Strengths: Elegant interface makes complex policies easy to configure.
Weaknesses: Needs much better reporting, and some interface glitches fixed.
Verdict: Interesting take on endpoint network configuration, worth watching.
Despite the name, this is not similar to the endpoint products in this month’s endpoint security group test, hence its inclusion here on its own.
RFprotect Endpoint offers a policy server and Windows agents that control network access on endpoint systems. The product is mainly aimed at mobile users, with the primary goal of enforcing VPNs over unsafe network connections and preventing bridging between segments. This would prevent accidental leakage as well as reduce the vulnerability to unsafe, possibly malware-originated connections like trojan diallers.
The server component installed cleanly, including its bundled SQLite database (Network Chemistry can help customers integrate it into an existing db server if required). The web GUI (on a non-standard port which cannot be changed) starts the process by running through a quick post-install “interview” – a wizard by any other name. The basic config took just five minutes, certificates generated, LDAP configured and the default policies installed.
At which point, strangely, the slick interface came to a crashing halt and we had to trek off to the Windows Control Panel to manually restart the service, a clumsy step that should be automated.
That aside, setup was very quick and easy. Some settings could use some work, but these are relatively minor. Among the configuration options is one to log all admin activity, but it is disabled by default, where you would almost certainly want it switched on. We would also like to see a prompt to change the default admin password.
The central dashboard view is an elegant interface, showing current connections and traffic levels. It works smoothly in non-IE browsers – in fact, the manual recommends Firefox. The manual, a hefty PDF also available as one, gigantic web page via the GUI, is very detailed, but the interface does a good job explaining itself well, and only rarely did we find ourselves resorting to the documentation for help. However, when we did, the lack of context-based help was sorely missed.
We did have a few problems with the GUI in our test environment: a number of generic page errors that do not provide any useful information other than the fact that something has gone wrong, some of which stalled the service so we had to manually restart it. This might have been a problem with the test bed, but more detail in error messages would be very useful.
Other glitches in the interface did appear to be outright bugs. Most were cosmetic, but others, such as a persistent message incorrectly stating that updated policies had yet to be published, could cause problems.
Admin users can be set up in one of two roles: as full administrators or with control limited to only granting override privileges. Network Chemistry is looking at expanding that to a more granular set of roles, but for now the split between full admin and helpdesk-style override request handling seems to work well. All admin activity can be logged, but the log is basic, just a list of who did what.
Actually setting up policies is very easy. The central policy view includes a beautifully designed map of how the process works, with network connections and users/ groups mapping on to policies. Network segments are individually set up for wired, wireless and dialin communications, including whether a VPN is required, is connectivity to the central policy server required (useful for remote users), and which specific WLAN security methods are acceptable.
These profiles are then combined with users (the product supports RADIUS and LDAP as well as locally configured users) to produce policies, which are then published and synced with the desktop agent software. Agents resync policies daily by default, rather than having them pushed down, but this can be changed to any suitable frequency.
The same admin URL can be used as a user portal where users can install the agent software. A tamper-resistant version is available, which cannot be normally uninstalled or halted by even a local admin user – actually disabling it might be possible, but risks damaging the OS. Network Chemistry provides a separate uninstall utility for this.
The agent intercepts traffic and decides whether it matches the current policy. If traffic is blocked, a popup message informs the user, and a tray icon can show a GUI explaining current policy.
The spectre of travelling users caught by a policy exception and locked out is dealt with by a temporary override mechanism. Through a hidden option in the agent UI, a challenge-response process can be initiated with an administrator to allow temporary full access. This is effective until the machine reboots or a specified timeout. Machines going into and coming out of suspend do not count as a reboot, which might be a problem for controlling laptop users who never fully power off their machines.
All user activity is logged, but the log cannot be searched or exported, and some of it could use some translation (protocols are numbered not named, for example).
Overall, RFprotect Endpoint has lots of potential, and we like how it works. It is very useful for controlling network activity on mobile devices. But the reporting needs development and some GUI bugs need ironing out, so wait for a release cycle before buying it.