Price: Starts at $43 per user annually
The comprehensive feature set in Sophos Endpoint Security and Control can easily replace a number of individual security products aimed at endpoint protection. In addition to antivirus, it delivers anti-spyware/adware, host intrusion prevention, firewalling, application control, device control, and network access control.
Sophos features centralized management for multiple platforms, including Windows, Macintosh, Linux/Unix, NetWare and OpenVMS.
Installation of the enterprise console, network access control (NAC) server and both AV and NAC client agents was straightforward. We opted for the advanced over the quick setup option and were still able to quickly step through designating a new Enterprise Management Library, which is the central repository for software and downloads.
Next, we set up the schedule for automated downloads. Moving through the configuration components, we had the option of choosing the specific platform agents needed for our environment. The final step opened the management console dashboard, which offers comprehensive access to managed computers, updates, alerts, policies, protection and errors, as well as a tabbed display for details about AV, firewall, NAC, computers, updates, alerts and application control.
To quickly create and maintain user/computer groups, you can import and synchronize information with Active Directory.
While setting up the enterprise console and NAC server worked flawlessly, we encountered several irritations when trying to install the client software directly from the console, some of which required hands-on installation. For example, you need administrative rights to install software on a PC, and you have to uninstall previous versions of the software on older Windows machines. We also encountered error messages during installation on Vista.
There's plenty of documentation to get past these issues. While this might be acceptable in smaller organizations, larger distributed enterprises with multiple versions of Windows as well as different platforms would definitely be challenged during a rollout.
Also, the NAC agent has to be installed separately, and manually on older Windows PCs as well as Mac and *nix machines. We also had an issue getting the agent to install on XP machines, which required us to turn off "Simple File Sharing" (which is different from the File Sharing option found under NIC settings).
From the dashboard in the enterprise console, the policy tree provides instant access to rules for updating, antivirus and HIPS, application control, firewall and NAC.
We were able to set granular policies for different operating systems as well as for different versions of Microsoft Windows (95 through Vista). Under AV and HIPS, we quickly set up detailed scanning options and exclusions specific to each platform. The Cleanup tab let us assign specific actions to known viruses and spyware as well as suspicious files. By differentiating between known and unknown threats, the number of false positives can be significantly reduced.
Sophos provides an extensive list of application types that allowed us to move commonly known applications from authorized to blocked. Within minutes, we were able to effectively prohibit a multitude of games, instant messengers, and file sharing applications, such as LimeWire, Morpheus, Kazaa and FileTopia.
There are also options to limit the use of devices such as CD/DVDs, floppies and removable USB drives; virtualization apps; popular VoIP clients; and even wireless connections, including Bluetooth, infrared and WiFi. These are yes/no controls, lacking the granular capabilities of dedicated device control tools.
Host firewall policies were standard fare, including rules for blocking and allowing different types of protocols, applications and processes.
NAC provides separate policies for managed and unmanaged computers, that is, those with or without NAC agents. For both, we were able to create conditions under which they were allowed to connect to the network. For example, a road warrior's managed laptop must have the most recent updates and a completed scan prior to attaching directly to the internal network with full access, while unmanaged users are directed to a URL where a Web-based agent determines the security state of the machine prior to granting network access. In addition to checking AV status, the NAC component can check for things like OS service packs and patch level.
With few options for customization, we felt this was the weakest aspect of the product overall.
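To make the managed/unmanaged policy split concrete, here is an added example (not Sophos code, and not the product's policy schema) of the kind of posture evaluation a NAC server performs: a managed host is checked against signature age, last completed scan, service pack and missing patches and either admitted or sent to a remediation URL, while an unmanaged host is redirected to a Web-based assessment page. The policy thresholds, field names and URLs are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


# Constructed policy; thresholds and URLs are assumptions for this example,
# not values taken from the Sophos product.
@dataclass
class NacPolicy:
    max_signature_age: timedelta = timedelta(days=2)
    max_scan_age: timedelta = timedelta(days=7)
    min_service_pack: int = 2
    max_missing_critical_patches: int = 0
    remediation_url: str = "https://nac.example.invalid/remediate"
    assessment_url: str = "https://nac.example.invalid/assess"


# Posture as reported by the endpoint agent (or, for unmanaged hosts, unknown).
@dataclass
class Posture:
    hostname: str
    managed: bool                              # True if a NAC agent is installed
    signature_updated: Optional[datetime] = None
    last_scan_completed: Optional[datetime] = None
    os_service_pack: int = 0
    missing_critical_patches: int = 0


def failed_checks(p: Posture, policy: NacPolicy, now: datetime) -> list[str]:
    """Return a human-readable list of every policy condition the host fails."""
    failures = []
    if p.signature_updated is None or now - p.signature_updated > policy.max_signature_age:
        failures.append("antivirus signatures out of date")
    if p.last_scan_completed is None or now - p.last_scan_completed > policy.max_scan_age:
        failures.append("no recently completed scan")
    if p.os_service_pack < policy.min_service_pack:
        failures.append(f"service pack {p.os_service_pack} below required {policy.min_service_pack}")
    if p.missing_critical_patches > policy.max_missing_critical_patches:
        failures.append(f"{p.missing_critical_patches} critical patch(es) missing")
    return failures


def decide(p: Posture, policy: NacPolicy, now: datetime) -> tuple[str, str, list[str]]:
    """Return (decision, redirect URL or empty string, reasons).

    Unmanaged hosts never get direct access: they are sent to the Web-based
    assessment page. Managed hosts get full access only when every check passes.
    """
    if not p.managed:
        return ("assess", policy.assessment_url, ["no NAC agent installed"])
    failures = failed_checks(p, policy, now)
    if failures:
        return ("remediate", policy.remediation_url, failures)
    return ("full-access", "", [])


# Constructed sample hosts evaluated at a fixed point in time.
NOW = datetime(2008, 9, 1, 9, 0)
POLICY = NacPolicy()
COMPLIANT_LAPTOP = Posture("road-warrior-1", managed=True,
                           signature_updated=NOW - timedelta(hours=6),
                           last_scan_completed=NOW - timedelta(days=1),
                           os_service_pack=2, missing_critical_patches=0)
STALE_LAPTOP = Posture("road-warrior-2", managed=True,
                       signature_updated=NOW - timedelta(days=10),
                       last_scan_completed=None,
                       os_service_pack=1, missing_critical_patches=3)
GUEST_PC = Posture("guest-pc", managed=False)

if __name__ == "__main__":
    for host in (COMPLIANT_LAPTOP, STALE_LAPTOP, GUEST_PC):
        decision, url, reasons = decide(host, POLICY, NOW)
        print(f"{host.hostname}: {decision} {url} {reasons}")
```

Reporting every failed condition rather than stopping at the first one is what makes the remediation page useful: the user sees everything that must be fixed before reconnecting.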
Event logs and alerts are set up individually under each feature policy, but we found them to be inconsistent: excellent for AV and HIPS, and weak for application control and firewall.
Under AV and HIPS, we were able to set up alerting for multiple events, including virus/spyware detection and cleanup, suspicious behavior, suspicious files, adware and PUAs (potentially unwanted applications), as well as scanning and program errors such as failed updates. These alerts could be sent to a log, the desktop, via email or to an SNMP trap.
However, both application control and the firewall lacked specific event notification and had weak logging.
Reporting was limited to generic reports generated through drop-down menus and radio buttons.
While the reports could be printed or exported into a number of formats, including PDF, HTML, Microsoft Excel and Word, RTF, CSV and XML, there were no options for automated reports or having them disseminated via email.
Sophos has long been a leader in the antimalware space, with superior scanning engines and a research division that stays on top of emerging threats. With the added functionalities of firewall, NAC, HIPS, and device control, all centrally managed, Sophos has set a new bar for endpoint security.
We were particularly pleased with the way Sophos goes beyond traditional signatures and basic heuristics to identify both unidentified malware and unwanted files, code and behaviors on endpoints. Suspicious File detection examines characteristics, such as how the file was packed, if it's making any calls to specific HTTP sites and if there are embedded URLs in the code. Depending on the number of triggers, files can be tagged as suspect or malware. Sophos allowed us to designate various actions based upon not just suspicious files, but also for adware and PUAs, which pose more of an irritation than a threat.
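The trigger-counting approach described above can be illustrated with a small heuristic scanner. This is an added example, not the Sophos engine or its real characteristics: it uses byte entropy as a stand-in for "how the file was packed", a regular expression for embedded URLs, and a constructed list of HTTP download API names as a stand-in for "calls to specific HTTP sites", then grades the file by how many triggers fire and maps the grade to an action. Thresholds, the API-name list and the sample files are all constructed.

```python
import math
import re
from collections import Counter

# Constructed thresholds and indicator lists; not values from the Sophos product.
ENTROPY_THRESHOLD = 7.0          # bits per byte; packed or encrypted data sits near 8.0
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-_/]+")
HTTP_API_NAMES = (b"URLDownloadToFile", b"WinHttpSendRequest", b"InternetOpenUrl")
ACTIONS = {"clean": "allow", "suspicious": "quarantine for review", "malware": "delete"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally common."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triggers(data: bytes) -> list[str]:
    """Return the list of heuristic indicators that fired for this file."""
    hits = []
    if shannon_entropy(data) > ENTROPY_THRESHOLD:
        hits.append("high entropy (likely packed or encrypted)")
    urls = URL_RE.findall(data)
    if urls:
        hits.append(f"{len(urls)} embedded URL(s)")
    if any(name in data for name in HTTP_API_NAMES):
        hits.append("references an HTTP download API")
    return hits


def classify(data: bytes) -> str:
    """Grade by trigger count: none -> clean, one -> suspicious, two or more -> malware."""
    count = len(triggers(data))
    if count == 0:
        return "clean"
    if count == 1:
        return "suspicious"
    return "malware"


def action_for(data: bytes) -> str:
    """Map the verdict to the configured cleanup action."""
    return ACTIONS[classify(data)]


# Constructed sample files (byte strings built inline, not real malware).
BENIGN_CONFIG = b"name=value\nlog_level=info\n" * 40
DOC_WITH_LINK = b"See http://docs.example.invalid/guide for details.\n" * 5
PACKED_DOWNLOADER = (bytes(range(256)) * 16            # uniform bytes, entropy 8.0
                     + b"http://example.invalid/stage2 URLDownloadToFileA")

if __name__ == "__main__":
    for label, sample in (("config", BENIGN_CONFIG),
                          ("document", DOC_WITH_LINK),
                          ("packed", PACKED_DOWNLOADER)):
        print(f"{label}: {classify(sample)} -> {action_for(sample)}; {triggers(sample)}")
```

Grading on the number of independent indicators, rather than on any single one, is what keeps a plain document that merely contains a link out of the "malware" bucket while still flagging it for review; the same structure is what lets a product assign a milder action to adware and PUAs than to files that look like packed downloaders.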
As networks become more heterogeneous, support for multiple platforms included in centralized management is also a big plus.
Overall, Sophos passed all of our security tests, thwarting malware, spyware, exploits, intrusion attempts and the installation of unauthorized applications and devices.
We found Sophos Endpoint Security and Control to effectively cover all the bases of endpoint security traditionally offered by multiple products.
Testing methodology: We installed the Enterprise Console and NAC Server on a Windows Server 2003 machine and tested with a variety of client endpoints, including multiple versions of Windows, Mac OS and Linux using a variety of active malicious code and adware/spyware.
This was first published in September 2008