April 25, 2007 12:00 AM

Policy-Based Management of Desktop Antivirus Products

Management tools help you get the most from desktop antivirus solutions
Windows IT Pro
InstantDoc ID #95568

Managing security products on workstations and servers is an important task, and it becomes critical when new threats emerge that endanger the productivity of enterprise employees. You want to know that all systems are properly protected the day they are deployed, and that they are kept up-to-date with the newest threat-detection technology, whether pattern files or updated scanning engines. For this review, I've looked at five products that offer central, policy-based management of desktops and servers. To provide a consistent context, I asked each vendor to provide its product's management console along with desktop antivirus software. If you're looking for a discussion of desktop threat-protection mechanisms, you won’t find it here. This review and its ratings are unabashedly—and narrowly—focused on the policy management interface and don't evaluate each product's utility for its intended purpose of protecting your desktops. This article reviews the server-based architecture each vendor implements for control of managed clients, the options to scale up for the management of large numbers of systems, and the approach each product takes to organize managed clients in a way that facilitates the assignment of client application configuration policies and application deployment.

For the purposes of this review, I define policies as settings that control the function of an aspect of the application software. In some of the products, policies are named groups of settings that can be copied or assigned as a single object; in others, individual settings inherit down through a policy domain hierarchy of domains and subdomains. Policies can also be implemented as a combination of these methods. There are many ways to organize a policy domain structure. Frequently, organizing systems by the details of the policy they need is an effective approach. Sometimes, administrative responsibility can be another level of organization. There is no one-size-fits-all approach.

F-Secure Policy Manager
F-Secure Policy Manager, when combined with applications in F-Secure Anti-Virus Enterprise Suite, manages the security of endpoints throughout the enterprise. The suite supports a variety of Linux as well as Windows servers and workstations. I installed Policy Manager with F-Secure Client Security 7, which is part of the Anti-Virus Enterprise Suite.

Architecture
Policy Manager comprises many components. The management interface, Policy Manager Console, is written in Java and can run on a variety of platforms. Policy Manager Server, implemented as an extension of an Apache Web server, is the repository for software and policies and uses standard HTTP protocols to communicate with managed clients. Policy Manager Web Reporting is a Web-based graphical reporting system that will report enterprisewide status information, including out-of-policy systems. Policy Manager Reporting Option is a command-line reporting interface. Policy Manager Update Server manages automatic antivirus and spyware definition updates to managed hosts. The management agent is the client-side component and includes an end-user interface and a common interface for all F-Secure applications. It enforces policies created and assigned within Policy Manager Console. Policy Manager Proxy is a remote agent, intended primarily for network segments that have slow upstream connections, and downloads protection updates and distributes them to local systems.

Installation was fairly easy, and took me about 15 minutes. I installed the software on a Windows Server 2003 system. By default, the Web-based Policy Manager console can be accessed only from the local machine’s localhost address; a check box lets you open up that access. During installation, you can specify the remote installation jar files of other F-Secure products, or easily configure them later. After installation I found a Status Monitor, which displays the status of the server and its host; Administration and Reporting modules; and an Automatic Update Agent interface, which displays the version of the most recent update for each product, the success or failure of recent update requests, the ability to manually check for updates, and access to the Update Agent’s configuration file. The Automatic Update Agent makes sure the console server always has the most current updates for distribution to managed clients. You configure the polling interval and the preferred sources for updates.

Policy Manager Console
Two access modes are available from the console: Administrative, which requires that you enter a passphrase defined during installation, and Read-only. The logon screen lets you define and save connection information for other servers, easing access for large enterprises that have many console servers. Within the console, you find two functional modes: Anti-Virus, which Figure 1 shows, and Advanced, which is selectable from the View drop-down menu. Anti-Virus Mode manages client protection features of F-Secure Client Security, including Virus Protection, Automatic Updates, E-mail Scanning, and Internet Shield. Advanced Mode manages policy settings and deployment to clients. Both modes share Internet Explorer 6.0–like drop-down menus and function icons at the top of the window, the Policy Domains pane at the left side of the window, and (when the console server has generated status messages or alerts) a Message area along the bottom. In both modes, I found the Policy Manager Console UI well organized and easy to use.

Advanced Mode
When you start the Policy Manager Console and select Advanced Mode, a tabbed Properties pane displays to the right of the Policy Domains pane, with a details pane to the far right.

Policy Domains is a multilevel hierarchical folder structure with some similarities to an Active Directory (AD) organizational unit (OU) structure. Each client receives the policies that are assigned to its folder. F-Secure offers several ways to assign clients to folders. Large organizations will want to use the autoregistration feature, which lets you import into the structure clients that have the F-Secure Management Agent preinstalled. Policy Manager will place new clients into a particular domain within the structure according to, for example, a partial WINS or DNS name or IP address network segment (other and custom properties are also supported). Discovery and manual placement are also supported, and I chose that option for my testing. Similarly, policy-based installation allows automatic deployment of F-Secure products and policies to systems according to signed policies obtained by the client management agent from the console server.

You set policies by selecting a Policy Domain from the left-hand panel and clicking the Policy tab in the central Properties pane. A hierarchy of products displays in the Properties pane: Expanding the appropriate product displays its policies. Policies inherited from the level above display in light gray; policies explicitly set at this level appear in black. To set a policy, click it and change the setting that displays in the details pane. A Force option allows you to reset explicit settings at a subdomain or host to values inherited from above. A Show Domain button displays the current policy setting throughout all domains. Using reporting options, you can list domains and policies where explicit settings override inherited settings.
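
The inheritance behavior described above can be sketched as a small model. This is an added example, not F-Secure code: the class, the setting keys, and the domain names are hypothetical, and Force is assumed to clear explicit values below the chosen domain. The override listing corresponds to the kind of report an administrator would review to spot a subdomain that weakens an inherited protection setting.

```python
# Added illustration of hierarchical policy inheritance. All names below are
# hypothetical; this is not F-Secure code and uses no F-Secure API.
class PolicyDomain:
    def __init__(self, name, parent=None, **explicit):
        self.name, self.parent = name, parent
        self.children = []
        self.explicit = dict(explicit)  # settings set at this level (shown in black)
        if parent is not None:
            parent.children.append(self)

    def path(self):
        return self.name if self.parent is None else f"{self.parent.path()}/{self.name}"

    def effective(self, key):
        """Nearest explicit value walking up to the root, with its source domain."""
        node = self
        while node is not None:
            if key in node.explicit:
                return node.explicit[key], node
            node = node.parent
        return None, None

    def force(self, key):
        """Assumed Force semantics: reset explicit values of key below this domain."""
        cleared = []
        for child in self.children:
            if key in child.explicit:
                del child.explicit[key]
                cleared.append(child.path())
            cleared.extend(child.force(key))
        return cleared

    def overrides(self):
        """(path, key, explicit, inherited) where an explicit value differs from the inherited one."""
        found = []
        for child in self.children:
            for key, value in sorted(child.explicit.items()):
                inherited, _ = self.effective(key)
                if inherited is not None and inherited != value:
                    found.append((child.path(), key, value, inherited))
            found.extend(child.overrides())
        return found

def build_sample():  # constructed sample tree; a laptop group disables scanning
    root = PolicyDomain("Root", realtime_scanning=True, update_interval_min=60)
    sales = PolicyDomain("Sales", root)
    laptops = PolicyDomain("Laptops", sales, realtime_scanning=False)
    servers = PolicyDomain("Servers", root, update_interval_min=15)
    return root, sales, laptops, servers
```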

After you've set policies, you must both save and distribute them. Unsaved policy settings will revert to the default when you exit the console, but the console prompts you to save settings upon exit. Saving and distributing policies is easily accomplished by clicking icons in the icon menu bar. After you've distributed a policy, it will take effect on managed clients using that policy.

Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.