Exclusive: ESP 2.0 boosts your network perception

System admins used to only dream about knowing exactly which devices were on their network and controlling what resources those devices were accessing. There has been an explosion of products announced and released during the past few months aimed at providing this highly sought view of traffic flows and hosts, as well as tools to enforce network policies. One of the more mature solutions is ESP (Elemental Security Platform) 2.0.

Free IT resource TechNet: More ways to know it, share it, and keep it running. Sponsored by Microsoft Free IT resource Attend the SOA Executive Forum: Breaking SOA Bottlenecks SOAExecForum.com/may2007 Sponsored by InfoWorld Elemental Security Platform 2.0 Elemental Security, elementalsecurity.com Excellent  9.3 criteria score weight Policy Enforcement 10 25% Policy Management 9 20% Reporting 9 20% Scalability 9 15% Ease-of-use 9 10% Value 9 10% Cost: Server starts at $35,000; agents: approximately $600 per Enterprise (server) agent, $60 per Standard (desktop/laptop) agent Platforms: Server: Solaris, RHEL; clients: Windows, RHEL, Solaris, AIX, HP-UX, and Mac OS X Bottom Line: Elemental Security Platform 2.0 does an excellent job of identifying the devices attached to your network and placing them in separate groups. Policy deployment is easier than in the previous release, and the new regulatory polices — for HIPAA, Sarbanes-Oxley, and PCI — are well-rounded. Reporting has seen a massive overhaul with nearly four times as many reports as before, and the ESP server can now scale to 10,000 managed agents. About our Reviews and Scoring Methodology

ESP takes all of the good features in the previous release and adds more scalability and platform support, simpler policy deployment, and an even longer list of built-in reports. The entire system is very dynamic, constantly providing IT with updated information on known and unknown hosts. ESP still requires a software agent to be installed on all managed hosts, but as in the previous release, it allows for granular control even over unmanaged devices.

The latest Elemental version comes with a new name but the same laser-sharp focus. The name change from Elemental Compliance System  to Elemental Security Platform is not by chance. Version 2.0 is poised to be more of an underlying security infrastructure, providing host assessment and policy information to other systems.

Elemental has a strategic partnership with Cisco that allows it to work with NAC (Network Admission Control)-enabled policies and to define the compliance threshold for network admittance. ESP doesn’t take control of the wire, as does Cisco’s NAC, but it does control everything that runs on it.

Also new, ESP can now handle as many as 10,000 agents on a single ESP server, up from 4,000 in the previous release. The server now also runs on Solaris 8/9/10 and RHEL (Red Hat Enterprise Linux) 4.0. Admins will still have to supply their own Oracle 9i or 10g Enterprise Edition database to handle information storage and retrieval. A dual-processor server with 2GB of RAM and 200GB of disk space is a good starting point for the ESP server.

Agent up

Admins install software agents on the servers and host devices they want to actively manage. These agents can either be pushed out using a software distribution system or be installed from a network share or CD. Once installed, the agents “phone home” to the ESP server, reporting back information such as host name, IP and MAC (media access control) address, OS version and service pack level, network configuration, CPU and other hardware information, as well as what hosts the client is connected to.

All the data gathered by the agents is used to dynamically place the device in any number of groups. Admins can create different security policies to apply to hosts based on their group membership. Even in my simple test scenario, each server and client ended up in four or five different groups. Elemental provides a large number of predefined groups, and admins can create custom group definitions to meet specific needs.

The latency I saw in the previous release associated with policy deployment and enforcement is nearly erased in 2.0, now that policies are pushed out to the agents.

The agent also has a built-in packet-filter engine that allows ESP to enforce “no connection” policies to hosts. For example, I had a policy that forbade hosts in the accounting group from having any connection with hosts in other groups. No special network hardware is needed; the agent handles everything.

ESP’s capability of handling agentless hosts is still one of its most intriguing aspects. Based on information gleaned from hosts with the agent, ESP passively monitors unmanaged devices and places them into various groups. For one of my Microsoft SBS (Small Business Server) 2003 servers not running an agent, ESP categorized it as Inside (part of my locally defined network), Observed (a broad group of detected systems), and Active. ESP also recognized it is a DNS and DHCP server and a Windows system. Based on this information, I could craft a policy that either allowed agent-installed clients to connect to the SBS 2003 server, or, conversely, deny access to any managed host from the server.

Policies for everyone

Gone in the new release is the Directive structure -- an intermediary step in policy creation -- used in 1.1. Policy creation is now a two-step process: Select the necessary policy and choose the group of hosts to deploy it to. This change allows for a much faster, smoother, and intuitive process.

New policy rules cover regulatory compliance, with HIPAA and PCI (Payment Card Industry) joining Sarbanes-Oxley; running processes; installed files; hardware devices, such as USB thumb drives; and CIS (Center for Internet Security) benchmarks. ESP can also check for anti-spyware -- Computer Associates, Lavasoft, McAfee, and Webroot -- and now supports Trend Micro Antivirus in addition to Symantec and McAfee.

Admins can now grant policy exceptions to specific users or groups of users on demand, or they can schedule the exceptions. This allows for more strict enforcement settings after-hours, for instance, denying all traffic to secure database servers. ESP also now comes with delegated administration (read/write/deploy) and can make use of user information stored in LDAP and LDAP-enabled directories, such as Active Directory, and RADIUS as the source of local user log-ins.

The reporting capabilities in Version 1.1 were very impressive, but that wasn’t enough for Elemental. This release boasts nearly four times as many predefined reports as before, allowing quick access to compliance reports for a specific group of hosts as well as various traffic statistics. Other reports cover inventory -- hardware, software, patch level -- and remediation. A new feature allows you to schedule reports automatically -- nice for the busy admin. I found the reporting system to be straightforward to use, but figuring out how to slice the data sometimes took a while.

Last year, Elemental set the standard for providing hosts compliancy checks and insight into network traffic patterns. Now, ESP broadens its reach to include more client and server platforms and increases the number of agents a single ESP server can handle. Still impressive is the granular policy deployment and the amount of raw information the agents report back to the server. Although ESP doesn’t control access to the wire, it does handle all other aspects of network traffic smoothly and gracefully. Elemental Security Platform 2.0 has just raised the bar a little higher.