SkyRecon’s StormShield endpoint protection solution is remarkably flexible when compared to other centrally managed endpoint protection solutions available today.
The easiest way to understand how StormShield works is to think of it as providing all of the standard protections (software firewall, HIPS, removable storage management, device control, application control, wireless security, network access control, data encryption, and now antivirus) in a fully scriptable and customizable manner.
Security administrators can develop complex rule sets where conditions are tested and then threat mitigation is automatically launched. For example, if a laptop is not on the corporate network and is instead connected to an open Wi-Fi hotspot, then an administrator can decide that only network traffic from whitelisted applications can be sent over a VPN tunnel, and he can block all other network traffic to and from the laptop.
The conditions can be more complex and so can the actions taken, even to the point where a series of batch files can be launched to perform multiple maintenance tasks.
StormShield has provided this functionality for several years. A recent licensing deal with Panda now rounds out the policy-driven offering by adding effective antivirus and anti-spyware features that can be deployed and managed from a single management console. This final piece launches SkyRecon into head-on competition with the likes of Symantec, McAfee, Trend Micro and eEye Digital Security.
I tested SkyRecon StormShield 5.1.00 beta 2 using Windows Server 2003 Enterprise Edition to host the StormShield Server, Management Console and SQL Server database. These can be deployed on different servers throughout an organization for better scalability. I also used a series of Windows XP Pro workstations ranging from unpatched to SP3 to test client agents. Management Console can manage multiple StormShield Servers and policy can be pushed down through the organization from primary StormShield Servers to secondary StormShield Servers. Administrative capabilities can be fully delegated and can include or exclude different administrative functions so that, for example, certain administrators can control every setting and action while others can only run reports.
SkyRecon officials say the average StormShield Server can accommodate up to 5,000 users, and there are customer deployments with as many as 90,000 seats.
I found StormShield to be one of the most difficult security software products to install, configure and deploy that I have ever used, and I have used hundreds, if not thousands, of similar products. Even following a detailed walkthrough that the company provided, I still had to spend four to six hours over two days working directly with a sales engineer before I could develop a single policy and deploy it to a single workstation. Apparently the price of total customization is having to navigate hundreds of poorly worded settings that are neither described nor automated.
After Configuration, StormShield Impresses
However, once I got past this monster hurdle, StormShield really impressed me. It is almost infinitely extensible because of its ability to test for multiple conditions and then apply sophisticated remediation techniques. For example, I configured a security policy to enforce such rules as “if a Word document is being copied from a local or network volume to removable media, then it must be encrypted and prompt the user to encrypt the removable media or abort the operation” and “if the laptop is connected to the internal LAN at 2 AM and CPU utilization is less than 3 percent, then launch a batch file that performs routine system maintenance.”
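The review does not show StormShield's own policy syntax, so the following is an added illustration rather than the product's format: a small Python rule evaluator encoding the open-hotspot rule from the opening section and the two rules just described, each as a condition over assumed endpoint state plus the action to fire. The Context fields, the VPN_WHITELIST application list, and the choice that every matching rule fires are all assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Callable

# Endpoint state a policy engine would evaluate; one Context per event
# (a connection attempt by `app`, a file copy, or a scheduled check). Constructed for this example.
@dataclass
class Context:
    on_corporate_lan: bool = False
    open_wifi: bool = False
    app: str = ""
    vpn_up: bool = False
    hour: int = 12
    cpu_percent: float = 50.0
    file_ext: str = ""
    dest_removable: bool = False
    removable_encrypted: bool = False

@dataclass
class Rule:
    name: str
    condition: Callable[[Context], bool]
    action: str

# Applications permitted to send traffic over the VPN from an open hotspot (assumed list).
VPN_WHITELIST = {"outlook.exe", "vpnclient.exe"}

RULES = [
    # Off the corporate LAN on open Wi-Fi: only whitelisted apps over the VPN, block everything else.
    Rule("open-wifi-vpn-only",
         lambda c: not c.on_corporate_lan and c.open_wifi
                   and not (c.app in VPN_WHITELIST and c.vpn_up),
         "block_network_traffic"),
    # A Word document copied to removable media must land on an encrypted volume.
    Rule("removable-media-encrypt",
         lambda c: c.file_ext.lower() in {".doc", ".docx"} and c.dest_removable
                   and not c.removable_encrypted,
         "prompt_encrypt_or_abort"),
    # On the internal LAN at 2 AM with CPU below 3 percent: launch the maintenance batch file.
    Rule("nightly-maintenance",
         lambda c: c.on_corporate_lan and c.hour == 2 and c.cpu_percent < 3,
         "launch_maintenance_batch"),
]

def evaluate(ctx: Context) -> list[str]:
    """Return the action of every rule whose condition holds for this event."""
    return [r.action for r in RULES if r.condition(ctx)]
```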
The ability to develop and enforce a security policy this detailed is unrivaled on the endpoint protection market today. Management Console is almost a specialized object-oriented development environment in which different settings are checked out, modified, checked back in, and then deployed. This is important in large organizations, where multiple security administrators might be actively working with the same console at once.
The Panda anti-malware software worked like a charm. One of my test machines was absolutely riddled with malware, including Common Name, a Trojan downloader, 2 keyloggers, and 2 viruses. After deploying the StormShield agent with anti-virus policies in place, I walked away for a few hours (to celebrate a successful installation!) and returned to find that the machine had been automatically scanned and cleaned of all threats. All activities were logged and threats were quarantined with no user intervention at all.
In the Management Console, the first thing to do is configure the console itself, especially under Options, Layout, where you should set it to save; otherwise you lose an awful lot of settings every time you restart. In the Environment Manager window, establish Global settings and policies, then create an environment to manage your organization, and within that environment create “masters” to manage specific StormShield Servers, branch offices, departments, or user groups.
All of the usual suspects are there and relatively easy to set up in the Security Policy Editor, which is broken out into Network Firewall, Application Rules, Extension Rules, Trusted Rules, Wi-Fi Access Points, and Removable Devices. I was able to enable or disable the use of specific removable devices, block the use of Bluetooth, and allow or disallow using a CD burner. The Wi-Fi policy is an important differentiator, an area where StormShield excels: specific networks can be allowed or blocked, authentication type and encryption levels can be enforced, and under Environment, Configuration, I was able to allow or prevent temporary Web access for a specific duration in minutes for Wi-Fi hotspots. Combining these settings with security policy tools, I was able to set up a rule “if connected to an open Wi-Fi network, then allow temporary Web access for five minutes, at which point the user can disconnect or launch the VPN.”
Reports are adequate and provide what you’d expect: listings, either in real time or for a specific date, of security threats and status by agent, server, policy, network threat, or antivirus. The high degree of customization found throughout the rest of the product is lacking in the reporting module, as very little customization is available. It is worth noting that complete customization is possible by running custom reports against the logs and databases from outside the Management Console. Logs can be distributed via e-mail or syslog at regular intervals. There is no mechanism for issuing security alerts via SMS or e-mail.
The bottom line? Unrivaled endpoint security policy management and enforcement adds top-notch anti-malware, yet installation, configuration, overall GUI, and help/wizard/support shortcomings force me to urge caution.
Matthew D. Sarrel is executive director of Sarrel Group, an IT test lab, editorial services and consulting firm in New York City.