Five Steps to Enforcing Your Endpoint Security
By Frederick Felman
VICE PRESIDENT OF MARKETING: ZONE LABS
The network perimeter is expanding, thanks to technology such as laptops, SSL, VPNs, and wireless access points. However, as useful as those tools are, they also increase the exposure to risk.
With these unprecedented access opportunities, PCs bring viruses, hackers, unpatched software, and unapproved applications into your network easily. Security incidents resulting from any of these threats cost time, money, and your company’s reputation — not to mention your personal reputation as an IT professional.

Why is endpoint security posture frequently so poor, despite existing security investments such as antivirus and IDS, and corporate policies concerning patches or unapproved software? The truth is that the value of security policies and technologies is only theoretical if you can’t ensure that they’re enforced at all times.

To put it bluntly: security policy is all talk unless it has teeth — unless it can enforce compliance. Toothless is useless. Indeed, having a policy without enforcing it is worse than having no policy at all, as your false sense of security can make you complacent. Endpoint protection technology from Zone Labs, a Check Point company, gives your security bite.

An Endpoint Policy Framework
The solution is Check Point Integrity, which can force compliance with policies as a condition for network access. Indeed, that itself is your most fundamental policy. Here are four suggestions for constructing it:
— Policy: Only properly configured and secured PCs may access the network.
— Objective: Ensure confidentiality, availability, and integrity of endpoints and networks.
— Standard: The PC must pass a configuration check before and during access.
— Guidelines: Leverage existing security and IT investments; maintain IT and end-user productivity.

Regarding the last point (about end-user productivity), keep in mind that remediation is as important as restriction. If you lock a user out, you’ve secured the network but caused a help-desk incident. You can’t “just say no” — you still have to bring the user back into compliance so they can get back to work. Integrity makes this easy, with out-of-the-box functionality to deliver these self-remediation resources to your users.

With this policy in place, network access is conditional on the secure state of the endpoint PC. Now you can move on to defining that secure state, and actually enforcing policy on your endpoints.

Steps to Endpoint Policy Enforcement
I suggest the following five steps to enforce your endpoint policy:

  1. Define the detailed policy.
    Define what endpoint security means for your enterprise. In other words, what specific policy elements do you need to enforce — that Integrity’s endpoint firewall is installed? That endpoint antivirus definitions are up-to-date? Your initial objective is to reduce risk without IT impact. You don’t need to make this definition perfect your first time out; it’s an iterative process, as implied in step 5.
  2. Select and deploy tools.
    The best choice is Integrity. When you deploy Integrity, you have a solution that ensures that any endpoint that accesses your network complies with this policy. With Integrity, you can mandate that the Integrity client is present on every endpoint PC so that it can accept a centrally defined security policy, check the PC for compliance with all policy elements, and quarantine out-of-compliance machines until they’re brought back into full compliance.
    Furthermore, with Integrity, you get a solution that can’t be disabled by end users, even if they have local administrative privileges on their PCs. Finally, Integrity provides an installed agent and can also work as an “agentless” solution: it can dynamically download and run an ActiveX control on any PC that accesses a private network via a Web connection (e.g., SSL VPN or Outlook Web interface). This protects your network from PCs you directly control as well as from guest PCs.
  3. Create access rules and implement the restriction mechanism.
    Whenever possible, leverage your network gateways to restrict access based on integration with your policy enforcement solution. Using a gateway as a chokepoint ensures that the enforcement agent itself is installed and operating. Check Point, for example, uses a non-proprietary implementation of an open standard, like 802.1X, to integrate with switches and other network gateways. This means you can deploy Check Point products in heterogeneous network environments — in other words, real-world networks.
  4. Establish the self-service remediation process.
    Integrity provides self-service resources for your out-of-compliance users to get back in compliance quickly so they stay productive and don’t burden your support staff. Integrity helps you keep the remediation process easy enough for users to handle on their own; that’s important because if they don’t understand what’s happening during remediation, they’ll call the help desk. Like your endpoint technology, your remediation solution must itself be secure and unable to be bypassed. Integrity fits that bill.
  5. Monitor compliance and adjust your policy.
    Integrity gives you the tools to check employees’ compliance. Is their access often barred due to prohibited applications? Is frequent non-compliance of your mobile sales force due to overly restrictive rules? Security policies evolve and change over time. You’ll mandate updated versions of applications, and perhaps you’ll allow certain groups greater leeway — say, remote sales engineers who can be trusted with greater responsibility for their PC security.
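
The five steps above, sketched as a posture check that quarantines non-compliant endpoints, returns self-service remediation text, and tallies failures per group for policy tuning. This is an added example, not Check Point Integrity's API or the author's code; the report fields, thresholds, app names, and sample hosts are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import date

PROHIBITED_APPS = {"p2p-client", "remote-admin-tool"}  # assumed list
MAX_AV_AGE_DAYS = 7                                     # assumed threshold

# Step 1: policy elements as named checks over a posture report (a dict).
POLICY = {
    "firewall_running": lambda p: p["firewall_running"] is True,
    "av_definitions_current":
        lambda p: (p["checked_on"] - p["av_defs_date"]).days <= MAX_AV_AGE_DAYS,
    "no_prohibited_apps": lambda p: not PROHIBITED_APPS & set(p["apps"]),
}

# Step 4: self-service instructions shown to a quarantined user.
REMEDIATION = {
    "firewall_running": "Start the endpoint firewall and reconnect.",
    "av_definitions_current": "Update antivirus definitions from the quarantine portal.",
    "no_prohibited_apps": "Uninstall the prohibited application(s) listed.",
}

def evaluate(posture):
    """Steps 2-3: return (decision, failed_checks, remediation) for one report."""
    failed = []
    for name, check in POLICY.items():
        try:
            ok = check(posture)
        except (KeyError, TypeError):
            ok = False  # fail closed: missing or malformed data is non-compliant
        if not ok:
            failed.append(name)
    decision = "quarantine" if failed else "allow"
    return decision, failed, [REMEDIATION[f] for f in failed]

def compliance_summary(postures):
    """Step 5: failed-check counts per user group, to spot rules that need tuning."""
    summary = {}
    for p in postures:
        summary.setdefault(p.get("group", "unknown"), Counter()).update(evaluate(p)[1])
    return summary

TODAY = date(2005, 3, 1)  # constructed sample reports follow
SAMPLE = [
    {"host": "hq-pc-01", "group": "office", "firewall_running": True,
     "av_defs_date": date(2005, 2, 27), "apps": ["mail"], "checked_on": TODAY},
    {"host": "sales-lt-07", "group": "mobile-sales", "firewall_running": True,
     "av_defs_date": date(2005, 1, 15), "apps": ["mail", "p2p-client"], "checked_on": TODAY},
    {"host": "guest-01", "group": "guest", "apps": []},  # no agent data reported
]
```

Calling `evaluate` again on a fresh report while the session is open covers the "before and during access" standard; the guest entry shows an endpoint with no agent data being quarantined rather than admitted.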

The policies you create are up to you, and depend upon your unique environment. But with Check Point Integrity, at least they’ll now have bite.

Visit Check Point at: www.checkpoint.com