End node problem

The end node problem arises when individual computers are used for sensitive work and/or temporarily become part of a trusted, well-managed network/cloud and then are used for more risky activities and/or join untrusted networks. (Individual computers on the periphery of networks/clouds are called end nodes.) End nodes often are not managed to the trusted network's high computer security standards. End nodes often have weak or outdated software, weak security tools, excessive permissions, misconfigurations, questionable content and apps, and covert exploitations. Cross-contamination and unauthorized release of data from within a computer system become the problem. Within the vast cyber-ecosystem, these end nodes often attach transiently to one or more clouds/networks, some trustworthy and others not. A few examples: a corporate desktop browsing the Internet, a corporate laptop checking company webmail via a coffee shop's open Wi-Fi access point, a personal computer used to telecommute during the day and for gaming at night, or an app within a smartphone/tablet (or any of the previous use/device combinations). Even if fully updated and tightly locked down, these nodes may ferry malware from one network (e.g. a corrupted webpage or an infected email message) into another, sensitive network. Likewise, the end nodes may exfiltrate sensitive data (e.g. by logging keystrokes or capturing the screen). Even assuming the device is fully trustworthy, the end node must provide the means to properly authenticate the user. Other nodes may impersonate trusted computers, thus requiring device authentication as well. The device and user may be trusted but sit within an untrustworthy environment (as determined by feedback from onboard sensors). Collectively, these risks are called the end node problem. There are several remedies, but all require instilling trust in the end node and conveying that trust to the network/cloud.


The cloud’s weakest link

Cloud computing may be characterized as a vast, seemingly endless array of processing and storage that one can rent from his or her own computer. Recent media attention has focused on security within the cloud. Many believe the real risk does not lie within a well-monitored, 24-7-365 managed, fully redundant cloud host but in the many questionable computers that access the cloud. Many such clouds are FISMA-certified, whereas the end nodes connecting to them are rarely configured to any standard.


Ever growing risk

From 2005 to 2009, the greatest and fastest-growing threats to personal and corporate data derived from exploits of users' personal computers. Organized cyber-criminals have found it more profitable to exploit the many weak personal and work computers from the inside than to attack through heavily fortified perimeters. One common example is stealing small businesses' online banking account access.


Solutions

To eliminate the end node problem, only allow authenticated users on trusted remote computers in safe environments to connect to your network/cloud. There are many ways to accomplish this with existing technology, each with a different level of trust. Many companies issue standard laptops and only allow those specific computers to connect remotely. For example, the US Department of Defense only allows its remote computers to connect to its network via VPN (no direct Internet browsing) and uses two-factor authentication. Some organizations use server-side tools to scan and/or validate the end node's computer, such as communicating with the node's Trusted Platform Module (TPM). A far higher level of trust can be obtained by issuing an immutable, tamper-resistant client with no local storage, allowing it to connect only after device and user authentication, remotely providing the OS and software (via PXE or Etherboot), and then only providing remote desktop or browser access to sensitive data. A less expensive approach is to trust any hardware (corporate, government, personal, or public) but provide a known kernel and software and require strong authentication of the user. For example, the DoD's Software Protection Initiative offers Lightweight Portable Security, a LiveCD that boots only in RAM, creating a pristine, non-persistent end node, while using Common Access Card software for authentication into DoD networks.
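The admission rule above (authenticated user, trusted device, safe environment, all at connect time) can be made concrete as a server-side gate. The following is an added illustration, not DoD or TPM code: an HMAC over a server-issued nonce stands in for a TPM-signed attestation quote, the device registry, the known-good boot digest and the sensor flags are all constructed, and the nonce is single-use so a captured quote cannot be replayed.

```python
import hashlib
import hmac
import secrets

# Constructed allow-list: measured-boot digest of the one approved kernel/software image
GOOD_DIGEST = hashlib.sha256(b"approved-livecd-image-v1").hexdigest()
KNOWN_GOOD_BOOT_DIGESTS = {GOOD_DIGEST}
# Constructed device registry: device id -> attestation key (stand-in for a TPM-held key)
DEVICE_KEYS = {"laptop-0042": b"device-secret-0042"}
# Sensor-reported conditions that veto a connection even for a trusted user and device
UNSAFE_CONDITIONS = {"untrusted_network", "debugger_attached", "virtualized_unknown"}
# Nonces the server has issued but not yet consumed
ISSUED_NONCES = set()

def issue_nonce() -> str:
    """Server: fresh per-connection challenge; each nonce is accepted at most once."""
    nonce = secrets.token_hex(16)
    ISSUED_NONCES.add(nonce)
    return nonce

def _quote_message(device_id: str, nonce: str, boot_digest: str) -> bytes:
    return f"{device_id}|{nonce}|{boot_digest}".encode()

def make_quote(device_id: str, nonce: str, boot_digest: str) -> str:
    """Device: bind its boot measurement to the server's nonce under the device key."""
    return hmac.new(DEVICE_KEYS[device_id], _quote_message(device_id, nonce, boot_digest),
                    hashlib.sha256).hexdigest()

def admit(device_id, nonce, boot_digest, quote, user_mfa_ok, sensor_flags):
    """Server: every trust condition must hold; returns (admitted, reason)."""
    if nonce not in ISSUED_NONCES:
        return False, "stale or unknown nonce"
    ISSUED_NONCES.discard(nonce)  # burn the nonce even if a later check fails
    key = DEVICE_KEYS.get(device_id)
    if key is None:
        return False, "unknown device"
    expected = hmac.new(key, _quote_message(device_id, nonce, boot_digest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, quote):
        return False, "device attestation failed"
    if boot_digest not in KNOWN_GOOD_BOOT_DIGESTS:
        return False, "unapproved software image"
    if not user_mfa_ok:
        return False, "user not authenticated"
    unsafe = UNSAFE_CONDITIONS & set(sensor_flags)
    if unsafe:
        return False, "unsafe environment: " + ", ".join(sorted(unsafe))
    return True, "admitted"
```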


See also

* Host (network)
* Node (networking)
* Secure end node

