Traditionally, companies have protected their computers from attack by using firewalls that stop unauthorised access to the network. But what about the dangers from authorised access?
All good IT managers control their PCs with an iron fist, ensuring, for example, that they are up to date with the latest anti-virus and anti-spyware updates. But mobile employees who leave the building with company laptops take those computers outside the IT department’s control, meaning that they could be compromised.
People reconnecting to the network, either over a secure link from outside the office or by plugging a laptop back into the network, may be authorised, but the IT managers cannot be sure that their PCs are totally clean. Operating system patches may not have been applied, anti-virus updates may be out of date, or unauthorised software may have been installed.
This means that mobile employees and visitors to the company connecting their laptops to the network can pollute the whole system with worms and viruses. Gartner Group research director Lawrence Orans recounts a story told to him by a client about a visiting photocopier repair engineer. Connecting his laptop into the corporate network to download a software patch from the internet, he became infected by a worm which then spread to the rest of the network.
Companies are working together to solve the problem using technology that vets computers before they are allowed to access company resources. Quarantine technologies detect when a machine tries to connect to the network and scan the PC to ensure that it is up to date with anti-virus signatures and with patches to operating systems and applications.
Network equipment company Cisco has led the field with its Network Access Control technology. It uses a software agent installed on a PC to verify that the machine is safe. Administrators can set policies that send non-compliant machines to a cordoned-off part of the network. That subnetwork might allow them to surf the internet, but might not let them near the company’s other computers.
Cisco is working with industry partners selling anti-virus and configuration management software, so that their products can be used to bring non-compliant computers up to date before allowing them back on to the company network.
“The whole idea of NAC is to prevent infections from spreading to other machines on the network. It’s about reducing all of the costs and the business disruptions,” says Philippe Roggeband, product manager at Cisco.
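The admission decision described above (an agent reports the machine’s state, a policy decides whether it is compliant, and non-compliant machines land on a cordoned-off subnet that can reach the internet but not internal hosts) can be illustrated with a small posture-check policy engine. This is an added example, not Cisco’s, Microsoft’s or the TCG’s code; the field names, thresholds, segment names and patch identifiers are assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed sample data and policy; the field names, thresholds and
# patch identifiers are placeholders for this illustration, not those of
# any real NAC product.


@dataclass
class Posture:
    """What the endpoint agent reports when a machine tries to connect."""
    host: str
    av_signature_date: date
    installed_patches: set
    installed_software: set
    agent_present: bool = True


@dataclass
class Policy:
    """What the administrator requires before granting corporate access."""
    max_signature_age_days: int
    required_patches: set
    banned_software: set


# Network segments: the quarantine subnet reaches the internet (so patches
# and signatures can be fetched) but not the internal address space.
SEGMENTS = {
    "corporate": {"reach": ["internet", "internal"]},
    "quarantine": {"reach": ["internet", "remediation-server"]},
}


@dataclass
class Decision:
    host: str
    segment: str
    reasons: list = field(default_factory=list)


def assess(posture: Posture, policy: Policy, today: date) -> Decision:
    """Compare one posture report against the policy and choose a segment."""
    reasons = []
    if not posture.agent_present:
        # With no agent report the machine cannot be verified at all,
        # so it is treated exactly like a known non-compliant one.
        reasons.append("no posture agent: host state cannot be verified")
    else:
        age = (today - posture.av_signature_date).days
        if age > policy.max_signature_age_days:
            reasons.append(f"anti-virus signatures are {age} days old "
                           f"(limit {policy.max_signature_age_days})")
        missing = sorted(policy.required_patches - posture.installed_patches)
        if missing:
            reasons.append("missing patches: " + ", ".join(missing))
        banned = sorted(policy.banned_software & posture.installed_software)
        if banned:
            reasons.append("unauthorised software: " + ", ".join(banned))
    segment = "corporate" if not reasons else "quarantine"
    return Decision(posture.host, segment, reasons)


def assess_all(postures, policy, today):
    """Map every connecting host to the decision made for it."""
    return {d.host: d for d in (assess(p, policy, today) for p in postures)}


# Constructed sample: one compliant desktop, one stale laptop, and one
# visitor's machine with no agent (like the repair engineer's laptop).
POLICY = Policy(max_signature_age_days=3,
                required_patches={"KB-EXAMPLE-1", "KB-EXAMPLE-2"},
                banned_software={"p2p-client"})
TODAY = date(2006, 6, 1)
SAMPLE = [
    Posture("desk01", date(2006, 5, 31),
            {"KB-EXAMPLE-1", "KB-EXAMPLE-2"}, {"office"}),
    Posture("lap07", date(2006, 5, 10),
            {"KB-EXAMPLE-1"}, {"office", "p2p-client"}),
    Posture("visitor", date(2006, 5, 31), set(), set(), agent_present=False),
]

if __name__ == "__main__":
    for d in assess_all(SAMPLE, POLICY, TODAY).values():
        print(d.host, "->", d.segment, SEGMENTS[d.segment]["reach"])
        for r in d.reasons:
            print("   ", r)
```

The point of returning the reasons alongside the segment is that the quarantine subnet is meant to be a remediation path, not just a penalty box: the same list tells the remediation tooling (the anti-virus and configuration management products mentioned above) what has to be fixed before the machine is re-assessed and let back on to the corporate segment.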
Microsoft has been slower on the uptake. The company shipped an early quarantine technology called Network Access Quarantine Control in Windows Server 2003, but it only supported remote connections, rather than laptops connecting inside a company’s network.
The company originally planned to ship its newer quarantine technology, the Network Access Protocol, in an update to Windows Server 2003 towards the end of last year. It then delayed the technology until its next major version upgrade.
Now, the first version of desktop Windows to support NAP will be the Vista PC operating system, which is supposed to ship in November this year. But the technology requires a server operating system to support it, which will not arrive until the Longhorn Server operating system is available in market-ready form later next year. By the time companies decide to take the plunge, it could well be 2008 before Microsoft NAP is used in anger.
The third major piece in this puzzle is the Trusted Computing Group (TCG), which has formed the Trusted Network Connect (TNC) working group. This initiative pulls together multiple industry partners to produce a standard for network quarantining technology.
How the technologies will work together is not yet defined.
Another part of the quarantining movement is virtual operating systems that run side by side on the same PC. Users can switch between them without having to restart their computers, enabling employees to use one operating system at home and another “clean” system when connecting to the network.
Overall, network quarantining is available, but companies are still waiting for standards to settle down. Once that happens, the average corporate network could be a safer place.