Keeping your endpoints in line

Page 2 of 3

The other is Cisco Secure Agent (CSA), which comprises management server software and client-side code, a host-based agent technology that monitors the system for malicious activity.

Installation of CCA was complicated. We wanted the in-line device running in bridge mode, just passing traffic and not performing any NAT. The documentation was a bit confusing regarding this particular setup, which required that the management server reside on a different subnet. Calls to support helped us iron out these architecture issues, as well as a few smaller implementation issues we encountered.

For our policy enforcement checks, CCA could correctly identify anti-virus signatures, including default profiles for the three major anti-virus providers, and missing operating system patches. Network traffic was controlled according to our defined policies. Operating system security settings are checked via Nessus scans launched from the CCA appliance at the time the endpoint device comes online.

Custom checks, which allow for monitoring of registry keys, files and processes, can be built via the CCA management console. Overall, these custom checks were very easy to set up.

One of our policy checks was to make sure the endpoint was running the defined personal firewall program, which most of the products achieve by verifying that a particular application or process is running on the system. Cisco supports this policy check and provides out-of-the-box policies written for the CSA agent. The use of other personal firewalls can be enforced using custom checks in CCA. However, Cisco policy check customization could be improved with the addition of a more detailed scripting engine.

This Cisco combination also can identify spyware, control USB thumb drives, and enforce more application, registry and process security, providing protection while the endpoint is on and off the corporate network.

The CCA can conveniently be used as a VPN termination point. Future releases will integrate closely with the Cisco VPN Concentrator.

Compliance is enforced by defined policies, which reside on the CCA appliance. Using the CCA management interface, you can set up a number of remediation or enforcement policies based on status such as authenticated user, unauthenticated user, vulnerabilities in scan results and failed compliance checks.

If a user is not authenticated to the network through the CCA appliance, you can limit access to specific areas of the network. Authenticated users then can undergo more strenuous checks and be granted wider access to network resources. The CTA software sitting on each endpoint provides access to the host, and the ability to look at files, processes and registry keys. If CCA identifies a problem, the out-of-compliance system can have an installation file uploaded to it, receive an alert message or be sent to a URL.

The end user must manually initiate the installation of software that would bring the endpoint back into compliance. While the endpoint machine in question is waiting to be put in compliance, the server blocks all network traffic except that which is specifically allowed, such as to Windows Update to get missing security patches.

Reporting could be vastly improved in both CCA and CSA. With CCA, you can inspect the system logs on the server to see key events, but the system itself does not generate reports. You can view scan results and compliance check results by individual endpoint system. Failed scans can have entries sent to the CCA event log, but you cannot generate reports to show the current status of all computers online, history or trends.

Citadel

Citadel's software-based answer to our test case was to put its Hercules agents on the endpoint machines to detect vulnerabilities and use its ConnectGuard module - which has client and server components - to force remediation. The Hercules agent running on each endpoint system performs its own analysis based on vulnerability information collected by its own scan. Out-of-the-box checks include whether any of several major anti-virus products is running, spyware, missing patches and operating system security settings.

An appliance version of the product also began shipping with Hercules 4.0 earlier this month.

The Hercules installation went very well, and we did not encounter any issues. Documentation is excellent, and the management interface is intuitive and easy to use.

With the version of the product we tested, Citadel provides remedies for thousands of known vulnerabilities, but you also have the ability to define your own vulnerability checks and custom remediation actions in the management interface.

The ConnectGuard module provides the enforcement mechanism for noncompliant systems, blocking outbound traffic using the Citadel client running on the endpoint until it is configured back into compliance. In the version we tested, remediation had to occur at the time of compliance check. In Hercules Version 4.0, administrators will have the option to receive a report on a system's compliance and schedule remediation tasks to occur at a later time.

For reporting, Hercules uses a Web-based Crystal Reports engine, so reports can be exported to numerous formats. The product contains one of the strongest reporting modules, including full remediation history and out-of-compliance status. Additional reporting functionality is expected to be added in Version 4.0. Hercules does not provide an alerting mechanism.

Check Point

Check Point's Integrity 6.0 is a software-based offering that expanded beyond its early days as a personal firewall to encompass policy checks and enforcement mechanisms.

Installation went smoothly. We created a default install package for the client and generated our own security policy and enforcement checks. By default, Integrity includes checks for major anti-virus providers.

You also can create custom enforcement checks using the management interface to check for things such as registry keys, rogue files or disallowed processes. Missing patches and operating system updates are not covered by default, but you can add custom checks to cover them.

Application access is controlled through standard firewall rules and application control mechanisms. Spyware can be alerted on using Check Point's SmartDefense Program Advisor service. USB checks are not supported.

All tests of supported policy checks were successful.

Integrity does provide protection when not connected to the corporate network and works over VPN connections.

Non-compliant systems can be observed, warned or restricted to only those connections explicitly allowed. Administrators can provide links to necessary files or upload files to the system to be executed by the user to remediate identified issues. In our test of these features, we were appropriately redirected to the network sites defined in our policy check. For example, we were redirected to the Windows Update site when the missing Windows patch was detected on the system.

Similar to our comments in our first round of testing, Integrity reporting could be improved. Basic reports are provided through the Web-based reporting engine but cannot be exported. You can get a report for out-of-compliance systems and can view an enforcement graph for remediation history, but not a full report. Integrity does not provide any alerting functionality.

InfoExpress

The InfoExpress CyberGatekeeper server is the central communication point of this appliance-based product, providing the policies to the CyberGatekeeper agents running on the endpoint systems and generating reports through its Web-based engine. The server handles policy enforcement through one of the many modules the product supports, which include LAN (puts switch ports in a remediation virtual LAN), bridge (allows/blocks traffic as defined by policy) and RADIUS Extensible Authentication Protocol (authenticates users).

To create and modify policy, administrators use Policy Manager, which runs on a computer separate from the server. Administrators publish new policies to the central server for distribution to the clients. For our testing, we used the server in LAN and bridge compliance mode. Setup was straightforward as soon as we received updated documentation that matched the product, but there still were significant errors in the documentation.

The CyberGatekeeper's primary focus is on audit and compliance checks. Unlike many of the other products we tested, this agent does not have a built-in firewall, but it is designed to be flexible and accommodating in its checks so you can run any anti-virus or host-based security protection you want in your environment.

Consequently, it did not pass many of our host-based compliance checks, such as USB thumb drive access, spyware infection and operating system security checks (although these can be created manually). We were able to control application compliance by executable or process name.

Enforcement can be set to work over VPN connections, which works best with the server setup in bridge mode. Enforcement does not work when not connected to the network. The policy manager provides a lot of flexibility but could be more intuitive, especially the screen used to upload new policies to the server.

Once a non-compliant system is identified, a message can be displayed to the end user, the user can be redirected to a URL, or the system can be placed in a different VLAN, depending on which enforcement module you are running. Users can be redirected to a URL that launches a download of missing software, but the installation process is manual.

Reporting could be improved. Some basic reports are available on the Web-based reporting server, which are exportable to CSV files for offline processing. A remediation history report is not available, nor is any alerting for compliance issues. You can get a report of system status, including why a system is in a deny policy state, but it is not easy to read and does not provide trending information to view status over time in a single report.


While most of the endpoint policy enforcement products we tested cover the basics, they still have a long way to go to become core components of a company's security infrastructure. It will be interesting to watch these products evolve to address the expanding compliance needs and the requirement to fit into a current security and network infrastructure.

One common area we can point to is the surprising lack of alerting capabilities and the ever-present need for improved reporting techniques. These components are especially key in compliance products, as the audit trail is critical.

Additionally, many of the products perform compliance checks based on file or process name. These checks easily could be bypassed with a file or process name change. We'd like to see these products base such checks on some sort of checksum to prevent this from occurring. We also would like to see improved end-user communications to make users aware when a system is out of compliance. Most products provide redirects within the Web browser, but this is not available if the user is accessing the network through a different application.
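One way to implement the checksum-based check suggested above, as an added example that is not code from any of the reviewed products: a name-only check is compared with one that also requires the executable behind the named process to hash to an approved value. The process list, file contents and hash allowlist are constructed stand-ins.

```python
import hashlib
import os
import tempfile
from typing import Iterable, NamedTuple, Set

class Process(NamedTuple):
    name: str  # image name as the OS reports it
    path: str  # executable file backing the process

def sha256_of_file(path: str) -> str:
    """Hash the executable on disk in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def name_check(processes: Iterable[Process], required_name: str) -> bool:
    """Name-based check as most reviewed products do it: any process with the expected name passes."""
    return any(p.name.lower() == required_name.lower() for p in processes)

def checksum_check(processes: Iterable[Process], required_name: str, approved: Set[str]) -> bool:
    """Checksum-based check: the named process must also be backed by an approved executable hash."""
    return any(
        p.name.lower() == required_name.lower() and sha256_of_file(p.path) in approved
        for p in processes
    )

def demo() -> dict:
    """Constructed scenario: the approved firewall binary versus an unrelated binary carrying the same name."""
    with tempfile.TemporaryDirectory() as workdir:
        genuine = os.path.join(workdir, "pfw.exe")
        with open(genuine, "wb") as handle:
            handle.write(b"constructed stand-in for the approved firewall binary")
        approved = {sha256_of_file(genuine)}  # allowlist published with the policy
        other = os.path.join(workdir, "pfw.exe.other")
        with open(other, "wb") as handle:
            handle.write(b"constructed stand-in for some other program")
        compliant = [Process("pfw.exe", genuine)]
        lookalike = [Process("pfw.exe", other)]
        return {
            "compliant_name": name_check(compliant, "pfw.exe"),
            "compliant_hash": checksum_check(compliant, "pfw.exe", approved),
            "lookalike_name": name_check(lookalike, "pfw.exe"),
            "lookalike_hash": checksum_check(lookalike, "pfw.exe", approved),
        }
```

The name-based check passes for both endpoints, while the checksum-based check accepts only the endpoint whose process is backed by an approved binary.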

EdgeWall 7000i; PatchLink Update Server 6.1
Company: Vernier Networks and PatchLink
Cost: EdgeWall 7000i is $23,000. PatchLink Update starts at $1,500, with an annual subscription of $20 per Windows node and $77 per non-Windows node.
Pros: Widest array of policy enforcement options; very flexible in terms of policy definition, enforcement and remediation; detailed remediation history available.
Con: Vernier policy creation/management is confusing.

Senforce Endpoint Security Suite 3.0
Company: Senforce Technologies
Cost: Starts at $69 per client.
Pros: Flexible custom policy scripting facility; strong client resiliency; provides cryptography-based assurance that a system actually resides on a trusted network.
Cons: Customized reports could be simplified.

Network VirusWall 2500, OfficeScan 7
Company: Trend Micro
Cost: Network VirusWall 2500 is $8,000 per unit plus $40 per seat. Vulnerability assessment is $50 per seat. OfficeScan 7 is $30 per seat.
Pro: Excellent reporting.
Con: No custom policy checks.

Cisco Clean Access 3.4, Cisco Secure Agent 4.5
Company: Cisco
Cost: CCA starts at $6,000 for 100 users; CSA is $995 for a server agent and $1,625 for a 25-desktop agent bundle.
Pros: Wide selection of security protection and policy options; good compliance communication to end users.
Cons: Lacks centralized reporting/trending for compliance.

Citadel Hercules 3.5.1
Company: Citadel Security Software
Cost: $1,000 per month for the appliance plus 10 cents per compliance check and 75 cents per remediation action.
Pros: Strong reporting engine; supports remediation for thousands of vulnerabilities.
Con: No support for systems that are not running agents.

Check Point Integrity 6.0
Company: Check Point
Cost: Starts at $1,750.
Pros: Good integration with VPN gateways; easy to use.
Cons: Reporting needs improvement; limited remediation actions.

CyberGatekeeper 3.0
Company: InfoExpress
Cost: Starts at $55 per seat and $6,500 per server appliance.
Pro: Multiple enforcement modules available.
Cons: Poor documentation; difficult to create/update policies; needs improved reporting.