Clear Choice Test: NAC
Cost: $37,000 for a 1000-user license
Score: 3.7
Check Point Integrity NGX brings to fruition the integration of the endpoint-security technology purchased in Check Point's ZoneLabs acquisition with Check Point’s signature firewall-product line.
You’ve got two options with this product. In both cases the Integrity client conducts all of your endpoint assessment. From there, you can have the Integrity client itself do the NAC enforcement, for example by putting in desktop firewall rules to block network access.
This is not ideal, however, because you likely don’t want all your security blocking capabilities sitting out on an endpoint that could be compromised. To that end, Check Point offers what it calls “cooperative enforcement” (all other vendors just refer to this process as plain, old enforcement). Check Point's scheme means that the Integrity client software can combine with network-access devices, such as an enterprise firewall, a remote-access VPN concentrator or an 802.1X-supported switch, to block physical network access if the endpoint is not in compliance.
For testing, we opted for cooperative enforcement and installed Integrity on a Windows 2003 server and integrated it with a Check Point NG firewall for LAN access. We also tested Integrity’s integration with Cisco’s IPSec VPN connections for remote-access ties. You can tell from the relatively clean management interface that Check Point is pushing to manage all these necessary NAC pieces in an integrated fashion, but the company is not fully there yet. All of the Juniper NAC pieces work together more completely to provide more NAC functionality as well as granularity for setting and maintaining policies.
For guest access, Check Point doesn’t have a captive-portal option, which is pretty standard across competing products. Company representatives explained that you could implement some restrictive rules on the Check Point NG firewall for guest endpoints or direct them to a Web page with a custom message from the security administrator telling them how to ready their machines for better access. But this is far from seamless access for guests.
Integrity uses two types of agents. Standard agents provide a universally defined policy option set by IT that can be completely hidden from the user, with all control maintained by the Integrity administrator. Flex agents provide an interface to users letting them create their own personal security policies in addition to the corporate policies.
Some companies will want to maintain full control over network-access-control policies, while others would like to provide some of the functionality to their users. For example, a company may decide to distribute the agent to employees for use on their personal computers at home. They can run their own policy for home network and Internet access most of the time, but would then need to adhere to the company policy if they want to connect the system to the company’s network through remote access.