Exclusive: ECS agents protect you from the unknown

Elemental Compliance System ensures only compliant hosts connect to your network

By Keith Schultz
June 20, 2005
 

The only truly secure computer is one that's unplugged and buried in a hole 6 feet deep -- or so it's been said. Unfortunately, you can't disconnect and bury your servers to keep them safe. You can, however, move access control from the user domain to the device domain. Anyone can punch in a user name and password and gain access to a secure resource, but if a device must be checked out and approved in order to connect to a host, you're in control of who accesses your network.


Elemental Compliance System 1.1

Elemental Security, elementalsecurity.com

Overall: Excellent, 9.3

Criteria             Score   Weight
Policy Enforcement     10     25%
Policy Management       9     20%
Reporting               9     20%
Scalability             9     15%
Ease-of-use             9     10%
Value                   9     10%

Cost:
ECS server and 500 agents, $100,000; bulk pricing available

Platforms:
Server: Oracle 10g and Red Hat Enterprise Linux 2.1/3.0, IE 6.0, Mozilla 1.4, and Firefox 1.0; clients: Windows 2000/XP/2003, Red Hat 9 and EL 2.1/3.0, and Solaris 8 and 9

Bottom Line:
ECS 1.1 does an exceptional job identifying hosts on the enterprise. Through its powerful policy engine, ECS can enforce connectivity restrictions based on a large number of criteria. The reporting capabilities are enormous, and the amount of information recorded is staggering. Although it won’t replace a standard IDS, it does provide a potent platform for discreetly managing all hosts on the network.


There are a number of efforts under way to move the security management burden from enterprise resources to the connected devices. Companies such as Cisco and Sygate have differing methods of accomplishing end-point and network access management, but neither goes as far as Elemental Security's ECS (Elemental Compliance System).

ECS wraps metered network access control with granular policy management and exceptional reporting. Although ECS relies heavily on software agents deployed on "known" PCs and servers, it still enforces policies on PCs not running its agent by limiting or denying connections to hosts that do.

ECS isn't intended for small networks; it's a full-blown enterprise system that requires enterprise-level infrastructure. It also requires Oracle 10g as its database engine, although the company is considering supporting IBM DB2.

In my test, I was more than impressed by how well ECS does its job. I was able to view the overall security health of some of my lab servers and to locate ones that weren't up-to-date with Microsoft patches. To test the enforcement aspect of ECS, I created a directive that blocked access from a host that was found running a particular executable. When the program was running, I could not connect to any protected servers until I shut down the offending application.

Secret agent man

ECS is an agent-driven system. In this release, ECS manages as many as 4,000 agent-installed hosts and will track as many as 30,000 unknown hosts.

Agents collect and report to the server very detailed information about the hosts on which they're running. That information includes OS and patch level, IP and MAC (media access control) addresses, CPU, hardware manufacturer, anti-virus status, whether the host is a laptop or a wireless device, and even if it's running services such as DNS, mail, or Web. The agents also look for user-defined attributes such as running processes. Based on all this (and other) information, ECS automatically places the host into one or more groups, which are collections of hosts that share a common criterion.

Admins bundle policies with groups to create directives, the long arm of ECS enforcement. For example, I created a policy based on an existing NSA Windows XP security policy and deployed it to my Windows XP hosts group as a new directive. The system comes with a large list of built-in policies, and administrators can build their own from existing rules or policies or from scratch.

The agents have a built-in packet filter, which is key to enforcing directives on the hosts. Depending on the host's group affiliation and the directives in place, the packet filter prevents communication with other hosts or a specific group of hosts. For example, a PC in the Accounting group could have a directive that prevents any communication with hosts in the Wireless group.

It's easy to see how this works with known hosts running agents. The approach becomes more interesting when it comes to hosts on which agents are not installed. Hosts with agents report communication with all other hosts -- those with and without agents -- back to the ECS server. The system places agentless hosts in an "unknown" group. Depending on the current directive, known hosts can deny connections to these unknown systems not running the agent.

For instance, admins could prevent unauthorized access to the network by installing an agent on a DHCP or DNS server and creating a directive to deny connections from any unknown PC, locking out the PC by denying it an IP address and DNS information. Likewise, a server running an agent would deny connections from any unknown host even if an enterprising attacker manually set his or her IP information.

When a new directive is deployed, there's inherent latency associated with it. The agents periodically check in with ECS, roughly every three minutes, but if they are turned off or a laptop is out of the office, they may not update for days. ECS will try to poll all agents every 30 minutes to gather statistics and network traffic.

It's important to note that, because of this, ECS is not a replacement for a good IDS/IPS system. ECS enforces overall enterprise policy and doesn't try to prevent "point in time" attacks on the network. With the proper directives in place, it will go a long way toward limiting exposure and vulnerabilities.

Flexible and informative

I like that ECS isn't an all-or-nothing system. You can create and deploy a directive against a group of hosts and just sit back and collect information. After a few days, or weeks, you can generate a report and see how many hosts might be out of compliance with the policy. And by drilling down into the report, you can see the exact rule a host is violating. At this point, IT tech staff can correct the out-of-compliance item, enable packet filtering on the agents, and set up stricter traffic control on the network.
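The following is an added illustration, not code from Elemental Security or from the review, of the model the preceding sections describe: agents report host attributes, the server sorts hosts into groups by criteria, a directive binds a policy and/or a traffic restriction to a group, and the agent's packet filter decides whether a connection is allowed, with agentless hosts landing in "unknown". It also shows the monitor-only mode described just above, where a directive collects compliance data and a report names the exact rule each host violates. All host names, attribute names, group and policy names, and the `Directive` structure are constructed for the example and are not ECS's own data model.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# Constructed agent reports, shaped like the attributes the review says agents
# collect (OS, patch level, wireless, anti-virus status, services, processes).
AGENT_REPORTS: Dict[str, dict] = {
    "acct-pc-01": {"os": "Windows XP", "patch_level": 4, "wireless": False,
                   "antivirus_ok": True, "dept": "Accounting",
                   "services": set(), "processes": {"explorer.exe", "excel.exe"}},
    "sales-lt-07": {"os": "Windows XP", "patch_level": 2, "wireless": True,
                    "antivirus_ok": False, "dept": "Sales",
                    "services": set(), "processes": {"explorer.exe", "p2pclient.exe"}},
    "dns-01": {"os": "Red Hat EL 3.0", "patch_level": 9, "wireless": False,
               "antivirus_ok": True, "dept": "IT",
               "services": {"dns"}, "processes": {"named"}},
}

# Groups: each is one criterion evaluated against a host's report. The last
# one is a user-defined attribute (a running process), as the review describes.
GROUP_RULES: Dict[str, Callable[[dict], bool]] = {
    "Windows XP hosts": lambda h: h["os"] == "Windows XP",
    "Wireless": lambda h: h["wireless"],
    "Accounting": lambda h: h["dept"] == "Accounting",
    "Protected servers": lambda h: bool(h["services"]),
    "Running p2pclient": lambda h: "p2pclient.exe" in h["processes"],
}


def groups_for(host: str) -> Set[str]:
    """A host with an agent joins every group whose rule its report matches;
    a host the server only hears about second-hand is placed in 'unknown'."""
    report = AGENT_REPORTS.get(host)
    if report is None:
        return {"unknown"}
    return {name for name, rule in GROUP_RULES.items() if rule(report)}


# Policies: named rules a host must satisfy, as (rule name, check) pairs.
POLICIES: Dict[str, List[Tuple[str, Callable[[dict], bool]]]] = {
    "XP baseline": [
        ("patch level >= 3", lambda h: h["patch_level"] >= 3),
        ("anti-virus current", lambda h: h["antivirus_ok"]),
        ("no p2pclient.exe running", lambda h: "p2pclient.exe" not in h["processes"]),
    ],
}


@dataclass
class Directive:
    """A policy and/or traffic restriction bound to a group (hypothetical shape)."""
    group: str
    policy: str = ""                              # compliance policy to check, if any
    deny: Set[str] = field(default_factory=set)   # peer groups this group's agents block
    enforce: bool = False                         # False: collect and report only


DIRECTIVES: List[Directive] = [
    Directive("Windows XP hosts", policy="XP baseline"),                # monitor only
    Directive("Accounting", deny={"Wireless"}, enforce=True),
    Directive("Protected servers", deny={"unknown", "Running p2pclient"}, enforce=True),
]


def compliance_report(directives: List[Directive] = DIRECTIVES) -> Dict[str, List[str]]:
    """Per host, the exact rules it violates under directives that apply to its groups."""
    report: Dict[str, List[str]] = {}
    for host, attrs in AGENT_REPORTS.items():
        hits: List[str] = []
        for d in directives:
            if d.policy and d.group in groups_for(host):
                hits += [f"{d.policy}: {name}" for name, ok in POLICIES[d.policy] if not ok(attrs)]
        if hits:
            report[host] = hits
    return report


def connection_allowed(src: str, dst: str, directives: List[Directive] = DIRECTIVES) -> bool:
    """Packet-filter decision: the connection survives only if no enforced directive
    on either endpoint's groups denies the other endpoint's groups. Because the
    filter runs on the agent, an agentless ('unknown') host is blocked by the agent
    on the far side, which is what the review calls reverse policy enforcement."""
    for me, peer in ((src, dst), (dst, src)):
        mine, theirs = groups_for(me), groups_for(peer)
        for d in directives:
            if d.enforce and d.group in mine and d.deny & theirs:
                return False
    return True


if __name__ == "__main__":
    for host, rules in compliance_report().items():
        print(f"{host} violates: {rules}")
    for pair in (("acct-pc-01", "sales-lt-07"), ("rogue-pc", "dns-01"),
                 ("sales-lt-07", "dns-01"), ("acct-pc-01", "dns-01")):
        print(pair, "allowed" if connection_allowed(*pair) else "denied")
```

Two properties of the model are worth noticing. The "XP baseline" directive is deployed with `enforce=False`, so the non-compliant laptop still shows up in the report, rule by rule, without losing connectivity; flipping the flag is the step the review describes as enabling packet filtering once the findings have been reviewed. And an agentless host is only denied where an agent-protected peer has a directive against "unknown": `connection_allowed("rogue-pc", "sales-lt-07")` returns True, which is why the review's suggestion of putting an agent on the DHCP or DNS server matters, since those are the hosts every newcomer must talk to.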

ECS's reporting module is deep and extensive. Admins can slice and dice views of the enterprise any way they choose. I was impressed by how much data was stored for each host and by how easy it was to create and view a report. I could view the underlying data -- such as traffic by protocol or directive compliance -- by clicking the host name in the report.

ECS is a major step toward enterprisewide monitoring and access control. The packet filter-capable agents do the enforcement, whereas the back-end server handles the data collection, analysis, and policy management. The level of granularity is superb, and the reporting engine is second to none. I really like the concept of "reverse policy enforcement" to systems not running the ECS agent. For companies looking to get a handle on network access, ECS is well worth checking out.

Keith Schultz is president of NetData Consulting Services.