Reining in client security problems
1 April 2005
Viruses and worms don’t discriminate. When successful, they not only tie up your network, they destroy data and even send information to the outside world. As a result, IT staff must make sure that users’ machines are scanned for viruses, that they’re protected against intrusions and exploits, that their security software is regularly maintained, and that their operating systems are kept up to date. You also must be able to prove that you did it in case anyone asks.
Managing the security of your clients can take many forms. Among the choices are antivirus products that include central management and that will work with a personal firewall if present. Some managed personal firewall products will also work with antivirus. Still other solutions will manage their own antivirus and firewall clients, and other groups will manage clients from other companies.
All of these approaches are represented by the four products reviewed here. Some of these products will enforce compliance with client security policies by banning users unless their computers are up to date, some will force users to update their machines, and one product allows you to prevent users from running anything at all that you don’t approve. Some of these products keep an eye on user e-mail, instant messaging, and Web sites visited.
No single approach covers all potential problems. This means that no matter which solution you choose—should you choose only one—you won’t be completely protected. On the other hand, because you can manage client security remotely and set policies centrally, at least you’ll be consistent and that’s half the battle.
Check Point Integrity
When Check Point Software Technologies acquired Zone Labs last year, one of the reasons was to obtain Integrity. This product builds on Zone’s already strong firewall technology to provide a centrally managed layer of protection that’s both effective and easy to manage. And as a plus for IT managers, the Integrity Agent can be installed so it’s invisible to the end-user, reducing the chance of tampering.
Although Zone doesn’t provide antivirus capability, it does work with the major providers of antivirus software, including Computer Associates, McAfee, Sophos, Symantec, and Trend Micro. It detects when these products are properly updated and quarantines machines that aren’t running properly updated software. Check Point’s Integrity also checks for the operating system patch level before granting access to a protected asset.
Integrity Server runs on either Windows 2000 Server or Windows Server 2003 machines. Implementing the server requires little beyond allowing the installer to run. The server installation creates a shared file area, or ‘sandbox,’ that’s visible to the Apache Web server that’s also installed. The standard means of distributing the Integrity client software is to e-mail the link to users and have them click on it to perform the installation. Unfortunately, the default link to the sandbox is very long and complex, and the documentation directs you to write it down so you can install it on clients that don’t have e-mail accounts.
You can perform the client installation the way Integrity suggests, of course, but it’s error-prone and time-consuming. If you’re aware of this need ahead of time, you can also pick a much easier-to-use link. Or better yet, you can use products such as Microsoft’s Systems Management Server or Novell’s ZENWorks and avoid the issue completely. Smaller organisations, unfortunately, are stuck with the Web distribution, so pick an easy URL for the sandbox.
Fortunately, you only install once. After you get everything running, Integrity shines. You can see the security status of the network at a glance, control access easily, and check the status of any client in seconds.
The users get one of two client software packages to use. One, Integrity Agent, can be invisible. IT managers have the option of an icon in Windows’ System Tray. The network manager retains complete control over security.
The other client is Integrity Flex, which closely resembles the Zone Alarm personal firewall in appearance and operation. It also gives the user some control over how it works. Flex is designed for users who travel and therefore must be able to control their security while away from the office, even when connected to other corporate or hotel networks.
If there’s a downside to Integrity it’s the required dedicated server. You shouldn’t run it on a machine that’s doing anything else. This isn’t a major disadvantage—it’s likely you’d want to use a dedicated machine anyway—but it’s something for which you need to plan. You have to turn off IIS, by the way, because Integrity comes with its own copy of Apache, which needs the same resources. Integrity will stop running if it finds IIS in use.
Overall, Integrity is an excellent choice for keeping your clients secure. Like the other products in this roundup, it doesn’t do everything. It lacks its own antivirus client, for example. And although Integrity falls short of Sygate in overall capabilities, it provides support for those things it doesn’t do and gives you plenty of control over client security in a way that is also easy to use and manage.
Check Point Integrity 5.0
THE BOTTOM LINE: Very Good
Integrity requires a dedicated server, so you can’t share the platform with another application. The default client deployment is clunky, although most companies will use SMS or ZENworks to deploy the software. Either way, Integrity makes heavy use of Zone Labs’ highly regarded firewall technology, customised for different platforms, and its superior management interface.
Contact: Unipalm 01-639 1593
McAfee Active VirusScan and Desktop Firewall
At the centre of McAfee’s end-point security system is ePO (ePolicy Orchestrator), a centralised management application that works with a variety of McAfee clients. We tested McAfee’s Active VirusScan Suite, which includes ePO, the enterprise version of the company’s antivirus software, and McAfee’s Desktop Firewall.
The combination of products allows you to have both virus protection and a personal firewall on your client systems. You can monitor those clients for perils such as a virus outbreak, and you can push virus definition and software updates to your clients as often as you wish. The VirusScan Suite also includes NetShield, a virus scanner for Novell NetWare servers, which we did not test. McAfee is in the process of releasing other products that can work with ePO. For example, recently acquired Entercept, a host-based intrusion prevention package, will be integrated into ePO in the next release.
ePO is designed to monitor the network for client systems that are out of compliance with your security policies. This may include clients that don’t have up-to-date virus definitions or clients that aren’t running McAfee’s agent. Most of the time, ePO simply monitors the network, but when it finds a problem, it flags the problem client on the management console so you can take action. ePO can monitor McAfee’s own products and can also alert administrators to rogue computers and configuration issues such as noncompliant Windows patch levels.
Getting ePO running and deploying VirusScan and Desktop Firewall to clients is a little more complex than it should be. First you must install everything on the server then perform a number of steps to tell ePO what you want to send out to the clients and to which class of users it should go. After we instructed ePO to deploy, we found that it sometimes took quite a long time before the software was sent out to the clients and installed.
It can take a while to get rid of the McAfee software after deployment. We found that a McAfee client could persist for days after ordering ePO to remove it. Normally, however, deployment or removal started within five minutes of when the action was ordered.
After deployment, setup is very straightforward. The antivirus product wasted no time in ensuring each client had all the latest protections. We found the Desktop Firewall’s lack of default settings surprising. Instead, it arrives in what McAfee calls the ‘Learn Mode’ and questions every attempt to access the network for anything. During this period, even normal activities such as the antivirus software checking for updates require intervention by the end-user.
You can set such defaults centrally, and you can deploy predefined rules. You can also direct ePO to learn from deployed agents and report back, which in turn eventually builds a set of rules. Employing these options, however, assumes that everything is acceptable for all users, so you’ll still have to intervene in at least some cases.
When everything is running and your rules are set, monitoring your network is fairly easy. The management console is easy to use and very flexible. You have granular control over your monitoring, and you can deploy sensors to other network segments to monitor network activity and report back. You can keep tabs on all of this through the console, and force upgrades where needed to keep the clients secure. You can also be proactive in the event of a breakout, dynamically changing rules to isolate clients until you can fix them.
Overall, McAfee’s ePO, VirusScan, and Desktop Firewall are an easy-to-use, effective combination of products that go a long way in protecting your enterprise against malicious code, hackers, and the like.
McAfee Active VirusScan Suite and Desktop Firewall 8.0
THE BOTTOM LINE: Very Good
McAfee provides an effective antivirus and firewall combination for enterprise desktops. The management interface is easy to use but experienced a few glitches. Updates can be slow and policy enforcement is handled by forcing updates rather than quarantine. Additional features are planned that will make this a very well rounded suite of products in the future.
Contact: Topsec Technology 01 240 1000
Sygate Secure Enterprise
Enforcement is the focus of SSE (Sygate Secure Enterprise). At its heart, SSE is designed to provide a firewall for every node on the network and to confirm that any other node that attempts to communicate is similarly protected. It goes beyond that, of course. SSE may be set to confirm the levels of antivirus protection and operating system patches, among others. Any computer that attempts a connection to the network that doesn’t meet the required level of protection can be quarantined, either locked out of the network entirely or only permitted to connect to the update site for whatever is out of date.
For remote users connecting to the enterprise network, SSE will check to make sure they’re using an approved VPN, that their antivirus software has been updated recently (admins get to set the number of days since the most recent update), and that they’ve updated Windows. If clients don’t meet all the requirements, Sygate supports flexible and granular ways to enforce policies. For example, if a user hasn’t run Symantec Live Update recently enough, he or she could only be allowed to connect to the Symantec site and download updates. The same is true for any other policy you might choose to enforce.
SSE even checks for additional connections to the Internet outside the VPN and compensates for such loopholes. It might check to ensure a user has not only updated the antivirus signatures, but also run a scan. It might check to see if the user is connecting from inside or outside the company and apply different standards depending on the location.
You can also enforce policies based on such parameters as presence of host-based intrusion prevention, status of file sharing, or method of connection (dial-up or wireless, for example). The standards that must be met are up to the IT staff, but they’re easily and effectively enforced.
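The graduated enforcement described above (check signature age, scan age, patch level, VPN and location; restrict stale clients to the update site, block clients that cannot be fixed that way) can be written as a small policy evaluator. This is an added illustration, not Sygate’s code; the posture fields, thresholds, VPN profile name and update host are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Posture:
    """Constructed posture report from an endpoint agent (field names assumed)."""
    host: str
    av_signature_age_days: int     # days since antivirus signatures were updated
    av_scan_age_days: int          # days since the last full antivirus scan
    os_patches_current: bool       # Windows Update status reported by the agent
    vpn_profile: Optional[str]     # VPN client in use, None if connecting bare
    location: str                  # "inside" or "outside" the corporate network
    file_sharing_enabled: bool


@dataclass
class Policy:
    """Thresholds an admin would set; the values here are illustrative."""
    max_signature_age_inside: int = 7
    max_signature_age_outside: int = 3   # stricter standard for remote users
    max_scan_age_days: int = 30
    approved_vpns: frozenset = frozenset({"corp-ipsec"})   # assumed profile name
    update_host: str = "update.example.internal"            # placeholder update site


@dataclass
class Decision:
    action: str                          # "allow", "restrict" or "block"
    reasons: List[str] = field(default_factory=list)
    allowed_hosts: List[str] = field(default_factory=list)


def evaluate(p: Posture, pol: Policy) -> Decision:
    """Return allow/restrict/block for one endpoint.

    Findings the user can fix by reaching the update site only restrict the
    client to that site; findings that cannot be fixed that way block it."""
    fixable, fatal = [], []
    outside = p.location == "outside"
    sig_limit = pol.max_signature_age_outside if outside else pol.max_signature_age_inside
    if p.av_signature_age_days > sig_limit:
        fixable.append(f"antivirus signatures {p.av_signature_age_days}d old (limit {sig_limit}d)")
    if p.av_scan_age_days > pol.max_scan_age_days:
        fixable.append(f"no antivirus scan for {p.av_scan_age_days}d")
    if not p.os_patches_current:
        fixable.append("operating system patches missing")
    if outside and p.vpn_profile not in pol.approved_vpns:
        fatal.append(f"remote connection without approved VPN ({p.vpn_profile!r})")
    if outside and p.file_sharing_enabled:
        fatal.append("file sharing enabled on a remote connection")
    if fatal:
        return Decision("block", fatal + fixable)
    if fixable:
        return Decision("restrict", fixable, [pol.update_host])
    return Decision("allow")


# Constructed sample postures (not real hosts).
SAMPLES = [
    Posture("desk-01", 2, 10, True, None, "inside", True),
    Posture("laptop-07", 5, 12, True, "corp-ipsec", "outside", False),
    Posture("laptop-09", 1, 3, True, None, "outside", False),
]

if __name__ == "__main__":
    for s in SAMPLES:
        d = evaluate(s, Policy())
        print(f"{s.host}: {d.action} {d.reasons} {d.allowed_hosts}")
```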
Sygate requires you to provide a copy of either Microsoft SQL Server running on Windows 2000 Server or Oracle running on Solaris. You can run SSE on the same Windows 2000 server as SQL Server, if you’re not concerned about performance. SSE itself will run on Windows Server 2003, but the version of SQL Server that’s supported by SSE won’t, so if you want to use the more secure Windows Server 2003, you will have to use two servers.
Although SSE’s management interface isn’t exactly hard to use, it can be confusing, with some buttons placed at seemingly random, unexpected locations. In addition, although there are places in which the interface design seems well-thought-out, for the most part it’s disorganised. SSE is not the place you’d manage security on a global basis. It’ll show what you ask for, but it won’t provide an overall view of your security situation.
Implementation of the SSE server is well-organised, however. The process proceeds smoothly and—as long as you have your database server and permissions for it set appropriately—most of the process consists of clicking the ‘Next’ button. Client implementation isn’t automated, but it’s straightforward. When you install the server, the client software is placed in a shared directory. Client installation requires that users go to the shared directory, choose the proper client (server, desktop, or notebook), copy it to their computers, then run the setup program. You can distribute clients by other means, including e-mail, as well.
SSE doesn’t do everything but it doesn’t claim to. What it does do, it mostly does very well. And it will work just fine with everything else you need to complete your client security picture. Just don’t expect to be wowed by the management interface.
Sygate Secure Enterprise 4.0
THE BOTTOM LINE: Very Good
Secure Enterprise excels at quarantining noncompliant nodes and ensuring clients and other systems meet security and operational requirements. This product includes a client firewall but can also enforce granular and flexible policies governing a wide array of third-party products. The management interface is confusing in places.
Contact: Entropy 01-2940199
Trend Micro OfficeScan
Like McAfee’s offering, Trend Micro’s OfficeScan is essentially a centrally managed antivirus product. Its agent is very easy to deploy, and its firewall works correctly most of the time. Unfortunately, when it goes wrong, you must sometimes find the fix through unmarked pathways and undocumented means.
Implementing OfficeScan seemed very promising at first. The standard installation of the server went without a hitch on a Windows Server 2003 machine. The standard deployment method, however, which involves pushing the client agent out for remote installation, was fraught with difficulty.
One of the test clients, an IBM IntelliStation Z Pro workstation, simply refused to get the remote installation. After several attempts, a call to tech support revealed that this was a known issue that required a counterintuitive change to an obscure setting (we had to turn simple file sharing off). This has to be done manually on machines that won’t work with OfficeScan’s distribution model. Not a big deal with one machine but apparently common enough that larger enterprises could be burdened with a lot of manual labour.
A more serious issue is that OfficeScan didn’t always detect the Eicar test virus that we used in our testing, missing it about half the time. This problem only occurred with OfficeScan. Other antivirus packages we tried, including McAfee, found it instantly. In fact, copies of Norton AntiVirus elsewhere on the network tracked Eicar down so aggressively that we were limited in our ability to download it.
Unlike the other products in this review, OfficeScan incorporates a vulnerability scanner that’s supposed to provide services similar to Sygate, denying access to network nodes that display vulnerabilities. Unfortunately, it only worked well when the rest of the network was also running OfficeScan. A node running McAfee or Norton antivirus products was considered vulnerable by OfficeScan, resulting in a flood of firewall warnings and attempts to isolate the offending computer.
On a positive note, OfficeScan incorporates the Cisco Trust Agent, allowing it to work with Cisco Systems’ Network Admission Control-equipped routers to restrict network access by computers that don’t have the latest antivirus updates. Unfortunately, we weren’t able to obtain a properly equipped Cisco router in time to test this feature.
Trend Micro has included some very good ideas in OfficeScan, but not everything worked as it should have. It’s hard to recommend OfficeScan to managers of environments with a variety of security products from different manufacturers. Ideally, Trend Micro would take its best ideas, such as the deployment software and the vulnerability testing, and make them work better.
Trend Micro OfficeScan Corporate Edition 6.5
THE BOTTOM LINE: Very Good
OfficeScan has some excellent features, including its own deployment engine and vulnerability scanner, but it is not without problems. Deploying software to clients didn’t always work without tweaks to individual settings that aren’t documented, and the antivirus module didn’t always detect our test virus. Capabilities are limited compared to competitors.
Contact: Entropy 01-2940199
Although none of these products is a total solution to client security, they are, for the most part, very good. They are also very different. Despite similar goals and methods, Check Point Integrity and Sygate Secure Enterprise take different approaches to accomplish their tasks. Both would serve large networks well, but both require network managers to deploy other centrally managed products, such as an intrusion prevention system and an enterprise antivirus solution, to fill in the gaps.
Among the choices presented in this review, the best solution would be to combine Integrity or Sygate with McAfee. Those seeking maximum flexibility will like Sygate as McAfee’s partner, while those wanting smoother management will like Check Point. Either way, you’ll have a pair of solutions you can trust.
Trapped! Your future in quarantine
A new feature in centrally managed client-security products provides the ability to cut off offending clients, or even entire LAN segments, from the rest of the network. On one hand, this feature implies that computers or groups of computers would undergo a sort of constant triage to determine whether they were too sick to survive on the enterprise network. On the other hand, it suggests that an automated system would be deciding whether an entire group of users might be cut off from the world because it thought there was a security violation.
You can see the obvious issue. How do you isolate computers infected with viruses or worms, or that simply aren’t sufficiently protected, without preventing people from getting their work done and affecting the productivity of the organisation? That’s the conundrum of quarantine and it’s a puzzle that will be with us for a while. In case you wondered, the future is firmly on the side of increased network access control. If offending machines aren’t removed from the network, it’s clear that the whole network will suffer. And suppliers of the endpoint products we reviewed, each of which is trying by one means or another to lock out offending machines, aren’t the only heavyweights addressing the problem.
Cisco’s NAC (Network Admission Control) initiative—which includes McAfee and Trend Micro as partners, among others—is a means by which a security monitor can alert a router that there’s a badly behaved computer on the network. The problem might be anything from out-of-date antivirus software to an active outbreak of Slammer worms. In any case, the management software will direct the router to isolate the segment with the problem, protecting the rest of the network.
Software to support this capability is spreading rapidly. Trend Micro already included it in this test. It’s a safe bet the others will by this time next year, especially considering that Microsoft has signed on to support NAC, promising that its own policy enforcement architecture, called NAP (Network Access Protection), will be compatible with the efforts of Cisco and its partners. According to Microsoft, NAP will arrive in the Longhorn edition of Windows Server due in 2007.
Meanwhile, for security-conscious organisations, point solutions aren’t a luxury but a necessity. The risks of letting malicious code run amok through your network are simply too great. This year, only two of the four products we tested have truly effective quarantines. You can assume that they’ll all have it next year. And you can assume that it’ll be standard the year after that.