What's the difference between a PC sitting on a desktop at company headquarters dedicated to work and one on a kitchen countertop that an employee occasionally uses for work — when family members aren't e-mailing friends, paying bills, researching school projects or playing games on it? Nothing, according to a growing number of enterprise security managers.
As Kerry Anderson, vice president and information security officer at Fidelity Investments Brokerage, sees it, "There are personal machines and company machines, but you have to have a lowest common denominator for security on them."
Anderson and other security managers are starting to provide employees basic protection for their home PCs, as well as evaluating what other types of security products are necessary to keep all clients safe. Today's basic protection to-do list always includes installing antivirus software, but more frequently now it also features should- or might-haves such as a personal firewall, an intrusion-detection program or a VPN client to encrypt remote communications. Some IT managers also lock down desktop applications to prevent unauthorised use or install behaviour-blocking software, such as the Okena StormWatch product Cisco Systems recently acquired, to prevent new computer worms or other harmful bugs from ravaging the local registry.
At Fidelity, employees must use personal firewalls and antivirus software, which the company pays for, on home PCs. The Boston financial-services firm manages the antivirus updates remotely using Symantec Corp.'s LiveUpdate feature and blocks network access until users have updated the antivirus software with the latest signatures. And this year, as it upgrades corporate PCs to Microsoft's XP desktop operating system, Fidelity intends to lock down PCs so employees can't use unauthorised software such as online games and inadvertently allow Trojans on the network. It will push out desktop security settings to XP-based desktops via Microsoft Management Console or Active Directory. The company also will be able to configure XP as a desktop firewall.
Configuresoft is another vendor offering IT managers the chance to push out security template settings and enforce the use of desktop security software and virus-signature updates. With Enterprise Configuration Manager, users must have the security application running to gain network access; remote employees cannot turn off the antivirus function to speed computer processing and expect to tap into corporate network resources, for example. One step ahead of Microsoft capabilities at the moment, the Configuresoft product also will do remote audits and generate reports.
Buy off the menu or shop around?
Antivirus giants Network Associates and Symantec bundle desktop firewall and intrusion-detection functions in their respective McAfee Active Client Security and Client Security products. Third-ranked Trend Micro partners to provide increased functionality. For instance, Trend Micro's desktop antivirus software works with Check Point desktop VPN software so that every time a user establishes a remote connection, the VPN enforces use of the antivirus software and the latest virus-signature updates.
A strategy question facing every enterprise IT manager is whether to buy desktop security products from one vendor or shop around for point products. Long-term buying trends suggest small businesses primarily prefer to buy from one vendor, while larger firms are willing to put an array of products through laborious testing and review.
That kind of scrutiny paid off for Casey Family Programs, a Seattle social-services support organisation, when trying to determine the best desktop firewall to deploy. Sandy Basik, director of security at Casey, uncovered a number of integration issues when she analysed desktop firewalls with an eye toward bringing remote and home-use firewalls under corporate network management control.
"There are firewalls you can push to the home and still integrate into the corporate environment, through lockdown, so they can't be changed," Basik says. "Our corporate policy says non-Casey assets are not permitted to be connected to the corporate network."
Basik says she found the WatchGuard small office/home office doesn't work well with the Check Point Software Technologies Firewall-1. But, with a Cisco Systems PIX firewall and a Nokia. VPN, several software-based personal firewall products appear to work well on the desktop. These include The Zone Alarm Pro, Sygate's personal firewall, the Tiny Personal Firewall and Internet Security Systems' Black Ice. Hardware-based personal firewalls that worked well include Global Technology Associates' Gnat Box and those from NetScreen Technologies and Linksys Group, she says.
Safety in numbers
Some organisations favour a multivendor strategy. For example, the Defense Information Systems Agency has agreements with Network Associates and Symantec to provide antivirus software to the US military, which pays for home use of protection software. (Acknowledging that customers often use rival products, Network Associates and Symantec have adapted their management consoles to monitor and manage each other's desktop antivirus products.)
Prudential Financial relies on McAfee Security as its primary desktop antivirus vendor, but maintains relationships with other antivirus vendors because "some are faster than others" in identifying new viruses and preparing signature updates, says Kathy Kirk, director of information security at the Newark, NJ, company. Prudential allows access over the Internet to home workers, as long as they're using business-subsidised antivirus software. "Desktop protection is your last line of defence from external threats and your first line of defence from internal threats," Kirk says.
For enforcement, Prudential uses Sygate Technologies's Enterprise Security Client, which is loaded on each employee machine. IT can remotely manage and configure the Sygate software, granting or denying access based on time of day, patch level of the operating system or virus-signature update, for example, Kirk explains. "If it's not on the client," she adds, "you can't get into the network."