Senforce’s EMSM (enterprise mobile security manager) is a centrally managed platform for creating and deploying very granular
access control policies to both local and remote users. Like Check Point Integrity and Sygate Secure Enterprise, EMSM goes
well beyond checking to see whether the client’s anti-virus is up to date. However, unlike these products, EMSM focuses on
enforcing security policies based on location, disabling remote storage devices, wireless adapters, and even specific IP services
on the client, based on whether it is connecting wired or wirelessly, or via a trusted or untrusted network.

Senforce Enterprise Mobile Security Management 2.5
Senforce, senforce.com
Very Good 7.8
| criteria | score | weight |
| Security | 8 | 30% |
| Management | 7 | 25% |
| Implementation | 8 | 20% |
| Reporting | 8 | 15% |
| Value | 8 | 10% |
Cost: Starts at $89.95 per seat
Platforms: Management system: Windows 2000 and 2003 Server; client: Windows 2000 Pro and Windows XP Pro; requires Microsoft SQL 2000
Bottom Line: Senforce EMSM is a great tool for enforcing security policies on client computers. Its ability to push a specific policy to
a client based on its network affiliation is a great way to keep mobile users in check without being too heavy-handed about
it. Its reporting engine helps you prove compliance, and its support for wireless adapters and access points makes EMSM a
great choice for users on the move.
The EMSM management server requires Microsoft SQL Server 2000 for its storage needs (not included with EMSM) and the client
only runs on Windows 2000 and Windows XP Pro. Nevertheless, at $89.95 per seat, it’s a small price to pay for the level of
control available.
The heart of EMSM is the Policy Editor, where administrators define the policies for specific situations, such as whether
a PC is connecting via the LAN or a laptop is accessing the corporate network wirelessly. Senforce’s Policy Editor is a powerful
tool and allows a fine level of control over users and PC services. I did find the process of creating a policy, however,
to be a little confusing but not overly complex. As with many security devices, understanding the problem as well as its remedy
is half the battle.
Using Policy Editor, I created a couple of different profiles: one for my test lab and another for a remote user. The first
policy enforced some basic global rules, such as silencing the wireless adapter and requiring anti-virus to be running and
updated. I allowed all IP services, including e-mail, Web browsing, and Windows networking. The second profile was much like
the first, except that I set it to forbid Windows networking and only allow e-mail and Web browsing. In both situations, EMSM
correctly identified my laptop’s network addressing and pushed the proper policy to it.
Admins use EMSM’s Network Environments to define network characteristics so as to determine where a client has logged in and
consequently which policy to enforce. I was impressed with the level of detail available when describing a network location.
Choices include IP addressing, gateway, MAC address, wireless access point SSID (service set identifier), and DNS, DHCP, and
WINS (Windows Internet Naming Service) addresses. By using combinations of these parameters, you can deploy a policy for just
about any location you can think of, even based on which DNS server was assigned to the client via DHCP.
The Adapters and Access Points list provides a fine level of control over dial-up, wired, and wireless adapters. Especially
powerful for wireless locations, EMSM allows admins to define a specific access point a laptop can connect to while ignoring
all others. This is especially useful when you want to make sure wireless communication only takes place inside your enterprise.
If a client fails some check in a policy, such as its anti-virus signatures being out of date, instead of simply denying access,
EMSM puts the client in a “quarantined” state. There, the client can update the signature to comply with the policy, then
access the network. EMSM includes a wide range of reports to let IT audit their clients for policy compliance.
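The location matching and quarantine behaviour described above can be sketched as follows. This is an added example, not Senforce code or EMSM's policy format: the Environment class, its field names, the sample addresses, the deny-all "untrusted" fallback and the "av-update" quarantine service are all assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Environment:
    """Hypothetical network environment: every field that is set must match."""
    name: str
    policy: str
    subnet: Optional[str] = None
    gateway: Optional[str] = None
    dns: Optional[str] = None
    ssid: Optional[str] = None

    def score(self, seen):
        """Number of criteria matched, or -1 if any defined criterion fails."""
        hits = 0
        if self.subnet is not None:
            if ip_address(seen["ip"]) not in ip_network(self.subnet):
                return -1
            hits += 1
        for key in ("gateway", "dns", "ssid"):
            want = getattr(self, key)
            if want is not None:
                if seen.get(key) != want:
                    return -1
                hits += 1
        return hits

# Constructed policies modelled on the two profiles in the review, plus an
# assumed deny-all fallback for locations that match nothing.
POLICIES = {
    "lab": {"services": {"email", "web", "windows-networking"}, "wireless": False},
    "remote": {"services": {"email", "web"}, "wireless": False},
    "untrusted": {"services": set(), "wireless": False},
}
ENVIRONMENTS = [  # constructed sample addresses
    Environment("test-lab", "lab", subnet="10.1.0.0/16", gateway="10.1.0.1", dns="10.1.0.53"),
    Environment("remote-user", "remote", subnet="192.168.0.0/16"),
]

def select_policy(seen, av_current):
    """Pick the most specific matching environment, then apply the AV check."""
    best = max(ENVIRONMENTS, key=lambda e: e.score(seen))
    name = best.policy if best.score(seen) > 0 else "untrusted"
    policy = dict(POLICIES[name], name=name, quarantined=False)
    if not av_current:
        # Assumption: quarantine leaves only the signature-update path open.
        policy.update(services={"av-update"}, quarantined=True)
    return policy
```

A client whose address falls in the lab subnet but whose gateway or DNS server differs matches no environment and receives the fallback policy, which is the practical benefit of combining several parameters per location.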
The Senforce Mobile Security Client, which runs in the kernel of the host OS, intercepts network traffic at the NDIS layer.
Inspecting network traffic from there requires much less CPU time than is required by other client integrity products, such
as Sygate and Integrity, which operate higher in the network stack.
For all of its impressive features, EMSM is not a perfect product. Creating your policies is not an intuitive process, although
there are some wizards to step you through it. I felt like I was constantly jumping back and forth between settings to get
my policy created. Also, the client-side application runs as a service under Windows 2000 and XP. If your users have local
administrative rights to their PCs, they can stop the service and thereby circumvent the policy enforcement. Both of these
problems are being addressed in an upcoming release of EMSM due early in 2005.
Senforce Enterprise Mobile Security Manager is a great tool for managing your end-point security from a single, centralized
location. The level of granularity in the Policy Editor is first rate; I can’t imagine a situation it cannot handle. It is
flexible yet ultimately in control of not only which network services a client can use but on which types of network they
can use them. Problems with the management interface and client service are already being addressed, so Senforce should be
on your short list of end-point integrity tools.