Last Line of Defense
You set the policy, Endforce ensures that it's followed.
- By Erik Westgard
The headlines were ablaze recently with a widely publicized story about the apparent theft of a vast store of personal data from the Veteran Affairs agency. A laptop with names, addresses and social security numbers of thousands of former military personnel was stolen from an agency employee who had brought the computer home. Thankfully, this turned out to be nothing more than a hardware theft. (At press time, two teenagers had been arrested in connection with the theft.)
1: Virtually inoperable or nonexistent
5: Average, performs adequately
Could better security tools and hardware have prevented this situation, or
was this a breakdown of policy? Having a good security policy is indeed a key
factor in minimizing data loss from theft and misuse, but you do still need
tools to help develop, implement, report and ultimately enforce your organization's
Phishing attacks, distributed denial-of-service attacks, worms and viruses target known vulnerabilities, but preventive measures can effectively address these threats. Mobile computing assets and those belonging to visitors, contractors and business partners present a greater security challenge. You really can't enforce software standards or patch management policies on every system brought into your facility for a one-hour meeting, for example.
Endforce Enterprise addresses this loophole by taking a server-based approach to patch management and enforcing security policies. Endforce Application Server runs on Windows 2003, and uses Active Directory for developing and enforcing policy. It stores policies and reports in a separate SQL Server 2000 database system, which provides excellent scalability.
You can have the actual client-system assessment done by an installed software client or a clientless Web agent. The Endforce Enterprise agent and client software supports Windows 98 SE, Windows NT, Windows 2000, Windows XP and Windows 2003, and will
support the forthcoming Windows Vista.
There's also a DHCP Enforcement module that can quarantine or deny access to non-compliant workstations. One of the helpful industry trends in this space is the emergence of policy enforcement standards from Cisco (NAC), and Microsoft (NAP), and a cross-industry consortium called Trusted Network Connect. Endforce participates in all these programs.
Protect and Serve
Given the complexity of the process and how many network and software elements
the packages touch, Endforce provides onsite installation support for every customer.
(As our review process rates ease of installation, I insisted on installing the
The documentation introduces a lot of new terminology and concepts, but doesn't have a basic sample configuration or case study you could use to get a lab up and running. References to the built-in help screens were helpful, but I prefer to not jump around.
The application server is essentially a series of Web sites. The main user
interface Web site installs easily, as does the database server. The registration,
policy and reporting Web sites are designed to use HTTPS and a Web certificate.
[Click on image for larger view.]
|Figure 1. There is a list
of more than 500 applications and patches from which you can choose.
There's an undocumented workaround to turn off this requirement for the three
major Web sites. To get this working in my lab, I had to make the change to
each of the Web sites and by trial and error to all of the related modules.
Endforce uses IAS and Radius for authentication services.
One of the first steps to get up and running is to create a user group that maps AD or Windows NT security groups. You need to come up with 32-character authentication codes. You also need to create remote-access policies for LAN and VPN users.
The steps to create the elements, agent templates and policies were a bit confusing. The basic idea is to create an agent template, and then build an agent file and download it to an .MSI file, which is then installed on the targeted clients. The process for doing this for the Web client was somewhat confusing. You had to find the option for a Web file creation in one of the drop down boxes.
Then you create a policy and add the elements. You have to hit the copy button to "grab" elements you'd like to include in the policy. Make sure that you update or save the policy after each change so nothing is lost.
One of Endforce's strengths is the sheer number of options you have for selecting
"elements" or software patches (see Figure 1). The ability to give
users messages based on policy findings, and the option to specify the exact
versions and releases for each application is important. You can even create
Quarantine is a cool feature, which you activate or enforce in the DHCP module.
If you're out of compliance (with an out-of-date virus definition, for example),
the system would direct you to a "quarantine" area via DHCP, where you
can only download the needed patches. Once patched, you could go back to your
normal work. This solves the problem and saves a help-desk call.
Endforce tech support suggested the following steps for a test installation of the quarantine functionality:
- Set your agent template/ agent configuration to quarantine
- Configure an agent file using the above template and save the agent .MSI
- Create a resource, select policy manager and add the IP of your app server
- Create resources for any servers the quarantined endpoint will need access
- Create quarantine and add resources (app server is added by default).
This specifies access for quarantined endpoints
- Create a basic policy (check for Endforce agent version 2.5), set it as
default and select the quarantine definition created above
- Install the agent on endpoint and authenticate using your AD password
and user name
- You should receive any messages you've added to your policy and not be
- Change your policy (both access condition and message tabs) to check for
Endforce agent 3.0
- Right click the agent icon (in tray) and check compliance
You should now get the default "out of compliance" message. Then
you should be quarantined (unable to ping any device that isn't specified in
the quarantine definition).
[Click on image for larger view.]
|Figure 2. When a system is
listed as being out of compliance, Endforce will suggest an action (or actions).
The main Web interface gives you a range of policy creation tools, reporting
tools and an audit function. From here, you can check on recent changes to policy
databases, like recently created or updated accounts.
Alerts are another management tool. You can use these to generate e-mails or
event log entries for a range of possible conditions, including the appearance
of a misplaced or improperly inventoried laptop or one known to have issues
that require immediate action. There are 17 different report sections, ranging
from tracking current agent sessions to application usage reports. Endforce
Enterprise is worth a look. It's a comprehensive, standards-based solution that
should be effective in a long-term security infrastructure.
Erik Westgard, CCSP, MCSE, is a Convergence Consultant at a major ISP. At work
he spends a lot of time on next-generation VPN architectures for voice and data,
ITIL and solutions for health care. In his spare time, he's active in amateur
radio, emergency communications and sailing. Erik may be reached at firstname.lastname@example.org.