Better to Be SAFE Than Sorry?

By Andrew Garcia  |  Posted 2006-07-10

Tech Analysis: SpectraGuard SAFE (Security Assurance for Endpoints) 2.0 is promising, but there's much work to be done before it can fully deliver.

Wireless clients can easily fall into an insecure state, and, with more people demanding more wireless access, the vulnerabilities are increasing exponentially.

Because it is much more efficient to restrict wireless clients from doing insecure things—rather than trying to clean up the mess after they do them—AirTight Networks has integrated endpoint wireless security into its SpectraGuard Enterprise 5.0 platform in the form of SpectraGuard SAFE (Security Assurance for Endpoints) 2.0. However, while the feature is promising, there's much work to be done before it can fully deliver.

SAFE allows administrators to define policies that dictate the networks to which a client can connect, the minimum encryption level allowed and whether a wired connection can be active at the same time (or whether bridging is allowed). SAFE also lets administrators block Wi-Fi use altogether via policy.

A dashboard on the client shows whether the machine's current wireless security posture is safe, and this information is transferred to the SpectraGuard Server, giving administrators at-a-glance insight into the device's security (or lack thereof).

From the SpectraGuard Enterprise 5.0 management console, we configured policies that had different settings depending on location—work, home or away. When a new SAFE client contacts the SpectraGuard Server (the client needs to be programmed with the SpectraGuard Server IP address and a shared key), SpectraGuard Enterprise automatically assigns and distributes the default policy. Administrators can later organize SAFE clients into groups for more policy options.

While most of SAFE's security functionality could be implemented through the proper configuration of a client's wireless supplicant software via policy (be it Microsoft Windows XP's Wireless Zero Configuration service or a third-party supplicant such as Juniper Networks' Odyssey Access Client), SAFE is especially attractive because it is designed to report directly to the wireless IPS, letting administrators in on what a user has been up to with his or her wireless connection in the context of the entire wireless network.

With that said, SAFE and SpectraGuard Enterprise are not there yet. While we could pull up SAFE reports for individual clients from the Administration tab in the SpectraGuard Enterprise 5.0 console, this data is not yet integrated into the SpectraGuard Enterprise database for group analysis or trending. To cull this data, the SAFE client needs to be polled directly when the report is requested—so if the client is offline, there's no report to see.

Adding SAFE support to SpectraGuard Enterprise 5.0 costs $4,995 for the software license. This initial license includes 100 SAFE client licenses; additional client licenses start at $20 apiece, and volume discounts are available.

Technical Analyst Andrew Garcia can be reached at

Andrew cut his teeth as a systems administrator at the University of California, learning the ins and outs of server migration, Windows desktop management, Unix and Novell administration. After a tour of duty as a team leader for PC Magazine's Labs, Andrew turned to system integration - providing network, server, and desktop consulting services for small businesses throughout the Bay Area. With eWEEK Labs since 2003, Andrew concentrates on wireless networking technologies while moonlighting with Microsoft Windows, mobile devices and management, and unified communications. He produces product reviews, technology analysis and opinion pieces for, eWEEK magazine, and the Labs' Release Notes blog. Follow Andrew on Twitter at andrewrgarcia, or reach him by email at
