Alone among the seven vendors, Citadel uses third-party VA scanners (supporting all major commercial scanners and Nessus) to assess device vulnerabilities, in combination with agents that communicate between clients and the server and deliver remediation. Hercules can aggregate and analyze data from multiple scanners, addressing the problem of different—sometimes inaccurate—reports from particular scanners.
This raises the obvious question of whether a scanner-dependent product is the right answer for our company, particularly given its numerous branch and tiny satellite offices. Citadel suggested scans of remote offices, which is impractical for this situation. Citadel also did a poor job explaining its agent functionality—client software is first mentioned (very briefly) seven pages into its response. It was only in follow-up questions that we understood that "compliance checking" is a script-based check that determines whether remediation is needed.
Citadel offers an attractive endpoint security component, ConnectGuard, at additional cost. Optional or not, it's absolutely essential for our scenario because it would ensure that our remote and satellite office users are compliant before they're allowed on the network. Products like BigFix, for example, rely on the agent to report missing patches to the server when users connect, triggering automated remediation.
Like BigFix's BES and Configuresoft's Enterprise Configuration Manager, Hercules offers a wide range of non-patch remediations, such as configuration settings, unauthorized services and unsecured accounts, but relies heavily on AssetGuard, an optional inventory tool that detects devices and gathers and stores remediation data.
This was first published in May 2005