Rollout: eEye's Blink Professional 2.5

Eeye Digital Security's Blink Professional 2.5 is a robust endpoint security suite that protects standalone machines, small workgroups and enterprise deployments against network-based and client-side attacks. Companies looking to protect Windows workstations, laptops and servers from malicious attacks, identity theft and tomorrow's vulnerabilities will find it all here. Unlike conventional intrusion-detection and -prevention systems, Blink operates both at the network and application layers to stop attacks before they do damage.

Blink features six categories of protection: system firewall, application firewall, intrusion prevention, identity-theft protection, anti-spyware and system protection. In each category, users can create custom protection rules or modify existing ones.Feature Upon Feature

The stateful firewall protects both inbound and outbound traffic. It's a welcome addition to Windows XP's inbound-only firewall, but nothing new compared with products from competitors like ISS and Symantec. A quick nmap scan verified that the firewall worked as expected. Blink's detailed wizard makes it extremely easy to configure firewall rules.

Blink's application firewall allows or denies apps access to the network. Unlike Altiris' Endpoint Security Solution and Senforce's ESS, which verify apps only by process names, Blink can trust apps by the full path from which the executable was run, the executable's MD5 and the process name. Network behavior can be defined by inbound or outbound traffic, destination IPs, and ports and protocol. Another rules wizard makes configuration simple. Blink also can prompt users to allow or deny applications trying to communicate outbound on the fly.

Intrusion prevention is a highly useful component, made up of prevention analyzers and signatures that identify suspicious activity and block known attacks. eEye's research team lays the cornerstone for the intrusion prevention analyzers: full protocol decoders that understand network and application protocols. The researchers create specific analyzers that alert or block suspicious behavior. When we rolled back the patches on a Windows XP host to test a particular exploit, for example, the attack was blocked by an analyzer that noted malicious SMB activity.

Blink includes identity-theft protection that catches common attempts by phishers to trick users into clicking on falsely identified links that lead to a compromised server. The rules use analyzers to detect possible attacks in POP3, IMAP and HTTP. Unfortunately, the feature didn't work consistently with all browsers. Our best results came with Internet Explorer 6 and 7; tests on Mozilla's Firefox 2.0 and Thunderbird didn't catch as many attacks. This result surprised us, because checks at the network protocol level shouldn't involve the app.The anti-spyware feature uses a combination of disk scanning and memory checking. Signatures exist for adware, spyware, browser helper objects, search hijackers and more. Additionally, heuristic detection is enabled for new processes being loaded. Although these features don't add much to standalone products such as Ad-Aware or CounterSpy, tying anti-spyware features into Blink's system allows for central reporting of infections.

The final category, system protection, comprises application, registry and execution protection. Application protection prevents buffer overflows and similar attacks that attempt to execute code from heap or stack in memory. During a buffer overflow attack, application protection sees the overwritten stack and stops the app from running. Registry protection stops reads and writes to keys that could signal an attack. Execution protection lets users define rules to prevent certain applications from executing cmd.exe. Before a patch was available, we tested exploits for the Internet Explorer SetSlice vulnerability from Metasploit. Registry protection identified the improper attempts to the CSLIDs and blocked the attack.

Built-in Or Add-on Management

Configuring Blink is a breeze. Its intuitive interface resembles Windows XP's streamlined Control Panel, and icons include summaries of configuration details. Blink offers two management options. The suite can integrate with eEye's REM Security Management Console, which enforces policy, deploys Blink to endpoints and centralizes logging. Small workgroups that don't use other eEye products can create a Blink Central Policy Server (CPS), a single Blink install that lets other hosts mirror that configuration. The CPS option provides the basics, but doesn't allow for remote management or deployment.

Although Blink has logging capabilities, it's hard to collect this data without using REM or SNMP. We couldn't log remotely with syslog, nor could we pass logs into the Windows event subsystem for use by something like Microsoft Operations Manager.Within REM, admins can configure location-awareness policies, such as preventing financial apps from running when not on the corporate network or blocking access to removable storage. However, standalone or CPS-linked installs can't be configured for location awareness, as in Altiris ESS and ISS Proventia Desktop.

Blink Professional is a solid endpoint security suite. During testing, the multiple protection layers caught all our network-based attempts to exploit the Windows XP host and stopped client-side attacks against IE. Blink identified attacks that were not patched and did not explicitly have signatures defined. Companies looking for an endpoint security solution will be hard-pressed to find a better alternative. n

John H. Sawyer is a Senior It Security Engineer at the University Of Florida and a GIAC Certified Firewall Analyst. Write to him at [email protected].