Assessing Your Endpoint Security Needs

As endpoint security technologies continue to proliferate, it can be difficult for IT managers to determine the best course to pursue. Here are some tips from those who have already taken steps to protect their endpoints.

Have a VPN that can protect smartphones and PDAs, especially when they are used for data entry. While there are many implementations of VPN clients for standard Windows and Mac computers, there are fewer products that cover mobile-phone-based operating systems. As these devices proliferate, they deserve the same level of protection that the standard desktop receives.

Some companies use different security products for their mobile devices. For instance, the Hill Country Memorial Hospital in Fredericksburg, Texas, uses SonicWall’s firewall but had problems with the company’s handheld VPN client on its Treo smartphones. So the hospital ended up using NCP Engineering’s Secure Entry client on 10 of its phones.

“We have people who visit patients in their homes in rural areas,” explains Ira Babb, the hospital’s network administrator. “Having the VPN coverage means that they can take vital signs and other data, but don’t have to come back to the hospital to upload that information. Plus, we save on travel costs.”

The hospital hasn’t had any interoperability issues either. “We haven’t touched the software once we set it up,” he says.

Control access on removable peripherals, especially USB-attached storage. Given that you can purchase 32GB USB flash drives for around $100, it’s easy enough to copy all your data on a removable drive. This presents all sorts of problems for network security managers, particularly if these drives become compromised. One solution is to run software agents on all desktops that control access to the USB ports and lock them down.

Mammoth Hospital in Mammoth Lakes, Calif., has been using DeviceLock for several months. “With the proliferation of USB drives, we needed to control access, especially since they have essentially replaced disks as a file-transfer medium between systems,” says Paul Fottler, the hospital’s IT operations supervisor. “We were concerned that some patient data could be carried out of our facilities in one’s pocket.”

The software from DeviceLock is configured on 300 PCs to lock access to the USB ports, record any activity on the DVD and CD drives, and make sure that no keylogging malware is installed on the hospital’s systems. Fottler set up policies in Microsoft’s Active Directory to install the software.

“Pretty much any input port on the PC can be locked down, including infrared and Bluetooth,” he says. “And you can build a whitelist of devices to enable them, rather than blocking everything.”

Understand what’s missing from your anti-virus and desktop firewall solutions and decide how you want to fill the gaps. Just because your users have desktop anti-virus protection and firewalls doesn’t mean that these systems are running or have appropriate updates. Many IT shops are complementing these security products to provide better endpoint protection.

One method is to start with an anti-virus supplier and then migrate users to a more complete network access control (NAC) product that can work in conjunction with the operating system. You can stick with your existing anti-virus supplier and either upgrade to its NAC product or use someone else’s NAC software. Another option is to scrap your anti-virus supplier for a more comprehensive solution.

Take SouthCoast Bank in Pleasant, S.C., which decided to upgrade its Sophos anti-virus software. “We originally wanted to open up our network to transfer files from our customers to make it more convenient for them to do overnight deposits,” says Paul Hollen, the bank’s chief operating officer. “I was nervous about the potential exposure, and that’s how we got started looking at NAC solutions. The more I looked at it, the more I wanted the NAC piece running on our internal Windows PCs as well.”

The bank upgraded its anti-virus clients with the full NAC solution, which is now on more than 300 PCs. “We now have better controls,” reports Hollen, “such as for guest workers like the repair technicians who want to bring their laptops into our networks to fix our multifunction printers.”

The city of Miami decided to scrap its existing anti-virus solution in favor of eEye’s Blink security software. It chose this product because of its promise of being able to protect the city’s machines from zero-day exploits.

“What really helped was eEye’s willingness to put skin in the game and work closely with us during testing, pilots and the eventual rollout,” says Nelson Martinez Jr., systems support manager for the city’s IT department. “That really separated them from the pack.”

FN Manufacturing took a different tack and added Skyrecon’s Storm Shield security software to complement its existing Trend Micro anti-virus solution. “We needed something better than the individually managed firewalls on our laptops,” says Olivier Vanderstraeten, the network security manager of the Columbia, S.C.-based weapons manufacturer.

“We wanted something we could centrally manage, especially after we calculated how much time we were spending updating our security policies. Also, many users don’t bring their laptops to our offices, so, this way, we can make sure they have the latest updates.”