Product Group Tests

Policy Management (2007)

by Justin Peltier March 01, 2007
products

GROUP SUMMARY:

If you are looking for a desktop policy management program for Windows users that will not introduce needless administrative overhead, FullArmor GPAnywhere is a product to look into. This one gets our best buy.

The BigFix Enterprise Suite is long on features and supports more desktop operating systems than any other product. BigFix Enterprise Suite is our Recommended product for its features and value for the money.

Enforcing organisational and legislative rules while monitoring mobile devices is a challenging and constantly changing task. Justin Peltier looks at some solutions offering to make life easier.

System configurations are getting more complex as devices such as smart phones, wireless access points and printers, along with traditional workstations, are all capable of storing a security configuration. Another common feature these pieces of hardware share is the potential to introduce vulnerabilities or other security weaknesses into an environment. When new clients or endpoints are combined with the constantly moving target of fresh vulnerabilities and additional organisational directives being released, ensuring policy compliance can become a challenge for organisations.

Policy compliance is a wide-ranging area, in terms of the different tasks it requires as well as in relation to the types of configuration that may need to be performed. Common device configurations can include network settings such as IP address, subnet mask, and virtual local area network membership. Devices may also use security settings such as encryption keys, firewall rule sets, registry settings and permissible network locations for access. In addition, there may even be peripheral configurations regarding which types of devices may be accessed via a device's USB ports.

However, configuration management is just part of the whole process. Policy management also includes tasks such as vulnerability assessment, device audit and inventory, configuration reset, centralised logging and reporting functions.

Many of the products we reviewed used unique approaches to tackle the problem of device policy management. Some focused on specific types of hardware, such as firewalls or routers, while others were geared towards more traditional systems, for example workstations and servers. We also looked at solutions that examined the type of network traffic generated from a device to ensure configuration compliance.

Compliance is a big topic for most security administrators, so many products draw attention to their ability to comply with current legislation. A number of entries in this group featured pre-existing templates to help an enterprise ensure compliance with many standards and common pieces of legislation.

The two appliance-based products we looked at in this category monitored a network segment for non-compliant traffic, while most of the software-based offerings made use of proprietary network communication to ensure compliance.

Solutions also differed in the approach of how to manage the clients. Most products created a client application that would reside on the device to be managed while other appliance devices used VLANs and 802.1X-like functionality to remove the offending devices from the normal network flow. Regardless of the mechanism used to look for anomalies, support for many different types of operating systems were apparent. Most software-based tools included support for Windows-based devices, as well as Linux, Unix, Mac and, in the case of NetIQ's Security Configuration Manager product, even AS/400 devices.

How we tested
For the software-only product distributions, we tested using Windows 2003 Advanced Server Service Pack 1 with IIS, .net, and ASP installed. We varied the installation to include Active Directory for the product that required it. The server hardware we used was an Intel Pentium 4 3.00 GHz machine with 512 MB of RAM and a 100 GB hard drive installed. All of the latest hotfixes were applied and several Microsoft components were present to facilitate the installation of the software packages.

For the client we used a Windows XP Professional machine with Service Pack 2 installed and the latest hotfixes deployed. The client machine was a desktop model with an AMD 64 3300+ processor with 768 MB of RAM.

The same hardware was used for the Linux client for products that offered Linux client solutions. For Mac product testing, we used a MacBook dual core 1.8 GHz machine with 512 MB of RAM and an 80 GB hard drive. We tested the performance impact on the client machine by using the PassMark Performance Test version 6.0 on the Windows machine.

In all performance tests a difference of less than two per cent was classified as no impact on performance. The network was based on gigabit switches with differing configurations based on the need of the product being tested.

For the testing of the SolSoft product, a Check Point NGX firewall was used as well as Cisco router with the Firewall IOS.

SC Webcasts UK

Sign up to our newsletters

FOLLOW US