Panda GateDefender is an integrated hardware and software device designed to be installed at the corporate network perimeter to offer complete anti-malware, anti-spam, content-filter and URL-filtering protection for all types of network traffic entering or leaving the company. The anti-malware capability includes protection against viruses, spyware, adware, phishing, jokes, diallers and hacking tools. The GateDefender product line consists of three appliances covering a relatively small range of performance options (40Mbps, 80Mbps and 170Mbps); the model tested here was the 170Mbps GateDefender 8200.

The GateDefender 8200 is based on a 1U rack-mount platform featuring two 10/100/1000Mbps copper Ethernet ports, used for both detection and management. Redundant disk drives and power supplies are not available, though load balancing and fault tolerance are built into the system.

Security effectiveness of the 8200 was excellent, whilst performance was adequate under most traffic loads in most of the tests. SMTP performance was mostly adequate for the intended market, although the performance of the anti-spam module was lower than claimed by Panda in our tests. Anti Malware performance is good, however. The built-in load balancing capability allows performance to scale in a linear fashion by simply installing additional GateDefender appliances.

The management system has been well designed to handle management and configuration of a single device. Alert handling and reporting are both basic, but adequate for the task in hand. However, there are no quarantine facilities for either spam or malware in the current release, and no centralised, multi-device management option.

The Panda GateDefender appliance-based SCA offering consists of the following components:

The Panda GateDefender appliance is currently offered in three versions:
All of them are capable of being managed stand-alone via the Web-based management interface - there is no centralised management system available for multiple appliances. The GateDefender 8200 appliance submitted for testing is a 1U rack mount server chassis based on a standard Intel platform. Details of the processor and memory configuration are not available. There are two built-in copper 10/100/1000Mbps ports on the rear panel to handle both detection (internal and external ports) and management (which is possible over either or both ports as required). No dedicated management port is available. GateDefender is Linux-based, running integrated software for Anti Malware (including Anti Virus, Anti Spyware and Anti Phishing), Content Filtering, Anti Spam and Web Category Filtering. Web Filtering is licensed from Cobion/ISS, the Anti Spam engine is licensed from Mailshell, and the Anti Malware and Content Filtering engines are produced by Panda. Each GateDefender appliance includes an integrated Web server allowing it to be managed directly via a standard Web browser over a secure HTTPS connection. This provides a complete single-device management solution out of the box without the need to install a complex three-tier management solution. Naturally, this does not scale well when managing multiple appliances, although an export/import configuration feature at least provides the means to transfer settings between devices. Overall, the GUI is fast and easy to use, although it did prove sensitive to the version of browser and service pack installed on our management PC. GateDefender has a built-in load balancing feature. When load balancing is enabled, GateDefender will look for other units with which it can share the workload. When several appliances are used in load balancing mode, failure of any device causes the rest of the devices in the cluster to assume the workload automatically. 
The time that passes between one unit failing and the rest taking over its workload is a maximum of fifteen seconds, and no traffic is passed without being scanned during the failover process.

The aim of this section is to verify that the device is capable of operating under normal network conditions whilst effectively detecting and handling a range of virus infections, inappropriate content and spam traffic mixed with normal traffic.

With a capacity of over 31,000 TCP connections per second, over 11,000 SMTP sessions per second, and an effective bandwidth of 1Gbps, the basic GateDefender appliance would perform well in a Gigabit environment. Over 1.1 million concurrent TCP connections are supported. Latency is in the region of 67-94µs with 512 byte packets, which is outstanding for a device designed for the network perimeter.

As you would expect, performance is at its worst once all modules are enabled. With all modules enabled, maximum TCP connections per second were around 700, and effective bandwidth was 167Mbps. Just over 1100 concurrent TCP connections were supported, and SMTP performance was 50 SMTP sessions per second - considerably less than the figures claimed by Panda. Panda’s quoted SMTP figures are more applicable to the Anti Malware module (over 300 messages per second, over 1 million per hour, and almost 26 million per day), but once enabled, the Anti Spam module acts as the e-mail bottleneck for the entire system. However, we would still consider this to be adequate for the intended market (50 messages per second, 180,000 per hour, 4.3 million per day). We consider the overall performance to be acceptable for a device of this type. Please refer to the Testing Methodology section for full details of the methodology used and detailed performance results of the individual security modules.
The aim of this section is to verify that the device is capable of effectively detecting live virus traffic, inappropriate URLs, inappropriate Web and mail content, and spam e-mail. All inappropriate/infected traffic should be handled properly according to the protocol and applied security policy (blocked, rejected, replaced, etc.).

URL category filtering was excellent, with 95 per cent of our “bad” URLs being detected and no overblocking evident during our tests. Categorisation appeared to be reasonably accurate. HTTP and SMTP content filtering and file blocking both performed flawlessly, blocking 100 per cent of bad content with no incidents of false positives.

All of the WildList virus samples in our test suite were detected and blocked successfully with accurate signatures, whilst 85 per cent of the zoo virus samples were detected successfully, also using signatures (heuristic scanning was not enabled for these tests). This is excellent. The detect & alert and disinfect functions worked flawlessly, and the device successfully detected viruses inside compressed and nested compressed files. There is no quarantine capability.

92 per cent of the live spam samples in our test suite were detected and blocked successfully. This is an excellent score. Both the detect & flag and the accept and discard message functions worked flawlessly - there are no quarantine or reject message capabilities. Please refer to the Testing Methodology section for full details of the methodology used and detailed performance results of the individual security modules.

This part of the test procedure consists of a subjective evaluation of the features and capabilities of the product, and covers installation, configuration, policy editing, alert handling, and reporting and analysis. GateDefender is a transparent layer 2 device which passes traffic between its internal and external ports without routing.
Since it is not necessary to assign IP addresses to the internal and external ports in order to pass traffic, as you would with a firewall, the GateDefender appliance can be installed anywhere inside - or at the perimeter of - the corporate network without having to reconfigure IP addresses internally. It is, however, necessary to assign an IP address to the external port to allow it to communicate with Panda’s update servers, and also to the internal port to provide secure management connectivity from inside the corporate LAN. We would prefer to see a dedicated management port available for these functions, obviating the requirement to assign any IP addresses to the detection ports. All initial configuration of the device is performed via the Web-based GUI (via a secure HTTPS connection), having first set the IP address on the management PC to match the default setting of the GateDefender configuration IP. There are no set-up Wizards, but set-up is so straightforward that they are not really necessary. It is possible to restrict management access to specific IP addresses and/or subnets. A recovery CD provides the means to completely re-install the appliance software should that prove necessary (following disk corruption, for example). Once configured, the GateDefender appliance can only be accessed via the Web-based GUI - no direct console or SSH access is provided. Documentation is good, comprising a Quick Install Guide and User Guide - and is provided as PDF files only. The level of detail is good, and we found coverage of all the main features to be reasonably comprehensive and very clear. Configuration is straightforward using the Web-based GUI, which consists of a text-based menu down the left of the screen, and a data-entry pane on the right. Where multiple sub-menus are offered for a main menu entry, these are shown in the data-entry portion of the screen as icons. Clicking on an icon takes you to the appropriate data-entry screen.
The System Settings menu option allows the administrator to set the GateDefender name, network (external) IP address, configuration (internal) IP address, user name and password, and load balancing parameters. There is no concept of user accounts or granular access - a single user name and password is all that is available to protect console access. Once all configuration has been performed, it is possible to export settings to a file on the local management PC. These settings can be imported to another device to ensure consistency of security policy, or re-imported to the same device in case of data loss. Updates to both system software and to definition files (for malware, spam and Web filtering) are performed regularly - every 12 hours for system software and every 90 minutes for definition files. An e-mail can be sent to the administrator with the result of each update, and it is also possible to perform an update on demand. The License Management screen allows the administrator to view current license status and to renew licenses for those which are about to expire. GateDefender will only initialise those engines for which it has a current license, and this can cause problems. During our tests, the device was unable to access the Internet from our test network as it booted, meaning it was unable to verify the status of the Web filtering license (this could also happen in a live network, of course, given temporary communications failure during boot-up). The result was that the Web filtering engine failed to start, but there was no indication of this anywhere in the GUI or the log files. It required some advanced troubleshooting to resolve this issue, which is unacceptable - there should be some very prominent warnings on the System Status screen to indicate when engines have failed to initialise for any reason. 
Other configuration options include the ability to view internal log files, restart the system services (security modules) or restart the entire system, as well as access the following:
It is also possible to customise all of the various warning texts and messages, including Web page replacement text, e-mail warning messages, and so on. There is no centralised management system included with GateDefender, and the Web-based GUI is focussed entirely on managing a single device at a time. For this reason, the concept of “security policies” does not really exist. Each device can be configured directly, and the protection settings can then be exported to an external file. This provides the means not only to backup and restore configuration settings, but also to store off-line multiple different configuration settings for different scenarios and load them as required. It is also possible to transfer standard settings between multiple physical devices by importing a single set of configuration settings to each one, and just changing IP addressing information accordingly.
Once the various modules have been configured, the Status screen shows very clearly, with a grid composed of green ticks and red crosses, exactly which protection modules have been enabled and disabled. This screen also shows the date of last update, current license status, and a list of warnings which require action from the administrator (such as “default password not changed” or “cannot connect to the update server”).

Anti Malware

The Anti Malware engine on GateDefender is written by Panda, and the database is updated automatically on a regular (often daily) basis. The Anti Malware software intercepts and scans HTTP, FTP, SMTP, POP3, IMAP4 and NNTP traffic for a wide range of threats, including:
Most of these threats have their own check boxes, allowing the administrator to disable scanning for jokes, for example. It is also possible to enable or disable scanning of individual protocols. Viruses can be detected via specific signatures or heuristic scanning, the latter being designed to intercept suspicious virus-like traffic for which there is no signature available. We found the heuristic scanning to be fairly inaccurate, and it was disabled for these tests for performance reasons. In comparison, the signatures appeared to be very accurate, and overall coverage was excellent. The product also scans in compressed archive files and nested archives, and trusted sites and domains can be specified to allow mail traffic from those domains to pass without scanning.
The Anti Malware engine can scan files with specific extensions only, if required, or can scan all file extensions. When scanning specific file extensions, an extensive list of “suspicious” extensions is already entered into the GUI (it can be amended easily), but it would be useful to have an exclude list as well, so that all extensions except those listed are scanned. The only other setting required is the action to take when malicious code is detected. These options are:
GateDefender implements intelligent restriction of “fake-from” messages (fake messages generated by worms) and messages sent by mass-mailing worms, which are deleted automatically when they are detected, regardless of the action configured by the user. When such a message is deleted, GateDefender replies to the mail server that tried to send it as though the message had been delivered correctly, so that the server does not retry constantly. There is no quarantine capability in the current release, which some may see as a serious shortcoming. This capability will be added in a future release.

Anti Spam

Anti Spam software prevents undesired advertisement or offensive e-mails from entering the network undetected.
GateDefender will scan for spam on SMTP, POP3 and IMAP4 protocols - a check box against each allows the administrator to enable or disable as required. GateDefender will scan all mail which passes through it by default, but if internal domains are configured correctly, it is possible to scan either inbound mail, outbound mail, or both. The sensitivity level of the anti-spam protection specifies the tolerance level of the protection to suspicious files. The higher the level of sensitivity, the higher the protection, but the risk of a legitimate message being classified as suspicious is increased. This setting also affects whether a message is flagged as “spam” or “probably spam”, depending on the content scanned. During testing, we checked the “Medium Sensitivity” box, which gave a good balance between detecting genuine spam and allowing legitimate e-mail to pass. When spam is detected, GateDefender can perform the following actions:
The Whitelist and Blacklist options can be used to control which domains or e-mail addresses the appliance always identifies as spam, or never checks for spam. Unfortunately, wildcards cannot be used in these lists, and nor are per-user white/black lists (WBL) available in the current release. Spam is often linked with senders or domains that are included in the Web Filter, or includes content that is defined as unwanted in the Content Filtering module. We thus found that, even with the Anti Spam module disabled, GateDefender still detected a significant amount of our spam corpus via the remaining modules. As with the Anti Malware module, there is no quarantine capability in the current release, making it very difficult to rely on GateDefender to delete e-mails - most will probably prefer to have it flag messages as spam and have them dealt with by a desktop filtering solution. Quarantine capabilities will be added in a future release.

Content Filtering

Content Filtering in GateDefender is actually split into two separate engines - Web Filtering and Content Filtering. Unlike other anti-malware protection, Web filtering can be enabled even when the Anti Virus engine is disabled. Web Filtering enables GateDefender to block or allow access to Web sites based on criteria selected by the administrator. Internet content is divided into a number of Categories and sub-Categories, and all that is necessary is for the administrator to check the “Enable” box, and check the Categories or sub-Categories which are to be restricted. When a computer in the protected network attempts to access a Web site, the appliance references the Web Filter database and enforces the actions defined for the selected Categories. Access can be blocked (with the target page replaced by a customisable warning), blocked and logged, or logged only. Pages can be reported as false positives via a hyperlink on the Web Filtering report.
White lists and black lists are available to override URLs, domains or IP addresses to always block, or always allow access. It is also possible to create a list of “VIP users” for whom no access restrictions will be applied. One element of the implementation which caused us problems is that it is currently necessary to have an active Internet connection before the Web Filter module will initialise. If the module is activated without a connection, the engine cannot authenticate and Web Filtering will not operate. Unfortunately, this state is not reflected on the Status screen - the module still shows as being activated, and it is actually quite difficult to determine that it is not. It would be better if the Status screen showed not only which modules have been configured to be active, but which ones are really active at any given point in time. Via the Content Filter module, GateDefender is also capable of monitoring and filtering the content of e-mail attachments, Web sites, FTP transfers and newsgroups. Each of the protocols (HTTP, FTP, SMTP, POP3, IMAP4 and NNTP) is enabled or disabled using check boxes. This module goes much further than many of the basic content filtering modules included with the competition, however. The File Filter option, for example, ensures that any files transferred via HTTP or FTP are safe by prohibiting the following:
The HTML Page Filter deletes potentially dangerous items from HTML files. If this filter is enabled, it can be configured to delete embedded scripts in the code of HTML pages or delete references to external scripts.
The mail and news protection within the Content Filter engine allows GateDefender to control those messages and attachments allowed in and out of the corporate network. For each mail protocol (SMTP, POP3 and IMAP4), it is possible to select the mail type (Inbound or Outbound) and enable the following filters:
The following actions are possible when malicious content is detected:
It is possible to specify Trusted Sites and Domains to allow traffic from certain domains or Web sites to be excluded from scanning by the Content Filter engine. Whenever GateDefender has been configured to produce a report, an entry is created for the specific module which detected the malicious traffic:
A summary of all events is displayed on the Activity screen, under the following headings:
A button allows counter values to be reset at any time. A hyperlink against each section (excluding System Activity and Card Traffic) provides a direct link to the detailed reports for that module (see following section).
There are no specific alert handling capabilities, however. It would be nice to see a single alert screen where the most recent events from all modules can be viewed and manipulated, sorting on different columns, filtering to show all alerts from a specific IP address, and so on. GateDefender generates a series of reports that contain the events detected by each security module, as well as system messages:
These can be accessed directly from the Activity screen, or via the Reports menu option. Each report is a basic HTML page with a plain text list of the events detected. Naturally, the information presented by each module is different, but each event generally contains the date and time, description of the event (the virus name or the spam subject line, for example), file name, sender/recipient (in the case of e-mails), action taken (blocked, redirected, logged, and so on) and protocol. A hyperlink alongside each event provides access to a display of all the data fields for that event - far more readable when investigating individual alerts. The columns are all fixed-width, and cannot be expanded or reduced if the data is too wide for the column, which is occasionally inconvenient. The report can be sorted on any particular data field by clicking on the hyperlink at the top of the required column.
A filter can be applied, allowing the administrator to select a subset of records based on a date range, virus type, subject line, sender, recipient, protocol, URL, Web Filter category, source IP, action taken, and so on (different selection criteria are presented for each different security module). Once the filter has been applied, the new report contents are displayed. It is possible to save a filter as the default, meaning it will be applied automatically each time a report for that security module is run. However, it is not possible to save multiple filters for recall - only a single default filter can be saved. The contents of the report can be cleared by clicking on the “Clear Report” button at the bottom of the window. However, when each report is cleared, the data is lost forever - there is no long-term trending or analysis. In fact, these reports are more suited to daily alert handling. There are no graphical or trending reports for management, and no capability for scheduling reports for production on a regular basis, or storing them/exporting them elsewhere in different formats (HTML, PDF, and so on). Overall, we would consider the reporting capabilities to be very basic.

Performance

With a capacity of over 31,000 TCP connections per second, over 11,000 SMTP sessions per second, and an effective bandwidth of 1Gbps, the basic GateDefender appliance would perform well in a Gigabit environment. Over 1.1 million concurrent TCP connections are supported. Latency is in the region of 67-94µs with 512 byte packets, which is outstanding for a device designed for the network perimeter. As you would expect, performance is at its worst once all modules are enabled. With all modules enabled, maximum TCP connections per second were around 700, and effective bandwidth was 167Mbps. However, we consider the overall performance to be acceptable for a device of this type.
Security Effectiveness

GateDefender was very straightforward to configure, though the Web-based GUI is restricted to managing a single device at a time. URL category filtering was excellent, with 95 per cent of our “bad” URLs being detected and no overblocking evident during our tests. Categorisation seemed to be reasonably accurate. HTTP and SMTP content filtering and file blocking both performed flawlessly, blocking 100 per cent of bad content with no incidents of false positives. The Content Filtering module is very powerful and flexible. Malware scanning was excellent, with 100 per cent of our WildList virus samples detected and blocked successfully with accurate signatures, whilst 85 per cent of the zoo virus samples were detected successfully. Finally, Anti Spam capabilities also performed well, with 92 per cent of the live spam samples in our test suite detected and blocked successfully.

Usability

The main omissions from the current product are the quarantine facilities for the Anti Malware and Anti Spam modules. The administrator needs to place a great deal of trust in these if he wishes to prevent malicious traffic from reaching the end user, without risking losing valuable data via false positives. We are told that this capability will be added to a future release, however. We also found alert handling to be almost non-existent, and reporting to be very basic. Although some would argue that a prevention device such as this needs only prevent the intrusions and not report on them, we believe that many administrators would benefit from more extensive tools than are available with GateDefender. For alerts, a simple list of the most recent alerts for all modules and the ability to drill down from that list and save filters for re-use would be useful. Clearing data from this list should not clear all historical data.
Reporting needs to be more flexible, providing historical reporting and trend analysis, perhaps with graphical reports for management, and the ability to define and save custom reports and schedule regular report runs. Finally, there is no centralised management and reporting capability for those sites which deploy multiple devices. Apart from this, the GateDefender GUI is extremely intuitive and very straightforward to use without ever having to resort to the manual. It is always hard to understand how some vendors can make their management interfaces so opaque and obscure - they need to take a look at GateDefender to see how to make life simple for the administrator. The operation is fast and does not rely on Java, making it easy to run from almost any browser on the network. On this point, we would prefer to see a dedicated management port rather than rely on managing and updating via the sensor ports. Configuring the device is simple - we were up and running within 10 minutes - and all configuration settings can be exported as a backup or for importing into additional GateDefender appliances.

Company name: Panda Software International