Security
Feature
No Desktop is an Island

  November 12, 2001
  By Michael J. DeMaria


Individual desktops may be the biggest security hole in your network. That includes desktops of all kinds: those used by home-based telecommuters and laptop-wielding road warriors, and your average office-based desktop PCs.



In the age of feudalism, medieval towns were surrounded by thick stone walls. Sometimes attackers would charge these perimeter walls, but this took a lot of time, and it was risky. It was also hard to do without drawing lots of attention. Eventually, bands of attackers would take the time to befriend someone on the inside. That person would quietly rob his neighbors, then throw the loot over the wall in the middle of the night. An inside job usually works better.

In this modern age of computer security, network-based Trojan programs are like the guys on the inside. Virus scanners can't always identify Trojan programs, especially those that are new or not circulated widely enough for a signature to have been created. The best protection against this sort of attack is a desktop firewall.

Desktop firewalls are effective against intruders lurking behind the main lines as well. Packet monitoring, intrusion detection, port blocking and application control can help prevent Trojan viruses and other nasty programs from creeping into your network.

Getting a Trojan onto someone's computer isn't hard -- just look at the e-mail viruses and worms going around. All it takes is an e-mail attachment with something cute, like dancing hamsters. Or, if you really have an ax to grind, loading a Trojan using a simple floppy is easy enough. Before we began our testing for this review, we did an unscientific experiment. We took just 17 seconds to walk up to a PC in the lab, install a Sub7 Trojan off a floppy disk and walk away whistling.

But keep in mind, a firewall won't protect you from a Trojan that is aimed at unlinking every file from the system. Using antivirus software in tandem with personal firewalls is a must.

The Roundup

In the review of desktop firewalls we ran last year, we tested products from F-Secure Corp., InfoExpress, Sybergen Networks and Network ICE Corp. This year we have the same four vendors going against each other, though two have changed their names. Network ICE was recently acquired by Internet Security Systems (ISS), and Sybergen is now known as Sygate Technologies.

We also asked Symantec Corp. to participate, but its product doesn't have centralized reporting. Securitae Corp. was also invited, but its product was in beta at test time. Finally, we tried getting Zone Labs to participate but, like the last time around, the company was still working on adding centralized management. Like Securitae, ZoneAlarm was in beta during our test period.



Desktop Firewall Features


Last year InfoExpress' CyberArmor Suite 1.1 won our Editor's Choice award. CyberArmor repeats this year with the best protection capabilities, great support for mobile users and good policy management. Sygate Secure Enterprise has improved markedly over the past year and is now neck and neck with CyberArmor in most features. The InfoExpress and Sygate products both support fault-tolerant servers, while the other two do not. ISS and F-Secure haven't advanced much since last year, and offer less protection than their competitors.

All the products we tested work in a similar way. Each desktop is loaded with a client agent that sits as a shim, intercepting and inspecting all data going into or out of the machine. These agents inspect, protect and send back status reports. A back-end server (or multiple servers) sits on the LAN, distributing policies and maintaining log reports.

Before rolling out a desktop firewall program, allocate the appropriate resources for the support and helpdesk issues that will inevitably arise. If you block certain programs from running, users will call up and ask, "Why is the network broken?" Provide user education on how the firewall works and what sort of traffic is blocked. You'll definitely get a lot of questions from home-based telecommuters if you don't prepare your users.

We looked at the firewalls from the viewpoint of a corporation planning to roll out 5,000 desktop firewalls in phases, by department. Our grading criteria included policy management, protection, mobile-user support, price and reporting. We tested from the perspective of a corporate IT office with full say over the security and policy files, letting the user have as little interaction with the firewall as possible.

Online Special

Trojans are becoming more dangerous all the time. If you want to make sure your network is safe, you have to stay one step ahead of the troublemakers.

Check out our online-only story "How Trojan Viruses Work -- a New Wrinkle".

All the products we tested offer standalone installers with the necessary configurations already in place (such as the IP address of the administration server). We wanted to see how well you could create different policies for multiple users or machines. For example, the engineers -- and nobody else -- may need FTP access. Every product supports this capability. We also tested how easy it is to switch users to different groups, in case of reorganizations, merging departments or individual job changes.

Each solution we looked at supports dynamic IP addresses. InfoExpress and Sygate offer the best support for mobile users, allowing for multiple policy files depending on the location. InfoExpress offers more granularity than Sygate. F-Secure allows for four policy files per client, but the catch is the user must switch them manually. ISS doesn't offer any support for multiple policy files based on location.

Application Control a Must

The use of port blocking as a primary mechanism for securing desktops is way over. It used to be that if you wanted to stop people from connecting to a Trojan-infected laptop, you could simply block all incoming connections. Not anymore.

Some Trojans will use outgoing connections with traffic that looks legitimate to fool firewalls and intrusion-detection systems. Other Trojans, like Sub7, can e-mail out key grabs or make announcements to IRC (Internet Relay Chat) channels. All this traffic looks legitimate, so simply blocking outbound traffic to remote Port 80 or 25 won't work. (For more, see our online-only story "How Trojan Viruses Work -- a New Wrinkle.")

In this era of smart viruses, the only truly worthwhile desktop firewall supports application control. This firewall will grant individual executables access to the network. Along with that, the firewall needs to use a checksum, such as an MD5 (Message Digest 5) hash, to make sure the executable itself hasn't been modified or compromised. InfoExpress and Sygate both offer this capability; F-Secure and ISS don't.
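The check described above, sketched as an added example (not code from any of the reviewed products): a per-group allowlist that grants an executable network access only if its digest still matches the one recorded at approval time. The class and function names, the group names and the stand-in binary are all assumptions; the article names MD5, but the sketch defaults to SHA-256 because MD5 is no longer collision-resistant (pass `algo="md5"` to mirror the article).

```python
import hashlib
import os
import tempfile

def file_digest(path, algo="sha256"):
    """Hash an executable in chunks so large binaries are not loaded whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

class AppControlPolicy:
    """Hypothetical per-group allowlist: path -> (approved digest, permitted remote ports)."""
    def __init__(self, algo="sha256"):
        self.algo = algo
        self.rules = {}  # group -> {path: (digest, ports)}

    def allow(self, group, path, ports):
        # Record the digest of the binary as it exists at approval time.
        self.rules.setdefault(group, {})[path] = (file_digest(path, self.algo), frozenset(ports))

    def check(self, group, path, port):
        rule = self.rules.get(group, {}).get(path)
        if rule is None:
            return "deny: application not approved for group"
        digest, ports = rule
        if file_digest(path, self.algo) != digest:
            return "deny: executable changed since approval"
        if port not in ports:
            return "deny: port not permitted for application"
        return "allow"

def demo():
    """Constructed scenario: a stand-in 'FTP client' file that is later modified."""
    with tempfile.TemporaryDirectory() as d:
        ftp = os.path.join(d, "ftp_client.bin")
        with open(ftp, "wb") as f:
            f.write(b"constructed stand-in for an FTP client binary")
        policy = AppControlPolicy()
        policy.allow("engineering", ftp, {21})
        results = [policy.check("engineering", ftp, 21),   # approved app, approved port
                   policy.check("sales", ftp, 21),         # group without FTP access
                   policy.check("engineering", ftp, 25)]   # approved app, wrong port
        with open(ftp, "ab") as f:   # simulate modification of the approved binary
            f.write(b"\x00appended bytes")
        results.append(policy.check("engineering", ftp, 21))
        return results

if __name__ == "__main__":
    for line in demo():
        print(line)
```

The last check is the one port blocking alone cannot make: the path, group and port are all still valid, and only the digest mismatch reveals that the approved executable is no longer the one that was approved.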

The selection of desktop firewalls dwindles dramatically when you look for centralized management. By the end of the year, only six such products will be available -- the four in this review plus those of Securitae and Zone Labs. These products vary in price from as little as $37 per seat to as much as $80, depending on quantity. That's a small price to pay for the protection they offer.

Perimeter firewalls can't protect your network entirely now that the baddies have figured out it's much easier to get by individual desktops. Antivirus software is helpful, but its makers are always playing catch-up with the latest Trojan programs. Intrusion-detection systems may not catch the latest Trojan either. And once a Trojan gets onto your network, it can spread. Still, desktop firewalls are a critical line of defense in the never-ending battle to keep your network secure.

