Rollout: eSoft ThreatWall 450 Web Security Gateway

The Internet has become a depressingly common vector for viruses and spyware, not to mention a fantastic way for users to waste time and violate corporate usage policies, often with the aid of Web-based applications like IM and P2P file sharing. For small and medium enterprises, this trouble is compounded by short-handed IT staffs and tight budgets.Enter the ThreatWall 450 from eSoft. This Web gateway appliance scans common Web protocols such as HTTP for viruses, spyware and spam; filters URLs to stop employees from surfing to restricted sites; and can block or allow the use of well-known IM and P2P file sharing apps.

These same capabilities are available from a variety of competitors on a variety of platforms, including appliances, software and services. However, eSoft bundles popular features into an easy-to-deploy appliance at a price—$3,299 plus yearly subscriptions—that SMEs will find manageable. Throw in a software upgrade, and the appliance can also scan network protocols, acting as a network IPS in addition to a Web filter.

On the downside, it lacks specialized capabilities found in dedicated devices, such as IM/P2P proxies. And its ease-of-use advantage is challenged by service providers that offer many of the functions of the ThreatWall 450.

Filtered For PurityThe ThreatWall 450 works by running all incoming Web traffic through what eSoft calls a "bimodal scanning process" to determine which packets should go through signature-based packet inspection, and which should be fed into a proxy engine that can stop viruses, spam and other unwanted traffic. It can also send traffic through both processes simultaneously.

When scanning incoming traffic, the device looks for signs of attack; it bases its judgment on signatures of known exploits that eSoft compiles, combined with heuristics to help keep out emerging threats. Practically speaking, this protects your network from IIS and Apache attacks, and even from browser-based exploits such as SQL injection.The device also has a URL-filtering capability. More than 30 categories of sites, including gambling, drugs and politics, can be blocked with the check of a box. The URL filter is best used when the device is set up to act as a proxy server for your network and has LDAP/AD authentication enabled, allowing for easy application of policies to disparate groups of users.

The ThreatWall also allows administrators to block or allow specific IM services, including AOL, Google Talk, Yahoo, MSN Messenger and MySpace, and P2P services, including BitTorrent, eDonkey and Kazaa.

Unlike IM regulators from companies such as Blue Coat, Akonix and FaceTime, the TW450 does not proxy the IM or P2P connections. Instead, it uses its IPS engine to detect when a user attempts to log in to a service. The upside is that administrators can enforce policy on the use of IM and P2P services. However, because it doesn't proxy connections, it can't monitor the content of IM or P2P sessions that are allowed.

More Than The WebTo expand the product's capabilities, eSoft sells ThreatPacks. For example, the E-Mail ThreatPack performs AV and spam scans on incoming and outgoing e-mail, eliminating the need for additional security software on your e-mail servers. Messages marked as spam can be rejected or quarantined. The anti-spam capabilities include white and black lists, heuristic analysis, and word matching. More advanced features include server authentication, address verification, spam signatures and Bayesian filtering. A plug-in lets users train the Bayesian filter by marking spam messages that make it into their inboxes.

The E-mail ThreatPack also quarantines inbound or outbound messages that contain keywords or phrases on predefined lists. Administrators can review these quarantined messages to ensure sensitive information or inappropriate language isn't being sent via e-mail.

The Network ThreatPack applies malware filtering to a broader range of network protocols, such as FTP; this allows the appliance to be used in conjunction with an existing firewall or deployed as a standalone IPS on the network edge.

To keep the appliance up-to-date with the latest signatures and threat information, eSoft provides its Distributed Intelligence Architecture, or DIA. The aim of the DIA is to protect against attacks before vulnerable OSes or applications can be patched. As with other signature-based systems, you have to pay an annual subscription fee to get updates.The DIA incorporates a worldwide network of sensors that act as early-warning systems for new attacks. It comprises three parts: ThreatWall appliances in the field, the SoftPak Director and eSoft's threat prevention team. ThreatWall appliances deployed by eSoft customers send anonymous log information to the SoftPak Director, which acts as a central repository for processing information about what the appliances are seeing and what security updates are available. The threat prevention team writes signatures to detect attacks, and eSoft also licenses some signatures from Secure Computing.During testing, the device performed as advertised. We had 10 computers simultaneously downloading large files, while the ThreatWall was tasked with answering Web server requests from remote locations. The appliance supports HTTP scanning at up to 150Mbps, according to eSoft, with a maximum of 400 users, and you can set the ThreatWall up in failover or pass-through mode, allowing traffic to continue if a device fails.

We managed our ThreatWall through a Web-based interface that, unfortunately, does not tie into any enterprise management tools. In addition to common monitoring and reporting capabilities, the ThreatWall generates a map showing where attacks against your network are originating and illustrating threat levels being seen around the world (see image at right). This doesn't add to the product's manageability, but it is an interesting visual element.

The ThreatWall 450 costs $3,299 plus $999 for a one-year subscription. Spam filtering requires an additional subscription, which starts at $899 for one year.

Ryan Elstad is a system administrator at Syracuse University's Martin J. Whitman School of Management. Write to him at [email protected].

0