The only truly secure computer is one that’s unplugged and buried in a hole six feet deep — or so it’s been said. Unfortunately, you can’t disconnect and bury your servers to keep them safe. You can, however, move access control from the user domain to the device domain. Anyone can punch in a user name and password and gain access to a secure resource, but if a device must be checked out and approved in order to connect to a host, you’re in control of who accesses your network.
There are a number of efforts under way to move the security management burden from enterprise resources to the connected devices. Companies such as Cisco and Sygate have differing methods of accomplishing end-point and network access management, but neither goes as far as Elemental Security’s ECS (Elemental Compliance System).
ECS wraps metered network access control with granular policy management and exceptional reporting. Although ECS relies heavily on software agents deployed on “known” PCs and servers, it still enforces policies on PCs not running its agent by limiting or denying connections to hosts that do.
ECS isn’t intended for small networks; it’s a full-blown enterprise system that requires enterprise-level infrastructure. It also requires Oracle 10g as its database engine, although the company is considering supporting IBM DB2.
In my test, I was more than impressed by how well ECS does its job. I was able to view the overall security health of some of my lab servers and to locate ones that weren’t up-to-date with Microsoft patches. To test the enforcement aspect of ECS, I created a directive that blocked access from a host that was found running a particular executable. When the program was running, I could not connect to any protected servers until I shut down the offending application.
ECS is an agent-driven system. In this release, ECS manages as many as 4,000 agent-installed hosts and will track as many as 30,000 unknown hosts.
Agents collect and report to the server very detailed information about the hosts on which they’re running. That information includes OS and patch level, IP and MAC (media access control) addresses, CPU, hardware manufacturer, anti-virus status, whether the host is a laptop or a wireless device, and even whether it’s running services such as DNS, mail, or Web. The agents also look for user-defined attributes such as running processes. Based on all this (and other) information, ECS automatically places the host into one or more groups, which are collections of hosts that share a common criterion.
Admins bundle policies with groups to create directives, the long arm of ECS enforcement.
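As an added illustration (it is not Elemental Security’s code and does not reproduce the ECS data model), here is a small Python model of the mechanism the two paragraphs above describe: agent-reported attributes place a host into groups by criterion, and a directive binds a policy to a group. The group names, the patch-level threshold, the forbidden process name, the host inventory and the “monitor” action are all constructed for this example; hosts without an agent get a separate default decision, following the earlier point that ECS limits or denies connections from unknown hosts.

```python
"""Toy model of attribute-driven groups and directives.

Added example only; names, thresholds and inventory are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

REQUIRED_PATCH_LEVEL = 10          # constructed threshold, not a real patch baseline
FORBIDDEN_PROCESS = "forbidden_tool.exe"  # constructed process name


@dataclass
class Host:
    name: str
    has_agent: bool                 # an unknown host reports no attributes at all
    attrs: dict = field(default_factory=dict)


@dataclass
class Group:
    """A collection of hosts sharing one criterion evaluated on agent data."""
    name: str
    criterion: Callable[[Host], bool]


@dataclass
class Directive:
    """A policy bundled with a group: 'deny' blocks, 'monitor' only records."""
    name: str
    group: Group
    action: str


GROUPS = [
    Group("unpatched", lambda h: h.attrs.get("patch_level", 0) < REQUIRED_PATCH_LEVEL),
    Group("runs_forbidden_tool", lambda h: FORBIDDEN_PROCESS in h.attrs.get("processes", [])),
    Group("laptops", lambda h: bool(h.attrs.get("laptop", False))),
]
GROUP_BY_NAME = {g.name: g for g in GROUPS}

DIRECTIVES = [
    Directive("block-forbidden-tool", GROUP_BY_NAME["runs_forbidden_tool"], "deny"),
    Directive("block-unpatched", GROUP_BY_NAME["unpatched"], "deny"),
    Directive("watch-laptops", GROUP_BY_NAME["laptops"], "monitor"),  # collect only
]


def groups_for(host: Host, groups=GROUPS) -> List[str]:
    """Automatic group placement from reported attributes; no agent, no groups."""
    if not host.has_agent:
        return []
    return [g.name for g in groups if g.criterion(host)]


def decide(host: Host, directives=DIRECTIVES,
           unknown_host_action: str = "deny") -> Tuple[str, List[str]]:
    """Return (decision, names of matched directives) for a connection attempt.

    Any matching 'deny' directive wins; 'monitor' matches are reported but
    never block, which is the sit-back-and-collect mode.
    """
    if not host.has_agent:
        return unknown_host_action, ["no-agent"]
    member = set(groups_for(host))
    matched = [d for d in directives if d.group.name in member]
    decision = "deny" if any(d.action == "deny" for d in matched) else "allow"
    return decision, [d.name for d in matched]


# Constructed inventory standing in for agent reports.
INVENTORY = [
    Host("srv-patched", True, {"patch_level": 12, "antivirus": "up-to-date"}),
    Host("lt-stale", True, {"patch_level": 7, "antivirus": "up-to-date", "laptop": True}),
    Host("ws-tool", True, {"patch_level": 12, "processes": ["explorer.exe", FORBIDDEN_PROCESS]}),
    Host("lt-ok", True, {"patch_level": 12, "laptop": True}),
    Host("unknown-1", False),
]


def report(inventory=INVENTORY) -> Dict[str, Tuple[str, List[str]]]:
    """Decision per host, the shape a compliance dashboard would summarise."""
    return {h.name: decide(h) for h in inventory}


if __name__ == "__main__":
    for name, (decision, why) in report().items():
        print(f"{name:12} {decision:5} {', '.join(why) or '-'}")
```

Running the block prints one line per host; the laptop that is both stale and a laptop is denied by the patch directive while the laptop-watch directive merely records the match, and the agentless host falls through to the configured default.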
I like that ECS isn’t an all-or-nothing system. You can create and deploy a directive against a group of hosts and just sit back and collect information. ECS is well worth checking out.