Defending Your Turf From Within

August 21, 2000

By Michael J. DeMaria

Sybergen Networks Sybergen Mobile Workforce Solution (Sybergen Secure Desktop 2.1, Sybergen Management Server 1.0)

Sybergen Mobile Workforce Solution was unique among our tested products in a couple of ways. First, only Sybergen's client software can detect when an application is attempting to access the network. Second, the management software can create pie charts representing the types of attacks that have occurred. However, the management interface is difficult to work with, and a client can't be added to a group until after it has communicated with the administration server. This could cause much more work for the administrator of a large installation, but Sybergen's package would fit nicely in a departmental or small-office setting. We tested a beta build of the Sybergen product suite.

Among our tested products, Sybergen Management Server offered the most user flexibility in the client software. If you trust your users, you can give them control over which ports are open, security level, allowed applications, trusted IPs and more. Options can be set via the server as well. The management software provides options for group or individual management. This can cause some confusion and create difficulties in making exceptions for one person in a group. If you configure an option to be group-managed, then the management server cannot change that option for an individual client in the group. The setting needs to be set to individual control first.

On the client side, the Secure Desktop firewall can block incoming and outgoing TCP and UDP ports, as well as distinct ICMP types. For instance, you can let a user ping a remote host, but not the reverse. The program also provides some application control: You can specify which programs are allowed or denied network access.
However, the interface doesn't inform the user when a program is denied; in fact, the program may run (potentially accompanied by a Trojan), but it won't connect. The downside is that you may end up with frustrated users hunting you down to find out why ICQ doesn't work.

Sybergen provides four security levels, up to "ultra-high" security. At this level, the client is permitted no network access during a specified time period or when the screen saver is active--all ports are blocked, incoming and outgoing. Essentially, you're pulling the plug on the network for any period of time you designate--say, midnight till 6 a.m., when the hackers come out to play. Since there's an absence of network activity during this time, updates can't occur.

Unfortunately, we found some security holes in Secure Desktop. For example, when the firewall's learning mode is enabled, a dialogue box asks if the user wishes to let a launched program access the network. Actually, the program has network access until the user clicks on "no." That brief interval is enough for a Trojan to transmit data or announce an infected machine to an IRC channel before the user can move the mouse pointer. Also, while Secure Desktop alerted us when we tried running the default Back Orifice server, blocking is based on run-time name, not file name. If a Back Orifice server is given the run-time name iexplore.exe, for example, it can have any file name, and you can bet that Internet Explorer will be in the list of allowed applications. When we tested under these conditions, Back Orifice ran undetected.

The software doesn't provide a way to set alert priorities, and its reporting capabilities are limited. We received no reports for DoS attacks or port scans. Secure Desktop mostly reported receiving ICMP packets or that a packet was received on a blocked port.
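
The two weaknesses reported above, traffic passing while the learning-mode prompt is still open and allow-listing by run-time name, can be contrasted with a fail-closed check keyed on file content. This is an added example, not Sybergen's code or the reviewer's test setup; the SHA-256 allow-list, the `LearningModeGate` class and the sample byte strings are assumptions constructed for illustration.

```python
import hashlib

# Constructed sample data: byte strings standing in for executable images.
BROWSER_IMAGE = b"constructed bytes of the approved browser build"
UNKNOWN_IMAGE = b"constructed bytes of an unapproved program"
ALLOWED_NAMES = {"iexplore.exe"}                              # keyed on a name
ALLOWED_HASHES = {hashlib.sha256(BROWSER_IMAGE).hexdigest()}  # keyed on content


def allow_by_name(run_time_name):
    """Name-based check as the review describes it: any image carrying the name passes."""
    return run_time_name.lower() in ALLOWED_NAMES


def allow_by_hash(image):
    """Content-based check: the name is ignored, only the image digest counts."""
    return hashlib.sha256(image).hexdigest() in ALLOWED_HASHES


class LearningModeGate:
    """Learning-mode prompt that fails closed: no traffic until the user answers."""

    def __init__(self):
        self.decisions = {}  # image digest -> True (allow) / False (deny)

    def answer(self, image, allow):
        self.decisions[hashlib.sha256(image).hexdigest()] = allow

    def may_connect(self, image):
        if allow_by_hash(image):
            return True
        # Unknown program: no answer yet counts as deny while the dialogue is open.
        return self.decisions.get(hashlib.sha256(image).hexdigest(), False)


def demo():
    gate = LearningModeGate()
    results = {
        "name_check_renamed": allow_by_name("iexplore.exe"),  # unknown image, allowed name
        "hash_check_renamed": allow_by_hash(UNKNOWN_IMAGE),
        "pending_prompt": gate.may_connect(UNKNOWN_IMAGE),
    }
    gate.answer(UNKNOWN_IMAGE, True)
    results["after_user_allows"] = gate.may_connect(UNKNOWN_IMAGE)
    return results


if __name__ == "__main__":
    print(demo())
```

A digest-keyed list has to be refreshed whenever an approved program is patched, which is the operational cost of not trusting names.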
When blocking pings, the firewall sends an alert to the management server every time it gets a ping, and an alert appears on the management-server interface. We would have liked to see additional alerts when denied programs were launched. The spiffy part of the reporting, however, is the display of pie charts showing attack types, locations and directions (inbound or outbound). The software also can create charts for individuals, groups or the entire network.

While we appreciated being able to see which types of attacks were being used most often, one question is whether the program provides too much reporting, and if it could cause a form of DoS on the administrative server in a large enough environment. If Sybergen's product is being used on a corporate LAN behind a frontline firewall, it probably won't overload the system. In our tests, our Windows NT-based administration server--a 600-MHz Pentium III machine running on a 100-Mbps network--stayed up.

Secure Desktop also provides some network monitoring. The clients send out heartbeat ping packets at specified time intervals. If the server doesn't get a heartbeat, the client is marked as down in the management GUI and is marked back up when the server hears from it again. Finally, the software tracks machines based on their DNS names, which can complicate matters on certain networks with dynamic names or between subdomains.

Sybergen Mobile Workforce Solution (Sybergen Secure Desktop 2.1, Sybergen Management Server 1.0), Sybergen Networks, (510) 742-2600; fax (510) 742-2699, www.sybergen.com.

Michael J. DeMaria is a system administrator in Syracuse, N.Y. Send your comments on this article to him at demaria@nand.net.











