Integrity Stops Security Leaks

By Timothy Dyck  |  Posted 2002-03-18

Imagine how hard it would be to defend a hockey net if it were moving randomly around the ice surface while slap shots were coming from every direction. That's what it's like trying to secure a corporate network perimeter that includes laptop-equipped mobile workers. Mobile laptops get connected to all kinds of insecure Internet links outside the office (especially by those using home-based connections), then serve as gateways into corporate networks through VPN (virtual private network) connections or just by being plugged back into an office wall jack the next morning.

Zone Labs Inc.'s Zone Labs Integrity 1.0 client firewall and central administration console, which started shipping last month, offers a strong first effort at addressing this problem.

Integrity requires Windows 9x, NT 4.0, 2000 or XP on the client and Windows 2000 Server or NT Server 4.0 on the server. An Oracle Corp. Oracle8 or Microsoft Corp. SQL Server database is also required to store user activity data.

Prices for Integrity start at $80 per user (one server license is free), and volume discounts are available.

In eWeek Labs' tests, we were able to deploy Integrity Agent, a modified version of Zone Labs' client firewall ZoneAlarm Pro, to clients and then administer and monitor these client firewalls from a central console.

Internet Security Systems Inc.'s RealSecure Desktop Protector 3.1's centralized configuration and reporting capabilities are similar to Integrity's, but RealSecure Desktop Protector has a significantly weaker firewall, lacking any outbound network controls at all. The built-in firewall in Windows XP has the same limitation.

In contrast, Integrity initially caught our eye because ZoneAlarm Pro's top-notch firewall has been a favorite at eWeek Labs since it first came out.

Especially impressive is Integrity Agent's (and ZoneAlarm Pro's) ability to control Internet access on a program-by-program basis instead of on a port-by-port basis. (RealSecure Desktop Protector 3.5, expected to ship in early May, will have the same ability, ISS officials said.) On the other hand, RealSecure Desktop Protector trumps Integrity on the inbound-protection side by including a client-based IDS (intrusion detection system) that blocks attacks, even for applications that have had incoming network traffic enabled. Integrity's firewall doesn't have any IDS features.

Symantec Corp.'s Symantec Desktop Firewall corporate firewall offers competitive firewall features but no centralized management. The next version of Integrity will have centralized anti-virus management, officials said.

Quiet Protection

Integrity Agent uses the same engine as ZoneAlarm Pro but lacks its graphical configuration tools—we did all configuration from a central console. Using a combination of command-line parameters and a .ini settings file, we configured the client to install without any user prompts and configure itself with its initial two security configurations (one for when the client is connected to the corporate network and one for when it isn't). ZoneAlarm Pro can also be used together with Integrity's client firewall if desired.

On the server, Integrity can import (and reimport at scheduled times) user lists from two user directory systems: Windows 2000/NT domains and Remote Authentication Dial-In User Service server directories. We imported user groups and IDs from two Windows domains, then configured a set of security policies for our users.

Integrity's security editor let us configure with precise control exactly what kinds of network traffic should be allowed in and out of network clients. We could limit incoming and outgoing traffic on the basis of network port, IP address or subnet, and specific program.

Integrity Agent also offers some basic e-mail protection—we could select a list of file attachment extensions that would be automatically renamed by Integrity Agent when received and then require a special extraction step by the user to open. E-mail features won't be as useful in the corporate space, though, as they only support Post Office Protocol and IMAP protocols, not the native protocols for Microsoft Exchange or Lotus Notes.

Signature-based scanning is also very important in protecting against e-mail worms, and Integrity lacks this—it cannot replace an anti-virus scanner.

West Coast Technical Director Timothy Dyck can be reached at

Timothy Dyck is a Senior Analyst with eWEEK Labs. He has been testing and reviewing application server, database and middleware products and technologies for eWEEK since 1996. Prior to joining eWEEK, he worked at the LAN and WAN network operations center for a large telecommunications firm, in operating systems and development tools technical marketing for a large software company and in the IT department at a government agency. He has an honors bachelor's degree of mathematics in computer science from the University of Waterloo in Waterloo, Ontario, Canada, and a master's of arts degree in journalism from the University of Western Ontario in London, Ontario, Canada.
