policy that provides better-than-web access to selected clients. This needs some sophisticated monitoring after the initial connection, rather than simply auditing devices once and then allowing them full access to the network. Application-level packet analysis can play a big part here.

These policies can be referenced and enforced using a variety of policy servers. One is a host-resident system that sits on an existing server. Another option is an appliance – a piece of hardware dedicated to handling policy compliance evaluations from connecting clients.

The other option is to embed policy management logic into network equipment such as switches, access points or firewalls.

Application control

The truly well-managed system should have policies governing what software it can and cannot run. This application control can be implemented using a combination of blacklisting and whitelisting techniques, providing a defence-in-depth approach.

A software blacklist, usually implemented in some form of anti-virus package, helps to prevent rogue applications from finding their way onto the system. It protects the machine by scanning files against a set of known malware signatures.

The whitelist attacks the problem from the other end, allowing only software on a pre-defined list to be installed or run on an endpoint.

Even if a piece of whitelisted software is compromised, scanning against the blacklist can capture its signature and remove it. If that fails, behavioural analysis may pick up illegitimate activities on the system.
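As an added illustration of how the two layers combine (example code, not from the article or any product), the decision function below checks the blacklist first, so a known-bad file is blocked even when someone has whitelisted its hash, and then requires the file's SHA-256 to appear on the whitelist, so any tampering with an approved binary changes its hash and blocks it. The sample "binaries" and the deny signature are constructed byte strings standing in for real executables and real malware signatures.

```python
"""Application control: whitelist by hash, blacklist by signature (added example)."""
import hashlib


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def decide(executable, allow_hashes, deny_signatures):
    """Return ("block", reason) or ("allow", sha256-of-file)."""
    for name, sig in deny_signatures.items():
        if sig in executable:                 # blacklist wins over everything
            return "block", f"blacklist:{name}"
    digest = sha256(executable)
    if digest not in allow_hashes:            # unknown or modified binary
        return "block", "not-whitelisted"
    return "allow", digest


# Constructed sample "binaries" (plain bytes standing in for PE/ELF files).
APPROVED_APP = b"MZ\x90\x00approved-accounting-client-v3.1"
TAMPERED_APP = APPROVED_APP.replace(b"v3.1", b"v3.1+backdoor")   # approved file, modified after approval
TROJANISED_APP = APPROVED_APP + b"EVIL-STAGER-V1"                 # approved (by mistake) but carries known malware
UNKNOWN_APP = b"MZ\x90\x00some-freeware-downloaded-from-the-web"

DENY_SIGNATURES = {"Stager.A": b"EVIL-STAGER-V1"}                 # constructed signature, not a real one
# The trojanised build was whitelisted before its payload was known: the blacklist must still catch it.
ALLOW_HASHES = {sha256(APPROVED_APP), sha256(TROJANISED_APP)}


def demo():
    """Run each sample through the policy and return {name: verdict}."""
    samples = {"approved": APPROVED_APP, "tampered": TAMPERED_APP,
               "trojanised": TROJANISED_APP, "unknown": UNKNOWN_APP}
    return {name: decide(data, ALLOW_HASHES, DENY_SIGNATURES)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} {verdict}")
```

Note what neither layer catches: a whitelisted binary that is clean on disk but is abused at run time (a legitimate interpreter or administrative tool, say) passes both checks, which is why the text's fallback to behavioural analysis matters.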

Remote enforcement

Endpoint enforcement is not limited to devices connected to the network. Increasingly, devices are mobile and need managing in the field.

Enforcing security on these devices can be a challenge because their network connections are sporadic, but there are some steps that IT departments can take.

Firstly, configuring devices to route their internet connections through the corporate LAN, so that corporate filtering and monitoring still apply, can help you to manage them effectively. Phones, including the iPhone, support VPN connections, which can protect traffic passing over the phone network or public Wi-Fi hot spots.

For endpoint enforcement on phones, however, IT departments should consider a specialist solution that includes facilities such as password enforcement, and application management to control what is being installed on the phones.

Application management is particularly important, given the rise of malware on some platforms. For example, in March 2011 more than 50 applications openly available on the Android Market were found to have been repackaged with malware called DroidDream, which used a root exploit to escalate its privileges on the device. After stealing all the information it could from the device, the program then proceeded to download more code.

Encryption is commonly offered by mobile device management suites. Encrypting data stored on the phone is a good way to meet compliance requirements, provided it is accompanied by some form of password enforcement.

Encryption is often complemented in such suites by remote locking and wiping of data. Some phones offer this as part of the standard feature set when they are purchased, but the advantage of managing this at the corporate level is that the IT department gets to control the phone.

There are caveats to all of this, however. The first is that these security suites require agents to be installed on the phones. This leaves IT departments mulling the issue of smartphone governance.

A corporate policy might dictate that a sanctioned mobile device with the agent installed has full access, while an employee-owned device falls back to guest-plus access or simple web-only capabilities.

One way for employees using their own phones to get better access could be to require them to install the mobile security software. If users want access to more corporate computing resources, then they will accede.

However, employees need to agree to report their phone lost or stolen at the first opportunity, and acknowledge that they may lose all of the data on their phone – including personal data – in the event that it is remotely wiped.

Because some users would agree to such terms without reading the agreement, some education is necessary. Endpoint enforcement can quickly become a cultural, legal and human-resources issue, rather than merely a technical one.

When media leaves the machine

Not all mobile devices carry computing capabilities. Some are simply removable, but still carry large amounts of corporate data with them. Hard drives, iPods, CDs and USB memory sticks can be used to carry off swathes of corporate information.

We have seen many examples of these problems. HM Revenue and Customs lost 25 million child benefit records after they were copied, unencrypted, onto two CDs that were then lost in the mail. In 2008, the personal data of more than 11 million GS Caltex customers was found lying on two disks in the street.

Software can help to prevent some of these risks. Locking down ports on desktop and notebook machines stops data being copied across the endpoint onto USB sticks, and such software can also be used to lock down CD drives, stopping data from being burned onto them.

However, it is difficult, or even impossible, to lock down the ports and drives of unmanaged devices, which leads us back to restricting access to sensitive information.

One option to avoid complete lockdown is to use encryption. Forcing encryption on removable media renders the data useless to anyone who happens to compromise it.

It may not, however, prevent malicious employees stealing data, because they can hand the encrypted USB stick to someone else along with its password. This is where the realm of endpoint enforcement ends and role-based access management begins.

Monitoring and reporting

Having identified the various devices on the network and implemented policies to protect them, monitoring becomes an important aspect of endpoint security.

It involves assessing how effective endpoint security policies are and logging administrator-level activities. The idea is to identify potential threats by logging system events such as policy changes and application execution attempts, and then reviewing those logs.

Reporting is the final piece of the puzzle for endpoint enforcement. Organisations must have a way to evaluate the results of their monitoring so they can see any suspicious activity and assess the outcome of remediation.
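To make the review step concrete, the following is an added example, not code from the article: it parses constructed agent log lines (a key=value format assumed for illustration) and applies three checks the section motivates: policy changes made by accounts outside the administrator group, policy changes that weaken a control even when an administrator makes them (administrator-level activity is logged precisely so it can be reviewed), and a burst of blocked execution attempts on one host, which may be malware trying to run or a user fighting the whitelist. Host names, user names, settings and thresholds are all constructed.

```python
"""Reviewing endpoint-enforcement logs for suspicious activity (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the key=value layout is an assumption, not any product's format.
LOG = """\
2011-12-27T09:14:02Z host=ws-017 user=jsmith event=exec_blocked path=C:\\Users\\jsmith\\Downloads\\update.exe reason=not-whitelisted
2011-12-27T09:14:05Z host=ws-017 user=jsmith event=exec_blocked path=C:\\Users\\jsmith\\Downloads\\update.exe reason=not-whitelisted
2011-12-27T09:14:09Z host=ws-017 user=jsmith event=exec_blocked path=C:\\Users\\jsmith\\AppData\\Local\\Temp\\svc.exe reason=not-whitelisted
2011-12-27T09:20:11Z host=ws-031 user=bob event=policy_change setting=usb_write old=deny new=allow
2011-12-27T09:21:40Z host=ws-031 user=admin.alice event=policy_change setting=av_realtime old=on new=off
2011-12-27T09:25:00Z host=ws-031 user=admin.alice event=policy_change setting=usb_write old=allow new=deny
2011-12-27T10:02:13Z host=ws-044 user=kchen event=exec_blocked path=C:\\Temp\\tool.exe reason=not-whitelisted
"""

ADMINS = {"admin.alice"}                                   # assumed administrator group
# (setting, new value) pairs that reduce protection; everything else is tightening or neutral.
WEAKENING = {("usb_write", "allow"), ("av_realtime", "off"), ("auto_update", "off")}
BURST_COUNT, BURST_WINDOW = 3, timedelta(minutes=5)


def parse_line(line):
    """Split 'timestamp k=v k=v ...' into a dict; the timestamp becomes a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for f in fields:
        k, _, v = f.partition("=")
        rec[k] = v
    return rec


def analyse(log_text):
    """Return a list of (timestamp, host, alert) tuples in log order."""
    alerts = []
    blocked = defaultdict(list)          # host -> timestamps of exec_blocked events
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        if r["event"] == "policy_change":
            if r["user"] not in ADMINS:
                alerts.append((r["ts"], r["host"],
                               f"policy change by non-admin {r['user']}: {r['setting']}={r['new']}"))
            elif (r["setting"], r["new"]) in WEAKENING:
                alerts.append((r["ts"], r["host"],
                               f"admin {r['user']} weakened {r['setting']} to {r['new']}"))
        elif r["event"] == "exec_blocked":
            times = blocked[r["host"]]
            times.append(r["ts"])
            recent = [t for t in times if r["ts"] - t <= BURST_WINDOW]
            if len(recent) == BURST_COUNT:   # fire once, when the threshold is first reached
                alerts.append((r["ts"], r["host"],
                               f"{BURST_COUNT} blocked executions within {BURST_WINDOW}"))
    return alerts


if __name__ == "__main__":
    for ts, host, msg in analyse(LOG):
        print(ts.isoformat(), host, msg)
```

The third line of the sample log shows why the burst rule counts per host rather than per path: the second blocked file lives in a temp directory under a different name, which is what a dropper retrying under new names looks like, and a per-path count would never reach the threshold.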


Endpoint enforcement is a crucial part of any organisational security policy. It also straddles both the technological and cultural realms, involving a mixture of network traffic awareness, software installation on the endpoint, policy definitions and user education.

It also extends into discussions of what types of user behaviour and user-owned devices are permissible on the network. The astute IT department will consider all of these factors when designing architecture to enforce security policies on the endpoint. ®