Sygate adds extensive policy-based app control, firewall, and intrusion detection to reinforce host security

One vexing problem in today's enterprise is how to secure each and every host connected to the network while IT resources continue to be cut. Two words may answer that question: host security. But securing every individual host in the enterprise conjures nightmares of efficiently managing each host component. Sygate Secure Enterprise Version 3.5, though not perfect, may very well offer the means to be continually vigilant when it comes to securing the enterprise.

Sygate isn't the first company to tackle end-point security. For example, I've had a chance to play with Symantec's Client Security Versions 1.0 and 1.1, a software solution that's bound to the NIC in my hosts. But Symantec's solution is a Hummer H2 compared to the Sygate M1-A1 Abrams tank: impressive, but not really in the same league. What Symantec lacks, Sygate offers: a robust, centralized policy and management server with a configurable agent that resides on the host.

When I think about security I primarily think AV (anti-virus) software, firewalls, intrusion detection, and the management servers and disparate logs that go along with each. Sygate's solution incorporates several of these components into a centrally managed, host-based system, consisting of a Sygate Management Server, an optional Enforcement Server, and the Sygate Security Agent.

Any security plan should start with a well-thought-out policy. I was pleased to find Sygate practices this, but in a roundabout way. By default, Sygate's policy isn't locked down; it's wide open, and it learns from each individual host Agent what applications are run on a regular basis and how those applications are used. The administrator then can decide what applications to allow or disallow based on feedback from the real-world clients running those host applications. I thought this approach a bit unusual at first, but I see the benefit, and it seems to work for the product.

The Sygate Management Server I tested consisted of three components: the management server, used to manage policies, users, groups, and client agents; a SQL server, used by the management server to store all of the security policies; and a Web server, used to serve up the Java-based management and reporting interface. While the secure Java-based management and reporting was nice for transportability, the Sygate implementation seemed slightly clunky at times and had some very minor problems with screen refresh after a window resize (although Sygate recommends always running full screen). Overall, I thought that the pros of the Java-based interface far outweighed the cons.

The Sygate Management Server can also be distributed to allow for regional and high-availability control of Agents. I was glad to see that the Management Server supports a variety of directory types for importing users and groups, including a built-in database, NT Domain, Active Directory, and LDAP.

The optional Sygate Enforcer, compatible with Windows or Linux, sits in-line behind an entry point to the enterprise network (as a bridge device would) and serves as a sentry to allow or disallow access from a wireless access point, VPN, or RAS. The Enforcer effectively challenges any host requesting entry to the network to ensure that the host is running a security Agent (with a private key) and that the policies on the Agent are correct, up to date, and being enforced.

The Sygate Security Agents are deployed on laptops and other hosts to be secured. The server communicates with all the Sygate Agents on a regular, administrator-defined interval. The Security Agent learns the communication behavior on each individual host system and relays that back to the management server. The management server aggregates all that information so that the administrator can see what policies best fit the organization.

The Sygate Agent has three primary components: the firewall, the intrusion-prevention engine, and host integrity. I found Sygate's application-centric firewall extremely granular and configurable. The firewall applies a policy based on rules that can link a specific user to a host system. Based on what user and what network (LAN, WLAN, and so on) that host is on, the firewall can determine the location (such as office or airport hotspot) of the user and host. The Agent firewall component changes the policy based on these parameters, which are predefined and passed down from the Sygate Management Server.

The Agent's intrusion-prevention engine analyzes any packet that makes it past the firewall for patterns. Custom signatures can also be created to look for a specific string of content within packets. Additionally, a signature can be linked to an application, such as Telnet, so that only traffic using the Telnet protocol will be scanned for a specific exploit signature. A number of advanced anti-spoofing and anti-attack parameters can also be set above and beyond simple pattern recognition to foil attackers.

Sygate's Host Integrity component is rules-based and determines whether all the security applications and parameters of an individual system, such as AV and OS, are properly configured and up to date. For example, if I shut off the AV software and then tried to connect to the enterprise network, Host Integrity would sandbox the host and prevent me from connecting.

Along with the management server, Sygate has a Java-based reporting component that uses Crystal Reports to generate charts and graphs of numerous events. While the Java reporting applet does have several report types, it isn't very deep and sometimes doesn't seem very polished. The Management Server also monitors and reports on client status, attacks, and logs. While the Sygate Security Agent doesn't have its own VPN or anti-virus components, it is certified to work with both from various vendors.

While not a panacea, the Sygate Agent can significantly enhance the security of any host, especially those using a VPN tunnel or wireless connection on a laptop. I especially liked that the Sygate system will detect that a Trojan is a non-authorized application and block traffic from the Trojan, log the event, and alert an administrator. Sygate can also completely secure a VPN tunnel endpoint from compromise by negating even a denial-of-service attack.

Although Sygate's management and reporting server has a few rough spots — thanks primarily to using Java — with propagation of worms still on the rise, Sygate's triple-strike combination of firewall, intrusion detection, and application-integrity checking makes Sygate a solution to implement for enterprises interested in securing vulnerable hosts.

InfoWorld Scorecard: Sygate Secure Enterprise 3.5

Manageability (20.0%):   8.0
Security (20.0%):       10.0
Scalability (20.0%):     9.0
Setup (20.0%):           7.0
Value (10.0%):           9.0
Reporting (10.0%):       8.0
Overall Score (100%):    8.5