Anti-malware 2008

Last year I predicted that this year we would see almost no pure anti-malware gateways. I’ll eat a bit of crow for that prediction, but only a bit because the trend continues. We saw nowhere near the number of products this year that we saw last year.

That does not mean that the anti-malware gateway product vendors are turning out lackluster products. Far from it: the products we saw were slick, well conceived and easy to set up and manage. The big strength of these gateways is their ability to manage endpoint anti-malware products, as well as provide a solid gateway. This all led me to consider why the convergence trend has slowed.

First, the trend toward a single gateway device — a sort of super-UTM — impacts the concept of defense-in-depth badly. Leaving the UTM as the only device at the perimeter forces one to extend protection to the desktop in order to achieve defense-in-depth.

Extending anti-malware protection to the desktop requires some way to manage large numbers of endpoints centrally. These anti-malware gateways don’t provide what is needed in that regard. They do not, for example, provision current signature sets to endpoints or force automatic updating as a way of keeping endpoint malware protection current.

Rather, these products filter at the gateway based largely on protocols that attempt to pass the perimeter in either direction. In order to manage the endpoints one needs an anti-malware management product. Understanding the difference is important.

The products we looked at have a wide variety of interesting capabilities. For example, some used the notion of reputation to decide whether a particular website is likely to be a malware risk. At least one product does not require periodic updates. Instead it communicates with a server back at the vendor to check for the most current status of a website. This is a refinement on the use of reputation to determine risk.

Buying a gateway

My first piece of advice is to set your expectations correctly. What do you want to accomplish? If, as I pointed out already, you want to manage and correlate endpoints, this is not the right type of product for you. However, if you want to add a robust malware filter that operates in a variety of ways, this product group may be a good bet.

For example, if you have the problem of employees surfing the internet and then connecting to a secured network and possibly cross-contaminating the secure network, use a gateway to prevent the infection in the first place. Coupled with anti-malware at the endpoint you’ll have robust protection. However, do not expect your anti-malware gateway to manage that endpoint.

We found that focusing on the web covered almost all of the malware threats we considered. However, the issue of email is not to be forgotten. While there are competent email filters, a lot of email is exchanged using some form of webmail. The classic example of this is the employee who checks their Yahoo account while at work, picking up an infection and then contaminating the entire enterprise. For that, these products shine.

My second piece of advice is to be sure that you know what your throughput at the gateway needs to be. These generally are inline appliances, and on large networks you should make sure that you’ve selected a product that won’t increase latency unacceptably.

How we tested

For this group we were not concerned about such things as catch rates. We have found, over years of testing, that products of the quality we were looking at usually all had similar catch rates. We set the products up in our network test bed and noted how easy they were to set up and manage. We also looked at how they performed their assigned tasks. In that regard, we found some innovative approaches.

We were mostly concerned with things such as how updating occurs, what technology is used to catch malware, and how the device is managed. Reporting and alerting also were important to us. Finally, we wanted to know what types of malware the product caught. Overall, we were impressed with the clever ways that these gateways do their jobs.

Managing malware at the perimeter is a difficult problem and, frankly, I question whether it can be built into a UTM effectively. Time will tell whether I’m right. For now, just keep the crow warm. I may need to eat a bit more of it next year at this time.

John Aitken and Mike Stephenson contributed to these reviews.