Sneak Preview
Aladdin Puts Content-Borne Viruses Back in the Bottle
December 4, 2000
By Michael J. DeMaria
It's safe to say most organizations have firewalls to protect their networks from hackers and attacks. Last year, however, the Melissa macro virus cost companies millions. How did it happen? Melissa arrived as a Word document attached to e-mail, traffic a firewall is configured to let through: a firewall controls which connections are allowed, not what the allowed connections carry. For enterprises that want to go the extra mile, a content inspector, which scans files and Web pages for malicious content, is an effective way to stop macro viruses, Trojan horses and malicious Java applets in their tracks.
Aladdin Knowledge Systems' eSafe Gateway provides content security and integrates well with existing network protection devices. However, I ran into a few bugs during testing and recommend waiting for a maintenance release before installing eSafe.
The eSafe system has three parts. First, Content Redirector, the system's gateway device, runs on top of Microsoft Windows NT and requires two NICs. Content Redirector's job is to intercept traffic and route it to a Content Inspector machine. Sites can have multiple Content Inspectors, for load-balancing and redundancy, or a single machine can act as both Content Redirector and Content Inspector. This capability is useful for smaller organizations without the budgets for multiple content-inspecting machines. The last piece is the eConsole, the management GUI. This software can be installed on multiple machines and performs management functions. In my tests, I installed all three components on a Dell Computer Corp. Precision 410 with dual 600-MHz processors and 1 GB of RAM--slight overkill, seeing as eSafe does not support multiprocessing.
In the eSafe documentation, Aladdin states the product does not provide protection against direct hacks and DoS (denial of service) attacks. The company recommends placing eSafe behind a firewall -- a good suggestion: The product is a firewall supplement, not a replacement. ESafe Gateway can also plug into a firewall compliant with Check Point Software Technologies' OPSEC (Open Platform for Security). The previous version of the eSafe product was OPSEC-certified; the new version should be certified by print time. Because the OPSEC version was not available, I tested the standalone version (for more on OPSEC, see "Integrated Security Suites").
Administrators should place the eSafe Gateway between the firewall and the backbone router. The version I tested required the two NICs on the Content Redirector machine to have IP addresses on different subnets. This requires changing the internal interface IP address on the firewall or router. Aladdin said it plans to release a version that will allow for transparent installation in the near future.
The Content Inspector machines can go anywhere on an internal network. Aladdin said the product has load-sharing and fail-over capabilities available, though I didn't test these features. Multiple Content Inspector machines can be deployed, and the Content Redirector will disperse the load. Likewise, if one Content Inspector fails, the others will pick up the slack. The biggest performance hit occurs during content inspection, so the more Content Inspectors deployed, the more traffic that can be handled. One warning for sites using 3Com Corp. NICs on the Content Redirector: Do not install the diagnostic components. Don't go near them at all. In tests on systems with 3Com cards, the product did not work until the diagnostic software was disabled. This is a known conflict that is, needless to say, quite annoying. Aladdin said the next maintenance release will correct this. If the company holds true on this promise, it will save a lot of headaches.
Installing eSafe Gateway does not make it safe to remove desktop virus scanners. Viruses can still be introduced into the network via floppy disk, and there is no content inspection of Web pages encrypted with SSL (Secure Sockets Layer), so malicious content can be brought in that way as well. Likewise, I was able to get some malicious content, such as Java applets, past the gateway even though the vendor claims to block it. The product failed to inspect nested zip files (a zip file of a zip file of a zip file) correctly; rather, it reported a scanning error. When a scanning error occurs, the Content Redirector can be set to reject the file, which is the safer setting: a file the inspector could not fully unpack should be treated as untrusted, not waved through. However, a normal zip file with a viral part was correctly scanned and identified. I wouldn't put all my faith in this product today, even though it did catch a significant amount of malicious data. These worries will probably diminish after the first maintenance release.
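As an added illustration of the nested-archive failure mode and the reject-on-error setting discussed above (example code written for this page, not Aladdin's), the following Python scanner walks zip-inside-zip archives to a fixed depth, treats anything it cannot unpack, that nests too deeply or that declares an oversized member as a scanning error, and leaves it to the gateway policy whether an error blocks the file. The signature string, the depth and size limits and the sample payloads are all constructed for the example; a real gateway would call an antivirus engine instead of matching a byte string.

```python
import io
import zipfile
import zlib
from dataclasses import dataclass

# Constructed for this example: a real gateway uses an antivirus engine, not a
# fixed byte string, and tunes these limits to its hardware.
SIGNATURE = b"EXAMPLE-MALWARE-MARKER"
MAX_DEPTH = 8                 # archives nested deeper than this are an error
MAX_MEMBER_BYTES = 16 << 20   # a declared member size above this is an error


@dataclass
class Verdict:
    status: str        # "clean", "infected" or "error"
    detail: str = ""


def scan_bytes(data: bytes, depth: int = 0) -> Verdict:
    """Scan one blob; if it is a zip archive, recurse into every member."""
    if depth > MAX_DEPTH:
        return Verdict("error", f"archive nesting deeper than {MAX_DEPTH}")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        if SIGNATURE in data:
            return Verdict("infected", f"signature found at depth {depth}")
        return Verdict("clean")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.file_size > MAX_MEMBER_BYTES:
                    return Verdict("error", f"{info.filename}: declared size too large")
                inner = scan_bytes(zf.read(info), depth + 1)
                if inner.status != "clean":
                    return Verdict(inner.status, f"{info.filename}: {inner.detail}")
    except (zipfile.BadZipFile, zlib.error, RuntimeError, EOFError) as exc:
        # Truncated, corrupt or encrypted archives end up here.
        return Verdict("error", f"unreadable archive: {exc}")
    return Verdict("clean")


def gateway_decision(data: bytes, reject_on_error: bool = True) -> str:
    """Map a verdict to the gateway's pass/block action.

    reject_on_error=True is the fail-closed setting: a file the scanner
    could not fully inspect is treated as hostile rather than waved through.
    """
    verdict = scan_bytes(data)
    if verdict.status == "infected":
        return "block"
    if verdict.status == "error":
        return "block" if reject_on_error else "pass"
    return "pass"


def nest(payload: bytes, levels: int) -> bytes:
    """Build a zip of a zip of ... of `payload`, `levels` archives deep."""
    data, name = payload, "file.txt"
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"level{i + 1}.zip"
    return data


if __name__ == "__main__":
    print(scan_bytes(nest(b"just a document", 3)))            # clean
    print(scan_bytes(nest(b"header" + SIGNATURE, 3)))         # infected, 3 levels down
    print(scan_bytes(nest(b"just a document", 12)))           # error: nested too deep
    print(gateway_decision(nest(b"just a document", 12)))     # block (fail closed)
    print(gateway_decision(nest(b"just a document", 12), reject_on_error=False))  # pass
```

The depth and size limits are what keep the recursion from being turned against the inspector: without them, a deeply nested or highly compressible archive ties up the scanning machine, and a gateway that passes files on error would then let the real payload through while the inspector is busy.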
A technology called NitroInspection is used for on-the-fly inspection of HTTP and FTP transmissions. It is designed to avoid the delay a store-and-forward proxy adds to every download. The normal proxy method requires Content Inspector to receive the entire file, scan it and only then send it to the client, so a transfer takes longer than usual because the file is essentially transmitted twice, one leg after the other. NitroInspection instead has Content Redirector pass the downloaded file simultaneously to Content Inspector and to the client, all but the last packet. That last packet is not transmitted to the client until Content Inspector sends its approval, so when Content Inspector gives its go-ahead, the client gets the file instantly. I did not detect any noticeable latency.
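An added example (not Aladdin's code) of the hold-back-the-last-chunk scheme the paragraph describes, next to a conventional store-and-forward proxy, in Python. The inspector is a constructed signature matcher standing in for a real scanning engine, and the chunk size and payloads are made up for the demonstration; the function names are this example's own.

```python
from typing import Callable, Iterable, Iterator, List

Inspector = Callable[[bytes], bool]   # True means "approved"


def signature_inspector(signatures: Iterable[bytes]) -> Inspector:
    """Constructed stand-in for a scanning engine: reject if any signature appears."""
    sigs = list(signatures)
    return lambda payload: not any(s in payload for s in sigs)


def chunked(data: bytes, size: int) -> Iterator[bytes]:
    """Split a download into the chunks the relay would see on the wire."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def relay(origin_chunks: Iterable[bytes], inspect: Inspector) -> dict:
    """Hold-back-the-last-chunk relay.

    Each chunk is copied into the inspector's buffer and forwarded to the
    client as soon as the next chunk proves it was not the last one (without
    a trusted length header, "last" is only known when the stream ends).
    The final chunk is released only after the inspector approves the file.
    """
    to_client: List[bytes] = []
    buffered = bytearray()
    held = None
    for chunk in origin_chunks:
        if held is not None:
            to_client.append(held)          # previous chunk released immediately
        buffered += chunk
        held = chunk                        # candidate last chunk, not yet sent
    sent_before_verdict = sum(len(c) for c in to_client)
    approved = inspect(bytes(buffered))
    if approved and held is not None:
        to_client.append(held)
    return {"approved": approved,
            "client_bytes": b"".join(to_client),
            "sent_before_verdict": sent_before_verdict}


def store_and_forward_proxy(origin_chunks: Iterable[bytes], inspect: Inspector) -> dict:
    """Conventional proxy: receive everything, scan, then send all or nothing."""
    whole = b"".join(origin_chunks)
    approved = inspect(whole)
    return {"approved": approved,
            "client_bytes": whole if approved else b"",
            "sent_before_verdict": 0}


if __name__ == "__main__":
    inspect = signature_inspector([b"EXAMPLE-BAD"])          # constructed signature
    clean = b"0123456789" * 2 + b"tail!"
    hostile = b"0123456789" + b"EXAMPLE-BAD" + b"tail"       # signature spans two chunks
    for label, payload in (("clean", clean), ("hostile", hostile)):
        r = relay(chunked(payload, 10), inspect)
        p = store_and_forward_proxy(chunked(payload, 10), inspect)
        print(label, "relay:", r["approved"], r["sent_before_verdict"], len(r["client_bytes"]))
        print(label, "proxy:", p["approved"], p["sent_before_verdict"], len(p["client_bytes"]))
```

The comparison makes the trade-off visible: the relay has already handed the client every byte but the withheld tail when the verdict arrives, so the scheme relies on the file being unusable without those final bytes, whereas the proxy delivers nothing until the scan is complete. It also shows why the inspector must scan the reassembled buffer rather than each chunk on its own: the constructed signature here straddles a chunk boundary.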
SMTP scanning lets administrators scan attachments, enforce attachment file-size limits and control spam. ESafe includes a list of keywords commonly found in spam subject lines, and e-mail messages that contain these keywords can be dropped. Also included are antispoofing and antirelaying features. However, my tests focused on virus detection rather than spam and spoofing, so these features weren't tested.
ESafe Gateway can add scanning results or warnings to e-mail messages, and it can alert a recipient if a message is cleaned, modified or blocked. Likewise, it can alert senders of viruses. However, client machines on a network need the eSafe Messenger program loaded to get feedback. Messenger works under Windows 9x, NT and 2000. Without Messenger, a file transfer appears to fail. With Messenger loaded, an alert box will appear. Administrative alerts can be recorded in the log file or sent via e-mail to the administrator, via a network message using the eSafe Messenger or to the NT event manager. One limitation is that administrative network messages are sent only to computers on the same subnet as the Content Redirector system.
In general, this product should be a useful addition to an established protection system. It will block hostile attachments and downloads and can limit spam and mail bombs. However, not all its features work properly just yet. Aladdin said a bug fix release should be available by press time. After that, eSafe Gateway should integrate well and be a worthwhile investment.
Michael J. DeMaria is a systems administrator in Syracuse, N.Y. Send your comments on this article to him at firstname.lastname@example.org.