Whitepaper: The Peril of Unsecured Endpoints

Guidance on how to limit risk, but not productivity, on endpoint devices: desktops, laptops and notebook computers


Where Could It Happen?

The possibilities are endless. Mobile and wireless devices are attractive targets for attackers. Organizations are seeing a critical need to control a notebook PC's ability to connect based on its location. Beyond that, corporations must protect the data assets resident on these mobile devices by controlling access to the PC's I/O ports.

Security Threats Are Everywhere

At work: WLAN-friendly Windows XP automatically lets a wireless notebook connect to a neighboring business's network without the user's knowledge. Sensitive files can be copied onto CDs or thumb drives, against policy.

Away from the office: When the wireless card or radio is activated, networking ports are not closed to block unwanted access to the mobile computer's file shares. Users run peer-to-peer applications that introduce security threats.

At public hotspots and other locations where mobile users access the Internet: Attackers use port scanners to find ports left open by traditional desktop firewalls, and run scripted, peer-to-peer attacks that subvert the notebook's inadequate protections, gaining access to confidential data. In addition, an attacker who compromises the notebook can ride its VPN session, thereby gaining trusted access to the corporate network.

At home: Most often, wireless home networks are unprotected and accessible to neighbors and hackers. Moving from one end of the house to the other may cause the machine to associate with a rogue, neighboring access point, with resultant access to files and, potentially, the corporate network.

Connecting to the corporate network: Mobile users who fail to run anti-virus software, or neglect to keep signature files up to date, infect the corporate network with a virus or worm when they reconnect to the environment. Users also bring in viruses on USB thumb drives or diskettes.

Guidance on Endpoint Security Enforcement

The best way to reduce the risks associated with today's mobile, wireless workforce is enterprise endpoint security enforcement. The idea behind this approach is simple: protect the network and mobile data by enforcing client security policies that address the new and inherent security risks introduced as the enterprise shifts from stationary, wired networking to mobile computing.

Why would an organization want to do this? Consider the employee who is issued a new notebook PC to replace his or her aging desktop PC:

* When in the office, connected to the network via a wired connection on a desktop docking station, the security policy should allow unrestricted use of the notebook PC's hard drive, and access to only those portions of the corporate network for which the employee has appropriate rights.

* In the evening, as the employee works from home via a cable modem or DSL connection, the same security policy might disable the PC's wireless communications capability but keep the Ethernet port active.

* If the employee happens to be at a location with public Wi-Fi access (many coffee shops, airports, etc.), the security policy could also enforce VPN usage or disable all advanced networking, and allow access only to the local hard drive, preventing access to and from removable thumb drives and other external file-storage devices.

Though these measures might seem draconian, they are not at all unusual, and are highly desirable, for certain organizations, such as government, the military, or sensitive corporate environments. Endpoint security enforcement solutions provide a way to implement these long-desired, tightly controlled and highly adaptive security policies.

Policies are the Cornerstone

How is this done? An enterprise endpoint security enforcement solution creates granular policies, as many as necessary for an enterprise's diverse user groups, that are automatically downloaded to all endpoint devices (desktops, notebooks and tablet PCs) and stored in encrypted form on each device. This policy distribution capability should be able to reside outside the corporate firewall and, in fact, should be able to reside anywhere. Because the policy payload itself is protected, no SSL link should be required for secure policy transfer, which improves accessibility and avoids the associated performance cost.
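The two ideas in this section and the location scenarios above (a policy bundle that the endpoint can verify regardless of the transport, and a location-driven choice among policies that fails closed) can be sketched in a few lines. This is an added illustration, not code from the whitepaper or from any vendor product; the policy names, the key, and the `docked`/`interface` inputs are assumptions chosen to mirror the office, home and public Wi-Fi cases described above.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key. A real agent would hold a per-device key
# provisioned at enrollment (hypothetical), never a shared constant.
AGENT_KEY = b"constructed-demo-key-not-for-reuse"

# Constructed policy set mirroring the three scenarios in the whitepaper.
POLICIES = {
    "office_wired": {"wifi": True, "ethernet": True, "removable_storage": True, "require_vpn": False},
    "home_wired": {"wifi": False, "ethernet": True, "removable_storage": True, "require_vpn": False},
    "public_wifi": {"wifi": True, "ethernet": False, "removable_storage": False, "require_vpn": True},
}


def sign_policy(policies: dict, key: bytes) -> bytes:
    """Serialise canonically and append an HMAC-SHA256 tag, so integrity and
    origin are checked on the payload itself rather than relying on the link."""
    body = json.dumps(policies, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def verify_policy(bundle: bytes, key: bytes) -> Optional[dict]:
    """Return the policy set if the tag matches; None means the bundle was
    altered in transit or signed with the wrong key, so the agent must keep
    its last known-good policy instead of loading this one."""
    body, _, tag = bundle.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


def classify_location(docked: bool, interface: str) -> str:
    """Map the endpoint's network context to a policy name. Any context not
    explicitly recognised gets the most restrictive policy (fail closed)."""
    if docked and interface == "ethernet":
        return "office_wired"
    if interface == "ethernet":
        return "home_wired"
    return "public_wifi"


def enforcement_actions(policies: dict, docked: bool, interface: str) -> list:
    """List what the agent must do right now for the current location."""
    p = policies[classify_location(docked, interface)]
    actions = []
    if not p["wifi"]:
        actions.append("disable_wifi")
    if not p["ethernet"]:
        actions.append("disable_ethernet")
    if not p["removable_storage"]:
        actions.append("block_removable_storage")
    if p["require_vpn"]:
        actions.append("require_vpn")
    return actions
```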