Integrity Stops Security Leaks
Imagine how hard it would be to defend a hockey net if it were moving randomly around the ice surface while slap shots were coming from every direction. That's what it's like trying to keep secure a corporate network perimeter that includes laptop-equipped mobile workers. Mobile laptops get connected to all kinds of insecure Internet links outside the office (especially by those using home-based connections), then serve as gateways into corporate networks through VPN (virtual private network) connections or just by being plugged back into an office wall jack the next morning.
Zone Labs Inc.'s Zone Labs Integrity 1.0 client firewall and central administration console, which started shipping last month, offers a strong first effort at addressing this problem.
Integrity requires Windows 9x, NT 4.0, 2000 or XP on the client and Windows 2000 Server or NT Server 4.0 on the server. An Oracle Corp. Oracle8 or Microsoft Corp. SQL Server database is also required to store user activity data.
Prices for Integrity start at $80 per user (one server license is free), and volume discounts are available.
In eWeek Labs' tests, we were able to deploy Integrity Agent, a modified version of Zone Labs' client firewall ZoneAlarm Pro, to clients and then administer and monitor these client firewalls from a central console.
Internet Security Systems Inc.'s RealSecure Desktop Protector 3.1's centralized configuration and reporting capabilities are similar to Integrity's, but RealSecure Desktop Protector has a significantly weaker firewall, lacking any outbound network controls at all. The built-in firewall in Windows XP has the same limitation.
In contrast, Integrity initially caught our eye because ZoneAlarm Pro's top-notch firewall has been a favorite at eWeek Labs since it first came out.
Especially impressive is Integrity Agent's (and ZoneAlarm Pro's) ability to control Internet access on a program-by-program basis instead of on a port-by-port basis. (RealSecure Desktop Protector 3.5, expected to ship in early May, will have the same ability, ISS officials said.) On the other hand, RealSecure Desktop Protector trumps Integrity on the inbound-protection side by including a client-based IDS (intrusion detection system) that blocks attacks, even for applications that have had incoming network traffic enabled. Integrity's firewall doesn't have any IDS features.
Symantec Corp.'s Symantec Desktop Firewall corporate firewall offers competitive firewall features but no centralized management. The next version of Integrity will have centralized anti-virus management, officials said.
Quiet Protection
Integrity Agent uses the same engine as ZoneAlarm Pro but lacks its graphical configuration tools—we did all configuration from a central console. Using a combination of command-line parameters and a .ini settings file, we configured the client to install without any user prompts and configure itself with its initial two security configurations (one for when the client is connected to the corporate network and one for when it isn't). ZoneAlarm Pro can also be used together with Integrity's client firewall if desired.
On the server, Integrity can import (and reimport at scheduled times) user lists from two user directory systems: Windows 2000/NT domains and Remote Authentication Dial-In User Service server directories. We imported user groups and IDs from two Windows domains, then configured a set of security policies for our users.
Integrity's security editor let us configure with precise control exactly what kinds of network traffic should be allowed in and out of network clients. We could limit incoming and outgoing traffic on the basis of network port, IP address or subnet, and specific program.
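The policy model described in this review (two configurations per client, with rules keyed on program, port and subnet) can be sketched as follows. This is an added example, not Zone Labs' policy format or code; the subnet, program names, rule set and the address-based location check are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

CORP_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed corporate subnet

@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "block"
    direction: str                 # "in" or "out"
    program: Optional[str] = None  # executable name; None matches any program
    port: Optional[int] = None     # remote port for "out", local port for "in"
    subnet: Optional[str] = None   # peer address range; None matches any peer

    def matches(self, direction, program, peer_ip, port):
        return (direction == self.direction
                and self.program in (None, program.lower())
                and self.port in (None, port)
                and (self.subnet is None or
                     ipaddress.ip_address(peer_ip) in ipaddress.ip_network(self.subnet)))

# Two policies per client: one on the corporate network, one off it (constructed rules).
POLICIES = {
    "corporate": [
        Rule("allow", "in", port=445, subnet="10.20.0.0/16"),  # file sharing, office peers only
        Rule("allow", "out", program="browser.exe"),
        Rule("allow", "out", program="mailclient.exe", port=143, subnet="10.20.0.0/16"),
    ],
    "remote": [
        Rule("allow", "out", program="vpnclient.exe", port=500),
        Rule("allow", "out", program="browser.exe", port=443),
    ],
}

def active_policy(local_ip):
    """Pick the policy from the client's own address (assumed detection method)."""
    return "corporate" if ipaddress.ip_address(local_ip) in CORP_NET else "remote"

def decide(local_ip, direction, program, peer_ip, port):
    """First matching rule wins; anything unmatched is blocked."""
    for rule in POLICIES[active_policy(local_ip)]:
        if rule.matches(direction, program, peer_ip, port):
            return rule.action
    return "block"

def port_only_decide(port, allowed_ports=(80, 443)):
    """Port-based filtering for comparison: it cannot tell programs apart."""
    return "allow" if port in allowed_ports else "block"
```

Under the program-based rules an unlisted executable is refused on port 443 even though the browser is allowed on it, while the port-only filter passes both.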
Integrity Agent also offers some basic e-mail protection—we could select a list of file attachment extensions that would be automatically renamed by Integrity Agent when received and then require a special extraction step by the user to open. E-mail features won't be as useful in the corporate space, though, as they only support Post Office Protocol and IMAP protocols, not the native protocols for Microsoft Exchange or Lotus Notes.
Signature-based scanning is also very important in protecting against e-mail worms, and Integrity lacks this—it cannot replace an anti-virus scanner.
West Coast Technical Director Timothy Dyck can be reached at timothy_dyck@ziffdavis.com.
Zone Labs Integrity 1.0
USABILITY | A
CAPABILITY | C
PERFORMANCE | B
INTEROPERABILITY | C
MANAGEABILITY | B
Organizations with more than a handful of laptop-equipped workers will find the Zone Labs Integrity client firewall system an important way to keep corporate assets secure. Longer term, we think vendors in this new market segment will need to combine firewall, intrusion detection, anti-virus and privacy features into one centrally managed package to be competitive, but, for now, Integrity does well.
SHORT-TERM BUSINESS IMPACT // Integrity provides a quick way to protect workers connecting at home from network attacks.
LONG-TERM BUSINESS IMPACT // Central management of complex and risky settings such as security settings lowers costs, raises overall security and allows for quick response when new attacks emerge.
PROS // Simple, silent client installation; centralized security policy creation and reporting; top-notch firewall technology.
CONS // No intrusion detection, anti-virus or privacy protection features; e-mail attachment protection weak; doesn't support Exchange or Notes mail server protocols.
Zone Labs Inc., San Francisco; (415) 341-8200; www.zonelabs.com/corpsales/intoverview.html