McAfee's e500 Draws the Line at the Gateway

By Michael Foley
iApplianceWeb
(11/25/01, 06:32:48 PM EDT)

It's been a busy year for IT professionals. Virus attacks are becoming more sophisticated, lethal, and costly to deal with. The days of retroactively handling viruses after infection are long gone. Nowadays IT departments have to put in place layers of defenses to prevent viruses before widespread damage occurs across networks. To prepare enterprises more fully, McAfee is adding a new layer of Anti-Virus protection at the front-end of networks with its e500 Anti-Virus Appliances. These innovative appliances will play a critical role in securing networks as viruses morph from mischievous annoyances into calculated attacks that affect national security and the economy.

Pricing
e500: $13,471
e500 ASAP: $13,471
e250: NA

The e500 falls into the realm of security appliances that protect networks from external attacks. More specifically, it is an anti-virus appliance that scans incoming and outgoing emails, HTTP traffic, and FTP traffic for virus signatures. When a virus signature is detected, the e500 can clean, block, or quarantine the message or data. In a nutshell, the e500 acts as a vaccine for networks, preventing external infection from known diseases. The e500 comes in two variations. The first is the e500 self-managed version that allows users to maintain and configure the e500 to scan across email, HTTP, and FTP. The other is the e500 ASAP, which is similar to the self-managed e500, except that it only scans email and includes McAfee's ASAP service, which manages the maintenance and configuration of the appliance. Both versions use identical hardware and underlying software. The main difference between the two appliances from a user's standpoint is the configuration options that are exposed through the Web-based management console.

ASAP Service Manages e500 Appliance

Some might question the need for such an anti-virus appliance, particularly if they already have anti-virus software. In a network of only one or two computers, anti-virus software should be sufficient, but in corporate or enterprise networks protection should be tiered. The e500 is a high-end appliance for enterprise-level networks, and this is reflected in its cost. An anti-virus appliance at the front end of a network scans data before it enters the network; it acts as a backup to catch breaches that normally happen when computers aren't loaded with the latest anti-virus software, and it prevents internally generated infections from spreading outside the network. Anti-virus appliances are dedicated to one function, scanning for viruses, and they are "hardened" to prevent worms and probes from compromising system security. PCs running anti-virus software, on the other hand, may have applications running that open up security breaches and thereby invalidate the effectiveness of the software's virus protection.

Virus Stats
80% of viruses are spread through email.*

*McAfee

Attacks on Web servers have doubled from 2000 to 2001.**
50% of all companies have experienced Web server attacks in the following breakdown:**
  • 90% suffered worms, viruses, or trojans
  • 40% suffered Denial of Service (DOS)
  • 33% suffered buffer overflow attacks

**Information Security Magazine

The economic costs have been astronomical, including:***
  • An estimated $2.62 billion for the Code Red & Code Red II viruses
  • $11.8 billion total in 2001 as of Sept. 22.

***Computer Economics

The e500 isn't just a PC with some anti-virus software slapped on it. It has been designed with the single purpose of effectively scanning for viruses coming across email or Web traffic. High performance is a built-in feature so that the network throughput isn't degraded by the scanning function. The appliance has also been hardened to close ports or sockets from external access by worms or probes and prevent security breaches. Most importantly, the e500 has been loaded with enough memory so that it doesn't just analyze on a packet-by-packet basis, but by downloading the entire content, such as emails with attachments, for more thorough inspections. Out of the box the system runs as an anti-virus appliance. Hardware setup consists of plugging it in and connecting it to the network. Once the appliance's network IP addressing and virus scanning functions are configured through the secure Web-based management console, it's ready to go. The system can be up and running in minutes. Yes, minutes!

e500 Scans at the Gateway

It is important to keep in mind that anti-virus appliances aren't necessarily firewalls. The e500 is, in fact, not a firewall and should work in conjunction with one to provide maximum protection. The difference between anti-virus appliances and firewall appliances is that anti-virus appliances scan for viruses in content flowing through the ports and systems exposed through the firewall, while firewall appliances set up barriers and only allow external systems to access certain points in the network. Hence these systems work together: firewalls provide limited access to the network, and anti-virus appliances scan for viruses coming across these external access connections.

e500 Used in Conjunction With Firewall

e500 Built For Performance

The e500 comes in a 1U rack mountable package for IT departments to install into their rack systems. It is based upon Supermicro's 6010H SuperServer (www.supermicro.com) platform. The e500 is built for performance and includes:

  • Dual Pentium III @ 1GHz
  • 256 MB SDRAM
  • (2) 17.5 GB SCSI HD
  • Adaptec I2O RAID Controller Providing Hot-Swappable Mirroring
  • (2) Ethernet (10/100) RJ45 ports
  • Video port
  • PS/2 connections for keyboard and mouse
  • Serial RS232 DB9 port

e500 1U Rack System

The software is based upon a Bastille-hardened Red Hat Linux v7.0 with the 2.2.26-22 kernel. Bastille is a set of scripts that configure Linux to be more secure. It has an X Windows-based configuration GUI for simplified, automated security administration. McAfee used Bastille to tighten security on the system. This is prepackaged into the system so that out of the box the end user will not have to deal with these issues. As a matter of fact, McAfee has simplified the system to such a degree that the user cannot access the system through the local interface. They've created an easy-to-use Web page interface that provides a simple template for customizing the anti-virus scanning.

"Bastille-Linux should be a Red Hat user's FIRST download. Every healthcare organization utilizing Red Hat in any capacity should place running the Bastille-Linux scripts at the top of their "must-do" list for information security."

James Haughom, C.T.O., Healthcare Information Sharing and Analysis Center

Bastille X-Windows Scripting GUI

In addition to the Linux OS, the e500 uses McAfee's virus scanning engine. The management web site uses SSL to provide a secure connection. These web pages utilize Java Applets for additional security and protection. Software features include:

  • McAfee Anti-Virus software
  • Web-based management console
  • Secure Website for managing e500
  • Java Applets for Web-based GUI

Anti-Virus Software

An anti-virus appliance is only as good as its anti-virus software. McAfee is an industry leader in anti-virus software. McAfee's VirusScan engine performs high speed scans in real-time to minimize the throughput delay at the gateway. The engine scans all major compression formats and detects boot, macro, multi-partite, stealth, encrypted, and polymorphic viruses. It also provides virus protection against newer types of attacks from ActiveX and Java applets, worms, probes, and Remote Access Trojans (RATs).

  • Email, HTTP, and FTP scanning
  • Anti-Relay Blocking
  • Anti-Spam Blocking

Appliance software needs continual updates to protect against new variants that are appearing at a rate of about 500 a month. McAfee's VirusScan engine processes Virus Definition Drivers (DAT files) to detect virus signatures. Virus signatures are binary (1's and 0's) patterns that are characteristic to given viruses. McAfee continually updates these files to catch the latest viruses. Detected viruses can be cleaned, deleted, or quarantined.

As a backup to DAT files, McAfee uses a heuristic technology called ViruLogic to detect viruses that have yet to be classified. Heuristic analysis looks for distinctive virus characteristics to catch new viruses. ViruLogic scans files for software instructions that invoke actions such as unprompted modification of files and self-propagation through emails. It also tries to detect viruses that don't exhibit virus-like behavior or are masked through encryption.

Unfortunately, certain forms of legitimate data encryption resemble virus attacks, and the e500 will block this encrypted data. Microsoft's Integrated Windows Authentication is one such mechanism that is blocked by McAfee's Anti-Virus software, and Websites that rely on Integrated Windows Authentication cannot be accessed when McAfee's e500 appliance is checking for viruses within HTTP data.

Standing Guard Against New Viruses

Updating of virus DAT files can be done manually or automatically. The e500 requests the updates from the McAfee site. This mechanism is a secure transaction to prevent corruption or substitution of the DAT files. Virus security products need continual updates to catch new viruses as they appear. The e500 provides an automated DAT file updating mechanism that performs updates on a daily, weekly, or monthly basis. Unfortunately, even a daily interval can be too long. New viruses can appear at any time, and networks must be protected as soon as possible from threats because an infection can cost thousands or even millions of dollars in damage. Therefore updates need to be scheduled at an even shorter interval, hourly or by the minute. McAfee has indicated it will support faster update rates in future versions.

On the e500 appliances only the DAT files are updated automatically. System Software upgrades are done manually. Automated system software updates would be a convenient feature that McAfee should add in future versions.

Installation in a Snap

Local configuration of the e500 isn't allowed. All setup and configuration changes are made through a secure (SSL) management Website. Experienced IT administrators will breeze through the configuration process. For the rest of us, reading up on IT terminology and email administration would be wise. Whether the e500 is set up to scan email or Web traffic, it basically acts the same way, as a proxy or a pass-through that examines the data coming into or out of the network.

In the case of email configuration, the e500 is configured to pass incoming email to the mail server and outgoing mail to the SMTP relay server. Any MX (mail exchange) records that point to the mail server need to be redirected to the e500 so that incoming mail goes through it first before going to the mail server. Finally, the mail server needs to direct outgoing mail through the e500. The e500 email configuration Web pages are rather easy to modify. A minor inconvenience for the novice is that the documentation could be enhanced to provide more details and examples.

For scanning of suspicious data through HTTP and FTP, the e500 will sit between the client computer and the Internet. The client computer will need to have its browser or FTP software configured to use the e500 as a proxy. The e500 will need to be configured to scan incoming and outgoing traffic on the HTTP (80) port and the FTP (21) port. It also can be configured to block content such as:

  • ActiveX Components
  • Java Applets
  • Scripting Languages
  • Access to banned sites.

A recovery option for reinstalling the software in case there is a catastrophic software crash or lockup is also included. This feature came in handy during my review of the first beta unit McAfee provided. A bug occurred in the configuration process that crashed the system and prevented access to the management Web pages, but by using the auto recovery CD and updating it to the new released version of the software, the system was restored to its default state. This feature is very useful and as simple as putting the restoration CD into the CD-ROM and rebooting. System settings can and should be backed up to return to the last known good configuration.

Email Protection

Email scanning is the primary function of the e500. Since emails account for an estimated 80% of virus infections, one of the main requirements of a security system is to stop viruses arriving through emails and attachments. The e500 checks incoming and outgoing emails for viruses by loading the complete email along with the attachment before scanning it. This ensures that the email is thoroughly checked before passing it through to the mail server. If a virus is detected, the email message can be:

  • Quarantined
  • Deleted
  • Cleaned

When a virus is detected, the event is recorded in the appliance's event log, and an email notification can be sent out. An email infected with a virus can be quarantined for analysis. During the review of the e500, it detected and cleaned infected emails that were sent to our email server. The events were logged along with the virus types and senders' email addresses.
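To make the scan-then-act sequence concrete, here is an added example (my own, not McAfee's code) of a gateway scanner that buffers the whole message, decodes each MIME part, and applies the quarantine, delete or clean action with an event log that records the virus name and sender. The signature, addresses and mail are constructed; a real deployment would test with the EICAR test string instead.

```python
"""Gateway-style e-mail virus scan: buffer the complete message, decode
every MIME part (attachments included), match signatures, then quarantine,
delete or clean, and log the event. Added example, not McAfee code."""
import email
from email import policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

# Signature table (constructed marker, not a real virus pattern).
SIGNATURES = {
    "Constructed.Worm.A": b"CONSTRUCTED-WORM-MARKER-7f3a",
}

def build_sample() -> bytes:
    """Constructed inbound mail: plain-text body plus a base64 attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.net", "user@example.com", "invoice"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(b"MZ..." + SIGNATURES["Constructed.Worm.A"], maintype="application",
                       subtype="octet-stream", filename="invoice.com")
    return msg.as_bytes()

def scan_message(raw: bytes) -> List[Tuple[str, str]]:
    """Return [(part name, signature name)] over the fully decoded message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""  # undo base64 / QP
        name = part.get_filename() or part.get_content_type()
        hits += [(name, s) for s, pat in SIGNATURES.items() if pat in data]
    return hits

def handle(raw: bytes, action: str, log: list) -> Optional[bytes]:
    """Apply the configured action and log the event. Returns the message to
    forward to the mail server, or None when it is quarantined or deleted."""
    hits = scan_message(raw)
    if not hits:
        return raw
    msg = email.message_from_bytes(raw, policy=policy.default)
    log.append({"action": action, "sender": str(msg["From"]), "hits": hits})
    if action in ("quarantine", "delete"):
        return None  # a real gateway stores quarantined mail for analysis
    # clean: rebuild the message without the infected attachments
    infected = {name for name, _ in hits}
    cleaned = EmailMessage()
    for key in ("From", "To", "Subject"):
        cleaned[key] = str(msg[key])
    cleaned.set_content(msg.get_body(preferencelist=("plain",)).get_content())
    for att in msg.iter_attachments():
        if att.get_filename() in infected:
            continue
        maintype, subtype = att.get_content_type().split("/")
        cleaned.add_attachment(att.get_payload(decode=True), maintype=maintype,
                               subtype=subtype, filename=att.get_filename())
    return cleaned.as_bytes()
```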

Along with anti-virus scanning, the e500 includes features that block spam and prevent email relaying. The e500 provides support for spam lists, like MAPS RBL to block emails from domains and IP addresses listed on spam sites, but this service isn't free. The anti-spamming sites charge a fee to utilize their services. To get around being listed, spammers also use other mail servers to send out or relay messages to their mail lists. This is known as "email relaying". The e500 includes anti-relaying to prevent spammers from using mail servers as a relay and to avoid anti-spamming filters and lists.

Rule checking is also used to block emails. Rules specify properties that emails must abide by, or the e500 will block delivery. This comes in pretty handy to block spam sales messages or messages from porn sites. For example, one can set up a rule to block any email with the word "sex" in it. Any email containing "sex" will then be blocked.
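An added example, not code from the appliance, of the two controls just described: the anti-relay decision made on the SMTP envelope, and keyword rule checking, shown both as the plain substring rule the text describes and as a word-boundary form that avoids blocking words such as Sussex or Essex. The domains, networks and messages are constructed.

```python
"""Non-virus e-mail controls at the gateway: anti-relay and keyword rules.
Added example, not McAfee code; all domains, networks and text are constructed."""
import ipaddress
import re

LOCAL_DOMAINS = {"example.com"}                        # domains we deliver for
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # hosts allowed to send out

def relay_allowed(client_ip: str, rcpt: str) -> bool:
    """Accept only inbound mail for a local domain or outbound mail from an
    internal host; anything else would make the gateway an open relay."""
    rcpt_domain = rcpt.rsplit("@", 1)[-1].lower()
    if rcpt_domain in LOCAL_DOMAINS:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in INTERNAL_NETS)

# The article's rule "block any email with the word sex in it", first as a
# plain substring test and then with word boundaries so that innocent words
# containing the same letters are not blocked as well.
NAIVE_RULE = re.compile(r"sex", re.IGNORECASE)
WORD_RULE = re.compile(r"\bsex\b", re.IGNORECASE)

def matches(rule, headers: dict, body: str) -> bool:
    """Rules are evaluated over headers and body alike."""
    text = "\n".join(f"{k}: {v}" for k, v in headers.items()) + "\n" + body
    return rule.search(text) is not None

def gateway_decision(client_ip: str, rcpt: str, headers: dict, body: str) -> str:
    """Relay policy is decided on the envelope before any content is read,
    so a rejected relay attempt never costs a content scan."""
    if not relay_allowed(client_ip, rcpt):
        return "reject-relay"
    if matches(WORD_RULE, headers, body):
        return "reject-content"
    return "accept"
```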

Web Scanning

Scanning of data through HTTP or FTP protocols is similar to email scanning. The entire file is downloaded and scanned before being delivered to the client computer. In addition certain content types can be blocked and specific sites can be denied access. However, streaming data causes problems for the e500. The scanning engine relies on the complete download of files before scanning. Streaming media allows audio and video files to be played before the entire file has been downloaded. This contradicts how the e500 scans for viruses; therefore, if streaming media is allowed, it won't be scanned. Unfortunately, you can bet your last dollar that as these appliances become popular and reduce the damage caused by viruses, new strains of viruses will be developed that are passed through streaming media to take advantage of this limitation.
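An added example (not McAfee's code) of the proxy-side decisions described in the installation section and here: banned sites and blocked content types are refused before any body is read, everything else is held until the complete file has been scanned, and audio or video streams are flagged as unscannable rather than silently passed. Hosts, extensions, limits and the signature are constructed.

```python
"""Policy front-end for an HTTP/FTP scanning proxy. Added example, not
McAfee code; the lists, limit and signature below are constructed."""
from typing import Iterable, Tuple
from urllib.parse import urlsplit

BANNED_HOSTS = {"banned.example"}
# ActiveX, Java applets and scripting, by extension and common MIME type
BLOCKED_EXT = (".ocx", ".cab", ".class", ".jar", ".js", ".vbs")
BLOCKED_TYPES = {"application/java-archive", "text/javascript", "application/x-javascript"}
TEST_SIGNATURE = b"CONSTRUCTED-WORM-MARKER-7f3a"
MAX_BUFFER = 50 * 1024 * 1024   # largest object we are willing to hold

def classify(url: str, headers: dict) -> str:
    """Decide what the proxy does with a response before reading its body."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() in BANNED_HOSTS:
        return "block-site"
    hdr = {k.lower(): v for k, v in headers.items()}
    ctype = hdr.get("content-type", "").split(";")[0].strip().lower()
    if ctype in BLOCKED_TYPES or parts.path.lower().endswith(BLOCKED_EXT):
        return "block-content"
    if ctype.startswith(("audio/", "video/")):
        return "stream-unscannable"   # the gap the article describes
    if int(hdr.get("content-length", 0)) > MAX_BUFFER:
        return "too-large"
    return "buffer-and-scan"

def buffer_and_scan(chunks: Iterable[bytes]) -> Tuple[str, bytes]:
    """Hold the whole body; nothing reaches the client until the complete
    file has been scanned, so a signature split across chunks is still found.
    Returns (verdict, body to deliver)."""
    body = bytearray()
    for chunk in chunks:
        body += chunk
        if len(body) > MAX_BUFFER:
            return ("too-large", b"")
    if TEST_SIGNATURE in body:
        return ("infected", b"")
    return ("clean", bytes(body))
```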

New viruses such as Code Red and Nimda are penetrating networks by attacking through Web servers. They exhibit worm or probe like behavior by searching out Web servers on a network and depositing viruses onto these machines through back doors in the Web server. The e500 doesn't yet protect against these types of attack, but it would seem that the system could be setup in a similar manner to the way it protects HTTP clients. Since these types of viruses are gaining in popularity, future versions of the e500 software may support this type of protection.

CyberInsurance*
Cyberinsurance has been billed as a way for companies to underwrite potential hacking losses for things technology cannot protect. The concept of insuring digital assets has been slow in catching on because the risks and damages are hard to quantify and put a price tag on.

In the past, companies seeking a $25 million policy could find someone to cover them. Now, it's much more difficult. Underwriters who didn't blink at $5 million or $10 million policies would rather insure $1 million policies, according to cyberinsurance brokers.

Industry analysts predict underwriters will push any changes in cyberinsurance offerings and the systems used by policyholders. The first indication of this trend came earlier this year when J.S. Wurzler Underwriting Managers tacked a 5 to 15 percent surcharge on cyberinsurance premiums for users of Windows NT on IIS servers, citing their poor security track record, which makes them more expensive to insure.

*Information Security Magazine, November 2001

The Bottom Line

The e500 is a true IT appliance. It performs one specific application and it protects networks against attacks from viruses. While its price tag is somewhat steep, it is backed by a high performance platform and scanning engine and is meant for larger enterprise networks. If the system prevents even one virus infection, it will have paid for itself. The system is easy to setup and maintain. The e500 performs its job very well and would provide an immediate return on investment. It does have three glaring weaknesses that McAfee needs to work on in future generations:

  1. Web server protection
  2. Faster DAT file update intervals
  3. Streaming media scanning

Also, keep in mind that the e500 scans at the gateway and viruses can still be introduced to the internal network by manually loading software from floppies or CDs. Going forward, an Anti-Virus appliance will be a must have item for those serious about network security. One last item to note, for smaller corporate networks or cost sensitive operations, McAfee is introducing the e250 later this year. It has the same basic functionality as the e500 but is made for smaller networks at a reduced cost.

Specifications
Product Name: WebShield e500
Manufacturer: McAfee (www.mcafeeb2b.com)
Type: Anti-Virus Appliance
Dimensions: 16.7 x 1.7 x 22 in
Weight: 17.6 lb
Processor: Dual Intel Pentium III 1GHz
Memory: 256 MB SDRAM
Storage: (2) 17.5 GB SCSI; Floppy Drive; CD-ROM Drive
Operating System: Red Hat Linux 7.0 w/Bastille Linux
LAN: (2) Ethernet RJ45 (10/100BaseT)
Input/Output: (2) DB9 RS232 Serial port; (2) USB ports; PS/2 keyboard port; PS/2 mouse port; PCI expansion slot; AGP Video port
Firewall: Web Page content Filtering; URL Filtering
Email Security: SMTP virus scanning; POP3 virus scanning; Anti-Relay; Anti-Spam; SMTP Blocking by content scanning; Attachment Blocking
HTTP Security: HTTP virus scanning; FTP virus scanning
Event Log: Virus Detection; URLs Blocked; Spam Detection; Email Content Violation; Administration Events; Email Notification; SNMP Notification
Management: Browser based console
Other Features: RAID controller for hot-swappable mirroring; Rapid Recovery; Heuristic Virus Scanning; Automatic Updating of Virus Definition Files

Copyright © 2004 Appliance-Lab