Product Group Tests
Policy management (2010)
For its vast amount of configuration options and its value for money, Promisec INNERspace is our Best Buy this month.
We rate BigFix Enterprise Suite Recommended for its strong performance and feature set.
Full Group Summary
Managing policy is a multi-faceted task due to the number of internetworking devices organisations have. By Peter Stephenson
Managing policy used to be a manual process. System administrators translated written policy into device configurations and hoped that they had not missed anything. Networks and the devices that make them up are no longer simple enough to depend upon that approach.
For example, the National Security Agency, in its NSA/SNAC Router Security Configuration Guide, has five top-level recommendations: create and maintain a written router security policy; comment and organise offline master editions of router configuration files; implement access lists that allow only those protocols, ports and IP addresses that are required and deny all else; run the latest version of internet operating system; and test configurations regularly.
In an organisation with a few routers or switches (switches have approximately the same requirements) that is not a particularly big deal, but most of today's enterprises have dozens, if not hundreds, of internetworking devices. Also, switches or routers are not the only devices on the enterprises with configuration maintenance challenges. Add very rigid regulatory requirements and the heavy penalties attached for lack of compliance and you have a very serious set of business and technology drivers.
The only reasonable answer to the challenges of compliance, security and configuration management is to automate the tasks. That is what this group review is all about.
We saw a very wide variety of capabilities among the products reviewed. Some did very little but did it very well. This posed a real challenge because we do not compare products to each other in our group reviews. What we do is to compare a product against its own claims and against the general expectations in the marketplace. That is difficult because even vendors do not agree on a common definition of policy management. More confusing yet is that there is a difference between policy management and policy enforcement. Some products do one or the other and some do both.
Generally speaking we agree that policy management, at a minimum, should manage the security aspects of the network from the perspective of consistency with written policies. Those policies could be explicit (specifically dictated by a written policy document) or implicit (derived from the configuration standards themselves). So a product that is not comprehensive, for example one that manages only one aspect of policy such as being restricted to internetworking devices or manages only a single or suite of applications, would be slightly deficient in our view since comprehensive enterprise policy management is the goal.
We would also expect that a complete policy management product would address compliance reporting in some manner. We gave extra consideration to products that did both compliance reporting and policy enforcement. While these are different functions, in the context of compliance they should go together in the same tool. True policy enforcement really is not common since it requires some explicit enforcement mechanism. For example, a port found to be misconfigured on a router should be reconfigured, or at least should be reported to a trouble ticketing system.
Buying policy management tools
This depends on what you are trying to do and what your enterprise looks like. If you have an enterprise that is heavily based upon hundreds of internetworking devices that is where you should put your emphasis. However, there are some consistencies you should look for no matter what your system looks like.
The product you buy should have robust reporting, preferably in the context of reports designed specifically for compliance reporting. It should facilitate remediation in some manner or other and the method should be manageable within the context of your enterprise architecture. Finally, it should address the entire enterprise. That means that it should be easy to manage centrally, should have a robust, easy-to-use policy engine and if there are agents they should be easy to deploy.
This is a difficult category of security tools because the functionality is not universally well defined. However there are some great products. In fact we found that several products were so close together in capability that picking a clear winner was very tough.
The best advice is to look closely at your network and compliance reporting requirements and select the two or three products that fit the best and are within your budget. Then you should test them in your environment and make your selection.