Symantec's blended defense

It's not enough to worry about e-mail viruses anymore. The big threat these days, most agencies have learned, is the blended cyberattack, which combines more than one method of penetrating an organization's defenses.

The Code Red and Nimda worms, for example, spread through organizations quickly because they could travel via both e-mail and Web sites.

Symantec Corp.'s answer to these blended attacks is a blended defense.

The Symantec Gateway Security appliance is a single cyber shield composed of a firewall, antivirus software, Internet content filtering, intrusion detection and a virtual private network. We tested Model 5300, the top-of-the-line of Symantec's three models.

Although several other companies have developed multifunction security systems, Symantec is unique in putting so many security functions into a single hardware appliance.

Tweaking Needed

We were concerned at first about whether a single management interface could handle the appliance's five functions without becoming unwieldy. After connecting the appliance to the network and punching a few buttons on the appliance, we installed the Raptor Management Console (RMC) on a remote Microsoft Corp. Windows 2000 PC. The RMC is a standard plug-in for the Microsoft Management Console.

Configuration was easy, with only a couple of hours required to set up basic protection for a network. Nonetheless, plan on spending an entire day tweaking all the features. The product is configured with the most secure settings, but most administrators will likely want to loosen a number of settings.

The hardware appliance, a space- efficient rack unit that stands less than 2 inches tall, is basically Sun Microsystems Inc.'s Cobalt RaQ XTR server appliance with a Linux kernel hardened for security and optimized for firewall operations.

Security appliances that run on a full-featured operating system such as Linux are susceptible to all the vulnerabilities of the underlying operating system. We bombarded the Gateway Security appliance with scans and probes for vulnerabilities to see if we could guess the operating system or find a chink in the appliance's armor.

Our chief tools in this blitzkrieg attack were the Security Administrator's Integrated Network Tool, a common Network Mapper utility (www.wwdsi.com/saint), and the Nessus security scanner (www.nessus.com).

We discovered that the Gateway Security appliance is visible via the Internet using any standard port-scan utility, which could make it easier for hackers to exploit any known vulnerabilities in the system.

But since we found no major weaknesses in the appliance, its visibility made no difference. Likewise, we were not able to guess the operating system of the appliance, which is a real plus, because guessing the operating system of any host is the first step in compromising the system.

Still, although the Symantec unit is tough to penetrate from the outside, it has a chink internally. Despite the industry-proven platform, we would have preferred that the appliance have some type of redundancy for its single hard drive, as well as dual power supplies and redundant network connections.

To be fair, though, the appliance has a failover capability that allows it to immediately pass processing to another Gateway Security appliance unit. And it has load-balancing capabilities to take advantage of the capacity of additional appliances.

Symantec also could improve its reporting tools. I would like to see a few more statistical summary reports, such as the amount of traffic to and from specific IP addresses, broken down by date and time of day.

In short, however, Symantec has done a superb job of integrating several top-of-the-line security functions into one easy-to-use package.

Greer and Bishop are network analysts at a large Texas state agency. They can be reached at Earl.Greer@dhs.state.tx.us.