Product Spotlight - ENDFORCE™ Enterprise
Description
ENDFORCE Enterprise is compliance enforcement software that automatically protects enterprise networks from threats originating at insecure Windows devices (i.e., endpoints). Security administrators can define and enforce compliance security policies that consider user roles, the security of endpoints, the availability of remediation services, and the type of network access (e.g. LAN, remote, wireless). With ENDFORCE Enterprise, businesses can track and improve end user security compliance, while reducing the severity and costs of PC-borne network attacks. As new, unforeseen threats emerge, this vendor-neutral, software-only framework will be expanded to work with additional security products and client applications.
Key Features
ENDFORCE Enterprise provides a number of services:
Endpoint Compliance Agent
- A compliance agent is installed on each Windows device (XP/2000/NT/98) by an administrator
- The compliance security policy installed in each agent is updated automatically whenever a user attempts a network connection
- The agent enforces access security policy, reports compliance events, and delivers messages to users
Security Policy Enforcement
- Administrators can tailor compliance security policies to individual user groups.
- Security policies define both the compliance checks that are performed on endpoints before users can access internal networks and the actions taken immediately after the checks are made. Additional compliance checks can be performed on a scheduled basis during a user connection.
- Security policies can check for installed and running client applications, personal security software including signature files, and operating systems and browsers. Versions, patches, and service packs can all be checked.
- Many 3rd party software products are supported out-of-the-box; organizations can define custom checks for any application, file or registry key.
- Enforcement options include allowing or denying access, or directing users to a quarantined server for compliance remediation.
- Both compliance and non-compliance events can be reported along with the identity of the user and the endpoint device.
Compliance Checks
ENDFORCE Enterprise can perform a detailed compliance check on endpoint software.
Out-of-the-box compliance checks are available for the following software:
| Endpoint Software | Compliance Checking | Out-of-the-Box Support |
|---|---|---|
| Firewalls (FW) | Version | Zone Labs, ISS, McAfee, Computer Associates, Symantec |
| Anti-virus (AV) | Version | McAfee, Symantec, Trend Micro, Sophos, CA, Norton |
| Malicious Code Protection (MCP) | Version | CA, McAfee, Microsoft |
| Intrusion Detection | Version | Cisco |
| Operating Systems (OS) | Version, Service Pack, Patches, Registry | |
| Browser (B) | Version, Service Pack, Patches | Internet Explorer Only |
| Client Applications (CA) | Version | |

Note: ENDFORCE Enterprise does not check for specific OS services, e.g., communication ports, file sharing.
How it Works
Admin Perspective
- An administrator installs and configures the ENDFORCE Policy Manager, Compliance Enforcer and Compliance Reporter on a Windows server and distributes and installs the ENDFORCE Agent on the endpoint device (Note: admin level is required only for the initial install of this client)
- The administrator configures the endpoint compliance security policy for users by groups. User information is retrieved from an existing user database.
User Perspective
- Whenever a user enters the URL of the SSL VPN Gateway they are redirected to the ENDFORCE Enterprise server where they enter their user credentials (two-factor user authentication can be provided via RSA SecurID)
- The ENDFORCE Policy Manager ensures that the ENDFORCE Agent software on the user device is up-to-date.
- The ENDFORCE Policy Manager validates the user's credentials against a user database (e.g., Active Directory) and then sends user-specific compliance requirements to the ENDFORCE Agent.
- The ENDFORCE Agent checks compliance and then provides an admin-supplied message to the user if the computer is non-compliant. The message can include a link to a remediation server on a quarantined segment of the network. For example, a link to the Shavlik™ Technologies web site is provided for patch compliance assessment and remediation.
- If the device passes the compliance checks, the user session is automatically redirected to the SSL VPN gateway where its authentication screen is displayed.
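The policy model described under Security Policy Enforcement and the decision flow above (checks per user group, extra checks for remote or wireless access, allow / deny / quarantine with a remediation link, and a compliance event per check) can be illustrated with a small evaluator. The code below is an added example written for this page; it is not ENDFORCE code and does not reflect the product's internal data formats. Product names, process names, registry keys, the remediation URLs and the endpoint inventories are all constructed placeholders.

```python
"""Toy endpoint-compliance policy evaluator (added example, not ENDFORCE code)."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


def parse_version(text: str) -> tuple:
    """'8.0.1' -> (8, 0, 1) so versions compare numerically ('10.0' > '8.0')."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class Endpoint:
    """Inventory as an agent might report it (constructed, hypothetical shape)."""
    user: str
    group: str
    hostname: str
    access_type: str                                  # "LAN", "remote" or "wireless"
    installed: dict = field(default_factory=dict)     # product -> version string
    running: set = field(default_factory=set)         # running process names
    registry: dict = field(default_factory=dict)      # registry key -> value
    os_service_pack: int = 0


@dataclass
class Check:
    name: str
    test: Callable[[Endpoint], bool]
    remediation: Optional[str] = None                 # link shown to the user on failure


# Check builders matching the kinds of checks the page lists.
def installed_at_least(product: str, version: str, remediation=None) -> Check:
    return Check(f"{product} >= {version}",
                 lambda ep: product in ep.installed
                 and parse_version(ep.installed[product]) >= parse_version(version),
                 remediation)


def process_running(name: str, remediation=None) -> Check:
    return Check(f"{name} running", lambda ep: name in ep.running, remediation)


def registry_equals(key: str, value: str, remediation=None) -> Check:
    return Check(f"{key} == {value!r}", lambda ep: ep.registry.get(key) == value, remediation)


def service_pack_at_least(level: int, remediation=None) -> Check:
    return Check(f"OS SP >= {level}", lambda ep: ep.os_service_pack >= level, remediation)


@dataclass
class Policy:
    """Checks for one user group; remote and wireless users get extra checks."""
    group: str
    checks: List[Check]
    extra_if_remote: List[Check] = field(default_factory=list)
    on_fail: str = "quarantine"                       # "quarantine" or "deny"


def evaluate(policy: Policy, ep: Endpoint) -> dict:
    """Run every applicable check, record one event per check, return the decision."""
    checks = list(policy.checks)
    if ep.access_type in ("remote", "wireless"):
        checks += policy.extra_if_remote
    events, failed, links = [], [], []
    for check in checks:
        ok = check.test(ep)
        events.append({"user": ep.user, "host": ep.hostname, "check": check.name,
                       "result": "compliant" if ok else "non-compliant"})
        if not ok:
            failed.append(check.name)
            if check.remediation:
                links.append(check.remediation)
    decision = "allow" if not failed else policy.on_fail
    return {"decision": decision, "failed": failed,
            "remediation": sorted(set(links)), "events": events}


# Constructed sample policy and endpoints (placeholder names and URLs).
CONTRACTOR_POLICY = Policy(
    group="contractors",
    checks=[installed_at_least("ExampleAV", "8.0", "https://remediation.example/av"),
            process_running("exampleav.exe", "https://remediation.example/av"),
            service_pack_at_least(2, "https://remediation.example/patches")],
    extra_if_remote=[process_running("examplefw.exe", "https://remediation.example/fw"),
                     registry_equals(r"HKLM\SOFTWARE\Example\Agent\Installed", "1")],
)

COMPLIANT_REMOTE = Endpoint("alice", "contractors", "lap-01", "remote",
                            installed={"ExampleAV": "8.1.0"},
                            running={"exampleav.exe", "examplefw.exe"},
                            registry={r"HKLM\SOFTWARE\Example\Agent\Installed": "1"},
                            os_service_pack=2)

STALE_AV_LAN = Endpoint("bob", "contractors", "lap-02", "LAN",
                        installed={"ExampleAV": "7.9"},
                        running={"exampleav.exe"}, os_service_pack=2)

if __name__ == "__main__":
    for ep in (COMPLIANT_REMOTE, STALE_AV_LAN):
        result = evaluate(CONTRACTOR_POLICY, ep)
        print(ep.user, result["decision"], result["failed"], result["remediation"])
```

Two design points worth noting: version strings are compared as integer tuples, because comparing them as strings would rank "10.0" below "8.0" and silently pass an outdated product; and every check emits its own event whether it passed or failed, which is what makes the compliance reporting the page describes (who, which device, which check) possible without a second pass.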
Additional Product Information
Visit the ENDFORCE library
