If you manage IT for a government organization -- be it federal, state, or local -- you don't have the luxury of waiting to
harden your network defenses, unlike IT managers of commercial enterprises. Public agencies are legally accountable for safeguarding
the information they have on their computers, so you must protect that information to avoid serious consequences.
Although the mention of security in a government context might spark thoughts of state secrets and national security, the
reality is more mundane. All the data that government agencies are charged with protecting -- personal information, personnel
actions, contract deliberations and actions, procurement details and proposals, information related to law enforcement and
the courts -- is subject to the same problems that affect any other organization, regardless of whether its domain ends in
.gov or .com.
Viruses and worms don't discriminate. When successful, they not only tie up your network, they destroy data and even send
information to the outside world. As a result, government IT staffs must make sure that users' machines are scanned for viruses,
that they're protected against intrusions and exploits, that their security software is regularly maintained, and that their
operating systems are kept up to date. You also must be able to prove that you did it in case anyone asks.
Managing the security of your clients can take many forms. Among the product choices are anti-virus solutions that include
central management and that will work with a personal firewall if present. Some managed personal firewall solutions will also
work with anti-virus. Still other solutions will manage their own anti-virus and firewall clients, and others will manage
clients from other companies.
All of these approaches are represented by the four products reviewed here. Some of these products will enforce compliance
with client security policies by banning users unless their computers are up to date, some will force users to update their
machines, and one product allows you to prevent users from running anything at all that you don't approve. Some of these products
keep an eye on user e-mail, instant messaging, and Web sites visited.
No single approach covers all potential problems. This means that no matter which solution you choose -- should you choose
only one -- you won't be completely protected. On the other hand, because you can manage client security remotely and set
policies centrally, at least you'll be consistent, and that's half the battle.
Check Point Integrity
When Check Point Software Technologies acquired Zone Labs this year, one of the reasons was to obtain Integrity. This product
builds on Zone's already strong firewall technology to provide a centrally managed layer of protection that's both effective
and easy to manage. And as a plus for IT managers, the Integrity Agent can be installed so it's invisible to the end-user,
reducing the chance of tampering.
Although Zone doesn't provide anti-virus capability, it does work with the major providers of anti-virus software, including
Computer Associates, McAfee, Sophos, Symantec, and Trend Micro. It detects when these products are properly updated and quarantines
machines that aren't running properly updated software. Check Point's Integrity also checks for the operating system patch
level before granting access to a protected asset.
Integrity Server runs on either Windows 2000 Server or Windows Server 2003 machines. Implementing the server requires little
beyond allowing the installer to run. The server installation creates a shared file area, or "sandbox," that's visible to
the Apache Web server that's also installed. The standard means of distributing the Integrity client software is to e-mail
the link to users and have them click on it to perform the installation. Unfortunately, the default link to the sandbox is
very long and complex, and the documentation directs you to write it down so you can install it on clients that don't have
e-mail accounts.
You can perform the client installation the way Integrity suggests, of course, but it's error-prone and time-consuming. If
you're aware of this need ahead of time, you can also pick a much easier-to-use link. Or better yet, you can use products
such as Microsoft's Systems Management Server or Novell's ZENWorks and avoid the issue completely. Smaller organizations,
unfortunately, are stuck with the Web distribution, so pick an easy URL for the sandbox.
Fortunately, you only install once. After you get everything running, Integrity shines. You can see the security status of
the network at a glance, control access easily, and check the status of any client in seconds.
The users get one of two client software packages to use. One, Integrity Agent, can be invisible. IT managers have the option
of an icon in Windows' System Tray. The network manager retains complete control over security.
The other client is Integrity Flex, which closely resembles the Zone Alarm personal firewall in appearance and operation.
It also gives the user some control over how it works. Flex is designed for users who travel and therefore must be able to
control their security while away from the enterprise, even when connected to other corporate or hotel networks.