Endpoint Policy Management
Software Blade
Overview
Enterprises have typically deployed some standalone point solutions for endpoint security such as a personal firewall or antivirus software. This approach quickly becomes a management nightmare in organizations with hundreds or thousands of PCs. For example, each time a software update is available for individual endpoint agents, IT must execute a rigorous engineering test cycle to qualify the release for performance and compatibility before pushing the update out to endpoints. Because it is not uncommon for enterprises to have three or more endpoint security agents on each device, implementation can become very time consuming and costly.
A new strategy is to unify endpoint security with functionality on each PC that is centrally deployed and managed by IT security specialists on a single console. Unification of security functionality allows for simplified deployment and management, which lowers the overall cost of operations. With a unified agent approach, IT will only have to run test cycles for one agent and will have the assurance that each function within that agent is compatible. However, to achieve strong endpoint security, an enterprise should carefully consider functions in a particular unified endpoint solution. Only a comprehensive set of security controls can provide an enterprise with complete endpoint security.
The Endpoint Policy Management Software Blade enables you to centrally manage the security products you use on your organization's end-user devices. This means that you can take and keep control of computing devices and the sensitive information they contain.
Key Benefits
- Centralized and delegated management options
- Central monitoring and reporting on every endpoint security control
- Faster security incident discovery, monitoring, and forensics
- Comprehensive reporting and support for audits and compliance
- Easier, faster deployment of software using single agent without requiring on-site manual intervention of IT or end users resulting in lower TCO
- Unification of endpoint security with network security event management
Features
- Firewall Rules
- Access Zones and Zone Rules
- Program Control Policies
- Program Advisor Service Policies
- Program Enforcement Policies
- Cooperative Enforcement® Policies
- Check Point Antispyware Policies
- Check Point Antivirus Policies
Firewall Rules
Provides same the level of security as standard perimeter firewalls by restricting or allowing network activity based on connection information
Access Zones and Zone Rules
Provides network security through creating groups of locations to which you assign network permissions
Program Control Policies
Restricts network access on a per-application basis
Program Advisor Service Policies
Automates application control management
Program Enforcement Policies
Ensures that every Endpoint computer meets application and version requirements before it connects to the network. For example, using Program Enforcement, you can require that Endpoint computers have a certain version of Antivirus protection
Cooperative Enforcement® Policies
Restricts or disconnects noncompliant users at the network access/authorization level
Check Point Antispyware Policies
Protects your company’s data by detecting and removing spyware
Check Point Antivirus Policies
Provides centrally-managed antivirus protection to your Endpoint users
Specifications
| Feature | Details |
|---|---|
| Firewall | |
| Antivirus Protection Protocols | Block/allow traffic based on packet data, source/destination locations, protocols, ports, and when timed activities occur |
| Zone rules | Restrict/allow network activity based on traffic origination or destination zone: Trusted Zone, Blocked Zone, Internet Zone Allow/deny traffic based on security locations: Host, site, IP address, IP range, IP subnet and mask |
| Hot spot registration | Allows for a temporary, controlled opening in the policy, regardless of the policy restrictions, so that the user may register to a local hot spot |
| Program control | Limits exposure to vulnerabilities and attacks by restricting network access on a per-program basis Moderates network access for programs Uses program permissions applied to individual programs or program groups to control program activity |
| Program permissions | Sets permissions for individual programs or group of programs: Allow, block, ask, terminate |
| Program authentication | Verifies programs have not been tampered with by authenticating via MD5 signature or signed certificates |
| Program Advisor | Automatically terminates known malicious programs Automates application policy decisions based on real-time data collected from millions of PCs worldwide |
| Program groups | Sets program permissions for groups of programs rather than for individual programs |
| Network access control (NAC) | |
| Endpoint policy compliance and auto remediation | Corrects policy violations: Antivirus, anti-spyware, firewall rules, software patches, specific application versions, registry entries Quarantines unsafe PCs and automatically brings endpoints into compliance Restricts network access from unknown guest users |
| Cooperative Enforcement® | Ensures endpoint computers remotely connecting to the network are running an agent, have a specific policy, and comply with the enforcement rules in the security policy assigned Restricts or terminates network access for noncompliant endpoints |
| Network segmentation-level NAC | Cooperative Enforcement with VPN-1 gateways |
| Port-level NAC | 802.1x authentication support, third-party switch and wireless access point support Restricts noncompliant endpoints to isolated VLAN: Limited to specific destination IP, ports, and protocols |
| VPN NAC | Supported gateways: VPN-1, Connectra™, and VPN gateways from Cisco Systems and Nortel Networks Enforces spyware checks, keylogger removal, and ensures antivirus and operating system patches are current VPN NAC on Connectra: includes on-demand browser-based solution for session confidentiality, disables spyware on guest PCs before granting SSL VPN access |
| Network access control (NAC) | |
| Heuristic virus scan | Scans files and identifies infections based on behavioral characteristic of viruses |
| On-access virus scan | Scans files as they are opened, executed, or closed, allowing immediate detection and treatment of viruses |
| Deep scan | Runs a detailed scan of every file on selected scan targets |
| Scan target drives | Specifies directories and file types to scan |
| Scan exclusions | Specifies directories and file extensions not to be scanned |
| Route-based VPN | Utilizes Virtual Tunnel Interfaces, numbered/unnumbered interfaces |
| Treatment options | Enables choice of action agent should take upon detection of virus: Repair, rename, quarantine, delete |
| Third-party antivirus support | McAfee VirusScan, Symantec Norton Antivirus, Trend Micro PC-cillin/OfficeScan, Sophos Anti-virus, Computer Associates eTrust InnoculateIT, Computer Associates VET, Check Point Endpoint Security Antivirus, Kaspersky Antivirus, NOD32 Antivirus, AVG Antivirus, AVAST Antivirus, BitDefender Antivirus, F-Secure Antivirus, Panda Antivirus, Microsoft OneCare Antivirus |
| Protection Details | |
| Anti-spyware | |
| Intelligent quick scan | Checks the most common areas of the file system and registry for traces of spyware |
| Full-system scan | Scans local file folders and specific file types |
| Deep-inspection scan | Scans every byte of data on the computer |
| Scan target drives | Specifies which directories and file types to scan |
| Scan exclusions | Specifies directories and file extensions not to be scanned |
| Treatment options | Enables choice of action agents should take upon detection of virus: Automatic, notify, or confirm |
| Remote access: IPSec VPN | |
| Connectivity options | Dynamic and fixed IP addressing for dialup, cable modem, and DSL connections |
| Authentication | Preshared secrets, X.509 digital certificates, SecurID, username and password, RADIUS, TACACS, Check Point Internal Certificate Authority (ICA) |
| High availability and load sharing | Inbound VPN connections distributed across a cluster of VPN-1 gateways, multiple entry points |
| Multiple connectivity modes | Office Mode, Visitor Mode, Hub Mode |
| Management | |
| Single management console | For policy configuration, policy administration, reporting, and analysis Web-based administrator console |
| Role-based administration | Creates administrator accounts limited to specific user sets Assigns an administrator to specific entities—user catalogs or groups Creates accounts that are allowed only to perform specific functions |
| Unified with Check Point SMART Management | Manage endpoint security events from SmartCenter Centralizes security event management and reporting via Eventia Analyzer and Eventia Reporter Enables shared management server, login, console, log viewing, and event management |
| Management server log monitoring | SNMP trap, Syslog |
| Management Platform Support | |
| Operating systems | Windows Server 2003 Check Point SecurePlatformTM |
| Browsers | Internet Explorer 6 (SP2) and 7 Mozilla Firefox 1.5 and higher |
| Client Platform Support | |
| Operating systems | Windows XP Pro (SP2) Windows 2000 Pro (SP4) Windows Vista |
| Certifications | |
| Certifications | Common Criteria Evaluation Assurance Level 4 (EAL4) FIPS 140-2 |
Support
Threats to the network are constantly evolving and becoming more sophisticated. To maintain continuity and productivity, defenses must advance as quickly to deliver the technology and features that protect the business. Check Point Update service protects against emerging threats with critical hot software fixes, service packs, and major software upgrades.
Benefits
- Ensures continuous security with access to critical hot fixes and service packs
- Maximizes ROI and investment with access to major upgrades and enhancements
- Increases security with the latest applications, features, and technologies
-
Next Steps
- Find a Partner
- Call US sales: 1-866-488-6691
- Contact Us Online
Resources
Check Point Software Blade Architecture Brochure- Software Blades Demo
- Software Blade Architecture White Paper
Software Blades
Security Management Software Blades