The only truly secure computer is one that's unplugged and buried in a hole 6 feet deep, or so it's been said. Unfortunately, you can't disconnect and bury your servers to keep them safe. You can, however, move access control from the user domain to the device domain. Anyone can punch in a user name and password and gain access to a secure resource, but if a device must be checked out and approved in order to connect to a host, you're in control of who accesses your network.
There are a number of efforts under way to move the security management burden from enterprise resources to the connected devices. Companies such as Cisco and Sygate have differing methods of accomplishing end-point and network access management, but neither goes as far as Elementary Security's ECS (Elemental Compliance System).
ECS wraps metered network access control with granular policy management and exceptional reporting. Although ECS relies heavily on software agents deployed on "known" PCs and servers, it still enforces policies on PCs not running its agent by limiting or denying connections to hosts that do.
ECS isn't intended for small networks; it's a full-blown enterprise system that requires enterprise-level infrastructure. It also requires Oracle 10g as its database engine, although the company is considering supporting IBM DB2.
In my test, I was more than impressed by how well ECS does its job. I was able to view the overall security health of some of my lab servers and to locate ones that weren't up-to-date with Microsoft patches. To test the enforcement aspect of ECS, I created a directive that blocked access from a host that was found running a particular executable. When the program was running, I could not connect to any protected servers until I shut down the offending application.
Secret agent man
ECS is an agent-driven system. In this release, ECS manages as many as 4,000 agent-installed hosts and will track as many as 30,000 unknown hosts.
Agents collect and report to the server very detailed information about the hosts on which they're running. That information includes OS and patch level, IP and MAC addresses, CPU, hardware manufacturer, anti-virus status, whether the host is a laptop or a wireless device, and even if it's running services such as DNS, mail, or Web. The agents also look for user-defined attributes such as running processes. Based on all this (and other) information, ECS automatically places the host into one or more groups, which are collections of hosts that share a common criterion.
Admins bundle policies with groups to create directives, the long arm of the ECS enforcement arm. For example, I created a policy based on an existing NSA Windows XP security policy and deployed it to my Windows XP hosts group as a new directive. The system comes with a large list of built-in policies, and administrators can build their own based on existing rules or policies or from scratch.
The agents have a built-in packet filter, which is key to enforcing directives on the hosts. Depending on the host's group affiliation and the directives in place, the packet filter prevents communication with other hosts or a specific group of hosts. For example, a PC in the Accounting group could have a directive that prevents any communication with hosts in the Wireless group.
Known vs unknown
It's easy to see how this works with known hosts running agents. This approach becomes interesting in so far as how ECS handles hosts on which agents are not installed. Hosts with agents report communication with all other hosts (with or without agents) back to the ECS server. The system places agentless hosts in an "unknown" group. Depending on the current directive, known hosts can deny connections to these unknown systems not running the agent.
For instance, admins could prevent unauthorised access to the network by installing an agent on a DHCP or DNS server and creating a directive to deny connections from any unknown PC, locking out the PC by denying it an IP address and DNS information. Additionally, an agent on a server could deny a connection to any unknown host should an enterprising attacker manually set his or her IP information.
When a new directive is deployed, there's inherent latency associated with it. The agents periodically check in with ECS, roughly every three minutes, but if they are turned off or a laptop is out of the office, they may not update for days. ECS will try to poll all agents every 30 minutes to gather statistics and network traffic.
It's important to note that, because of this, ECS is not a replacement for a good IDS/IPS system. ECS enforces overall enterprise policy and doesn't try to prevent "point in time" attacks on the network. With the proper directives in place, it will go a long way toward limiting exposure and vulnerabilities.
Flexible and informative
I like that ECS isn't an all-or-nothing system. You can create and deploy a directive against a group of hosts and just sit back and collect information. After a few days, or weeks, you can generate a report and see how many hosts might be out of compliance with the policy. And by drilling down into the report, you can see the exact rule a host is violating. At this point, IT tech staff can correct the out-of-compliance item, enable packet filtering on the agents, and set up stricter traffic control on the network.
ECS's reporting module is deep and extensive. Admins can slice and dice views of the enterprise any way they choose. I was impressed by how much data was stored for each host and by how easy it was to create and view a report. I could view the underlying data, for example traffic by protocol or directive compliance, by clicking the host name in the report.
ECS is a major step toward enterprise-wide monitoring and access control. The packet filter-capable agents do the enforcement, whereas the back-end server handles the data collection, analysis, and policy management. The level of granularity is superb, and the reporting engine is second to none. I really like the concept of "reverse policy enforcement" to systems not running the ECS agent. For companies looking to get a handle on network access, ECS is well worth checking out.
ECS 1.1 does an exceptional job identifying hosts on the enterprise. Through its powerful policy engine, ECS can enforce connectivity restrictions based on a large number of criteria. The reporting capabilities are enormous, and the amount of information recorded is staggering. Although it won't replace a standard IDS, it does provide a potent platform for discreetly managing all hosts on the network.