The Many Myths of Endpoint Security: Page 2

Posted December 19, 2006

David Strom

(Page 2 of 2)

Myth #4: Your endpoint solution will work seamlessly with your VPN.

It makes some sense, and it certainly would be nice, if that creaky old VPN you've had around for several years could just interoperate with that shiny new endpoint system. But no, this is not to be. Those of you who have enterprise IPsec VPNs are in a better position to implement an endpoint security solution, provided that you run those IPsec protocols on all of your local machines too. Most of the endpoint products support this approach, however cumbersome and unattractive it sounds at first.

Look no further than AEP Networks for an example of how strained relations are between VPNs and endpoint security approaches. The company has two different product lines, and the two don't talk to each other. If you want to wait until 2007, they promise that the integration will happen, so that you don't need to duplicate security policies between the two systems.

If you aren't willing to completely re-architect your LAN logins, and don't yet have a VPN that you want to keep using, some of the vendors offer endpoint solutions that bundle a VPN into their package. Vernier Networks and F5 Networks, for example, both have models that include their own SSL VPN.

Myth #5: Microsoft will solve endpoint security with Vista and Longhorn.

Ah yes, Microsoft. They have their own architecture for endpoint security called Network Access Protection (NAP) that will be implemented one day soon, when Vista is deployed across the enterprise and Longhorn Server becomes a real product. When is that time, exactly? Maybe a year from now.

In the meantime, you have an enterprise computing department to run and don't want to wait. Well, Microsoft will have some agents for XP Professional PCs, but not much else. Microsoft's solution requires you to be very familiar with many different pieces, such as Internet Information Server (Microsoft's Web server), Network Policy Server (which is the new piece of Longhorn that will implement much of NAP), how Active Directory authentication is implemented, and Internet Security and Authentication Server 2006. Understanding how these various pieces are configured and interact with each other will require some significant learning and testing time.

If you have other operating systems, including older versions of Windows, then you are going to have to look elsewhere to finish off the job.

Myth #6: Cisco will solve endpoint security with its approach.

Wrong again. Cisco's approach is called Network Admission Control (NAC), and unfortunately you need to bring all of your network devices running IOS up to the most current levels to support this architecture. Cisco has also already stated that it will rely on Microsoft's NAP for much of the remediation that is not part of NAC.

As you can see, there is still a lot of room for improvement here. Maybe 2007 will bring truly useful endpoint products that can check for a wide array of problems and resolve them automatically. After all, a guy can hope, can't he?
