Endforce Enterprise 2.5
Price: $7,500 per server, $40 per client
Endforce Enterprise meets organizations' needs for secure network access control, featuring broad application support and enforcement options.
While organizations wrestle with the implications of Cisco Systems' NAC, Microsoft's NAP and Trusted Computing Group's TNC standards, noncompliant devices--particularly mobile ones--are a problem they need to address now. Endforce Enterprise 2.5 provides impressive endpoint checking and enforcement options for companies struggling to enforce network access security policies for their nomadic workforce.
Endforce Enterprise automates the process of defining, assessing, enforcing and reporting endpoint security compliance. Users can be alerted for voluntary compliance, or be denied access and quarantined--either through removal from the network or dynamic reassignment to a sandboxed VLAN.
Endforce Enterprise provides both agent and agentless options, although only the agent provides some of the higher-level enforcement functions, such as local blocking, whereby no outbound packets are allowed except to a defined quarantine zone. The agents run on Windows devices only (98 through the upcoming Vista).
A clientless ActiveX Web agent can be used to assess other OSes, unmanaged endpoints (a home PC or kiosk computer) and other network devices. Assessments are typically performed at remote login, boot time and periodically thereafter on an admin-defined schedule.
With or without an agent, Endforce Enterprise offers the choice of DHCP- or 802.1X/RADIUS-based enforcement. The DHCP infrastructure can be used to quarantine noncompliant and rogue endpoints, and assign alternate gateways, DNS servers or static routes to the Internet. Endforce Enterprise's utilization of 802.1X is an attractive option for companies that have upgraded their infrastructure.
Out of the box, Endforce Enterprise provides enforcement support for more than 400 applications, including popular security products from Symantec, McAfee, Cisco, CA, Sophos, Trend Micro and, of course, Microsoft. It can check for AV applications and signature files, antispyware, personal firewall applications, OS service packs and OS patches. You can also custom-define elements, including prohibited elements that should not be present. We would like to see more predefined prohibited applications, with set group categories for types of banned items that can be selected en masse.
Endforce Enterprise provides a straightforward Web interface to define policies. You can specify the installed and running versions of software required by policy, the presence of specific files and/or registry keys, and security patches or service packs. Policies can be defined to insist that applications must not only be installed but actually running on the endpoint device.
There are more than 500 point-and-click options, mostly drop-down combo boxes.
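As an added illustration (not Endforce's code or the magazine's), a small Python policy evaluator modelled on the policy elements described above: required applications that must be installed, at a minimum version and actually running; required files, registry keys and patches; prohibited elements; and an alert-versus-quarantine enforcement decision. All application names, versions and the patch id are constructed placeholders.

```python
from dataclasses import dataclass, field

@dataclass
class Endpoint:
    """Constructed agent inventory reported at login, boot or on the admin schedule."""
    installed: dict        # app name -> installed version tuple, e.g. (10, 1)
    running: set           # app names with a live process
    files: set             # file paths present
    registry_keys: set     # registry keys present
    patches: set           # installed OS patch / service-pack identifiers

@dataclass
class Policy:
    required_apps: dict = field(default_factory=dict)  # name -> (min_version, must_be_running)
    required_files: set = field(default_factory=set)
    required_keys: set = field(default_factory=set)
    required_patches: set = field(default_factory=set)
    prohibited_apps: set = field(default_factory=set)  # elements that must NOT be present

def assess(ep: Endpoint, pol: Policy) -> list:
    """Return the list of violations; an empty list means the endpoint is compliant."""
    v = []
    for app, (min_ver, must_run) in pol.required_apps.items():
        ver = ep.installed.get(app)
        if ver is None:
            v.append(f"{app}: not installed")
            continue
        if ver < min_ver:
            v.append(f"{app}: version {ver} below required {min_ver}")
        if must_run and app not in ep.running:  # installed is not enough: it must be running
            v.append(f"{app}: installed but not running")
    v += [f"missing file {p}" for p in sorted(pol.required_files - ep.files)]
    v += [f"missing registry key {k}" for k in sorted(pol.required_keys - ep.registry_keys)]
    v += [f"missing patch {p}" for p in sorted(pol.required_patches - ep.patches)]
    v += [f"prohibited app present: {a}" for a in sorted(pol.prohibited_apps & set(ep.installed))]
    return v

def enforce(violations: list, mode: str) -> str:
    """Map an assessment to 'allow', 'alert' (voluntary compliance) or 'quarantine'."""
    if not violations:
        return "allow"
    return "alert" if mode == "alert" else "quarantine"

# Constructed sample: outdated AV engine, firewall installed but not running, one patch missing, banned P2P client.
SAMPLE_POLICY = Policy(
    required_apps={"AntiVirus": ((10, 1), True), "PersonalFirewall": ((5, 0), True)},
    required_patches={"PATCH-PLACEHOLDER"}, prohibited_apps={"P2PClient"})
SAMPLE_ENDPOINT = Endpoint(
    installed={"AntiVirus": (10, 0), "PersonalFirewall": (5, 2), "P2PClient": (1, 0)},
    running={"AntiVirus"}, files=set(), registry_keys=set(), patches=set())
```

Running `assess(SAMPLE_ENDPOINT, SAMPLE_POLICY)` yields four violations, and `enforce` then returns either `alert` or `quarantine` depending on the chosen mode; a real deployment would feed the quarantine decision to the DHCP scope or 802.1X VLAN assignment.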
This was first published in May 2006