Endpoint security: Guard your network at the desktop

As the attacks and threats to computer networks have expanded -- now including phishing attacks and spyware among other things -- and the traditional definition of the network perimeter has disappeared, the rules have changed. Now, users carry PDAs and cell phones that are connected to the corporate network. They use laptops with wireless connections, transport data on USB flash drives and have all but negated the concept of outside or inside the network.

With these changes in how we use and transport data and the increasingly clever attacks designed to compromise and steal that data, the line of defense has moved from the perimeter to the desktop or other endpoint device. Securing the endpoint is the primary focus for most companies and security administrators now, and there is an ever-expanding selection of products aimed at helping them do just that.

It is common for desktop machines to be running antivirus software locally, and many organizations include other security software such as personal firewalls or antispyware at the desktop level as well. Organizations that employ a HIDS (host intrusion detection system) or HIPS (host intrusion prevention system) for additional monitoring and protection are becoming more common.

However, even with those tools installed, some administrators may not keep the systems up to date with the most current versions, and rogue systems that join the network still pose a risk. By taking advantage of some type of endpoint security verification, companies can make sure that insecure or unprotected systems are not allowed to connect to the network.

You can use Cisco Systems Inc.'s NAC (Network Admission Control) or StillSecure's Safe Access to assess the overall security of devices before they are allowed to connect to the network and then block or redirect those systems that do not comply with security policy or have out-of-date security software.

Products such as Centennial Software Ltd.'s DeviceWall take endpoint security one step further and lock down the ability of the endpoint to work with certain devices. Using DeviceWall, you can restrict the ability to use USB drives, digital cameras, MP3 players or even CDs or DVDs with the system. Designated users or groups can be assigned permission to use any or all of these portable storage methods, and the software can automatically encrypt data that is written to removable storage devices. SecureWave's Sanctuary and Smartline Inc.'s DeviceLock provide similar protection.

A key consideration when you are investigating endpoint security options is the administrative overhead of implementing and managing the product. If an endpoint security product requires an agent of some sort to be installed, it can be a logistical headache for the IT department and will not offer any protection against rogue devices that connect to the network without the agent software installed.

About the author: Tony Bradley is a consultant and writer with a focus on network security, antivirus and incident response. He is the About.com Guide for Internet / Network Security, providing a broad range of information security tips, advice, reviews and information. Tony is co-author of Hacker's Challenge 3 and author of the upcoming Essential Computer Security. He also contributes frequently to other industry publications. For a complete list of his freelance contributions you can visit S3KUR3.com.

Rate this Tip To rate tips, you must be a member of SearchWindowsSecurity.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Hardware Free security testing tools for Windows handheld devices Windows mobile security: Get it locked down Limit network access points to boost endpoint security Network security assessment for network infrastructure Managing Windows network access on additional servers Windows Server 2008: Looking good on the security front Conquer forgotten Windows passwords with Password Reset Wizard USB encryption security for Windows: IronKey review Why you should plan Windows network security tests What should I be asking a security vendor? Hardware Research Network Firewalls Network security assessment for network infrastructure Hacking for Dummies, 2nd edition: Chapter 9 How can I disable file transfer in MSN Messenger? Hacking for Dummies: Test your firewall rules Setting up IPsec bypass Automatic exceptions: IPsec bypass The hacker handbook: Eleven tips in eleven minutes Wireless network security testing Cisco patches flaws in multiple products Rootkits: Managing the threat with prevention measures Network Infrastructure security Kerberos authentication for network login on non-Windows networks Plan for a security breach, step by step Hunting down a hacker Contacting the domain controller Define server roles, counterattack zero-day threats Unsecured devices worry IT professionals Step-by-step guide: Hacking file servers Step 1: Exploiting a missing patch Step 2: Sniffing the network for juicy info Step 4: Executing related hacks that indirectly affect file servers RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.