TELUS Corp. is touting a new security product as a competitive advantage in pursuing enterprise customers nationally, as well as an example of how it approaches threat protection in a more integrated fashion than its biggest rival, Bell Canada.

On May 26, TELUS announced the availability of its End Point Enforcement (ANGEL) product, designed to keep computers infected with viruses and other bugs from taking down corporate LANs and WANs. TELUS director of managed security Rick Shih tells Network Letter the product is unique in the market, and is an attractive complement to the company’s other recent security product, one designed to deal with distributed denial of service (DDOS) attacks.

ANGEL is designed to work by putting computers, including laptops, into a quarantine state – just for a few milliseconds – when they are first hooked into corporate networks. The computers are checked against security policies governing patches, confirmation of identification, anti-virus updates and the like, and are allowed to connect to the network only when they pass. Should they fail, they continue in quarantine until users or administrators correct whatever issues are found.

The system, developed in-house by TELUS’ security team and proprietary to the company, is designed to deal with the large threat that has emerged to corporate IT security since firewalls and VPNs made it nearly impossible to cripple networks by users already connected to the network. Instead, says Shih, 40-60% of virus and other attacks are imported into networks by users who flip laptops between home and network environments.

Infected laptops, of which users may or may not be aware, remain a vulnerability even in networks running strong security measures, since administrators can’t verify compliance with policies until it is too late, Shih says. Though it is an elegantly simple solution, Shih says, competitors – whether other carriers or systems integrators – don’t have the same bulletproof configuration.

Without naming the company providing a similar competing solution, Shih says all but TELUS’ product leave networks vulnerable to infection during the initial boot-up phase, when the network is assigning the laptop or other device an IP address.

For example, he notes, the Slammer worm, which hit the Internet in 2003 using a single-packet delivery method, would have time to infect a network unless the device is placed into immediate quarantine. Further, he says, the unnamed competing system will only work with 802.1x switches – which aren’t yet ubiquitous. Without an update, Shih says, using the 802.1x-only product would require a forklift effort.

Complementing existing security solutions

The product complements a second security offering designed to protect against DDOS attacks, a service that arose, says Shih, out of a real-world extortion effort by hackers against a TELUS client. The customer was at the mercy of a group of hackers that had demanded a $50,000 pay-off for not knocking the company’s site offline. When the company refused to pay, its site was duly hammered out of commission by a zombie attack. The TELUS offering, Shih says, was developed to identify and mitigate DDOS attacks – something the company can do since it has tight control over its backbone network.

"Within the security realm, you have to promote defence in depth…you can’t just be focused on the perimeter. You’ve got to think of it like a castle. You’ve got to have a moat. You’ve got to have a drawbridge, you’ve got to have internal people, all those kinds of things. With security, you’ve got to protect all of the different layers.

"There’s seven layers to the (Open Systems Interconnection) model. With TELUS being a carrier, we are positioned as one of three companies in Canada that can provide the full layer 1 to 7 protection. These other systems integrators that you talk about, they cannot do the full 1 to 7. We’re uniquely positioned. With our national backbone…have a distinct advantage. We are like the one-stop shop for all of the security solutions. Whereas, you know, the systems integrators would always have to come to us or Bell or Allstream to try and get the network capabilities."