Software tightens loose network endpoints

Software tightens loose network endpoints

If you manage IT for a government organization -- be it federal, state, or local -- you don't have the luxury of waiting to harden your network defenses, unlike IT managers of commercial enterprises. Public agencies are legally accountable for safeguarding the information they have on their computers, so you must protect that information to avoid serious consequences.

Although the mention of security in a government context might spark thoughts of state secrets and national security, the reality is more mundane. All the data that government agencies are charged with protecting -- personal information, personnel actions, contract deliberations and actions, procurement details and proposals, information related to law enforcement and the courts -- is subject to the same problems that affect any other organization, regardless of whether its domain ends in .gov or .com.

Viruses and worms don't discriminate. When successful, they not only tie up your network, they destroy data and even send information to the outside world. As a result, government IT staffs must make sure that users' machines are scanned for viruses, that they're protected against intrusions and exploits, that their security software is regularly maintained, and that their operating systems are kept up to date. You also must be able to prove that you did it in case anyone asks.

Managing the security of your clients can take many forms. Among the product choices are anti-virus solutions that include central management and that will work with a personal firewall if present. Some managed personal firewall solutions will also work with anti-virus. Still other solutions will manage their own anti-virus and firewall clients, and other groups will manage clients from other companies.

All of these approaches are represented by the four products reviewed here. Some of these products will enforce compliance with client security policies by banning users unless their computers are up to date, some will force users to update their machines, and one product allows you to prevent users from running anything at all that you don't approve. Some of these products keep an eye on user e-mail, instant messaging, and Web sites visited.

No single approach covers all potential problems. This means that no matter which solution you choose -- should you choose only one -- you won't be completely protected. On the other hand, because you can manage client security remotely and set policies centrally, at least you'll be consistent and that's half the battle.

Check Point Integrity

When Check Point Software Technologies acquired Zone Labs this year, one of the reasons was to obtain Integrity. This product builds on Zone's already strong firewall technology to provide a centrally managed layer of protection that's both effective and easy to manage. And as a plus for IT managers, the Integrity Agent can be installed so it's invisible to the end-user, reducing the chance of tampering.

Although Zone doesn't provide anti-virus capability, it does work with the major providers of anti-virus software, including Computer Associates International, McAfee, Sophos, Symantec, and Trend Micro. It detects when these products are properly updated and quarantines machines that aren't running properly updated software. Check Point's Integrity also checks for the operating system patch level before granting access to a protected asset.

Integrity Server runs on either Windows 2000 Server or Windows Server 2003 machines. Implementing the server requires little beyond allowing the installer to run. The server installation creates a shared file area, or "sandbox," that's visible to the Apache Web server that's also installed. The standard means of distributing the Integrity client software is to e-mail the link to users and have them click on it to perform the installation. Unfortunately, the default link to the sandbox is very long and complex, and the documentation directs you to write it down so you can install it on clients that don't have e-mail accounts.

You can perform the client installation the way Integrity suggests, of course, but it's error-prone and time-consuming. If you're aware of this need ahead of time, you can also pick a much easier-to-use link. Or better yet, you can use products such as Microsoft's Systems Management Server or Novell Inc.'s ZENWorks and avoid the issue completely. Smaller organizations, unfortunately, are stuck with the Web distribution, so pick an easy URL for the sandbox.

Fortunately, you only install once. After you get everything running, Integrity shines. You can see the security status of the network at a glance, control access easily, and check the status of any client in seconds.

The users get one of two client software packages to use. One, Integrity Agent, can be invisible. IT managers have the option of an icon in Windows' System Tray. The network manager retains complete control over security.

The other client is Integrity Flex, which closely resembles the Zone Alarm personal firewall in appearance and operation. It also gives the user some control over how it works. Flex is designed for users who travel and therefore must be able to control their security while away from the enterprise, even when connected to other corporate or hotel networks.

If there's a downside to Integrity it's the required dedicated server. You shouldn't run it on a machine that's doing anything else. This isn't a major disadvantage -- it's likely you'd want to use a dedicated machine anyway -- but it's something for which you need to plan. You have to turn off IIS, by the way, because Integrity comes with its own copy of Apache, which needs the same resources. Integrity will stop running if it finds IIS in use.

Overall, Integrity is an excellent choice for keeping your clients secure. Like the other products in this roundup, it doesn't do everything. It lacks its own anti-virus client, for example. And although Integrity falls short of Sygate in overall capabilities, it provides support for those things it doesn't do and gives you plenty of control over client security in a way that is also easy to use and manage.

McAfee Active VirusScan and Desktop Firewall

At the center of McAfee's end-point security solution is ePO (ePolicy Orchestrator), a centralized management application that works with a variety of McAfee clients. I tested McAfee's Active VirusScan Suite, which includes ePO, the enterprise version of the company's anti-virus software, and McAfee's Desktop Firewall.

The combination of products allows you to have both virus protection and a personal firewall on your client systems. You can monitor those clients for perils such as a virus outbreak, and you can push virus definition and software updates to your clients as often as you wish. The VirusScan Suite also includes NetShield, a virus scanner for Novell NetWare servers, which I did not test.

McAfee is in the process of releasing other products that can work with ePO. For example, recently acquired Entercept, a host-based intrusion prevention package, will be integrated into ePO in the next release. (Read InfoWorld's review of Entercept 5.0.)

ePO is designed to monitor the network for client systems that are out of compliance with your security policies. This may include clients that don't have up-to-date virus definitions or clients that aren't running McAfee's agent. Most of the time, ePO simply monitors the network, but when it finds a problem, it flags the problem client on the management console so you can take action. ePO can monitor McAfee's own products and can also alert administrators to rogue computers and configuration issues such as noncompliant Windows patch levels.

Getting ePO running and deploying VirusScan and Desktop Firewall to clients is a little more complex than it should be. First you must install everything on the server then perform a number of steps to tell ePO what you want to send out to the clients and to which class of users it should go. After I instructed ePO to deploy, I found that it sometimes took quite a long time before the software was sent out to the clients and installed.

It can take a while to get rid of the McAfee software after deployment. I found that a McAfee client could persist for days after ordering ePO to remove it. Normally, however, deployment or removal started within five minutes of when the action was ordered.

After deployment, setup is very straightforward. The anti-virus product wasted no time in ensuring each client had all the latest protections. I found the Desktop Firewall's lack of default settings surprising. Instead, it arrives in what McAfee calls the "Learn Mode" and questions every attempt to access the network for anything. During this period, even normal activities such as the anti-virus software checking for updates require intervention by the end-user.

You can set such defaults centrally, and you can deploy predefined rules. You can also direct ePO to learn from deployed agents and report back, which in turn eventually builds a set of rules. Employing these options, however, assumes that everything is acceptable for all users, so you'll still have to intervene in at least some cases.

When everything is running and your rules are set, monitoring your network is fairly easy. The management console is easy to use and very flexible. You have granular control over your monitoring, and you can deploy sensors to other network segments to monitor network activity and report back. You can keep tabs on all of this through the console, and force upgrades where needed to keep the clients secure. You can also be proactive in the event of a breakout, dynamically changing rules to isolate clients until you can fix them.

Overall, McAfee's ePO, VirusScan, and Desktop Firewall are an easy-to-use, effective combination of products that go a long way in protecting your enterprise against malicious code, hackers, and the like.

Sygate Secure Enterprise

Enforcement is the focus of SSE (Sygate Secure Enterprise). At its heart, SSE is designed to provide a firewall for every node on the network and to confirm that any other node that attempts to communicate is similarly protected. It goes beyond that, of course. SSE may be set to confirm the levels of anti-virus protection and operating system patches, among others. Any computer that attempts a connection to the network that doesn't meet the required level of protection can be quarantined, either locked out of the network entirely or only permitted to connect to the update site for whatever is out of date.

For remote users connecting to the enterprise network, SSE will check to make sure they're using an approved VPN, that their anti-virus software has been updated recently (admins get to set the number of days since the most recent update), and that they've updated Windows. If clients don't meet all the requirements, Sygate supports flexible and granular ways to enforce policies. For example, if a user hasn't run Symantec Live Update recently enough, he or she could only be allowed to connect to the Symantec site and download updates. The same is true for any other policy you might choose to enforce.

SSE even checks for additional connections to the Internet outside the VPN and compensates for such loopholes. It might check to ensure a user has not only updated the anti-virus signatures, but also run a scan. It might check to see if the user is connecting from inside or outside the company and apply different standards depending on the location.

You can also enforce policies based on such parameters as presence of host-based intrusion prevention, status of file sharing, or method of connection (dial-up or wireless, for example). The standards that must be met are up to the IT staff, but they're easily and effectively enforced.

Sygate requires you to provide a copy of either Microsoft SQL Server running on Windows 2000 Server or Oracle running on Solaris. You can run SSE on the same Windows 2000 server as SQL Server, if you're not concerned about performance. SSE itself will run on Windows Server 2003, but the version of SQL Server that's supported by SSE won't, so if you want to use the more secure Windows Server 2003, you will have to use two servers.

Although SSE's management interface isn't exactly hard to use, it can be confusing, with some buttons placed at seemingly random, unexpected locations. In addition, although there are places in which the interface design seems well-thought-out, for the most part it's disorganized. SSE is not the place you'd manage security on a global basis. It'll show what you ask for, but it won't provide an overall view of your security situation.

Implementation of the SSE server is well-organized, however. The process proceeds smoothly and -- as long as you have your database server and permissions for it set appropriately -- most of the process consists of clicking the "Next" button. Client implementation isn't automated, but it's straightforward. When you install the server, the client software is placed in a shared directory. Client installation requires that users go to the shared directory, choose the proper client (server, desktop, or notebook), copy it to their computers, then run the setup program. You can distribute clients by other means, including e-mail, as well.

SSE doesn't do everything but it doesn't claim to. What it does do, it mostly does very well. And it will work just fine with everything else you need to complete your client security picture. Just don't expect to be wowed by the management interface.

Trend Micro OfficeScan

Like McAfee's offering, Trend Micro's OfficeScan is essentially a centrally managed anti-virus product. Its agent is very easy to deploy, and its firewall works correctly most of the time. Unfortunately, when it goes wrong, you must sometimes find the fix through unmarked pathways and undocumented means.

Implementing OfficeScan seemed very promising at first. The standard installation of the server went without a hitch on a Windows Server 2003 machine. The standard deployment method, however, which involves pushing the client agent out for remote installation, was fraught with difficulty.

One of the test clients, an IBM IntelliStation Z Pro workstation, simply refused to get the remote installation. After several attempts, a call to tech support revealed that this was a known issue that required a counterintuitive change to an obscure setting (I had to turn simple file sharing off). This has to be done manually on machines that won't work with OfficeScan's distribution model. Not a big deal with one machine but apparently common enough that larger enterprises could be burdened with a lot of manual labor.

A more serious issue is that OfficeScan didn't always detect the Eicar test virus that I used in my testing, missing it about half the time. This problem only occurred with OfficeScan. Other anti-virus packages I tried, including McAfee, found it instantly. In fact, copies of Norton AntiVirus elsewhere on the network tracked Eicar down so aggressively that I was limited in my ability to download it.

Unlike the other products in this review, OfficeScan incorporates a vulnerability scanner that's supposed to provide services similar to Sygate, denying access to network nodes that display vulnerabilities. Unfortunately, it only worked well when the rest of the network was also running OfficeScan. A node running McAfee or Norton anti-virus products was considered vulnerable by OfficeScan, resulting in a flood of firewall warnings and attempts to isolate the offending computer.

On a positive note, OfficeScan incorporates the Cisco Trust Agent, allowing it to work with Cisco Systems's Network Admission Control-equipped routers to restrict network access by computers that don't have the latest anti-virus updates. Unfortunately, I wasn't able to obtain a properly equipped Cisco router in time to test this feature.

Trend Micro has included some very good ideas in OfficeScan, but not everything worked as it should have. It's hard to recommend OfficeScan to managers of environments with a variety of security products from different manufacturers. Ideally, Trend Micro would take its best ideas, such as the deployment software and the vulnerability testing, and make them work better.

Although none of these products is a total solution to client security, they are, for the most part, very good. They are also very different. Despite similar goals and methods, Check Point Integrity and Sygate Secure Enterprise take different approaches to accomplish their tasks. Both would serve large networks well, but both require network managers to deploy other centrally managed products, such as an intrusion prevention system and an enterprise anti-virus solution, to fill in the gaps.

Among the choices presented in this review, the best solution would be to combine Integrity or Sygate with McAfee. Those seeking maximum flexibility will like Sygate as McAfee's partner, while those wanting smoother management will like Check Point. Either way, you'll have a pair of solutions you can trust.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

Join the newsletter!

Error: Please check your email address.

More about ApacheCA TechnologiesCheck Point Software TechnologiesCheck Point Software TechnologiesCiscoEndPointsIBM AustraliaMcAfee AustraliaMicrosoftNovellOraclePoint Software TechnologiesSophosSymantecTrend Micro AustraliaZone AlarmZone Labs

Show Comments