ENDPOINT SECURITY
Sophos Endpoint Security and Control 8.0
REVIEWED BY SANDRA KAY MILLER
Sophos
Price: Starts at $43 per user annually
The comprehensive feature set in Sophos Endpoint Security and Control can replace a number of individual endpoint security products. In addition to antivirus, it delivers anti-spyware/adware, host intrusion prevention, a host firewall, application control, device control and network access control.
Sophos provides centralized management for multiple platforms, including Windows, Macintosh, Linux/Unix, NetWare and OpenVMS.
| Installation/Configuration | B |
Installation of the enterprise console, network access control (NAC) server and both AV and NAC client agents was straightforward. We opted for the advanced over the quick setup option and were still able to quickly step through designating a new Enterprise Management Library, which is the central repository for software and downloads.
Next, we set up the schedule for automated downloads. Moving through the configuration components, we had the option of choosing the specific platform agents needed for our environment. The final step opened the management console dashboard, which offers comprehensive access to managed computers, updates, alerts, policies, protection and errors, as well as a tabbed display for details about AV, firewall, NAC, computers, updates, alerts and application control.
To quickly create and maintain user/computer groups, you can import and synchronize information with Active Directory.
While setting up the enterprise console and NAC server worked flawlessly, we encountered several irritations when pushing the client software out from the console; in a number of cases the install had to be finished by hand. For example, you need administrative rights on the target PC, and previous versions of the software have to be uninstalled on older Windows machines first. We also encountered error messages during installation on Vista.
There's plenty of documentation to get past these issues. While this might be acceptable in smaller organizations, larger distributed enterprises with multiple versions of Windows as well as other platforms would definitely be challenged during a rollout.
Also, the NAC agent has to be installed separately, and manually on older Windows PCs as well as Mac and *nix machines. We also had an issue getting the agent to install on XP machines, which required us to turn off "Simple File Sharing" (the setting under Folder Options, which is different from the File Sharing option found under NIC settings).
From the dashboard in the enterprise console, the policy tree provides instant access to rules for updating, antivirus and HIPS, application control, firewall and NAC.
We were able to set granular policies for different operating systems as well as for different versions of Microsoft Windows (95 through Vista). Under AV and HIPS, we quickly set up detailed scanning options and exclusions specific to each platform. The Cleanup tab let us assign specific actions to known viruses and spyware as well as to suspicious files. By treating suspicious files differently from confirmed malware, for example by quarantining rather than deleting them, the impact of false positives can be significantly reduced.
Sophos provides an extensive list of application types that allowed us to move commonly known applications from authorized to blocked. Within minutes, we were able to prohibit a multitude of games, instant messengers and file-sharing applications such as LimeWire, Morpheus, Kazaa and FileTopia.
There are also options to limit the use of devices such as CD/DVD drives, floppies and removable USB drives, as well as virtualization apps, popular VoIP clients and even wireless connections including Bluetooth, infrared and WiFi. These are yes/no controls, lacking the granular capabilities (read-only access, per-device whitelisting) of dedicated device control tools.
Host firewall policies were standard fare, including rules for blocking and allowing different types of protocols, applications and processes.
NAC provides separate policies for managed and unmanaged computers, that is, those with or without the NAC agent. For both, we were able to define the conditions under which they may connect to the network. For example, a road warrior's managed laptop must have the most recent updates and a completed scan before attaching directly to the internal network with full access, while unmanaged users are directed to a URL where a Web-based agent determines the security state of the machine before network access is granted. In addition to checking AV status, the NAC component can check items such as OS service pack and patch level.
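To make the managed/unmanaged split concrete, here is an added illustration of how such a NAC posture decision is typically structured. It is example code written for this review, not Sophos's policy engine, policy format or agent protocol: the policy fields, the assessment URL, the patch names and the three sample endpoints are all constructed assumptions. A managed machine must pass every check (fresh AV definitions, a completed scan, minimum service pack, required patches) to get full access and otherwise is sent to remediation with every failed check listed; an agentless machine is never trusted for a verdict and is redirected to the Web-based assessment page first.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Hypothetical URL of the web-based assessment page for agentless machines.
ASSESSMENT_URL = "https://nac.example.internal/assess"


@dataclass
class Endpoint:
    """Posture reported by (or probed from) one machine. Constructed data."""
    hostname: str
    managed: bool                                   # NAC agent present?
    av_defs_updated: Optional[datetime] = None      # last AV definition update
    last_scan_completed: Optional[datetime] = None  # last full scan that finished
    service_pack: int = 0                           # OS service pack level
    installed_patches: List[str] = field(default_factory=list)


@dataclass
class ManagedPolicy:
    """Conditions a managed machine must meet for full access (assumed values)."""
    max_defs_age: timedelta = timedelta(days=1)
    max_scan_age: timedelta = timedelta(days=7)
    min_service_pack: int = 2
    required_patches: List[str] = field(default_factory=list)


@dataclass(frozen=True)
class Decision:
    access: str                       # "full", "remediate" or "assess"
    reasons: Tuple[str, ...] = ()
    redirect: Optional[str] = None    # where a non-compliant machine is sent


def evaluate_managed(ep: Endpoint, policy: ManagedPolicy, now: datetime) -> Decision:
    """Apply the managed-computer policy; every failed check is reported,
    so the user (or help desk) sees the full remediation list at once."""
    reasons = []
    if ep.av_defs_updated is None or now - ep.av_defs_updated > policy.max_defs_age:
        reasons.append("antivirus definitions out of date")
    if ep.last_scan_completed is None or now - ep.last_scan_completed > policy.max_scan_age:
        reasons.append("no completed scan within the allowed window")
    if ep.service_pack < policy.min_service_pack:
        reasons.append(f"service pack {ep.service_pack} below required SP{policy.min_service_pack}")
    missing = sorted(set(policy.required_patches) - set(ep.installed_patches))
    if missing:
        reasons.append("missing patches: " + ", ".join(missing))
    if reasons:
        return Decision("remediate", tuple(reasons), ASSESSMENT_URL)
    return Decision("full")


def evaluate(ep: Endpoint, policy: ManagedPolicy, now: datetime) -> Decision:
    """Unmanaged machines have no agent to vouch for them, so they are sent
    to the web assessment page before any posture verdict is made."""
    if not ep.managed:
        return Decision("assess", ("no NAC agent installed",), ASSESSMENT_URL)
    return evaluate_managed(ep, policy, now)


# Constructed sample endpoints and a fixed "now" so the run is reproducible.
NOW = datetime(2008, 6, 1, 12, 0)
POLICY = ManagedPolicy(required_patches=["patch-A", "patch-B"])   # placeholder names

SAMPLE_ENDPOINTS = [
    # compliant road warrior: defs 6 hours old, scan 2 days old, SP3, all patches
    Endpoint("road-warrior-1", True, NOW - timedelta(hours=6), NOW - timedelta(days=2), 3,
             ["patch-A", "patch-B"]),
    # stale road warrior: defs 3 days old and one patch missing
    Endpoint("road-warrior-2", True, NOW - timedelta(days=3), NOW - timedelta(days=2), 3,
             ["patch-A"]),
    # visitor's laptop with no agent at all
    Endpoint("guest-laptop", False),
]


def run_samples():
    """Evaluate every sample endpoint; returns {hostname: Decision}."""
    return {ep.hostname: evaluate(ep, POLICY, NOW) for ep in SAMPLE_ENDPOINTS}


if __name__ == "__main__":
    for host, d in run_samples().items():
        print(f"{host}: {d.access}", *d.reasons, sep="  ")
```

The point of listing every failed check rather than stopping at the first is practical: a laptop that has been off the network for a while usually fails several checks at once, and a remediation page that reveals them one at a time costs the user several reconnect cycles.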