Senforce enforces client security wisely
Enterprise Mobile Security Manager arms admins with flexibility to tailor group policies
Senforce’s EMSM (enterprise mobile security manager) is a centrally managed platform for creating and deploying very granular access control policies to both local and remote users. Like Check Point Integrity and Sygate Secure Enterprise, EMSM goes well beyond checking to see whether the client’s anti-virus is up to date. However, unlike these products, EMSM focuses on enforcing security policies based on location: it can disable remote storage devices, wireless adapters, and even specific IP services on the client, depending on whether the client is connecting over a wired or wireless link and whether the network is trusted or untrusted.
The EMSM management server requires Microsoft SQL Server 2000 for its storage needs (not included with EMSM), and the client runs only on Windows 2000 and Windows XP Pro. Nevertheless, at $89.95 per seat, it’s a small price to pay for the level of control available.
The heart of EMSM is the Policy Editor, where administrators define the policies for specific situations, such as whether a PC is connecting via the LAN or a laptop is accessing the corporate network wirelessly. Senforce’s Policy Editor is a powerful tool and allows a fine level of control over users and PC services. I did find the process of creating a policy, however, to be a little confusing but not overly complex. As with many security devices, understanding the problem as well as its remedy is half the battle.
Using Policy Editor, I created a couple of different profiles: one for my test lab and another for a remote user. The first policy enforced some basic global rules, such as silencing the wireless adapter and requiring anti-virus to be running and updated. I allowed all IP services, including e-mail, Web browsing, and Windows networking. The second profile was much like the first, except that I set it to forbid Windows networking and only allow e-mail and Web browsing. In both situations, EMSM correctly identified my laptop’s network addressing and pushed the proper policy to it.
Admins use EMSM’s Network Environments to define the network characteristics that identify where a client has logged in, and consequently which policy to enforce. I was impressed with the level of detail available when describing a network location. Choices include IP addressing, gateway, MAC address, wireless access point SSID (service set identifier), and DNS, DHCP, and WINS (Windows Internet Naming Service) addresses. By using combinations of these parameters, you can deploy a policy for just about any location you can think of, even one based on which DNS server DHCP assigned to the client.
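The sketch below is an added illustration of combination-based location matching, not Senforce’s code or EMSM’s policy format. The `Environment` class, the policy names, and all addresses are constructed for the example, and falling back to the restrictive remote policy when nothing matches is an assumption.

```python
import ipaddress
from dataclasses import dataclass, asdict
from typing import Optional

@dataclass
class Environment:
    """Hypothetical network location built from the attributes the review lists."""
    name: str
    policy: str
    subnet: Optional[str] = None       # client IP must fall inside this range
    gateway_mac: Optional[str] = None
    ssid: Optional[str] = None
    dns: Optional[str] = None
    dhcp: Optional[str] = None
    wins: Optional[str] = None

    def criteria(self) -> dict:
        return {k: v for k, v in asdict(self).items()
                if k not in ("name", "policy") and v is not None}

    def matches(self, seen: dict) -> bool:
        crit = self.criteria()
        if not crit:                   # an empty definition must never match
            return False
        for key, want in crit.items():
            got = seen.get("ip" if key == "subnet" else key)
            if got is None:
                return False
            if key == "subnet":
                ok = ipaddress.ip_address(got) in ipaddress.ip_network(want)
            elif key == "gateway_mac":  # normalise Windows-style 00-11-... form
                ok = got.lower().replace("-", ":") == want.lower()
            else:
                ok = got == want
            if not ok:                 # every listed attribute has to agree
                return False
        return True

def select_policy(envs, seen, default="remote"):
    """Most specific matching environment wins; unknown networks get `default`."""
    hits = [e for e in envs if e.matches(seen)]
    if not hits:
        return default
    return max(hits, key=lambda e: len(e.criteria())).policy

# Constructed sample environments (not taken from the product).
ENVS = [
    Environment("lab-lan", "lab", subnet="10.20.0.0/16",
                gateway_mac="00:11:22:33:44:55", dns="10.20.0.53"),
    Environment("corp-any", "corp-basic", dns="10.20.0.53"),
]
```

A client whose address falls in the lab range but whose gateway and DNS differ, such as a home network that reuses the same private range, gets the restrictive default, which is why a location is defined by a combination of attributes.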
The Adapters and Access Points list provides a fine level of control over dial-up, wired, and wireless adapters. Especially powerful for wireless locations, EMSM allows admins to define a specific access point a laptop can connect to while ignoring all others. This is especially useful when you want to make sure wireless communication only takes place inside your enterprise.
If a client fails some check in a policy, such as its anti-virus signatures being out of date, instead of simply denying access, EMSM puts the client in a “quarantined” state. There, the client can update the signature to comply with the policy, then access the network. EMSM includes a wide range of reports to let IT audit their clients for policy compliance.
The Senforce Mobile Security Client, which runs in the kernel of the host OS, intercepts network traffic at the NDIS layer. Inspecting network traffic from there requires much less CPU time than is required by other client integrity products, such as Sygate and Integrity, which operate higher in the network stack.