Check Point R80 Unified Endpoint Security Management review
By David Strom | Network World US | Published: 15:20, 23 May 2011
If you're in the market for endpoint protection, Check Point's new R80 Unified Endpoint Security Management product shows promise.
The R80 represents the first integration of the Pointsec encryption product line, which Check Point acquired in 2007, and the notion of software blades. The R80 features six separately licensed blades that cover a wide range of endpoint security features, everything from host-based firewall to malware protection to the DLP-type ability to restrict removable media access, to the NAC-like ability to force a desktop to install security updates.
This means that you install a single security agent on each desktop, and the management software pushes whichever protective features you have licensed and enabled to that agent, which installs and activates them on the client. There is also a single management console.
While this sounds good in theory, the number of dials to turn and tweak is astoundingly complex. For an IT manager unfamiliar with Check Point products, the R80 will require a steep learning curve to understand the interaction of the various software blade modules, along with how to create the best policies and also to interpret and correct the inevitable mistakes made along the way.
As an example, the full disk encryption policy section, which is one of the more powerful features, comes with five main menu paths and dozens of options. So yes, you can secure just about anything and everything on your desktop, but at the price of spending time poring over the manuals, reading the online discussion forums and getting on the phone with Check Point's support team.
We tested the product on a Windows 2003 Server with Windows XP and Windows 7 Ultimate clients connected on a small network. We didn't explicitly test performance but we didn't observe anything odd either.
On the server side, you need the Microsoft .NET 3.5 SP1 Runtime Framework. The Check Point client agent itself consumes less than 6MB of memory and less than 2% of CPU time, depending on what it is doing at any given moment, both of which are quite reasonable given the level of protection it provides.
Deploying the product is very simple: you use the server console to create an MSI package that you then deliver to each desktop to be protected, and once it is installed (you'll need administrative privileges) there is nothing further for a user to do, unless they run into something that you inadvertently blocked. If you need to uninstall or upgrade the agent, you first have to log in with admin rights and remove the agent manually from the Windows Uninstall control panel.
The management console is organized into five broad thematic sections, each accessible from a tab at the top of the screen:
- An overview dashboard showing summaries of alerts, machines in compliance and policies in use
- Policies for the various protective features
- A special section on software deployment
- A monitoring and reporting section
- A section to create policies for particular users and groups
Each section is further broken down by protective feature, so there is a malware policy sub-section and a malware monitoring sub-section, for example. This makes sense, but as you dive into the product you have to remember where everything lives. User and group structures can be imported directly from Active Directory, and provided you have the proper domain credentials, it shouldn't be difficult to populate this section and keep it synchronized with changes to your directory store.
As you might imagine, the firewall section of R80 is the most solid, given Check Point's history. Rules are easy to edit and apply to particular endpoint groups, and they use traditional specifications: inbound or outbound traffic, deny or allow, and particular ports and protocols.
The full scope of E80 includes the following features:
- Host-based firewall
- Web URL content filtering and anti-phishing
- Whole disk encryption
- Removable media encryption for USB drives and DVDs
- Port blocking
- Application white and blacklisting (comes with more than 500 pre-set application signatures as part of their Program Advisor service)
- Additional endpoint compliance rules
This last category bears some explanation. You can set up each endpoint to require particular OS service packs, prohibit or require particular applications or files, and require a particular antivirus engine. For each of these checks, you can set the rule to observe and log the activity, to restrict the endpoint and remediate, or to just issue a warning message.
One of the nice things about the product is that you can create policies for three different endpoint states: connected, when an endpoint is on a local or remote network that the management server can reach; disconnected, when it isn't; and restricted, when an endpoint is out of compliance or has been offline for longer than a preset monitoring period.
Policies can be assigned on a very granular level to particular groups of users and different physical networks. And there are tons of reports that can be delivered at the click of a mouse that provide insight into your network security posture. Many of the early endpoint products were not as flexible or as capable.
Endpoint security technology has been maturing over the years. However, the E80 isn't quite fully baked yet. Despite all these features and flexibility, there are things I disliked about the product. For example, if you have a mixture of 32- and 64-bit machines, you'll need to create a separate installer for each, and you'll also need to enable 64-bit support in your software deployment blade. Macs and Linux machines are currently not supported, which is an issue for many enterprises with mixed desktops.
The user interface on each desktop can be too terse in some places and too verbose in others. For example, at one point one of our test clients reported a security policy violation that had to be addressed urgently. Is there a button to click to resolve it? Is there some way to send a message back to our desktop administrator? No and no. There is a log viewer, which no user should ever have to deal with, that shows the most recent security events. This is not for the faint of heart.