Anti-virus hardware: 3 appliances tested

If e-mail security is giving you headaches, before you turn to voodoo magic, try one of these hardware appliance solutions.

We all have a policy to counter the threat of malicious code and, while it looks good in the procedures manual, does the reality match your expectations? It's all well and good installing antivirus (AV) software on all our desktops and servers, but how do we ensure they all carry the very latest detection engines and virus signature files?

In a large organisation just keeping track of AV software configurations can be a tough task. For example, I have a colleague who religiously updates his AV signatures and quite reasonably thought this was offering protection. However, the scan engine on his software was not the latest version: although it happily worked with the latest AV data files, it nevertheless had a security vulnerability which was unfortunately exploited by a virus that could have been detected and stopped with the latest engine.

What is needed, at the very least, is a secure and robust way to manage the deployment and updating of virus data files on your organisation's myriad PCs. Wouldn't it be nice if you could simply plug in an appliance and have it look after the administration and rollout of AV software to all your network clients? And, taking it a step further, it would also be great if the antivirus appliance (AVA) also acted as a first line of defence and actually scanned incoming e-mail and attachments for viruses?

For this feature, the Lab tested three such appliances, two of which include both client administration and active virus scanning, while the third handled only client administration.

Features that you will want to look for in an active antivirus appliance are quite extensive. For a start, can the AVA function in both proxy and transparent mode? In proxy mode you will have to reconfigure all your clients to look at the AVA instead of your mail server for example. It may be that in your situation it would be easier if you could simply plug the AVA into the data stream so that all network traffic simply flows through the appliance and is scanned transparently.

Checking e-mail is certainly a high priority, so support for SMTP and POP3 is mandatory, but what about FTP (both Gets and Puts; you do not want a staff member unwittingly FTPing an infected attachment past your defences)? While on the topic of e-mail, many attachments are compressed, so the AVA had better be able to examine compressed files.
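To show why an appliance has to look inside compressed attachments rather than judge them by their outer name, here is an added example (written for this feature, not code from any of the vendors reviewed) that walks a zip archive, recurses into zips nested inside it, and reports members whose final extension is on a block list. The block list, the nesting limit and the inflation budget are assumed values chosen for the example; the two limits are there because a scanner that inflates archives blindly can be tied up by deeply nested or highly compressible archives.

```python
import io
import zipfile

# Assumed policy values for this example (not taken from any appliance's defaults).
BLOCKED_EXTENSIONS = {"exe", "bat", "com", "vbs", "scr", "hta", "dll"}
MAX_DEPTH = 3                        # deepest archive nesting the scanner will follow
MAX_TOTAL_BYTES = 50 * 1024 * 1024   # stop inflating once this much data has been charged


def _extension(name):
    # Judge only the final extension, lower-cased, so "photo.jpg.exe" counts as "exe".
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def inspect_archive(data, depth=0, prefix="", budget=None):
    """Walk a zip (possibly containing zips) and return a list of findings.

    Each finding is (member_path, reason) where reason is one of
    'blocked-extension', 'depth-exceeded', 'budget-exceeded' or 'not-a-zip'.
    Nested members are written as outer.zip!/inner.zip!/file.
    """
    if budget is None:
        budget = [MAX_TOTAL_BYTES]   # shared across the recursion
    if depth > MAX_DEPTH:
        return [(prefix, "depth-exceeded")]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(prefix, "not-a-zip")]
    findings = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            # Charge the declared uncompressed size before reading the member.
            budget[0] -= info.file_size
            if budget[0] < 0:
                findings.append((path, "budget-exceeded"))
                break
            ext = _extension(info.filename)
            if ext in BLOCKED_EXTENSIONS:
                findings.append((path, "blocked-extension"))
            elif ext == "zip":
                findings.extend(inspect_archive(zf.read(info), depth + 1, path + "!/", budget))
    return findings


def build_sample_archive():
    """Construct a test archive (not a real capture): an outer zip holding a
    harmless text file and an inner zip that hides a blocked .exe member."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("setup.exe", b"MZ not a real program")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", b"hello")
        z.writestr("payload.zip", inner.getvalue())
    return outer.getvalue()


def build_nested_archive(levels):
    """Construct `levels` zips nested inside one another with a text file at the core."""
    data, name = b"core", "core.txt"
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(name, data)
        data, name = buf.getvalue(), f"level{i}.zip"
    return data


if __name__ == "__main__":
    print(inspect_archive(build_sample_archive()))
    print(inspect_archive(build_nested_archive(5)))
```

A scanner that only checked the outer attachment would see `payload.zip` and pass it; the walk above reports the `.exe` inside it, and refuses to keep unpacking once the nesting limit or the inflation budget is exceeded instead of looping until memory runs out.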

The Web can also provide an attractive conduit for viruses into your organisation, so it would be nice if the AVA checked all HTTP traffic for Java, ActiveX, and Visual Basic viruses, or perhaps even blocked downloadable objects completely.

What does the AVA do with the viruses once it finds them? Obviously the standard clean, delete, and quarantine options should be available but in the case of an infected e-mail it would be helpful if the AVA sent a message back to the sender warning them that they passed on malicious code.

Obviously the whole process should be as automated as possible: the updating of the AVA's virus signature files and scan engine should be automatic and, in the case of the former, a daily or weekly schedule would be desirable. The scanning engine should also include "heuristics", that is, the ability to spot a new virus for which there is no signature on record simply by analysing the code and looking for undesirable actions.

Another neat feature to look out for is load balancing, where several appliances share the load and, if one were to fail, the others could maintain antivirus security, albeit at a reduced throughput.

Other useful features include blocking unwanted e-mail, spam, and "time-wasting" Web sites. This may simply be a case of the product providing the ability to define e-mail addresses, message contents, or Web site addresses, and content that you wish blocked.

And at the end of it all you would certainly like to be able to capture logs of the activity to help identify common threats and, if nothing else, justify the existence of the appliance.

FortiGate Network Protection Gateway 200
The FortiGate is a small 1RU unit that can be either rack mounted or simply stacked. It's certainly not a complex-looking unit: the front panel features five status LEDs for Power, Status, Internal LAN, External LAN, and DMZ LAN (the three 10/100 Ethernet ports and a COM port). The unit is sealed and, with one exception, has no user-serviceable parts; the exception is the 2.5in 20GB hard drive that resides in a removable cradle at the rear of the unit. The FortiGate is also much more than an AV appliance because it also includes an integrated firewall, intrusion detection, and VPN.

Installation and configuration was very simple, a stark contrast to the Symantec unit for example. We simply connected a notebook to the internal LAN port with the supplied crossover cable and, using a Web browser, accessed the unit's Web interface.

The Web interface is far from complex, in fact it is one of the simplest we have seen, and although it's very easy to navigate it is nevertheless still feature rich. The unit can be configured to screen HTTP, SMTP, POP3, and IMAP protocols and set to either Network Address Translation (NAT) or transparent mode. Both antivirus scanning (which includes scanning for worms) and content filtering can be configured to screen between all three LAN interfaces (internal, external, and DMZ), in both directions if required. Now while the unit is quite flexible in terms of the interfaces and directions screened, it's pretty heavy-handed when a virus is detected: the offending file is simply deleted from the data stream and replaced by a message alerting the receiver to the infection and the deleted file. Setting the AV software up to block specific types of files functions in much the same way: the offending file is deleted and again the receiver informed. File types that can be specifically blocked (or allowed, as the case may be) include exe, bat, com, vbs, zip, gzip, tar, hta, rar, scr, dll, and MS Office files containing macros. What is neat, but perhaps not all that useful, is a feature that displays a list of all the viruses and worms the FortiGate recognises. The virus signatures can be updated manually or automatically on either a daily or weekly basis.

As far as Web traffic is concerned, the FortiGate can block specific URLs, or all URLs for that matter, and then simply allow a couple of enumerated ones through. Content blocking also allows the definition of banned words, and these can be in English, Chinese, Japanese, or Korean.

Full event logs are maintained by the appliance and these can be saved on the unit's internal hard drive or, if you choose, on a nominated remote PC. The log files are not particularly pretty, and if your organisation suffers quite a few attacks and attempted virus incursions they can be a pain to wade through; however, there is a useful search feature so you can zero in on particular incident types.

McAfee WebShield e250
The e250 appliance proves you do not have to reinvent the wheel by cooking up new hardware when existing hardware can be tailored to suit the task. Without being derogatory, the e250 is nothing more than a Pentium III desktop PC running Red Hat Linux and an antivirus engine. The PC includes a reliable Intel motherboard and two 10/100 Ethernet connectors, one integrated into the motherboard and the other on a PCI card. As with any typical PC, should the need arise the unit's memory and hard drives can be expanded or upgraded.

Configuration of the unit is surprisingly simple; we connected a notebook up to LAN port 1 with the supplied crossover patch cable for immediate access to the configuration page through our Web browser. It was then a simple matter to configure the network settings (which surprisingly took less than 10 minutes) and remotely reboot the e250 for the new settings to take effect. Also during the initial setup the decision must be made whether to configure the unit as a proxy or simply set it to transparent mode.

Upon rebooting the Web interface gains a whole new swag of functionality and for the first time the user is presented with the e-mail and antivirus configuration options.

The interface may not be particularly pretty but it is definitely simple and very easy to navigate. And because there is no need to drill down through multiple menus, even a novice user can find their way about at a glance.

The antivirus engine includes the ability to independently configure the method of scanning and the actions taken on incoming and outgoing data. There are three user-definable levels of scanning: the highest scans all files, including compressed ones, while the lowest scans only executable and MS Office files. There is heuristic analysis for unknown macro and program viruses, and you can select either clean or delete when a virus is found. You can also choose to have the virus quarantined if the cleaning fails. If a virus is found, both the receiver and sender can be automatically notified.

The e250 supports the SMTP, POP3, FTP, and HTTP protocols. In terms of functionality, the appliance is very flexible: in the case of e-mail the e250 can be configured not just to block relaying but to fine-tune it, permitting or denying domains and going right down to user-specified e-mail address character patterns. The configuration of settings for content scanning, anti-spam, and attachments is also quite flexible.

Web browser content blocking extends to specifying URL substrings and any of ActiveX, Java, and scripting languages in general. The e250 has quite robust logging, reporting, and alerting options, but if you want absolutely all the bells and whistles in this department McAfee's ePolicy Orchestrator delivers. The ePO also manages desktop client and server antivirus administration.

Symantec Gateway Security 5300
The SGS 5300 is a largish 1RU unit that includes pretty much the whole gamut of Internet security features: it has an integrated firewall, Internet content filtering, intrusion detection, VPN, and of course antivirus engine.

The front panel is quite neat as it flips up to make it easier to use, which is just as well because the two-line LCD display is tiny: the characters are much the same size as those on your average digital watch. The unit can be configured via the LCD display and six buttons on the front panel and, while that is relatively logical, you would be advised to carry out the bulk of the configuration via the Symantec Raptor Management Console (SRMC) once the IP addresses are sorted out. The front panel also features status LEDs for LAN link and activity and for hard drive activity. Yes, the unit includes a 30GB hard drive and, what's more, has space for four hard drives in total. The unit is quite expandable: ours was fitted with a single processor but there is provision for a second. The base unit's 512MB of memory can be expanded using three free DIMM slots.

The rear of the unit is fairly sparse: other than the four 10/100 LAN interfaces there are two COM ports for console communication and UPS control if necessary.

The setup procedure is a reasonably lengthy process, complicated by the perhaps overzealous security in the form of long product registration keys and even lengthier passwords.

Once up and running, however, the antivirus functionality can easily be configured from the SRMC, which is quite intuitive to drive.

The 5300 monitors SMTP, FTP, and HTTP traffic in either proxy or transparent mode.

Viruses can be cleaned, deleted, or quarantined, and the 5300 combines quite a range of Symantec's antivirus core technologies. For example, "Bloodhound" is the heuristic module for detection of new and unknown viruses; "Striker" identifies polymorphic viruses; and the NAVEX antivirus engine enables virus definition and engine updates without the need to interrupt the service; updates are carried out automatically by the 5300. The unit also supports very robust content filtering, so even before a new virus definition is supplied, attachments with a particular filename, extension, subject line, origin, or size can be dealt with. The 5300 can be configured to warn recipients that a virus was detected and handled, and can also warn the sender that a virus was detected in their e-mail.

Mail can also be filtered by file name, file size, subject, domain, and intentionally malformed e-mail. Internet content filtering is a rules-based function. For example, you can disallow "satanic/cult" sites while allowing "drugs/drug culture", or a particularly offensive site can be excluded by defining its URL. If you want to be particularly limiting you can disallow all URLs except those specifically allowed. The "allowable filename extensions" setting is not as flexible as some of the others, with just an "allow" extension option. If, for example, you allow .gif extensions then every other file extension will be disallowed, so you will have to carefully list all the extensions you want passed; a bit of a drag.
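The two attachment policies described in this feature, the FortiGate's block list of file types (with the offending part deleted and replaced by a notice to the receiver) and the SGS 5300's allow-only extension option, differ in what happens to a type nobody thought to list. The following added example (written for this feature, not code from either vendor) parses a MIME message, strips attachments the chosen policy disallows, and puts a plain-text notice in their place; the block list, allow list and notice wording are assumed values for the example, and only top-level parts are examined.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed policy tables for this example; they are not any vendor's defaults.
BLOCK_LIST = {"exe", "bat", "com", "vbs", "scr", "hta", "dll", "rar"}
ALLOW_LIST = {"gif", "pdf", "txt"}
NOTICE = "The attachment '{name}' was removed by the mail gateway ({reason})."


def attachment_extension(part):
    # Judge only the final extension, lower-cased, so 'report.txt.exe' counts as 'exe'.
    name = part.get_filename() or ""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def is_disallowed(part, mode, block=BLOCK_LIST, allow=ALLOW_LIST):
    """mode='block' drops only the listed extensions (the block-list style);
    mode='allow' drops everything that is not explicitly listed (the allow-only
    style), which is why an allow list must name every type you want passed."""
    ext = attachment_extension(part)
    if mode == "block":
        return ext in block
    if mode == "allow":
        return ext not in allow
    raise ValueError("mode must be 'block' or 'allow'")


def filter_message(raw, mode, **lists):
    """Parse a raw RFC 5322 message, strip disallowed attachments and put a
    text notice in their place. Returns (rebuilt_message, names_removed).
    Parts without a Content-Disposition of attachment (the body) always pass."""
    msg = message_from_bytes(raw, policy=policy.default)
    removed = []
    if not msg.is_multipart():
        return msg, removed            # nothing attached, nothing to strip
    out = EmailMessage()
    for header in ("From", "To", "Subject", "Date"):
        if msg[header] is not None:
            out[header] = str(msg[header])
    out.make_mixed()                   # start a fresh multipart/mixed container
    for part in msg.iter_parts():
        if part.is_attachment() and is_disallowed(part, mode, **lists):
            name = part.get_filename()
            removed.append(name)
            note = EmailMessage()
            note.set_content(NOTICE.format(name=name, reason=f"{mode}-list policy"))
            out.attach(note)           # the notice takes the attachment's place
        else:
            out.attach(part)
    return out, removed


def remaining_attachments(msg):
    return [p.get_filename() for p in msg.iter_parts() if p.is_attachment()]


def build_sample_message():
    """Construct a test message (not a real capture): a text body, a .gif and a .exe."""
    m = EmailMessage()
    m["From"] = "alice@example.com"
    m["To"] = "bob@example.com"
    m["Subject"] = "files"
    m.set_content("see attached")
    m.add_attachment(b"GIF89a\x00", maintype="image", subtype="gif", filename="photo.gif")
    m.add_attachment(b"MZ\x00\x00", maintype="application", subtype="octet-stream",
                     filename="tool.exe")
    return m.as_bytes()


if __name__ == "__main__":
    raw = build_sample_message()
    for mode in ("block", "allow"):
        rebuilt, gone = filter_message(raw, mode)
        print(mode, "removed:", gone, "kept:", remaining_attachments(rebuilt))
    rebuilt, gone = filter_message(raw, "allow", allow={"pdf"})
    print("allow (pdf only) removed:", gone, "kept:", remaining_attachments(rebuilt))
```

With the block list, only `tool.exe` is stripped and the `.gif` passes because nobody listed it; with the allow-only policy the same `.gif` passes only because `gif` was added to the list, and narrowing the list to `pdf` strips it too. That is the behaviour the 5300's "allow" option imposes, and the reason its extension list has to be written out in full.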

If multiple units are deployed in your organisation the 5300 supports high availability and load balancing for the cluster.

Subscribe now to Australian Technology & Business magazine.
