This article can also be found in the Premium Editorial Download "Information Security magazine: Spotlight on the incident response hot seat."

Policy Management
Given the similarity of the products' monitoring and enforcement capabilities, we felt the ability to easily create and modify security policies was the most important evaluation criterion.

The more checks that are available out of the box, the fewer you have to create. This becomes even more important depending on how easy it is to create or modify additional compliance settings. Check Point, StillSecure and Sygate provide the widest range of default applications and registry setting checks, while ENDFORCE has the fewest.

Check Point and Sygate's custom compliance settings were easy to create, giving them rich functionality when combined with their default elements. The bottom line is reduced administrative cost.

In contrast, ENDFORCE trailed the field with a lack of wizard or guided process, combined with its paucity of defaults.

The policy creation/modification interfaces varied considerably, with Check Point and Sygate standing above the rest. Check Point had the only wizard-based policy creation/modification--a big time-saver. Sygate's Java-based interface provides flexible access options, but, in our testing, we saw some response lag typical of Java.

In addition to their Web-based interfaces, StillSecure and InfoExpress--both Linux-based--require some command-line administration. This proved a little tedious. InfoExpress' console is highly functional, but needs policy creation/modification wizards to step up.

Useful Information
We evaluated each product's ability to generate reports to maintain the system, respond to events and inform senior management. A good engine should produce a wide range of information (agent communications, firewall events if the agent contained a firewall, noncompliance and policy violations), be easy to use and customize, and export reports in various formats.

Sygate has outstanding reporting capabilities using Crystal Reports. The SygateReports module can export a wide range of reports, including attacks on agents, in a variety of file formats, such as HTML and PDF. It provides graphical reports that you can drill down on. For example, you can view a graph showing all workstations not using the latest AV DAT file and click to examine individual workstations.

Running a close second, Check Point's robust reporting includes the number and type of attacks received on the workstation agent/firewall.

Senforce's Reporting Server comes with reports on client check-in based on enterprise, group and user. The server also integrates with Crystal Reports, but doesn't provide the same valuable attack information as Check Point and Sygate.

InfoExpress' reporting structure isn't as broad, in part because it records events in an MSDE database with a 2 GB storage limit.

ENDFORCE and StillSecure have the weakest reporting capabilities. ENDFORCE provides no agent check-in information, only compliance reports. Knowing if and how often the agents are communicating is an important test of architecture health. StillSecure doesn't support any third-party tools, such as Crystal Reports.

On Guard
The good news is that all these tools perform their primary function--policy-compliance based access control--quite well.

Each checks for running and up-to-date AV, personal firewalls, patches and configurations. They all provide custom policies for additional applications, such as checking for the latest antispyware definition files. These solutions are configurable for what they monitor and how they remediate.

During testing, we looked for false positives and negatives, as well as true compliance checks. We also looked at whether a zero-day worm using a new exploit could shut down the AV, personal firewall or OS patch, and fool the system into thinking that the device was still compliant. We used a number of AV and personal firewall products (if the solution didn't provide one) to test the endpoint security products' effectiveness. We found no false positives or negatives, and every compliance check we conducted was detected correctly.

These endpoint products used a combination of file and registry checks to verify policy compliance, and MD5 hashing to detect spoofing. InfoExpress goes one step further by also checking the dependent DLLs of an executable, in case a worm replaces a file with a same-named impostor. This makes for much stronger security and more difficulty in spoofing a registry setting or file to bypass the endpoint monitor.
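To show why hashing the executable and its dependent DLLs catches a same-named replacement that a simple existence check misses, here is an added illustration in Python; it is not code from any of the reviewed products, and the file names, contents and manifest are constructed for the demo.

```python
import hashlib
import os
import tempfile


def md5_of(path):
    # MD5 is used because that is what the article reports the agents using.
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def name_only_check(install_dir, required_names):
    """Weak check: passes as long as files with the expected names exist."""
    return all(os.path.exists(os.path.join(install_dir, n)) for n in required_names)


def hashed_check(install_dir, manifest):
    """Stronger check: every file in the manifest, including dependent DLLs,
    must match its known-good MD5. Returns (compliant, mismatched_names)."""
    mismatches = []
    for name, expected in manifest.items():
        path = os.path.join(install_dir, name)
        if not os.path.exists(path) or md5_of(path) != expected:
            mismatches.append(name)
    return (not mismatches, mismatches)


def build_manifest(install_dir, names):
    """Record known-good hashes at baseline time (hypothetical agent step)."""
    return {n: md5_of(os.path.join(install_dir, n)) for n in names}


def demo():
    # Constructed AV install: an executable plus the engine DLL it depends on.
    d = tempfile.mkdtemp()
    files = {"scanner.exe": b"GOOD SCANNER", "scanengine.dll": b"GOOD ENGINE"}
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    manifest = build_manifest(d, files)
    before = (name_only_check(d, files), hashed_check(d, manifest)[0])
    # Simulated tampering: the dependent DLL is swapped for a same-named file.
    with open(os.path.join(d, "scanengine.dll"), "wb") as f:
        f.write(b"IMPOSTOR")
    after = (name_only_check(d, files), hashed_check(d, manifest))
    return before, after
```

The name-only check still reports the host as compliant after the swap, while the hashed check flags exactly the replaced DLL; a current agent would use SHA-256 instead of MD5, but the comparison logic is the same.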

Comparison Endpoint Security

This was first published in March 2005
