Independent Evaluations of Networking Products and Tools

NETWORK TESTING LABS REVIEW

McAfee Secure Internet Gateway Plus SiteAdvisor, Barracuda Web Filter, Surf Control Web Defense and Websense Enterprise

A categorical look at gateway-architecture anti-malware products.

By Barry Nance
Discussion

The flood of malware on the Internet is threatening to overwhelm us. Spam, spyware, viruses, trojans, rootkits, phishing attempts and other malware are stealing our credit card data and passwords, throwing up unwanted and inappropriate advertisements on our screens, slowing our computers to a crawl, deleting or modifying our files, tracking our keystrokes, broadcasting e-mail to all the people in our address books, scamming us out of our money and allowing hackers to remotely control our computers.

Malware, in the form of spyware, trojans, rootkits, adware, worms and viruses, insinuates itself into the Windows operating environment. Because most people log into Windows with administrator accounts, these programs commonly run with administrator privilege. The unwanted software can thus fully control any aspect of the PC that the malware programmer wishes. With free rein over a PC’s files and programs, including Windows operating system files, a malware instance can configure a computer to run the malware perpetually and thwart attempts to remove it (i.e., a rootkit). The malware thus becomes part of Windows itself.

Network administrators spend inordinate amounts of time cleaning up after malware, and the costs of stolen corporate data and lost productivity are staggering. The best place to stop malware is directly at the connection to the Internet. An Internet gateway that keeps malware off the network in the first place is far more effective and less expensive than the after-the-fact cleaning of individual server and desktop computers.

To help you decide which anti-malware tool you should use on your network, we tested McAfee’s Secure Internet Gateway model 3300 appliance (which includes McAfee’s SiteAdvisor), Barracuda Networks’ Web Filter model 310 appliance, Surf Control’s WebDefense and Websense Enterprise (which includes Websense Security Filtering) in our Alabama lab.

The most important criterion in our evaluation was the ability to identify and thwart virtually all malware. We also looked for useful reports, timely alerts, ease of use and ease of deployment. We found that McAfee Secure Internet Gateway exhibited great accuracy, quick performance and ease of use. Its SiteAdvisor module did an excellent job of categorizing Web sites. Secure Internet Gateway kept virtually all malware from penetrating our network, and its effect on the responsiveness of our clients’ Internet experience was negligible. The Secure Internet Gateway wins the Network Testing Labs World Class award for gateway-based Internet security and categorization.
An Intelligent Approach to Malware

McAfee Secure Internet Gateway with SiteAdvisor is an integrated answer to both Web-based and e-mail-based malware. In our tests, the appliance turned aside 99% of the malware we threw at it (see Table 1). Impressively, Secure Internet Gateway’s Web site classification (determined by SiteAdvisor) kept nearly all malware-associated Web sites at bay (see Table 2). The device works with such alacrity that client responsiveness was virtually unaffected: our users were unaware the Secure Internet Gateway was filtering Web and e-mail traffic (see Table 3).
Table 1. Ability to block malware.
For HTTP, FTP and SMTP/POP3 Internet traffic, Secure Internet Gateway looks for spyware and viruses by performing a deep, thorough inspection of executable files as they pass through the appliance. To keep users from inadvertently accessing malware-related Web sites, it also detects malware URLs and IP addresses. For SMTP and POP3 traffic, the device identifies and blocks viruses, spam and phishing attempts. This deep content inspection approach protects against malware encountered from “friendly” URLs, such as webmail downloads. The SiteAdvisor component knows which Web sites produce excessive pop-ups, engage in fraudulent practices, contain browser exploits and will target your e-mail address with spam. SiteAdvisor’s database is the result of automatically visiting virtually all Web sites on the Internet and testing each one for malware behavior. In addition to its programmatic evaluation of the Internet, SiteAdvisor uses feedback from customers to characterize Web sites. The model 3300 Secure Internet Gateway appliance we tested was a Dell PowerEdge server model running McAfee’s comprehensive anti-malware modules.
Table 2. Ability to categorize malware Web sites.
Websense Enterprise and its Security Filtering module also thwarted nearly all the malware in our test suite, and, when installed on an especially fast HP Compaq ProLiant server, with nearly the speed of Secure Internet Gateway. Security Filtering’s malware categories include malicious Web sites, spyware, phishing and other frauds, potentially unwanted software, bot networks and keyloggers.

Websense Enterprise flexibly gave us the choice of blocking, allowing, warning, imposing a quota, throttling bandwidth usage and refusing file types to manage our users’ Web access. Websense Enterprise can run pre-defined and custom reports at pre-set intervals or on request. It e-mails reports to appropriate people and can export its security reports in a variety of formats. Websense Enterprise runs on Windows Server 2000, 2003, Red Hat Linux and Solaris.

Surf Control’s WebDefense, with its Access Manager and Threat Manager modules, didn’t fare as well in dealing with malware or categorizing Web sites. Like Secure Internet Gateway with SiteAdvisor, WebDefense’s list of threats is based on an automated examination of Web sites. In addition to its Web filtering, WebDefense guards against viruses, phishing attempts, worms, trojans and other malware. The vendor says a separate module, MailControl, can stop e-mail-borne attacks. The Access Manager module acts to limit employees’ browsing of recreational or illegal content. Threat Manager, on the other hand, tries to filter malware so that it doesn’t reach your users.

The Barracuda Web Filter 310 fared worst of all in our tests. We note that Barracuda suggests using the Web Filter 310 to handle up to 300 connections per second for best performance. Web Filter can block access to Web sites based on domain, URL pattern or content category, block downloads based on file type and block applications that access the Internet.
Table 3. Latency (performance) results.
Ease of Use

McAfee’s central console for administering Secure Internet Gateway devices is ePolicy Orchestrator (ePO). This central console greatly increases the scalability of McAfee’s gateway devices because of its span of control, and it consolidates policy management and reporting. ePO gives enterprises a single, central key for controlling, managing and reporting on malware, whether Web-based or e-mail-based. ePO’s tab-folder metaphor is instantly and clearly intuitive, and ePO includes over 60 predefined reports. Deploying Secure Internet Gateway is no more complicated than assigning it an IP address. The documentation is clear, comprehensive and easy to follow.

Conclusion

McAfee Secure Internet Gateway appliances are high performance, scalable, robust, reliable and intuitive to use. They’re highly effective roadblocks against malware of all types.
Testbed and Methodology

We primarily looked for the ability to identify and block malware (such as viruses, spam, phishing attempts, keystroke loggers, browser hijackers, adware, rootkits, dialers, data miners and Trojans). We wanted a product to prevent malware from sending data from our network (i.e., “phoning home”), identify already-infected clients, scan traffic quickly, receive frequent spyware definition updates and produce helpful reports on infection attempts and traffic statistics.

We collected a suite of 200 malware samples, and we moved the collected material to an isolated, quarantined network. We thus were able to simulate the Internet within our lab. The quarantined network consisted of three subnets. Subnet 1 had 25 client machines with a variety of operating systems, including Windows NT, 98, 2000, 2003, ME, XP, Vista, Red Hat Linux and Macintosh OS X. Subnet 2 contained three Web servers (Microsoft IIS, Netscape Enterprise Server and Apache), three e-mail servers (Exchange, Notes and Sendmail), two file servers (Windows 2003 Advanced Server and Netware) and two database servers (Oracle 8i and Microsoft SQL Server). Subnet 3, simulating the “Internet,” had Web servers containing the malware instances and which sported “bad guy” IP addresses and URLs. Systems on the first two subnets accessed the third subnet as if it were the real Internet.
To measure performance, we used two time-synchronized protocol analyzers on the Internet and local network sides of the gateway device and examined the resulting packet captures to determine the time taken by a device to forward or discard each network message. Client and server machines started off in a pristine state for each test. Our clients and servers attempted to download malware from the simulated "Internet." We noted how well the products identified malware traffic and blocked attempts by the malware to send data back to the source. We gauged success or failure by examining each machine for malware after each test. We looked for running malware processes, new program files (EXE, DLL or OCX, possibly marked with the “Hidden” attribute) and directories as well as Registry and Start Menu changes.
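The latency measurement described above, pairing each packet seen by the analyzer on the Internet side of the gateway with the same packet seen by the analyzer on the local-network side, can be reduced to a small script once both captures have been exported. The following is an added example written for this page; it is not the lab's own tooling. It assumes the two analyzers are time-synchronized (as the review states), that the gateway does not rewrite addresses (so a packet can be matched on source, destination and TCP sequence number), and it uses constructed capture records with documentation addresses rather than real captures. A packet that enters the gateway and never emerges on the far side is reported as discarded, which is the signature of a blocked download in this testbed.

```python
from statistics import median

# Constructed sample records (not real captures). Each record is one packet
# as exported from an analyzer: capture timestamp in seconds, IPv4 source,
# IPv4 destination and TCP sequence number. 203.0.113.0/24 stands in for
# the "bad guy" Internet subnet; 10.1.1.0/24 is the client subnet.
INTERNET_SIDE = [
    {"t": 10.000, "src": "203.0.113.5", "dst": "10.1.1.20", "seq": 1000},
    {"t": 10.010, "src": "203.0.113.5", "dst": "10.1.1.20", "seq": 2460},
    {"t": 10.020, "src": "203.0.113.9", "dst": "10.1.1.21", "seq": 500},
    {"t": 10.030, "src": "203.0.113.5", "dst": "10.1.1.20", "seq": 3920},
]
LAN_SIDE = [
    {"t": 10.0012, "src": "203.0.113.5", "dst": "10.1.1.20", "seq": 1000},
    {"t": 10.0115, "src": "203.0.113.5", "dst": "10.1.1.20", "seq": 2460},
    # seq 500 from 203.0.113.9 never appears here: the gateway discarded it.
    {"t": 10.0330, "src": "203.0.113.5", "dst": "10.1.1.20", "seq": 3920},
]


def packet_key(rec):
    """Identity of a packet across both capture points.

    Assumes no NAT on the gateway. If addresses are rewritten, key on a
    hash of the TCP payload instead.
    """
    return (rec["src"], rec["dst"], rec["seq"])


def match_captures(ingress, egress):
    """Pair packets entering the gateway with the same packets leaving it.

    Returns (latencies, discarded): latencies maps packet key -> seconds
    between the two sightings; discarded lists keys seen on the ingress
    side that never reached the egress side.
    """
    egress_times = {packet_key(r): r["t"] for r in egress}
    latencies = {}
    discarded = []
    for rec in ingress:
        key = packet_key(rec)
        if key in egress_times:
            latencies[key] = egress_times[key] - rec["t"]
        else:
            discarded.append(key)
    return latencies, discarded


def summarize(latencies):
    """Forwarding delay statistics in milliseconds for the matched packets."""
    values = sorted(latencies.values())
    return {
        "forwarded": len(values),
        "median_ms": median(values) * 1000.0,
        "max_ms": values[-1] * 1000.0,
    }


def over_budget(latencies, budget_ms):
    """Keys of packets whose forwarding delay exceeded the allowed budget.

    A non-empty result is the objective counterpart of users noticing that
    the gateway is 'in the way'.
    """
    return [k for k, v in latencies.items() if v * 1000.0 > budget_ms]


if __name__ == "__main__":
    lat, dropped = match_captures(INTERNET_SIDE, LAN_SIDE)
    print("summary:", summarize(lat))
    print("discarded by gateway:", dropped)
    print("over 2 ms budget:", over_budget(lat, 2.0))
```

The same function run with the argument order reversed (LAN side as ingress, Internet side as egress) measures the outbound direction, which is how attempts by installed malware to "phone home" show up as discarded packets rather than as forwarded ones.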
Security Report Card
Grade scale is A through F, with F = Failing and A = Perfect