Defense Starts Here

Deep inside the perimeter, your desktops and laptops are vulnerable. We tested five desktop firewalls designed to protect your endpoints.

February 24, 2003


With centrally managed firewalls, the kind we tested for this review, a centralized server dictates the security policy. Each client queries the server to download its policy file and upload status reports--then enforces the server's policy mandates.

We tested desktop firewalls from Internet Security Systems, Securitae, Sygate Technologies, Symantec and Zone Labs. We also invited InfoExpress, whose product won our Editor's Choice awards in previous desktop firewall reviews, but the company declined to participate because a new version of its product was in beta during our tests.

With these firewall products, the central management server and end-user desktop clients are directly and completely intertwined, though the client software usually has one name and the server another--for example, ISS's ICECap manager and RealSecure Desktop.

We tested only Microsoft Windows systems in this review. Although all OSs contain vulnerabilities, there are comparatively few malicious programs on non-Windows/Intel platforms. That is to be expected: Windows sits on more than 90 percent of desktops in the United States and is therefore a more enticing target.

Our test bed used 600-MHz Pentium-based computers running Windows 2000 as management server and client stations. When necessary, we installed Microsoft SQL Server 2000 on the management server.

More Administrator Time

In the past, you could secure a desktop by blocking all incoming connections and limiting outgoing ports to a few well-defined services (such as Port 80 for Web access). But this method is obsolete. Today, Trojan horses (hostile code typically disguised as or hidden in benign applications) can initiate outbound connections that look like legitimate traffic. For example, sensitive data can be encoded and hidden inside an HTTP request. To a network analyzer, a Trojan uploading your financial-data spreadsheets may resemble normal Web traffic. To get around this problem, the desktop firewall's central server must grant individual applications permission to access the network. These permissions comprise part of the firewall's security policy.

Methods of populating and configuring the permitted applications vary by product. Some products offer a scanning tool whose output is uploaded to the server; others let a clean client system learn and report back the available applications. All the products we tested compute MD5 hashes, or fingerprints, of each permitted executable to protect the network from modified or overwritten applications. If the application being launched has a different hash from the one the server dictates, the application is denied network access. This way, infected Internet programs (viral or Trojan) and renamed applications (such as a Trojan masquerading as iexplore.exe) will send up red flags.

Four of the products we tested--the exception is Symantec's Client Security--also offer component control; that is, they extend control capabilities to .DLL and other library files, which Trojans can also attack. A library is a small file of compiled code, such as a Windows .DLL file, that contains functions an application may wish to access. The firewall calculates an MD5 hash of each library, exactly as it does for the applications.

The administrator creates a list of allowed applications, libraries and MD5 hashes as part of the security policy. Compiling and maintaining these lists and hashes require a significant time investment (see "Beyond the Initial Expense").

Because protection is a desktop firewall's top concern, we used two leak-test programs, FireHole and TooLeaky, to challenge each firewall's application-blocking abilities. These programs work by injecting DLLs and Windows hooks into Internet Explorer, so that data leaves the machine through an application the firewall already trusts. FireHole and TooLeaky got through each of the firewalls until we enabled component control; clearly, application control alone is insufficient to protect your network. Only Symantec's Security Center, which has no component control, failed to block these two Trojans. Symantec's product does include an antivirus program that could detect and purge widespread Trojans, but that solution is reactive instead of proactive.
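The hash-based application and component control described above, as an added example that is not part of the original review or any vendor's code. It takes a reference scan of a constructed "clean" directory to build the allowlist, then checks a launch the way these products do: the executable's own hash first, and, with component control on, the hash of every library the process has loaded. The file names, file contents and the module list are assumptions constructed for the demo (a real agent gets the loaded-module list by hooking the Windows loader). The verdict names the offending module, which is the detail the review faults Integrity's reporting for omitting.

```python
import hashlib
import os
import tempfile


def file_hash(path, algo="md5"):
    """Hash a file in chunks. The 2003 products used MD5; pass "sha256" today."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(root):
    """Reference scan of a clean system: file name -> expected hash for every
    executable and library found under root (every file, in this demo)."""
    allow = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            allow[name] = file_hash(os.path.join(dirpath, name))
    return allow


def check_launch(exe_path, loaded_modules, allowlist, component_control=True):
    """Decide whether a process may reach the network.

    exe_path        -- executable being launched
    loaded_modules  -- paths of the DLLs it has loaded (assumed input; a real
                       agent obtains this by hooking the loader)
    allowlist       -- name -> hash from build_allowlist()
    Returns (allowed, reason); the reason names the offending module.
    """
    name = os.path.basename(exe_path)
    expected = allowlist.get(name)
    if expected is None:
        return False, f"{name}: not in approved application list"
    if file_hash(exe_path) != expected:
        # Catches both a patched binary and a Trojan renamed to iexplore.exe
        return False, f"{name}: hash mismatch (modified or renamed binary)"
    if not component_control:
        return True, f"{name}: application hash OK (components not checked)"
    for mod in loaded_modules:
        mod_name = os.path.basename(mod)
        mod_expected = allowlist.get(mod_name)
        if mod_expected is None:
            return False, f"{name}: unknown component {mod_name} loaded"
        if file_hash(mod) != mod_expected:
            return False, f"{name}: component {mod_name} hash mismatch"
    return True, f"{name}: application and {len(loaded_modules)} components OK"


def demo():
    """Constructed scenario (fake file contents, not real binaries)."""
    root = tempfile.mkdtemp()

    def put(name, data):
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(data)
        return path

    ie = put("iexplore.exe", b"pretend Internet Explorer binary")
    wininet = put("wininet.dll", b"pretend wininet library")
    allowlist = build_allowlist(root)  # scan taken while the box is still clean

    # A FireHole/TooLeaky-style leak test: its own DLL is injected into the
    # trusted browser, which then carries the data out as ordinary HTTP.
    hook = put("leaktest_hook.dll", b"pretend injected hook")
    app_only = check_launch(ie, [wininet, hook], allowlist, component_control=False)
    with_components = check_launch(ie, [wininet, hook], allowlist)

    # Upgrade scenario: the browser binary changes but the policy still carries
    # the old hash, so the allowlist must be refreshed or the browser is blocked.
    put("iexplore.exe", b"pretend Internet Explorer binary, service pack applied")
    upgraded = check_launch(ie, [wininet], allowlist)
    return app_only, with_components, upgraded


if __name__ == "__main__":
    for verdict, reason in demo():
        print("ALLOW" if verdict else "DENY ", reason)
```

With component control off, the injected hook rides out under iexplore.exe's good hash, which is exactly how the two leak tests beat every product until component control was switched on; with it on, the unknown DLL is named in the verdict. The third case is the maintenance cost the "Beyond the Initial Expense" sidebar warns about: an upgraded executable is denied until its new hash is added to the policy.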

All the products we tested require a lot of administrative time, so an easy-to-use feature-management interface is key to reducing the TCO (total cost of ownership). Tiered administration, for example, lets you create admins for groups of users and delegate responsibilities. Using such a feature, you can create an admin to monitor the logs for potential attackers and another to manage the accounting group. We also examined a management server's high availability and load-balancing capabilities. Securitae CMDS, Symantec Security Center and Sygate Management Server have high availability.

With so many hardware and software layers, a secure network can become a quagmire without the right tools to tie everything together. We judged the products' integration capabilities, based on support for third-party security products, multiple policies and networks, and directory services. Sygate Management Server offers the best integration capabilities in these areas.

Likewise, the ability to set multiple policies based on location is a plus. We considered this an integration issue because the multiple policies affect users that roam across networks or need access to certain ports/programs while a VPN is active. Sygate's product excelled in its integration with supported VPN and antivirus products. You can create multiple policies more easily in Sygate Management Server than in any of the other programs we tested. This is useful if you want to set separate policies for people on the corporate network, on VPNs and using wireless.

For directory services, we evaluated if the products support user and group information from Active Directory, LDAP, RADIUS and NT domains. In this category, Zone Labs' Integrity excelled.

Reporting can be a godsend or completely useless for finding attackers. The Internet is a hostile place, with millions of scans for vulnerabilities conducted every second. Simple sweeps for vulnerabilities on the Internet occur often enough that tracking them is futile. However, you may be interested in knowing if scans are being conducted inside the LAN by a disgruntled employee. We evaluated reporting capabilities based on the number of available reports, filtering data and presentation.

Finally, though price is always important, we found that the vendors all quoted about the same list price, and we therefore gave it little weight on our scorecard.

After considering all these factors, we gave our Editor's Choice award to Sygate Secure Enterprise 3.0, which did the best job of balancing protection, management and integration. Each of the other products fell short in at least one area, and none approached Sygate's superiority across the board.

Sygate's package, composed of Sygate Management Server (SMS) and Sygate Security Server, offers the best blend of protection, management and integration. Its support for multiple administrators and policy inheritance and its compatibility with antivirus and VPN products helped this firewall win our Editor's Choice award.

Sygate's Java management-configuration tool uses an inheritance structure in which global security policies apply to all users and groups. Once you've established the global policy, you can create subpolicies that override or supplement it. You can also nest multiple subgroups. For example, we created a global policy to allow Internet Explorer for all users. We then created a "tech editors" subgroup with FTP access. Changes in the parent policy take effect on all the subgroups below it. If we added a rule to allow SSH (Secure Shell) in global, the tech editors would have gotten access to SSH. Users can be assigned and moved around any of the groups or subgroups.
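The policy inheritance just described, modelled as an added example that is not part of the original review or Sygate's code. A group carries only its own rules; the effective policy is the merge from the global root down, so a subgroup rule for the same application overrides the parent's, a rule added at the root flows to every subgroup, and a user who is moved takes on the new group's policy. The group and user names, applications and ports are assumptions constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Rule:
    app: str                         # executable name the rule applies to
    action: str                      # "allow" or "deny"
    ports: frozenset = frozenset()   # permitted remote ports; empty means any


@dataclass
class Group:
    name: str
    rules: dict = field(default_factory=dict)   # app -> Rule, this group's own rules only
    parent: Optional["Group"] = None
    members: set = field(default_factory=set)

    def effective_rules(self):
        """Merge rules from the root down: a subgroup's rule for the same
        application overrides its parent's, everything else is inherited."""
        chain, g = [], self
        while g is not None:
            chain.append(g)
            g = g.parent
        merged = {}
        for g in reversed(chain):    # root first, so children win
            merged.update(g.rules)
        return merged


def decide(group, app, port):
    """Default-deny: an application with no rule anywhere up the tree gets no network."""
    rule = group.effective_rules().get(app)
    if rule is None or rule.action == "deny":
        return "deny"
    if rule.ports and port not in rule.ports:
        return "deny"
    return "allow"


def group_of(groups, user):
    """Each user belongs to exactly one group; moving a user is a set operation."""
    for g in groups:
        if user in g.members:
            return g
    raise LookupError(user)


def demo():
    """Constructed policy tree: global -> tech editors, global -> sales."""
    global_policy = Group("global", {"iexplore.exe": Rule("iexplore.exe", "allow", frozenset({80, 443}))})
    tech = Group("tech editors", {"ftp.exe": Rule("ftp.exe", "allow", frozenset({21}))}, parent=global_policy)
    sales = Group("sales", parent=global_policy)
    tech.members.add("editor1")      # hypothetical user names
    sales.members.add("buyer1")
    groups = [global_policy, tech, sales]

    before = {
        "tech ftp/21": decide(group_of(groups, "editor1"), "ftp.exe", 21),
        "sales ftp/21": decide(group_of(groups, "buyer1"), "ftp.exe", 21),
        "tech ie/443": decide(tech, "iexplore.exe", 443),
        "tech ie/8080": decide(tech, "iexplore.exe", 8080),
        "tech ssh/22": decide(tech, "ssh.exe", 22),
    }

    # Change the parent: the new rule reaches every subgroup below it.
    global_policy.rules["ssh.exe"] = Rule("ssh.exe", "allow", frozenset({22}))
    # Subgroup override: sales loses the browser, tech editors keep it.
    sales.rules["iexplore.exe"] = Rule("iexplore.exe", "deny")
    # Move a user: the policy follows the group, not the user.
    tech.members.discard("editor1")
    sales.members.add("editor1")

    after = {
        "tech ssh/22": decide(tech, "ssh.exe", 22),
        "sales ssh/22": decide(sales, "ssh.exe", 22),
        "sales ie/443": decide(sales, "iexplore.exe", 443),
        "tech ie/443": decide(tech, "iexplore.exe", 443),
        "editor1 ftp/21": decide(group_of(groups, "editor1"), "ftp.exe", 21),
    }
    return before, after


if __name__ == "__main__":
    for label, verdicts in zip(("before", "after"), demo()):
        print(label, verdicts)
```

Note the default-deny in decide(): an application that no group lists is blocked, which is the behaviour that makes the application lists in the "More Administrator Time" section so expensive to maintain.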

SMS lets you create multiple administrators and give them tasks, adding to the product's flexibility. To test this feature, we created groups called CMP East, CMP West and NWC Syracuse, then assigned one administrator account to each group. The NWC Syracuse admin could manage all his or her users based on his or her network's security policy, without seeing or affecting the other two groups. Besides SMS, only ISS's RealSecure package gets as granular.

SMS lets you configure rules to enable or disable DHCP, DNS, NetBIOS, OS masquerading and shunning attackers. The process is simple. When we ran an Nmap probe with OS masquerading enabled, for example, the software identified the system as a Red Hat Linux station to trick attackers into trying Linux attacks against a Windows workstation. This feature will mislead script kiddies performing scans for hosts, but it won't guarantee complete security.

The server software provides two methods for establishing trusted applications: manual input or client-learned. Every time a client with a learning-enabled policy launches a new Internet program, it reports the file name, version number and MD5 hash to the server. You can then add the appropriate applications to the trusted list. In test environments, new applications can be added to the approved application list automatically, or the management server can send you an e-mail when a user runs a previously undiscovered application.

Application discovery is important in the initial configuration and testing phases of deployment. We had one big complaint about the way the product accomplishes this: The server cannot dictate the components' MD5 hashes. Instead, these hashes are computed on the end node. Although this technique makes diverse environments easier to administer, it also necessitates installation on clean systems. If you install the firewall on a system that's already compromised, the firewall won't catch the Trojan, because it will fingerprint the Trojan's library as trusted. You can, however, require the executable's hash to come from the server. In other words, you can require iexplore.exe to have a certain MD5 hash, but the system DLL hashes cannot be centrally defined. Integrated antivirus and intrusion-detection support should catch any stragglers.

Sygate's is also the only product that lets you create multiple policies based on the user's location or tasks. For example, you can have one policy for local users, another for those connecting via VPN, and a third policy for wireless users. You can set policies based on MAC (Media Access Control) addresses, IP addresses, network adapters, VPN adapters, applications and time of day.

Sygate's report generation isn't as robust as ISS's: You can't drill too deeply into Sygate's graphs. Each rule, for example, can be assigned a severity on a scale from zero to 15. We created a rule that said running telnet.exe would produce a critical flag. After executing telnet on a client machine, we sorted the security log by severity. Our telnet violation appeared at the top. You can create line, bar and pie charts showing IPs, protocols, time, application or severity of attacks, but you can't take the reporting much further.

Sygate Secure Enterprise 3.0 starts at $30 per seat. Sygate Technologies, (866) 308-8899. www.sygate.com


Zone Labs Integrity 2.0

Zone Labs made its mark in the desktop firewall world with Zone Alarm, its application-blocking firewall for consumers. This technology has been merged into Zone Labs' enterprise product, Integrity 2.0 with Integrity Agent 3.5. Integrity offers all the protection options we sought, but its management, reporting and integration features are average at best.

Through the browser-based management server, Integrity lets you create multiple administrator accounts. However, you cannot restrict which groups an administrator may configure, as you can with Sygate's and ISS's products; all administrators have full access to all policy files. You can set two policy files, one for the trusted zone and the other for the Internet zone, and use them to control which ports are open and whether an application may act as a server or as a client in either zone.

Integrity can quarantine POP3 and IMAP e-mail attachments based on file extensions, though it can't do the same for Webmail and Exchange. The end user has final say over whether an attachment should be permitted, but the file's extension is changed. You can find the original extension and change it back by looking at the mailsafe log file.

Importing the MD5 hashes can be a hassle, but an included utility, appscan, simplifies the process. You can do a reference scan or put a client in observation mode. We did the reference scan on a clean client system, and appscan generated a complete list of MD5 hashes, then uploaded that file to the Integrity server.

Unfortunately, a reference scan isn't enough to create an explicitly defined trusted application list. We needed to put the client on a clean system in observation mode. Once we launched our applications, they were reported to the management server. We could then set up the approved application list. This is the same process as enabling the Sygate firewall's learning mode. The benefit to a reference scan is that you can configure a policy to permit an application listed in the reference scan but not explicitly permitted or denied in the approved application list.

Integrity has some well-thought-out integration capabilities. It is the only product that can pull user and group information from a RADIUS server. It also can check virus-definition files from McAfee, Symantec and Trend Micro virus scanners. Zone Labs is the only vendor in this review that supports Symantec as a third party.

Integrity's reporting capabilities need improvement. The reports are both uninformative and confusing. For example, when FireHole triggered a program violation in iexplore.exe, Integrity notified us about the violation but failed to mention FireHole. Such a lapse makes it much harder for an administrator to discover the problem's cause.

Zone Labs Integrity 2.0 starts at $65 for an end-user license (server license included). Zone Labs, (877) 876-4960, (415) 341-8200. www.zonelabs.com

Internet Security Systems RealSecure Desktop Protector 3.5

ISS has improved the managed firewall capabilities of its product substantially since we evaluated it in 2001. While BlackICE, ISS's earlier product, lacked application control, RealSecure ICECap Manager with RealSecure Desktop Protector comes with many new features, including application control. Nevertheless, a shortage of integration and antivirus-detection capabilities brought this product's score down.

Browser-based RealSecure ICEcap Manager provides four account classifications: system admin, account admin, system user and account user. The two ICEcap admins have write access, while the ICEcap users have read-only access to the management interface. System admins and users can access any group, while account admins and users can access their specified groups only.

For creating application-control policies, ISS offers a utility program to generate the MD5 hashes. You load this client on a baseline machine, and then copy the resulting text file to the management server and import it. You can allow any and all programs with hashes known by the server and allow or deny specified programs. When an application is approved, so are its DLLs. The application list is grouped by product names as determined by the baseline scan, though some applications fall in odd places. For example, "Internet Explorer 6" is one category, but it refers only to ie6setup.exe. The real Internet Explorer falls into the "Microsoft Windows Operating System" group. There's no changing these groups; you must use whatever product name ICEcap assigns to an executable. You also can't move applications into different groups.

ICEcap generates top-notch reports, courtesy of Seagate Crystal Reports. Not only do you get bar graphs of top signatures, intruders, targets, and most frequent attacks, you can drill down in them. By clicking on an attack type, you can see who attacked your system and all other attacks from that node. A link to the ISS advice center provides more detailed information.

RealSecure Desktop Protector 3.5 starts at $6,800 for 100 clients. Internet Security Systems, (888) 901-7477, (404) 236-2600. www.iss.net

Securitae CMDS 2.2

We received a very late beta of Securitae's CMDS (Centrally Managed Desktop Security) 2.2 and its Desktop Security Engine 2.0, which the vendor described as "almost gold code." This product has potential, thanks to the wide range of databases it can use to store data. It even supports the open-source databases MySQL and PostgreSQL. However, the program needs some interface improvements.

CMDS is configured via a signed Java applet. You can create multiple administrators and assign them to configure only specific groups. The configuration tool lets you create and edit policies on a clean client machine, but figuring out how to use the tool is difficult, and the documentation is brief.

The package does provide powerful sandboxing, including component checking and mail spawning control. Policies for the sandbox environment, firewall rules and MD5 hashes can be exported and copied to the administration server.

There is not much to the event viewer, which contains filters based on time, priority, IP, reporting module and login name. The documentation states that this part is sparse because Securitae expects customers to build their own reporting tools. CMDS costs about $20 per seat less than the other products. However, we think the subpar management interface and sparse documentation negate this advantage.

CMDS 2.2, $40 per seat. Securitae Corp., (408) 919-7360. www.securitae.com

Symantec Security Center

Symantec's product, which consists of Security Center and Symantec Client Security, is an antivirus product with a thin veneer of a firewall. As such, it falls short in several areas, especially in reporting and the management interface.

On the upside, you get a complete antivirus system--and not just Norton Internet Security with a different badge. At the program's heart is the system center, which lets you load firewall and antivirus configurations and start virus-scan sweeps. It is designed to allow easy management of multiple servers spread across your organization.

The firewall configuration tool is a standalone program for creating firewall policies. You can import these policies into the System Center. Here you can allow or deny ports and programs. Because there is no scan or import tool, you must enter all applications manually. The tool can calculate hashes automatically, and can be installed on a clean client machine. You also can set up trusted and restricted zones.

The firewall does not filter communication between computers in the trusted zone. Symantec includes approximately 50 IDS signatures, and you can't add more manually. Perhaps the most disappointing aspect of this product is its lack of centralized reporting for firewall events: You have to get this information off each client.

There is no integration with directory services for user and group management. While Security Center does create MD5 hashes, it doesn't provide DLL or mail-spawning controls.

Symantec Client Security starts at $102 for 10 to 24 nodes. Symantec Corp., (800) 441-7234, (541) 335-7000. www.symantec.com

Michael J. DeMaria is an associate technology editor based at Network Computing's Syracuse University Real-World Labs. Write to him at [email protected].


Antivirus software? Intrusion-detection systems? VPNs? They're not enough. Every layer makes your network a little bit more secure, and centrally managed desktop firewalls are an essential part of your arsenal. These suites do more than protect your perimeter; they keep sensitive data from leaving your network at the hands of internal attackers.

In our review of desktop firewall packages from Internet Security Systems, Securitae, Sygate Technologies, Symantec and Zone Labs, we focused on the protection these suites provide, as well as their manageability, integration capabilities, reporting and price. Sygate Secure Enterprise 3.0 topped our list, with the best-rounded set of features and abilities.

Beyond the Initial Expense

Firewall client licenses average about $50 per seat. Cut the free soda program for a month and you'll find the funds to pay for it. From a pure operational standpoint, however, unless you are constantly repairing hacked machines, rolling out desktop firewalls will probably yield a negative return. But remember, you're not just interested in protecting mobile users against Internet script kiddies. Intellectual property theft is costly, embarrassing and could put you out of business. The most common losses were from R&D, at $404,375 per incident, and financial data, at $356,035 per incident, according to a report by ASIS and PricewaterhouseCoopers. Preventing one loss may pay for the entire program.

Of course, the initial cost is just one part of the story. Maintenance is time-consuming but necessary. To maintain policy files, for example, you must keep a list of applications and their DLL checksums, and a separate list of people who may access that information. Furthermore, you must track users' needs, as well as their whereabouts within the company. Products that tie into existing directory services (such as Active Directory or LDAP) for user/group configuration can help reduce this cost. However, you must also keep updating executables' signatures when you upgrade. The desktop firewall won't let IE 6.0 launch if the policy contains only IE 5.0 signatures, for instance.

Helpdesk calls are bound to bog you down once you roll out a desktop firewall. Some users will be locked out of critical applications for a few days. Others may want to use forbidden programs, and you'll have to convince them that the security policy is more important than their individual wants. And heaven forbid you accidentally block DNS or DHCP.

Letting users see the attack report in real time may also be problematic, especially since many of them don't know what they're seeing. For example, ISS RealSecure showed some 8,000 attempted attacks overnight from one of our SNMP servers. These attacks, however, were harmless, generic scans that require no action, though they'll light up a desktop firewall on the Internet like matches dipped in gasoline. Denying users the ability to see scans and minor attacks will save your helpdesk a few phone calls.

Shouldn't antivirus software and an e-mail server scanner be enough to protect desktops inside the LAN? If your organization keeps all its remote users away from the private LAN, all current and former employees are trustworthy, and you keep strict physical security, perimeter firewalls should prevent people from hacking in, while the antivirus software and e-mail server scanner catch any virus or Trojan. Right? Wrong. Antivirus software is reactive, not proactive. And desktop firewalls do only part of the job.

Antivirus software operates by matching a file against a database of existing virus signatures. New viruses and Trojans don't get caught. Antivirus and IDS vendors respond quickly, creating signatures for new viruses; still, a few hosts are always hit first. Attackers that target your organization directly have one advantage: They don't have to mass deploy their Trojan or virus. Your machines may be vulnerable to new Trojans that remain under the antivirus vendors' radar. Correctly configured, desktop firewalls should catch these Trojans and prevent them from sending data.

Firewalls do not replace antivirus software--they won't protect you from a virus aimed at unlinking every file from the system. And they won't eradicate the Trojan or guarantee that your system will be usable after infection, but they will help keep your data out of the wrong hands. At least that's the theory. If your desktop firewall contains bugs, it can crash or be compromised. If a new exploit is found, you're vulnerable until a patch is released. Meanwhile, the more layers you add, the more likely you'll survive an attack.

REVIEW: Desktop Firewalls
