Senforce’s EMSM (enterprise mobile security manager) is a centrally-managed platform for creating and deploying very granular access control policies to both local and remote users. Like Check Point Integrity and Sygate Secure Enterprise, EMSM goes well beyond checking to see whether the client’s anti-virus is up to date. However, unlike these products, EMSM focuses on enforcing security policies based on location, disabling remote storage devices, wireless adapters, and even specific IP services on the client, based on whether it is connecting wired or wirelessly, or via a trusted or untrusted network.
The EMSM management server requires Microsoft SQL Server 2000 for its storage needs (not included with EMSM) and the client only runs on Windows 2000 and Windows XP Pro. Nevertheless, at US$89.95 per seat, it’s a small price to pay for the level of control available.
The heart of EMSM is the Policy Editor, where administrators define the policies for specific situations, such as whether a PC is connecting via the LAN or a laptop is accessing the corporate network wirelessly. Senforce’s Policy Editor is a powerful tool and allows a fine level of control over users and PC services. I did find the process of creating a policy, however, to be a little confusing but not overly complex. As with many security devices, understanding the problem as well as its remedy is half the battle.
Using Policy Editor, I created a couple of different profiles: one for my test lab and another for a remote user. The first policy enforced some basic global rules, such as silencing the wireless adapter and requiring anti-virus to be running and updated. I allowed all IP services, including e-mail, Web browsing, and Windows networking. The second profile was much like the first, except that I set it to forbid Windows networking and only allow e-mail and Web browsing. In both situations, EMSM correctly identified my laptop’s network addressing and pushed the proper policy to it.
Security based on where you are
Admins use EMSM’s Network Environments to define network characteristics that determine where a client has logged in and, consequently, which policy to enforce. I was impressed with the level of detail available when describing a network location. Choices include IP addressing, gateway, MAC address, wireless access point SSID (service set identifier), and DNS, DHCP, and WINS (Windows Internet Naming Service) addresses. By using combinations of these parameters, you can deploy a policy for just about any location you can think of, even based on which DNS server was assigned to the client via DHCP.
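An added example of this kind of location matching, not Senforce's code or policy format: the attribute names, addresses, and the policy names `lab` and `remote-user` are constructed for illustration. An environment matches only when every one of its criteria holds, and anything unrecognised falls back to the most restrictive policy.

```python
from ipaddress import ip_address, ip_network

# Most restrictive policy, applied when no environment matches (assumed name).
FALLBACK = ("unknown", "remote-user")

# Constructed sample definitions; an environment matches only if ALL criteria hold.
ENVIRONMENTS = [
    {"name": "test-lab-wired", "policy": "lab",
     "criteria": {"subnet": "10.20.0.0/16",
                  "gateway_mac": "00:11:22:33:44:55",
                  "dns": {"10.20.0.53", "10.20.0.54"}}},
    {"name": "test-lab-wireless", "policy": "lab",
     "criteria": {"ssid": "LAB-WLAN",
                  "ap_mac": "66:77:88:99:aa:bb",
                  "subnet": "10.30.0.0/16"}},
]

def _norm_mac(mac):
    """Normalise separator and case so equivalent MAC spellings compare equal."""
    return mac.replace("-", ":").lower()

def _check(kind, wanted, seen):
    """Return True when the observed attributes satisfy one criterion."""
    if kind == "subnet":
        ip = seen.get("ip")
        return ip is not None and ip_address(ip) in ip_network(wanted)
    if kind in ("gateway_mac", "ap_mac"):
        mac = seen.get(kind)
        return mac is not None and _norm_mac(mac) == _norm_mac(wanted)
    if kind == "ssid":
        return seen.get("ssid") == wanted
    if kind == "dns":
        # Every assigned resolver must be on the expected list.
        servers = set(seen.get("dns", ()))
        return bool(servers) and servers <= wanted
    return False  # unknown criterion type: fail closed

def select_policy(seen, environments=ENVIRONMENTS):
    """Pick the matching environment with the most criteria, else the fallback."""
    matches = [e for e in environments
               if e["criteria"]
               and all(_check(k, v, seen) for k, v in e["criteria"].items())]
    if not matches:
        return FALLBACK
    best = max(matches, key=lambda e: len(e["criteria"]))
    return (best["name"], best["policy"])
```

A network that shares only the SSID with a defined environment does not match, which is why combining several parameters matters more than any single one.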
The Adapters and Access Points list provides a fine level of control over dial-up, wired, and wireless adapters. Especially powerful for wireless locations, EMSM allows admins to define a specific access point a laptop can connect to while ignoring all others. This is especially useful when you want to make sure wireless communication only takes place inside your enterprise.
If a client fails some check in a policy, such as its anti-virus signatures being out of date, instead of simply denying access, EMSM puts the client in a “quarantined” state. There, the client can update the signature to comply with the policy, then access the network. EMSM includes a wide range of reports to let IT audit their clients for policy compliance.
A client in the kernel
The Senforce Mobile Security Client, which runs in the kernel of the host OS, intercepts network traffic at the NDIS layer. Inspecting network traffic from there requires much less CPU time than is required by other client integrity products, such as Sygate and Integrity, which operate higher in the network stack.
For all of its impressive features, EMSM is not a perfect product. Creating your policies is not an intuitive process, although there are some wizards to step you through it. I felt like I was constantly jumping back and forth between settings to get my policy created. Also, the client-side application runs as a service under Windows 2000 and XP. If your users have local administrative rights to their PCs, they can stop the service and thereby circumvent the policy enforcement. Both of these problems are being addressed in an upcoming release of EMSM due early in 2005.
Senforce Enterprise Mobile Security Manager is a great tool for managing your end-point security from a single, centralised location. The level of granularity in the Policy Editor is first rate; I can’t imagine a situation it cannot handle. It is flexible yet ultimately in control of not only which network services a client can use but on which types of network they can use them. Problems with the management interface and client service are already being addressed, so Senforce should be on your short list of end-point integrity tools.
This tool's ability to push a specific policy to a client based on its network affiliation is a good way to keep mobile users in check without being too heavy-handed about it. Its reporting engine should help where you are required to prove compliance with policies, and it has good support for wireless adapters and access points.