Keeping your endpoints in line
Setting and enforcing security policy on your network endpoints could be key to making it through your next compliance audit. In our Clear Choice Test of endpoint security products that provide policy enforcement mechanisms, each product was required to identify systems out of policy compliance and take action to remediate that condition.
On a more complex level, we created a wish list of policy enforcement checks the products should offer, including being able to identify missing operating system and application patches and noncompliant system security settings, limiting access to these systems and creating reports to analyze noncompliant clients and the remediation actions taken to get them back in line. (See "How we did it". )
Beyond the basics of policy-based end point security
Keeping endpoint security secure
Radio: Behind the scenes of our test
Archive of Network World tests
Subscribe to the Network Product Test Results newsletter
We made this wish list with the understanding that no one product would meet all of our requirements, but were open to vendors submitting product combinations that collectively did.
Because no security product added to a corporate network should pose a security risk, we also tried to poke holes in the products' own security architecture (see story ).
From a field of 13 vendors invited to participate in the test, Check Point, Cisco , Citadel, InfoExpress, Senforce, Trend Micro and Vernier Networks (in cooperation with PatchLink) agreed to let their products be tested. Elemental Security, EndForce, McAfee, Sygate, SecureWave and StillSecure declined. The Vernier Networks/PatchLink combination came out on top because of its sound performance in all categories. This joint submission excelled in remediation, providing the ability to block network access and automatically fix out-of-compliance systems, and it was among the most resilient of the packages tested.
Senforce was a close second with its strong host-centric approach, using only client software and not an additional in-line network device like many of the other products we tested. Trend Micro performed very well overall, falling down only in its ability to meet all of our policy management requirements where it could use some improved customization functionality.
Citadel is a strong product but needs more focus in the compliance arena, which the company says it has built into Version 4.0, which began shipping after we'd completed testing. Cisco performed well from a technical standpoint but could use improvement in reporting and overall usability. Check Point is a solid performer but needs improvements in reporting and support for more detailed custom policy checks.
Similar to the results of our first round of endpoint security product testing, where we focused on products that took action when the endpoint was under attack (see here ), we also felt this time that while InfoExpress' product has a strong technology base, its usability and documentation still needs vast improvement.
Because we had focused requirements for each product, we were unable to test all of the unique features offered by vendors that fell outside the scope of this test (see Extra Features story ).
Vernier/PatchLink
The Vernier Networks and PatchLink submission comprised the Vernier EdgeWall 7000i - an in-line device that enforces policy compliance - and the PatchLink Update Server and corresponding endpoint agent software that together facilitate compliance checks and provide the means to remediate systems.
Installation went very smoothly, especially considering we were getting two products to interoperate. We ran into only one issue with the EdgeWall 7000i relating to network address translation ( ) being enabled by default, a condition we did not need because we were using the device as a bridge. After easily disabling NAT, everything worked as expected.
The EdgeWall 7000i can do its own vulnerability checks by scanning the endpoints, but we relied primarily on the PatchLink Update Server for our testing checks. PatchLink Update includes checks for a number of anti-virus packages and all Windows security updates out of the box. For spyware detection, the EdgeWall 7000i identifies some malicious traffic - a process that let it spot the spyware we used in our testing. Additionally, PatchLink offers a spyware module that can identify spyware running on endpoint systems, but we did not test that software.
USB access can be disabled with the Vernier/PatchLink combination, and we were able to successfully block and control traffic as dictated in our application control tests with the EdgeWall 7000i product.
The PatchLink Development Kit lets you create your own custom policy and remediation packages, providing the most flexible custom check functionality of all the products we tested.
These products will enforce policy compliance checks over VPN connections, an important consideration if you have a mobile workforce. But this combination does not work if the endpoint is online but not connected to the corporate network.
Because Vernier requires that you set up multiple configuration levels - you have to set up distinct security profiles, identity profiles, connection profiles and access policies - tracking them and mapping them to one another can get confusing. A different process layout in the management GUI might make this more intuitive.
When a system comes online, it is immediately checked and can automatically be placed in a network access policy bucket. For our testing, we set up three access policies -full access for a compliant system; limited access for an out-of-compliance system that includes a line to the Internet for remediation purposes; and a restricted group for systems that did not have the PatchLink agent installed, providing a link to download and install the agent using the EdgeWall 7000i URL redirection functionality.
The PatchLink Update Server provides the ability to immediately remediate issues using the mandatory baseline configurations, while the EdgeWall 7000i covers the network enforcement component. When we brought a system online that did not have the PatchLink agent installed, we opened the browser and were redirected to the link to download and install the PatchLink agent.
Once the agent was installed and running, the missing patches and system security configurations were automatically deployed based on the mandatory baseline settings configured in the PatchLink Update Server. Once the system met the compliance requirements, it was given full access to the test environment, as expected.
Vernier/PatchLink does not provide an alerting mechanism when out-of-compliance systems come online, but it does provide a number of reporting options. Through PatchLink Update Server, you can get a complete history of remediation actions taken for a system, and the EdgeWall 7000i provides reports on the overall compliance status of systems that came online.
Senforce
Senforce Endpoint Security Suite has five main components. The Policy Distribution Service runs on a Windows server and communicates with the clients, deploying policy, and retrieving policy and log data from the distributed clients. The Management Service controls user policies, policy storage and report generation. The Policy Editor is the user interface for policy creation and management. The Client Location Assurance Service cryptographically guarantees a system is actually on the corporate network, making the system less susceptible to spoofing attacks. Finally, the comprehensive Senforce Security Client - which includes a host-based firewall program - is the agent that runs on monitored endpoints to enforce policy and control remediation processes.
We had the most difficulty with this installation process. We first attempted the distributed install but could not get the components communicating properly over SSL. We then ran the single server install but the database became corrupt and was missing critical data for the product to run. Senforce technical support did not have an explanation for this issue but helped resolve the problem quickly. after starting over a third time, we were finally able to get a clean install and move forward with our test. We did not encounter any other server operation issues once installation was completed. Documentation was adequate, but the dual-column newsletter format was difficult to follow at times when reading online.
Policies out of the box dictate how the system can check anti-virus signatures, missing patches and application control (for example, allowing or disallowing certain types of application traffic). The Senforce Security Suite successfully passed all supported policy checks in our test.
Policies can be checked over VPN connections if the product is placed in-line behind the termination point, and enforcement also works when the client is not directly connected to the corporate network. You also have the ability to create custom checks via the product's powerful scripting engine.
Policies are created in the Policy Editor, which has a great interface and was relatively intuitive. When we did run into issues, the documentation filled in the gaps quite well.
We did have issues installing this client software via a network share. Because the program installs Microsoft's Network Driver Interface Specification (NDIS) driver, the network connection is interrupted in the process. Other products that have this configuration warn you not to install the software over the network. Senforce should include a similar warning.
We refer to this as a host-centric solution to the problem we posed in this test because systems identified to be out of compliance then are controlled by the firewall on the agent itself. (Check Point and Citadel function in a similar fashion.) This host-centric approach worked very well in our tests. However, it can cause problems if the host is attacked and the Senforce Security Client is somehow disabled or removed. In our testing, some clients were easily disabled. Even though the Senforce Security Client was not one of them, it is still an issue that should be considered. Without the client, policy checks are no longer performed. With the network device products, attackers still have an additional layer of protection to bypass.
The custom scripting capabilities provided for the policy checks and remediation measures make this product very flexible. These scripts even give you the ability to download and execute programs necessary for remediation. A system that is out of compliance can be set to block all traffic or run a custom quarantine rule set that only allows access to defined locations on the corporate network or the Internet, or within a home network.
The Security Suite does not include alerting features. Reports are viewed through a Web-based system, but you do not have the ability to export them in any manner other than saving the Web page. The default reports included are a combination of graphs and reports, but we would like to see easier customization capabilities. The reports provide a lot of information but not a centralized view of remediation history or detailed status/history of all systems.
Trend Micro
We tested the Trend Micro Network VirusWall 2500 with OfficeScan 7 Corporate Edition Anti-Virus software. VirusWall 2500 is an in-line device that will allow or deny network access as defined by the policy set on the Trend Micro device itself. Systems that attempt access are scanned for vulnerabilities (missing patches, vulnerable services) when they come online. All of these checks and balances worked as advertised in our test.
You do not have the ability to create custom policy checks with this offering nor does the compliance protection work when the endpoint is not directly connected to the corporate network. Trend Micro's combination will work over VPNs and integrates tightly with several of the major VPN gateways for anti-virus checks.
This product was easy to set up and very intuitive to use - one of the best overall experiences we had during testing.
If a system comes online that is out of compliance, the end user can see an error and be redirected to a URL defined by the administrator when he opens a browser. One thing we would like to see is a message in the pop-up that says, "Open your browser for more information," because the end user is not specifically directed to open the browser.
Because VirusWall 2500 and its policy enforcement capabilities are tightly integrated with OfficeScan, missing anti-virus software can be easily linked to and installed. Plus, detected viruses can be automatically removed. Other vulnerabilities, such as missing patches, must be remediated in other ways, such as through Windows Update.
Trend Micro's reporting and alerting capabilities are the best of the products tested. We could easily set up the system to send the administrator e-mail or alerts when an out-of-compliance system came online. We could generate one-time or scheduled remediation reports to see the history of actions taken over time and export them to PDF or other file formats. We also could generate a report that showed online and offline computers with outdated components.
Cisco
Cisco submitted two products. One is Cisco Clean Access server, technology that runs on an in-line device and drives the endpoint policy compliance functions, in conjunction with Cisco Trust Agent (CTA [part of CCA]) software sitting on the client machines.