Configuration management appliances from InfoExpress and StillSecure fall short

Regardless of the size of their enterprise, administrators worry whether the clients on their network comply with mandatory policies, which include having properly set permissions and meeting requirements for firewalls, spyware, spam filtering, and the like. Administrators must also ensure that required applications are loaded, up-to-date, and properly licensed. And, of course, they must make sure that users aren’t running prohibited software, such as MP3-sharing applications and video games.

If that sounds like a lot of work, it is. Fortunately, there are products available that help with these tasks. Among them are InfoExpress CyberGatekeeper LAN 2.0 and StillSecure Safe Access V2.0, which we recently had a chance to put to the test. Both products audit clients and move noncompliant ones to a quarantine network as necessary. Furthermore, each has a rich reporting structure and performs deep registry inspection.

Unfortunately, these two products are, at best, incomplete. CyberGatekeeper’s most significant shortcoming is its short list of supported core network gear. Safe Access, meanwhile, is insecure enough to give any administrator pause: its admission decision is enforced only through DHCP, so it can be sidestepped with a static address. To be truly useful, both products need to be complemented by a common switch infrastructure, such as Cisco’s NAC (Network Admission Control), that provides essential enterprise network access and audit controls.

InfoExpress CyberGatekeeper LAN 2.0

CyberGatekeeper tests clients as they attempt to enter the network to determine whether they meet configuration requirements. Compliant clients are allowed onto the network. Those that fail the test are switched to a restricted VLAN and can be sent to a patch/update server to be fixed. Once the patch or update has been applied and the client has been reaudited, it is automatically switched to the production VLAN, where it has access to the enterprise.

The product determines whether a client is properly configured via an agent that runs in the background on the machine. We tested the Windows client for CyberGatekeeper. The company also sells a Linux client, with other OSes on the horizon.

Admins set the policies in CyberGatekeeper using the included Policy Manager, which is the heart of the product. The Policy Manager is a Windows-based service; management connections to it run over SSH or SSL. An enterprise network can support multiple CyberGatekeeper appliances, so you can place them where they make sense, and they all communicate back to the central Policy Manager.

Setting up CyberGatekeeper is fairly straightforward, and easiest if your clients already authenticate with EAP (Extensible Authentication Protocol) against Microsoft Active Directory. The product comes with predefined conditions and default settings, and you can add your own. You can be as detailed as you want with file names, registry keys, and other criteria, but the process can get as complex as your auditing requirements.

Due to its ActiveX roots, the management Web interface starts only under Internet Explorer. Screen organization begins with a list of currently defined policies. From there, you can drill down into each policy by clicking simple logic buttons (When, When Not, Required, Prohibit, Desire, and so on) that are combined with an Explorer-like interface. You may choose settings such as operating system, version (down to the build level, if you wish), patch levels, age of programs, or actual registry keys. You can even confirm through an MD5 checksum whether a file has been modified. Each policy action can be set up as specifically as you wish, allowing you to reuse and combine the Basic Policies in different orders, depending on the situation.

Agents can then take either informational actions or required actions. In our test we set up CyberGatekeeper to pop up a window on a user’s screen if he or she was playing FreeCell, warning the user not to play games. Alternatively, we could just as easily have kept the user on the quarantine network.

As audits are performed, they are logged to the required back-end Microsoft SQL Server, and the FRAMD (Flexible Reports for Managed Devices) server generates automated reports from that data, which can be pushed to e-mail, a file, syslog, or an SNMP trap collector. Ad hoc reporting is also supported.

In our tests, CyberGatekeeper worked as advertised. Attempts to connect to the network with an inappropriate configuration resulted in being shunted to the update server. Similarly, attempts to run a prohibited program resulted in a shunt and a message to shut down the offending software.

In terms of network-infrastructure support, InfoExpress has limited itself by going for the easy targets first. It supports switches only from Cisco and Nortel; wireless clients are controlled through Airespace ACLs (access control lists); and VPNs are handled through Juniper SSL. So unless you can afford to run all Cisco or Nortel switches, all your wireless is 802.1X-capable or from Airespace, and your VPNs are provided through Juniper, you may need to consider another solution. Although CyberGatekeeper does what InfoExpress says it will, it does so only if you run your network the way the company wants it run.

StillSecure Safe Access V2.0

Taking a different approach from CyberGatekeeper to ensuring policy compliance, Safe Access doesn’t require a preinstalled agent. Instead, when a client attempts to access the network, Safe Access acts as the DHCP server and sends the client to an authentication server for one of three tests: one installs a service for full-time auditing, another installs an ActiveX plug-in for a quick one-time check, and a third runs an RPC script just to gather bare-bones system information.
When the client passes its test, it is assigned an IP address that gives it access to the production network. Clients that fail are redirected to a quarantine server and update portal. Although this IP-address-based approach adds flexibility, it also opens a gaping security hole: the only thing keeping an unaudited machine off the production network is the address the DHCP server handed it. Users with unaudited machines can easily have their way with the network using some very basic network tools and a randomly picked static address on the production subnet, because nothing in the switch fabric enforces the quarantine.

Currently, Safe Access’ audits support only recent versions of Windows, although other operating systems will be available in the near future. For the time being, Linux and Mac clients should be able to go with a static IP address to get to the production network, which is, of course, the same route an unaudited Windows machine could take. Machines running those platforms won’t be audited, but those OSes themselves offer a much smaller security risk.

Safe Access’ management interface is bound to IE. Policies are defined in a check-box list displayed in groupings of Operating System Checks, Software Checks (anti-virus, personal firewalls), and Security Settings for individual programs. So if you require the latest Microsoft patches, you can check off which ones in a group are mandatory. The logic behind this setup is that an organization may not be willing to make all current patches required until its quality assurance group has confirmed their worth. You can also specify the retest interval for individual clients or for groups of clients defined by IP address, Windows workgroup name, Windows domain name, or LDAP. There is also a Python scripting tool that allows admins to create custom audit requirements for unforeseen situations.

Noncompliant machines are listed in a window beneath a stoplight icon. Administrators can drill down to determine which portions of each policy are causing alerts.

Interestingly, reporting is where the two products differ the most. CyberGatekeeper is more of a back-end system that pushes alerts to other consoles or via e-mail. StillSecure Safe Access feels more like a minimal help-desk system that can automatically assign alerts to admins based on the type or category of alert.

As opposed to CyberGatekeeper, Safe Access will work with nearly any network infrastructure. We tried it with an ancient 3Com 10Base-T switch and a Cisco router. As long as you use DHCP and Windows, the process works well. Our attempts to gain access to the network with a machine that was not updated kept sending us back to the update site until all required updates from either the virus update service or Microsoft Windows Update had been applied.

Safe Access is also more open in its platform support than CyberGatekeeper is. You can use a variety of LDAP servers, including Microsoft Active Directory. In addition to Microsoft SQL Server, Oracle and MySQL work as back-end databases. Even user authentication can be as simple as a local administrator Windows workstation log-on or as complex as an enterprise LDAP server, as long as that account allows Safe Access to inspect the registry.

Although Safe Access has the advantage of being network-hardware-agnostic, its security shortcomings should give pause. Indeed, neither product in its current incarnation should be used as a stand-alone solution. Despite pretensions of enhancing security by ensuring policy compliance, neither accomplishes that end on its own. But when used with other security solutions (security and vulnerability testing, remediation management, client security, and appropriate network design) they can be useful.

InfoWorld Scorecard

Product                            Value (10%)   Implementation (20%)   Security (30%)   Reporting (15%)   Management (25%)   Overall (100%)
StillSecure Safe Access V2.0       6.0           9.0                    5.0              8.0               7.0                6.9
InfoExpress CyberGatekeeper V2.0   5.0           6.0                    7.0              8.0               7.0                6.8
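The static-address bypass described in the Safe Access section above is cheap to spot even on a network with no switch-level enforcement: any host that is live on the production subnet but holds no active DHCP lease either belongs on a known-static allowlist or walked around the admission check. The following script is an added example written for this page, not code from StillSecure, InfoExpress or InfoWorld. It assumes the lease file is in ISC dhcpd `dhcpd.leases` format and the live-host snapshot is Linux `ip neigh show` output taken on the production gateway; both inputs below are constructed samples, and the `KNOWN_STATIC` allowlist is a hypothetical placeholder. It also flags a leased address that shows up with a different MAC than the lease was granted to, which is what you would see if someone squatted on an address the NAC server had already handed out.

```python
"""Flag hosts on a DHCP-gated production subnet that never took a lease.

Added example for this review; not vendor code. Assumes ISC dhcpd
'dhcpd.leases' format for the lease file and Linux 'ip neigh show'
output for the live-host snapshot. Both inputs are constructed samples.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of /var/lib/dhcp/dhcpd.leases (ISC format).
SAMPLE_LEASES = """\
lease 10.0.5.23 {
  starts 3 2005/04/13 14:02:11;
  ends 3 2005/04/13 22:02:11;
  binding state active;
  hardware ethernet 00:0c:29:4a:1b:2c;
  client-hostname "LAB-PC-07";
}
lease 10.0.5.40 {
  starts 3 2005/04/13 09:30:00;
  ends 3 2005/04/13 17:30:00;
  binding state free;
  hardware ethernet 00:0c:29:77:88:99;
}
lease 10.0.5.41 {
  starts 3 2005/04/13 15:00:00;
  ends 3 2005/04/13 23:00:00;
  binding state active;
  hardware ethernet 00:0c:29:aa:bb:cc;
  client-hostname "LAB-PC-12";
}
"""

# Constructed sample of 'ip neigh show' on the production gateway.
SAMPLE_NEIGH = """\
10.0.5.23 dev eth1 lladdr 00:0c:29:4a:1b:2c REACHABLE
10.0.5.41 dev eth1 lladdr 00:0c:29:de:ad:00 STALE
10.0.5.200 dev eth1 lladdr 00:1b:21:12:34:56 REACHABLE
10.0.5.1 dev eth1 lladdr 00:50:56:01:02:03 REACHABLE
10.0.5.77 dev eth1  FAILED
"""

# Hypothetical allowlist of hosts that legitimately use static addresses
# (routers, printers, servers). Anything else must hold a lease.
KNOWN_STATIC = frozenset({"10.0.5.1"})

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-f:]{17});", re.I)
STATE_RE = re.compile(r"binding state\s+(\w+);")
# Only neighbor entries that resolved to a MAC are live hosts;
# FAILED/INCOMPLETE entries carry no lladdr and are skipped.
NEIGH_RE = re.compile(
    r"^(\S+)\s+dev\s+\S+\s+lladdr\s+([0-9a-f:]{17})", re.I | re.M)


def parse_active_leases(text):
    """Return {ip: mac} for leases whose binding state is 'active'.

    dhcpd.leases is append-only, so the last block for an IP wins;
    a later 'free' block removes an earlier 'active' one."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        state = STATE_RE.search(body)
        mac = MAC_RE.search(body)
        if state and state.group(1) == "active" and mac:
            leases[ip] = mac.group(1).lower()
        else:
            leases.pop(ip, None)
    return leases


def parse_neighbors(text):
    """Return {ip: mac} for neighbor entries that resolved to a MAC."""
    return {ip: mac.lower() for ip, mac in NEIGH_RE.findall(text)}


@dataclass(frozen=True)
class Finding:
    ip: str
    mac: str
    reason: str


def find_unleased_hosts(leases, neighbors, known_static=frozenset()):
    """Flag live hosts not accounted for by an active lease."""
    findings = []
    for ip, mac in sorted(neighbors.items(),
                          key=lambda kv: ipaddress.ip_address(kv[0])):
        if ip in known_static:
            continue
        leased_mac = leases.get(ip)
        if leased_mac is None:
            findings.append(Finding(ip, mac, "no active lease (static address?)"))
        elif leased_mac != mac:
            findings.append(Finding(
                ip, mac, f"lease held by {leased_mac}, seen from {mac}"))
    return findings


def audit(lease_text=SAMPLE_LEASES, neigh_text=SAMPLE_NEIGH,
          known_static=KNOWN_STATIC):
    """Run the check over the two snapshots and return the findings."""
    return find_unleased_hosts(parse_active_leases(lease_text),
                               parse_neighbors(neigh_text), known_static)


if __name__ == "__main__":
    for f in audit():
        print(f"{f.ip:<15} {f.mac}  {f.reason}")
```

On the constructed input the check reports 10.0.5.41 (leased to one MAC, answering from another) and 10.0.5.200 (no lease at all), and stays quiet about the allowlisted gateway and the client that is using the address it was given. Run periodically from the gateway, it turns the review’s "appropriate network design" caveat into a concrete alarm; it does not replace switch-level enforcement, since a host that spoofs both the leased IP and MAC of an idle machine will pass.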