Configurationweaknesses and missing patches for servers, workstations and networkdevices continue to make their way into the information securityheadlines on a daily basis. Like many other well-publicized events thattend to whip people into action, IT and security stakeholders areinundated with reactive mandates to patch quicker without breakingapplications, deploy faster with less resources, and to provide moreprotection without impacting productivity.
Ascompanies experience growth, acquisition or even expansion to differentlines of business, the configuration of workstation, server, networkand security devices becomes more difficult to manage. Changes in theregulatory landscape and ever-evolving threats to information assetshave put a burden on managers and administrators. Today, it's no longeracceptable to avoid developing configuration standards, nor is itacceptable to throw everything at the patching process in hopes thateverything remain secure. Many organizations are moving toward arisk-based model that manages assets using methods that make sense.
Justa few of the items that have piqued the interest of decision-makerswith regards to helping them manage hosts and achieve their policyenforcement goals, include network access control, anti-malware,operating system patches, registry settings, router and switchconfigurations, rule base management, access control lists, hostintegrity applications, encryption, logs and disparate systems.Regulatory requirements, especially in the financial sector, havemandated that businesses have reasonable protections and control overtheir technology infrastructure. Regulators don't sympathize with adisparate environment, and it's an issue that taxes resources anddrains effectiveness for many organizations. Relying on administratorsand teams of IT personnel to manage so many different components withintheir respective silos is no longer cost effective, nor is it goodbusiness. By no means is implementing technology to help you managepolicies a panacea, but some of the features that are creeping into thepolicy management space can help alleviate some of the pain pointsassociated with these daunting tasks.
In this review
Weexamined two general classes of products: solutions that help manageworkstations/servers and solutions that help manage network devices(firewalls, routers, VPNs, IPs, etc.). We did not review any tools thathad the capabilities to perform both functions. Both classes ofproducts can help with particular issues that an organization may bestruggling with. The decision is left to the individual business withregards to what side of the infrastructure warrants a capitalexpenditure to mitigate configuration, policy and change managementrisks.
How we tested
Allof the products in our group review were installed on either Windows XPProfessional SP2, Red Hat host machines or Windows 2003 SP2 serverswith MS SQL 2005 and MySQL databases. Networking configuration testingwas run against multiple vendors, including Juniper and Cisco. We ranour configuration management against firewalls, VPN devices, routers,switches and even some security devices.
We deployed agents to Windows and Linux devices for ourworkstation/server policy management tools and added devices to ournetwork configuration management inventories. Surprisingly, we did nothave any issues with installing agents and deploying configuration andpolicy for any of our Windows or Linux machines. In all fairness, weexpected some Windows agent problems, but were pleasantly surprisedwhen we didn't encounter any.
Froma reporting perspective, some products produced better reports thanothers. Those with a risk-based approach or compliance templates andreports scored highest. We feel these features are very important,rather than simply focusing on a gap analysis and whether you're incompliance or not.
Eventhough the products performed as we would expect, decision-makers willhave their work cut out for them when deciding how many devices shouldbe managed. Some of our products suffered from a bit of an identitycrisis in their branding and even product names. Customers may want tosteer clear of solutions that have changed hands several times in thepast couple of years.
