Our tests found that endpoint security products will enforce policy and manage network access. Their differences are in the details.
Endpoint security policies are only as good as your ability to enforce them. Maintaining up-to-date AV signatures, patches, configuration settings and application versions is tough enough on static network desktops and servers, let alone on transient and remote devices like home PCs and employee laptops. Each noncompliant device has the potential to infect the entire enterprise.
Endpoint security products address this problem by automating security policy compliance monitoring and enforcement, and quarantining or denying network access to noncompliant devices until they're resolved.
We tested six products--Check Point Software Technologies' Check Point Integrity 5.0, ENDFORCE's ENDFORCE Enterprise 1.5, InfoExpress' CyberGatekeeper 3.0, Senforce's Endpoint Security Suite 3.0, StillSecure's StillSecure Safe Access 2.0 and Sygate's Sygate Secure Enterprise 4.1. We found that each will effectively enforce policy compliance and access to network resources.
It's the other factors--installation, configuration, management, scalability and system security--that ultimately determine if they're a good enterprise investment.
There's an ancient saying: There are many ways to the top of the mountain, but they all arrive at the same point.
Such is the case with these six endpoint solutions. They employ a range of architectures, but each is designed to ensure that only compliant devices get on the network. InfoExpress (Linux server) and ENDFORCE (Windows Server 2003) are client/server products that use an agent-based approach. These products don't incorporate a personal firewall in their agent, but will check to ensure your endpoint is using a third-party firewall.
Check Point, Sygate and Senforce use an agent model that includes an inseparable desktop firewall, which could cause conflicts for enterprises using third-party products.
In all cases, the agent scans the client machine based on the parameters set on the policy server. As instructed, it will check for things like registry strings and running processes and files, such as executables and DLLs. For files, ENDFORCE checks only names, but the others use an MD5 hash to guard against file spoofing.
StillSecure employs an agentless architecture. Its central server uses Windows' NetBIOS to scan endpoints for registry settings, running processes, up-to-date signatures and patches, etc., during the normal network logon--but it supports only Windows devices. (Its newest release, which wasn't available for testing, offers agent technology as an option.) The server may either be placed inline as a gateway, using its built-in firewall to block access, or be placed in front of the DHCP servers to control access to the IP address range.
Every product tested--except InfoExpress--uses either the agent or the central policy server to control network access or quarantine the endpoint until the policies have been met. InfoExpress uses the router and switching infrastructure (Cisco or Nortel) to quarantine noncompliant clients into a segregated VLAN until they've been remediated. All of these solutions allow the security manager to send a noncompliant client to a Web server or other delivery mechanism that contains required patches, AV updates, configuration changes and software upgrades.
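The following is an added example, not code from the article or from any of the products reviewed. It models the two mechanisms the review describes: the agent-side checks (registry strings, running processes, and files verified either by name only or by MD5 hash) and the enforcement decision that either allows the endpoint or quarantines it and points it at a remediation server. The registry key, process name, file path, file contents and remediation URL are constructed for the example; the endpoint snapshot stands in for whatever a real agent would collect. The point it shows is why a name-only file check can be satisfied by a renamed or substituted file while a hash check is not.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class EndpointState:
    """Constructed snapshot of what an agent would gather from a client (hypothetical)."""
    registry: dict   # registry value name -> string value
    processes: set   # names of running processes
    files: dict      # file path -> file contents (bytes), constructed for the example


# Each check returns (passed, human-readable reason) so failures can be reported.
def check_registry(state, key, expected):
    actual = state.registry.get(key)
    return actual == expected, f"registry {key}={actual!r}, expected {expected!r}"


def check_process(state, name):
    running = name in state.processes
    return running, f"process {name} {'running' if running else 'not running'}"


def check_file_by_name(state, path):
    """Name-only check: any file present at the path satisfies the policy."""
    present = path in state.files
    return present, f"file {path} {'present' if present else 'missing'}"


def check_file_by_hash(state, path, expected_md5):
    """Hash check: the file's contents must match the known-good digest.
    MD5 is used here because that is what the article describes; a current
    deployment would use SHA-256 for the same purpose."""
    data = state.files.get(path)
    if data is None:
        return False, f"file {path} missing"
    actual = hashlib.md5(data).hexdigest()
    return actual == expected_md5, f"file {path} md5 {actual}, expected {expected_md5}"


def evaluate(state, policy, remediation_url):
    """Run every check in the policy and return the decision an enforcement
    point (agent, policy server or VLAN assignment) would act on."""
    failures = [reason for check, args in policy
                if not (result := check(state, *args))[0]
                for reason in [result[1]]]
    if failures:
        return {"action": "quarantine", "redirect": remediation_url, "failures": failures}
    return {"action": "allow", "redirect": None, "failures": []}


# Constructed policy inputs (hypothetical names and values).
SIG_KEY = r"HKLM\SOFTWARE\ExampleAV\SigVersion"
AV_PROCESS = "exampleav.exe"
ENGINE_PATH = r"C:\Program Files\ExampleAV\engine.dll"
REMEDIATION_URL = "http://remediation.example.internal/"
GOOD_ENGINE = b"ExampleAV engine build 5.0.1\n"      # constructed known-good contents
SUBSTITUTED = b"some other file renamed to engine.dll\n"  # constructed stand-in
KNOWN_GOOD_MD5 = hashlib.md5(GOOD_ENGINE).hexdigest()

POLICY_NAME_ONLY = [
    (check_registry, (SIG_KEY, "2005-03-01")),
    (check_process, (AV_PROCESS,)),
    (check_file_by_name, (ENGINE_PATH,)),
]
POLICY_HASH = [
    (check_registry, (SIG_KEY, "2005-03-01")),
    (check_process, (AV_PROCESS,)),
    (check_file_by_hash, (ENGINE_PATH, KNOWN_GOOD_MD5)),
]


def demo():
    """Evaluate a compliant endpoint and one with a substituted engine file
    under both policy styles; returns the resulting actions."""
    compliant = EndpointState(registry={SIG_KEY: "2005-03-01"},
                              processes={AV_PROCESS},
                              files={ENGINE_PATH: GOOD_ENGINE})
    substituted = EndpointState(registry={SIG_KEY: "2005-03-01"},
                                processes={AV_PROCESS},
                                files={ENGINE_PATH: SUBSTITUTED})
    return {
        "compliant_hash": evaluate(compliant, POLICY_HASH, REMEDIATION_URL)["action"],
        "substituted_name_only": evaluate(substituted, POLICY_NAME_ONLY, REMEDIATION_URL)["action"],
        "substituted_hash": evaluate(substituted, POLICY_HASH, REMEDIATION_URL)["action"],
    }


if __name__ == "__main__":
    for label, action in demo().items():
        print(f"{label}: {action}")
```

The name-only policy allows the endpoint with the substituted file, while the hash policy quarantines it and reports the mismatched digest alongside the remediation URL; that reported reason is what a security manager would use to decide whether the quarantine was a missing update or something worth investigating.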
This was first published in March 2005