Check Point and Sygate corral end points

At their core, Check Point Integrity and Sygate Enterprise Protection are effectively policy-based firewalls. That’s the cake. The icing is their capability to monitor other applications for compliance with configuration requirements and send errant machines to quarantine until they can be updated with the latest anti-virus definitions, Windows patches, or other necessities.

Free IT resource Virtualization Insights from Top Experts - Learn how virtualization gets real! Sponsored by Dell Free IT resource TechNet: More ways to know it, share it, and keep it running. Sponsored by Microsoft

Both solutions rely on an end-point client closely coupled to a policy-management server, supporting a variety of mechanisms for quarantining noncompliant systems, including 802.1x authentication and integration with partner switches, routers, wireless APs, and VPNs.

Combining strong client security and flexible policy management, both Check Point Integrity 6.0 and Sygate Enterprise Protection 5.0 help prevent spyware, worms, trojans, and viruses from getting to the enterprise network from infected clients. In addition to ensuring that end points are secure and updated, both products can enforce policies governing which client-side applications can access the network based on almost any criteria you might want to apply.

Twin Towers of Access Control

Sygate’s Policy Manager has policy templates for common security patch deployments, personal firewalls, and anti-virus and anti-spyware software to help ease deployment. Depending on what type of adapter is being used to connect to the network (Ethernet, Wi-Fi, VPN, or the like) Sygate can apply appropriately restrictive access controls.

Between the Sygate Enforcement Agent (SEA) and the company network is the Enforcer, which applies access controls that the Policy Manager lays down. Noncompliant systems are placed into a quarantined network segment, where they can download the software needed to meet security requirements.

The SEA performs policy compliance checks during the initial connection and periodically via a timer or during a change in network location. Additionally, the SEA enforces policies when disconnected from the enterprise network, and it will automatically connect to your remediation download site to bring itself into compliance with or without user intervention.

For enforcing security policies on unmanaged end points, Sygate provides the ODA (On-Demand Agent). A Java applet that is downloaded to the client upon connection, ODA creates an encrypted virtual desktop with updated anti-virus software, anti-virus definitions, an anti-keystroke logger, and a personal firewall. After the session, ODA deletes all traces and removes itself from the system.

Check Point Integrity provides much of the same functionality. Instead of providing an enforcement gateway of its own, however, Integrity works with Check Point’s VPN-1, Connectra SSL VPN, and InterSpect IPS, as well as 802.1x-enabled gear, to quarantine noncompliant clients. Integrity works with switches from Cisco Systems, Enterasys, Extreme Networks, Foundry, HP, and other vendors, and counts Aventail, Cisco, Juniper, Microsoft, and Nortel among its SSL VPN partners. Sygate has partners of its own, including many of the same names, and its Enforcer gives customers who may not have an 802.1x infrastructure the option of implementing NAC without buying additional gear.

Like the Sygate agent, Integrity Client checks for compliance upon connection and during sessions, and it provides self-enforcement and auto-remediation capabilities. Check Point also provides an on-demand client, called Integrity Clientless Security, which uses ActiveX to deploy the Integrity Secure Browser to unmanaged systems. The Secure Browser creates a captive portal via connection to a Check Point or partner SSL VPN, also encrypting session data, blocking browser-cache copying and keystroke logging, and removing all traces when the session is terminated.