In-Depth

Web Security Roundup

Here are several ways to protect yourself against dangers on the Web.

We're in an era when the concept of Web security seems to be a contradiction of terms. Even the most careful users are in danger of viruses and worms, often spread by e-mail tricks that run malicious code on desktop computers. And there are users who visit inappropriate sites, by intent or by accident, and download content that can make a sailor blush.

Road warriors are a different breed, in more ways than one. Often free of the corporate tether and attaching to the Internet at a variety of different hotels, Wi-Fi hot spots and customer sites, they are exceptionally vulnerable to malware.

How do you protect these people from the dangers in the wild? Even more important, how do you protect the enterprise from the harm that these users' actions can cause? We're well past the time when installing virus protection software on every computer, and requiring regular updates, is sufficient.

Protection Gone Wrong
The implications of a failure to protect Web browsing and e-mail in an enterprise are enormous. The introduction of malware into an enterprise network can result in destroyed work, theft of proprietary information, poor application performance or the disruption of network service. Any of these can cost an organization millions of dollars in loss or downtime -- and that represents only the most obvious of the costs. Non-business Web browsing can have productivity costs on an organization, as workers buy and sell on eBay or hunt for the perfect holiday present on Amazon. Inappropriate browsing and e-mails can hurt morale and leave the business open to lawsuits and government sanctions. These types of costs may be less measurable, but they can be devastating to the long-term health and business prospects of a company.

An organization must set and enforce some level of standards and protection to both safeguard its business and protect owners, shareholders and employees. In many cases, breaches are inadvertent, but that doesn't mean that IT can't help its users fight against the dangers of the Web. With the appropriate tools and guidance from IT, users can utilize both the Web and company e-mail responsibly. Yet too many restrictions, or too draconian an enforcement strategy, can also hurt. Workers won't be able to do their jobs, and work quality can suffer. They'll also be more likely to move on to an organization with more reasonable policies. Because Web and e-mail activities let users accomplish personal tasks at their choosing, reasonable personal usage policies will almost certainly improve morale and productivity.

Flexibility is a key to enabling protection from malware downloads and inappropriate Web pages and e-mail. Software that lets IT administrators define parameters for specific groups of users and place time of day constraints on different types of browsing activity can both serve the needs of the users while also defining standards of behavior. Creating finely tuned restrictions and permissions lets users do their jobs while not seeming heavy-handed.

Several Secure Options
I looked at several products and services that make it possible to provide a much greater level of security from malware and inappropriate content than individual anti-virus installations. I really liked both of the managed services I tested. Performance was not noticeably affected, although you'll certainly take at least a small hit because of the additional proxy.

The traditional installed solutions also worked well. I downloaded sample virus files for testing from www.eicar.org, and found that all of these products and services came within a percent or two of each other in terms of viruses and malware caught (and the range of percentages was in the high 90s).

Based on my testing, I'm convinced that any of these solutions will likely serve the needs of just about any organization. Your own choice will likely depend on your network environment, users' needs and work patterns, and company policies. If you look beyond the brand-name solutions here, you're likely to find a good fit for just about every situation.

SurfControl
REDMOND RATING
Installation 20%
9.0
Features 20%
9.0
Ease of Administration 20%
9.0
Documentation 20%
8.0
Effectiveness 20%
9.0
Overall Rating:
8.8

——————————————
Key:
1: Virtually inoperable or nonexistent
5: Average, performs adequately
10: Exceptional

SurfControl WebDefense and MailControl
SurfControl is a comprehensive managed service that provides enterprises with e-mail and Web surfing security through a proxy that analyzes all incoming traffic for malware and inappropriate content. I had my doubts about the performance of such a solution, but I didn't notice any degradation in Web site access and e-mail was still delivered promptly to several different accounts on my test network.

You set up SurfControl WebDefense and MailControl by visiting the site, enrolling and configuring the proxy to meet your needs. There's also some configuration on your end, to point to the proxy for Web browsing and e-mail. If you already have a proxy, you can just point your proxy to the site's proxy, and you're done. In all, it took me perhaps 15 minutes to set up the service, without assistance or recourse to the documentation. It took another few business hours for SurfControl to accept my configuration and e-mail me back with the proxy information (I registered over the weekend, and didn't get the final information until Monday at noon).

Once you're configured to use the SurfControl proxy, you have a wide variety of other services available. You can select what information you want to be filtered with a fine level of granularity. The Web site has a library of both malware (virus, worms and other malicious files) and content keywords that organizations might want to block. In addition, you can set up your own keywords for blocking.

SurfControl protects both Web browsing and e-mail. For the Web, it doesn't get involved with outgoing requests, but all incoming requests go through its proxy. At that time, it blocks URLs that are on its blocked list. In addition, it looks for keywords on the page being retrieved. In either case, it will block the offending page. In addition, SurfControl can be configured to send a notification to an administrator if one user has more than a specific number of pages blocked.

Figure 2
[Click on image for larger view.]
Figure 1. The SurfControl dashboard provides a comprehensive reporting engine for viewing standard reports or creating your own.

For mail, it scans incoming messages for malware, spam and inappropriate words and language. Once again, you can choose from a cataloged library of terms available on the site, or manually add your own terms. I discovered very few false positives in my quarantine, and only one spurious e-mail got through.

Images are another matter. Apparently, images are being used both on Web sites and in e-mails to contain text. SurfControl attempts to scan images and identify words within those images, but that's not as effective as scanning text (the single spurious e-mail I received was an image with text).

The reports are detailed, and provide the ability to both summarize and drill deeply into specific areas of data. You can look at URLs visited, sites or images blocked, and similar statistics. You can also drill down into specific areas to get more detailed information on smaller subsets of categories. For example, you can check to see how many blocked pages a specific employee has in a given period of time, and determine the URLs of those blocked pages.

I found SurfControl easy to set up and administer for any size network, and highly effective in both Web page filtering and e-mail protection. Other than an unnoticeable performance degradation caused by the need to proxy remotely, I found no downside to the service. Based on my limited testing on a small test network, it appeared to work as advertised and be effective in its tasks.

Security on a Stick

Memory stick, that is. The Yoggie Pico Pro personal security appliance from Yoggie Security Systems ($199) is a complete suite of security products, installed and run from a portable USB flash memory drive. The attraction of this unique approach is that your PC image stays pure (except for a driver), yet you get high performance and portability.

Installation is theoretically an easy process -- insert the USB drive in an open USB port, insert a CD to install the driver, log on to the device, then go to the Yoggie Web site to set up for a license. I had a few problems: First, it shut off my wireless access and wouldn't let me turn it back on initially. Then the Yoggie registration page didn't open for me, and it took me a couple of reboots to get the page to come up and get it registered.

Figure 1
[Click on image for larger view.]
Figure 2. Yoggie Pico Pro provides a dashboard that tells users the security status of their systems at a glance.

Once you're set up, the Yoggie Web page provides a simple but comprehensive interface for setting up and managing security on that system. You choose a security level -- low, medium or high, which represents protection for viruses and other malware -- and also select protection for e-mail. There's no fine-tuning of the security level beyond those three settings. However, those settings worked well for individual use. Over a period of two days, I received no spam on my several e-mail addresses, although I did have several false positives. I tested my virus files and found that they were pretty consistently blocked. And the Yoggie software was unobtrusive in general.

There seems to be really only one downside to Pico. Because it's an attachment to a computer, it can be removed, along with all of the protections it contains. There's a good chance that road warriors will leave it off when they power up, or even lose it entirely. That won't make the system unusable, but it does make it insecure because the security applications are no longer available to guard it. You may not even notice it's not there, because other than a glyph in the Systray, there's no indication that Yoggie is at work.

From an administrative standpoint, the need to install one system at a time is a bit of a disadvantage for a large organization. It may be better in a small business, where there are only a few systems to install and maintain and users tend to be dispersed in different geographic locations. It may also work well for road warriors who plug into a variety of different networks, but don't have the technical background to keep other software or services appropriately proxied.

Overall, I like the concept, and it may have worked a little more smoothly on a system with a clean image. I suspect that most of my problems were due to the fact that this test system (like many computers bought in retail or through small business outlets) already had a fairly comprehensive virus and malware checker installed (McAfee). The documentation warns that such existing software should be disabled first, but McAfee took serious objection to staying disabled through the several reboots. I'd recommend uninstalling any other protection software before installing and configuring the Yoggie Pico. -P.V.

SurfControl also offers both of these services as products for installation on individual computers or on a server for network use, as well as a hardware appliance for a network solution with a single point of administration. I didn't test these, being most interested in the managed services, but I assume that they operate in a similar fashion. I can certainly attest to the ease of use and capability of the managed service option.

ScanSafe
REDMOND RATING
Installation 20%
9.0
Features 20%
7.0
Ease of Administration 20%
9.0
Documentation 20%
8.0
Effectiveness 20%
9.0
Overall Rating:
8.4

——————————————
Key:
1: Virtually inoperable or nonexistent
5: Average, performs adequately
10: Exceptional

ScanSafe
ScanSafe is also a managed service for the protection of enterprise e-mail and Web browsing. While its interface was slightly less intuitive than SurfControl's, it offers a similar feature set along with a robust reporting engine. ScanSafe offers Web malware scanning, Web filtering in general and IM-filtering services (the last of which I didn't test). The company has its own staff of virus and malware detection experts who identify, publicize and design protection against malicious code.

The setup process for ScanSafe is similar to that of the SurfControl managed services. One attractive feature for both is that there's no software installation on the client. You go to the ScanSafe Web site, set up your system and network configuration, and you're almost ready to go. Setting up the services takes only 10 to 15 minutes, and you're done.

ScanSafe is highly customizable, with the ability to finely tune settings both across the organization and to individuals. You can select precisely the type of content you'd like to filter, and it does a good job of catching that content. That's true whether the content is on a Web page or in an e-mail. There's a full library of URLs, words and idioms that you can select to specifically filter.

This type of configuration and administration in general is done through the ScanCenter Portal, which lets administrators review statistics of all Web and IM activity and threats blocked, create access policies and apply them to all or to specific groups, customize browser alert pages viewed by users when Web access to a particular site or file is denied, and configure and schedule automated system auditing and forensic reporting.

The service provides dynamic scanning and filtering, which might seem to slow down browsing but wasn't noticeable to me. Thanks to dynamic scanning, a unique feature of ScanSafe is its ability to identify and mark URLs that appear in search engine pages. Through a combination of its database and by examining the search links prior to display, it will label with a small glyph every link on the search results page before you even click on them. This feature helps prevent users from inadvertently clicking on search page links that contain malware or inappropriate content.

Figure 3
[Click on image for larger view.]
Figure 3. ScanSafe notifies the designated admin if a prohibited Web page is accessed.

Like with SurfControl, reporting is also a strength of ScanSafe's. The ability to create literally dozens of unique reports in response to both day-to-day management and special circumstances is one of the true strengths of a managed security service. ScanSafe keeps detailed Web surfing data on its servers for about a month, and summary data for up to a year. Subscribers can use the stock reports, or create their own reports, such as for an individual user or Web site's set of URLs.

The one disadvantage of ScanSafe that came up in this testing was its lack of e-mail filtering services: You'll have to look elsewhere for e-mail protection. As a Web filter and malware protection solution, though, I found it to be very capable.

Perhaps the most enticing part of using a managed service is that you don't have install updates to account for new threats. That takes protection out of the hands of users and places it with professionals whose job it is to ensure security. Such a solution could also be easily configured for a laptop user who travels frequently. As long as the system IP address is known to ScanSafe, it provides the required protection.

AVG Internet Security
REDMOND RATING
Installation 20%
8.0
Features 20%
9.0
Ease of Administration 20%
9.0
Documentation 20%
7.0
Effectiveness 20%
9.0
Overall Rating:
8.2

——————————————
Key:
1: Virtually inoperable or nonexistent
5: Average, performs adequately
10: Exceptional

AVG Internet Security
AVG Internet Security provides anti-spyware, anti-spam, firewall and anti-malware for a range of environments, from home to enterprise. These are available separately, but I used them together. In addition, AVG lets you set up a schedule of scans and scan different parts of a system configuration.

Installing and setting up AVG was easy. I ran it on a single computer with proxied access to the Internet, rather than setting it up first on a server. This simplified the installation process somewhat, but by all appearances installation should also be largely automatic on a server for a network solution. During installation, the software identified applications that needed to access the Internet, and also the protocols used, so that it could perform its tasks more or less independent of user intervention.

It also updated the software and malware data files upon first use (AVG comes with a two-year subscription built into the normal price). On my test system, the update seemed to stop before completing, but I forced a reboot and everything seemed fine, and subsequent updates performed normally.

Administering AVG was also easy. The default admin console was straightforward and easy to understand. You can display all facets of protection from within the console, and click on the button representing each of these services in order to customize or configure it. By configuring each of the services, you can create a unique system configuration for spam, system scans, updates and spyware.

Figure 4
[Click on image for larger view.]
Figure 4. The AVG Internet Security management console provides an easy-to-understand set of features, with individual buttons to configure those features.

The anti-spam feature provides a host of configuration settings, including blacklists, whitelists and the ability to query RBL servers in order to get up-to-date information on known spammers. You can also set the spam filtering on a sliding scale based on how aggressive you'd like it to be. As you might imagine, a more aggressive setting will catch more spam at the expense of also catching some legitimate e-mail.

Scanning gave me the opportunity to choose between a slower system scan that didn't appreciably slow down the computer, or a faster scan that did. I used the slower scan, which took almost half a day on my test system (over 120,000 files), but didn't prevent me from working on the system during that period.

AVG also provides a Test Manager interface, which allows you to run tests on your system for malware or other security issues. These tests will examine the entire system or specific parts of the configuration, such as the Registry or disk boot sector. You can use predefined tests, or you can design your own. You can also schedule these tests to run at specific times, or on specific days.

In This Roundup
[Click on image for larger view.]

AVG blocked Web content that it was instructed to block, along with e-mails with malicious content or attachments. In addition, it blocked most of my spam using the defaults; I likely could have gotten better performance using some customization on my part, or setting the filter more aggressively.

AVG Internet Security is quite comprehensive, and my test of its features demonstrated that it was competent in its tasks. I liked it better than the brand-name anti-virus I had running on the test system, at least in part because it wasn't constantly trying to get me to upgrade or add chargeable features. However, it also suffered from some of the drawbacks of an installed security product, such as regular warnings about applications accessing the Internet. But anyone seeking a packaged solution for installation on individual computers or network servers should look at AVG.

comments powered by Disqus
Upcoming Events

Redmond Tech Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.