System configurations are getting more complex, and systems are no longer defined as just workstations. Devices such as smart phones, wireless access points and printers are all capable of storing a security configuration, but they are also capable of introducing vulnerabilities or other security weaknesses into an environment. When new clients or endpoints are combined with the constantly moving target of newly released vulnerabilities and new organizational directives, ensuring policy compliance becomes a quickly evolving task.
Policy compliance can encompass many tasks and many different types of configurations. Common device configurations can include network settings, such as IP address, subnet mask and virtual local area network membership. Devices may also use security settings, such as encryption keys, firewall rule sets, registry settings and permissible network locations for access.
However, configuration management is just part of policy management. Policy management also includes other tasks, such as vulnerability or configuration assessment, device audit and inventory, configuration reset, centralized logging and centralized reporting. This month we reviewed products that strove to achieve policy management in an enterprise.
Many of the products that we reviewed used unique approaches to tackle the problem of device policy management. Some products focused on specific types of devices, such as firewalls or routers, while other products focused on more traditional systems, such as workstations and servers, and still others examined the network traffic a device generated to judge whether its configuration was compliant.
Compliance was also a word often used by the products in this review. With the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and the Sarbanes-Oxley Act on the tip of most security administrators' tongues, many products emphasized their ability to help an organization comply with current legislation. Many products in this group shipped with pre-existing templates to help enterprises demonstrate compliance with common standards as well as these pieces of legislation.
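The configuration assessment described above, and the template-driven compliance checks many products in this group offer, reduce to one operation: compare each device's observed settings against a baseline and report every deviation as a finding. The following is an added illustration written for this article, not code from any product reviewed here. The policy template, device names and settings are all constructed for the example; the rule helpers (`required`, `one_of`, `in_network`) are hypothetical names chosen for readability.

```python
"""Baseline-compliance check for device configurations (added example, constructed data)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Any, Callable


@dataclass
class Rule:
    setting: str                       # key in the device's configuration inventory
    check: Callable[[Any], bool]       # predicate returning True when the value is compliant
    description: str                   # human-readable statement of the policy requirement
    severity: str = "medium"


@dataclass
class Finding:
    device: str
    setting: str
    observed: Any                      # None when the setting was missing from the inventory
    description: str
    severity: str


# Rule helpers (hypothetical names): small predicate factories used to build templates.
def required(value):
    return lambda v: v == value


def one_of(*values):
    return lambda v: v in values


def in_network(cidr):
    net = ip_network(cidr)
    return lambda v: ip_address(v) in net   # raises ValueError on a malformed address


# Constructed policy template, the kind of baseline a compliance product ships for workstations.
WORKSTATION_POLICY = [
    Rule("firewall_enabled", required(True), "host firewall must be enabled", "high"),
    Rule("wireless_encryption", one_of("WPA2"), "only WPA2 is permitted on wireless", "high"),
    Rule("ip_address", in_network("10.20.0.0/16"), "device must sit in the corporate range", "medium"),
    Rule("vlan", one_of(20, 21), "workstation VLANs are 20 and 21", "medium"),
    Rule("remote_registry", required(False), "remote registry service must be disabled", "low"),
]

# Constructed inventory, as an audit agent or network scan might collect it.
INVENTORY = {
    "ws-01": {"firewall_enabled": True, "wireless_encryption": "WPA2",
              "ip_address": "10.20.5.17", "vlan": 20, "remote_registry": False},
    "ws-02": {"firewall_enabled": False, "wireless_encryption": "WEP",
              "ip_address": "192.168.1.40", "vlan": 20},           # remote_registry not reported
    "ws-03": {"firewall_enabled": True, "wireless_encryption": "WPA2",
              "ip_address": "10.20.x.1", "vlan": 21, "remote_registry": False},  # malformed IP
}


def assess(device: str, config: dict, policy: list) -> list:
    """Return one Finding per rule the configuration violates.

    A setting that is absent from the inventory is treated as non-compliant rather than
    silently passing, and a value the check cannot interpret (e.g. a malformed IP) is
    also reported, so gaps in the audit data surface as findings instead of being hidden.
    """
    findings = []
    for rule in policy:
        observed = config.get(rule.setting)
        try:
            ok = observed is not None and rule.check(observed)
        except ValueError:
            ok = False
        if not ok:
            findings.append(Finding(device, rule.setting, observed, rule.description, rule.severity))
    return findings


def assess_inventory(inventory: dict, policy: list) -> dict:
    """Map each device name to its list of findings (empty list means compliant)."""
    return {name: assess(name, cfg, policy) for name, cfg in inventory.items()}


def severity_summary(results: dict) -> dict:
    """Count findings per severity across all devices, for a centralized report."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for findings in results.values():
        for f in findings:
            counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = assess_inventory(INVENTORY, WORKSTATION_POLICY)
    for device, findings in results.items():
        status = "COMPLIANT" if not findings else f"{len(findings)} finding(s)"
        print(f"{device}: {status}")
        for f in findings:
            print(f"  [{f.severity}] {f.setting}={f.observed!r}: {f.description}")
    print("summary:", severity_summary(results))
```

The same structure serves any device class: a router or firewall template would carry rules over rule-set entries and permitted management addresses instead of workstation services, and the assessment loop, the treatment of missing data as a finding and the severity roll-up stay unchanged.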
The policy management products also differed in more than the type of devices they managed. The appliance-based products monitored a network segment for non-compliant traffic, while most of the software-based offerings used proprietary network communication to ensure compliance. Products differed in how they managed clients as well. Most installed a client application that resided on the managed device, while the appliance devices used VLANs and 802.1x-like functionality to remove offending devices from the normal network flow. Regardless of the mechanism used to look for anomalies, support for many different operating systems was apparent. Most software-based products supported Windows-based devices as well as Linux, Unix and Mac.
How we tested
For the software-only product distributions, we tested using Windows 2003 Advanced Server Service Pack 1 with IIS, .NET and ASP installed. We added Active Directory to the installation for the products that required it and left it out for the products that did not. The server hardware was an Intel Pentium 4 3.00 GHz machine with 512 MB of RAM and a 100 GB hard drive. The latest hotfixes were applied, and several Microsoft components were installed to facilitate installation of the software packages.
For the client, we used a Windows XP Professional machine with Service Pack 2 and the latest hotfixes installed. The client machine was a desktop with an AMD 64 3300+ processor and 768 MB of RAM. The same hardware was also used for the Linux client for products that offered Linux client solutions. For Mac product testing, we used a MacBook dual core 1.8 GHz machine with 512 MB of RAM and an 80 GB hard drive. We measured the performance impact on the client machine using PassMark Performance Test version 6.0 on the Windows machine. In all performance tests, a difference of less than two percent was categorized as no performance impact. The network was based on gigabit switches, with configurations varied according to the needs of the product being tested. For testing the SolSoft product, a Check Point NGX firewall was used, as well as a Cisco router with the Firewall IOS.