Check Point Integrity shines in NAC policy management

Check Point Integrity NGX brings to fruition the integration of the endpoint- security technology purchased with Check Point's ZoneLabs acquisition and Check Point’s signature firewall product line.

Check Point Integrity

Cost: $37,000 for a 1000-user license

Score: 3.7


You have some options with this product. In either case the Integrity client conducts all of your endpoint assessment. From there, you can have the Integrity client do the NAC enforcement itself, for example by putting in desktop firewall rules to block network access.

This is not ideal, however, because you likely don’t want all your security blocking capabilities sitting out on an endpoint that could be compromised. To that end, Check Point offers what it calls “cooperative enforcement” (all other vendors just refer to this process as plain, old enforcement). Check Point's scheme means that the Integrity client software can combine with network-access devices, such as an enterprise firewall, a remote-access VPN concentrator or an 802.1X-supported switch to block physical network access if the endpoint is not in compliance.

For testing, we opted for cooperative enforcement and installed Integrity on a Windows 2003 server and integrated it with a Check Point NG firewall for LAN access. We also tested Integrity’s integration with Cisco’s IPsec VPN connections for remote-access ties. While you can tell from the relatively clean management interface that Check Point is pushing to manage all these necessary NAC pieces in an integrated fashion, the company is not fully there yet. All of the Juniper NAC components work together more completely to provide more NAC functionality as well as granularity for setting and maintaining policies.

For guest access, Check Point doesn’t have a captive-portal option, which is pretty standard across competing products. Company representatives explained that you could implement some restrictive rules on the Check Point NG firewall for guest endpoints or direct them to a Web page with a custom message from the security administrator telling them how to ready their machines for better access. But this is far from seamless access for guests.

Integrity uses two types of agents. Standard agents provide a universally defined policy option set by IT that can be completely hidden from the user, with all control maintained by the Integrity administrator. Flex agents provide an interface to users letting them create their own personal security policies in addition to the corporate policies.

Some companies will want to maintain full control over network-access-control policies, while others would like to provide some of the functionality to their users. For example, a company may decide to distribute the agent to employees for use on their personal computers at home. They can run their own policy for home-network and Internet access most of the time, but would then need to adhere to the company policy if they want to connect the system to the company’s network through remote access.

The Flex agent provides this dual functionality. We used the Flex agent during testing to see how the two sets of policies integrated and make sure the personal policy did not override the policy set by the Integrity administrator. It’s not clear why two agents are required here instead of implementing some kind of switch that can be flipped to enable the personal policy on the agent when the administrator wants users to use it.

Integrity integrates with Active Directory, Lightweight Directory Access Protocol (LDAP), NT Domains and RADIUS for authentication purposes. The user authentication is integrated with Windows to provide a single sign-on process for machine and network access.

We configured integration with Active Directory over LDAP, performed an initial import of users and groups into Integrity and scheduled a nightly synchronization without issue. The nightly synchronization pulls updated user and group information from the enterprise directory into Integrity for use in policy assignment.

Should a new user try to authenticate before the information is synchronized, Integrity will apply the configured default policy, as defined by the administrator.

Either agent collects a good amount of client information, including general system information, such as MAC address and operating system, associated user and IP address, compliance state and the details of most recent issues causing a negative compliance state.

Within Integrity, minimal endpoint assessment is available. Out of the box, five major antivirus products are supported. Check Point also offers its Malicious Code Protection, a component of the Integrity client that helps identify active infection for six major protocols, such as HTTP and FTP. Integrity also can check for its own status.

The ability to assess patch status, desktop firewall status and general endpoint-vulnerability information is not supported by default. Custom checks can be created to look for certain registry keys and file properties.

For enforcement (which Check Point generally refers to as “remediation”), the options include restricting network access based on the policy set by the administrator or completely terminating the network connection.

Health checks run on an ongoing basis, but network restriction and complete connection termination are based on the number of consecutive heartbeats passed between the agents and the central server. If an endpoint is out of compliance, it is initially placed in restriction (basically, a quarantine). That means access can be configured to limit the endpoint to specific network locations, such as where to download the software needed to put the endpoint into compliance. If after a set period, denoted in Integrity management as the number of heartbeats passed between the agent and the server, the endpoint is not brought into compliance, it is completely blocked from network access. This is a unique feature, because it provides the user with the opportunity to remediate the compliance issue in the restricted state, but does not leave the user there forever.
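The custom registry and file checks and the restrict-then-block heartbeat cycle described above, modelled as an added example. This is not Check Point's code: the check names, registry key, file path, remediation host and the rule that a compliant heartbeat restores full access from either state are all constructed assumptions, and the endpoint facts are a hand-built stand-in for what an agent would report.

```python
"""Added example (not Check Point's code): a minimal model of custom
compliance checks feeding a restrict-then-block enforcement cycle
driven by agent heartbeats. All names, paths and hosts are constructed."""
from dataclasses import dataclass
from typing import Callable, List

# Constructed endpoint facts, as an agent might report them (hypothetical).
NONCOMPLIANT_FACTS = {
    "registry": {r"HKLM\SOFTWARE\ExampleAV\Enabled": "0"},
    "files": {r"C:\Program Files\ExampleAV\engine.dll": {"version": "4.1"}},
}
COMPLIANT_FACTS = {
    "registry": {r"HKLM\SOFTWARE\ExampleAV\Enabled": "1"},
    "files": {r"C:\Program Files\ExampleAV\engine.dll": {"version": "4.2"}},
}

@dataclass(frozen=True)
class Check:
    name: str
    passes: Callable[[dict], bool]
    remediation: str  # message shown to the user when this check fails

def registry_equals(key: str, expected: str) -> Callable[[dict], bool]:
    """Custom check: a registry value must equal an expected string."""
    return lambda facts: facts.get("registry", {}).get(key) == expected

def file_version_at_least(path: str, minimum: str) -> Callable[[dict], bool]:
    """Custom check: a file must exist with a version at or above a minimum."""
    def as_tuple(v: str):
        return tuple(int(p) for p in v.split("."))
    def check(facts: dict) -> bool:
        meta = facts.get("files", {}).get(path)
        return meta is not None and as_tuple(meta["version"]) >= as_tuple(minimum)
    return check

CHECKS = [
    Check("av-enabled", registry_equals(r"HKLM\SOFTWARE\ExampleAV\Enabled", "1"),
          "Enable ExampleAV real-time protection."),
    Check("av-engine-version",
          file_version_at_least(r"C:\Program Files\ExampleAV\engine.dll", "4.2"),
          "Update the ExampleAV engine from http://remediation.example.internal/av"),
]

def assess(facts: dict, checks=CHECKS) -> List[Check]:
    """Return the checks the endpoint fails; an empty list means compliant."""
    return [c for c in checks if not c.passes(facts)]

@dataclass(frozen=True)
class Enforcement:
    status: str = "allowed"   # allowed | restricted | blocked
    missed: int = 0           # consecutive non-compliant heartbeats
    failed: tuple = ()        # names of the failing checks

REMEDIATION_HOSTS = {"remediation.example.internal"}  # constructed

def on_heartbeat(state: Enforcement, facts: dict, grace: int = 3,
                 checks=CHECKS) -> Enforcement:
    """Advance the enforcement state by one heartbeat. 'grace' is the
    number of non-compliant heartbeats tolerated in restriction before
    the endpoint is fully blocked."""
    failures = assess(facts, checks)
    if not failures:
        return Enforcement()  # assumption: compliance restores full access
    missed = state.missed + 1
    status = "restricted" if missed < grace else "blocked"
    return Enforcement(status, missed, tuple(c.name for c in failures))

def permitted(state: Enforcement, host: str) -> bool:
    """Decision an enforcement point would make for a destination host."""
    if state.status == "allowed":
        return True
    if state.status == "restricted":
        return host in REMEDIATION_HOSTS  # quarantine: remediation sources only
    return False

def remediation_messages(state: Enforcement, checks=CHECKS) -> List[str]:
    """Messages to surface to the user for the currently failing checks."""
    return [c.remediation for c in checks if c.name in state.failed]

if __name__ == "__main__":
    s = Enforcement()
    for n in range(1, 5):
        s = on_heartbeat(s, NONCOMPLIANT_FACTS)
        print(n, s.status, permitted(s, "remediation.example.internal"),
              permitted(s, "fileserver.example.internal"))
    for msg in remediation_messages(s):
        print("remediate:", msg)
    s = on_heartbeat(s, COMPLIANT_FACTS)
    print("after fix:", s.status)
```

With `grace=3` the endpoint sits in restriction for two heartbeats, reaching only the remediation host, and is blocked on the third; a later compliant heartbeat returns it to full access. Keeping the per-check remediation text next to the check is what lets the restricted state be useful rather than just a dead end.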

Other remediation options include providing a message from the network administrator, a URL pointing to information on how to get your system up to snuff, or pushing a file upload and execution.

We configured checks for Sophos AV, registry keys and identifying a keystroke logger. Integrity identified the endpoint characteristics correctly, implemented the correct enforcement policies and notified the users of the necessary remediation measures as expected.

Integrity also has an application-identification service called Program Advisor to help recognize malicious applications running on the endpoint, as well as detailed instant-messaging security tools that encrypt IM traffic and block executable links and potentially dangerous scripts. We tested the instant-messaging security tools with Yahoo Messenger and the links were blocked as expected.

Integrity is managed through a Web GUI that is intuitive to use and easy to navigate. The policy-definition pane has all major components broken down by tab, with detailed options and descriptions. There is a lot of flexibility as well as complexity, but Check Point makes it easy to understand. Administration of the Integrity product and the firewall rules was split in the product Check Point sent for testing. However, during the course of the test, Check Point released a new application, SmartCenter, that combines the NAC and firewall-management components. We did not test this integrated view.

Integrity contains some built-in reports and graphs, but while you can print them, they cannot be exported. You can’t define custom reports or schedule standard report runs unless you purchase Eventia Reporter, Check Point’s centralized reporting tool. However, Integrity logs can be integrated into Check Point’s free SmartView Tracker log viewer. The ability to get an immediate status on the risk of connected endpoints is minimal. Reports provide summary details on what endpoints are connected and what policies are applied, but no summary of how many endpoints failed integrity checks.

Overall, Integrity is a good fit for an organization already running the Check Point firewall infrastructure, because minimal infrastructure changes will be required.
