The tool is primarily made up of a central administrative console which controls policy dissemination through software agents deployed to hosts running Windows, UNIX, Linux and iSeries operating systems. Configuration management is also offered for Oracle, MS SQL, Sybase and a handful of other application systems.
The SCM server components are typically installed on Windows 2000 or Windows 2003 and use a MS SQL 2005 database. We had a little bit of trouble with the solution not recognising a database during one install attempt, but it recognised it when we chose a different installation option.
Agents for individual hosts (branded as NetIQ VigilEnt) that are managed through SCM can be deployed by the console using a deployment wizard. We did not have any trouble deploying various test agents throughout our lab environment. Hosts can also be part of the reporting and monitoring process without an agent installed, they simply won't have policies pushed to them.
Unlike policy management solutions that strictly push configuration files to network devices, there is a little bit more overhead associated with managing agents installed on Windows, UNIX and other operating systems.
Overall, the performance was good, however. SCM approaches policy management by comparing known vulnerabilities and threats with the configuration of the managed assets in the environment.
Baselines are taken and compared against a series of regulation requirements, best practice templates, or your own custom policies. Out of the box, we liked the fact that the SCM solution has a solid number of features and is based on risk. SCM goes above and beyond a simple black and white gap analysis of your assets and whether or not they're in compliance with pre-determined policies and configuration standards.
The value is enhanced by the ability to weigh the importance of the asset within your environment. Reports are then generated with risk scores based on that criticality in order to aid in remediation efforts and prioritisation of tasks when your assets appear out of compliance.
Stakeholders can then choose to remediate or accept the risk, and NetIQ has taken a business approach to these tasks. Additionally, there are several compliance templates and reports for all the popular regulations, as well as a host of best practice templates.
Documentation for the SCM is adequate to get by, but we would like to see just a few more screen shots in the PDF documents and bundled help file.
Pricing starts at US$1,100 per server that reports through SCM (agent or agentless) and this price includes basic support. In addition to phone and email support, customers can also access the online user forums and the NetIQ knowledge base. Premium support is available for an additional cost.
Overall, we find that this is a pretty good value for organisations who really struggle with compliance and configuration management across multiple platforms. NetIQ customers will benefit from framework integration with other products.
See original article on SC Magazine US
For: Solid feature set. Risk-based scoring mechanisms to help prioritise remediation efforts. Against: May get pricey as more assets are managed. Verdict: Overall a good risk-based approach for managing known weaknesses in configurations, patches and other host-level vulnerabilities. We recognise this product with our SC Magazine Best Buy.