Although CyberArmor won our Editor's Choice award, InfoExpress should beware. The other vendors are closing in. CyberArmor still demonstrates the best ability to switch between multiple policies and has the best application control among our test group.
The suite comprises six components. CyberArmor Policy Expert is used to edit policy files. CyberServer is the management software for distributing policies and accepting log file uploads. CyberBridge is used in conjunction with Microsoft Internet Information Server (IIS) to simplify policy downloads and make it easier to switch users to different groups. CyberConsole and CyberReports are for viewing users and alerts. CyberArmor Personal Firewall is the agent software.
The executable blocking is among the most flexible we tested this time out. It uses Perl-style regular expressions to block or allow programs by name, wildcard and command-line argument. You can also block spawned programs, including those that might come with e-mail attachments. This would let you block .vbs scripts from Microsoft Outlook Express, but allow .shs from Eudora if you like.
The user can be informed of a reason the program was prevented from running, and the administrator can decide whether to generate an alarm to the user and the central management station.
You can verify executables with an MD5-based checksum. The policy editor lets you scan an executable or directory and builds a database of checksums. CyberArmor's application control is solid. It was able to block the Sheepshank Trojan.
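The following added example, which is not InfoExpress code, sketches how application control of this kind can combine regular-expression rules on program name, spawning program and command-line arguments with a checksum database. The rule set, the first-match-wins ordering, the default-allow fallback and all paths are assumptions made for illustration.

```python
import hashlib
import re
from dataclasses import dataclass

@dataclass
class Rule:
    action: str          # "allow" or "block"
    program: str         # regex on the item being launched
    parent: str = ".*"   # regex on the program that spawns it
    args: str = ".*"     # regex on the command-line arguments
    reason: str = ""     # text shown to the user when blocked

# Constructed policy; first matching rule wins (an assumption of this sketch).
RULES = [
    Rule("block", r"\.vbs$", parent=r"msimn\.exe$", reason="script spawned by Outlook Express"),
    Rule("allow", r"\.shs$", parent=r"eudora\.exe$"),
    Rule("block", r"\.shs$", reason=".shs is only allowed from Eudora"),
    Rule("block", r"ftp\.exe$", args=r"(^|\s)-s:", reason="scripted ftp session"),
]

def checksum(image: bytes) -> str:
    # MD5 because that is what the review describes; it is not collision
    # resistant, so a current deployment would use SHA-256 here.
    return hashlib.md5(image).hexdigest()

def build_db(files: dict) -> dict:
    """Scan step: map each known executable path to its checksum."""
    return {path.lower(): checksum(image) for path, image in files.items()}

def decide(program, parent, args, image, db, rules=RULES):
    """Return (action, reason) for one launch attempt."""
    known = db.get(program.lower())
    if known is not None and known != checksum(image):
        return ("block", "checksum mismatch")
    for r in rules:
        fields = ((r.program, program), (r.parent, parent), (r.args, args))
        if all(re.search(pat, val, re.IGNORECASE) for pat, val in fields):
            return (r.action, r.reason)
    return ("allow", "")  # default-allow is an assumption of this sketch

# Constructed sample data.
DB = build_db({r"C:\Tools\ftp.exe": b"original image bytes"})
OE = r"C:\Program Files\Outlook Express\msimn.exe"
EUDORA = r"C:\Eudora\eudora.exe"
```

The checksum test runs before the name rules, so a known executable whose contents have changed is blocked even when its name would be allowed.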
The Policy Expert's interface has been improved over version 1.1's, which we tested last year. It was simplified to ease the creation of configurations and templates, which are used as the sets of rules you want to implement. The different configurations help change network settings, download servers, VPNs and so forth. All changes in a template affect the configurations that are built from it. The capability to have one set of policies in place and let it take effect across multiple remote offices is a real boon.
As in the earlier version, there are multiple levels of complexity, from simply clicking check boxes to manually editing policies. Most of the new interface is wizard-based, so it doesn't supply you with every option possible. You can go back to the version 1.1 interface for more fine-tuned control, but it's a bit ugly because you're basically editing text files. Editing multiple policies has become much more straightforward. You can create installers for these different configurations.
The newest component is CyberBridge, which greatly simplifies changing users and groups. CyberBridge works with IIS via a PHP script to link the Web server with the policy and user database. Via CyberConsole, you can move individual users into a different group or move all the users in one group into a different group. Then, when a client checks for updates from the CyberServer, it changes groups and gets the new policy file.
When the user installs the client software, you can have the user enter his or her user name and e-mail address. On one of the clients, we entered mdemaria, which we could immediately see in the CyberConsole. You can then lock the user from changing the user name and password.
You can also set a password on the CyberArmor Personal Firewall configuration screen, so the user can't modify any of the settings. These settings include shutting off the firewall, and changing the update interval or trusted IP addresses. You don't want your users turning off the firewall on a whim. But what if you have a salesperson at a remote site, with no access back to the corporate network, and he or she needs to let someone connect to his or her machine? CyberArmor allows a one-time override for this type of situation.
The client generates a one-time cookie, which is an eight-digit number. You then use the Policy Expert to type the first four characters of the configuration password and the cookie provided by the user. This produces a one-time eight-character password. The user can use this password to override the normal setup password and change his or her settings. The only thing you can't change with the one-time password is any of the other setup passwords.
CyberArmor does not let you generate a one-time password without knowing part of the setup password. CyberArmor is the only product we tested that allows for this emergency-override capability, even when the client can't connect back to the network. This is a handy feature, especially if someone is stuck in the field.
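The review does not say how CyberArmor derives the override password. As an added illustration, not InfoExpress code, the sketch below shows one way an offline challenge-response of this shape can work; the HMAC-SHA-256 derivation, the output alphabet and the `Client` class are assumptions.

```python
import hashlib
import hmac
import secrets

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # 32 unambiguous symbols

def new_cookie() -> str:
    """Client side: fresh eight-digit challenge shown to the user."""
    return f"{secrets.randbelow(10**8):08d}"

def override_code(password_prefix: str, cookie: str) -> str:
    """Either side: derive the eight-character one-time password."""
    if len(password_prefix) != 4 or len(cookie) != 8 or not cookie.isdigit():
        raise ValueError("need 4 password characters and an 8-digit cookie")
    mac = hmac.new(password_prefix.encode(), cookie.encode(), hashlib.sha256).digest()
    n = int.from_bytes(mac[:5], "big")  # 40 bits give 8 base-32 symbols
    return "".join(ALPHABET[(n >> (5 * i)) & 31] for i in range(8))

class Client:
    """Hypothetical agent that can verify a code with no network access."""

    def __init__(self, config_password: str):
        self._prefix = config_password[:4]  # assumption: the agent keeps this part
        self._pending = None

    def request_override(self) -> str:
        self._pending = new_cookie()
        return self._pending

    def try_override(self, code: str) -> bool:
        if self._pending is None:
            return False
        expected = override_code(self._prefix, self._pending)
        ok = hmac.compare_digest(expected, code.strip().upper())
        if ok:
            self._pending = None  # the cookie is consumed, so a replay fails
        return ok
```

The administrator runs `override_code` with the first four password characters and the cookie read out by the user; the agent recomputes the same value locally, which is why the exchange works when the client cannot reach the network.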
CyberArmor Suite 2.1 Enterprise Personal Firewall. InfoExpress, (650) 623-0260; fax (650) 623-0268. www.infoexpress.com
Sygate Technologies Sygate Secure Enterprise and Sygate Management Server
The Sybergen product came in last place in our review last year. This year it comes back with a new name -- Sygate Secure Enterprise -- and is much improved. The portion of the suite we tested is called Sygate Management Server. Our testing revealed a cleaner interface, better documentation and easier policy creation and management than previous iterations. Sygate now also supports failover policy and database servers.
This product requires the use of a SQL or Oracle database and IIS, which powers the back end just as CyberArmor and ISS' BlackICE Agent and ICEcap Manager do. The management is done through a Java applet. The Java applet was manageable, but the manual process of locking and unlocking groups was sluggish. Locking prevents two administrators from working on the same group at once.
The philosophy behind the administration user interface is inheritance. Each group inherits the policies of the parent group. For example, you can create a group of computers called Sales, and inside that create two more groups called East Coast and West Coast. Changes to the Sales group will also affect East Coast and West Coast.
There are two ways of grouping things together: by computers or by users. Computers autoregister with the administration server. Users can be added manually or imported from a Windows NT domain or LDAP server. You can then set policy files on users or computers. This way you can grant more freedom or give users access to different applications across your domain. A computer policy file overrides the user policy. In the course of our testing we found switching users from group to group easy.
Setting multiple policy files depending on the user's location is also easy. This can be done by looking at the gateway MAC (Media Access Control) address, client IP address, subnet or MAC address of a DHCP server. It's nice but not as full-featured as CyberArmor, which lets you do all this, as well as resolve DNS and check VPN registry keys. Like CyberArmor, Sygate Management Server was able to stop the Sheepshank Trojan.
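Location-based policy selection of the kind described above can be sketched as follows. This is an added example, not Sygate code: the location names, addresses, the rule that every configured attribute must match, and the strict default for unrecognized networks are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Location:
    policy: str
    gateway_mac: Optional[str] = None
    subnet: Optional[str] = None
    dhcp_server_mac: Optional[str] = None

def norm_mac(mac: str) -> str:
    """Compare MAC addresses regardless of separator or case."""
    return mac.replace("-", ":").lower()

def in_subnet(ip: str, subnet: str) -> bool:
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(subnet)
    except ValueError:  # missing or malformed address
        return False

def matches(loc: Location, seen: dict) -> bool:
    """Every attribute the location specifies must match what the client sees."""
    checks = []
    if loc.gateway_mac:
        checks.append(norm_mac(loc.gateway_mac) == norm_mac(seen.get("gateway_mac", "")))
    if loc.dhcp_server_mac:
        checks.append(norm_mac(loc.dhcp_server_mac) == norm_mac(seen.get("dhcp_server_mac", "")))
    if loc.subnet:
        checks.append(in_subnet(seen.get("client_ip", ""), loc.subnet))
    return bool(checks) and all(checks)

def select_policy(locations, seen, default="untrusted-network"):
    """First matching location wins; unknown networks get the strict default."""
    for loc in locations:
        if matches(loc, seen):
            return loc.policy
    return default

# Constructed sample data (addresses are placeholders).
LOCATIONS = [
    Location("hq-office", gateway_mac="00-11-22-33-44-55", subnet="10.20.0.0/16"),
    Location("branch", dhcp_server_mac="00:AA:BB:CC:DD:EE"),
]
```

Requiring the gateway MAC as well as the subnet keeps a home network that happens to reuse the same private address range from receiving the office policy.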
The reporting in Sygate Secure Enterprise has improved. You can more easily generate reports for individual users, groups, computers or the entire organization. If you want a more in-depth look, you can view each blocked attempt. Rules are assigned a severity level from 0 to 15. You can sort the logs by severity, with the more important attacks and violations bubbling to the top. We made blocking outgoing telnet the highest severity and incoming TCP 80 the lowest. Each time we ran telnet, it showed up at the top of the report. The graphical report generation is a nice touch for making Microsoft PowerPoint slides.
You can add rules based on application name, path, file size, checksum, network information, ports, protocols or time. For example, you might want to shut down both incoming and outgoing traffic whenever your employees are out of the building--perhaps nights and weekends. You can also create rules that apply only when the VPN connection is up. You might want to have instant-messaging software active only when the VPN tunnel is up, for example. InfoExpress' CyberArmor is the only other product with this feature.
If multiple rules have the same priority, the rule created first gets priority. This was a bit irritating during our testing. If you don't plan ahead, introducing a fresh rule for the top of the list can be tough. It would be handy to have a way to change the order of rules with the same severity level more easily.
Sygate Secure Enterprise and Sygate Management Server. Sygate Technologies, 1-877-923-7436; fax (510) 742-2699. www.sygate.com