Fortifying network armor

For the first line of defense against viruses and break-in attempts, every agency counts on antivirus software, firewalls and, if it's lucky, an intrusion-detection engine. Unfortunately for the information technology professional, this means managing and monitoring disparate pieces of equipment, applications and logs.

For starters, antivirus software must be constantly updated with the latest virus definitions to ensure that malicious e-mail messages and files are kept at bay. Chinks in front-line armor can and will be exploited, so rules and filters for firewalls and intrusion-detection systems must be tweaked and their logs monitored.

What if this burden could be eased without compromising the agency's security? Symantec Corp. may have the answer with its Client Security product. Reasonably priced for stand-alone use or as an upgrade to existing Symantec antivirus deployments, Client Security integrates the company's solid antivirus engine with a host-based firewall and intrusion-detection engine. To complete the combination, Client Security offers a single management console for deploying, managing and monitoring hosts running Client Security.

Symantec has been known for its solid Norton AntiVirus software for years. The tool's LiveUpdate feature keeps users up-to-date with the latest virus signatures by connecting to an antivirus server within the organization or connecting directly to Symantec's Web site. Client Security takes that solid base for antivirus management a step further by creating a set of servers that manage and monitor Client Security software on each host.

We found it easy to install the client portion of Client Security. During the installation, we had the option of installing it as managed or unmanaged. We wanted to test it as a stand-alone program, so we chose unmanaged. If we had used the included Packager administration tool, we could have customized the client installation on the host computer as visible to the user in the system tray or as an invisible addition to that host computer.

The installation was straightforward, although we were a little disappointed to find that the LiveUpdate operation must be performed separately for the antivirus and firewall modules. It would be helpful to be able to update all modules at once from either the antivirus or firewall/intrusion-detection components.

That said, Symantec's antivirus component doesn't seem to have changed much from previous versions. The firewall/intrusion-detection component offers a solid user interface with an added AlertTracker applet that sits off to the side on the desktop and notifies the user of small events that occur, such as the completion of a LiveUpdate session. When more serious events occur, such as a hacker's scan of the host machine's ports, a screen pops up to notify the user of the event and its severity level.

The client front end consists of three components: Internet Status, Client Firewall and Privacy Control. Internet Status displays current information on attack or penetration attempts pertinent to the user, such as port scans.

The Client Firewall component shows data on recent attack and intrusion attempts, while the Privacy Control portion of the client lists information on Web sites that request or generate cookies on the user's computer.

One component of the client front end that we found interesting and useful is the statistics window, which came up whenever we requested more information on a specific portion of the client. That window, split into seven panes, contains information on the network (including TCP and User Diagram Protocol connections and bytes sent and received), firewall TCP connections, firewall rules (with a list of matched, unmatched and blocked rules), a graph of HTTP bytes and connections in the past 60 seconds, Web graphics and cookies blocked, and inbound and outbound network connections. We found the detailed information on overall intrusion-detection performance a nice touch.

Client Security was easy to modify when it came to default firewall rules and intrusion-detection signatures to watch for. We also liked the fact that the intrusion- detection engine includes AutoBlock. The main focus of such a system is to compare possible attacks against an attack signature database to see if there's a match and then take appropriate action. AutoBlock goes a step further. If it detects an attack from a source previously considered "trusted," it will automatically discard all incoming information from that attacking computer for a set period of time.

We also found it easy to ignore traffic that seemed to be an attack but wasn't, or to exclude computers or networks from monitoring by the intrusion-detection system.

The system also includes a suite of administrative modules, each of which we found to be well-documented and easy to use. The System Center manages groups and policies and locks client settings so users can't change them.

The Packager customizes installation deployments. It has three preconfigured installations: fully managed, lightly managed and not managed. Lightly managed does not include the pieces needed for central management, which you would get with the fully managed installation, but you can deploy policies and update other information needed at the client level.

We liked that we were able to customize the Packager, which allowed us to deploy a client configuration based on our particular needs.

Other tools are the Client Firewall Administrator, the Central Quarantine Server and Console (for the antivirus component of Client Security) and the LiveUpdate administrator.

Unfortunately, we'll have to wait until later in the year for Symantec to add a central information management server, which will consolidate alerts, logs and reports on a single console. Based on what we have seen of that server, we are impressed with its potential capabilities.

Overall, the software worked to our satisfaction, but our testing wasn't without glitches. We had some problems using Client Security on a test machine that was running Microsoft Corp.'s Windows 98. Client Security seemed to cause a stack fault error intermittently when we looked at the intrusion-detection portion of the client.

The problem turned out to be an incompatibility between Client Security and another third-party application installed on the computer.

The Laptop Connection

One of the major problems for security administrators is deploying and managing antivirus, virtual private network and firewall software on laptop computers. Laptops that connect remotely to an enterprise must have a secure VPN connection, as well as reliable antivirus software and a decent firewall for Internet connectivity. Client Security fills the bill for all three of those previously disparate software packages.

Client Security has a number of ways to keep a laptop's antivirus, firewall and intrusion-detection signature files and rules up-to-date. It performs these functions by pulling the latest software from a centrally managed server every time the laptop is connected to the network, or it can pull updates from the server after a specified number of days have elapsed.

Although there are other strong offerings for portable firewall software — Zone Labs Inc.'s ZoneAlarm comes to mind — some of the primary headaches for IT staff members are deploying and managing multiple pieces of software throughout the enterprise, on fixed and mobile devices. Client Security offers a way to diminish the laptop security nightmare so IT staff can focus on other important issues.

The Bottom Line

Overall, Client Security is a solid product. The LiveUpdate model that works well for antivirus software also performs in a broader security product. Our only disappointment was the fact that Symantec hasn't released its central information management server yet.

It would make a great finishing touch to a solid security bundle.

Garza is a freelance author and network security consultant in the Silicon Valley area of California.

***

What's in store

Last week, Symantec Corp. announced plans to enhance its Client Security product by integrating it with its ManHunt intrusion-detection system, recently acquired from Recourse Technologies.

ManHunt is a network-based intrusion-detection solution that flags suspicious events on the network. Specifically, it provides protocol anomaly detection for known and unknown attacks, signature detection with custom signature support, and behavioral anomaly analysis or statistical flow analysis intrusion detection for denial of service attacks, at speeds of up to 2 gigabits/second.

The company also plans to integrate ManHunt and Symantec Host IDS to provide better recognition and response to attacks by correlating intrusion-detection system data from the host and the network. Host IDS 4.0, scheduled for release next month, provides real-time monitoring and detection of and response to security breaches.

Also slated for integration with ManHunt is Gateway Security, which secures the gateway between the Internet and corporate networks or between network segments. It combines firewall, antivirus, Internet content filtering, intrusion detection and virtual private networking technologies in one appliance.