Mucking Up Malware


For a long time, the most accessible pathway for malware and threats to enter a corporate network was through e-mail. After widespread and rapidly evolving nuisances like the Melissa virus or Netsky, businesses took appropriate measures to shore up their defenses against e-mail threats.

Of course, it never takes the ill-intentioned very long to figure out how to thwart defenses. The largest harbinger of malware currently is the Internet. Compromised Web pages and sites that practice drive-by downloads are a few examples that pose a constant threat to the safety and security of a corporate network.

Security vendors have honed their products in response. Content filtering offerings have become more robust and more intelligent. The best products do so much more than report on which users are going to which sites: They prevent circumvention of Internet usage policies, report on the types of traffic coming in and out of the network, and use intelligent scanning methodologies to prevent access to compromised sites that may not even appear on traditional black lists.

The CRN Test Center took a look at three leading midmarket products: Sophos' WS1000 Web Security Appliance, ContentWatch's ContentProtect Security Appliance CP100 and SonicWall's Network Security Appliance 3500.

This was a challenging comparison because all three products made a strong showing in testing. Each product did its job, namely filtering Web traffic and providing information on that traffic flowing in and out of the network. Yet, each also had unique features, interfaces and functionality.

Products were tested on ease of deployment, detail of management interface, how easy or not it was to navigate through the interface and how well filtering blocked access to restricted sites and Web proxies.

Next: Sophos WS1000

Sophos WS1000
Sophos asserts that this appliance can be set up quickly. It was spot-on. From opening the box the WS1000 shipped in to configuring its network settings took no more than 20 minutes.

In that 20-minute time frame, the device ran a configuration test, registered itself with Sophos' network and updated to the latest software that was downloaded from the vendor's software repository. A reboot was required after the initial update.

One thing was a bit puzzling: After returning from reboot (which by the way, the browser did not close out at all—a nice touch) the device gave a message stating that updating was 100 percent complete. But it wasn't. The only option to move forward and finish configuration was via an "Update" tab. And updating wasn't really 100 percent complete because after initiating update a second time, a new slew of downloads took place for the antivirus module.

But that's a minor quibble. After this last update, reviewers commenced with testing.

For testing purposes, client browsers were set up to use the WS1000's IP as a proxy server. Of course, in a corporate environment, this setting can be deployed through Group Policy.

The management interface gives the de rigueur Dashboard view. Information on virus updates, Web traffic, bandwidth consumption and traffic patterns, like spikes during the day, are all visible. Web traffic is represented in a gauge-type format—kind of like an odometer with a throughput reading that goes from 1-1,000 kbps. Latency is also represented this way on a scale from 1-1,000 ms. It is a quick and easy way to get an overview of bandwidth details and a nice deviation from standard pie charts and graphs.

A feature that really caught our eye was the URL test. On this home page, there is a field in which a systems administrator could input a URL. The WS1000 will report back on that URL giving the category of site it falls under (for example, Gambling or Adult) and also will report the security risk for that site.

To test, reviewers entered the Web address of a known hacking site, which was correctly identified and classified as a high security risk. This is a great tool for an Admin to check on a site that he or she may be unfamiliar with and appropriately configure access or denial in the Web-filtering policies.

Although the dashboard is full of good information, it was difficult to see a way to customize it. An Admin may not need to have all the information displayed all the time.

The WS1000 really shines when it comes to scanning capability. Sophos Labs scans every day for high-risk sites and updates its product based on this. Finding the latest threats is what this vendor is all about, and these folks take that very seriously. The WS1000's scanning capability differs from other scanning technologies, such as reputation scanning. Instead, the vendor uses behavioral genotype scanning, which catches unknown and zero-day threats by analyzing content pre-execution and analyzing the behavior of the code—sort of like picking up on the intent of the code rather than what the code has done.

Sophos' research labs make the claim that one in five Web sites are being infected every five seconds and that this figure is up from their finding last year of every 14 seconds. Seventy-eight percent of hacked sites, per the vendor, are legitimate sites.

This, Sophos makes the case, is the very heart of why its scanning technology is more effective than reputation scanning. At these rates, reputations filters would not be able to catch the latest infected site. Sophos' filters were able to detect the recent "Storm Worm Virus" when other solutions had failed.

The WS1000 provides full content scanning; that is, content is scanned as it leaves the network. Data coming back from the Web server is scanned real-time, so there was very little latency during testing.

The appliance also engages in true file-type scanning—a spoof-proof technology that does only look at the file's extension.

The WS1000 features in-the-box reporting. Reports can be set up to go back to Sophos for analysis or can be sent directly to a VAR.

Although Sophos has put out a pretty impressive product with the WS1000, the company is not resting on its laurels. Sophos will have updates to enhance the WS1000's content-filtering capabilities. One such enhancement is dynamic detection of anonymous proxies. As traffic goes through the Web, this feature will be able to detect if traffic is going through an anonymous proxy. Proxies are tricky to detect because they can pop up randomly and on the fly.
Another upgrade soon to come is the ability to scan HTTPS content.

Next: ContentWatch ContentProtect Security Appliance CP100

ContentWatch ContentProtect Security Appliance CP100
ContentWatch offered its 1u or 2u rack-mountable CP100 for review. The device sits between a firewall/gateway and the LAN. The CP100 has two Ethernet ports for LAN and WAN connectivity.

The setup of the device took a bit longer than it did with the Sophos appliance. The device was finicky about sharing network space with an intermediary router that also acted as a DHCP server, but after some reconnecting and swapping around cables, it was up and running.

Once the LAN and WAN interfaces were connected, the CP100 effortlessly picked up default network settings; nothing had to be defined.

The CP100 does the ultimate in hand-holding. Instead of opening up to a home page with configuration options, the only initial screen is a wizard to assist in getting started with the device. This nurturing assistance may be more of an annoyance to seasoned pros, but it made setup very easy, and ensured that settings were done with vendor recommendations.

A very useful feature—one that is helpful to even the technologically savviest—is the Help button that accompanies every configuration setting. The Help feature displays detailed information about that setting.

After breezing through the initial configuration, which consists of testing network settings and proxy settings, the interface still is not done ensuring the device is set up correctly. The Interface opens up to a registration page (which can be skipped at this point).

The next screen is a "Getting Started" section that provides a sequence of steps to finish configuration. This is on the device's home page. Besides the sequential list of tasks, there is a section for messages and system notifications. Reviewers went through the configurable modules listed in the "Getting Started" section:

"Group Management" has defined groups already that are associated with predefined policies—default, bypass filter and strict are among them.

The "Time of Day Rule Manager" allows for defining blocks of time policies and when usage takes effect.

In the "Internet Rules Manager" for testing purposes, the Moderate Policy Rule was applied to the Default group. The Moderate policy blocks access to the usual work-inappropriate sites like pornography, gambling, hacking and filter avoidance. Also files that have a greater chance of being piggy-backed with malware are blocked: .bat, .exe, .cmd and .dll files are among some of them. In this section of the interface, those administering the solution may choose to block specific URLs or can add a white list of safe sites.

One configuration option that is particularly useful is the "Shaping Rules" option. "Shaping Rules" is used to define how much bandwidth to allocate to a user group, for example, the maximum amount of data a group can download or upload. These rules can also be set against specific applications or Web content. One way this is effective for management would be in the case in which a group of users had to regularly upload data to a site as part of their job function. An Administrator could allocate a greater amount of bandwidth for this group to the site, while restricting bandwidth on the network for less critical tasks.

Groups can consist of either users or network nodes. The CP100 automatically picked up all nodes on the subnet. While possible to use LDAP, the LDAP integration is a bit lacking; users will come over from a defined LDAP server. However, in the case of Active Directory, specified groups and created AD objects will not import over. Also, there is no auto-synch to AD. A more robust solution to LDAP integration will be released with a very near-term upgrade. The feature will be available as a no-cost upgrade to current customers.

A stellar aspect to the CP100 was its reporting capabilities and real-time interface views. System reports include information on active users, CPU utilization, IP connections, latency, packets per second and RAM usage. The report page, which displayed the network nodes being monitored, showed total amount of nodes, top downloads and top uploads. A link was associated with each node listed showing a drill-down, real-time, beautifully rendered view of information about that particular node. Information for each particular node was very detailed and displayed total traffic, application traffic, Web requests by hosts and by category, infected spyware, IM chat log and any open ports on the node.

Truly, there is a plethora of information accessible from one area of the management interface.

The CP100 is also capable of managing remote subnets and VLANs.

Next: SonicWall NSA 3500

SonicWall NSA 3500
It took reviewers a good hour to work the kinks out in setting up this appliance. It is not as intuitive a configuration as the other devices. Yet, the NSA 3500 offers a lot of granular control and some functionality not seen in the previous devices.

For example, the NSA 3500 offers configuration options for WAN failover and load-balancing. The WAN interface can be checked in specified intervals. There is also a feature, High Availability, which provides redundancy with a second, synchronized NSA 3500.

The appliance has a diagnostic tool and packet-capturing capability for troubleshooting. Diagnostics can be gathered in "tech support result" format and will report in VPN keys and ARP cache. In addition, it will manage VoIP and wireless.

Performance of the appliance was a little lethargic. There was some delay switching between areas of the management interface, and the clients did not seem to "take" to applied policies right away. Yet, once they did, the NSA 3500 made up for performance by detecting a number of intentionally placed threats on the test network. The dashboard picked up on Netsky malware, spyware and blocked multimedia per a defined policy, such as Skype and BitTorrent.

Reviewers didn't see a way to customize the dashboard, and there was no way to drill down to particular items in the dashboard. There are reports options, however, to display detailed information. This appliance features modules besides content filtering: antispyware, RBL filter, client antivirus enforcement and gateway antivirus enforcement.

The Bottom Line
Each device got the essential job done: filtering content and enforcing Web-usage policy. The SonicWall NSA 3500 provides even more with the capability to do sophisticated diagnostics. It's more of a complete network-management solution. Still, it was somewhat disappointing performance-wise, and the initial install was not as smooth as with the other products.

ContentWatch's CP100, although a bit tough to initially get going, gives magnificent reporting in real-time. The ability to see a lot of information without a lot of mouse clicks is definitely a time-saver for a harried system administrator.

But the Sophos WS1000 has the edge. It was breathtakingly simple to set up, but that in no way negates how effective a content filter this appliance is. The scanning capabilities are excellent, and it would take the most stealthy of ruses for any malware to get by this device. A little more flexibility in the dashboard would be nice, as would the ability to drill down to more detailed information from one screen. Still, the WS1000 impressed the reviewers very much.

One thing is certain: There's no foreseeable end to the evolution of malware and Internet threats. Invariably, that means no end to the evolution in the devices designed to combat them.