This article can also be found in the Premium Editorial Download "Information Security magazine: Spotlight on the incident response hot seat."

BAKEOFF
Our tests found that endpoint security products will enforce policy and manage network access. Their differences are in the details.

Test Bed: About This Bakeoff
We tested Check Point Software Technologies' Check Point Integrity 5.0, ENDFORCE's ENDFORCE Enterprise 1.5, InfoExpress' CyberGatekeeper 3.0, Senforce's Endpoint Security Suite 3.0, StillSecure's StillSecure Safe Access 2.0 and Sygate's Sygate Secure Enterprise 4.1.

Our test network included a Windows Server 2003 system, two Windows XP Professional workstations, two Fedora Core 2 Linux workstations, and the latest versions of SQL Server and IIS. The latest OS and application patches were applied. The entire network was placed on a Cisco 2924 XL-EN managed switch.

We attempted to install each central policy server using only the vendor-provided documentation. We then conducted a complete security assessment of each policy server and, for the agent-based products, of each workstation, using a variety of tools including (but not limited to) Nessus, BlackWidow, N-Stealth and WinHex. Compliance tests were performed with a variety of AV and personal firewall products, including McAfee AV and personal firewall, Symantec AV, and the Sygate and Kerio personal firewalls.

Endpoint security policies are only as good as your ability to enforce them. Maintaining up-to-date AV signatures, patches, configuration settings and application versions is tough enough on static network desktops and servers, let alone on transient and remote devices like home PCs and employee laptops. Each noncompliant device has the potential to infect the entire enterprise.

Endpoint security products address this problem by automating security policy compliance monitoring and enforcement, and by quarantining or denying network access to noncompliant devices until they are brought into compliance.

We tested six products--Check Point Software Technologies' Check Point Integrity 5.0, ENDFORCE's ENDFORCE Enterprise 1.5, InfoExpress' CyberGatekeeper 3.0, Senforce's Endpoint Security Suite 3.0, StillSecure's StillSecure Safe Access 2.0 and Sygate's Sygate Secure Enterprise 4.1. We found that each will effectively enforce policy compliance and control access to network resources.

It's the other factors--installation, configuration, management, scalability and system security--that ultimately determine if they're a good enterprise investment.

Parallel Paths
There's an ancient saying: There are many ways to the top of the mountain, but they all arrive at the same point.

Such is the case with these six endpoint solutions: their architectures differ widely, but each is designed to assure that only secure devices get on the network. InfoExpress (Linux server) and ENDFORCE (Windows Server 2003) are client/server products that use an agent-based approach. These products don't incorporate a personal firewall in their agent, but will check to ensure your endpoint is using a third-party firewall.

Check Point, Sygate and Senforce use an agent model that includes an inseparable desktop firewall, which could cause conflicts for enterprises using third-party products.

In all cases, the agent scans the client machine according to the parameters set on the policy server. As instructed, it checks for items such as registry strings, running processes, and files such as executables and DLLs. For files, ENDFORCE checks only names, but the others compare an MD5 hash of the file contents to guard against file spoofing.

StillSecure employs an agentless architecture. Its central server uses Windows' NetBIOS to scan endpoints for registry settings, running processes, up-to-date signatures and patches, etc., during the normal network logon--but it supports only Windows devices. (Its newest release, which wasn't available for testing, offers agent technology as an option.) The server may be either placed in an inline gateway mode using its built-in firewall to block access, or used in front of the DHCP servers to control access to the IP address range.

Every product tested--except InfoExpress--uses either the agent or the central policy server to control network access or quarantine the endpoint until the policies have been met. InfoExpress uses the router and switching infrastructure (Cisco or Nortel) to quarantine noncompliant clients in a segregated VLAN until they've been remediated. All of these solutions allow the security manager to send a noncompliant client to a Web server or other delivery mechanism that contains the required patches, AV updates, configuration changes and software upgrades.
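The two mechanisms described above (the agent's file, process and signature checks, and the allow-or-quarantine decision that follows with a pointer to a remediation server) can be shown in a few lines. The following is an added example written for this article, not code from any of the six products. It constructs a compliant endpoint and a "spoofed" one (an unrelated file renamed to match a required DLL) in a temporary directory; the file names (fwagent.dll, fwagent.exe, avscan.exe), the signature version numbers and the remediation URL are all assumed placeholder values, and the running-process list and AV signature level are passed in as data rather than read from the OS so the example runs offline.

```python
import hashlib
import os
import tempfile


def md5_of_file(path):
    """Hash the file's contents in chunks; this is what distinguishes a
    required file from a same-named file with different contents."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_file(path, expected_md5=None):
    """Name-only check (expected_md5 is None): the file merely has to exist.
    Hash check: the file must exist and its MD5 must match the policy value."""
    if not os.path.isfile(path):
        return False
    if expected_md5 is None:
        return True
    return md5_of_file(path) == expected_md5


def evaluate_endpoint(endpoint, policy):
    """Run every policy check against one endpoint and return the access decision.

    endpoint: dict with 'install_dir', 'running_processes', 'av_signature_version'
    policy:   dict with 'required_files' (name -> md5 hex or None for name-only),
              'required_processes', 'min_av_signature_version', 'remediation_url'
    """
    failures = []
    for name, expected in policy["required_files"].items():
        if not check_file(os.path.join(endpoint["install_dir"], name), expected):
            failures.append("file %s: missing or hash mismatch" % name)
    for proc in policy["required_processes"]:
        if proc not in endpoint["running_processes"]:
            failures.append("process %s: not running" % proc)
    if endpoint["av_signature_version"] < policy["min_av_signature_version"]:
        failures.append("AV signatures %d older than required %d" % (
            endpoint["av_signature_version"], policy["min_av_signature_version"]))
    if failures:
        # Noncompliant: hold the endpoint in quarantine and direct it to the
        # server that delivers the missing patches, updates and settings.
        return {"decision": "QUARANTINE", "failures": failures,
                "redirect": policy["remediation_url"]}
    return {"decision": "ALLOW", "failures": [], "redirect": None}


def run_demo():
    """Build constructed endpoints in a temp directory and evaluate them."""
    with tempfile.TemporaryDirectory() as tmp:
        good_dir = os.path.join(tmp, "compliant")
        spoof_dir = os.path.join(tmp, "spoofed")
        os.makedirs(good_dir)
        os.makedirs(spoof_dir)
        # Constructed stand-ins for the firewall agent DLL the policy requires.
        with open(os.path.join(good_dir, "fwagent.dll"), "wb") as fh:
            fh.write(b"constructed sample: genuine firewall agent build\n")
        with open(os.path.join(spoof_dir, "fwagent.dll"), "wb") as fh:
            fh.write(b"constructed sample: unrelated file renamed to fwagent.dll\n")
        expected = md5_of_file(os.path.join(good_dir, "fwagent.dll"))

        policy = {
            "required_files": {"fwagent.dll": expected},
            "required_processes": {"fwagent.exe", "avscan.exe"},       # assumed names
            "min_av_signature_version": 4200,                          # assumed value
            "remediation_url": "https://remediation.example.invalid/",  # placeholder
        }
        compliant = {"install_dir": good_dir,
                     "running_processes": {"fwagent.exe", "avscan.exe", "explorer.exe"},
                     "av_signature_version": 4215}
        spoofed = dict(compliant, install_dir=spoof_dir)
        stale = dict(compliant, running_processes={"explorer.exe"},
                     av_signature_version=3990)

        spoof_path = os.path.join(spoof_dir, "fwagent.dll")
        return {
            "name_only_accepts_spoof": check_file(spoof_path, None),
            "hash_accepts_spoof": check_file(spoof_path, expected),
            "compliant": evaluate_endpoint(compliant, policy),
            "spoofed": evaluate_endpoint(spoofed, policy),
            "stale": evaluate_endpoint(stale, policy),
        }


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(label, "->", result)
```

Running it shows the point the article makes: the name-only check accepts the renamed file, the hash check rejects it, and the endpoint carrying it is quarantined with a single failure and a redirect to the remediation server, while the endpoint with stopped agents and old signatures collects one failure per unmet check.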

This was first published in March 2005
