Check Point and Sygate corral end points
Similarly strong network access control solutions make for a hard choice
Like the Sygate agent, Integrity Client checks for compliance upon connection and during sessions, and it provides self-enforcement and auto-remediation capabilities. Check Point also provides an on-demand client, called Integrity Clientless Security, which uses ActiveX to deploy the Integrity Secure Browser to unmanaged systems. The Secure Browser creates a captive portal via connection to a Check Point or partner SSL VPN, also encrypting session data, blocking browser-cache copying and keystroke logging, and removing all traces when the session is terminated.
In both solutions, effective network access control starts with strong client security. The Sygate and Check Point clients incorporate stateful, application-centric firewalls and buffer overflow protection. Sygate uses Determina’s memory firewall technology to protect Windows servers, whereas Check Point’s firewall and Malicious Code Protector (the product’s name for buffer overflow protection) protect Windows clients. Additionally, Check Point has native anti-spyware, anti-trojan, and instant messaging protection. Sygate provides anti-trojan protection natively, and the version I tested used Lavasoft Ad-Aware SE Professional to detect and remove spyware. Going forward, Sygate will use Symantec technologies to combat spyware. Both Check Point and Sygate currently lack an embedded virus-scan capability.
During testing, while logged in as a normal end-user without admin privileges, I tried tampering with both clients to see if I could shut them down. While the Check Point agent managed to resist all my attempts to disable it, which included stopping services and deleting integral files, I found I could kill the Sygate agent by deleting files. Although the agent could be killed, Sygate’s policy options allow you to quarantine or isolate any end point on which the agent is not running. Both Check Point and Sygate also allow you to hide agents from users, and even shield them from port scans and probes.
Policy Creation and Enforcement
For management of policies and SEAs, Sygate uses a Java-based front end. Like all Java-based consoles, it can sometimes be slow to respond, but it proved snappy enough during my testing. Check Point uses an SSL-secured Web front end to manage Integrity clients. The management interfaces of both products are split into a Table of Contents-style left pane and a tabbed main window, and both make administrative tasks, from client deployment to firewall and policy configuration, similarly straightforward. A nice extra in the Sygate console is the Change History that sits at the bottom of the screen, providing useful historical and administrative information. In general, I preferred Sygate’s more polished interface to Check Point’s, although Sygate still has a way to go before it reaches perfection. While Check Point does a good job of hiding complexity, the power that Sygate readily exposes to administrators can sometimes be daunting.
For large environments, Sygate allows you to assign an administrator per functional domain group, and provides a decent amount of granularity in administrative permissions (from read-only to only-view logs and such). Check Point supports multidomain administration, which makes managing large organizations easier by creating domains for admins and zones for end-point clients. Additionally, Check Point has multitiered administration with logging to monitor end-point client changes by different administrators. As in Sygate, domains are isolated so as not to share unnecessary information with unauthorized administrators.