Cisco Blogs

Do you trust the endpoints connecting to your network?

- September 25, 2017 - 0 Comments

Trust gets a bad rap in the security industry, but in reality, it’s a necessary part of any relationship. Without trust, today’s organizations couldn’t function, and productivity would come to a screeching halt. The thing is – how do you know that the devices coming onto your network are trustworthy?

We already verify user access to the network. In fact, access to the corporate network is the critical juncture in which you need flexibility for your employees to connect while still enforce effective security control on your network. We are all familiar with the username and password method of authentication. While this is still is an effective way to authenticate the user, this does nothing to verify the integrity of the user’s endpoint (whether that’s a PC or mobile device) when connected to the network.

Security experts estimate one-third of all endpoints that connect to the corporate network are insecure. When the average employee is using multiple devices at work, this creates multiple chances for an insecure endpoint to access sensitive information, or an infected one to spread malware. Vigilance on what is on your network is just as important as who is on the network.

This is why posture is so important. But what is posture? Posture is the compliant state of an endpoint. Companies establish criteria on how an endpoint is supposed to be configured to allow it access to the corporate network. Posture can include:

  • Operating system patch levels and updates – Does the endpoint have the latest OS updates and patches installed on the system?
  • Critical applications – Is an anti-malware package installed, active, and up-to-date?
  • Endpoint Services – Is disc encryption and the firewall turned on?
  • Peripheral awareness – Is there anything plugged into the USB ports?

Posture also covers other aspects of overall endpoint operations such as:

  • Application inventory – Which endpoints are running applications with known vulnerabilities?
  • Hardware inventory – Which endpoints have high memory utilization?
  • Trust – Is this my endpoint, an unmanaged endpoint, or one that needs to be enrolled?

Enforcing proper posture is good hygiene for your network. For example, Wannacry could have been prevented from spreading by ensuring that endpoints had the MS17-010 patch Microsoft released last March. A proper posture check would only allow network access to those Windows devices that were patched while also ensuring that that non-compliant endpoints were segmented off to contain any potential damage.

Cisco’s integrated approach simplifies and automates posture checks on your network. With Cisco’s Identity Services Engine (ISE), you have the ability set up the endpoint posture policies appropriate for your network based on employee’s role, location, type of devices, etc. Any endpoint could be denied access until it meets the requirements to connect.

Our AnyConnect Secure Mobility Client deployed on the endpoint collects a range of endpoint contextual information both on and off premises and then shares this information with ISE so that it can determine if the posture state of the endpoint warrants access. This is accomplished through the ISE Posture Module available in AnyConnect, one of the many different security services available within AnyConnect. AnyConnect’s flexible and modular approach enables different endpoint services, be it posture, VPN connectivity, roaming protection, or flow based behavior depending on your corporate needs. You don’t need to install another client on each of your endpoints for multiple security services. And in the latest release of AnyConnect 4.5, in conjunction with ISE 2.3, you can get detailed hardware information (e.g. memory and hard drive capacity and utilization) of the endpoint to further enhance your overall visibility.

Endpoint posture assessment is just one component of an overall effective security approach to providing secure access to your network. Now that you know a little bit more about posture, see how AnyConnect, ISE, and our other integrated technologies can help make your network more secure. For more information, please visit the Secure Access page.


In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.