Employee Workstation Protection (Endpoint Security)
Check Point's concept of workstation protection is comprehensive and all-encompassing: the required functionality is selected the same way as for security gateways (a container plus the required functionality, i.e. Software Blades), and centralized management of the entire Endpoint Security suite makes management more convenient and efficient by creating a single company security policy.
Another advantage of the Software Blades approach is the ability to extend the protection suite's functionality as new tasks arise, simply by activating the required license on the server.
Workstation protection functionality (Endpoint Security Software Blades)
Full Disk Encryption – encrypts the entire contents of the selected logical drives transparently to the PC user. Supports multi-factor authentication before the OS boots.
Media Encryption – provides a centrally managed policy for encrypting removable media (flash drives) and controlling the use of I/O ports (USB, WiFi, CD, etc.).
Remote Access – secure remote access to corporate resources through an IPsec VPN tunnel for employees working away from the office.
Anti-Malware / Program Control – using the Kaspersky antivirus engine, effectively protects the PC from a variety of threats. Program Control restricts application launches to those approved by the administrator.
WebCheck – protects against attacks and threats targeting the browser. The browser session runs in a secure virtual environment.
Firewall / Compliance Check – proactive protection of inbound and outbound traffic prevents workstation infection and blocks attackers and unwanted traffic.
The Check Point Full Disk Encryption Software Blade secures all information stored on the computer, including user data, operating system files, temporary files and deleted files. For the maximum level of security, multi-factor authentication is required before the operating system starts and data is made available to the user.
Full Disk Encryption
Automatically encrypts all information on the hard drive - including user data, the operating system, temporary files and erased files, for maximum data protection.
Pre-Boot Authentication
Ensures that only authorized users are allowed to access the endpoint. All valid credentials must be provided before the operating system will boot. Multi-factor authentication options and multiple pre-boot authentication languages are supported.
Single-console, Intuitive User Interface
The Full Disk Encryption Endpoint Software Blade provides an intuitive user interface for centralized management and easy viewing of security status and log files or making basic configuration changes.
Secure Remote Help
Remote Password Change and One-Time Login remote help options are available for users who may have forgotten their passwords or lost access tokens. Web-based remote help options are available.
Central Management
The Full Disk Encryption Software Blade is centrally managed by the Endpoint Policy Management Software Blade, enabling central policy administration, enforcement and logging from a single, user-friendly console.
Integrated into Check Point Software Blade Architecture
The Full Disk Encryption Software Blade is fully integrated into the Software Blade architecture, saving time and reducing costs by allowing customers to quickly expand security protections to meet changing requirements.
Client Platform Support
Operating Systems
Windows 7 (32 & 64-bit)
Windows Vista (32 & 64-bit)
Windows XP Pro (32-bit, SP2, SP3)
Windows 2000
Mac OS X (10.4.5 – 10.4.11, 10.5.0 - 10.6.x)
Linux (2.6.4+ kernel, Red Hat, SuSE 9.x, RHEL 4, NLD)
Client Language Support
Languages
English, Russian, Japanese, French, Italian, German, Chinese (simplified), Spanish
Certifications
Full Disk Encryption
Common Criteria EAL4
FIPS 140-2
The Check Point Media Encryption Software Blade provides a centrally managed encryption policy for removable media such as USB flash drives, backup hard drives, CDs and DVDs. For maximum protection, the policy for the use of I/O ports is centrally administered, and the operations performed are logged.
Set Encryption from Centralized Security Management
Allows administrators to set and enforce encryption policy for removable media using algorithms such as AES 256-bit, for maximum data protection. Users can securely access encrypted media from unmanaged computers, with no client installation.
Device Access Settings
The device access settings control access to removable media, devices and ports. Devices can be defined at a granular level by type, brand, size or ID. Access to endpoint ports such as USB, FireWire, Bluetooth, WiFi, printer, etc., can be centrally managed.
Removable Media Enforcement
Removable media enforcement maximizes data security by placing a unique digital signature on each encrypted device, informing the user of any unauthorized changes made to stored information.
Logging and Alerts
Administrators can store device activity and file movement logs to a central database, enabling centralized auditing and reporting for easy compliance. Email alerts can be configured to notify administrators about specific events.
Client Platform Support
Operating Systems
Windows 7 (32 & 64 bit)
Windows XP Pro (32-bit, SP2 and later)
CD/DVD Burning Application Integration
Applications
Windows CD/DVD wizard
Nero 9 Multimedia Software
Client Language Support
Languages
English, Russian, Japanese, French, Italian, German, Chinese (simplified), Spanish
Certifications
Media Encryption Certificates
Common Criteria EAL4
FIPS 140-2
CCTM CESG
Ports Controlled
Port Types
USB, WiFi, FireWire, IDE, Bluetooth, PS/2, PCMCIA, SATA, IrDA and SCSI
Devices Controlled
Device Types
USB flash drives, floppy drives, external hard drives, tape drives, Windows Mobile Smartphones, PDAs, imaging devices, scanners, iPhones, Blackberrys, modems, other network access devices, iPods, other digital music devices, printers, CD/DVD drives, keyboard, mouse, digital cameras, wireless network interface cards, biometric devices and smart card readers
The Check Point Anti-Malware & Program Control Software Blade efficiently detects and removes malicious code from workstations with a single scan. Viruses, spyware, keyloggers, Trojans and rootkits are identified using the signature database, behavioral analysis and heuristic analysis. The Program Control component ensures that users can run only programs approved by the administrator.
Single Anti-Malware Scan
The Anti-Malware & Program Control Software Blade efficiently detects and removes malware from endpoints with a single scan. Malware is identified using signatures, behavior blockers and heuristic analysis.
Anti-Malware and Antivirus Policy
Anti-malware and antivirus policy is managed and deployed from a central console, giving administrators full control of scan scheduling and remediation requirements.
Program Control
Program control ensures that only legitimate and approved programs are allowed to run and perform tasks on endpoints. Program authenticity is verified to prevent spoofing, altering or hijacking of applications.
Program Advisor Service : App Control
The optional Check Point Program Advisor Service delivers real-time updates to the Anti-Malware & Program Control Software Blade from a knowledge base of more than one million trusted and suspicious programs.
Client Platform Support
Operating Systems
Windows 7 (32 & 64-bit)
Windows Vista (32 & 64-bit)
Windows XP Pro (32-bit, SP2, SP3)
Client Language Support
Languages
English, Russian, Japanese, French, Italian, German, Chinese (simplified), Spanish
Antivirus
Heuristic Virus Scan
Scans files and identifies infections based on behavioral characteristics of viruses
On-access Virus Scan
Scans files as they are opened, executed or closed, allowing immediate detection and treatment of viruses
Deep Scan
Runs a detailed scan of every file on selected scan targets
Scan Target Drives
Specifies directories and file types to scan
Scan Exclusions
Specifies directories and file extensions excluded from scanning
Treatment Options
Choice of remediation: repair, rename, quarantine, delete
Checks the most common areas of the file system and registry for traces of spyware
Full-system Scan
Scans local file folders and specific file types
Deep-inspection Scan
Scans every byte of data on the computer
Scan Target Drives
Specifies which directories and file types to scan
Scan Exclusions
Specifies directories and file extensions excluded from scanning
Treatment Options
Choice of remediation: repair, rename, quarantine, delete
The Check Point Firewall & Compliance Check Software Blade protects workstations by regulating inbound and outbound traffic (personal firewall) and by monitoring compliance with the security policy (policy compliance) at the central management level. Applying different policies to different user groups and security levels protects workstations from unauthorized access.
Desktop Firewall
The desktop firewall protects the integrity of endpoints by regulating inbound and outbound traffic.
Compliance Check
With compliance scanning, endpoint systems are scanned for compliance with corporate security policy. Systems failing compliance can be directed to remediation.
Compliance Check
Anti-Malware Vendors and Versions Checked by Compliance Check
Check Point, Symantec, McAfee, Trend Micro, Kaspersky, Nod32, AVG, Avast, Sophos, Panda CA, Inoculate IT engine, BitDefender, MS Forefront
Firewall Options
Configuration Options
Inbound Firewall, Outbound Firewall, Stealth Mode
Platform Support
Operating Systems
Windows 7 (32 & 64 bit), Windows Vista (32 & 64 bit), Windows XP Pro (32-bit, SP2 and later)
Client Language Support
Languages
English, Russian, Japanese, French, Italian, German, Chinese (simplified), Spanish
The Check Point Remote Access VPN Software Blade provides users who are away from their workplaces (business travel, working from home) with secure, configuration-free access to the remote corporate network and its resources. The security and integrity of information are ensured by multi-factor authentication, PC compliance with corporate security policy, and encryption of transmitted data.
VPN Auto-Connect
Re-establishes lost connections by automatically switching connection modes. It eliminates the need for users to re-authenticate when roaming between different network types, using intermittent networks or resuming work from sleep mode.
IPsec VPN
Check Point Remote Access Software Blades support full IPsec VPN connectivity for strong authentication, data integrity and confidentiality. NAT-T standard support enables traversing between static and dynamic Network Address Translation (NAT) devices.
Multi-Factor Authentication Support
The Remote Access Software Blade offers comprehensive authentication, including: usernames and passwords, SecurID, challenge/response and CAPI software and hardware tokens.
Compliance Scanning
With compliance scanning, endpoints are automatically scanned for malware and suspicious activity to ensure compliance with corporate security policies. Failing endpoints can be directed to remediation.
Secure Hotspot Registration
With secure hotspot registration, administrators can selectively grant access to hotspot registration sites. Hotspot registration pages are loaded automatically for the user.
Client Platform Support
Operating Systems
Windows 7 (32 & 64 bit)
Windows Vista (32 & 64 bit)
Windows XP Pro (32-bit, SP2 and later)
Client Language Support
Languages
English, Russian, Japanese, French, Italian, German, Chinese (simplified), Spanish
Gateway Support
Check Point Gateways
Power-1 Appliances
UTM-1 Appliances
IP Appliances
Connectra R66
VPN-1 R65 HFA 40 and higher
The Check Point WebCheck Endpoint Software Blade protects the enterprise against the rising number of web-based threats. Known and unknown web threats, such as drive-by downloads, phishing sites and zero-day attacks, are isolated with browser virtualization technology, while advanced heuristics stop users from going to dangerous sites. This software blade is easily managed by unified Endpoint Security Management.
Browser Virtualization
The WebCheck Endpoint Software Blade maximizes browser security by virtualizing the browser and creating an isolated protected sandbox for the web browser—thereby segregating corporate data from the Internet.
Anti-Phishing
Signature matching and heuristics alert users to both known and unknown phishing pages. The Check Point heuristic detection engine identifies fraudulent copies of major financial, social networking, webmail and shopping sites.
Site Status Check
The WebCheck Endpoint Software Blade rates each site visited to warn users if a site has weak or suspicious credentials. Numerous attributes are examined to determine if the site is dangerous.
Browser Support
Browser Protected by WebCheck
Internet Explorer 6, 7, 8
Mozilla Firefox 2, 3
Client Platform Support
Operating Systems
Windows 7 (32 & 64 bit)
Windows Vista (32 & 64 bit)
Windows XP Pro (32-bit, SP2 and later)
Client Language Support
Languages
English, Japanese, Chinese (simplified)
Browser Attack Target
Attack Vector
External Browser Plug-in
Drive-by malware via plug-in outside browser (Flash, Acrobat, Office, etc.)
Internal Browser Plug-in
Drive-by malware via plug-in inside browser
Un-patched Vulnerabilities
Drive-by malware via browser hole
Browser Helper Object (BHO)
Drive-by malware via plug-in outside browser
Anti-phishing - Heuristic Protection
The WebCheck Endpoint Software Blade provides preemptive heuristic phishing protection for major web sites. Examples include:
Category
Web Site (partial list)
Banking
Bank of America
Wachovia
Wells Fargo
Ecommerce
eBay
PayPal
Amazon
Social Networking & Webmail
MySpace
Yahoo Mail
MSN Hotmail
Check Point GO
Check Point GO is a USB flash drive with hardware encryption and pre-installed software that instantly turns any PC available to you into your corporate computer, giving you access to corporate files and applications. The plug-and-play USB form factor makes it easy to launch a secure virtual workspace, which keeps data secure by restricting access between the virtual environment and the host computer. Users can work with files on Check Point GO locally as well as online, using the pre-installed VPN client.
Secure Virtual Workspace for Strong Endpoint Security
Check Point GO virtualization technology segregates the secure workspace from the host PC, enforcing isolation between Check Point GO and host PC environments. Since Check Point GO does not write to the host, no session traces or data are left behind.
Standard Windows User Environment
The Check Point GO secure virtual workspace leverages the standard Windows user environment, enabling easy navigation and rapid end-user adoption.
Integrated VPN Connectivity
Access critical files and applications anywhere using the Check Point GO advanced VPN client to connect with corporate networks and secure online resources. Host PCs are scanned to ensure presence of acceptable antivirus software.
Always-on Hardware and Software Encryption
Data at rest on the Check Point GO USB stick is always protected with “always-on” AES 256-bit hardware encryption. In addition, software encryption isolates and protects the data when in use.
File Transfer Control
Transfer of files between personal and corporate workspace environments is strictly controlled by the security policy.
Application Control
Only pre-approved applications are allowed to run within the secure virtual workspace, blocking installation of malware and other threats. GO can also block attempts to print from applications running inside of the protected environment.
Strong User Authentication
Check Point GO supports minimum password strength enforcement, as well as certificates and tokens for multi-factor authentication. A “virtual keyboard” can be used at login to block password theft by keyloggers.
Check Point GO Host Platform Support
Operating Systems
Windows 7 (32 & 64-bit, Home Premium, Enterprise, Ultimate)
Windows Vista (32 & 64-bit, Home and Professional, SP2+)
Windows XP (32-bit, Home and Professional, SP3+)
Check Point GO Client Language Support
Languages
English
Japanese
Chinese (simplified)
Encrypted USB Drive
SanDisk USB Drive
Available capacities: 4, 8 GB
High-speed USB 2.0 interface
AES 256-bit hardware encryption
FIPS 140-2 Level 2 certified drives available
Applications Tested for Functionality within the Check Point GO Secure Workspace
Adobe Acrobat (writer)
Adobe Reader 8/9
Citrix (web and fat clients, XenApp, NetScaler)
ClearQuest
CuteFTP
Cyberarc
Famatech Remote Administrator
FileZilla
Google Chrome portable
iNotes
Microsoft HyperTerminal
Microsoft Internet Explorer 6/7/8
Microsoft Media Player
Microsoft Notepad
Microsoft Office XP/2003/2007 Excel, PowerPoint and Word
Microsoft Paint
Microsoft terminal services (RDP) client (AKA mstsc)
Microsoft Windows Image Viewer
Mozilla Firefox, version 3 and later
Mozilla Firefox Portable edition from http://portableapps.com
Mozilla Thunderbird Portable Edition from http://portableapps.com
OpenOffice (Excel, Powerpoint and Word)
OpenOffice.org Portable office suite: Writer, Calc, and Impress from http://portableapps.com
Outlook Web Access
Personal Communications Workstation Program
PowerTerm InterConnect for Windows
Putty
SecureCRT
Siebel Client
Sumatra PDF Portable PDF Reader from http://portableapps.com
VNC Viewer
WebDav
WinRar
WinZip
WordPad
Calc
WS_FTP Home/PRO