Senforce Technologies Inc.’s enterprise mobile security manager (EMSM) is a centrally managed platform for creating and deploying very granular access control policies to both local and remote users. EMSM goes well beyond checking to see whether the client’s antivirus is up to date. It enforces security policies based on location: it can disable remote storage devices, wireless adapters, and even specific IP services on the client, depending on whether the client is connecting over a wired or wireless link and via a trusted or untrusted network.
The EMSM management server requires Microsoft Corp.’s SQL Server 2000 for its storage needs, and the client runs only on Windows 2000 and Windows XP Pro. It is US$89.95 per seat.
The heart of EMSM is the Policy Editor, where administrators define the policies for specific situations, such as whether a PC is connecting via the LAN or a laptop is wirelessly accessing the corporate network. Senforce’s Policy Editor is a powerful tool and allows a fine level of control over users and PC services.
I did find the process of creating a policy a little confusing but it was not overly complex. Using Policy Editor, I created a couple of different profiles: one for my test lab and another for a remote user. In both situations, EMSM correctly identified my laptop’s network address and pushed the proper policy to it.
Admins use EMSM’s Network Environments to define network characteristics so they can determine where a client has logged in and which policy to enforce. I was impressed with the level of detail available when describing a network location. Choices include IP addressing, gateway, MAC address and wireless access point SSID (service set identifier), as well as DNS, DHCP, and WINS addresses. By using combinations of these parameters, you can deploy a policy for just about any location you can think of, even one based on which DNS server was assigned to the client via DHCP.
The Adapters and Access Points list provides a fine level of control over dial-up, wired and wireless adapters. It is particularly powerful for wireless locations: EMSM allows admins to define a specific access point a laptop can connect to while ignoring all others. This is especially useful when you want to make sure wireless communication only takes place inside your enterprise.
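The location matching described in the two paragraphs above can be sketched as follows. This is an added example, not Senforce's code: the class names, field names, policy names and sample addresses are all hypothetical, and the fall-back to a restrictive default when nothing matches is an assumption of the sketch.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Observed:
    """Attributes the client reads from its active adapter (hypothetical model)."""
    ip: str
    gateway_mac: str
    dns: str
    adapter: str                  # "wired" or "wireless"
    ssid: Optional[str] = None
    ap_mac: Optional[str] = None

@dataclass(frozen=True)
class Environment:
    """A network location; every attribute that is set must match."""
    name: str
    policy: str
    subnet: Optional[str] = None
    gateway_mac: Optional[str] = None   # stored lowercase
    dns: Optional[str] = None
    ssid: Optional[str] = None
    allowed_ap_macs: frozenset = frozenset()   # stored lowercase

    def matches(self, o: Observed) -> bool:
        if self.subnet and ip_address(o.ip) not in ip_network(self.subnet):
            return False
        if self.gateway_mac and o.gateway_mac.lower() != self.gateway_mac:
            return False
        if self.dns and o.dns != self.dns:
            return False
        if o.adapter == "wireless":
            # Wireless clients must be on the named SSID and a listed access point.
            if o.ssid != self.ssid or (o.ap_mac or "").lower() not in self.allowed_ap_macs:
                return False
        return True

DEFAULT_POLICY = "untrusted"      # assumption: fail closed when no location matches

def select_policy(o: Observed, environments) -> str:
    # The first environment whose set attributes all match decides the policy.
    for env in environments:
        if env.matches(o):
            return env.policy
    return DEFAULT_POLICY

# Constructed sample data using documentation address ranges.
ENVIRONMENTS = [Environment("hq-lan", "office", subnet="192.0.2.0/24",
    gateway_mac="00:00:5e:00:53:01", dns="192.0.2.53", ssid="corp-wlan",
    allowed_ap_macs=frozenset({"00:00:5e:00:53:a1"}))]
```

Requiring several attributes together means a client that sees the right SSID from an unlisted access point, or the right subnet with an unexpected DNS server, is treated as being on an untrusted network.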
The Senforce Mobile Security Client intercepts network traffic at the NDIS layer. Inspecting network traffic from there requires much less CPU time than is required by other client integrity products, such as Sygate and Integrity.
For all of its impressive features, EMSM is not a perfect product. Creating policies is not an intuitive process, although there are some wizards to step you through it. I felt like I was constantly jumping back and forth between settings to get my policy created. Also, the client-side application runs as a service under Windows 2000 and XP. If your users have local administrative rights to their PCs, they can stop the service and thereby circumvent the policy enforcement. Both of these problems are being addressed in an upcoming release of EMSM due early in 2005.
Senforce Enterprise Mobile Security Manager is a great tool for managing your end-point security from a single, centralized location, and the level of granularity is first rate. It is flexible, yet it controls not only which network services a client can use but also on which types of network it can use them.