Cisco, others plan to ban insecure PCs

Cisco Systems has teamed up with three top antivirus companies in a security initiative intended to ban insecure mobile devices from corporate networks.

The initiative, dubbed the Network Admission Control program, would allow companies to set their network devices to refuse connections from any mobile PCs or devices that fail to meet corporate security policies, such as not having the latest software patches and antivirus updates. Antivirus companies Network Associates, Symantec and Trend Micro joined Cisco in making the announcement Tuesday.

		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

The plan is meant to combat one of the common weaknesses of company networks: workers who log on from outside a company using insecure PCs or who bring those computers inside the company and connect to the network.

"Currently, no check is made to see if the PC is compliant with corporate security policies," Charlie Giancarlo, senior vice president of product development for Cisco, said on a conference call Tuesday. "The user might become infected at home or through a hotel Internet connection...(and) immediately spread a worm throughout a corporate networks."

The move by the companies is a reaction to recent computer worms and virus epidemics that have managed to spread into businesses due in large part to the insecure PCs mobile workers use. Both the Slammer worm in January and the MSBlast worm in August were able to get past corporate defenses by hitching rides on the laptops of mobile workers who were lax with security.

"The explosion of wireless, mobile devices and pagers has made the corporation much more vulnerable to attack through the devices," said George Samenuk, CEO of Network Associates.

Other companies have reacted to the problems the worms have highlighted. Microsoft announced in October that it would augment its focus on securing its software through patching, because the earlier system of updates hasn't been able to stem the epidemics. Other companies, including Internet service providers, have blocked certain types of traffic for weeks at a time to stop threats.

Putting agents in place
Cisco's Network Admission Control program would enable companies to install on every PC and mobile device a client, called the Cisco Trust Agent, which could attest to certain levels of security, such as whether the device has been recently patched or has the latest virus recognition files. Antivirus software makers would modify their products to provide information to the software that could be used by companies to determine how secure the PC might be.

Giancarlo stressed that completely locking out mobile users is not an answer. "Clearly, the solution is not to eliminate one of the most important aspects of these devices: their mobility," he said.

The secure connections that allow employees to connect to the internal corporate network from home, virtual private networks, are also seen as a major threat to businesses' security.

Cisco has already focused on delivering such connectivity in its products. Earlier this month, the company announced an upgrade to the Cisco VPN 3000 Concentrator to add secure network functionality, dubbed WebVPN, based on the Secure Sockets Layer protocol browsers widely use.

Cisco's concentrators are network devices that act as central connection points for virtual private networks and, as such, are an ideal place to put in additional network defenses.

However, the technology won't work unless security software can tell the Trusted Agent application the current state of security on the computer or mobile device.

"This important problem can't be addressed individually," said John Thompson, CEO of Symantec. "Collaboration is a must."

The technology might also spur sales of PCs and devices that use trusted-computing hardware--controversial technology that uses encryption, special memory and security software to lock away secrets on a PC from prying eyes. Adding further protections to the system that attests to the security of a computer owned by a company is a reasonable use of the system, said Bob Gleichauf, chief technology officer for the Network Admission Control program at Cisco.

"We need a trust boundary between the network and these devices, and the system needs hardware and software to do that," he said.

Cisco plans to introduce the technology in the middle of 2004.