Once again, we came away from our tests of F-Secure's product convinced it is best-suited for inside the corporate LAN. It's not going to be of much use to mobile users, at least not in this iteration.
You can create four profiles: Home, Office, Aux1 and Aux2. The user selects which profile reflects his or her current location. There's no support for real application control, which means the Sheepshank Trojan was able to get through. The limited application control F-Secure does offer is based on the run-time name. The product also lacks integrity checking (such as MD5 checksum), so any program that is on the approved list could be modified.
Like Sygate Management Server, F-Secure's administration supports inheritance. You can create a policy domain, and all subdomains or computers inside it inherit the traits of the parent. Settings dependent on the parent are colored gray unique settings to the current domain are in black. This makes it easy to change settings and see where the changes occur.
Rule setting is rudimentary at best. Rules are still a matter of cutting off certain parts of the network from other parts. Devices are identified by either IP address, DNS name, WINS name or VPN key.
This product is definitely falling behind the competition, but there are a few bright spots. The user-management capabilities are still quite good. Also, you can centrally manage your antivirus, VPN, firewall and smartcards from one console. In a corporate environment where desktops are stationary, that's a plus. But overall, F-Secure is limited to port blocking.
F-Secure Distributed Firewall. F-Secure, (408) 938-6700, (888) 718-4928; fax (408) 938-6701. www.f-secure.com
Internet Security Systems ICEcap Manager with BlackICE Agent
This time out, the ISS duo comes in last. BlackICE still does not support multiple policy files per agent, and it doesn't have any support for application control, though this is planned for future releases. On the plus side, the ICEcap management-server user interface has been refined, and it is much cleaner and less confusing.
The agent program is an inbound firewall and IDS product. It can block ports for incoming traffic but not outgoing. For example, we couldn't block outbound telnet traffic. During our testing, we loaded Sub7 on the agent and tried to connect to it from our attack machine. BlackICE did identify the signature and blocked it. But as with many antivirus solutions, this approach doesn't work against unknown Trojans. We did the same thing with Sheepshank, and we were able to get through easily.
At the heart of this suite is the management console, called ICEcap. ICEcap is controlled using a Web server running IIS and a SQL database. One of the new features in ICEcap is the addition of Help Wizards, which is a combination of flow charts and documentation to facilitate setting up the software. It's a good thing this feature has been added, as this is the still the most complex product to set up among our test group.
During setup, policy files were flying all over the place. There are separate policies for firewall rules, IDS rules, installation configurations and response rules, and we weren't sure how they all interacted without slogging through the docs to figure out what goes where.
The reporting capabilities within ICEcap remain solid. The graphs are perfect for overhead projection at security meetings. And drill-down capabilities are excellent. For example, if you're looking at the top attack signatures, you can click on the most common signature and see all the clients that reported the attack.
BlackICE also includes an event dampener, so if two attacks occur within a time frame, they're treated and reported as one attack (the total number is still shown). During testing, we were able to see that we had 24 Sub7 attacks, but that each set of attacks occurred only three times. The first day of testing we had four hits, the second day eight and the third day 12 in a row. The final neat thing is you can make SQL queries directly from the management interface; no other vendor offers this feature. For those of you who know some SQL, it's a nice feature doing for quick and dirty queries.
BlackICE Agent and ICEcap Manager. Internet Security Systems, (650) 532-4100; fax (650) 341-0719. www.networkice.com
Michael J. DeMaria is an associate technology editor based at Network Computing's Syracuse University Real-World Labs®. Send your comments on this article to him at mdemaria@nwc.com.
REPORTS
ANALYTICS
Follow 
