More and more corporate endpoint devices need to be protected against an increasing number of threats. Many of the suites designed to offer protection began life simply as antivirus or firewall applications. New functionality, such as application, data and device control, has been added to address new threats, but so has complexity. So, it’s nice to find a full-featured endpoint security suite that is as sleek and easy to configure and manage as Sophos Endpoint Security and Data Protection 9.
Sophos Endpoint Security and Data Protection 9 is a solid contender in the enterprise endpoint security market. Deployment and management are strong points, with a streamlined and straightforward management GUI. Pricing starts at $40 per client, and volume licensing discounts are available.
I installed Sophos Enterprise Console on a Windows Server 2003 SE SP2 system that was already configured as a primary domain controller in Active Directory. I used three Windows XP Pro SP3 workstations as test clients. All ran as virtual machines under VMware Workstation 6.5 on Windows Vista 64 with a 3GHz Intel Core 2 Quad Q6600, 8GB RAM and a 1.5TB hard drive. Installation went smoother than usual for an enterprise security software product.
When Sophos Enterprise Console launches, it displays a Dashboard containing alerts, errors and the update status of computers under management.
I found the Dashboard to be of limited value. It does a great job of showing summary information that you can drill down into to take action. For example, I could click the link for the number of firewall events over a threshold and be taken directly into the interface to see all firewall events for that computer.
However, I found that once I checked the Dashboard and put out any fires, it made more sense to ditch it and use the full screen for the management interface.
There is a graphical indicator of overall system status in the lower right-hand corner of the Enterprise Console. The indicator is a green check if all is well, and a red exclamation point if there is trouble. During tests, when the indicator turned into an exclamation point, I double-clicked it and the Dashboard popped up, allowing me to see how the error affected my network as a whole. I could then drill down to address issues on individual computers.
Developing Policy
When implementing the suite, the first major task is to develop policy in its major security areas: anti-virus, HIPS (host-based IPS), firewall, NAC (network access control), application control, data control and device control.
However, a word of caution is necessary: Always test a new policy before widespread deployment to avoid deploying a policy that causes disruption of network, application and data services, such as a “block all” firewall rule or a NAC rule that would completely isolate a computer. This is largely a caution with all products in this class, but with Sophos, you get no warning that something could be broken if you take a particular action.
The basic interface of Sophos Enterprise Console is divided into three areas. Groups and policies are organized along the left, and the main pane shows computers. Clicking on a computer brings up more info, either in a new pane below or a pop-up showing details down to the individual log events, which is a fantastic help in troubleshooting.
I could also right-click a group or computer and order an immediate full scan. Being able to make changes, deploy policy, scan and check for errors also streamlines troubleshooting.
By clicking the Find New Computers button at the upper left, I imported my test machines into a new group called “Testmachines.” (An organization could create groups based on location or department.) Computers go in groups, and policy gets applied to groups. The whole process took only a few right-clicks in tests, after which everything was neat and tidy. I could also use Find New Computers to scan my network for computers that were not being managed in Active Directory.
I deployed a reasonable bunch of policies for computers connected to an internal network. Speaking of which, all network rules have the ability to be configured for multiple locations, so a laptop could be configured to allow Windows file sharing in the office but block it everywhere else.
I used pretty standard settings for AV and HIPS policy. I configured the firewall to inspect and log exceptions to policy, but not to block. This way, I could review logs and tweak firewall policy before blocking real traffic.
Application, Data Control
Application control is where it starts to get interesting. Applications and categories of applications can be blocked from installation and execution, or just logged. On the authorization tab of the Application Control Policy editor, I could select application groups that have no reason to be on a workstation, such as file sharing and games. The message a user sees when he or she tries to access one of these unauthorized applications can be customized, and events can be reported via SNMP and e-mail. I could also enforce software update policy by, for example, allowing Firefox 3, but not Firefox 1 or 2. Updating policy to block an app not listed by Sophos is not done here, but rather under firewall settings.
A new addition in this version of the suite is data control. Sophos adapted its malware scanning and recognition engines to search for specific words and/or patterns in documents or Web forms. Transfer can then be blocked or logged. Data Control rules search for patterns or content and then take appropriate action by either warning the user (in case of an authorized and intentional transfer), or warning and blocking the user.
Reporting is quite flexible, and Sophos does a great job streamlining the process of generating reports. Nine common reports come with the product to serve as templates for customization.
The Alert and Event History report was helpful to me, as it highlighted the security events found on my test network. This made it very easy to see, for example, which computer was used to attempt a transfer of sensitive corporate data.
Reports open on top of the console. I found this frustrating because I would have liked to run the report, close it to check a setting, and run the report again. Any report can be scheduled to run regularly and e-mailed to recipients. In addition, e-mail and SNMP alerts can be issued when error thresholds are surpassed for many different factors.
After pushing out policy, I examined my test workstations to verify that they had been secured.
In short, everything worked much as it should.
In AV and HIPS testing, nine of 15 malware items were blocked from download. One of the six that were not blocked from download was blocked from installation, while four were blocked from execution.
Application control blocked me from running peer-to-peer apps and games. Device control worked as configured, and users were notified with a pop-up message that Sophos had blocked the drive.
Data control also worked very well. I was able to block uploads of various file types containing different types of information. For example, I blocked the word “eweek” in a text file and 10 or more Social Security numbers in an Excel file.
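As an added example that is not part of the review or of Sophos's own code, here is a small Python evaluator for the two kinds of data control rule the review exercises: a keyword rule (the word "eweek") and a quantity-threshold pattern rule (10 or more Social Security numbers), each carrying a warn or block action. The SSN regex, the rule names, the `evaluate` function and the sample documents are my own constructions, not Sophos's rule format.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical SSN pattern: rejects the 000/666/9xx area, 00 group and 0000 serial.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

@dataclass
class Rule:
    name: str
    action: str                           # "warn" (allow but notify) or "block"
    keyword: Optional[str] = None         # case-insensitive literal to find
    pattern: Optional[re.Pattern] = None  # regex whose matches are counted
    min_count: int = 1                    # quantity threshold for the pattern

    def count(self, text: str) -> int:
        """Number of occurrences of the keyword or pattern in the document."""
        if self.keyword is not None:
            return text.lower().count(self.keyword.lower())
        return len(self.pattern.findall(text))

    def matches(self, text: str) -> bool:
        return self.count(text) >= self.min_count

def evaluate(rules, text):
    """Return (verdict, names of matched rules); a block rule outranks a warn rule."""
    hits = [r for r in rules if r.matches(text)]
    if any(r.action == "block" for r in hits):
        verdict = "block"
    elif hits:
        verdict = "warn"
    else:
        verdict = "allow"
    return verdict, [r.name for r in hits]

# Rule set modelled on the review: block the keyword, block bulk SSNs, warn on one.
RULES = [
    Rule("eweek keyword", "block", keyword="eweek"),
    Rule("bulk SSNs", "block", pattern=SSN_RE, min_count=10),
    Rule("single SSN", "warn", pattern=SSN_RE, min_count=1),
]

# Constructed sample documents (synthetic values, not real data).
DOC_MEMO = "Quarterly memo: nothing sensitive here."
DOC_ONE_SSN = "Applicant SSN 123-45-6789 on file."
DOC_EXPORT = "\n".join(f"emp{i},{100+i:03d}-{10+i:02d}-{1000+i:04d}" for i in range(12))
DOC_REVIEW = "Draft article for eWEEK, internal only."
```

Running `evaluate(RULES, DOC_EXPORT)` reports a block because the 12 synthetic SSNs cross the threshold of 10, whereas the single-SSN document only triggers the warn rule.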
Matthew D. Sarrel is executive director of Sarrel Group, an IT test lab, editorial services and consulting firm in New York.