Whitepaper: The Peril of Unsecured Endpoints

Guidance on how to limit risk - but not productivity on endpoint decices - desktops, laptops and notebook computers

For example, as part of a mobile security policy, antivirus integrity checking verifies that the endpoint's antivirus software is running and current with the latest virus signatures and definitions. By establishing integrity rules to automatically place policy violating devices into a safe, quarantine zone, infection of other network users is prevented.

* Policies can mandate immediate remediation, restricting a user to specific updates until the mobile endpoint is in compliance

* Customized messages should be used to alert the end-user that action is being taken for a reason, and they need not call the help desk.

* Additionally, integrity rules should be able to trigger other policy settings based on time, location, connection status, etc.

Storage Device Control

Endpoint policy enforcement products should enforce corporate policies regarding storage of information onto locally attached USB thumb drives or writeable CD drives. Such control could also prevent theft of data from unattended desktops and notebook PCs. Control should be enforced by location, depending on the threat profile. Such control could include any of the following:

No local data device control. All local storage devices are available.

Local data storage devices disallowed. Only the local hard drive is available; all other local storage media are disallowed. (Data cannot be copied to a USB device, for example.)

Local data devices disallowed except CD/DVD drives. Only the local hard drive and any CD/DVD drives are available. Users can access data stored on CDs or DVDs, and can write to CD-R/RW or DVD+/-R/RW devices. All other local storage media is disallowed.

In Summary

An enterprise endpoint security enforcement product should effectively and efficiently balance security and productivity for all users, regardless of whether they are connecting to the Internet or the corporate network via a desktop or mobile device. The following table shows the most critical features and benefits of such a solution.

Endpoint Security Enforcement Product Features

Operating system kernel-layer managed stateful firewall: Ensures a much higher level of security than first-generation firewalls based solely on packet filtering or hooks at higher levels of the protocol stack

Highly scalable security policy distribution: Keeps thousands of enterprise users regularly and securely updated both inside and outside the corporate network's managed security perimeter

Location-based controls: Allows security permissions to change dynamically as users move across different networks and encounter different risks worldwide

Protects mobile endpoints at the network adapter, regardless of how they connect to the Internet: Assures safety of data contained on mobile PC hard drives by shutting down all output devices and ports

Centralized IT control of WiFi connectivity: Simplifies compliance with corporate security policy guidelines

Advanced WLAN control (up to and including complete radio silencing): Allows management of every phase of an organization's wireless deployment


1 Gartner ITxpo Symposium, October 2002, Orlando, Fla.

2 Gartner Wireless & Mobile Summit, Spring 2004, Chicago, IL

3 Ryan Crum, wireless security specialist at PricewaterhouseCoopers, as quoted in Living in Wireless Denial, CIO Magazine, September 15, 2004 Issue

4 Craig Crossman, May 2004.

5 FBI and CSI Statistics for 2002

6 IDC, Feb. 4, 2003.

7 Meta Group 7/10/03

8 Microsoft Corporation, Network Devices and Protocols: Windows DDK, June 6, 2003

About Senforce Technologies Inc.

Senforce is a leader in policy-enforced endpoint security. Senforce Enterprise Mobile Security Manager (EMSM) ensures central management and control of all computing clients regardless of a user's location or method of accessing the Internet. It provides protection against exposure and risk caused by intrusion, unauthorized access, loss, theft, malware/viruses, unauthorized downloads or software removal, altered security or configuration settings, and more. Powerful standards-based core technologies ensure a higher level of security and management than available previously. The company is headquartered Draper, Utah, with executive offices in the Silicon Valley, California, and sales offices in Illinois, New York, and Washington, D.C. Senforce is privately-held and funded by Thomas Weisel Venture Partners, vSpring Capital, Rocket Ventures, American River Ventures and EsNet Group. The company serves customers primarily in the government, corporate, financial and healthcare sectors. For more information, visit www.senforce.com or call 1-877-844-5430.