The solution should be self-defending, making it impossible for a privileged end-user to bypass or otherwise defeat the security policy. This must include provisions for ensuring that the user cannot turn off the policy enforcement engine or otherwise cause it not to function.
A truly effective endpoint security solution should reside in the operating system kernel at the Network Driver Interface Specification (NDIS) driver layer for each network interface card (NIC). In fact, this is the strong recommendation from Microsoft itself. This ensures much higher security than first-generation firewall technology based solely on packet filtering or dirty hooks.
Additionally, the endpoint security solution should keep track of policy enforcement actions, as well as attempted attacks and activities, reporting back to an auditing service to ensure compliance with corporate policy as well as regulatory requirements.
Finally, such a solution should support a highly scalable security policy distribution architecture enabling existing IT staffs to keep thousands of enterprise users regularly and securely updated. It should integrate into the organization's Active Directory, NT Domains, and/or LDAP directory stores, instead of requiring yet another user database.
The threats discussed earlier indicate there are four key areas that must be addressed by an enterprise endpoint security enforcement solution:
* Mobile security enforcement
* Wireless connectivity control
* Enterprise-managed endpoint integrity checking
* Removable data storage device control
Each of these will be discussed briefly.
Mobile Security Enforcement
Enterprise endpoint security enforcement solutions must manage where and under what circumstances users are allowed to communicate, to protect critical data. This can be accomplished through a security software implementation integrated into the NDIS driver for each network interface card. Unsolicited traffic is stopped at the lowest levels of the NDIS driver stack by means of stateful packet inspection technology. This approach protects against unauthorized port scans, SYN Flood attacks, denial-of-service and other protocol-based attacks, in a way that optimizes security decisions and system performance. . .
Some managed firewall products purport to run 'deep inside the operating system kernel', but in fact use Transport Driver Interface (TDI) filters or hook drivers for security protection. TDI filters operate higher in the network protocol stack than NDIS intermediate drivers, so they can miss lower-level protocol attacks. As for hook drivers, Microsoft recommends they "should not be used in Microsoft Windows XP and later versions" of their operating system because [they also run] "too high in the network stack." Microsoft goes on to conclude "[t]o provide firewall functionality on Windows XP and later, you should create an NDIS intermediate miniport driver to manage packets sent and received across a firewall."(8)
Wireless Connectivity Control
Many IT managers believe they do not have a wireless connectivity problem because a) they do not allow wireless in their organization, or b) they have implemented a secure wireless network for their users, In fact, both situations require endpoint-based connectivity control. In the first instance, where wireless is not allowed, IT needs a way to enforce this. Since virtually all portable computers are wireless-capable, they can easily circumvent the prohibition.
In the second instance, it is easy for an organization's users to inadvertently connect to a neighboring WLAN, thus bypassing all the security built into the corporate WLAN. Access point connectivity should be controlled by group and location, allowing authorized network and service access while preventing connection to rogue, or unauthorized, access points. Even if the corporate WLAN is secure, hotspots and home networks often are not, and any data that happens to be on the endpoint is at risk.
Enterprise-Managed Endpoint Integrity Checking
Several aspects of the mobile PC must be checked to ensure safe operation. If the integrity checks pass, connectivity is allowed. Should any integrity check fail, connectivity is restricted until integrity issues are resolved, by either notification or updating.