Coordinating Our Network Defenses

Making the case for coordinated endpoint security, as developed by Trusted Computing Group


Jan walks into the office at 8 a.m. with a hot cup of coffee and a calm look on her face. After a few minutes, she notices that the dreaded “Fawlty” virus tried to bring the corporate network to a grinding halt last night, but didn't. At first glance it looks like a visitor to the Executive Briefing Center inadvertently infected the guest wireless network, but a deeper trace suggests that a malicious Russian hacker spoofed a VOIP call to gain access to the core data center.

Finally, the records show that, amidst the chaos of last night's maintenance window, Jan's coordinated defense system correlated the “Fawlty” virus and the VOIP session to an infected, but authenticated, laptop running Windows XP in the EBC and quarantined it. She now has the name and number of an executive to follow up with today. She decides that she'll walk this one up herself.

Jan's fictional coordinated defense system sounds too good to be true. For most cost-sensitive buyers of off-the-shelf network security systems, it is too good to be true. For starters, Jan would need to know exactly where to look to find out what devices are on the network, who is associated with those devices, where those devices have been, what the network traffic from those devices looks like, and as much activity history of those network devices as possible.

Unfortunately, for most, this information is scattered among the various logs and records of firewalls, provisioning systems, and switches, to name just a few places. In most organizations, gathering this data would require a heroic effort, if it is possible at all. Furthermore, individual security components, such as firewalls, IDSs and IDPs, antivirus gateways, client software, and authentication systems, look for vastly different types of threats and are not configured to coordinate with each other. One component may perceive a system-wide threat as a network worm, another may see it as a compromised endpoint, and another may see it as a distributed authentication attack.

The various systems have no common way for contributing their piece of knowledge to a common picture to gain a more complete view of network and endpoint activity and status. Without such mechanisms, it is impractical, or impossible, to provide appropriate, coordinated responses to attacks using heterogeneous components, even if they are from the same vendor.

What about NAC – Is It Enough?

The concept of fine-grained regulation of network connectivity by Network Admission Control (NAC) has been developing for the last five years. However, Jan's story requires something more; it requires a coordinated network defense.

Regulating the admission process with NAC is only the first step. With the variety of capable and proven NAC technologies available on the market today, we are entering an age where multi-vendor coordinated defense is the logical next step. What is coordinated network defense, and is it possible?

In a coordinated defense system, the various pieces of network infrastructure which are involved with providing services to devices (sometimes called "endpoints") share information. The shared information helps build a holistic picture of network activity in order to better inform each component about specific actions.

The various components can be broadly categorized into the following groups: logical devices, access requestors, policy enforcement/decision points, sensors, core network and identity management services (see side bar for definitions).

The ideal multi-vendor coordinated defense system would allow various products which act in the roles above to share information and act on that shared information.
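As an added illustration of the correlation such a system performs (example code written for this article, not TCG or TNC code), the snippet below joins records from an identity service and two sensors to one endpoint and lets a policy decision point act on the combined picture; the record formats, field names and the two-sensor threshold are assumptions, and the sample records are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample records from components that normally keep separate logs.
AUTH_SESSIONS = [  # identity/provisioning service: which user and device holds each address
    {"time": "2008-05-14T02:10:05", "ip": "10.20.0.77", "mac": "00:1a:2b:3c:4d:5e",
     "user": "exec.ceo", "os": "Windows XP"},
    {"time": "2008-05-14T02:15:40", "ip": "10.20.0.81", "mac": "00:1a:2b:aa:bb:cc",
     "user": "guest-1102", "os": "Mac OS X"},
]
SENSOR_EVENTS = [  # sensors (antivirus gateway, VoIP session monitor), keyed by source address
    {"time": "2008-05-14T02:31:12", "src": "10.20.0.77", "sensor": "av", "detail": "Worm.Fawlty"},
    {"time": "2008-05-14T02:33:01", "src": "10.20.0.77", "sensor": "voip", "detail": "spoofed caller-id"},
    {"time": "2008-05-14T02:40:00", "src": "10.20.0.81", "sensor": "av", "detail": "EICAR test file"},
]

@dataclass
class Endpoint:
    ip: str
    mac: str
    user: str
    os: str
    events: list = field(default_factory=list)

def _t(s):
    return datetime.fromisoformat(s)

def correlate(sessions, events, window=timedelta(hours=2)):
    """Attach each sensor event to the endpoint that held its source IP at that time."""
    endpoints = {s["ip"]: Endpoint(s["ip"], s["mac"], s["user"], s["os"]) for s in sessions}
    starts = {s["ip"]: _t(s["time"]) for s in sessions}
    for e in events:
        ep = endpoints.get(e["src"])
        if ep and 0 <= (_t(e["time"]) - starts[ep.ip]).total_seconds() <= window.total_seconds():
            ep.events.append(e)
    return endpoints

def decide(ep, min_sensors=2):
    """Policy decision point: quarantine only when independent sensors agree on one endpoint."""
    sensors = {e["sensor"] for e in ep.events}
    return "quarantine" if len(sensors) >= min_sensors else "monitor"

def run(sessions=AUTH_SESSIONS, events=SENSOR_EVENTS):
    """Return {ip: (user, mac, decision)}: the picture no single component could build alone."""
    return {ip: (ep.user, ep.mac, decide(ep)) for ip, ep in correlate(sessions, events).items()}
```

Note that the guest address receives only a single sensor's alert and is left in "monitor", so the decision is driven by agreement across components rather than by any one log.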

While proprietary admission technologies from Microsoft (NAP) and Cisco (NAC) can play a role in a multi-vendor coordinated network defense, the Trusted Network Connect (TNC) Work Group of the Trusted Computing Group has already defined and released an open architecture and a growing set of standards for endpoint integrity.
