Exclusive: ECS agents protect you from the unknown
Elemental Compliance System ensures only compliant hosts connect to your network
It's easy to see how this works with known hosts running agents. The approach becomes interesting in how ECS handles hosts on which agents are not installed. Hosts with agents report their communication with all other hosts -- those with and without agents -- back to the ECS server. The system places agentless hosts in an "unknown" group. Depending on the current directive, known hosts can deny connections to these unknown systems not running the agent.
For instance, admins could prevent unauthorized access to the network by installing an agent on a DHCP or DNS server and creating a directive to deny connections from any unknown PC, locking out the PC by denying it an IP address and DNS information. Additionally, with an agent on a server, that server, too, would deny a connection to any unknown host should an enterprising attacker manually set his or her IP information.
When a new directive is deployed, there's inherent latency associated with it. The agents periodically check in with ECS, roughly every three minutes, but if they are turned off or a laptop is out of the office, they may not update for days. ECS will try to poll all agents every 30 minutes to gather statistics and network traffic.
It's important to note that, because of this latency, ECS is not a replacement for a good IDS/IPS system. ECS enforces overall enterprise policy and doesn't try to prevent "point in time" attacks on the network. With the proper directives in place, it will go a long way toward limiting exposure and vulnerabilities.
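To make the "unknown group" logic and the directive-latency caveat concrete, here is an added, constructed model of the behaviour described above. It is not ECS code; the host names, directive version numbers and the 30-minute staleness window are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed model of the ECS behaviour described in the text (not ECS code).
@dataclass
class AgentReport:
    host: str                 # host running the agent
    checked_in: datetime      # last time the agent reached the ECS server
    directive_version: int    # newest directive the agent has pulled
    peers: frozenset          # hosts this agent saw communicating with it

def classify(reports):
    """Known hosts run an agent; anything only ever seen as a peer is 'unknown'."""
    known = {r.host for r in reports}
    seen = set()
    for r in reports:
        seen |= r.peers
    return known, seen - known

def decide(agent, peer, reports, deny_unknown_version):
    """The agent's verdict on a connection from `peer`.

    The deny-unknown directive only takes effect on an agent once that agent
    has pulled a directive version >= deny_unknown_version; an agent that has
    not checked in keeps enforcing its older directive.
    """
    known, unknown = classify(reports)
    if peer in unknown and agent.directive_version >= deny_unknown_version:
        return "deny"
    return "allow"

def stale_agents(reports, now, max_age=timedelta(minutes=30)):
    """Agents that missed the poll window (assumed 30 min); their directive may be outdated."""
    return sorted(r.host for r in reports if now - r.checked_in > max_age)

# Constructed sample: two servers with agents, one laptop agent offline for days
# (still on directive version 4), and a desktop that never reports (no agent).
NOW = datetime(2024, 1, 10, 9, 0)
REPORTS = [
    AgentReport("dhcp01", NOW - timedelta(minutes=2), 5, frozenset({"pc-unknown", "laptop07"})),
    AgentReport("dns01", NOW - timedelta(minutes=3), 5, frozenset({"pc-unknown"})),
    AgentReport("laptop07", NOW - timedelta(days=3), 4, frozenset({"dhcp01"})),
]
DENY_UNKNOWN_VERSION = 5  # the "deny unknown" directive was deployed as version 5

if __name__ == "__main__":
    known, unknown = classify(REPORTS)
    print("unknown group:", sorted(unknown))
    for agent in REPORTS:
        print(agent.host, "->", decide(agent, "pc-unknown", REPORTS, DENY_UNKNOWN_VERSION))
    print("stale agents:", stale_agents(REPORTS, NOW))
```

The DHCP and DNS agents deny the agentless PC, while the laptop that has not checked in still allows it, which is the enforcement gap the latency paragraph warns about.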
Flexible and informative
I like that ECS isn't an all-or-nothing system. You can create and deploy a directive against a group of hosts and just sit back and collect information. After a few days, or weeks, you can generate a report and see how many hosts might be out of compliance with the policy. And by drilling down into the report, you can see the exact rule a host is violating. At this point, IT tech staff can correct the out-of-compliance item, enable packet filtering on the agents, and set up stricter traffic control on the network.
ECS's reporting module is deep and extensive. Admins can slice and dice views of the enterprise any way they choose. I was impressed by how much data was stored for each host and by how easy it was to create and view a report. I could view the underlying data -- such as traffic by protocol or directive compliance -- by clicking the host name in the report.
ECS is a major step toward enterprisewide monitoring and access control. The packet filter-capable agents do the enforcement, whereas the back-end server handles the data collection, analysis, and policy management. The level of granularity is superb, and the reporting engine is second to none. I really like the concept of "reverse policy enforcement" to systems not running the ECS agent. For companies looking to get a handle on network access, ECS is well worth checking out.