February 2011
Technology Report
processing load, so that scanning will not noticeably decrease access times or interrupt workflow.
As both the malware landscape and anti-malware products have changed, so has the security testing industry. When products under test were updated periodically, used on-demand scanning and the total known malware was in the thousands, it made sense to have only a single pass-or-fail test, performed a few times a year over a static test-bed of samples. This is no longer the reality of the current user experience. While it can be a meaningful baseline test of anti-malware functionality, it is far from a complete picture of overall product performance.
In order to accurately reflect a user's experience with malware, it is important to gather the full spectrum of malware from a variety of sources throughout the internet, circulating on various protocols. This means including not just email-based malware, but malicious files on P2P networks, as well as on the web and other attack vectors. Because malware does not stop when the work day ends, nor does it recognize geographic boundaries, threats must be collected all day from around the world.
As anti-malware products have begun to include more wide-ranging technologies, including ones which are initiated upon execution of a file, testing must incorporate dynamic functionality by running threats on test machines. This naturally takes more time than scanning an immobile directory of files, so one must take care to select the most relevant sample set, the one a customer is most likely to encounter. This takes into account not just prevalence, but the popularity of the attack vector on which it spreads, the potential for damage on an infected system, as well as geography. Malware authors are always abreast of technology trends: where do people share their information, how do people share files?
At West Coast Labs, we've already begun to see an increase of attacks on things like digital picture frames, USB thumb drives, mobile phones and popular Web 2.0 sites. So, suffice to say, if you know a few people who use one or other or all of these, malware authors are looking to exploit them for financial gain. Likewise, anti-malware vendors are developing technologies to protect them, and testers like West Coast Labs are developing methodologies to mirror the user's risk and potential infection experience. In order to keep up to date on the evolving malware landscape, one need only see which new widgets are being used in home and business network environments.
www.westcoastlabs.com
But in the corporate world, keeping updated on the latest threats and technologies is not enough; TCO and ROI need to be considered. How well do advanced technologies proactively detect? How quickly are new threats added? How responsive is customer support? How easily can the solution be managed remotely? How much CPU time is used for scanning? To find the answers to many of these questions, take a look at product performance data from leading independent test organizations, such as West Coast Labs, and the performance validation programs they deliver, such as Real Time Testing. You can also take a close look at how individual vendors are responding to the changing threat landscape and the implications for the security of corporate networks. Nowadays, vendors are defining protection differently. No longer is it just product performance-related, but also related to business and customer service issues, delivering a higher-value overall service to meet not just security but also business needs. When considering product performance in a corporate network environment, protection is more than current malware detection capabilities; it's also about the extent of a vendor's product research and development strategy that anticipates threats and trends to ensure proactive network protection. It can be further defined as the extent to which malware protection is delivered for a multiplatform infrastructure through efficient and easily managed solutions with wide interoperability capabilities. Protection is also about the extent to which business interests are protected through vendor service strategies that now include optimized and cost-effective security plans tailored to individual corporations' needs for maximizing business productivity, lowering the total cost of ownership and maximizing the return on investment. Also, given that corporations are operating in a worldwide e-economy, all this needs to be supported by trusted and responsive global support plans.
Yes, the threat landscape is continuing to evolve, with new malware threats spawned at an alarming rate, but no longer is malware protection, and information security in general, just a technical issue; it's a business issue. That's why vendors' product and service solutions are evolving to suit these changing needs, and West Coast Labs is developing independent product performance programs that ensure that these products and services are tested and validated accordingly.
Lysa Myers, Director of Research at West Coast Labs. Lysa can be contacted at lmyers@westcoast.com
VP US Sales: Scott Markle - smarkle@westcoast.com US Sales: Rochelle Carter - rcarter@westcoast.com UK/Europe Sales: Sebastian Stoughton - sstoughton@westcoast.com China/Japan Sales: Jesse Song - jsong@westcoast.com India/ROW Sales: Chris Thomas - cthomas@westcoast.com
Kaspersky Security 8.0 for Microsoft Exchange Servers (Kaspersky Security 8.0)
Kaspersky Security 8.0 provides anti-malware and anti-spam protection for mail traffic on corporate networks. Its integration with Exchange allows for detection and removal of malware and spam at the gateway level. The product is easy to install, and its user-friendly interface, flexible administration and straightforward configuration and reporting system do not place excessive demand upon administrators' time. No extra setup is required on Exchange and malware protection began immediately. Management of the solution is simple, as Kaspersky Security 8.0 employs a Microsoft Management Console (MMC) snap-in, providing an intuitive interface with full access to all features. Database and signature updates run automatically, as often as every two hours, but if required may be run on demand. Although there are fewer options available compared to other corporate products on the market, it can be argued that all the necessary options are available, thus leading to a streamlined user experience. In the ongoing Checkmark Certification Static and Real Time tests, like all the Kaspersky products, this solution has achieved consistently high standards of performance. For the comparative performance testing to measure the product's detection capability for malware known to propagate over SMTP, Kaspersky Security 8.0 achieved a 100% detection rate on the 8,042 malware samples used in the test. This performance is equivalent to and matches that of the competitor products included in the test.
We also test HTTPS.
Kaspersky Anti-Virus 8.0 for Microsoft ISA Server and Forefront TMG Standard Edition
Kaspersky Anti-Virus 8.0 sits on top of Microsoft Forefront TMG 2010. While TMG acts as a standalone security solution in its own right, the addition of Kaspersky Anti-Virus 8.0 provides a multilayered security solution.
Installation of Kaspersky Anti-Virus 8.0 is simple, using a standard Windows Installer and settings imported from TMG during the install process. The default settings provide fast protection, but a more tailored installation can be achieved if required.
The solution is managed via MMC with an additional central monitoring screen and network policies which can be added to complement those of TMG, making the whole process of management, administration and ongoing use very straightforward. Kaspersky Anti-Virus 8.0 allows permission or denial of various traffic types (HTTP, FTP, SMTP and POP3) plus the ability to define which, if any, of the protocols should be subject to scanning. Data on network status, including the protocols which are being blocked, numbers of files scanned, and the number of resulting infections, is readily available. In the performance testing over the HTTP and FTP attack vectors, the combination of Kaspersky Anti-Virus 8.0 and TMG provided 99% detection of the range of malware samples which were included in the test.
some of the other vendor products included in the comparative performance review, Kaspersky Anti-Virus 8.0 does not need the installation of a desktop anti-malware product to be able to use the desktop product's scanning engine signature files. In the comparative testing against five other leading corporate solutions, the test methodology employed sender machines running a Linux distribution. Scripts developed by WCL were used to send the emails that contained infected attachments over a live internet connection. Emails were sent to servers running Lotus Domino 8.5 on Windows 2003 that each picked up emails for a FQDN owned and controlled by WCL. Client machines running Lotus Notes 8.5 were used to pick up the messages from the Domino servers and analyze the attachments to aid calculation of the overall detection rate, which for Kaspersky Anti-Virus 8.0 was of a particularly high standard and mirrored that of the competitor products included in the test program. All solutions attained a 100% detection rate during the test period.
Figure: Application interface of KAV for ISA
Figure: KAV 8.0 for Linux File Server interface
within the product interface to review any malware logged and thus decide what actions to take. Given the complexities involved with porting anti-malware solutions to Linux, it is not always possible to ensure consistency of performance. However, Kaspersky Anti-Virus 8.0 sets itself apart in this regard. It is well implemented, as demonstrated in the comparative performance tests, where it led with a 99.95% detection rate on the 25,640 malware samples tested, compared to an average detection rate of 99.52% for five other leading corporate solutions.
Figure: Update process on Kaspersky Anti-Virus WSEE
On Demand scans can be set to a predefined security level or customized to meet the demands of the organization. Similarly, On Access protection can be set with a preference for either high-speed scans or high protection levels. Throughout the comparative test program, WCL found the scans ran quickly, with an overall detection rate for Kaspersky Anti-Virus 8.0 of 99.68% compared to an average performance of 99.51% for the other five security solutions included.
WEST COAST LABS VERDICT Combining ease of use with high levels of performance, the Kaspersky Lab solutions under test have delivered detection rates comparable to, and at times better than, those of equivalent products. With a consistent level of anti-malware protection across the network topology, users of the Kaspersky Lab products featured in this report can be confident that they are all rigorously tested through the Checkmark Certification and the Real Time testing.
TrustPort AV
TrustPort
DEVELOPER'S STATEMENT TrustPort AV detects viruses and spyware at all entry points to the computer and prevents attempts by hackers to access the computer. It enables not only the continuous monitoring of files being opened, but at the same time also scans files from incoming electronic mail or downloaded from the web.
This particular security solution is designed for home users and could also provide an invaluable layer of security for home workers or the self-employed. With its low system requirements, TrustPort is an ideal solution for providing malware protection for local files, web downloads and email, and also offers firewall protection along with a URL filter. TrustPort is installed and managed directly on the client, as it is purely a client-side-only solution, making it user friendly for the less well initiated. Users can purchase and install TrustPort from a separate executable that is downloaded from the TrustPort website, with the license provided at the point of sale, making it extremely accessible. We all know the importance of ease of use with single-user client-based products, and TrustPort doesn't disappoint, with a quick and painless installation that is easy to follow. The available options contain good descriptions and there is also some flexibility in the installation options available to the user; however, if you are happy not to tinker, all of the default options happily suffice. TrustPort supports all the usual Windows client platforms and the West Coast Labs (WCL) engineer stated that this traditional client-side installation manages everything with minimal fuss. The client is managed via a local GUI interface, with the updates capable of the usual scheduling as required, or if preferred they can be run on demand. TrustPort also allows various actions to be configured for detected malware samples. WCL noted that the product management is in keeping with other products traditionally found in this category; however, it should be noted that what it actually does, it does very well. TrustPort is a security bundle providing anti-malware protection for local files, email and web. It also includes URL blocking and a firewall, enabling control of what can be viewed on the client. The URL filter contains a variety of site classifications, such as adult and gambling, to prevent viewing this type of content if required, and the product includes a Portable Antivirus solution that allows a version of the TrustPort AV solution to be deployed to a USB stick, thus protecting any files you wish to transport; excellent for those on the move. Observations from the WCL engineers include comments on TrustPort being a really good all-round package, with the Portable Antivirus helping it stand out in an already crowded market. This type of capability is important for anyone relying on technology when on the move, and should not be underestimated, as it will protect their credibility and keep their security in one piece when it could otherwise be compromised.
WEST COAST LABS VERDICT TrustPort AV is aimed at home users, but can equally offer protection for SOHO workers. Including anti-malware protection in the suite of protection that it offers, the solution is well documented and is easy to configure for flexible protection levels dependent upon the requirements of the individual user.
CA Threat Manager is specifically recommended for small to medium-sized business models and is designed essentially to protect client machines residing on a corporate network. With its anti-malware protection, CA Threat Manager will provide an important and much-needed extra layer of security your business deserves. CA Threat Manager can be installed and managed via a central server, giving the administrator more time to concentrate on other tasks on the IT infrastructure. CA Threat Manager is a server-client solution and the installation can be managed via a separate executable installation. Alternatively, CA Threat Manager can be installed from a central server and, as it is extremely straightforward and well documented, which is always an added benefit, the process can be accomplished with relative ease. This installation can be automated for a network-wide roll-out and, though the default options suffice, there is some flexibility in the install options available. With a good variety of installation methods available and wide-ranging system support, there are practically no prerequisites needed other than those already found on a standard client machine, for instance SP2 on XP Professional. CA Threat Manager can also be configured to automatically deploy to any systems joining the network for the first time, for instance DHCP; this
WEST COAST LABS VERDICT CA Threat Manager offers a variety of deployment models and offers endpoint protection against malware. The central management console offers flexibility combined with good reporting, and allows for the overview of endpoints on a corporate network of small to medium size.
IMSVA v5.1
Trend Micro
DEVELOPER'S STATEMENT Trend Micro InterScan Messaging Security Virtual Appliance is a hybrid SaaS email security solution that integrates an on-premise virtual appliance with in-the-cloud SaaS email security.
IMSVA is designed specifically for enterprise-size business models. It provides traditional malware protection, but it does not stop there, with the addition of extended technologies such as firewall, web threats and POP3 scanning. IMSVA ensures a cloak of security for any credible business looking to secure itself from potentially damaging security breaches. This also gives the administrator peace of mind in knowing that no glitches will occur in this security, as there will not be any issues with compatibility. The IMSVA solution is initially installed on the server and can then be managed from there; this is prior to rollout to the endpoint clients. The security policies are also managed on the central server, then pushed out to the client machines, so the administrator does not have to configure each individual client machine, saving time and money. Designed for VMware ESX/ESXi servers, IMSVA is a virtual machine, with the images being loaded into the ESX Hypervisor server. IMSVA does require some basic setup via a Linux-based command line when running the virtual machine for the first time.
As our engineer observed during his initial encounter with it, the IMSVA setup and configuration is carried out via a web-based GUI. Of course, for any administrators with experience of Trend's IMSS and IWSS solutions, utilizing a web GUI will already be familiar, and for those with limited or no such experience, it still offers ease of use.
On the initial configuration of IMSVA, local firewall rules permitting, customization of the solution is carried out via the web-based GUI, which can be accessed anywhere on the network. The West Coast Labs engineer again commented on the excellent web-based GUI, but emphasized that access to the management interface will depend upon existing firewall rules. Providing full anti-malware capability, as well as URL filtering for those URLs found inside emails, IMSVA has the same malware capability as IWSVA while also providing anti-spam support. Working at the gateway level, IMSVA scans inbound traffic before it reaches the endpoint and blocks any traffic it finds to be malicious, thus protecting the whole enterprise. This ensures nothing is left to chance and end-users are not bogged down with header messages they understand little about, or with decisions on what is expected of them in respect of malicious and unwanted email. The West Coast Labs engineer also commented on the product's overall ability as a solid, reliable gateway-level defense. This is an important point; as any experienced IT manager will tell you, having full confidence in the security product's capability, along with ease of use, goes a long way when you have a large network to run.
Product: IMSVA v5.1 | Manufacturer: Trend Micro | Contact Details: www.trendmicro.com | Certification: www.westcoastlabs.com, http://www.cctmark.gov.uk/
WEST COAST LABS VERDICT Trend Micro's IMSVA solution comprises a virtual machine that handles messaging traffic and includes a number of core technologies, such as anti-spam, anti-malware and anti-phishing. These are combined to offer a scalable and flexible solution which can be deployed in a number of network scenarios.
IWSVA v5.1
Trend Micro
DEVELOPER'S STATEMENT Trend Micro InterScan Web Security Virtual Appliance is a consolidated web security solution that combines award-winning malware scanning, real-time web reputation, powerful URL filtering, and integrated caching.
As with IMSVA, IWSVA is designed for the enterprise. IWSVA is installed and managed directly on the server with no further client installations necessary. The security policies are also managed on the central server and pushed out to the client machines to allow IWSVA to provide traditional malware protection, as well as incorporating extended technologies such as firewall, web threats and POP3 scanning. These are all indispensable components of a versatile security solution, and the centralization provides the ease of use and flexibility administrators have come to expect, especially useful when running a large network efficiently. Designed for VMware ESX/ESXi servers, this is a virtual machine, with the virtual images being placed on the ESX Hypervisor server. IWSVA requires some fairly basic setup via a Linux-based command line when you run the virtual machine for the first time, but again, this is an uncomplicated process; and as you'd expect with a virtual machine-based technology, the product's setup and configuration is carried out via a web-based GUI. With the ability to access it anywhere on the network, local firewall rules permitting, IWSVA customization may be carried out via the web-based GUI once the initial configuration has been accomplished. Any administrators familiar with Trend's IMSS and IWSS solutions will be accustomed to the web GUI, but for those not so experienced, it should still prove easy to use, and therefore it does not limit you to a specific member of your IT staff being on hand. This, as described by the WCL engineer, is again a good user-friendly web-based GUI, but he also observed that access to the management interface will depend upon any existing firewall rules, which is important to remember when setting up IWSVA for the first time. IWSVA not only provides full anti-malware capability, but also URL filtering; it also offers the same malware capability as IMSVA. Working at the gateway level, IWSVA scans all of your enterprise's inbound traffic before it reaches the endpoint and blocks any traffic it finds suspicious, so that malicious entities are blocked and your systems remain secure. This requires no client-side intervention and is therefore less prone to user error. West Coast Labs found during testing that this was again a solid, reliable gateway-level defense solution worthy of the job in hand. So overall, IWSVA offers a well-rounded security blanket protecting the enterprise at the gateway, which frees up IT staff to concentrate on other business at hand.
Product: IWSVA v5.1 | Manufacturer: Trend Micro | Contact Details: www.trendmicro.com | Certification: www.westcoastlabs.com, http://www.cctmark.gov.uk/
WEST COAST LABS VERDICT Trend Micro's IWSVA solution offers the ease of virtualization and the flexibility to handle web traffic in a number of types of network. The technologies at work that contribute to the operation of this solution include anti-malware and URL content filtering, and allow for very fine-grained control.
OfficeScan v10.0
Trend Micro
DEVELOPER'S STATEMENT Trend Micro OfficeScan is a comprehensive endpoint security and malware protection solution for medium-sized businesses and enterprises and is normally used in a client-server configuration.
If you are an administrator running an enterprise and you are charged with finding a suitable security solution, how do you weigh up the protection you require without compromise? With OfficeScan you can protect the enterprise by providing traditional malware protection, incorporating extended technologies such as firewall, protection from web threats and POP3 scanning, all in one solution. This must make OfficeScan one such product worthy of note to IT administrators. OfficeScan is installed and managed on the server, and when ready to deploy it is simply rolled out to your endpoint clients to provide the layer and level of security required. With security policies managed on the central server, the administrator can push them out to the client machines, making it an easy task to accomplish - job done. Simply put, OfficeScan is a server-client solution: OfficeScan is initially installed on a central server before being sent out to the client machines around the network. Deployment can be carried out either by targeting specific client machines from the server console, downloading the install package to the client, or by incorporating the solution utilizing Active Directory. The client installation is silent, so neither the administrator nor the end-user has to intervene on the client machine and, as you'd expect, OfficeScan supports all common Windows client platforms, as well as VMware workstations. During installation, the engineer commented on the various choices and variables available as deployment methods. It was also noted that OfficeScan has pretty low system requirements and that it also offers good support for virtual desktops. OfficeScan is managed via an MMC-style interface with all common options available, such as scanning actions, schedules and targets, with various security policies being catered for; so in all this is a versatile product. Although there is nothing revolutionary in the way that OfficeScan is managed, it certainly does not detract from the solution in any way. It does, however, seem to pack a lot into one package. As its name suggests, OfficeScan provides protection against viruses, trojans, spyware and rootkits, with the further inclusion of a firewall, web threat protection and host intrusion prevention, so in all this is a fairly comprehensive barrier against potential threats. OfficeScan can also scan inbound POP3 traffic. This product utilizes the Trend SPN system to provide cloud-based detection of malware. During WCL's extensive testing, the engineer observed that OfficeScan really did offer a good level of defense, and he also said it was in-depth, with numerous combined security technologies included. That has to put OfficeScan in a strong position, with its comprehensive security, as a solution worthy of a place in any security-conscious enterprise.
Product: OfficeScan v10.0 | Manufacturer: Trend Micro | Contact Details: www.trendmicro.com | Certification: www.westcoastlabs.com, http://www.cctmark.gov.uk/
WEST COAST LABS VERDICT Trend Micro's OfficeScan offers anti-malware technology at its core, with the possibility of central reporting and administration in an enterprise-level setting. The deployment and management of remote endpoints is streamlined through the central management GUI, offering an easy way for IT staff to ensure that hosts are protected.
ScanMail for Exchange is designed as an umbrella for email protection, including content filtering, spam, recipient filtering, URL detection (within emails) and phishing, and is specifically produced for enterprises running Exchange servers. ScanMail for Exchange is an obvious choice for securing your incoming content, as the system requirements are relatively low when considering the security this solution provides and the market it's aimed at. This particular product is installed and managed on the server. While ScanMail for Exchange can be deployed to the Exchange server if necessary, it is also a server-based solution with no client-side aspect. The installation itself is carried out directly on the server and can be placed on the Exchange server; however, this is not recommended for the larger business model because of the impact on resources, but if so required, the option is there. At the installation stage, a number of possible configurations can be achieved; however, the main installation routine itself is well-documented. Although some experience with Exchange-based systems will be necessary, this is assumed given the target market. ScanMail for Exchange supports a number of Windows server platforms and Exchange versions, providing support for various network configurations, such as Server 2000/3/8 and Exchange 2003/7/10.
Product: ScanMail for Exchange v10.0 | Manufacturer: Trend Micro | Contact Details: www.trendmicro.com | Certification: www.westcoastlabs.com, http://www.cctmark.gov.uk/
WEST COAST LABS VERDICT Trend Micro's ScanMail, here considered in its integration with Microsoft Exchange Server, offers gateway protection against email-borne threats. It includes all the components that might be expected, such as anti-spam, anti-malware and phishing protection, administered with ease through a central management console.
SecureWeb
K7 Computing
DEVELOPER'S STATEMENT K7 SecureWeb provides end-to-end protection for personal information right from the keyboard to the website and specifically aims to secure online transactions.
Designed to provide end-to-end protection for personal information, such as username, password and credit card, right from the keyboard to the website, and to secure online financial transactions. In addition to protecting internet users against various threats, such as screen-scraping and keylogging, SecureWeb also provides SSL certificate verification and website authentication. And the automatic browser launch is a great feature, as it prompts users whenever they browse to online bank and shopping websites. SecureWeb was tested using a network consisting of a primary network attached directly to the internet and a secondary, aggressor network. A standard desktop machine housed on the primary network was used as the host for SecureWeb. To prevent theft of passwords and bank details, SecureWeb provides an additional layer of security. It does not provide antivirus or URL filtering; however, what it protects, it protects extremely well. To protect against keyloggers, SecureWeb encrypts all keystrokes so that any data that is captured is unintelligible. When dealing with screen grabbers, West Coast Labs found that each screenshot was redacted, so that any potential attacker captures a blank screen. DLL injection can disrupt a security solution and lead to the theft of user data. Attackers will often target the solutions themselves as a first port of call to try to circumvent protection on a local machine, whether this is anti-virus, URL/website filtering or data protection. In order to protect against this, SecureWeb continuously monitors its own processes for signs of malicious behavior. WCL's engineers attempted to load malicious and harmful DLLs, but were unable to inject malicious code into the SecureWeb address space, and as such all user data remained protected. SecureWeb also protects against the threat of DNS poisoning, which alters the IP address associated with the URLs for such sites, so that a user is instead directed to a website controlled by the attacker. To test this, a list of well-known e-commerce and financial domain names was added to the hosts file, each domain being associated with the IP address of one of various web servers owned and controlled by WCL. However, SecureWeb does not rely on information contained within the system's hosts file, and all attempts to redirect SecureWeb to an incorrect web server or web page proved unsuccessful. Many transaction websites use SSL certificates (HTTPS) for privacy assurance, but attackers will often try to create fraudulent certificates to pass off spoofed versions as legitimate. SecureWeb provides a means of checking the authenticity of SSL certificates, reporting if they are self-signed and therefore not legitimate. To display this information, SecureWeb employs a SiteBand that uses colored warnings to provide an at-a-glance report on whether the site can be trusted or not. Throughout testing, SecureWeb accurately distinguished those sites that were using legitimate SSL certificates from those that weren't.
WEST COAST LABS VERDICT K7 SecureWeb is a good example of a solution to a specific problem that fulfills its remit very well. This is not a general-use web browser, but in terms of protecting users when entering financial details it has been shown to succeed.
Webroot Web Security Service is recommended for the larger business and enterprise-sized models and, as its name suggests, is a managed solution; therefore there is no hardware requirement. Webroot Web Security Service (WWSS) provides gateway-level security to protect against web-based threats as a managed service. These threats could include file downloads and URL filtering, which can be a real headache for corporate credibility. WWSS is managed from a web-based interface, with each client machine being directed to use the proxy address of WWSS. As far as setting up the service goes, it is an extremely quick and easy affair and requires the administrator to provide basic network information to Webroot. Various settings can be defined by the administrator, such as which URL categories to block and the amount of time each user is permitted to spend online, as well as giving information to the user on their company's individual internet acceptable use policy. The deployment to client machines is also completed quickly and, as already noted, as a managed service the installation is almost non-existent. The West Coast Labs engineer commented that once the account has been finalized with Webroot, end-user machines simply have to be configured to begin using the Webroot service. As far as the management of the service goes, this is accomplished remotely by logging into the Webroot management portal, allowing protection and internet use policies to be created and rolled out rapidly. As the service is hosted by Webroot, there is no need for the administrator to run updates for either software or security definitions, making it less time-consuming. As WCL's engineer pointed out, although management is only possible via the web interface, the options available do allow for a tailored approach.
Product: Webroot Web Security Service | Manufacturer: Webroot | Contact Details: www.webroot.com | Certification: www.westcoastlabs.com
WEST COAST LABS VERDICT Webroots Web Security Service offers web threat protection as a managed service and protects against a variety of threats whilst allowing the administrator central control through a web portal. The use of a managed service also means that administrators no longer need concern themselves with remembering updates.
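The hosts-file redirection test described in the K7 SecureWeb review above (well-known financial domains mapped in the hosts file to lab-controlled servers) can also be run as a routine defensive check. The following Python script is an added example, not code from the report or from K7; the watched domains and the sample hosts content are constructed placeholders.

```python
# Added example (not from the West Coast Labs report or from K7): detect the
# kind of hosts-file manipulation the SecureWeb test used to simulate DNS
# poisoning. The watch list and sample hosts content are constructed.
import ipaddress

# Constructed stand-ins for the "well-known e-commerce and financial" domains
# the report mentions without naming.
WATCHED_DOMAINS = {"bank.example", "shop.example", "pay.example"}

# Mappings to loopback/unspecified addresses block a name rather than
# redirecting it, so they are not treated as poisoning.
BENIGN_TARGETS = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))  # normalise the address
        except ValueError:
            continue  # malformed entry; the resolver ignores it as well
        for host in fields[1:]:
            yield ip, host.lower().rstrip(".")


def is_watched(host):
    """True if host is a watched domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def find_redirections(text):
    """Return (hostname, ip) for watched names mapped to external addresses."""
    return [(host, ip) for ip, host in parse_hosts(text)
            if is_watched(host) and ip not in BENIGN_TARGETS]


# Constructed sample resembling the test set-up the report describes.
SAMPLE_HOSTS = """\
127.0.0.1     localhost
0.0.0.0       ads.example                      # blocking entry, not a redirect
198.51.100.7  bank.example www.bank.example    # lab-controlled server
2001:db8::9   shop.example
203.0.113.5   unrelated.example
"""

if __name__ == "__main__":
    for host, ip in find_redirections(SAMPLE_HOSTS):
        print(f"WARNING: {host} is mapped locally to {ip}")
```

On a real system, feed the script the contents of /etc/hosts or %SystemRoot%\System32\drivers\etc\hosts and alert on any hit.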
www.westcoastlabs.com Technology Report 14
Product Shell Control Box (SCB) Manufacturer BalaBit Contact Details www.balabit.com Certification www.westcoastlabs.com
One of the two BalaBit products to be reviewed under West Coast Labs' (WCL) new Performance Validated program is Shell Control Box (SCB). As with syslog-ng Store Box, the SCB test allowed WCL to provide an independent review of the solution. To test SCB, WCL was provided with an x2200 Sun Microsystems server running SCB. WCL also tested a virtual version of SCB. Testing of the SCB solution was conducted on a custom-built network at WCL's UK facility. The network itself consisted of a variety of client and server machines running a range of both Windows and Linux-based operating systems. WCL downloaded SCB from the BalaBit website as a virtual machine, and SCB was then imported onto a server running VMware Player. Before full deployment, SCB requires basic network configuration (host IP address, gateway address, and so on), and the license is imported into SCB at the end of the initial configuration. SCB is an independent appliance designed to integrate with ease, offering high availability, and is configured via a clean, intuitive web interface. The roles of each SCB administrator are clearly defined using a set of privileges. SCB receives connection attempts for a specific target host and then forwards the connection. The solution enables the creation of rules allowing the administrator to permit or deny connections based on set criteria, and provides for the auditing of network connections. SCB also works in conjunction with BalaBit's Audit Player to allow logged network traffic to be replayed in real time, and supports the following protocols: Secure Shell (SSH), Remote Desktop (RDP), Telnet, terminal emulators using the standard TN3270, VNC and VMware View. WCL only examined the following during the test period: VNC, RDP, SSH, and Telnet. The recorded audit trails can be replayed
WEST COAST LABS VERDICT Testing of the SCB virtual machine showed that all connections were received and handled correctly, the administrator was able to terminate established connections, and the logged files were 100% accurate. Tests also showed the capability of Audit Player to recreate the data from the session in an accurate movie-like format.
Product syslog-ng Store Box Manufacturer BalaBit Contact Details www.balabit.com Certification www.westcoastlabs.com
As part of its Performance Validated testing program, West Coast Labs (WCL) reviewed the syslog-ng Store Box (SSB) solution from BalaBit. The aim of the testing was to provide an independent means of validating the features and capabilities of SSB. To test SSB, WCL was provided with an x2200 Sun Microsystems server running SSB. WCL also tested a virtual version of SSB, deploying the virtual machine SSB image that had been downloaded from the BalaBit website under the VMware Player application. This deployment of the machine was straightforward, and should prove simple to anyone familiar with networking or virtualization technologies. On first boot, SSB requires some basic network configuration, such as designated IP, gateway and DNS addresses, along with the application of the SSB license key. With this complete, the administrator is free to log in to SSB via a web browser and to begin any required customization of the solution. The test networks on which SSB was evaluated contained client machines running Windows XP along with AV software, various network security appliances, and a number of routers. Added to this were aspects of WCL's proprietary Real Time system. SSB's ability to monitor, in real time, the incoming log files and flag any that do not match an expected pattern makes it extremely useful, providing an early indicator of any deviation in network traffic and/or usage. While not a security solution in its own right, SSB can work in conjunction with those security solutions already deployed to a given network and provide a means of monitoring any security events that may occur. SSB allows the administrator to capture redirected log files from various devices such as routers, security appliances,
WEST COAST LABS VERDICT SSB received several thousand logs, all from various sources, and WCL concluded that all log files were received with a 100 percent success rate. All log files that were received were accurately classified and grouped.
www.westcoastlabs.com
US Headquarters & Test Facility: West Coast Labs, 16842 Von Karman Avenue, Suite 125, Irvine, CA 92606, U.S.A. USA: Email: smarkle@westcoast.com, Telephone: +1 (347) 403 0374; Email: rcarter@westcoast.com, Telephone: +1 (949) 870 3250
European Headquarters & Test Facility: West Coast Labs, Unit 9 Oak Tree Court, Mulberry Drive, Cardiff Gate Business Park, Cardiff CF23 8RS, U.K. UK/Europe: Email: sstoughton@westcoast.com, Telephone: +44 (0) 208 267 8280
Asia Headquarters & Test Facility: West Coast Labs, A2/9 Lower Ground Floor, Safdarjung Enclave, Main Africa Avenue Road, New Delhi 110 029, India.