Product Reviews

Last Line of Defense

You set the policy, Endforce ensures that it's followed.

The headlines were ablaze recently with a widely publicized story about the apparent theft of a vast store of personal data from the Veterans Affairs agency. A laptop with names, addresses and social security numbers of thousands of former military personnel was stolen from an agency employee who had brought the computer home. Thankfully, this turned out to be nothing more than a hardware theft. (At press time, two teenagers had been arrested in connection with the theft.)

REDMOND RATING
Documentation (10%): 6
Installation (10%): 5
Feature Set (20%): 10
Performance (40%): 9
Management (20%): 10
Overall Rating: 8.7

——————————————
Key:
1: Virtually inoperable or nonexistent
5: Average, performs adequately
10: Exceptional

Could better security tools and hardware have prevented this situation, or was this a breakdown of policy? Having a good security policy is indeed a key factor in minimizing data loss from theft and misuse, but you do still need tools to help develop, implement, report and ultimately enforce your organization's policies.

Phishing attacks, distributed denial-of-service attacks, worms and viruses target known vulnerabilities, but preventive measures can effectively address these threats. Mobile computing assets and those belonging to visitors, contractors and business partners present a greater security challenge. You really can't enforce software standards or patch management policies on every system brought into your facility for a one-hour meeting, for example.

Endforce Enterprise addresses this loophole by taking a server-based approach to patch management and enforcing security policies. Endforce Application Server runs on Windows 2003, and uses Active Directory for developing and enforcing policy. It stores policies and reports in a separate SQL Server 2000 database system, which provides excellent scalability.

You can have the actual client-system assessment done by an installed software client or a clientless Web agent. The Endforce Enterprise agent and client software support Windows 98 SE, Windows NT, Windows 2000, Windows XP and Windows 2003, and will support the forthcoming Windows Vista.

There's also a DHCP Enforcement module that can quarantine or deny access to non-compliant workstations. One of the helpful industry trends in this space is the emergence of policy enforcement standards from Cisco (NAC), and Microsoft (NAP), and a cross-industry consortium called Trusted Network Connect. Endforce participates in all these programs.

Protect and Serve
Given the complexity of the process and how many network and software elements the packages touch, Endforce provides onsite installation support for every customer. (As our review process rates ease of installation, I insisted on installing the packages myself.)

The documentation introduces a lot of new terminology and concepts, but doesn't have a basic sample configuration or case study you could use to get a lab up and running. References to the built-in help screens were helpful, but I prefer to not jump around.

The application server is essentially a series of Web sites. The main user interface Web site installs easily, as does the database server. The registration, policy and reporting Web sites are designed to use HTTPS and a Web certificate.

More than 500 apps and patches to choose from!
Figure 1. There is a list of more than 500 applications and patches from which you can choose.

There's an undocumented workaround to turn off this requirement for the three major Web sites. To get this working in my lab, I had to make the change to each of the Web sites and, by trial and error, to all of the related modules. Endforce uses IAS and RADIUS for authentication services.

One of the first steps to get up and running is to create a user group that maps to AD or Windows NT security groups. You need to come up with 32-character authentication codes. You also need to create remote-access policies for LAN and VPN users.

The steps to create the elements, agent templates and policies were a bit confusing. The basic idea is to create an agent template, then build an agent file and download it as an .MSI file, which is then installed on the targeted clients. The process for doing this for the Web client was somewhat confusing: you have to find the option for Web file creation in one of the drop-down boxes.

Then you create a policy and add the elements. You have to hit the copy button to "grab" elements you'd like to include in the policy. Make sure that you update or save the policy after each change so nothing is lost.

One of Endforce's strengths is the sheer number of options you have for selecting "elements" or software patches (see Figure 1). The ability to give users messages based on policy findings, and the option to specify the exact versions and releases for each application is important. You can even create custom elements.

Under Quarantine
Quarantine is a cool feature, which you activate or enforce in the DHCP module. If you're out of compliance (with an out-of-date virus definition, for example), the system directs you to a "quarantine" area via DHCP, where you can only download the needed patches. Once patched, you can go back to your normal work. This solves the problem and saves a help-desk call.

Endforce tech support suggested the following steps for a test installation of the quarantine functionality:

  • Set your agent template/agent configuration to quarantine
  • Configure an agent file using the above template and save the agent .MSI file
  • Create a resource, select policy manager and add the IP of your app server
  • Create resources for any servers the quarantined endpoint will need access to
  • Create a quarantine and add resources (the app server is added by default); this specifies access for quarantined endpoints
  • Create a basic policy (check for Endforce agent version 2.5), set it as default and select the quarantine definition created above
  • Install the agent on the endpoint and authenticate using your AD user name and password
  • You should receive any messages you've added to your policy and not be quarantined
  • Change your policy (both the access condition and message tabs) to check for Endforce agent 3.0
  • Right-click the agent icon (in the tray) and check compliance

You should now get the default "out of compliance" message. Then you should be quarantined (unable to ping any device that isn't specified in the quarantine definition).
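To make the mechanism behind this test concrete, here is an added example (not Endforce's code, and not from the review) of the decision an enforcement point like the DHCP module has to make: compare the endpoint's reported state against the policy, and on a failure hand back the policy message plus the quarantine definition's allow-list, with the application server always reachable so the endpoint can remediate. All names, addresses and dates are constructed for the example; the 2.5 and 3.0 agent versions mirror the two policy settings used in the walkthrough above. Versions are compared numerically rather than as strings, since a lexical compare would wrongly rank "10.0" below "9.0".

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample address for the policy/application server; not a real deployment.
APP_SERVER = "10.0.0.10"


def parse_version(text):
    """Turn '2.5' or '3.0.1' into a tuple so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class Policy:
    min_agent_version: str        # access condition: agent must be at least this version
    max_definition_age_days: int  # access condition: AV definitions must be fresher than this
    message: str                  # message shown to the user when out of compliance
    quarantine_resources: set     # hosts a quarantined endpoint may still reach


@dataclass
class Endpoint:
    name: str
    agent_version: str
    av_definitions_date: date


@dataclass
class Verdict:
    compliant: bool
    findings: list     # human-readable reasons for the decision
    message: str       # policy message, empty when compliant
    allowed_hosts: set # quarantine allow-list, empty when compliant


def evaluate(endpoint, policy, today):
    """Check one endpoint against one policy and return the enforcement verdict."""
    findings = []
    if parse_version(endpoint.agent_version) < parse_version(policy.min_agent_version):
        findings.append(
            f"agent {endpoint.agent_version} is older than required {policy.min_agent_version}")
    age = (today - endpoint.av_definitions_date).days
    if age > policy.max_definition_age_days:
        findings.append(
            f"antivirus definitions are {age} days old (limit {policy.max_definition_age_days})")
    if findings:
        # Quarantine definition: the app server is always included so the endpoint
        # can download what it needs to get back into compliance.
        allowed = set(policy.quarantine_resources) | {APP_SERVER}
        return Verdict(False, findings, policy.message, allowed)
    return Verdict(True, [], "", set())


def can_reach(verdict, host):
    """A compliant endpoint is unrestricted; a quarantined one sees only the allow-list."""
    return verdict.compliant or host in verdict.allowed_hosts


# Constructed lab data mirroring the walkthrough: the policy first requires agent 2.5,
# then is changed to require 3.0 while the endpoint still runs 2.5.
TODAY = date(2006, 6, 3)
LAB_ENDPOINT = Endpoint("lab-pc", "2.5", date(2006, 6, 1))
STALE_ENDPOINT = Endpoint("stale-pc", "2.5", date(2006, 5, 1))
POLICY_25 = Policy("2.5", 7, "Your system needs attention.", {"10.0.0.20"})
POLICY_30 = Policy("3.0", 7, "Please update the Endforce agent.", {"10.0.0.20"})

if __name__ == "__main__":
    for policy in (POLICY_25, POLICY_30):
        v = evaluate(LAB_ENDPOINT, policy, TODAY)
        state = "compliant" if v.compliant else "QUARANTINED: " + "; ".join(v.findings)
        print(f"{LAB_ENDPOINT.name} vs min agent {policy.min_agent_version}: {state}")
```

Running the block reproduces the review's two outcomes: against the 2.5 policy the lab endpoint is compliant, and after the policy is raised to 3.0 it is quarantined and can ping only the app server and the listed resource. The stale-definitions endpoint shows that several findings can accumulate on one verdict.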

Out of compliance, out of mind.
Figure 2. When a system is listed as being out of compliance, Endforce will suggest an action (or actions).

The main Web interface gives you a range of policy creation tools, reporting tools and an audit function. From here, you can check on recent changes to policy databases, like recently created or updated accounts.

Alerts are another management tool. You can use these to generate e-mails or event log entries for a range of possible conditions, including the appearance of a misplaced or improperly inventoried laptop or one known to have issues that require immediate action. There are 17 different report sections, ranging from tracking current agent sessions to application usage reports. Endforce Enterprise is worth a look. It's a comprehensive, standards-based solution that should be effective in a long-term security infrastructure.

About the Author

Erik Westgard, CCSP, MCSE, is a Convergence Consultant at a major ISP. At work he spends a lot of time on next-generation VPN architectures for voice and data, ITIL and solutions for health care. In his spare time, he's active in amateur radio, emergency communications and sailing. Erik may be reached at [email protected].
