Jay Butler, Senior Technical Consultant
The popularity of USB flash drives (thumb drives) and other handheld mobile devices has renewed focus on endpoint security; however, endpoints are actually a broader area where much is already being done. Think of an endpoint as anything with the means to access business information system resources: workstations, servers, laptops, the aforementioned personal devices, and even users themselves. Fortunately, existing security controls already provide basic protection for the most common endpoint, the networked computer.
Workstations and servers on the network are protected with layered security that typically includes firewalls, intrusion prevention devices, antivirus, content filters, and other strict access controls. Laptops must also include full-disk encryption to prevent data leakage should the machine be lost or stolen, and a personal firewall for protection while connected to remote networks. As for people, businesses usually screen the employees they hire and provide training that covers basic security principles such as not sharing passwords. While secure networks include these basics and much more, many overlook the emerging threat of less obvious endpoints, some as small as a watch battery.
Readily available flash memory cards can hold as much as 4 gigabytes of data, and their larger counterparts, including USB thumb drives, hold 8 gigabytes or more. Digital cameras, iPods/media players, Blackberry devices, Pocket PC/Windows Mobile devices, Palm devices, and Smart Phones all contain flash memory. In networks without specialized protection, users can freely connect any such device, enabling massive data transfers at their discretion. Downloads from the network risk exposing private business information and software to hackers, data thieves, or other unintended parties. Uploads from the same devices expose the network to unauthorized software installations, including malware (viruses, Trojans, spyware, etc.), and threaten to waste valuable network resources on uploads of personal pictures and music. Other endpoints such as portable hard drives, optical discs (CD/DVD), and floppy disks pose the same risk in varying degrees.
Endpoint security software provides precise control over the vast array of devices by managing connection points including USB, Bluetooth, parallel (LPT), serial (COM), FireWire, floppy, CD/DVD, WiFi, and infrared. Administrators choose who has access to approved devices, so that USB keyboards and mice may be allowed for everyone while iPods and digital cameras are blocked. Most software integrates with Active Directory to manage the endpoints based on users, computers, and groups for maximum flexibility. User-based control enables exceptions where individual needs vary, and policies follow the user to any computer he/she may use on the network. Device access may be completely barred or restricted to “read-only” or “write-only,” so Administrators may be allowed to read CDs for software installations but not write to them. Look for software that applies the security offline as well as online, to ensure laptops can be controlled while off premises.
After reviewing software from several manufacturers including DeviceWall, GFI Endpoint Security, DeviceLock, and Senforce, I have narrowed the focus down to GFI Endpoint Security and DeviceWall. Senforce provides more sophisticated security features than needed for most environments, which makes it far more expensive (at about $65 per computer). DeviceLock and GFI each offer almost exactly the same features, but GFI is a bit less expensive at $15-$25 per computer. DeviceWall costs about $25-$28 plus a $4-$5 maintenance agreement per computer; however, it provides a few features that GFI appears to lack in my preliminary research/testing [1].
DeviceWall includes enforceable encryption for USB flash memory sticks, so users can be allowed use of them as long as they are encrypted; GFI can only block or allow access. DeviceWall can easily disable wireless internal NICs usually found in laptops. I found the auditing function in DeviceWall superior to that of GFI. Because it can be used to track existing usage patterns, Administrators can determine legitimate user needs prior to any policy enforcement. I found this very useful in maintaining legitimate user functionality while applying new controls. Both manufacturers offer a 30-day trial, free of charge, so you can give them a test run before making a purchase.
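The two capabilities described above, auditing existing device usage before enforcement and then restricting a device class to read-only, can also be approximated with controls built into Windows itself. The following PowerShell script is an added example and is not code from the article, from DeviceWall, or from GFI. It assumes a Windows host where you hold local administrator rights; the registry paths are the ones behind the Group Policy settings under Computer Configuration > Administrative Templates > System > Removable Storage Access, and the device-class GUIDs are the standard Windows values for removable disks and CD/DVD drives. The function names and the `$Mode` parameter are this example's own.

```powershell
# Added example (not from the article, DeviceWall or GFI): built-in Windows
# removable-storage control plus a quick audit of attached USB storage devices.
# Run from an elevated PowerShell session. Policy values written here take
# effect after a reboot (or after gpupdate /force when delivered by Group Policy).

# Registry root behind the "Removable Storage Access" Group Policy settings.
$PolicyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Standard Windows device-class GUIDs used by those policies.
$RemovableDisk = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'   # USB flash drives, portable hard disks
$CdDvd         = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'   # optical drives

# Audit: list every USB mass-storage device Windows has enumerated on this host.
# Windows records each one under Enum\USBSTOR, so this shows usage patterns
# before any policy is enforced (the step the article recommends).
function Get-UsbStorageHistory {
    $enum = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $enum)) { return @() }
    Get-ChildItem $enum | ForEach-Object {
        $deviceType = $_.PSChildName            # e.g. Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>
        Get-ChildItem $_.PSPath | ForEach-Object {
            $props = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                DeviceType   = $deviceType
                InstanceId   = $_.PSChildName   # usually the device serial number
                FriendlyName = $props.FriendlyName
            }
        }
    }
}

# Enforce: set one device class to ReadOnly (Deny_Write), Blocked (Deny_Read and
# Deny_Write) or Allowed (policy key removed). Machine-wide; per-user exceptions
# need the matching User Configuration policy instead.
function Set-RemovableStoragePolicy {
    param(
        [Parameter(Mandatory)][string]$ClassGuid,
        [Parameter(Mandatory)][ValidateSet('ReadOnly', 'Blocked', 'Allowed')][string]$Mode
    )
    $key = Join-Path $PolicyRoot $ClassGuid
    if ($Mode -eq 'Allowed') {
        if (Test-Path $key) { Remove-Item $key -Recurse }
        return
    }
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'Deny_Write' -Type DWord -Value 1
    $denyRead = if ($Mode -eq 'Blocked') { 1 } else { 0 }
    Set-ItemProperty -Path $key -Name 'Deny_Read' -Type DWord -Value $denyRead
}

# Usage, matching the article's scenario: review what has been plugged in so far,
# then allow CDs to be read for software installations but not written, and make
# USB flash drives read-only as well.
Get-UsbStorageHistory | Format-Table -AutoSize
Set-RemovableStoragePolicy -ClassGuid $CdDvd         -Mode ReadOnly
Set-RemovableStoragePolicy -ClassGuid $RemovableDisk -Mode ReadOnly
```

This covers only the storage classes and only machine-wide policy; it does not enforce encryption on flash drives, disable internal wireless NICs, or manage Bluetooth, infrared, or serial ports, which is exactly the gap the commercial products in the article are meant to fill.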
Mobile endpoint devices are one of the weakest links in computer security because they operate outside the network perimeter, where existing security controls rarely extend. The relatively small cost of deploying a solution is far outweighed by the risk of leaving so many endpoints completely open on the corporate LAN. Please keep in mind that the most recent version of Symantec Antivirus Corporate Edition has just been released under a new name, Symantec Endpoint Protection, so your solution may be only an upgrade away.
[1] I have performed limited testing only and provide this information as a preliminary overview. A full evaluation should be performed prior to choosing an endpoint solution.