Check Point and Sygate corral end points

Firewalls combine strong client security and flexible policy management

At their core, Check Point Integrity and Sygate Enterprise Protection are effectively policy-based firewalls. That's the cake. The icing is their capability to monitor other applications for compliance with configuration requirements and send errant machines to quarantine until they can be updated with the latest anti-virus definitions, Windows patches, or other necessities.

Both solutions rely on an end-point client closely coupled to a policy-management server, supporting a variety of mechanisms for quarantining noncompliant systems, including 802.1x authentication and integration with partner switches, routers, wireless APs, and VPNs.

Combining strong client security and flexible policy management, both Check Point Integrity 6.0 and Sygate Enterprise Protection 5.0 help prevent spyware, worms, trojans, and viruses from getting to the enterprise network from infected clients. In addition to ensuring that end points are secure and updated, both products can enforce policies governing which client-side applications can access the network based on almost any criteria you might want to apply.

Twin Towers of Access Control

Sygate's Policy Manager has policy templates for common security patch deployments, personal firewalls, and anti-virus and anti-spyware software to help ease deployment. Depending on what type of adapter is being used to connect to the network (Ethernet, Wi-Fi, VPN, or the like) Sygate can apply appropriately restrictive access controls.

Between the Sygate Enforcement Agent (SEA) and the company network is the Enforcer, which applies access controls that the Policy Manager lays down. Noncompliant systems are placed into a quarantined network segment, where they can download the software needed to meet security requirements.

The SEA performs policy compliance checks during the initial connection and periodically via a timer or during a change in network location. Additionally, the SEA enforces policies when disconnected from the enterprise network, and it will automatically connect to your remediation download site to bring itself into compliance with or without user intervention.

For enforcing security policies on unmanaged end points, Sygate provides the ODA (On-Demand Agent). A Java applet that is downloaded to the client upon connection, ODA creates an encrypted virtual desktop with updated anti-virus software, anti-virus definitions, an anti-keystroke logger, and a personal firewall. After the session, ODA deletes all traces and removes itself from the system.

Check Point Integrity provides much of the same functionality. Instead of providing an enforcement gateway of its own, however, Integrity works with Check Point's VPN-1, Connectra SSL VPN, and InterSpect IPS, as well as 802.1x-enabled gear, to quarantine noncompliant clients. Integrity works with switches from Cisco Systems, Enterasys, Extreme Networks, Foundry, HP, and other vendors, and counts Aventail, Cisco, Juniper, Microsoft, and Nortel among its SSL VPN partners. Sygate has partners of its own, including many of the same names, and its Enforcer gives customers who may not have an 802.1x infrastructure the option of implementing NAC without buying additional gear.

Like the Sygate agent, Integrity Client checks for compliance upon connection and during sessions, and it provides self-enforcement and auto-remediation capabilities. Check Point also provides an on-demand client, called Integrity Clientless Security, which uses ActiveX to deploy the Integrity Secure Browser to unmanaged systems. The Secure Browser creates a captive portal via connection to a Check Point or partner SSL VPN, also encrypting session data, blocking browser-cache copying and keystroke logging, and removing all traces when the session is terminated.

In both solutions, effective network access control starts with strong client security. The Sygate and Check Point clients incorporate stateful, application-centric firewalls and buffer overflow protection. Sygate uses Determina's memory firewall technology to protect Windows servers, whereas Check Point's firewall and Malicious Code Protector (the product's name for buffer overflow protection) protects Windows clients. Additionally, Check Point has native anti-spyware, anti-trojan, and instant messaging protection. Sygate provides anti-trojan protection natively, and the version I tested used Lavasoft Ad-Aware SE Professional to detect and remove spyware. Going forward, Sygate will use Symantec technologies to combat spyware. Both Check Point and Sygate currently lack an embedded virus-scan capability.

During testing, while logged in as a normal end-user without admin privileges, I tried tampering with both clients to see if I could shut them down. While the Check Point agent managed to resist all my attempts to disable it, which included stopping services and deleting integral files, I found I could kill the Sygate agent by deleting files. Although the agent could be killed, however, Sygate's policy options allow you to quarantine or isolate any end point on which the agent is not running. Both Check Point and Sygate also allow you to hide agents from users, and even shield them from port scans and probes.

Policy Creation and Enforcement

For management of policies and SEAs, Sygate uses a Java-based front end. Like all Java-based consoles, it can sometimes be slow to respond, but it proved snappy enough during my testing. Check Point uses an SSL-secured Web front end to manage Integrity clients. The management interfaces of both products are split into a Table of Contents-style left pane and a tabbed main window, and both make administrative tasks, from client deployment to firewall and policy configuration, similarly straightforward. A nice extra in the Sygate console is the Change History that sits at the bottom of the screen, providing useful historical and administrative information. In general, I preferred Sygate's more polished interface to Check Point's, although Sygate still has a way to go before it reaches perfection. While Check Point does a good job of hiding complexity, the power that Sygate readily exposes to administrators can sometimes be daunting.

For large environments, Sygate allows you to assign an administrator per functional domain group, and provides a decent amount of granularity in administrative permissions (from read-only to only-view logs and such). Check Point supports multidomain administration, which makes managing large organizations easier by creating domains for admins and zones for end-point clients. Additionally, Check Point has multitiered administration with logging to monitor end-point client changes by different administrators. As in Sygate, domains are isolated so as not to share unnecessary information with unauthorized administrators.

One big advantage that Sygate has over Check Point is that an administrator can manage the use of USB devices and other peripherals, especially important to organizations concerned about the movement of sensitive data via USB storage media. SEA can block reads, writes, and code execution from specific devices and several types of portable and nonportable drives.

Both Sygate and Check Point allow you to create a white list of applications from reference sources such as desktop or laptop image files. In Check Point's case, when an unknown program attempts network access, Integrity asks the Program Advisor database for an access policy, automatically allowing or denying network access based on the Program Advisor response, or recommending policy for admin approval.

Check Point's Program Advisor includes white list and black list information that has been gathered from Zone Alarm clients running on consumer desktops. Check Point states that Program Advisor has rules for more than 100,000 apps. Additionally, if Integrity Client detects malicious software, it takes control and automatically shuts down the offending application.

Not to be outdone, Sygate has OS Protection, in which the SEA monitors application behavior and blocks malicious or unapproved program actions, preventing applications from modifying or creating particular registry keys, for example. SEA also has Application Learning, which enables an administrator to learn the behavior of users and computers and then easily create enterprise security policy to fit the behavior.

Both Sygate and Check Point allow you to easily create policies based on user, group, and source IP address. Each also has support for separate policies depending on whether the user is connecting via wired Ethernet or wireless LAN or entering the network via VPN or remote access server. This flexibility is especially critical as it pertains to mobile workers. Again, creating and editing policies in both products is straightforward.

You also won't find significant differences in these products' reporting capabilities. Reporting has been updated considerably since the previous version of the Integrity product, and is now quite extensive, with succinct graphs that complement presented data. Event notification is via SNMP, text, SYSLOG, and JDAC. Sygate likewise offers detailed records of network activity, including applications, date, time, and SEA information. Reporting statistics can be e-mailed on a daily or weekly basis.

All considered, either of these end- point security and access control products will serve you well. A few differences, as well as compatibility with your current network and VPN infrastructure, may lead you to choose one over the other. Sygate includes an enforcement gateway in the asking price, and it goes beyond the Check Point solution to provide control over the use of peripheral devices. Check Point's advantages include a more robust agent, a longer list of switch and VPN partners, and integration with Check Point's network security products.

Symantec's recent purchase of Sygate and WholeSecurity holds promise for Sygate's client-side security capabilities. It's also reasonable to expect that the Sygate solution will integrate with Symantec's IPS and other products, and that partnerships with network infrastructure vendors will get a boost.

In short, where these products are headed may be even more important than where they are now. If you're in the market for policy-based network access control, keep your eye on developments. Things are moving quickly.

Show Comments