Multivendor approaches to network access control and policy enforcement will be a long time coming

One of the new features in the accompanying review of centrally managed client security solutions provides the ability to cut off offending clients, or even entire LAN segments, from the rest of the network. On one hand, this feature implies that computers or groups of computers would undergo a sort of constant triage to determine whether they were too sick to survive on the enterprise network. On the other hand, it suggests that an automated system would be deciding whether an entire group of users might be cut off from the world because it thought there was a security violation.

You can see the obvious issue. How do you isolate computers infected with viruses or worms, or that simply aren’t sufficiently protected, without preventing people from getting their work done and affecting the productivity of the organization? That’s the conundrum of quarantine, and it’s a puzzle that will be with us for a while.

In case you wondered, the future is firmly on the side of increased network access control. If offending machines aren’t removed from the network, it’s clear that the whole network will suffer. And vendors of the endpoint products we reviewed, each of which is trying by one means or another to lock out offending machines, aren’t the only heavyweights addressing the problem.

Cisco’s NAC (Network Admission Control) initiative, which includes McAfee and Trend Micro as partners, among others, is a means by which a security monitor can alert a router that there’s a badly behaved computer on the network. The problem might be anything from out-of-date anti-virus software to an active outbreak of Slammer worms. In any case, the management software will direct the router to isolate the segment with the problem, protecting the rest of the network. Software to support this capability is spreading rapidly. Trend Micro already included it in this test.
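The triage the article describes (a monitor evaluates each endpoint, a management system tells the enforcement point what to block) can be sketched as a small policy engine. The following is an added illustration, not code from the review or from any NAC vendor; the posture fields, the seven-day signature threshold and the "isolate the whole segment only when most of it is infected" rule are assumptions chosen to show how per-host quarantine keeps healthy users working while segment isolation stays available for a real outbreak.

```python
"""Posture-based admission decisions, modelled loosely on the NAC flow in the
article. Added example with constructed sample data; thresholds and field
names are assumptions, not any vendor's policy schema."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum


class Action(Enum):
    ALLOW = "allow"                      # full network access
    REMEDIATE = "remediate"              # restrict host to update/AV servers
    QUARANTINE = "quarantine"            # isolate this single host
    ISOLATE_SEGMENT = "isolate_segment"  # cut the whole LAN segment off


@dataclass(frozen=True)
class Posture:
    host: str
    segment: str
    av_signature_date: datetime  # when AV definitions were last updated
    worm_indicator: bool         # monitor saw active worm behaviour (e.g. scanning burst)


def decide_host(p: Posture, now: datetime,
                max_sig_age: timedelta = timedelta(days=7)) -> Action:
    """Per-host decision: active infection outranks stale protection."""
    if p.worm_indicator:
        return Action.QUARANTINE
    if now - p.av_signature_date > max_sig_age:
        return Action.REMEDIATE
    return Action.ALLOW


def decide_segment(postures, now: datetime, segment: str,
                   infected_fraction: float = 0.5, min_hosts: int = 3) -> dict:
    """Decide for every host in a segment.

    Escalates to segment isolation only when the segment has at least
    min_hosts members and at least infected_fraction of them are actively
    infected; otherwise each host is handled individually so one sick
    machine does not take its neighbours offline.
    """
    members = [p for p in postures if p.segment == segment]
    per_host = {p.host: decide_host(p, now) for p in members}
    infected = sum(1 for a in per_host.values() if a is Action.QUARANTINE)
    if len(members) >= min_hosts and infected / len(members) >= infected_fraction:
        return {h: Action.ISOLATE_SEGMENT for h in per_host}
    return per_host


def to_enforcement_rules(decisions: dict, host_ip: dict) -> list:
    """Render decisions as vendor-neutral rule strings (constructed syntax,
    not any real router's ACL language) for the enforcement point."""
    rules = []
    for host, action in decisions.items():
        ip = host_ip[host]
        if action is Action.ALLOW:
            rules.append(f"permit {ip} any")
        elif action is Action.REMEDIATE:
            rules.append(f"permit {ip} remediation-servers; deny {ip} any")
        elif action is Action.QUARANTINE:
            rules.append(f"deny {ip} any")
        else:  # ISOLATE_SEGMENT: one segment-wide rule is enough
            rules.append("deny segment any")
            break
    return rules


# Constructed sample: vlan10 has one infected host among four, vlan20 has
# two infected hosts among three.
NOW = datetime(2005, 6, 1)
SAMPLE = [
    Posture("h1", "vlan10", datetime(2005, 5, 30), worm_indicator=True),
    Posture("h2", "vlan10", datetime(2005, 4, 20), worm_indicator=False),
    Posture("h3", "vlan10", datetime(2005, 5, 31), worm_indicator=False),
    Posture("h4", "vlan10", datetime(2005, 5, 29), worm_indicator=False),
    Posture("h5", "vlan20", datetime(2005, 5, 30), worm_indicator=True),
    Posture("h6", "vlan20", datetime(2005, 5, 30), worm_indicator=True),
    Posture("h7", "vlan20", datetime(2005, 5, 30), worm_indicator=False),
]
HOST_IP = {f"h{i}": f"10.0.{1 if i <= 4 else 2}.{i}" for i in range(1, 8)}


def run_sample() -> dict:
    """Return decisions for both constructed segments."""
    return {seg: decide_segment(SAMPLE, NOW, seg) for seg in ("vlan10", "vlan20")}


if __name__ == "__main__":
    for seg, decisions in run_sample().items():
        print(seg, {h: a.value for h, a in decisions.items()})
        print("  rules:", to_enforcement_rules(decisions, HOST_IP))
```

With this data vlan10 keeps three of its four hosts working (one quarantined, one pushed to remediation) while vlan20, where two of three hosts show active worm behaviour, is isolated as a whole. Tuning `infected_fraction` and `min_hosts` is exactly the productivity-versus-containment trade-off the article calls the conundrum of quarantine.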
It’s a safe bet the others will by this time next year, especially considering that Microsoft has signed on to support NAC, promising that its own policy enforcement architecture, called NAP (Network Access Protection), will be compatible with the efforts of Cisco and its partners. According to Microsoft, NAP will arrive in the Longhorn edition of Windows Server due in 2007.

Meanwhile, for government organizations and other security-conscious organizations, point solutions aren’t a luxury but a necessity. The risks of letting malicious code run amok through your network are simply too great. This year, only two of the four products we tested have truly effective quarantines. You can assume that they’ll all have it next year. And you can assume that it’ll be standard the year after that.