Good security practices rarely earn money for anyone, but they’ve helped many companies minimize losses due to accident or sabotage. One of the keys to good network security is establishing defenses inside your enterprise’s perimeter. An enterprise network manager who relies solely on perimeter defenses is ignoring the growing body of evidence which suggests that internal threats are just as dangerous as external ones.
A critical tool for establishing interior defenses is the desktop (or personal) firewall. These devices are generally software-based monitors built to run under Windows. Today, with even dial-up users regularly being pinged and probed, desktop firewalls have joined anti-virus utilities as indispensable tools for any user, consumer or corporate.
If that sounds familiar, Sybergen Networks Inc. has something that may interest you. The company is offering a centrally managed set of tools in its Sybergen Mobile Workforce Solution, a suite consisting of the recently released Sybergen Management Server 1.0 and Sybergen Secure Desktop 2.1, formerly SyShield.
Of course, when you’re implementing any desktop technology, management features are paramount. Whether you’re rolling out software to five desktops or 5,000, you probably don’t have the resources to go from desk to desk. The Mobile Workforce Solution gave us enough problems in this area to limit its score to Good. But we also wouldn’t be surprised to see it mature quickly in this highly competitive marketplace.
We tested Mobile Workforce Solution with Windows 2000 Advanced Server and Microsoft Data Engine, and we used Windows NT 4.0 Workstation for our client testing. As part of the installation, the client files for Secure Desktop are copied to the server; you’re also given an opportunity to edit the configuration file that clients will use immediately following installation. Among other things, you can enter the IP address of the Management Server and those of your mail servers in order to use the notification features, although we would rather see the software use a DNS name, because IP addresses change, whereas mail servers often do not.
Once the software was installed, we could work without having to reboot the server, which is a plus in anyone’s book. We found it easier to set the slim (but highly illustrated) documentation aside and instead start probing the Java-based interface. But we still encountered some problems along the way: For example, selecting objects in the tree view of our managed devices required us to click the group icon, but selecting a client inconsistently required us to click the host name.
Still, it was relatively easy to create strong global policies that you can then modify in group policies to suit the needs of departments, mobile users, or other factions. Whether your computers are desktops or mobile units, they can belong to only one group; unfortunately, the software doesn’t let you assign group membership in advance of the first connection to the network. Therefore, it’s best to have your global and default policies (these are separate constructs) set as strong as is reasonable.
The client’s configuration settings are stored in the local registry and updated by the agent when global or group policy changes occur. The client UI can be password-protected or removed from the client altogether to ensure that users can’t monkey with settings unless you want them to.
But one problem we found was that when we created groups in the Management Server’s browser interface, they didn’t pick up our global settings until we changed the settings themselves. In an enterprise environment, this might cause numerous unnecessary configuration changes to flood your network.
The Management Server’s monitoring tools could use some work, too. The only way to aggregate statistics for clients is via the defined groups, although the interface does lend itself to easy visual presentation of data, such as a pie chart of suspected attacks, for example. Of course, because the data store is relatively open, enterprising users might find it easier to design reports to fit their own needs.
One change we would like to see is an improvement in the way security is handled when the Management Server is offline or can’t be reached because of network traffic or a routing problem. A default setting of High security (which allows Web browsing) or Ultra High security (which effectively cuts one off from the Internet unless the Management Server can be reached) should be implemented. Of course, you would disable this setting for mobile users who are regularly connecting and disconnecting.
Sybergen’s Mobile Workforce Solution isn’t perfect, but it’s a reasonable first start. We would like to see the management interface cleaned up. The software also has numerous little problems with server and client configuration that we don’t expect in an enterprise-class product. At $60 per seat, Mobile Workforce Solution probably isn’t something you’d want to deploy to every desktop until these issues are resolved. But as a mobile users’ product, it offers enough flexibility to allow those users to connect and disconnect from your network without resorting to hair-pulling — which is a compliment in itself.
P.J. Connolly (email@example.com) thinks the lockdown style of desktop management should be applied to everyone else.
THE BOTTOM LINE: GOOD
Sybergen Mobile Workforce Solution
Business Case: As do other critical desktop tools, personal firewalls require centralized management if security policies are to be implemented effectively. This security management tool isn’t cheap, but neither is rebuilding your systems after an attack.
Technology Case: Centrally managed security tools such as Sybergen Mobile Workforce Solution attempt to provide flexible management that accommodates always-connected desktops and usually unconnected mobile computers.
+ Provides central management point
+ Accommodates multiple security profiles
– Management interface behaves oddly
– Group settings don’t properly load global settings at creation
– Reporting tools are inadequate
– Uses IP addresses instead of DNS names
Cost: $60 per node, volume discounts available
Platform(s): Secure Desktop: Windows 9x/2000, Windows NT; Management
Server: Windows 2000, NT Server with MS Data Engine, SQL Server 7.0
Sybergen Networks Inc., Fremont, Calif.; (510) 742-2600; http://www.sybergen.com.
Prices listed are in US currency.