This story was printed from ZDNet Australia.
Antivirus hardware: 3 appliances tested
February 26, 2003
URL: http://www.zdnet.com.au/reviews/hardware/peripherals/soa/Antivirus-hardware-3-appliances-tested/0,139023417,120272398,00.htm
If e-mail security is giving you headaches, before you turn to voodoo magic, try one of these hardware appliance solutions.

We all have a policy to counter the threat of malicious viruses and, while it looks good in the procedures manual, does the reality match your expectations? It's all well and good installing antivirus (AV) software on all our desktops and servers, but how do we ensure they all carry the very latest detection engines and virus signature files? In a large organisation just keeping track of AV software configurations can be a tough task. For example, I have a colleague who religiously updates his AV signatures and quite reasonably thought this was offering protection. However, the scan engine on his software was not the latest version: although it happily worked with the latest AV data files, it nevertheless had a security vulnerability which was unfortunately exploited by a virus that could have been detected and stopped with the latest engine.

What is needed, at the very least, is a secure and robust way to manage the deployment and updating of virus data files on your organisation's myriad PCs. Wouldn't it be nice if you could simply plug in an appliance and have it look after the administration and rollout of AV software to all your network clients? And, taking it a step further, it would also be great if the antivirus appliance (AVA) acted as a first line of defence and actually scanned incoming e-mail and attachments for viruses.

For this feature, the Lab tested three such appliances, two of which include both client administration and active virus scanning, while the third handled only client administration. Checking e-mail is certainly a high priority, so support for SMTP and POP3 is mandatory, but what about FTP (both Gets and Puts; you do not want a staff member unwittingly FTPing an attached virus past your defences)?
While on the topic of e-mail, many attachments are compressed, so the AVA had better be able to examine compressed files. The Web can also provide an attractive conduit for viruses into your organisation, so it would be nice if the AVA checked all HTTP traffic for Java, ActiveX, and Visual Basic viruses, or perhaps even blocked downloadable objects completely.

What does the AVA do with the viruses once it finds them? Obviously the standard clean, delete, and quarantine options should be available, but in the case of an infected e-mail it would be helpful if the AVA sent a message back to the sender warning them that they passed on malicious code. Obviously the whole process should be as automated as possible: the updating of the AVA's virus signature files and scan engine should be automatic and, in the case of the former, a daily or weekly schedule would be desirable. The scanning engine should also include heuristics, that is, the ability to spot a new virus for which there is no signature on record simply by analysing the code and looking for undesirable actions.

Another neat feature to look out for is load balancing, where two or more of the appliances share the load and, if one were to fail, the other could maintain antivirus security, albeit at a reduced throughput. Other useful features include blocking unwanted e-mail, spam, and time-wasting Web sites. This may simply be a case of the product providing the ability to define e-mail addresses, message contents, or Web site addresses and content that you wish blocked. And at the end of it all you would certainly like to be able to capture logs of the activity to help identify common threats and, if nothing else, justify the existence of the appliance.

FortiGate Network Protection Gateway 200
The FortiGate is a small 1RU unit that can be either rack mounted or simply stacked. It's certainly not a complex looking unit: the front panel features five status LEDs for Power, Status, Internal LAN, External LAN, and DMZ LAN (the three 10/100 Ethernet ports and a COM port). The unit is sealed and with one exception has no user serviceable parts; the exception is the 2.5in 20GB hard drive that resides in a removable cradle at the rear of the unit. The FortiGate is also much more than an AV appliance, because it also includes integrated firewall, intrusion detection, and VPN.
Installation and configuration was very simple, a stark contrast to the Symantec unit for example. We simply connected a notebook to the internal LAN port with the supplied crossover cable and, using a Web browser, accessed the unit's Web interface. The Web interface is far from complex, in fact it is one of the simplest we have seen, and although it's very easy to navigate it is nevertheless still feature rich. The unit can be configured to screen HTTP, SMTP, POP3, and IMAP protocols and set to either Network Address Translation (NAT) or transparent mode. Both antivirus scanning (which includes scanning for worms) and content filtering can be configured to screen between all three LAN interfaces (internal, external, and DMZ), in both directions if required.

Now while the unit is quite flexible in terms of the interfaces and directions screened, it's pretty heavy-handed when a virus is detected: the offending file is simply deleted from the data stream and replaced by a message alerting the receiver of the infection and the deleted file. Setting the AV software up to block specific types of files functions in much the same way; the offending file is deleted and again the receiver informed. File types that can be specifically blocked (or allowed, as the case may be) include exe, bat, com, vbs, zip, gzip, tar, hta, rar, scr, dll, and MS Office files containing macros. What is neat, but perhaps not all that useful, is a feature that displays a list of all the viruses and worms that the FortiGate recognises. The virus signatures can be updated manually or automatically on either a daily or weekly basis. As far as Web traffic is concerned, the FortiGate can block specific URLs, or all URLs for that matter, and then you can simply allow a couple of enumerated ones through. Content blocking also allows the definition of banned words, and these can be in English, Chinese, Japanese, or Korean.
Full event logs are maintained by the appliance and these can be saved on the unit's internal hard drive or, if you choose, on a nominated remote PC. The log files are not particularly pretty, and if your organisation suffers quite a few attacks and attempted virus incursions they can be a pain to wade through; however, there is a useful search feature so you can zero in on particular incident types.
McAfee WebShield e250
The e250 appliance proves you do not have to reinvent the wheel by cooking up new hardware when existing hardware can be tailored to suit the task. Without being derogatory, the e250 is nothing more than a Pentium III desktop PC running Red Hat Linux and an antivirus engine. The PC includes a reliable Intel motherboard and two 10/100 Ethernet connectors, one integrated into the motherboard and the other on a PCI card. As with any typical PC, should the need arise the unit's memory and hard drives can be expanded or upgraded.

Configuration of the unit is surprisingly simple; we connected a notebook up to LAN port 1 with the supplied crossover patch cable for immediate access to the configuration page through our Web browser. It was then a simple matter to configure the network settings (which surprisingly took less than 10 minutes) and remotely reboot the e250 for the new settings to take effect. Also during the initial setup the decision must be made whether to configure the unit as a proxy or simply set it to transparent mode. Upon rebooting, the Web interface gains a whole new swag of functionality and for the first time the user is presented with the e-mail and antivirus configuration options. The interface may not be particularly pretty, but it is definitely simple and very easy to navigate. And because there is no need to drill down through multiple menus, even a novice user can find their way about at a glance.

The antivirus engine includes the ability to independently configure the method of scanning and the actions taken on incoming and outgoing data. There are three user definable levels of scanning: the highest scans all files, including compressed, while the lowest only scans executable and MS Office files. There is heuristic analysis for unknown macro and program viruses, and you can select either clean or delete when a virus is found. You can also select to have the virus quarantined if the cleaning fails.
If a virus is found, both the receiver and sender can be automatically notified. The e250 supports the SMTP, POP3, FTP, and HTTP protocols. In terms of functionality, the appliance is very flexible: in the case of e-mail the e250 can be configured not just to block relaying but to fine tune it to permit or deny domains, right down to user specified e-mail address character patterns. The configuration of settings for content scanning, anti-spam, and attachments is also quite flexible. Web browser content blocking extends to specifying URL substrings and any of ActiveX, Java, and scripting languages in general. The e250 has quite robust logging, reporting, and alerting options, but if you want absolutely all the bells and whistles in this department, McAfee's ePolicy Orchestrator delivers. The ePO also manages desktop client and server antivirus administration.
Symantec Gateway Security 5300
The SGS 5300 is a largish 1RU unit that includes pretty much the whole gamut of Internet security features: it has an integrated firewall, Internet content filtering, intrusion detection, VPN, and of course an antivirus engine.
The front panel is quite neat as it flips up to make it easier to use, which is just as well because the two line LCD display is tiny; the characters are much the same size as on your average digital watch. The unit can be configured via the LCD display and six buttons on the front panel, and while this is relatively logical you would be advised to carry out the bulk of the configuration via the Symantec Raptor Management Console (SRMC) once IP addresses are sorted out. The front panel also features status LEDs for LAN link and activity and for hard drive activity. Yes, the unit includes a 30GB hard drive and, what's more, has space for four hard drives in total. The unit is quite expandable: ours was fitted with a single processor, but there is the facility for a second, and the base unit's 512MB of memory can be expanded via three free DIMM slots. The rear of the unit is fairly sparse; other than the four 10/100 LAN interfaces there are two Com ports for console communication and UPS control if necessary.

The setup procedure is a reasonably lengthy process, and it is complicated by the perhaps overzealous security in the form of long product registration keys and even lengthy passwords. Once up and running, however, the antivirus functionality can easily be configured from the SRMC, which is quite intuitive to drive. The 5300 monitors SMTP, FTP, and HTTP traffic in either proxy or transparent mode. Viruses can be cleaned, deleted, or quarantined, and the 5300 combines quite a range of Symantec's antivirus core technologies. For example, Bloodhound is the heuristic module for detection of new and unknown viruses; Striker identifies polymorphic viruses; and the NAVEX antivirus engine enables virus definition and engine updates without the need to interrupt the service. Updates are carried out automatically by the 5300.
The unit also supports very robust content filtering, so even before a new virus definition is supplied, attachments with a particular filename, extension, subject line, origin, or size can be dealt with. The 5300 can be configured to warn recipients that a virus was detected and handled, and can also warn the sender that a virus was detected in their e-mail. Mail can also be filtered by file name, file size, subject, domain, and intentionally malformed e-mail. Internet content filtering is a rules-based function. For example, you can disallow satanic/cult sites while allowing drugs/drug culture, or a particularly offensive site can be excluded by defining its URL. If you want to be particularly limiting you can disallow all URLs except those specifically allowed. The allowable filename extensions setting is not as flexible as some of the others, with just an allow extension option. If, for example, you allow .gif extensions then every other file extension will be disallowed, so you will have to carefully list all the extensions you want passed; a bit of a drag. If multiple units are deployed in your organisation, the 5300 supports high availability and load balancing for the cluster.
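The two attachment policies the review contrasts (the FortiGate's extension block list and the SGS 5300's allow-only extension setting) can be expressed as a small gateway filter; the following is an added illustration, not code from either vendor, and it assumes a hypothetical gateway that sees raw messages and must also look inside zip attachments, as the review asks of any AVA. Sample messages are constructed inline.

```python
import email
import io
import zipfile
from email.message import EmailMessage
# Extension block list quoted in the FortiGate section of the review.
BLOCKED = {"exe", "bat", "com", "vbs", "zip", "gzip", "tar", "hta", "rar", "scr", "dll"}

def extension_of(filename):
    """Lower-cased text after the last dot, or "" when there is no dot."""
    name = (filename or "").lower()
    return name.rsplit(".", 1)[1] if "." in name else ""

def attachment_names(raw_message):
    """Yield attachment filenames, descending into zips so a blocked type hidden inside is still seen."""
    for part in email.message_from_bytes(raw_message).walk():
        name = part.get_filename()
        if not name:
            continue
        yield name
        if extension_of(name) == "zip":
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    for member in zf.namelist():
                        yield name + ":" + member
            except zipfile.BadZipFile:
                yield name + ":<unreadable-archive>"

def blocklist_verdict(raw_message):
    """FortiGate-style policy: anything with a blocked extension is dropped."""
    hits = [n for n in attachment_names(raw_message) if extension_of(n) in BLOCKED]
    return ("blocked", hits) if hits else ("allowed", [])

def allowlist_verdict(raw_message, allowed=frozenset({"gif"})):
    """SGS 5300-style policy: only enumerated extensions pass (allow .gif alone and everything else is rejected)."""
    hits = [n for n in attachment_names(raw_message) if extension_of(n) not in allowed]
    return ("blocked", hits) if hits else ("allowed", [])

def build_sample(include_zip=True):
    """Constructed sample message: a harmless .gif and, optionally, a zip hiding a .scr."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.scr", b"placeholder bytes, not a real program")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.test", "b@example.test", "files"
    msg.set_content("see attached")
    msg.add_attachment(b"GIF89a", maintype="image", subtype="gif", filename="logo.gif")
    if include_zip:
        msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="docs.zip")
    return msg.as_bytes()
```

Note that the allow-only form rejects the .gif-plus-zip sample for the same reason the review calls it a drag: every extension not enumerated, not just the dangerous ones, is dropped.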
Editor's Pick

The features offered by the units we tested differed somewhat, making it difficult to choose an all out winner. If you've already got a firewall in place then you'd want to go for the McAfee WebShield e250. It was flexible, feature rich, and is reasonably priced. On the other hand, if you were also looking around for something that would give you firewall and intrusion detection in addition to antivirus scanning, then the inexpensive FortiGate NPG 200 is a winner. It's not quite as feature rich as the Symantec appliance, and yet is roughly a fifth the price.

Scenario 1: This company wants to install an antivirus gateway appliance to scan all incoming e-mail and Web traffic for its 150 users.
Approximate budget: Open.
Requires: One antivirus appliance.
Concerns: The company is concerned the appliance may affect throughput of Internet and mail traffic. The appliance should be easy to manage remotely. The frequency of virus definition updates is also a concern.
Best solution: If you already have a firewall in place then the obvious choice for your antivirus appliance is the McAfee WebShield e250. Of the appliances tested, the McAfee product is the most flexible and feature rich in terms of its AV prowess and is reasonably priced. On the other hand, if you were also looking around for a firewall and intrusion detection appliance as well, which of course was not the thrust of this comparison, then the inexpensive FortiGate NPG 200 is hard to go past; although it's not quite as feature rich as the Symantec appliance, it is nevertheless around a fifth its price.

Aladdin eSafe Appliance
Unfortunately we received the Aladdin eSafe Gateway after we had completed testing: it was actually delivered a couple of days before we left for our Christmas break. We did, however, have a chance to give it a very quick once over. The appliance is actually a PC crammed into a tiny 22 x 24 x 5cm stackable case. The unit is powered by a Celeron 733 with 512MB of RAM and a 2.5in 10GB hard drive loaded with Linux; the AC power supply is a large external "brick". The rear has connectors for keyboard, mouse, monitor, parallel port and two Com ports, as well as a single 10/100 LAN port. The unit can be configured to automatically update virus/vandal signatures, restricted lists, and URL filters.
About RMIT Test Labs
RMIT IT Test Labs is an independent testing institution based in Melbourne, Victoria, performing IT product testing for clients such as IBM, Coles-Myer, and a wide variety of government bodies. In the Lab's testing for Technology & Business, they are in direct contact with the clients supplying products. Their findings are their own; only the specifications of the products to be tested are provided by the magazine. For more information on RMIT, please contact the Lab Manager, Steven Turvey.
Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.