Published: 29 Mar 2005
Our tests found that endpoint security products will enforce policy and manage network access. Their differences are in the details.
|Test Bed: About This Bakeoff|
Endpoint security policies are only as good as your ability to enforce them. Maintaining up-to-date AV signatures, patches, configuration settings and application versions is tough enough on static network desktops and servers, let alone on transient and remote devices like home PCs and employee laptops. Each noncompliant device has the potential to infect the entire enterprise.
Endpoint security products address this problem by automating security policy compliance monitoring and enforcement, and quarantining or denying network access to noncompliant devices until they're resolved.
We tested six products--Check Point Software Technologies' Check Point Integrity 5.0, ENDFORCE's ENDFORCE Enterprise 1.5, InfoExpress' CyberGatekeeper 3.0, Senforce's Endpoint Security Suite 3.0, StillSecure's StillSecure Safe Access 2.0 and Sygate's Sygate Secure Enterprise 4.1. We found that each will effectively enforce policy compliance and access to network resources.
It's the other factors--installation, configuration, management, scalability and system security--that ultimately determine if they're a good enterprise investment.
There's an ancient saying: There are many ways to the top of the mountain, but they all arrive at the same point.
Such is the case with these six endpoint solutions. They all employ a wide range of architectures that assure only secure devices get on the network. InfoExpress (Linux server) and ENDFORCE (Windows Server 2003) are client/server products that use an agent-based approach. These products don't incorporate a personal firewall in their agent, but will check to ensure your endpoint is using a third-party firewall.
Check Point, Sygate and Senforce use an agent model that includes an inseparable desktop firewall, which could cause conflicts for enterprises using third-party products.
In all cases, the agent scans the client machine based on the parameters set on the policy server. As instructed, it will check for things like registry strings and running processes and files, such as executables and DLLs. For files, ENDFORCE checks only names, but the others use an MD5 hash to guard against file spoofing.
StillSecure employs an agentless architecture. Its central server uses Windows' NetBIOS to scan endpoints for registry settings, running processes, up-to-date signatures and patches, etc., during the normal network logon--but it supports only Windows devices. (Its newest release, which wasn't available for testing, offers agent technology as an option.) The server may be either placed in an inline gateway mode using its built-in firewall to block access, or used in front of the DHCP servers to control access to the IP address range.
Every product tested--except InfoExpress--uses either the agent or the central policy server to control network access or quarantine the endpoint until the policies have been met. InfoExpress uses the router and switching infrastructure (Cisco or Nortel) to quarantine noncompliant clients into a segregated VLAN until they've been remediated. All of these solutions allow the security manager to send a noncompliant client to a Web server or other delivery mechanism that contains required patches, AV up-dates, configuration changes and software upgrades.
We tested the products for ease of installation; our goal was to get them up and running quickly without tech support. ENDFORCE, Senforce, Sygate and Check Point run on Windows Server 2003, and required SQL Server (Sygate supports Oracle as well), IIS and an SSL certificate.
Sygate's documentation and wizards made for the smoothest installation; we were basically able to install the product by answering a series of on-screen questions.
Check Point's documentation and wizards were almost as sharp, helping us install the policy server without incident. However, the agent installation caused an XP Pro workstation to crash during the reboot. Check Point hasn't received similar reports, and its tech support was unable to reproduce the error.
StillSecure's agentless system was easy to install and used a Linux-based script to build the policy server.
Although it comes packaged on a hardened Linux server, InfoExpress' CyberGatekeeper was the most challenging installation, requiring professional support because of its unique architecture; the technical staff deftly walked us through the installation over the phone. The complexity lies in InfoExpress' server working directly with switches and routers. Setting up VLANs manually on switches and mapping them to the production and quarantine areas of a network are painstaking processes. If your infrastructure supports 802.1X, the job becomes substantially easier; the InfoExpress agent simply communicates to the 802.1X infrastructure, letting the switching intelligence determine the configuration.
ENDFORCE's poor documentation made installation quite difficult. At some points, we had five different documents open. It was easy to miss important steps, such as Web certificate installation, because the instructions were buried inside a paragraph. As a result, we made good use of its knowledgeable technical support staff.
Senforce's quick start guide was insufficient, but the combination of tutorials on the installation CD and the admin guide enabled us to complete the installation without technical support.
The scalability and flexibility of these products varied with their host OS and depended on whether they used an agent or agentless architecture. StillSecure's agentless design makes it highly scalable, particularly if it's deployed in front of DHCP servers, enforcing access by preventing the workstation from obtaining an IP address to the production network; it's a much more efficient network access control method than relying on an agent. StillSecure can also be deployed as an inline gateway, using its firewall to control network access.
All of the tested products except Senforce have a failover capability to assure 24/7 uptime. All provide LDAP support, which enhances enterprise scalability.
InfoExpress' wide range of client support offers a distinct advantage for heterogeneous environments.
Given the similarity of the products' monitoring and enforcement capabilities, we felt the ability to easily create and modify security policies was the most important evaluation criterion.
The more checks that are available out of the box, the fewer you have to create. This becomes even more important depending on how easy it is to create or modify additional compliance settings. Check Point, StillSecure and Sygate provide the widest range of default applications and registry setting checks, while ENDFORCE has the fewest.
Check Point and Sygate's custom compliance settings were easy to create, giving them rich functionality when combined with their default elements. The bottom line is reduced administrative cost.
In contrast, ENDFORCE trailed the field with a lack of wizard or guided process, combined with its paucity of defaults.
The policy creation/modification interfaces varied considerably, with Check Point and Sygate standing above the rest. Check Point had the only wizard-based policy creation/modification--a big time-saver. Sygate's Java-based interface provides flexible access options, but, in our testing, we saw some response lag typical of Java.
In addition to their Web-based interfaces, StillSecure and InfoExpress--both Linux-based--require some command-line administration. This proved a little tedious. InfoExpress' console is highly functional, but needs policy creation/modification wizards to step up.
We evaluated each product's ability to generate reports to maintain the system, respond to events and inform senior management. A good engine should produce a wide range of information (agent communications, firewall events if the agent contained a firewall, noncompliance and policy violations), be easy to use and customize, and export reports in various formats.
Sygate has outstanding reporting capabilities using Crystal Reports. The SygateReports module can export a wide range of reports, including attacks on agents, in a variety of file formats, such as HTML and PDF. It provides graphical reports that you can drill down on. For example, you can view a graph showing all workstations not using the latest AV DAT file and click to examine individual workstations.
Running a close second, Check Point's robust reporting includes the number and type of attacks received on the workstation agent/firewall.
Senforce's Reporting Server comes with reports on client check-in based on enterprise, group and user. The server also integrates with Crystal Reports, but doesn't provide the same valuable attack information as Check Point and Sygate.
InfoExpress' reporting structure isn't as broad, in part because it records events in a MSDE database with a 2 GB storage capacity.
ENDFORCE and StillSecure have the weakest reporting capabilities. ENDFORCE provides no agent check-in information, only compliance reports. Knowing if and how often the agents are communicating is an important test of architecture health. StillSecure doesn't support any third-party tools, such as Crystal Reports.
The good news is that all these tools perform their primary function--policy-compliance based access control--quite well.
Each checks for running and up-to-date AV, personal firewalls, patches and configurations. They all provide custom policies for additional applications, such as checking for the latest antispyware definition files. These solutions are configurable for what they monitor and how they remediate.
During testing, we looked for false positives and negatives, as well as true compliance checks. We also looked at whether a zero-day worm using a new exploit could shut down the AV, personal firewall or OS patch, and fool the system into thinking that the device was still compliant. We used a number of AV and personal firewall products (if the solution didn't provide one) to test the endpoint security products' effectiveness. We found no false positives or negatives, and every compliance check we conducted was detected correctly.
These endpoint products used a combination of file and registry checks to verify policy compliance, and MD5-hashing to detect spoofing. InfoExpress goes one step further by looking at the dependent DLLs of an executable just in case a worm attempts to replace a file with one with the same name. This makes for much stronger security and more difficultly in spoofing a registry setting or file to bypass the endpoint monitor.
Guarding the Guardians
Insecure security products can open new holes in your defense as they try to close others. A number of these products have security issues, such as Web server vulnerabilities, generally due to their host OS. We used a number of vulnerability scanners, Web crawlers, password crackers and disk editors to smoke out potential problems. In all cases, the vendor had already issued patches to correct the situation.
StillSecure and Sygate showed fairly standard Web server holes--directory traversal, directory listing disclosure and information disclosure--that allow unauthorized access to data. Check Point and InfoExpress provided the best security of the products; we couldn't penetrate their policy servers or subvert their endpoints. Each vendor responded quickly to the discovered vulnerabilities.
Our tests revealed some serious security weaknesses in ENDFORCE. For example, its RADIUS secret key was in plaintext on the server. More disconcerting was its staff's attitude that server security was a platform OS issue--not their problem, end of story. ENDFORCE does nothing to secure its policy server, although it provides a substantial documentation for securing Windows-based installation.
Senforce has similar problems with its database passwords being in plaintext and only provides documentation for its application security. But, at least it was responsive and said it would address these issues.
The other four vendors have active security testing programs. They use tools such as Nessus and Nmap to scan their products for vulnerabilities, and they make a conscious effort to secure their own architecture, regardless of server platform.
Almost Ready for Prime Time
Overall, endpoint security remains a promising technology that will continue to draw attention. All six tested products provide effective compliance monitoring and control; the differentiators are in the details. How easy are they to manage? What client OSes do they support? Can they thwart zero-day attacks? Do their installation and management capabilities lower TOC? For remote access protection, the answer is most assuredly yes. This is a controllable area of the network and usually fairly small.
Check Point's Integrity had a clear edge in a relatively tight field, scoring solidly almost across the board. Sygate's Secure Enterprise is a mature and solid product. InfoExpress, with CyberGatekeeper's switch-based enforcement, may be in the best position of any of the vendors to integrate with the various network-based admission control initiatives. StillSecure's SafeAccess, with its clientless architecture and addition of an agent option, is also a sound choice. Senforce's Endpoint Security Suite has some work to do to stand toe-to-toe with competing products. But all will effectively monitor and enforce endpoint security policy compliance, including ENDFORCE's ENDFORCE Enterprise, despite its obvious growing pains.
Once they smooth out the rough edges in design, WAN link communications, administration and reporting, these tools will be ready for wide-scale deployments. They're tantalizingly close to the mark and, within two years, should become nearly as ubiquitous as antivirus software.