NETWORK ACCESS CONTROL
Safe Access 4.1
Price: Starts at $50 per; typical 5,000-user deployment is about $100,000
|StillSecure's Safe Access 4.1|
With a wide range of security checking and enforcement options, StillSecure's Safe Access 4.1 is strong choice for secure network access control.
StillSecure's Safe Access maintains its position as a strong player in the endpoint security space, making some notable improvements to a solid product since we last looked at version 2.0 in a comparative review (April 2005).
Safe Access has several different modes of operation that make it viable in a range of environments. In addition to the agentless architecture we saw last year, Safe Access can now check endpoint compliance using agents or with ActiveX via a browser, which gives it the ability to check managed and unmanaged devices running both Windows and non-Windows OSes. The agentless option, for example, is useful if a consultant comes to your site for a day; the new system can be scanned and placed in the appropriate portion of your network.
Enforcement mechanisms include inline mode, DHCP, 802.1X and Cisco Systems' NAC. We tested the inline and DHCP enforcement modes--the effect on endpoint compliance is the same. When Safe Access is installed inline, it acts as a gateway to permit or deny access, while the DHCP will prevent the endpoint device from getting an IP address if it's not in compliance. The 802.1X and NAC modes interface directly with your switching and routing infrastructure--if it supports these options--to direct the device to a quarantined area on the network until it is remediated.
The architecture does a nice job of scanning endpoints regardless of whether we selected agentless, agent-based or ActiveX enforcement mechanisms. In our tests, we were unable to get on the network using a spoofed endpoint. For example, could a worm use a fake registry setting to spoof an enabled firewall? The answer is clearly no, as StillSecure hashes registry settings and filenames to fingerprint them.
In terms of policy, you can check for just about anything. There's a good set of canned policies to check for desktop firewalls, antivirus, antispyware and OS patch levels, and you can build a policy for things like registry settings, particular application executables, DLLs and application patches. We tested all of these capabilities successfully.
Safe Access shows some distinct improvements in the administrative GUI from our tests last year. Policy and test script development was much easier and less syntax-driven. The interface is easier to navigate and has improved reporting capabilities, including the dashboard on the main page.
Overall, the Java-based GUI is clean, with a nice dashboard and some wizard-based development for policy creation. The interface still requires some registry syntax for test scripts, and, thus, a wizard would be helpful here. However most policy and test script selections are made by simple check boxes that are easy to understand and use. They offer a wide range of reports on screen that are easy to select and retrieve, and the hardened Linux server (available as software or on a preconfigured box) was one of the most locked down systems we've reviewed to date.
The standard Anaconda-based Linux installation from an ISO image prompts you for initial IP addresses, gateways and DHCP server locations before laying out the image onto the server. Once the basic image is installed and the server restarts, you are prompted to open a Web browser to the administrative console. Safe Access supports Internet Explorer and Firefox.
While Safe Access still has room for improvement in its GUI and support for non-Windows based endpoints, the scanning and enforcement options, combined with the effective endpoint control, better reporting and a smarter interface, make it one of the best in this space.
More information from our sister site SearchSecurity.com
Learn how endpoint security technologies are evolving.
Arm yourself with five strategies for endpoint security from Information Security magazine's technical editor, Tom Bowers.