
Two Approaches to Policy Enforcement

As enterprises allow employees, partners, and contractors to access corporate information anytime and anywhere, effective security policy enforcement at the endpoint PC is critical. Cisco's release of phase one of its Network Admission Control program - allowing Cisco routers to communicate with certain antivirus products - signals the company's first step toward adding endpoint security enforcement to its networking products. While Cisco has just announced the release of these capabilities, Check Point Integrity has led the market with best-of-breed enforcement for the past two years.

At the heart of Integrity is Cooperative Enforcement™ technology, which enables Integrity to integrate with hundreds of network gateway products - from VPNs to routers, switches and wireless access points. With Cooperative Enforcement, Integrity requires that all endpoint PCs be in compliance - ensuring that all required patches, antivirus updates, registry keys, files, and applications are in place - before it grants access to the network. In effect, Cisco has validated Integrity as the right choice to fulfill the immediate need for remote and internal endpoint policy enforcement.

Proprietary vs. Vendor-Agnostic Policy Enforcement
Network Admission Control and Cooperative Enforcement take very different approaches to policy enforcement. Network Admission Control is based on a proprietary, vendor-centric architecture that effectively locks in Cisco customers. It only works with Cisco routers and several antivirus products, and its policy enforcement capabilities are limited to checking for up-to-date antivirus and OS patches in PCs. Deployment entails installing the Cisco Trust Agent on every endpoint if customers don't have Cisco's Security Agent, and non-Cisco network access devices and AAA servers will need to be replaced with Cisco equipment in order to support Network Admission Control policy enforcement.

In contrast, Check Point takes a vendor-agnostic, open standards-based approach to policy enforcement. Integrity provides customers with an extensible client/server architecture that's compatible with existing network IT infrastructures and seamlessly integrates with industry standard hardware, software, and networks. Integrity was the first endpoint security product to support the IEEE 802.1x/EAP standard, enabling enterprises to use over 200 switches, routers, and wireless access points from more than 20 vendors including Cisco. This flexibility provides lower TCO with better networking performance and security than being tied to a single vendor.

Regardless of the platform chosen, Integrity will continue to provide the most reliable and trusted endpoint security. Therefore, in the future, Integrity will support Network Admission Control and Microsoft's Network Access Protection policy enforcement platform.

Here's a closer look at what Cooperative Enforcement and Network Admission Control provide today:

| Feature | Integrity and Cooperative Enforcement | Network Admission Control |
| --- | --- | --- |
| Enforces up-to-date antivirus software and OS patches on endpoint PCs | Yes - enforces antivirus with any vendor | Limited - works only with Cisco 830 Series to Cisco 7200 Series routers, which enforce up-to-date antivirus for Symantec, McAfee, and Trend Micro |
| Enforces application patches, registry keys, and required or prohibited applications on endpoint PCs | Yes | No |
| Enforces policy compliance throughout the internal corporate network | Yes | No |
| Integration with switches, routers and wireless access points | Yes | No - it only integrates with selected Cisco routers |
| Enforces all policy elements without the need to integrate with any network hardware | Yes | No |
| Supports clientless protection | Yes | No |
| OS support | Windows XP, 2000, NT, Windows 98SE and 95 | Windows XP, 2000, and NT |
