e500 Built For Performance

The e500 comes in a 1U rack mountable package for IT departments to install into their rack systems. It is based upon Supermicro's 6010H SuperServer (www.supermicro.com) platform. The e500 is built for performance and includes:

Dual Pentium III @ 1GHz 256 MB SDRAM (2) 17.5 GB SCSI HD Adaptec I2O RAID Controller Providing Hot-Swappable Mirroring (2) Ethernet (10/100) RJ45 ports Video port PS/2 connections for keyboard and mouse Serial RS232 DB9 port

e500 1U Rack System

The software is based upon a Bastille hardened Red Hat Linux v7.0 with the 2.2.26-22 kernel. Bastille is a set of scripts that configure Linux to be more secure. It has an X Windows-based configuration GUI for simplified, automated security administration. McAfee used Bastille to tighten security on the system. This is prepacked into the system so that out of the box the end user will not have to deal with these issues. As a matter of fact, McAfee has simplified the system to such a degree that the user cannot access the system through the local interface. They've created a easy to use Web page interface that provides a simple template for customizing the anti-virus scanning.

"Bastille-Linux should be a Red Hat user's FIRST download. Every healthcare organization utilizing Red Hat in any capacity should place running the Bastille-Linux scripts at the top of their "must-do" list for information security." James Haughom, C.T.O., Heathcare Information Sharing and Analysis Center

Bastille X-Windows Scripting GUI

In addition to the Linux OS the e500 uses McAfee's virus scanning engine. The managment web site uses SSL to provide a secure connection. These web pages utilize Java Applets for additional security and protection. Software features include:

Anti-Virus Software

Appliance software needs continual updates to protect against new variants that are appearing at a rate of about 500 a month. McAfee's VirusScan engine processes Virus Definition Drivers (DAT files) to detect virus signatures. Virus signatures are binary (1's and 0's) patterns that are characteristic to given viruses. McAfee continually updates these files to catch the latest viruses. Detected viruses can be cleaned, deleted, or quarantined.

As a backup to DAT files, McAfee uses a heuristic technology called ViruLogic to detect viruses that have yet to be classified. Heuristic analysis looks for distinctive virus characteristics to catch new viruses. ViruLogic scans files for software instructions that invoke actions such as unprompted modification of files and self-propagation through emails. It also tries to detect viruses that don't exhibit virus-like behavior or are masked through encryption.

Unfortunately, certain forms of legitimate data encryption techniques resemble virus attacks, and the e500 will block this encrypted data. Microsoft's Integrated Windows Authentication is one such encryption algorithm that is blocked by McAfee's Anti-Virus software, and Websites that rely on Integrated Windows Authentication can not be accessed when McAfee's e500 appliance is checking for viruses within HTTP data.

Standing Guard Against New Viruses

Updating of Virus DAT files can be done manually or automatically. The e500 requests the updates from the McAfee site. This mechanism is a secure transaction to prevent corruption or substitution of the DAT files. Virus security products need continual updates to catch new viruses that appear. The e500 provides an automated DAT file updating mechanism that performs updates on daily, weekly, or monthly basis. Unfortunately, even daily updates can be lengthy. New viruses can appear at any time, and networks must be protected as soon as possible from threats because an infection can cost thousands or even millions of dollars of damage. Therefore updates need to scheduled at an even shorter interval, hourly or by the minute. McAfee's has indicated they will support faster update rates in future versions.

On the e500 appliances only the DAT files are updated automatically. System Software upgrades are done manually. Automated system software updates would be a convenient feature that McAfee should add in future versions.

Installation in a Snap

Local configuration of the e500 isn't allowed. All setup and configuration changes are made through a secure (SSL) management Website. Experienced IT administrators will breeze through the configuration process. For the rest of us, reading up on IT terminology and email administration would be wise. Whether the e500 is setup to scan email or Web traffic, it basically acts the same, as a proxy or a pass-through to examine the data coming into or out of the network.

In the case of email configuration, the e500 is configured to pass incoming email to the mail server and outgoing mail to the SMTP relay server. Any MX (mail exchange) records that point to the mail server need to be redirected to the e500 so that incoming mail goes through it first before ging to the mail server. Finally, the mail server needs to direct outgoing mail through the e500. The e500 email configuration Web pages are rather easy to modify. A minor inconvenience for the novice is that the documentation could be enhanced to provide more details and examples.

For scanning of suspicious data through HTTP and FTP, the e500 will sit between the client computer and the Internet. The client computer will need to have its browser or FTP software configured to use the e500 as a proxy. The e500 will need to be configured to scan incoming and outgoing traffic on the HTTP (80) port and the FTP (21) port. It also can be configured to block content such as:

• ActiveX Components
• Java Applets
• Scripting Languages
• Access to banned sites.

A recovery option for reinstalling the software in case there is a catastrophic software crash or lockup is also included. This feature came in handy during my review of the first beta unit McAfee provided. A bug occurred in the configuration process that crashed the system and prevented access to the management Web pages, but by using the auto recovery CD and updating it to the new released version of the software, the system was restored to its default state. This feature is very useful and as simple as putting the restoration CD into the CD-ROM and rebooting. System settings can and should be backed up to return to the last known good configuration.

Email Protection

Email scanning is the primary function of the e500. Since emails account for an estimated 80% of the virus infections, one of the main requirements of an security system is to stop viruses through emails and attachments. The e500 checks incoming and outgoing emails for viruses by loading the complete email along with the attachment before scanning it. This ensures that the email is thoroughly checked before passing it through to the mail server. If a virus is detected, the email message can be:

• Quarantined
• Deleted
• Cleaned

When a virus is detected, the event is recorded in the appliance's event log, and an email notification can be sent out. An email infected with a virus can be quarantined for analysis. During the review of the e500, it detected and cleaned infected emails that were sent to our email server. The events were logged along with the virus types and senders' email addresses.

Along with anti-virus scanning, the e500 includes features that block spam and prevent email relaying. The e500 provides support for spam lists, like MAPS RBL to block emails from domains and IP addresses listed on spam sites, but this service isn't free. The anti-spamming sites charge a fee to utilize their services. To get around being listed, spammers also use other mail servers to send out or relay messages to their mail lists. This is known as "email relaying". The e500 includes anti-relaying to prevent spammers from using mail servers as a relay and to avoid anti-spamming filters and lists.

Rule checking is also used to block emails. Rules specify properties that emails must abide by or the e500 will block delivery. This comes in pretty handy to block spam sales messages or messages from porn sites. For example one can set up a rule to block any email with the word "sex" in it. Any email containing "sex" will then be blocked.

Web Scanning

Scanning of data through HTTP or FTP protocols is similar to email scanning. The entire file is downloaded and scanned before being delivered to the client computer. In addition certain content types can be blocked and specific sites can be denied access. However, streaming data causes problems for the e500. The scanning engine relies on the complete download of files before scanning. Streaming media allows audio and video files to be played before the entire file has been downloaded. This contradicts how the e500 scans for viruses; therefore, if streaming media is allowed, it won't be scanned. Unfortunately, you can bet your last dollar that as these appliances become popular and reduce the damage caused by viruses, new strains of viruses will be developed that are passed through streaming media to take advantage of this limitation.

New viruses such as Code Red and Nimda are penetrating networks by attacking through Web servers. They exhibit worm or probe like behavior by searching out Web servers on a network and depositing viruses onto these machines through back doors in the Web server. The e500 doesn't yet protect against these types of attack, but it would seem that the system could be setup in a similar manner to the way it protects HTTP clients. Since these types of viruses are gaining in popularity, future versions of the e500 software may support this type of protection.

The Bottom Line

The e500 is a true IT appliance. It performs one specific application and it protects networks against attacks from viruses. While its price tag is somewhat steep, it is backed by a high performance platform and scanning engine and is meant for larger enterprise networks. If the system prevents even one virus infection, it will have paid for itself. The system is easy to setup and maintain. The e500 performs its job very well and would provide an immediate return on investment. It does have three glaring weaknesses that McAfee needs to work on in future generations:

1. Web server protection
2. Faster DAT file update intervals
3. Streaming media scanning

Also, keep in mind that the e500 scans at the gateway and viruses can still be introduced to the internal network by manually loading software from floppies or CDs. Going forward, an Anti-Virus appliance will be a must have item for those serious about network security. One last item to note, for smaller corporate networks or cost sensitive operations, McAfee is introducing the e250 later this year. It has the same basic functionality as the e500 but is made for smaller networks at a reduced cost.