Rollout: Altiris' ESS

Altiris beefs up its management framework, providing protection for computers that access insecure wireless networks and removable storage devices.

October 5, 2006


With its Endpoint Security Solution (ESS), Altiris has beefed up its management framework and provided protection for computers that access insecure wireless networks and removable storage devices. Its features protect mobile computers against network attacks and data loss.

ESS can lock down CD, DVD and removable storage devices. It also lets you define approved and prohibited wireless access points and change security policies, firewall configuration and endpoint integrity. ESS does an adequate job keeping up with competing products, including those from ISS and Symantec, thanks to its location-awareness, removable storage monitoring and wireless-configuration features.

ESS is the result of a partnership between Altiris and Senforce Technologies, which specializes in endpoint-security management. Altiris customers can install, configure and deploy ESS in less than 30 minutes. This package relies on the latest version of Altiris Notification Server (NS 6.0) with Service Pack 3 and the Altiris Agent on all endpoints where ESS will be deployed. We tested ESS within NS on Windows Server 2003 using Windows XP as the endpoints. Installation was simple and quick, with the entire process taking about 20 minutes.

[Chart: Altiris Vs. The Competition]

Setting Abilities By Location

ESS's Location Awareness feature lets admins apply necessary protections whether the host is inside the corporate network or in a coffee shop with an insecure wireless connection. This feature is nearly identical to the one in ISS's Proventia Desktop Endpoint Security, a similarly priced competitor. With ESS's Environment Definition, admins can define up to four IP addresses, corresponding to the network gateway, DNS, WINS and DHCP. When the host moves from one network to another, Location Awareness automatically changes ESS's policies based on network characteristics that match an Environment Definition.

Based on location, an admin can control communication devices such as Bluetooth, FireWire and serial and parallel ports. This is useful to prevent printing to unauthorized printers, for instance, when your sales force's laptops are out of the office. Similarly, CD drives, DVD drives and removable storage devices can be allowed, prohibited or set to read-only.

We set up two test networks: a typical business network and a wireless AP that simulated an insecure airport network. On the corporate network, we let clients print using Bluetooth, placed no restrictions on removable storage devices and permitted wireless connectivity only when a wired connection was not present.

On networks that failed to meet our "corporate network" environment definitions, we prohibited clients from using Bluetooth or writing files to removable storage. As soon as we pulled the Ethernet cable from our test machine, ESS enabled the wireless connection. We then tried printing over Bluetooth without success. All attempts to write data to our Corsair flash drive failed, though we still could read files from that drive.
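The location-matching behavior described above can be modeled in a few lines. This is an added example, not Altiris or Senforce code; it assumes that every address pinned in a definition must match, and the class names, IP addresses and the wireless setting for untrusted networks are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

FIELDS = ("gateway", "dns", "wins", "dhcp")  # the four addresses a definition may pin

@dataclass(frozen=True)
class Policy:
    bluetooth: bool
    removable_storage: str          # "read-write" or "read-only"
    wifi_only_without_wire: bool

@dataclass(frozen=True)
class Environment:
    name: str
    policy: Policy
    gateway: Optional[str] = None
    dns: Optional[str] = None
    wins: Optional[str] = None
    dhcp: Optional[str] = None

    def matches(self, observed: dict) -> bool:
        pinned = {f: getattr(self, f) for f in FIELDS if getattr(self, f)}
        # A definition that pins nothing would match every network, so reject it.
        return bool(pinned) and all(observed.get(f) == v for f, v in pinned.items())

# Fallback for any network that matches no definition (mirrors the review's test).
UNTRUSTED = Policy(bluetooth=False, removable_storage="read-only",
                   wifi_only_without_wire=False)

# Constructed corporate definition; WINS is left undefined on purpose.
CORPORATE = Environment("corporate",
                        Policy(True, "read-write", True),
                        gateway="10.0.0.1", dns="10.0.0.53", dhcp="10.0.0.2")

def select_policy(observed: dict, environments=(CORPORATE,)):
    """Return (location name, policy); fail closed to UNTRUSTED on no match."""
    for env in environments:
        if env.matches(observed):
            return env.name, env.policy
    return "untrusted", UNTRUSTED

def may_write_removable(policy: Policy) -> bool:
    return policy.removable_storage == "read-write"
```

A network that matches only some of the pinned addresses falls through to the untrusted policy, which is the fail-closed behavior an admin would want from this kind of check.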

Altiris continues to do a good job with reporting. ESS includes several predefined reports, and NS 6.0 lets admins tap the underlying SQL server for additional data.

Flimsy Firewall

ESS includes an inbound/outbound stateful firewall--a welcome addition to Windows 2000 and XP hosts, which either don't include a firewall or don't address outbound traffic. Admins can define allowed or denied TCP and UDP ports, trusted or untrusted IP or MAC addresses, and apps that are allowed or prohibited from network communications.

Unfortunately, because ESS has no mechanism to recognize malware, these firewall features didn't prevent us from clicking on a malicious instant message that immediately downloaded new adware, connected to an IRC server and tried to scan hosts on our test network. The checks for trusted applications are based only on file names and can easily be tricked if an attacker knows which applications are allowed to communicate.

Endpoint integrity is a low point for ESS. Admins can define checks for particular running processes and the existence of files that meet certain restrictions based on time stamps. To test the product's ability to verify the presence and currency of specific files, we installed McAfee VirusScan Enterprise 8.0i and made sure the sample check included in ESS saw the program was running. We then uninstalled VirusScan, made four copies of the Windows Notepad executable and renamed them to fit VirusScan's names. ESS could not tell the difference.
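Both weaknesses above, the trusted-application check and the integrity check, come from identifying a program by its file name. The following added example (not ESS code) contrasts a name-only check with one that pins each file's SHA-256; the file names and file contents are constructed placeholders.

```python
import hashlib
import os
import tempfile

def name_only_check(install_dir, required_names):
    """Weak check: passes when a file with each expected name exists."""
    return all(os.path.isfile(os.path.join(install_dir, n)) for n in required_names)

def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def pinned_hash_check(install_dir, manifest):
    """Stronger check: each file must exist and match its pinned SHA-256.
    Returns a list of (name, reason); an empty list means the check passed."""
    failures = []
    for name, expected in manifest.items():
        path = os.path.join(install_dir, name)
        if not os.path.isfile(path):
            failures.append((name, "missing"))
        elif sha256_file(path) != expected:
            failures.append((name, "hash mismatch"))
    return failures

def populate(directory, files):
    for name, content in files.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(content)

def demo():
    # Constructed stand-ins: hypothetical file names and placeholder contents.
    genuine = {"av_service.exe": b"constructed AV service image",
               "av_scanner.exe": b"constructed AV scanner image"}
    renamed = {name: b"constructed text-editor image" for name in genuine}
    manifest = {n: hashlib.sha256(c).hexdigest() for n, c in genuine.items()}
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as bad:
        populate(good, genuine)
        populate(bad, renamed)
        return {"name_only_genuine": name_only_check(good, genuine),
                "name_only_renamed": name_only_check(bad, genuine),
                "pinned_genuine": pinned_hash_check(good, manifest),
                "pinned_renamed": pinned_hash_check(bad, manifest)}

if __name__ == "__main__":
    print(demo())
```

Pinned hashes have to be refreshed whenever the protected product is updated, which is why production checks of this kind usually verify the publisher's code signature instead.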

Still, any company running Altiris NS 6.0 will do well to perform the $70-per-node upgrade. ESS will help keep data secure, on your network or someone else's.

John H. Sawyer is an IT security engineer at the University of Florida and a GIAC Certified Firewall Analyst. Write to him at [email protected].
