
Kaspersky Endpoint Security Current Version

This article gives an introduction to the Host Integrity Check mechanism, which enables enterprises to allow their endpoints (laptops/desktops) to connect only if they comply with the security policies of the network (such as latest patches, signature updates, etc.). It covers the components of such a solution, host integrity check for managed, unmanaged and unmanageable endpoints, and the challenges of deploying host integrity check applications.

Prevention is better than cure. This applies to network security too. It is not only imperative for companies to secure their endpoints/networks with Anti-Virus, Anti-Spyware and Anti-Spam technologies, but they also need to ensure that the endpoints are always running the latest versions of those technologies. Anti-Virus updates might be sent frequently by the vendor companies, but if for some reason the employee doesn't update to the latest version, their desktop/laptop could be under threat of infection and, consequently, so could the whole network.

Host Integrity Check: Host integrity check is a methodology by which any laptop/desktop/endpoint connecting to the network of a company is compulsorily checked for the latest patches/security signature updates before it is allowed to connect to the network. If the endpoints do not comply, they need to be put into a separate quarantine/VLAN, steps need to be taken automatically to upgrade them, and then they need to be allowed to connect to the network.

Components of a Host Integrity Check solution: Generally, a host integrity check solution consists of a server appliance and policy management tools to configure the policies on which parameters to check before allowing the device to connect to the network. This also enables the company to check host integrity in a centralized fashion for all enterprise devices. The server/policies integrate with Anti-Virus/Anti-Spyware, RADIUS/LDAP/AD, firewalls, network switches, NAC appliances, VPN solutions, wireless controllers, access points, etc., as the requirement may be.
It is better if all the devices, including the ones that connect over the wireless network and unmanageable devices like VoIP phones, Voice over Wireless LAN clients, etc., are brought under a single umbrella of policy definition and management, with various levels of host integrity check applied to them. In addition to the server appliance, there are also local agents, web agents, remote agents, etc., which work along with the server appliance but reside on the client devices to ensure that the client is updated with the latest security patches and signature updates. These agents might be permanently placed on the enterprise desktops/laptops (local agents), temporarily inducted for guest access (temporary agents), made to work only if certain actions are taken, like a browser being opened (web agents), or used to enable the monitoring of remote stations (remote agents).

Host Integrity Check for Managed endpoints: Managed endpoints are those laptops/desktops owned and managed by the company. When these devices join the network, the local agent on them reports to the host integrity checking server whether they have the latest patches and signature updates. If they do, they are allowed to connect to the network. If they don't, they are sent to quarantine, the required patches are applied, and then they are allowed to connect to the network. So far, so good.

Host Integrity Check for Unmanaged endpoints: But what if there are certain laptops (guest, contractor, etc.) that need to connect to the network? As soon as they connect to the network, the server appliance launches a temporary agent onto them to check the OS version, update version, presence of anti-virus and anti-spyware agents, etc., according to separate policies for these unmanaged endpoints. These policies might be different from the ones for managed endpoints. But the IT support team needs to determine what to do in case these laptops do not have the required security settings.
There are two options: deny them access to the network, or update them with the required security software. This depends on the IT policy employed by the company.

Host Integrity Check for Unmanageable endpoints: There are always certain endpoints that cannot be managed, for example those that cannot download an anti-virus package. Many devices fall into this category: IP phones, IP cameras, Voice over Wireless LAN phones, PDAs that run a unique OS, etc. Even these devices are susceptible to malware infections. It is better to place these devices in a special role/VLAN that allows only certain kinds of traffic and blocks the rest. For example, the IP phones could be enabled to send and receive only SIP-based traffic and not HTTP-based traffic. For this, strict integration with Network Access Control devices is required. For the wireless clients, the wireless controller needs to integrate with the host integrity check server and NAC policies. Certain wireless networking vendors support this. There is also a second option: Allow
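
The admission decision described above for managed, unmanaged and unmanageable endpoints can be sketched as a single server-side function. This is an added example, not code from the original article or from any vendor product; the policy thresholds, VLAN names, protocol lists and report fields are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed policy values (assumptions): managed hosts are remediated on
# failure, unmanaged (guest/contractor) hosts are denied.
POLICY = {
    "managed":   {"min_patch": date(2024, 5, 1), "max_sig_age_days": 3,  "on_fail": "quarantine"},
    "unmanaged": {"min_patch": date(2024, 1, 1), "max_sig_age_days": 14, "on_fail": "deny"},
}
# Unmanageable devices cannot run an agent, so they are never posture-checked;
# they get a restricted role that permits only the listed protocols.
RESTRICTED_ROLES = {"ip_phone": ("voice-vlan", ["sip"]), "ip_camera": ("camera-vlan", ["rtsp"])}

@dataclass
class Report:
    endpoint_class: str                 # "managed" | "unmanaged" | "unmanageable"
    device_type: str = "laptop"
    last_patch: Optional[date] = None   # None = agent could not determine it
    av_present: bool = False
    sig_date: Optional[date] = None

@dataclass
class Decision:
    action: str                         # "allow" | "quarantine" | "deny" | "restrict"
    vlan: str
    reasons: list = field(default_factory=list)
    allowed_protocols: list = field(default_factory=list)

def evaluate(report: Report, today: date) -> Decision:
    if report.endpoint_class == "unmanageable":
        role = RESTRICTED_ROLES.get(report.device_type)
        if role is None:                # fail closed on unknown device types
            return Decision("deny", "none", ["unknown unmanageable device type"])
        return Decision("restrict", role[0], [], list(role[1]))
    policy = POLICY.get(report.endpoint_class)
    if policy is None:                  # fail closed on unknown endpoint classes
        return Decision("deny", "none", ["unknown endpoint class"])
    reasons = []                        # missing data counts as non-compliant
    if report.last_patch is None or report.last_patch < policy["min_patch"]:
        reasons.append("patch level below policy")
    if not report.av_present:
        reasons.append("anti-virus agent missing")
    elif report.sig_date is None or (today - report.sig_date).days > policy["max_sig_age_days"]:
        reasons.append("anti-virus signatures out of date")
    if not reasons:
        return Decision("allow", "corp-vlan")
    if policy["on_fail"] == "quarantine":
        return Decision("quarantine", "remediation-vlan", reasons)
    return Decision("deny", "none", reasons)
```

The returned reasons list is what a remediation step or help-desk message would consume; a quarantined host would be re-evaluated after patching before it is moved to the production VLAN.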
