Anti-malware Technology Report
West Coast Labs, February 2011
The evolution of malware, security technologies and services

By Lysa Myers, Director of Research at West Coast Labs. Lysa can be contacted at lmyers@westcoast.com.

There are few who are unaware of the malware landscape changing since the release of the first few viruses decades ago. But it seems there are just as few people outside the computer security industry who understand the nature of that change. No longer is malware as ethereal a threat as an urban legend, and no longer is the virus outbreak of the day making the evening news. Threats now come not by ones and twos but by the many tens of thousands each day, with the known total hovering in the tens of millions. And threats come quietly, remaining as far below the radar as possible to maximize their stay on an affected machine. Corporations are now victims of targeted attacks, as well as the regular masses of malware, and have specific needs for the protection of corporate information assets.

While malware activity has increased, security budgets certainly have not. Many corporate security staff find themselves facing a tidal wave of new threats without extra personnel or resources. They need security software to work faster, harder and require less manual interaction while providing detailed reports as to what actions have been taken. Machines which are infected need to be cleaned completely to get systems back up and running quickly and painlessly. Anti-malware software is only as good as its research and support departments. They are vital in order to have excellent response times to new threats and to provide top-notch customer assistance. As focus in corporate networks shifts away from the desktop into mobile, cloud and virtual computing resources, security software needs to protect these environments too.

The way malware spreads has also changed – there is less concern for infecting oneself with a floppy disk or via poorly worded and spelled mass-mailer viruses. When malware authors discovered there was profit to be had in spreading their malicious wares, they began to take many of the tactics used by Search Engine Optimizers and improved their social engineering craft, placing files where people were most likely to run across them. Consequently, the web is now where the majority of people become infected with malware and, given the extent to which the internet is such an integral part of all corporations' business activities, the web is a potent threat vector. Companies' websites are regularly targeted for defacement or infected to spread malware to the site's visitors.

Given that the internet is operating system agnostic and because current scripting languages allow for queries of the specific browser version of each visitor, malware can be spread in a manner which infects any particular visit. In the last few years, this has been a tactic which has proved increasingly popular with malware authors, increasing their reach as the market share of new technology increases.

Obviously, anti-malware products had to change with the times as the onslaught of malware has increased and the tactics of malware authors have shifted. The first anti-malware products were designed strictly as signature scanners, which only ran when a user specifically initiated a scan. In short order, this was changed to allow the scanner to run continuously in the background so that each file was examined as it was accessed, without users having to think about it. This approach has become more widespread, so that products require little interaction – users can automatically have the most up-to-date protection running at all times.

No longer are anti-malware products simply signature-based scanners. They now include advanced heuristic technologies and generic signatures which can proactively detect new variants of existing families and new malware families. The best products include a variety of security features, such as web or spam filtering, behavioral analysis or a firewall technology which can help protect against brand new threats. With these new, intensive scanning technologies, vendors have come up with many ways to decrease the overall processing load, so that scanning will not noticeably decrease access times or interrupt workflow.

As both the malware landscape and anti-malware products have changed, so has the security testing industry. When products under test were updated periodically, used on-demand scanning and the total known malware was in the thousands, it made sense to have only a single pass or fail test which was performed a few times a year over a static test-bed of samples. This is no longer the reality of the current user experience. While it can be a meaningful baseline test of anti-malware functionality, it is far from a complete picture of overall product performance.

In order to accurately reflect a user's experience with malware, it is important to gather the full spectrum of malware from a variety of sources from throughout the internet, which circulate on various protocols. This means including not just email-based malware, but malicious files on P2P networks, as well as on the web and other attack vectors. Because malware does not stop when the work day ends, nor does it recognize geographic boundaries, threats must be collected all day from around the world.

As anti-malware products have begun to include more wide-ranging technologies, including ones which are initiated upon execution of a file, testing must incorporate dynamic functionality by running threats on test machines. This naturally takes more time than scanning an immobile directory of files, so one must take care to select the most relevant sample set which a customer is most likely to encounter. This takes into account not just prevalence, but the popularity of the attack vector on which it is spread, potential for damage on an infected system, as well as geography.

Malware authors are always abreast of technology trends – where do people share their information, how do people share files? At West Coast Labs, we've already begun to see an increase of attacks on things like digital picture frames, USB thumb drives, mobile phones and on popular Web 2.0 sites. So, suffice to say, if you know a few people who use one or other or all – malware authors are looking to exploit them for financial gain. Likewise, anti-malware vendors are developing technologies to protect them and testers like West Coast Labs are developing methodologies to mirror the user's risk and potential infection experience. In order to keep up to date on the evolving malware landscape, one need only see which new widgets are being used in home and business network environments.

But in the corporate world, keeping updated on the latest threats and technologies is not enough – TCO and ROI need to be considered. How well do advanced technologies proactively detect? How quickly are new threats added? How is customer support response? How easily can the solution be managed remotely? How much CPU time is used for scanning? To find the answers to many of these questions, take a look at product performance data from leading independent test organizations, such as West Coast Labs, and the performance validation programs they deliver – such as Real Time Testing.

You can also take a close look at how individual vendors are responding to the changing threat landscape and the implications for the security of corporate networks. Nowadays, vendors are defining 'protection' differently. No longer is it just product performance-related, but also related to business and customer service issues, delivering a higher value overall service to meet not just security, but also business needs.

When considering product performance in a corporate network environment, 'protection' is more than current malware detection capabilities; it's also about the extent of a vendor's product research and development strategy that anticipates threats and trends to ensure proactive network protection. It can be further defined as the extent to which malware protection is delivered for a multiplatform infrastructure through efficient and easily managed solutions with wide interoperability capabilities. 'Protection' is also about the extent to which business interests are protected through vendor service strategies that now include optimized and cost-effective security plans tailored to individual corporations' needs for maximizing business productivity, lowering the total cost of ownership and maximizing the return on investment. Also, given that corporations are operating in a worldwide 'e-economy', all this needs to be supported by trusted and responsive global support plans.

Yes, the threat landscape is continuing to evolve with new malware threats spawned at an alarming rate, but no longer is malware protection, and information security in general, just a technical issue – it's a business issue. That's why vendors' product and service solutions are evolving to suit these changing needs and West Coast Labs is developing independent product performance programs that ensure that these products and services are tested and validated accordingly.
                                                                                                                                         Technology Report                                                                              Test Networks
                                                                                                                                                                                                                                        and Methodology


Kaspersky Lab Corporate Security Solutions
                                                                                                                                                                                                Kaspersky Security 8.0 update           In a heterogeneous network situation
                                                                                                                                                                                                process                                 it is important to know that a security
                                                                                                                                                                                                                                        solution is both compliant and
                                                                                                                                                                                                                                        compatible.

                                                                                                                                                                                                                                        Throughout the comparative test
DEVELOPER'S STATEMENT                                                                                                                                                                                                                   program for ISA/TMG, Linux, Lotus
Kaspersky Lab has developed highly-effective anti-malware solutions for use in medium
and large-scale corporate networks with complex topologies and heavy loads. Combining
                                                                                          Kaspersky Security 8.0                                                                                                                        Domino and WSEE, WCL utilized
                                                                                                                                                                                                                                        the following network configuration
ease of use with high standards of performance across multiple attack vectors, the        for Microsoft Exchange                                                                                                                        to simulate a corporate network
products are cost-effective solutions which                                                                                                                                                                                             environment:
meet both business and technical needs
                                                                                          Servers (Kaspersky
worldwide.                                                                                Security 8.0)                                                                                                                                 • 64-bit Windows 2008 machine
                                                                                                                                                                                                                                          running as a gateway/DNS server
                                                                                                                                                                                                                                          hosting Forefront TMG/ISA Server
WEST COAST LABS' EXECUTIVE SUMMARY REPORT                                                 Kaspersky Security 8.0 provides anti-          In the ongoing Checkmark Certification       Installation of Kaspersky Anti-Virus 8.0 is       • 32-bit Windows 2003 machine
                                                                                          malware and anti-spam protection for           Static and Real Time tests, like all the     simple, using a standard Windows Installer          running Lotus Domino mail server
The launch of the Kaspersky Lab’s           Details of the specific tests to which the    mail traffic on corporate networks. Its        Kaspersky products, this solution has        and settings imported from TMG during             • 64-bit servers running Linux and
range of anti-malware products for the      products are exposed are published            integration with Exchange allows for           achieved consistently high standards         the install process. The default settings           Windows 2008, both acting as file
corporate network environment provides      elsewhere in this report, but the overall     detection and removal of malware and           of performance. For the comparative          provide fast protection, but a more tailored        servers. While each of the solutions
security managers with an extended          outcome of the certification testing is the   spam at the gateway level.                     performance testing to measure the           installation can be achieved if required.           were tested independently of one
choice of effective solutions for dealing   achievement of the Platinum Product                                                          product’s     detection     capability of                                                        another, results of these tests and
with threats in attack vectors across       Award for these products, which is the        The product is easy to install and its user-   malware known to propagate over              The solution is managed via MMC with an             the observations made point to the
multiple operating systems.                 highest level of independent validation       friendly interface, flexible administration    SMTP, Kaspersky Security 8.0 achieved        additional central monitoring screen and            various Kaspersky Lab solutions
                                            possible for an anti-malware solution from    and      straightforward      configuration    100% detection rate of the 8,042             network policies which can be be added              providing a multi-faceted security
West Coast Labs’ independent testing        West Coast Labs.                              and reporting system does not place            malware samples used in the test. This       to complement those of TMG; making                  framework for a corporate network.
and performance      validation of the                                                    excessive demand upon administrator’s          performance is equivalent to and matches     the whole process of management,
products confirm that they combine          This is complemented by very respectable      time. No extra setup is required on            that of the competitor products included     administration and ongoing use very               Taking a hypothetical network into
ease of use and management with high        malware detection test results which          Exchange and malware protection began          in the test. We also test HTTPS.       n     straightforward.                                  account, as below, one can see how
levels of performance, all of which is      position the performance of Kaspersky         immediately.                                                                                                                                  each of the solutions would interact
driven by Kaspersky Lab’s own research,     Lab products very favorably alongside                                                                                                     Kaspersky        Anti-Virus     8.0    allows     with and secure the network. Anti-
development and customer support            more widely recognized corporate              Management of the solution is simple           Kaspersky Anti-Virus 8.0                     permission or denial of various traffic           malware protection, at the gateway
programs.                                   security solutions.                           as Kaspersky Security 8.0 employs a                                                         types – HTTP, FTP, SMTP and POP3 –                level, is provided by scanning email
                                                                                          Microsoft Management Console (MMC)             for Microsoft ISA Server                     plus the ability to define what, if any, of the   coming into the ‘corporate network’
Kaspersky Lab has made a significant
commitment to the            independent
                                            The specific malware detection capability
                                            testing of both Kaspersky Lab and a
                                                                                          snap-in, providing an intuitive interface
                                                                                          with full access to all features. Database
                                                                                                                                         and Forefront TMG                            protocols should be subject to scanning.
                                                                                                                                                                                      Data on network status – including the
                                                                                                                                                                                                                                        over SMTP with an initial scan by
                                                                                                                                                                                                                                        Kaspersky Anti-Virus 8.0 sitting on the
validation of its products’ efficacy and    number of competitive anti-malware            and signature updates run automatically,       Standard Edition                             protocols which are being blocked,                TMG server. In turn, the email is then
performance through West Coast Labs’        solutions was carried out in September        as often as every two hours, but if required                                                numbers of files scanned, and the number          received by the Exchange or Domino
Checkmark Certification System. This        and October 2010 while the Checkmark          may be run on-demand. Although there           Kaspersky Anti-Virus 8.0 sits on top of      of resulting infections, is readily available.    server and a further scan conducted
provides a range of static, dynamic         Certification testing of its products is      are fewer options available compared to        Microsoft Forefront TMG 2010. While                                                            by the appropriate solution. Should
and real-time tests which make these        performed on an ongoing basis with            other corporate products on the market,        TMG acts as a standalone security            In the performance testing over the HTTP          any user require the downloading of
Kaspersky solutions possibly the most       confirmation of the results available at      it can be argued that all the necessary        solution in its own right, the addition of   and FTP attack vectors, the combination of        email from an external POP3 server, the
intensively tested corporate anti-malware solutions available anywhere in the world today.

www.westcoastlabs.com.

options are available thus leading to a streamlined user experience.

Kaspersky Anti-Virus 8.0 provides a multi-layered security solution.

Kaspersky Anti-Virus 8.0 and TMG provided 99% detection of the range of malware samples which were included in the test.

The Kaspersky for TMG solution scans the traffic as it passes through the gateway. When dealing with any files that are downloaded over HTTP/FTP, they are scanned on the TMG/KAV combined server. Should any network user then attempt to upload any files to either a Windows or Linux based file server, then here the respective Kaspersky Lab solution will provide further defense-in-depth.

Kaspersky Anti-Virus 8.0 for Linux File Server

Kaspersky Anti-Virus 8.0 for Linux installs from the command line, using a shell-script installer. Although some degree of familiarity with Linux is required, even junior network administrators with a basic understanding of Linux should be comfortable with the process.

Managed via a web-based GUI running on a non-standard port, Kaspersky Anti-Virus 8.0 is configured from the GUI. No secondary interfaces or files need to be changed and updates are either scheduled or run on-demand.

For security admin staff who may be familiar with a file-server anti-malware product, the make-up of the interface is very familiar – it is both clear and intuitive.

On-Access and On-Demand protection are available as standard. Administrators can browse the Quarantine folder from within the product interface to review any malware logged and thus decide what actions to take.

Given the complexities involved with porting anti-malware solutions to Linux, it is not always possible to ensure consistency of performance. However, Kaspersky Anti-Virus 8.0 sets itself apart in this regard. It is well implemented, as demonstrated in the comparative performance tests where it led with a 99.95% detection rate on the 25,640 malware samples tested, compared to an average performance rate of 99.52% for five other leading corporate solutions.

Kaspersky Anti-Virus 8.0 for Lotus Domino

Anyone familiar with Lotus Domino will find the installation straightforward. It is performed using a Lotus .nsf database file which is opened through Lotus Notes to run. Administrators can set various actions to be performed when malware is detected; however, they will need to be familiar with Lotus in order to get the best out of the solution when rolling Kaspersky Anti-Virus 8.0 out to a Domino server.

Delete or quarantine actions are easily defined for detected malware and for deleting infected attachments. Unlike some of the other vendor products included in the comparative performance review, Kaspersky Anti-Virus 8.0 does not need the installation of a desktop anti-malware product to be able to use the desktop product's scanning engine signature files.

In the comparative testing against five other leading corporate solutions, the test methodology employed sender machines running a Linux distribution. Scripts developed by WCL were used to send the emails that contained infected attachments over a live internet connection. Emails were sent to servers running Lotus Domino 8.5 on Windows 2003 that each picked up emails for a FQDN owned and controlled by WCL. Client machines running Lotus Notes 8.5 were used to pick up the messages from the Domino servers and analyze the attachments to aid calculation of the overall detection rate, which for Kaspersky Anti-Virus 8.0 was of a particularly high standard and mirrored that of the competitor products included in the test program.

All solutions attained a 100% detection rate during the test period.

Kaspersky Anti-Virus 8.0 for Windows Servers Enterprise Edition

Kaspersky Anti-Virus 8.0 for WSEE uses the standard Windows Installer interface. Two installations are required, one for the administration tools and one for the solution itself. However, importing an existing configuration file to keep existing settings is possible when upgrading a previous version. Installation is quick and trouble-free.

Managed through an MMC snap-in, the product allows product updates to be rolled back if needed. It provides a quarantine area and a backup facility just in case the administrator deletes a file that needs to be restored. The interface, as a whole, provides a rapid means of implementing malware security policies on the solution.

All of the available features are easy to locate without the need for drilling down through multiple options screens or hunting for a required setting.

On-Demand scans can be set to a pre-defined security level or customized to meet the demands of the organization. Similarly, On-Access protection can be set with a preference for either high speed scans or high protection levels.

Throughout the comparative test program, WCL found the scans ran quickly, with an overall detection rate for Kaspersky Anti-Virus 8.0 of 99.68% compared to an average performance of 99.51% for the other five security solutions included.

[Figure: Application interface of KAV for ISA]

[Figure: KAV 8.0 for Linux File Server interface]

[Figure: Update process on Kaspersky Anti-Virus WSEE]

[Figure: Licensing process on Kaspersky Anti-Virus for Lotus]

WEST COAST LABS VERDICT

Combining ease of use with high levels of performance, the Kaspersky Lab solutions under test have delivered comparable and at times better detection rates to equivalent products. With a consistent level of anti-malware protection across the network topology, users of the Kaspersky Lab products featured in this report can be confident that they are all rigorously tested through the Checkmark Certification and the Real Time testing.

Threat Manager r12
CA

Product: Threat Manager r12
Manufacturer: CA
Contact Details: www.ca.com
Certification: www.westcoastlabs.com

DEVELOPER'S STATEMENT
Threat Manager combines a full-featured network anti-virus solution with policy-driven endpoint access control to protect networks from malicious software and unauthorized access.

CA Threat Manager is specifically recommended for small to medium sized business models and is designed essentially to protect client machines residing on a corporate network. With its anti-malware protection, CA Threat Manager will provide an important and much needed extra layer of security your business deserves.

The CA Threat Manager can be installed and managed via a central server, giving the administrator more time to concentrate on other tasks on the IT infrastructure.

CA Threat Manager is a server-client solution and the installation can be managed via a separate executable installation. Alternatively, CA Threat Manager can be installed from a central server and, as it is extremely straightforward and well documented, which is always an added benefit, the process can be accomplished with relative ease.

This installation can be automated from a network-wide roll out and though the default options suffice there is some flexibility in the install options available. With a good variety of installation methods available and wide ranging system support, there are practically no pre-requisites needed other than those already found on a standard client machine, for instance SP2 on XP Professional. CA Threat Manager can also be configured to automatically deploy to any systems joining the network for the first time, for instance via DHCP; this also saves valuable administration time and resources, easing the burden on any overstretched IT department.

The client is locally managed from either an intuitive GUI interface or from a central server, depending on the individual administrator's preference, and the security policies are created and deployed from the Threat Manager server. There is also an update option, which enables the administrator to either run updates on-demand or decide to schedule them to suit.

Settings and options are available on the central server and if you are looking for a solution that provides a ‘good-fit’ with any existing network architecture, then CA Threat Manager can provide this.

The test engineer recommends that for a uniform security policy set across the network, CA Threat Manager is best managed from the server; however it can be accomplished via the client, making it pretty flexible.

With CA Threat Manager there is further flexibility with On-Access scanning that can be scheduled to suit the needs of the network or permanently activated/deactivated. Also, On-Demand scans can be launched locally or via the central server. CA Threat Manager additionally provides real-time reports, giving users at-a-glance updates of the current network state while also offering all the options you would expect from this type of solution.

WEST COAST LABS VERDICT
CA Threat Manager offers a variety of deployment models and offers endpoint protection against malware. The central management console offers flexibility combined with good reporting overall and allows for the overview of endpoints on a corporate network of small to medium size.

TrustPort AV
TrustPort

Product: TrustPort AV
Manufacturer: TrustPort
Contact Details: www.trustport.com
Certification: www.westcoastlabs.com

DEVELOPER'S STATEMENT
TrustPort AV detects viruses and spyware at all entry points to the computer and prevents attempts by hackers to access the computer. It enables not only the continuous monitoring of files being opened, but at the same time also scans files from incoming electronic mail or downloaded from the web.

This particular security solution is designed for home users and could also provide an invaluable layer of security for home workers or the self-employed. With its low system requirements, TrustPort is an ideal solution for providing malware protection for local files, web downloads and email, and also offers firewall protection along with a URL filter. TrustPort is installed and managed directly on the client as it is purely a client-side-only solution, making it user friendly for the less well initiated.

Users can purchase and install TrustPort from a separate executable that is downloaded from the TrustPort website, with the license provided at the point of sale, making it extremely accessible. We all know the importance of ease of use with single-user client-based products and TrustPort doesn’t disappoint, with a quick and painless installation that is easy to follow.

The available options contain good descriptions and there is also some flexibility in the installation options available to the user; however, if you are happy not to tinker, all of the default options happily suffice. TrustPort supports all the usual Windows client platforms and the West Coast Labs (WCL) engineer stated that this traditional client-side installation manages everything with minimal fuss.

The client is managed via a local GUI interface, with the updates capable of the usual scheduling as required, or if preferred they can be run on-demand. TrustPort also allows various actions to be configured for detected malware samples. WCL noted that the product management is in keeping with other products traditionally found in this category; however, it should be noted that what it actually does, it does very well.

TrustPort is a security ‘bundle’ providing anti-malware protection for local files, email, and web. It also includes URL blocking and a firewall, enabling control of what can be viewed on the client.

The URL filter contains a variety of site classifications, such as adult and gambling, to prevent viewing this type of content if required, and this product includes a ‘Portable Antivirus’ solution that allows a version of the TrustPort AV solution to be deployed to a USB stick, thus protecting any files you wish to transport; excellent for those on the move.

Observations from the WCL engineers include comments on TrustPort being a really good all-round package with the ‘Portable Antivirus’ helping it stand out in an already crowded market.

This type of capability is important for anyone relying on technology when on the move, and should not be underestimated as it will protect their credibility and keep their security in one piece when it could otherwise be compromised.

WEST COAST LABS VERDICT
TrustPort AV is aimed at home users, but can equally offer protection for SOHO workers. Including anti-malware protection in the suite of protection that it offers, the solution is well documented and is easy to configure for flexible protection levels dependent upon the requirements of the individual user.

IMSVA v5.1
Trend Micro

Product: IMSVA v5.1
Manufacturer: Trend Micro
Contact Details: www.trendmicro.com
Certification: www.westcoastlabs.com, http://www.cctmark.gov.uk/

DEVELOPER'S STATEMENT
Trend Micro InterScan Messaging Security Virtual Appliance is a hybrid SaaS email security solution that integrates an on-premise virtual appliance with in-the-cloud SaaS email security.

IMSVA is designed specifically for enterprise size business models. It provides traditional malware protection, but it does not stop there, with the addition of extended technologies such as firewall, web threats and POP3 scanning.

IMSVA ensures a cloak of security for any credible business looking to secure itself from potentially damaging security breaches. This also gives the administrator peace of mind in knowing that no glitches will occur in this security as there will not be any issues with compatibility.

The IMSVA solution is initially installed on the server and can then be managed from there; this is prior to rollout to the endpoint clients.

The security policies are also managed on

On the initial configuration of IMSVA, local firewall rules permitting, customization of the solution is carried out via the web-based GUI, which can be accessed anywhere on the network.

The West Coast Labs engineer again commented on the excellent web-based GUI; however, he emphasized that access to the management interface will depend upon existing firewall rules.

Providing full anti-malware capability, as well as providing URL filtering for those URLs found inside emails, IMSVA has the same malware capability as IWSVA while also providing anti-spam support.

Working at the gateway level, IMSVA scans inbound traffic before it reaches the endpoint and blocks any traffic it finds to be malicious, thus protecting the whole enterprise. This ensures nothing is left to chance and end-users are not bogged down with header messages they understand little about or decisions on what is expected of them in respect of malicious and unwanted email.

IWSVA v5.1
Trend Micro

Product: IWSVA v5.1
Manufacturer: Trend Micro
Contact Details: www.trendmicro.com
Certification: www.westcoastlabs.com, http://www.cctmark.gov.uk/

DEVELOPER'S STATEMENT
Trend Micro InterScan Web Security Virtual Appliance is a consolidated web security solution that combines award-winning malware scanning, real-time web reputation, powerful URL filtering, and integrated caching.

As with IMSVA, IWSVA is designed for the enterprise. IWSVA is installed and managed directly on the server with no further client installations necessary. The security policies are also managed on the central server and pushed out to the client machines to allow IWSVA to provide traditional malware protection, as well as incorporating extended technologies such as firewall, web threats and POP3 scanning.

These are all indispensable components of a versatile security solution and the centralization provides the ease of use and flexibility administrators have come to expect, especially useful when running a large network efficiently.

not so experienced, it should still prove easy to use and therefore it does not limit you to a specific member of your IT staff being on hand.

This, as described by the WCL engineer, is again a good user-friendly web-based GUI, but he also observed that access to the management interface will depend upon any existing firewall rules, which is important to remember when setting up IWSVA for the first time.

IWSVA not only provides full anti-malware capability, but also provides URL filtering; it also offers the same malware capability as IMSVA.

Working at the gateway level, IWSVA scans all of your enterprise's inbound traffic before it reaches the endpoint and blocks any traffic it finds suspicious, so that malicious entities are blocked and your systems remain secure. This requires no client-side intervention and is therefore less prone to user error.

West Coast Labs found that during the test
the central server then pushed out to the                                                             The West Coast Labs' engineer also                 Designed      for    VMware       ESX/ESXi    based GUI.                                      this was again a solid, reliable gateway-
client machines, so the administrator does          As our engineer observed during his initial       commented on the product's overall                 servers, this is a virtual machine, with                                                      level defense solution worthy of the job
not have to configure each individual client        encounter with it, the IMSVA setup and            ability as a solid, reliable gateway-level         the virtual images being placed on the        With the ability of accessing it anywhere on    in hand. So overall, IWSVA offers a well-
machine, saving time and money.                     configuration is carried out via a web-based      defense. This is an important point, as any        ESX Hypervisor server. IWSVA requires         the network, local firewall rules permitting,   rounded security blanket protecting the
                                                    GUI. Of course, for any administrators            experienced IT manager will tell you, having       some fairly basic setup via a Linux-based     IWSVA customization may be carried out          enterprise at the gateway, which frees up
Designed for VMware ESX/ESXi servers                with experience of Trend's IMSS and IWSS          full confidence in the security product's          command line when you run the virtual         via the web-based GUI once the initial          IT staff to concentrate on other business at
IMSVA is a virtual machine with the images          solutions, utilizing a web GUI will already be    capability along with ease of use goes a long      machine for the first time, but again,        configuration has been accomplished.            hand.
being loaded into the ESX Hypervisor server.        familiar to them, and for those with limited      way when you have a large network to run.          this is an uncomplicated process; and
IMSVA does require some basic setup via a           or no such experience, it still offers ease-of-                                                      as you’d expect with a virtual machine-       For any administrators familiar with Trend's
Linux-based command line when running               use.                                                                                                 based technology the product's setup          IMSS and IWSS solutions they will be
the virtual machine for the first time.                                                                                                                  and configuration is carried out via a web-   accustomed to the web GUI, but for those




WEST COAST LABS VERDICT
Trend Micro's IMSVA solution comprises a virtual machine that handles messaging traffic and includes a number of core technologies, such as spam, anti-malware and anti-phishing. These are combined to offer a scalable and flexible solution which can be deployed in a number of network scenarios.

WEST COAST LABS VERDICT
Trend Micro's IWSVA solution offers the ease of virtualization and the flexibility to handle web traffic in a number of types of network. The technologies at work that contribute to the operation of this solution include anti-malware and URL content filtering, and allow for very fine-grained control.




OfficeScan v10.0
Trend Micro

Product: OfficeScan v10.0
Manufacturer: Trend Micro
Contact Details: www.trendmicro.com
Certification: www.westcoastlabs.com, http://www.cctmark.gov.uk/

DEVELOPER'S STATEMENT
Trend Micro OfficeScan is a comprehensive endpoint security and malware protection solution for medium sized businesses and enterprises and is normally used in a client-server configuration.

If you are an administrator running an enterprise and you are charged with finding a suitable security solution, how do you weigh up the protection you require without compromise? With OfficeScan you can protect the enterprise by providing traditional malware protection, incorporating extended technologies – such as firewall, protection from web threats and POP3 scanning – all in one solution.

This must make OfficeScan one such product worthy of noting to IT administrators. OfficeScan is installed and managed on the server, and when ready to deploy it is simply rolled out to your endpoint clients to provide the layer and level of security required. With security policies managed on the central server, the administrator can push them out to the client machines, making it an easy task to accomplish - job done.

Simply put, OfficeScan is a server-client solution: OfficeScan is initially installed on a central server before being sent out to the client machines around the network. Deployment can be carried out either by targeting specific client machines from the server console, by downloading the install package to the client, or by incorporating the solution utilizing Active Directory. The client installation is silent, so neither the administrator nor the end-user has to intervene on the client machine and, as you'd expect, OfficeScan supports all common Windows client platforms, as well as VMware workstations.

During installation, the engineer commented on the various choices and variables available as deployment methods. It was also noted that OfficeScan has pretty low system requirements and that it also offers good support to virtual desktops.

OfficeScan is managed via an MMC-style interface with all common options available, such as scanning actions, schedules and targets, with various security policies being catered for; so in all this is a versatile product. Although there is nothing revolutionary in the way that OfficeScan is managed, it certainly does not detract from the solution in any way. It does however seem to pack a lot into one package.

As its name suggests, OfficeScan provides protection against viruses, trojans, spyware and rootkits, with the further inclusion of firewall, web threat and host-intrusion prevention, so in all this is a fairly comprehensive barrier against potential threats. OfficeScan can also scan inbound POP3 traffic.

This product utilizes the Trend SPN system to provide cloud-based detection of malware.

During WCL's extensive testing, the engineer observed that OfficeScan really did offer a good level of defense, and he also said it was in-depth, with numerous combined security technologies included. That has to put OfficeScan in a strong position, with its comprehensive security, as being a solution worthy of a place in any security-conscious enterprise.

ScanMail for Exchange v10.0
Trend Micro

Product: ScanMail for Exchange v10.0
Manufacturer: Trend Micro
Contact Details: www.trendmicro.com
Certification: www.westcoastlabs.com, http://www.cctmark.gov.uk/

DEVELOPER'S STATEMENT
Trend Micro ScanMail for Microsoft Exchange provides industry-leading scan engines to help stop the widest possible range of threats, while innovative Web Reputation and Email Reputation technologies use a unique cloud-client architecture accessing up-to-the-minute threat intelligence to thwart the latest attacks.

ScanMail for Exchange is designed as an umbrella for email protection, including content filtering, spam, recipient filtering, URL detection (within emails) and phishing, which is specifically produced for enterprises running Exchange servers. ScanMail for Exchange is an obvious choice for securing your incoming content, as the system requirements are relatively low when considering the security this solution provides and the market it's aimed at.

This particular product is installed and managed on the server. While ScanMail for Exchange can be deployed to the Exchange server if necessary, it is also a server-based solution with no client-side aspect.

The installation itself is carried out directly on the server and can be placed on the Exchange server; however, this is not recommended for the larger business model because of the impact on resources, but if so required, the option is there. At the installation stage, a number of possible configurations can be achieved; however, the main installation routine itself is well-documented.

Although some experience with Exchange-based systems will be necessary, this is assumed given the target market. ScanMail for Exchange supports a number of Windows server platforms and Exchange versions, providing support for various network configurations, such as Server 2000/3/8 and Exchange 2003/7/10.

The engineer commented on ScanMail for Exchange's good installation routine, effective deployment and integration options; something to be considered when deciding on time to deploy.

Managed via an MMC-style interface, ScanMail for Exchange offers numerous options for each of the available features, which can be tailored to fit a range of company security policies. Of course, all the usual options are available, such as scanning, schedules and targets. Administrators take note: the engineer says the numerous configuration options are very useful and will help tailor the protection on offer, so you can ensure your systems are protected to the enterprise's requirements.

ScanMail for Exchange also provides protection in an email 'reputation filter'. This allows emails from a list of known 'unwanted senders' to be automatically blocked, saving valuable time and resources. With the ability to scan emails for URLs/links to known-bad or malicious websites and to block any that are found, this increases its effectiveness somewhat.

According to the West Coast Labs engineers, ScanMail for Exchange integrates with Trend Micro's Smart Protection Network (SPN), which adds to the level of protection on offer.




WEST COAST LABS VERDICT
Trend Micro's OfficeScan offers anti-malware technology at its core, with the possibility of central reporting and administration in an enterprise level setting. The deployment and management of remote endpoints is streamlined through the central management GUI, offering an easy way for IT staff to ensure that hosts are protected.

WEST COAST LABS VERDICT
Trend Micro's ScanMail – here considered in the integration with Microsoft Exchange Server – offers gateway protection against email-borne threats. It includes all the components that might be expected, such as anti-spam, anti-malware and phishing protection, administered with ease through a central management console.




SecureWeb
K7 Computing

Product: SecureWeb
Manufacturer: K7 Computing
Contact Details: www.k7computing.com
Certification: www.westcoastlabs.com

DEVELOPER'S STATEMENT
K7 SecureWeb provides end-to-end protection for personal information right from the keyboard to the website and specifically aims to secure online transactions.

SecureWeb is designed to provide end-to-end protection for personal information – such as username, password, and credit card – right from the keyboard to the website, and to secure online financial transactions. In addition to protecting internet users against various threats, such as screen scraping and keylogging, SecureWeb also provides SSL certificate verification and website authentication. And the automatic browser launch is a great feature, as it prompts users whenever they browse to online bank and shopping websites.

SecureWeb was tested using a network consisting of a primary network attached directly to the internet and a secondary, aggressor network. A standard desktop machine was used as the host for SecureWeb, housed on the primary network.

To prevent theft of passwords and bank details, SecureWeb provides an additional layer of security. It does not provide anti-virus or URL filtering; however, what it protects is done extremely well.

To protect against keyloggers, SecureWeb encrypts all keystrokes so that any data that is captured is unintelligible. When dealing with screen grabbers, West Coast Labs found that each screenshot was redacted so that any potential attacker captures a blank screen.

DLL injection can disrupt a security solution and lead to the theft of user data. Attackers will often target the solutions themselves as a first port of call to try to circumvent protection on a local machine, whether this is anti-virus, URL/website filtering or data protection. In order to protect against this, SecureWeb continuously monitors its own processes for signs of malicious behavior.

WCL's engineers attempted to load malicious and harmful DLLs, but were unable to inject malicious code into the SecureWeb address space, and as such all user data remained protected.

SecureWeb also protects against the threat of DNS poisoning, which alters the IP address associated with the URLs for such sites, so that a user is instead directed to a website controlled by the attacker.

To test, a list of well-known e-commerce and financial domain names was added to the hosts file. Each domain was associated with an IP address of various web servers owned and controlled by WCL. However, SecureWeb does not rely on information contained within the system's hosts file. All attempts to redirect SecureWeb to an incorrect web server/web page proved unsuccessful.

Many transaction websites use SSL certificates (HTTPS) for privacy assurance. But attackers will often try to create fraudulent certificates to pass off spoofed versions as legitimate.

SecureWeb provides a means of checking the authenticity of SSL certificates, reporting if they are self-signed and therefore not legitimate. To display this information, SecureWeb employs a SiteBand™ that uses colored warnings to provide an at-a-glance report on whether the site can be trusted or not.

Throughout testing, SecureWeb accurately identified those sites that were using legitimate SSL certificates from those that weren't.

Webroot Web Security Service
Webroot

Product: Webroot® Web Security Service
Manufacturer: Webroot
Contact Details: www.webroot.com
Certification: www.westcoastlabs.com

DEVELOPER'S STATEMENT
With up to 85% of malware now distributed via the web, proactive web security is a necessity. Webroot Web Security Service provides better manageability and better malware protection than on-premise solutions. Organizations can get the most advanced protection against viruses, spyware, phishing and data loss while easily enforcing internet acceptable use policy—all without the hassle of purchasing and managing additional hardware and software.

Webroot Web Security Service is recommended for the larger business and enterprise-sized models and, as its name suggests, is a managed solution; therefore there is no hardware requirement. Webroot Web Security Service (WWSS) provides gateway-level security to protect against web-based threats as a managed service. These threats could include file downloads and URL filtering, which can be a real headache for corporate credibility.

WWSS is managed from a web-based interface, with each client machine being directed to use the proxy address of WWSS. As far as setting up the service, it is an extremely quick and easy affair and requires an administrator providing basic network information to Webroot.

Various settings can be defined by the administrator, such as which URL categories to block and the amount of time each user is permitted to spend online, as well as giving information to the user of their company's individual internet acceptable use policy. The deployment to client machines is also completed quickly and, as already noted, as a managed service the installation is almost non-existent. The West Coast Labs engineer commented that once the account has been finalized with Webroot, end-user machines simply have to be configured to begin using the Webroot service.

As far as the management of the service, this is accomplished remotely by logging into the Webroot management portal, allowing protection and internet use policies to be created and rolled out rapidly. As the service is hosted by Webroot, there is no need for the administrator to run updates for either software or security definitions, making it less time-consuming. As WCL's engineer pointed out, although management is only possible via the web interface, the options available do allow for a tailored approach.

The scanning and features available to the network include provision for URL and content filtering, using preset categories. Vulnerability scanning has also been added to the service; however, this aspect was not tested by WCL. In addition, WWSS also provides anti-phishing protection as well as standard malware scanning. During testing, WCL's observation was that it offered good multilayered protection against a range of web-based threats.

The Checkmark testing WWSS underwent was on the AV Gateway certification and the Real Time system for malicious URLs, and WWSS also passed WCL's Web Threats certification, making it a platinum product.

WWSS promises fast internet browsing with minimal latency, a proactive scan-ahead and safe search facility that color-codes search engine results to allow users to see if the sites are allowed, blocked or could contain malware. There is also real-time reporting and web activity logging; this can be used to view the network or individual users or groups, providing flexible viewing of network activity. Add all that to the rapid deployment of WWSS across your entire network, which requires no software or hardware purchase, and the ability to use preconfigured policy options based on your chosen level of security, and you can see that all in all a managed service could provide a viable alternative to reduce IT resources and offer cost-effective security fast.


WEST COAST LABS VERDICT
K7 SecureWeb is a good example of a solution to a specific problem that fulfills its remit very well. This is not a general use web browser, but in terms of protecting users when entering financial details it has been shown to succeed.

WEST COAST LABS VERDICT
Webroot's Web Security Service offers web threat protection as a managed service and protects against a variety of threats whilst allowing the administrator central control through a web portal. The use of a managed service also means that administrators no longer need concern themselves with remembering updates.




Shell Control Box (SCB)
BalaBit

DEVELOPER'S STATEMENT
The Shell Control Box by BalaBit is an activity monitoring solution for privileged access that controls access to remote servers, virtual desktops, or networking devices, and records the activities of the users accessing these systems.

Product: Shell Control Box (SCB)
Manufacturer: BalaBit
Contact Details: www.balabit.com
Certification: www.westcoastlabs.com

One of the two BalaBit products to be reviewed under West Coast Labs' (WCL) new Performance Validated program is Shell Control Box (SCB). As with syslog-ng Store Box, the SCB test allowed WCL to provide an independent review of the solution.

To test SCB, WCL was provided with an x2200 Sun Microsystems server running SCB. WCL also tested a virtual version of SCB.

Testing of the SCB solution was conducted on a custom-built network at WCL's UK facility. The network itself consisted of a variety of client and server machines running a range of both Windows and Linux-based operating systems.

WCL downloaded SCB from the BalaBit website as a virtual machine, then SCB was imported onto a server running VMPlayer. Before full deployment, SCB requires basic network configuration (host IP address, gateway address, and so on), and the license is imported to SCB at the end of the initial configuration.

SCB is an independent appliance designed to integrate with ease, offering high availability, and is configured via a clean, intuitive web interface. The roles of each SCB administrator are clearly defined using a set of privileges. SCB receives connection attempts for a specific target host, then forwards the connection. The solution enables the creation of rules allowing the administrator to permit or deny connections based on set criteria, and provides for the auditing of network connections. SCB also works in conjunction with BalaBit's Audit Player to allow logged network traffic to be replayed in real time, and supports the following protocols: Secure Shell (SSH), Remote Desktop (RDP), Telnet, and terminal emulators using the standard TN3270, VNC and VMware View. WCL only examined the following during the test period: VNC, RDP, SSH, and Telnet.

The recorded audit trails can be replayed like a movie using the aforementioned Audit Player, enabling a review of events exactly as they occurred. The audit trail is indexed to make searching for events and automatic reporting possible, enabling identification of misconfigurations and other human errors during forensic analysis. SCB works in conjunction with network firewalls and can supplement further security devices, benefiting network and IT security administrators by controlling all remote connections on a given network.

SCB acts as a proxy gateway, and any transferred connections and traffic are inspected on the application level (Layer 7 in the OSI model), giving control over protocol features such as the authentication and encryption methods or permitted channels.

In order to test SCB it was necessary to establish inbound connections over a network to a specific machine. VNC, SSH, RDP and Telnet connections were established; each of the connection types and combinations was tested using access control lists.

These included machines with various access permissions and, once connections had been established, WCL also tested the solution's ability to terminate the connections successfully. WCL then replayed the network traffic logs through the Audit Player for verification.

syslog-ng Store Box (SSB)
BalaBit

DEVELOPER'S STATEMENT
The syslog-ng Store Box (SSB) from BalaBit is a network log server that offers the capability to remotely collect and store logging entries and records from a variety of sources, including syslog and SNMP, and is designed to run alongside other security products.

Product: syslog-ng Store Box
Manufacturer: BalaBit
Contact Details: www.balabit.com
Certification: www.westcoastlabs.com

As part of its Performance Validated testing program, West Coast Labs (WCL) reviewed the syslog-ng Store Box (SSB) solution from BalaBit. The aim of the testing was to provide an independent means of validating the features and capabilities of SSB.

To test SSB, WCL was provided with an x2200 Sun Microsystems server running SSB. WCL tested a virtual version of SSB, deploying the virtual machine SSB image that had been downloaded from the BalaBit website under the VMware Player application.

This deployment of the machine was straightforward, and should prove simple to anyone familiar with networking or virtualization technologies. On first boot, SSB requires some basic network configuration, such as designated IP, gateway and DNS addresses, along with the application of the SSB license key. With this complete, the administrator is free to log in to SSB via a web browser and to begin any required customization of the solution.

The test networks on which SSB was evaluated contained client machines running Windows XP along with AV software, various network security appliances, and a number of routers. Added to this were aspects of WCL's proprietary Real Time system.

SSB's ability to monitor, in real time, the incoming log files and flag any that do not match an expected pattern makes it extremely useful, providing an early indicator of any deviation in network traffic and/or usage. While not a security solution in its own right, SSB can work in conjunction with those security solutions already deployed to a given network and provide a means of monitoring any security events that may occur.

SSB allows the administrator to capture redirected log files from various devices such as routers, security appliances, and various servers. These logs can be either analyzed, using integral tools, or stored for later retrieval. Use of a proprietary encryption algorithm means that only authorized personnel can access information via the SSB interface.

Log files can also be redirected to either a separate analysis device, or to a different log server.

To test SSB's ability to correctly receive log files, traffic from client machines residing on the Real Time system was configured so that logs relating to system restarts, network events and so on were redirected to SSB. Gateway security appliances, one on the Real Time system and one on a separate network, were configured to deliver all logs to SSB. A group of client machines, residing on a separate WCL network, had BalaBit's client software deployed to them in order to capture and forward client logs to SSB.

To validate SSB's ability to manage and secure the log files received by the solution, WCL ran tests to ensure all log files received from the various networks were correctly captured. Searches were run looking for known, specific log events such as machine restarts and network security events. WCL also attempted to open log files locally, without the use of the SSB interface, and found that the controls in place allowed access only via the interface, as expected. Log files were not human readable when accessed directly from the underlying operating system.
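The SCB review describes a proxy gateway that evaluates each inbound connection attempt against administrator-defined rules, forwards or refuses it, records what happened in a searchable audit trail, and lets an administrator terminate an established session. The following is an added example modelling that control flow in Python; it is not BalaBit's code, and the rule fields (source network, target host, protocol, permitted channels), the first-match-wins evaluation with default deny, the audit record layout, and all hosts, users and addresses are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass
class Rule:
    """One permit/deny rule. Field names are assumptions for this example."""
    name: str
    source: str            # CIDR the client must originate from
    target: str            # exact target host, or "*" for any host
    protocols: List[str]   # e.g. ["SSH"], ["RDP"], ["VNC"], ["Telnet"]
    channels: List[str]    # protocol sub-channels the gateway will forward
    action: str            # "permit" or "deny"

    def matches(self, client_ip: str, target_host: str, protocol: str) -> bool:
        return (ip_address(client_ip) in ip_network(self.source)
                and self.target in ("*", target_host)
                and protocol in self.protocols)


@dataclass
class AuditRecord:
    """What the gateway keeps for every attempt, permitted or not."""
    session_id: int
    user: str
    client_ip: str
    target_host: str
    protocol: str
    channel: str
    decision: str          # "permit" or "deny"
    reason: str
    events: List[str] = field(default_factory=list)   # session activity, if permitted


class Gateway:
    """Ordered rules, first match wins, anything unmatched is denied."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.audit: List[AuditRecord] = []
        self.active: Dict[int, AuditRecord] = {}
        self._next_id = 1

    def connect(self, user: str, client_ip: str, target_host: str,
                protocol: str, channel: str) -> AuditRecord:
        decision, reason = "deny", "no matching rule (default deny)"
        for rule in self.rules:
            if rule.matches(client_ip, target_host, protocol):
                if rule.action == "permit" and channel in rule.channels:
                    decision, reason = "permit", f"rule {rule.name}"
                elif rule.action == "permit":
                    # Protocol is allowed but this sub-channel is not (e.g. X11 over SSH).
                    reason = f"channel {channel} not allowed by rule {rule.name}"
                else:
                    reason = f"rule {rule.name}"
                break
        rec = AuditRecord(self._next_id, user, client_ip, target_host,
                          protocol, channel, decision, reason)
        self._next_id += 1
        self.audit.append(rec)
        if decision == "permit":
            self.active[rec.session_id] = rec
        return rec

    def record(self, session_id: int, event: str) -> None:
        """Append an observed event to a live session's audit trail."""
        self.active[session_id].events.append(event)

    def terminate(self, session_id: int) -> bool:
        """Administrator tears down a live session; False if none is active."""
        rec = self.active.pop(session_id, None)
        if rec is None:
            return False
        rec.events.append("terminated by administrator")
        return True

    def search(self, text: str) -> List[AuditRecord]:
        """Indexed search over recorded session events."""
        return [r for r in self.audit if any(text in e for e in r.events)]


def build_demo() -> Gateway:
    """Constructed rule set and connection attempts (sample data, not from the report)."""
    gw = Gateway([
        Rule("admins-ssh", "10.0.1.0/24", "*", ["SSH"], ["shell", "sftp"], "permit"),
        Rule("helpdesk-rdp", "10.0.2.0/24", "srv-win01", ["RDP"], ["desktop"], "permit"),
        Rule("block-telnet", "0.0.0.0/0", "*", ["Telnet"], [], "deny"),
    ])
    gw.connect("alice", "10.0.1.5", "srv-lin01", "SSH", "shell")      # permit
    gw.connect("alice", "10.0.1.5", "srv-lin01", "SSH", "x11")        # deny: channel
    gw.connect("bob", "10.0.2.9", "srv-win01", "RDP", "desktop")      # permit
    gw.connect("bob", "10.0.2.9", "srv-lin01", "RDP", "desktop")      # deny: no rule
    gw.connect("eve", "192.168.5.4", "srv-lin01", "Telnet", "shell")  # deny: explicit
    gw.connect("mallory", "10.0.2.9", "srv-win01", "VNC", "desktop")  # deny: no rule
    gw.record(1, "cmd: sudo systemctl restart sshd")
    gw.terminate(1)
    return gw


if __name__ == "__main__":
    for r in build_demo().audit:
        print(r.session_id, r.user, r.protocol, r.decision, "-", r.reason)
```

The point the review makes, that permit/deny is decided per connection and that every attempt, not only the successful ones, ends up in the audit trail, is what `connect` and `audit` model; `terminate` and `search` stand in for the administrator actions WCL exercised.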




WEST COAST LABS VERDICT
Testing of the SCB virtual machine showed that all connections were received and handled correctly, the administrator was able to terminate established connections and the logged files were 100% accurate. Tests also showed the capability of Audit Player to recreate the data from the session in an accurate movie-like format.

WEST COAST LABS VERDICT
SSB received several thousand logs, all from various sources, and WCL concluded that all log files were received with a 100 percent success rate. All log files that were received were accurately classified and grouped.
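The SSB review turns on three capabilities: accepting syslog from many sources, flagging incoming entries that do not match the expected pattern, and searching the stored entries for known events such as machine restarts and network security events. The following added example, written for this report rather than taken from BalaBit, shows the core of such a collector for BSD-style syslog lines (the `<PRI>timestamp host tag: message` form): lines that parse are classified by facility and severity and stored, lines that do not are set aside as flagged, and known event classes can be searched by host. The sample log lines, hostnames, addresses and the `KNOWN_EVENTS` patterns are constructed for the example.

```python
import re
from collections import Counter
from typing import Any, Dict, List, Optional

# BSD-style syslog line: <PRI>Mmm dd hh:mm:ss host tag[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[A-Za-z0-9_./-]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Known event classes an operator might search for; patterns are constructed examples.
KNOWN_EVENTS = {
    "restart": r"startup finished|system restarted|reboot",
    "auth_failure": r"failed password|authentication failure",
    "fw_drop": r"\bDROP\b",
}


def parse_line(line: str) -> Optional[Dict[str, Any]]:
    """Return a structured record, or None when the line is not valid syslog."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    pri = int(m["pri"])
    if pri > 191:                       # PRI = facility (0..23) * 8 + severity (0..7)
        return None
    return {
        "timestamp": m["ts"], "host": m["host"], "tag": m["tag"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8],
        "msg": m["msg"],
    }


class LogStore:
    """Central collector: parsed records are stored; anything failing the
    expected pattern is kept aside and flagged for the administrator."""

    def __init__(self) -> None:
        self.records: List[Dict[str, Any]] = []
        self.unmatched: List[str] = []

    def ingest(self, line: str) -> bool:
        rec = parse_line(line.rstrip("\r\n"))
        if rec is None:
            self.unmatched.append(line)
            return False
        self.records.append(rec)
        return True

    def search_known(self, event: str, host: Optional[str] = None) -> List[Dict[str, Any]]:
        """Find stored records for a known event class, optionally on one host."""
        pattern = re.compile(KNOWN_EVENTS[event], re.IGNORECASE)
        return [r for r in self.records
                if pattern.search(r["msg"]) and (host is None or r["host"] == host)]

    def count_by(self, key: str) -> Counter:
        """Group stored records by host, facility, severity or tag."""
        return Counter(r[key] for r in self.records)


# Constructed sample traffic: a Linux server, a Windows client, two gateways,
# an XP workstation, plus two lines that should be flagged rather than stored.
SAMPLE_LINES = [
    "<6>Feb 14 09:01:12 srv-lin01 systemd[1]: Startup finished in 4.2s (kernel) + 12.7s (userspace).",
    "<4>Feb 14 09:01:15 gw-rt01 kernel: [FW] DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23",
    "<5>Feb 14 09:02:03 srv-win01 EventLog: 6009 The system restarted after an unclean shutdown",
    "<3>Feb 14 09:02:44 gw-rt02 sshd[2231]: Failed password for invalid user admin from 198.51.100.23 port 4412 ssh2",
    "<13>Feb 14 09:03:10 ws-xp-07 avclient: Definition update completed",
    "garbage line with no syslog header at all",
    "<999>Feb 14 09:04:00 srv-lin01 cron: bad priority value",
]


def ingest_samples() -> LogStore:
    store = LogStore()
    for line in SAMPLE_LINES:
        store.ingest(line)
    return store


if __name__ == "__main__":
    s = ingest_samples()
    print(len(s.records), "stored,", len(s.unmatched), "flagged")
    print("by severity:", dict(s.count_by("severity")))
    for r in s.search_known("restart"):
        print("restart on", r["host"], "-", r["msg"])
```

Keeping the flagged lines rather than discarding them is deliberate: a burst of unparsable input from one host is itself the kind of deviation from expected pattern that the review credits SSB with surfacing early.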


www.westcoastlabs.com

US Headquarters & Test Facility
West Coast Labs
16842 Von Karman Avenue
Suite 125
Irvine CA 92606 U.S.A.

USA:
Email: smarkle@westcoast.com
Telephone: +1 (347) 403 0374
Email: rcarter@westcoast.com
Telephone: +1 (949) 870 3250

European Headquarters & Test Facility
West Coast Labs
Unit 9 Oak Tree Court
Mulberry Drive
Cardiff Gate Business Park
Cardiff CF23 8RS U.K.

UK/Europe:
Email: sstoughton@westcoast.com
Telephone +44 (0) 208 267 8280

Asia Headquarters & Test Facility
West Coast Labs, A2/9 Lower Ground Floor,
Safdarjung Enclave, Main Africa Avenue Road,
New Delhi 110 029, India.
