Product Reviews

CyberArmor Builds a System for Personal Firewalls

Central configuration and management options make firewalls an enterprise tool.

Remember when only a few forward-thinking individuals installed virus checkers on their desktop PCs? Now, managed desktop and mail server anti-virus programs are a must. While anti-virus products on every desktop are routine, firewalls are not. Traditional perimeter-based firewalls can do a lot to protect your network from outside attack, but protection is also needed at the individual host. Traveling users with corporate laptops, telecommuters and even computers that never leave the office are all subject to many types of intrusions. Some of the most nefarious attacks come in the form of executable attachments, downloaded files, and unauthorized local host shares and web servers.

But if we have to manage anti-virus products because we can't get users to download simple anti-virus updates, how will they respond to pop-up intrusion detection alerts? You guessed it, they'll call us all in a panic. I shudder to think about that. And how will we handle the flood of calls and potential disasters that turn out to be notifications that the firewall is doing its job?

CyberArmor seeks to provide the answers to these questions. For this review I installed the just-shy-of-release version 2.0 CyberArmor suite in a test network and put it through its paces.

CyberArmor's strength is centralized policy management. This is accomplished by providing not one, but four components (see figure). The CyberArmor client runs on individual PCs. The CyberServer is a database which receives notifications of alarm conditions from the CyberArmor client. Policy Manager ($995 each) is used to create profiles to install on hosts. CyberConsole ($295/seat) can be used to view the database.

To understand CyberArmor you must picture the suite components in your network. The CyberArmor client is configured via a profile from the Policy Manager. Once installed on the client system, the profile blocks the activity designed into the policy. Alarms and notifications can be sent to the CyberServer, a database prepared just for them. You use the CyberConsole to view the activity in the database.

The key to making this product work in your environment is your understanding of the policies. Sample policies are included, as are instructions for writing rules. Many rules vary little from basic packet filters; others allow blocking of types of files, specific files, or merely require logging of the suspicious activity you identify. You use Policy Manager to view example rules and policies, and to create your own. Completed policies and basic configuration information are then built into profiles. These profiles become the CyberArmor client when installed on a host system. Profiles can be installed on clients from a network share, or placed on a floppy disk and installed locally. The profile's configuration is password protected. The typical user, of course, should not be adjusting the policy, or stopping its use. Fortunately, changes to policy rules cannot be made from the client system. You can create multiple profiles, each one appropriate for a different group of users.

Once installed, policies can be automatically updated by simply placing new configuration files in the preconfigured web server download area. You can choose whether to auto-download or prompt the user during profile creation. To prevent successful spoofing of a new profile, the downloadable new profile file can be signed. An unsigned or incorrectly signed profile will then be rejected by the client.
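The client-side check described above, sketched as an added Go example (not CyberArmor's code). The review does not name the product's signature scheme, so Ed25519, the `Update` layout, the sample profile text and every function name here are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
)

// Update is a downloaded profile plus detached signature (hypothetical layout).
type Update struct {
	Profile []byte
	SigB64  string // empty when the file is unsigned
}

var ErrUnsigned = errors.New("profile rejected: no signature")
var ErrBadSig = errors.New("profile rejected: signature does not verify")

// AcceptProfile returns the profile only if its signature verifies under the
// administrator public key pinned in the client at install time; it fails closed.
func AcceptProfile(pinned ed25519.PublicKey, u Update) ([]byte, error) {
	if u.SigB64 == "" {
		return nil, ErrUnsigned
	}
	sig, err := base64.StdEncoding.DecodeString(u.SigB64)
	if err != nil || len(sig) != ed25519.SignatureSize || !ed25519.Verify(pinned, u.Profile, sig) {
		return nil, ErrBadSig
	}
	return u.Profile, nil
}

// SignProfile is the administrator side: sign the profile before publishing it.
func SignProfile(priv ed25519.PrivateKey, profile []byte) Update {
	return Update{Profile: profile, SigB64: base64.StdEncoding.EncodeToString(ed25519.Sign(priv, profile))}
}

// Demo runs four constructed cases and returns the client's verdict for each.
func Demo() (valid, unsigned, tampered, foreign error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // administrator key pair (nil = crypto/rand)
	_, rogue, _ := ed25519.GenerateKey(nil)  // a key the client does not trust
	profile := []byte("rule=block-inbound tcp/139\n") // constructed sample content
	good := SignProfile(priv, profile)
	_, valid = AcceptProfile(pub, good)
	_, unsigned = AcceptProfile(pub, Update{Profile: profile})
	_, tampered = AcceptProfile(pub, Update{Profile: []byte("rule=allow-all\n"), SigB64: good.SigB64})
	_, foreign = AcceptProfile(pub, SignProfile(rogue, profile))
	return
}

func main() { fmt.Println(Demo()) }
```

Because the client holds only the public key, someone who can write to the web server download area still cannot produce a profile the client will accept.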

If you have few users and do not wish to log alarms and notifications to a central database, your installation of the suite stops here. However, though notifications and alarms can be logged in a local file, and alarms create event log entries, it might be difficult to manage any large number of users this way. CyberServer, which installs an Access database for its use (but can be configured to use your Oracle database server), eases the task. You can install the CyberConsole on the same system as the CyberServer to see data in broad views, or filtered by user, group, or information type. Client installation information is also recorded in the database.

My examination of CyberArmor was basic but showed me enough that I will want to look at it in more detail later. I was able to get the suite up and running. I found the process a little rough around the edges, but much of that can be attributed to the difficulties in installing a complete suite of new products under less than ideal circumstances and my early attempt to attack clients from the CyberServer system. Can you guess what happened? My attacks were unsuccessful and provoked CyberArmor to block any access from or to my IP address for a short period of time. Since I had configured frequent updating of the database, the CyberClient's attempts to upload new alarms were blocked - just as they should have been.

About the Author

Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.

