Integrity Lays Down the Law in Security

Zone labs end-point security system ensures adherence to current policies.

Zone Labs Inc.s Integrity 4.0 end-point security system for Windows PCs is well worth adding to corporate computers.

Zone Labs is well-known for its consumer-oriented products, but this version of Integrity builds on the ability of earlier versions to centrally manage policies and adds cooperative enforcement integration with Cisco Systems Inc., Nortel Networks Inc. and Check Point Software Technologies Ltd. VPN (virtual private network) systems. During eWEEK Labs tests, cooperative enforcement, where Integrity 4.0 end-point agents ensured that the most current security policies were being followed, allowed only secure clients to access our test network.

Integrity 4.0

Zone Labs Integrity 4.0 is effective enterprise security software that implements firewall and other centrally managed security policies on Windows PCs. The Zone Labs software is competitively priced, and it should fit within most IT managers budgets for long-term maintenance. However, plan on having a team of skilled network and application engineers design the policies that Integrity 4.0 dishes out to end-point systems.
















  • PRO: Firewall rules and streamlined policy development tools effectively enforce security policy; cooperative enforcement adds neat integration with VPN gateways.
  • CON: Needs more reports on policy changes.

• Sygates Secure Enterprise • Network Associates Technologys McAfee System Protection ePolicy Orchestrator • Cisco Systems Policy Management Solution

Integrity 4.0, which started shipping last month, costs $65 per end-point license. The Integrity 4.0 server license is provided at no additional charge. Integrity is competitively priced against offerings from Sygate Inc., Network Associates Technology Inc. and Cisco Systems.

eWEEK Labs recommends that IT administrators take a comprehensive approach to determining the best value when buying an end-point security system. Based on our tests of Integrity 4.0, ongoing administration costs should figure heavily in the buying decision.

For example, Integrity 4.0 worked well when monitoring relatively small numbers of systems in our test environment. But Integrity 4.0 should also deal neatly with even larger environments because it has a built-in filter to show only systems that are in violation of a security policy. This allowed us to quickly zero in on problem machines without having to repeatedly click "next" to wade through a cumbersome list of hundreds of client systems.

New in this version of Integrity is what Zone Labs calls "classic firewall rules," and we think this is a good addition to the product (even if Microsoft Corp. follows through with its plans, announced in the wake of the Blaster worm, to include firewall capabilities with default settings to prevent easy access to Windows systems). Integrity allowed us to set firewall rules from a central location without having to go from machine to machine to enforce security policies.

IT managers should still plan on spending at least several weeks training operations staff in best practices for using Integrity 4.0 classic firewall rules. During our tests, we used Integrity 4.0 agents, which are deployed on each of the protected end points, to monitor which applications were used by test users. We used the results of this monitoring period to create groups of programs, then used firewall rules to govern how PCs running various applications were able to access the Internet.

We used several PCs and laptops to create Integrity 4.0 reference sources to streamline the administration of applications on our end points. This proved to be a necessary facility for developing efficient application management rules because it allowed us to treat application components as a single unit. In our tests, we defined a short list of applications, including Microsofts Internet Explorer.

The Integrity 4.0 agent used information about approved programs in the reference sources to effectively permit or deny application activities on our client systems. Because Integrity 4.0 agents receive updated policy information whenever they connect to the network—and use these policy rules until a new policy is available—policies are enforced even if the Integrity 4.0 server becomes unavailable.

Although Zone Labs has gone a long way toward streamlining the process of creating reference sources and policy rules, it is still highly involved. Skilled administrators with detailed knowledge of network and application behavior will need to work together to create the initial Integrity 4.0 policies. Even after the initial policies are in place, high-level staff will need to be involved in tuning or adding new policies.

And these changes will need to be checked against rules in perimeter firewalls and VPN gateways to ensure they are not in conflict. Integrity 4.0 does provide limited reports that show what changes were made to the overall system, but wed like to see more reports that show detailed changes made to policies. This change-auditing information would be beneficial not only for checking policy but also as a training tool to reduce ramp-up time if a new Integrity administrator is needed.

Integrity 4.0 has improved its integration with several important enterprise building blocks. This version of Integrity now supports LDAP user directories, including Novell Inc.s eDirectory, along with Remote Authentication Dial-In User Service and Windows NT Domain authentication services, such as Microsofts Active Directory. Integrity also uses either Microsofts SQL Server 2000 or Oracle Corp.s Oracle9i database, providing the kind of installation flexibility we like to see. We were easily able to integrate Integrity 4.0 with our Active Directory and SQL Server 2000 components.

We had no problems deploying the Integrity 4.0 agent to our PC systems. At less than 4MB, the agent is one of the smallest weve seen, which made it easy to send over the network to our systems. More important, the Integrity 4.0 agent could operate silently or with information such as warning messages provided to our end users.

Updating Integrity 4.0 agents with new policies was a simple process that we could accomplish from the Web-based central console with just a few clicks of the mouse.

Senior Analyst Cameron Sturdevant can be contacted at cameron_sturdevant@