Better to Be SAFE Than Sorry?

Tech Analysis: SpectraGuard SAFE (Security Assurance for Endpoints) 2.0 is promising, but there's much work to be done before it can fully deliver.

Wireless clients can easily fall into an insecure state, and, with more people demanding more wireless access, the vulnerabilities are increasing exponentially.

Because it is much more efficient to restrict wireless clients from doing insecure things—rather than trying to clean up the mess after they do them—AirTight Networks has integrated endpoint wireless security into its SpectraGuard Enterprise 5.0 platform in the form of SpectraGuard SAFE (Security Assurance for Endpoints) 2.0. However, while the feature is promising, theres much work to be done before it can fully deliver.

SAFE allows administrators to define policies that dictate the networks to which a client can connect, the minimum encryption level allowed and whether a wired connection can be active at the same time (or whether bridging is allowed). SAFE also lets administrators block Wi-Fi use altogether via policy.

/zimages/1/28571.gifClick here to read a review of SpectraGuard Enterprise 5.0.

A dashboard on the client shows whether the machines current wireless security posture is safe, and this information is transferred to the SpectraGuard Server, giving administrators at-a-glance insight into the devices security (or lack thereof).

From the SpectraGuard Enterprise 5.0 management console, we configured policies that had different settings depending on location—work, home or away.

When a new SAFE client contacts the SpectraGuard Server (the client needs to be programmed with the SpectraGuard Server IP address and a shared key), SpectraGuard Enterprise automatically assigns and distributes the default policy. Administrators can later organize SAFE clients into groups for more policy options.

While most of SAFEs security functionality could be implemented through the proper configuration of a clients wireless supplicant software via policy (be it Microsoft Windows XPs Wireless Zero Configuration service or a third-party supplicant such as Juniper Networks Odyssey Access Client), SAFE is especially attractive because it is designed to report directly to the wireless IPS, letting administrators in on what a user has been up to with his or her wireless connection in the context of the entire wireless network.

With that said, SAFE and SpectraGuard Enterprise are not there yet. While we could pull up SAFE reports for individual clients from the Administration tab in the SpectraGuard Enterprise 5.0 console, this data is not yet integrated into the SpectraGuard Enterprise database for group analysis or trending. To cull this data, the SAFE client needs to be polled directly when the report is requested—so if the client is offline, theres no report to see.

Adding SAFE support to SpectraGuard Enterprise 5.0 costs $4,995 for the software license. This initial license includes 100 SAFE client licenses; additional client licenses start at $20 apiece, and volume discounts are available.

Technical Analyst Andrew Garcia can be reached at

/zimages/1/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.