The recent 3.0 release brings together just about every security feature that could be offered via proxy in a straightforward GUI, yet several flaws remain.
Zscaler's self-named cloud security service provides organizations with
security covering integrated Web, instant messaging, peer to peer, Webmail and
SMTP-based e-mail, and it does so without any on-premises hardware or software
installation requirements. Rather, the Zscaler service spreads its proxy and
relay load across the company's 40 data centers and presents administrators
with a rich, flexible, Web-based management interface.
Based on my tests of Zscaler's security services, I'm impressed with its
potential to protect users from HTTP- and SMTP-based threats, which are more
prevalent than ever-particularly due to the increased use of blended malware
threats. (For example, a phishing e-mail drives a user to a site that plants
malware on his PC via a browser exploit.)
The service's policy configuration and reporting options stand out for
their depth, and I expect that the Zscaler service should provide a strong
complement to companies' existing end-point and perimeter security solutions. And,
as a SAAS (software as a service)-based offering, Zscaler provides additional
value by enabling administrators to inspect potentially malicious traffic on
the Web, rather than allowing it to reach their network perimeter, or, perish
the thought, their endpoints.
Zscaler's cloud security services are sold in a number of different
editions, starting from a basic Web filtering edition that's priced at $1.50
per user per month for 100 users, with discounts available at higher volumes.
For more information on the available editions and included functionality,
check out the data sheets at tinyurl.com/23lwjtx.
Zscaler in the Lab
As a hosted service, Zscaler is very easy to install. All I really had
to do was change the administrator password, agree to the terms of service and
remember to save my policy changes. I noticed Zscaler guarantees only 99.99
percent uptime monthly, although a representative said "outside of the
regularly scheduled maintenance windows affecting just the admin-console,
Zscaler has delivered 100 percent availability since launching in August 2008."
Zscaler uses bandwidth from multiple carriers and maintains dedicated
space in multiple data centers operated by different providers. There's a
little more work required to integrate with a directory service or import
users. Plus, browsers need to be configured to use the Zscaler service as a
proxy; firewalls also need to be reconfigured to allow only Web traffic to and
from the Zscaler proxy.
The admin interface launches with a clean, easy-to-read dashboard with
prominent, context-sensitive options for Logout, Support, Getting Started, Help
and Concept. Concept (and the little icons that the company tells me are light
bulbs) is interesting and brings up a Flash demo that shares somewhat helpful
information that was obviously developed by someone on the marketing, rather
than technical, staff.
Help opens in a new window and is pretty useful except that it lacks an
index or search capacity. Clicking Support took me to a page where I could
submit a trouble ticket. I clicked Getting Started, and a new window popped up
that listed configuration steps and provided links to walk through them rapidly.
I easily uploaded the eWEEK logo and customized end-user notification messages
for when sites or files would be blocked.
The default security policy configuration is most likely acceptable for
most organizations. I found it very easy to establish policies for inbound and
outbound traffic inspection, scanning different file types and even
whitelisting sites by URL where all content should be allowed.
Spyware also can be blocked by category. For example, I could allow
password-stealers while blocking all others, although I'm not sure why someone
would do that. Browser control is somewhat interesting. I could easily enforce
policy to block older browsers with known vulnerabilities or simply block a
browser entirely. In my testing, the service blocked about three quarters of
the malware downloads that I attempted over http.
Under Advanced Threats, I found a lot of settings designed to address
today's malware threats. There are settings for blocking botnet traffic to
known command-and-control servers, ActiveX controls, known and suspected
phishing sites, IRC tunneling, anonymizers, Cross-Site Scripting, and also
traffic destined to countries or regions. (It was preconfigured to block China,
and I easily added Russia and Brazil.)
There also are extensive controls for allowing or blocking P2P file
sharing such as BitTorrent and eDonkey, as well as P2P anonymizers such as Tor
and P2P VOIP (voice over IP) such as Skype and Google Talk. For some strange
reason, all this P2P stuff was configured to be allowed by default, but after a
few clicks, I shut it all down. One thing I really liked is a reminder to save
and activate changes: Far too many Web GUIs have allowed me to wander off a
page without saving settings.
It was also very easy for me to set policies to block various content
categories of Websites. It's possible to set different configurations for
different locations, so I could block gambling sites from the office but allow
them to be accessed from outside the office. I could also block or allow access
to various Webmail sites. The same goes for streaming media sites and social
networks and blogs.
Rules can be pretty complex. For example, instead of simply blocking
Twitter, I could configure Zscaler to allow reading but not posting. However,
content filtering worked about as well as it does with most of the other
products in this category, meaning that the same weaknesses regarding identification
of sites and correctly categorizing them by content and not by URL are present.
For instance, blogs hosting image thumbnails of pornography are not correctly
classified as pornography.