Exclusive: ECS agents protect you from the unknown
Elemental Compliance System ensures only compliant hosts connect to your network
The only truly secure computer is one that's unplugged and buried in a hole 6 feet deep -- or so it's been said. Unfortunately, you can't disconnect and bury your servers to keep them safe. You can, however, move access control from the user domain to the device domain. Anyone can punch in a user name and password and gain access to a secure resource, but if a device must be checked out and approved in order to connect to a host, you're in control of who accesses your network.
There are a number of efforts under way to move the security management burden from enterprise resources to the connected devices. Companies such as Cisco and Sygate have differing methods of accomplishing end-point and network access management, but neither goes as far as Elementary Security's ECS (Elemental Compliance System).
ECS wraps metered network access control with granular policy management and exceptional reporting. Although ECS relies heavily on software agents deployed on "known" PCs and servers, it still enforces policies on PCs not running its agent by limiting or denying connections to hosts that do.
ECS isn't intended for small networks; it's a full-blown enterprise system that requires enterprise-level infrastructure. It also requires Oracle 10g as its database engine, although the company is considering supporting IBM DB2.
In my test, I was more than impressed by how well ECS does its job. I was able to view the overall security health of some of my lab servers and to locate ones that weren't up-to-date with Microsoft patches. To test the enforcement aspect of ECS, I created a directive that blocked access from a host that was found running a particular executable. When the program was running, I could not connect to any protected servers until I shut down the offending application.
Secret agent man
ECS is an agent-driven system. In this release, ECS manages as many as 4,000 agent-installed hosts and will track as many as 30,000 unknown hosts.
Agents collect and report to the server very detailed information about the hosts on which they're running. That information includes OS and patch level, IP and MAC (media access control) addresses, CPU, hardware manufacturer, anti-virus status, whether the host is a laptop or a wireless device, and even if it's running services such as DNS, mail, or Web. The agents also look for user-defined attributes such as running processes. Based on all this (and other) information, ECS automatically places the host into one or more groups, which are collections of hosts that share a common criterion.
Admins bundle policies with groups to create directives, the long arm of the ECS enforcement arm. For example, I created a policy based on an existing NSA Windows XP security policy and deployed it to my Windows XP hosts group as a new directive. The system comes with a large list of built-in policies, and administrators can build their own based on existing rules or policies or from scratch.
The agents have a built-in packet filter, which is key to enforcing directives on the hosts. Depending on the host's group affiliation and the directives in place, the packet filter prevents communication with other hosts or a specific group of hosts. For example, a PC in the Accounting group could have a directive that prevents any communication with hosts in the Wireless group.