This month we tested secure content management (SCM) products. As defined for this review, secure content management devices are gateway devices that have multi-feature/multi-purpose functionality, which includes filtering incoming and outgoing traffic for malicious code, inappropriate content and network attacks. These devices are becoming indispensable because they protect an organization from the most likely causes of a security breach.
Secure content management protects an organization from malicious code outbreaks by scanning email, web and file transfer traffic for viruses and worms. SCM devices also protect an organization from unauthorized use of systems. In this case, SCMs protect an organization from client-side exploits.
Client-side exploits are attacks which require a user to visit a site either through email or through web traffic. Once the client arrives at the site, a compromise is launched, which allows the attacker to take complete control of the device. A variation of the client-side exploit is the phishing attack. A phishing attack differs because the attacker is trying to steal the client’s information, such as credit card or Social Security number, as opposed to exploiting the machine to take control of it.
SCM devices also protect an organization from inappropriate use. Inappropriate use can happen in one of two ways. The more common is for a user to access the existing internet connection
to browse inappropriate websites, for example, those sites with adult content or sites which are non-business related, such as gambling or sports. Inappropriate use can also be a user installing unlicensed or unauthorized software onto their client machine. SCM devices protect against both types of inappropriate use by filtering URLs from clients to only allow the client to go to permitted websites.
One of the best examples of the inappropriate usage protection a SCM device can offer is the filtering of anonymizer sites, which allow the user to browse a second site inside of a web session on the first site. These pseudo proxies exist to allow users to bypass the content filtering of an organization. Most SCM devices block access to these types of sites.
Another security feature of an SCM product is protection from denial-of-service attacks. SCM devices achieve this by scanning any web downloads for malicious code before the code enters the organization’s client network. SCM devices do not, however, protect against resource starvation attacks, such as a SYN flood or the distributed denial-of-service attacks of the early 2000s.
SCM devices also safeguard an organization from spam emails. Most SCM devices use a combination of blacklists, whitelists, heuristics, reverse domain name service (RDNS) checks, sender policy framework (SPF) checks, as well as learning mechanisms which update the spam filtering by incorporating data learned from spam reporting sites, as well as learning from legitimate email.
How we tested
Most of the products submitted for this Group Test were appliance-based. However, we did have some software-based solutions as well. We installed the products into our test lab, looking for ease of installation, ease of configuration, quality of documentation and features provided. Once each device was installed, we attempted to change the rule set to allow or block sites that were included in the default filtering list.
The installation of these devices varied as did the type of offering. The SmoothWall offering used a hardened Linux platform to run its SCM package, while the CA offering used a Windows 2003 Advanced Server. The other offerings were appliances. The McAfee product used a keyboard and VGA connection to open the initial configuration. The CP Secure and eSoft offering each used the LCD panel on the front of the device to assign an IP address for initial setup. With the exception of the CA product, the primary configuration interface for all of these devices was a web-based interface.
The web interfaces were actually quite different from one another. Some web layouts were logical and easy to follow, while others were so complex it felt as if a training course was needed just to perform the simplest configuration tasks.
In addition to the wide range of platforms, the prices of the devices varied greatly. Despite the price range, we were able to find advantages to each offering and the mid-priced devices — the McAfee Secure Internet Gateway 3000 at $2,395 and the eSoft ThreatWall at $3,299 — were rated as the Best Buy and Recommended, respectively.