Guarding the Guardians
Insecure security products can open new holes in your defense as they try to close others. A number of these products have security issues, such as Web server vulnerabilities, generally due to their host OS. We used a number of vulnerability scanners, Web crawlers, password crackers and disk editors to smoke out potential problems. In all cases, the vendor had already issued patches to correct the situation.
StillSecure and Sygate showed fairly standard Web server holes--directory traversal, directory listing disclosure and information disclosure--that allow unauthorized access to data. Check Point and InfoExpress provided the best security of the products; we couldn't penetrate their policy servers or subvert their endpoints. Each vendor responded quickly to the discovered vulnerabilities.
Our tests revealed some serious security weaknesses in ENDFORCE. For example, its RADIUS secret key was stored in plaintext on the server. More disconcerting was its staff's attitude that server security was a platform OS issue--not their problem, end of story. ENDFORCE does nothing to secure its policy server, although it provides substantial documentation for securing a Windows-based installation.
Senforce has similar problems: its database passwords are stored in plaintext, and it only provides documentation for its application security. But at least it was responsive and said it would address these issues.
The other four vendors have active
Almost Ready for Prime Time
Overall, endpoint security remains a promising technology that will continue to draw attention. All six tested products provide effective compliance monitoring and control; the differentiators are in the details. How easy are they to manage? What client OSes do they support? Can they thwart zero-day attacks? Do their installation and management capabilities lower TCO? For remote access protection, the answer is most assuredly yes. This is a controllable area of the network and usually fairly small.
Check Point's Integrity had a clear edge in a relatively tight field, scoring solidly almost across the board. Sygate's Secure Enterprise is a mature and solid product. InfoExpress, with CyberGatekeeper's switch-based enforcement, may be in the best position of any of the vendors to integrate with the various network-based admission control initiatives. StillSecure's SafeAccess, with its clientless architecture and addition of an agent option, is also a sound choice. Senforce's Endpoint Security Suite has some work to do to stand toe-to-toe with competing products. But all will effectively monitor and enforce endpoint security policy compliance, including ENDFORCE's ENDFORCE Enterprise, despite its obvious growing pains.
Once they smooth out the rough edges in design, WAN link communications, administration and reporting, these tools will be ready for wide-scale deployments. They're tantalizingly close to the mark and, within two years, should become nearly as ubiquitous as antivirus software.
This was first published in March 2005