Endforce Enterprise 2.5
Price: $7,500 per server, $40 per client
|Endforce Enterprise 2.5|
Endforce Enterprise meets organizations' needs for secure network access control, featuring broad application support and enforcement options.
While organizations wrestle with the implications of Cisco Systems' NAC, Microsoft's NAP and Trusted Computing Group's TNC standards, noncompliant devices--particularly mobile ones--are a problem they need to address now. Endforce Enterprise 2.5 provides impressive endpoint checking and enforcement options for companies struggling to enforce network access security policies for their nomadic workforce.
Endforce Enterprise automates the process of defining, assessing, enforcing and reporting endpoint security compliance. Users can be alerted for voluntary compliance, or be denied access and quarantined--either through removal from the network or dynamic reassignment to a sandboxed VLAN.
Endforce Enterprise provides both agent and agentless options, although only the agent provides some of the higher level enforcement functions, such as local blocking whereby no outbound packets are allowed except in a defined quarantine zone. The agents run on Windows devices only (98 through the upcoming Vista).
A clientless ActiveX Web agent can be used to assess other OSes, unmanaged endpoints (a home PC or kiosk computer) and other network devices. Assessments are typically performed at remote login, boot time and periodically thereafter on an admin-defined schedule.
With or without an agent, Endforce Enterprise offers the choice of DHCP- or 802.1X/RADIUS-based enforcement. The DHCP infrastructure can be used to quarantine noncompliant and rogue endpoints, and assign alternate gateways, DNS servers or static routes to the Internet. Endforce Enterprise's utilization of 802.1X is an attractive option for companies that have upgraded their infrastructure.
Out of the box, Endforce Enterprise provides support enforcement for more than 400 applications, including popular security products from Symantec, McAfee, Cisco, CA, Sophos, Trend Micro and, of course, Microsoft. It can check for AV applications and signature files, antispyware, personal firewall applications, OS service packs and OS patches. You can also custom-define elements, including prohibited elements that should not be present. We would like to see more predefined prohibited applications, with set group categories for types of banned items that can be selected en masse.
Endforce Enterprise provides a straightforward Web interface to define policies. You can specify the installed and running versions of software required by policy, the presence of specific files and/or registry keys, and security patches or service packs. Policies can be defined to insist that applications must not only be installed but actually running on the endpoint device.
There are more than 500 point-and-click options, mostly drop-down combo boxes.
Policies can be saved and used as templates for different organizational groups within Active Directory, Windows NT user groups, RADIUS and LDAP.
The application server requires Windows 2003 and uses Microsoft SQL Server 2000 for its database. Installation is well-documented; the documentation includes sections covering specific SQL Server, IIS, Internet authentication and optional RADIUS proxy settings. Agents are installed and distributed via .msi. A helpful troubleshooting guide is included.
Endforce offers several prepackaged reports; we easily customized reports to show which hosts within our test bed were problematic.
In this still-young market, with a number of independent players and acquisitions by heavy hitters like Check Point Software Technolo- gies (Zone Labs) and Symantec (Sygate), Endforce Enterprise is a viable choice, offering widening application support and enforcement options that anticipate how the NAC/NAP/TNC scenarios will play out.