Product Review: End-point security
Strengths: Versatile client access policies based on location and connection type, swift installation and deployment, tough security measures, good application controls and detailed reporting
Weaknesses: Management interface could be more intuitive and online help improved
Verdict: A comprehensive policy-based end-point security solution that's simple to deploy and versatile enough to suit many business environments.
The problem of end-point security (EPS) has come under the spotlight as businesses strive to protect their networks from the latest security threats. Recent months have seen a wave of EPS solutions come on to the market, but Check Point's Integrity has been around since the firm acquired Zone Labs in 2004.
At its core, Integrity delivers strong personal firewall protection that is centrally managed by policies. However, the system goes way beyond basic duties with measures that include intrusion prevention, spyware detection and removal, application controls, anti-virus software checks and the facilities to manage the use of instant messaging (IM) services.
Installation and deployment was simplicity itself as Integrity only has two components. All management is carried out from a central Integrity server, which requires an existing DB2, SQL or Oracle database, or it can load its own built-in database. We chose the latter and had the server up and running in a few minutes.
The client can be pulled by users from a shared location or it can be deployed automatically using the .MSI package and a suitable network management tool. Integrity works with a wide range of authentication methods, but the only way it can block a system that does not have the client loaded is via 802.1x port-based access controls. Two clients are provided: the standard one, designed to foil any attempts at tampering with the system, and a Flex version that gives users full control when not connected to the corporate network.
The client is based on the ZoneAlarm firewall, but it has been upgraded to accept policies from the management server that can be based on the client's physical or logical location and type of connection such as a VPN, wired or wireless. Anti-spyware features comprise three components: a TrueVector policy analysis engine service, a user interface and a system driver that protects the client at times during shutdown and boot up and can block threats such as port scans.
We found the administrative interface to be fairly well designed, although not overly intuitive. But it wasn't long before we were creating policies. These can incorporate zones that allow you to decide what to do when a client encounters an unknown network. A trusted zone contains resources such as the corporate network, whereas blocked zones can store information about networks that you don't want users accessing. Any network or host not in these two classes is typically considered to be in Integrity's internet zone.
The client firewall defaults to blocking all inbound unsolicited traffic but it can be customised. Application controls allow you to determine what can be run on the client system based on the policy in force. Applications running on the client can be recorded at the server, which also computes and stores a checksum for each executable. We tested this feature with applications including FTP and found that we could easily cause undesirable programs to be terminated the moment a user loaded them.
The anti-spyware feature performed well during testing as we enabled it on one client and allowed it to roam freely over the internet. Within minutes the Integrity client had spotted piles of tracking cookies and deleted them all. The SmartDefense option keeps an eye out for malicious code, and it is simple to set the feature up to merely observe or actively block any dubious web, mail and newsgroup-related traffic. Instant messaging controls are extensive and we used them to stop our clients from sending files or using video with Windows Messenger.
Users can also block specific services, scripts and links and request that all IM traffic is encrypted. Enforcement rules are useful as these can be used to check end points for specific application versions, filenames or service packs. You can add a rule that checks whether you are running the latest Integrity client version. If not, the system can be upgraded automatically or you can be directed to a sandbox web page for remedial services.
Although Integrity has no anti-virus measures of its own, the enforcement rules do have specific options for checking the update files for five providers including Symantec, Sophos and Computer Associates. However, we have been told that integrated anti-virus measures for Integrity clients will soon be available as an option.
A wireless interface control has been added to provide additional protection against the use of unauthorised access points in the enterprise. It can isolate a wireless interface on client systems to prevent users having wired and wireless connections active at the same time. The code is already implemented and should be in action by the time you read this.