Keeping clients honest remains a struggle

Regardless of the size of their enterprises, administrators worry whether the clients on their network comply with mandatory policies, which include having properly set permissions and meeting requirements for firewalls, spyware, spam filtering and the like.

Administrators must also ensure required applications are loaded, up-to-date and properly licensed. And, of course, they must make sure users aren’t running prohibited software, such as MP3-sharing applications and video games.

Fortunately, there are products available that help with these tasks. Among them are InfoExpress CyberGatekeeper LAN 2.0 and StillSecure Safe Access V2.0. Both security solutions provide audit capabilities and move clients to a quarantine network as necessary. Furthermore, each has a rich reporting structure and performs deep registry inspection.

Unfortunately, these two products are, at best, incomplete. CyberGatekeeper’s most significant shortcoming is its short list of supported core network gear. Safe Access, meanwhile, is insecure enough to give any administrator pause.

To be useful, both products need to be complemented by a common switch infrastructure, such as Cisco’s Network Admission Control (NAC), for essential enterprise network access and audit controls.

CyberGatekeeper tests clients as they attempt to enter the network to determine whether they meet configuration requirements. Clients that are compliant are allowed access to the network. Those that do not pass the test are switched to a restricted VLAN and can be sent to a patch/update server to be fixed. When the patch or update has been applied and the client has been re-audited, the client is automatically switched to the production VLAN.

CyberGatekeeper works via an agent that runs in the background on the machine. We tested the Windows client for CyberGatekeeper. Administrators set the policies in CyberGatekeeper using the included Policy Manager, which is a Windows-based service, with SSH or SSL management connections. An enterprise network can support multiple CyberGatekeeper appliances, and they all communicate back to the central Policy Manager.

Setting up CyberGatekeeper is fairly straightforward and easiest if you’re already running Microsoft Active Directory in Extensible Authentication Protocol (EAP) mode. It comes with predefined conditions and default settings, plus you can add your own. You can be as detailed as you want with file names, registry keys and other criteria, but the process can get as complex as your auditing requirements.

The management Web interface starts only under Internet Explorer, and screen organization begins with a list of currently defined policies. From there, you can drill down deeper into each policy by clicking on simple logic buttons — When, When Not, Required, Prohibit, Desire, and so on — that are combined with an Explorer-like interface. You may choose settings such as operating system, version, patch levels, age of programs or actual registry keys. You can even confirm whether a file has been modified.

Each policy action can be set up as specifically as you wish, allowing you to reuse and combine the Basic Policies in different orders. Agents can then take either informational actions or required actions.

As audits are performed, they’re logged to the back-end Microsoft SQL server in the Flexible Reports for Managed Devices (FRAMD) server for automated reporting, which can be pushed to e-mail, file, syslog, or SNMP trap collection. Ad hoc reporting is also supported.

In our tests, CyberGatekeeper worked as advertised. Attempts to connect to the network with an inappropriate configuration resulted in being shunted to the update server. Similarly, attempts to run a prohibited program resulted in a shunt and a message to shut down the offending software.

In terms of network-infrastructure support, InfoExpress has limited itself by going for the easy targets first. It supports switches only from Cisco and Nortel; wireless clients use Airespace’s access control lists (ACLs); and VPNs are handled through Juniper SSL. CyberGatekeeper does what it claims but only if you run your network the way InfoExpress wants it to run.

In contrast to CyberGatekeeper, Safe Access doesn’t rely on software agents. When a client tries to access the network, Safe Access acts as a DHCP server and sends the client to an authentication server for a series of tests. One test installs a service for full-time auditing, another installs an ActiveX plug-in for a quick one-time check and a third runs an RPC script. When one test is passed, the client is assigned an IP address giving it access to the production network. Clients that fail the tests are redirected to a quarantine server and update portal.

Although this IP-address-based approach adds flexibility, it opens a gaping security hole. Users with unaudited machines can have their way with the network with some basic network tools and a randomly picked static address. Currently, Safe Access’ audits support only recent versions of Windows. For now, Linux and Mac clients should be able to go with a static IP address to get to the production network.
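One way to detect the gap described above is to reconcile the addresses the admission-control DHCP server has leased against the IP/MAC pairs actually seen on the production subnet. The following is an added example, not part of the original review or of Safe Access; the subnet, lease records and ARP observations are constructed sample data.

```python
import ipaddress
from datetime import datetime

# Constructed sample data; subnet, addresses and MACs are illustrative only.
PRODUCTION_NET = ipaddress.ip_network("10.20.0.0/24")

# Leases handed out by the admission-control DHCP server after a passed audit:
# (ip, mac, lease expiry)
LEASES = [
    ("10.20.0.15", "00:11:22:33:44:01", "2006-03-01T12:00:00"),
    ("10.20.0.16", "00:11:22:33:44:02", "2006-03-01T09:00:00"),
]

# IP/MAC pairs seen on the wire (e.g. an exported router ARP table): (ip, mac, seen)
OBSERVED = [
    ("10.20.0.15", "00:11:22:33:44:01", "2006-03-01T10:30:00"),  # audited
    ("10.20.0.16", "00:11:22:33:44:02", "2006-03-01T10:31:00"),  # lease expired
    ("10.20.0.77", "00:11:22:33:44:09", "2006-03-01T10:32:00"),  # never leased
    ("10.20.0.15", "00:11:22:33:44:0a", "2006-03-01T10:33:00"),  # wrong MAC
    ("10.30.0.5", "00:11:22:33:44:0b", "2006-03-01T10:34:00"),   # quarantine net
]


def find_unaudited(leases, observed, production_net=PRODUCTION_NET):
    """Return (ip, mac, reason) for production hosts with no valid audited lease."""
    by_ip = {ip: (mac.lower(), datetime.fromisoformat(exp)) for ip, mac, exp in leases}
    findings = []
    for ip, mac, seen in observed:
        if ipaddress.ip_address(ip) not in production_net:
            continue  # only the production range is gated by the audit
        lease = by_ip.get(ip)
        seen_at = datetime.fromisoformat(seen)
        if lease is None:
            findings.append((ip, mac, "no lease issued"))
        elif lease[0] != mac.lower():
            findings.append((ip, mac, "MAC differs from lease"))
        elif seen_at > lease[1]:
            findings.append((ip, mac, "lease expired"))
    return findings


if __name__ == "__main__":
    for ip, mac, reason in find_unaudited(LEASES, OBSERVED):
        print(f"{ip} {mac}: {reason}")
```

Any finding means a host is on the production range without a current audited lease, which is the condition an address-assignment-only control cannot see on its own.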

Safe Access’ management interface is bound to IE. Policies are defined in a check-box list displayed in groupings of Operating System Checks, Software Checks (anti-virus, personal firewalls) and Security Settings, for individual programs. So if you require the latest Microsoft patches, you can check off which ones in a group are mandatory.

The logic behind this setup is that each organization may not be willing to make all current patches required until their worth has been confirmed. You can also specify retest intervals for individual clients and groups of clients through IP Address, Windows Workgroup names, Windows Domain names or LDAP. Plus, a Python scripting tool lets admins create custom audit requirements. Non-compliant machines are listed in a window beneath a stoplight icon. Administrators can drill down to see which parts of each policy are causing alerts.

Interestingly, reporting is where the two products differ the most. CyberGatekeeper is more of a back-end system that pushes alerts to other consoles or via e-mail. Safe Access feels more like a minimal help-desk system that automatically assigns alerts to admins based on the type or category of alert.

As opposed to CyberGatekeeper, Safe Access will work with nearly any network infrastructure. We tried it with an ancient 3Com 10Base-T switch and Cisco router. As long as you use DHCP and Windows, the process works well. Our attempts to access the network with a machine that was not updated kept us going back to the update site until the updates from either the virus update service or Microsoft Windows Update had been applied.

Safe Access is also more open in terms of its support than CyberGatekeeper is. You can use a variety of LDAP servers, and, although Microsoft SQL Server works, so do Oracle and MySQL. User authentication can be as simple as a local administrator Windows workstation log-on or as complex as an enterprise LDAP server, as long as Safe Access can inspect the registry.

Although Safe Access has the advantage of being network-hardware-agnostic, its security shortcomings should give pause. Neither product in its current incarnation should be used as a stand-alone solution. Despite pretensions of enhancing security by ensuring policy compliance, neither accomplishes that end. But when used with other security solutions — security and vulnerability testing — they can be useful.

