Should you buy a security appliance?

Should you buy a security appliance?

By Brian Livingston

If you’d rather spend your time using Windows for work or play, rather than spending a lot of time configuring different security products to protect you from hackers, you might be interested in a fairly new category of product called security appliances.

Interestingly, two major computer magazines are just now coming out with lengthy reviews of such products. In its July 2005 issue, PC Magazine reviews Unified Threat Management (UTM) appliances, which reside on a wired network outside ordinary firewalls. Meanwhile, Network Computing Magazine in its June 23 issue tests wireless security monitors, which scan your airspace for unauthorized Wi-Fi activity.

As soon as I saw these test suites, I wondered, “Do these results mean I should change the Security Baseline?” The Security Baseline is a feature I print, below, in every issue to advise you on products you must add to Windows for protection against hackers.

For home users and very small businesses, the answer to the above question is clearly “No.” Security appliances replace the category of products we call hardware firewalls. For a single Internet user, or a local area network supporting only a handful of users, the firewalls we list in the Security Baseline (if properly configured) provide strong protection, when used in combination with the recommended software.

For small to medium-size businesses, appliances are worth considering if you’re in the market for a security expenditure around $5,000 or so. Add to that the cost of professional installation, whether it’s performed by your own in-house admins or outside consultants.

Buying and installing security appliances can reduce the need to buy conventional firewalls. It doesn’t, however, eliminate the need for security software. Viruses and Trojan horses don’t necessarily get into your company via a Wi-Fi or wired Internet connection. Any laptop, handheld, CD, DVD, or USB thumb drive that walks in the door and communicates with one of your computers can infect you just as quickly. Be sure to read the section “Perimeter protection isn’t enough” at the end of this article for details.

Having said that, let’s look at the award-winning appliances that some seasoned reviewers have been kind enough to test for us.

UTM appliances combine security functions

PC Magazine rates four different UTM products, all falling generally within a $3,000 to $4,000 price range. The Editors’ Choice winner, the Astara Security Gateway 220 (photo at left), has the largest capacity, handling networks with throughput up to 280 Mbps. Its $4,035 direct price includes a license for 50 users.

All four of the reviewed products offer a combination of firewall, antivirus, antispam, Web content filtering, VPN, and intrusion prevention or detection. The Astara device’s antivirus service is from Kaspersky Labs, while its spam protection is from McAfee.

The rankings for all the reviewed products are:

• Astaro Security Gateway 220 (Editors’ Choice, Score: 4.5/5.0)
• Fortinet FortiGate 200A (4.0)
• ServGate EdgeForce (4.0)
• SonicWALL Pro 2040 (3.5)

The full text of PC Magazine’s article appears in its July 2005 print version but wasn’t posted on the magazine’s Web site by our press time. You can see the magazine’s reviews online for two of the top-rated products, Astaro and Fortinet, in addition to a sidebar entitled How We Tested. Reviews that the magazine published in 2004 are also available online for ServGate EdgeForce and SonicWALL models (which may vary from the models rated in July 2005).

Wireless monitors detect intrusions

Network Computing reviews five products it calls “distributed wireless security monitors.” These are also known as “overlay products,” because they use a central computer and a series of remote wireless sensors that are separate from (overlaid on) your access points. The overlay devices attempt to detect unauthorized access points and efforts by hackers to break into your Wi-Fi network.

The review, conducted by the magazine’s Real-World Labs and written by Frank Bulk, omits “integrated” systems from vendors such as Airespace and Aruba. Integrated products, which make your existing access points do double-duty by adding a monitoring role, cannot perform as well as a dedicated set of sensors, the magazine found.

“Very security-conscious organizations, highly regulated companies such as those in financial services and health care, and government facilities dealing with sensitive information should consider an overlay approach,” Bulk writes.

The magazine awarded its Editors’ Choice to AirMagnet Enterprise (photo at left), with a top score of 4.15 out of a possible 5.0 points. “Organizations looking for a strong wireless IDS [intrusion detection system] with some diagnostic capabilities will want to evaluate AirMagnet,” the review says, “and government facilities with higher security needs might rest easier knowing that AirMagnet is the only vendor in the beginning stages of FIPS 140-2 certification.” FIPS is a U.S. government certification program explained in a Network Computing sidebar.

Aside from the top winner, an intriguing Best Value award was given to a competing product, Network Chemistry RFprotect System 4. That offering came in a close third, with 3.93 points. “RFProtect’s well-rounded capabilities and bargain price make it an easy sell,” the magazine says.

To compare prices among the five reviewed products, Network Computing estimates the cost of three separate scenarios, including all first-year software and hardware support. Network Chemistry’s systems pencil out at about 60% the price of AirMagnet’s. The smallest scenario includes six probes, covering a typical office building of five floors, each floor spanning 50,000 sq. ft. (4,645 sq. meters), and each having three access points. Network Chemistry’s system works out at $5,772 while AirMagnet’s is $10,545.

The rankings for all the reviewed products are:

• AirMagnet Enterprise (Editors’ Choice, Score: 4.15/5.00)
• AirDefense Enterprise 6.2 (3.98)
• Network Chemistry RFprotect System 4 (Best Value, 3.93)
• AirTight Networks SpectraGuard Enterprise 3.0 (3.45)
• Highwall Technologies Enterprise 3.0 (2.80)

The full review is in Network Computing’s June 23, 2005, issue.

Perimeter protection isn’t enough

For those companies with the need for an all-in-one approach, the security appliances described above can be attractive. It’s essential that you realize, however, that not all hacker threats come in via an Internet connection.

Perimeter security, such as provided by firewalls and intrusion-prevention systems, can’t guard against all forms of mobile code. If a user attaches a laptop to your network or runs an infected program from a CD, you can catch a nasty bug.

PC users need good internal protection, such as software security suites and antispyware programs, to guard against malware that enters the network from a client PC. Combined with good perimeter defenses, this is the only way to assure yourself of well-rounded protection. Our Security Baseline section, below, summarizes the latest ratings by trusted reviewers of such defensive software.

To send us more information about security appliances, or to send us a tip on any other subject, visit WindowsSecrets.com/contact. You’ll receive a gift certificate for a book, CD, or DVD of your choice if you send us a comment that we print.

Brian Livingston is editor of the Windows Secrets Newsletter and the coauthor of Windows 2000 Secrets, Windows Me Secrets, and eight other books.

Finding the right silent-PC products

By Paul Thurrott

The need for silent computing is sweeping the planet. Rather than put up with ringing ears, turbine-like power supplies, and vibrating system components, PC users are striking back and demanding more of PC and computing makers. Looking for a little silence? Here’s some more relief.

In the last issue of Windows Secrets, I discussed the joys of silent PC computing in general terms, describing the various parts of a typical PC that are most often responsible for excess noise. I received a lot of great feedback from readers, all of whom have had similar epiphanies about the need for leading quieter lives. But many wanted specific advice. So this time, I’d like to examine some of the silent computing products that have been reviewed online, and discuss some of the products I’ve purchased personally.

Building your own silent PC

I mentioned that major PC makers such as Dell and HP are a good source for silent or quiet PCs. But if you’d like to build your own PC, HTPCNews.com, a Web site for home theatre (HT)/Media Center PC enthusiasts, has published an interesting guide for building a silent PC. As Brad Gilomen of HTPCNews.com notes, “an HTPC is something you will want to be as quiet as possible.” But there’s no reason you can’t use the advice in this guide to build any kind of silent PC.

Getting a quiet power supply

In newer PCs, power supplies are often fairly quiet and unobtrusive. But if you’re building a new PC, or wish to upgrade an existing PC with quieter components, you’re going to need to do some research. To that end, Silent PC Review has an exhaustive overview of power supply fundamentals and recommendations that’s regularly updated. You might also want to check out BuildSilentPC.com’s article, Quiet Power Supply, though it hasn’t been updated since last fall.

If you’re using Dell equipment, I’ve had good success with PC Power & Cooling Dell-replacement power supply products. Dell’s more recent PCs are far quieter than they used to be, however.

Cooling your CPU and video card

Because of the heat they generate, your PC’s microprocessor and, on newer systems, video card, often sport enormous fans and heat sinks. The situation here is simple: Find the quietest solution you can. Unfortunately, the heat sink/fan combinations your system requires will vary based on your processor and video card models.

MADSHRIMPS has a nice roundup of fans/heatsinks for Athlon-64-based systems, with similar articles for Pentium 4-based systems and Pentium 4 Socket 775-based systems. These comparisons are great because they measure noise-related data, which can be compared to the overall cooling efficiencies of the fan/heat sinks.

On the video-card front, manufacturer fans are often getting bigger and more efficient. But if the goal is quieting down the fan — typically by replacing it — then research, again, is key. It’s hard finding up-to-date data about video-card cooling solutions — sometimes incongruously referred to as VGA coolers. MADSHRIMPS, predictably, has a great roundup of graphics card coolers, though it’s over a year old.

Shushing your hard drive

Because of their rapidly moving parts, hard drives can generate a lot of vibration. This moves into your PC’s case, causing noise. Some hard drives are also just noisy by nature, so look for drives with slower rotational speeds and lower heat production. Major hard drive makers are now touting the “advanced acoustics” of newer models, so it’s likely you’ll see better results out of the box with more modern drives. For example, Western Digital uses something called WhisperDrive technology, while Maxtor talks up its Quiet Drive.

There are generally two ways to reduce hard drive noise with existing drives: use an enclosure, or physically connect the drives to the PC using sound-dampening connections.

While I have heat concerns about enclosures, they do address both sources of hard drive noise. The SilentDrive has reviewed well in The Register and The Hardwire. You can purchase the SilentDrive at QuietPC or New England Digital Computers for about $30.

If an enclosure seems like overkill (perhaps because your hard drive is operationally quiet), you could still improve matters with hard drive isolation mounts, which limit the amount of noise that’s generated by vibrations. I use and recommend the Noise Magic NoVibes III HDD Decoupling Rack (it’s a German company), which uses a combination of thick rubber bands and cork/rubber pads to physically suspend your drive and isolate it from the PC. Check out Silent PC Review’s review for more information. You can purchase the NoVibes III HD Decoupling Rack from Silicon Acoustics for about $30.

Fixing other heat and noise sources

Older CRT-based displays are large and heavy, and they also tend to throw off a lot more heat than LCD displays. If you can afford it, upgrade to an LCD display for something quieter, cooler, and less heavy. Or, when your CRT eventually dies, upgrade to LCD at that point.

If you’re using hard drives that predate Serial ATA (SATA), you might consider purchasing rounded hard drive cables (and even rounded floppy drive cables. Thesecan help overcome the airflow-blocking quality of the flat ribbon cables used by IDE-type drives. I should note that there is some controversy over the effectiveness of these cables. If you’ve ever gone fishing, however, you’ll understand why flat ribbon cables can be such a heat-flow problem: Pulled through the water normally, a fish is quite aerodynamic, but if you try to pull it lengthwise, you might as well be trying to land a barn door. Short-Media has a nice write-up about round ribbon cables. They’re generally inexpensive and can be found at almost any electronics retailer or etailer.

Regardless of which type of drive cables you’re using, make sure the cables are routed correctly to maximize airflow. Stagnant air will increase the PC case’s inside temperature, ultimately causing fans to kick in and raise the system’s noise output. For more common sense advice like this, check out eHomeUpgrade’s Build Your Own Silent PC article.

Paul Thurrott, associate editor of the Windows Secrets Newsletter, is the author of Windows XP Home Networking, 2nd Ed., and Great Digital Media with Windows XP and the author or co-author of several other books.

No Web browser is completely secure

By Chris Mosby

The headline above probably sounds like a broken record. I know I’ve said it many times and written it probably even more.

You’ve probably read the same statement in other newsletters or Web sites about Windows. Why is the statement so important? It’s because it is completely true.

A good example of that was revealed last week, as I discuss below.

The thing to remember here is that if there is a vulnerability to be found in a Web browser — or any piece of software, for that matter — a hacker is going to find it and try to exploit it. The first thing to do is exactly what you are doing now: subscribing to this newsletter and keeping informed about what threats there are out there so you know to protect yourself against them.

Browsers suffer from open dialog spoofing

The exploit I mentioned above was discovered last week by Secunia. They report a vulnerability in all widely used browsers, which can allow a hacker to make dialog boxes that look like they were opened by a trusted Web site.

This is due to a problem in JavaScript. Dialog boxes that are launched by that language do not show their origin Web site. Used with other exploits — or on its own — this exploit can be used to gather personal information from people who believe they’re entering data into a trusted Web site.

This vulnerability is known to affect Internet Explorer, Mozilla, Firefox, Camino, Opera, Safari and iCab. Secunia has a vulnerability test page so you can test your browser of choice, even if it’s not in the above list.

How the dialog origin vulnerability works

Secunia’s Web site uses the following diagram to show the three steps that occur in the exploit:

Step 1. The user visits a malicious Web site.

Step 2. The user then follows a link to a trusted Web site.

Step 3. After a while, the malicious Web site (which was opened in step 1) opens a dialog box in front of the trusted Web site, appearing to be from the trusted site.

Until this weakness is corrected in upgrades to the browsers listed above, one way to avoid the problem is not to hyperlink from sites with unknown reputations to any site where you make financial transactions. Visiting a site you aren’t familiar with, and then following a link from that site to an online banking site, for example, can expose you to this security hole.

Frame injection still a problem in browsers

As was discussed in the last newsletter — and last reported in this column on Feb. 10, 2005 — multiple browsers are affected by a frame injection vulnerability. This was first discovered in 1998 and has been unintentionally re-introduced into various browsers’ code off and on since then.

There was a lot of press coverage about its re-introduction into Firefox with version 1.0.3. Many people, however, have forgotten that this kind of vulnerability has gone unpatched in Internet Explorer since the problem was discovered almost exactly one year ago.

As far as Firefox goes, a released version of 1.0.5 that fixes this problem is still not available. However, test builds of 1.0.5 have been available since June 20th, if you don’t mind using beta software.

For the most up-to-date information on this vulnerability and a free test for your browser, see the Secunia advisory.

Chris Mosby is a contributor to Configuring Symantec Antivirus Corporate Edition and is the Systems Management Server administrator for a regional bank. In his spare time, he runs the SMS Admin Store.

A bit of help for the Help files

By Susan Bradley

The week after Patch Tuesday typically is when more subtle issues of patches start coming to light. This post-Patch week was no exception.

For the first time in a long while, my patch-testing process missed finding that a function in one of my company’s applications was broken.

The Help function in our tax-preparation program being nonfunctional was reported by a person in the office after I’d deployed the patches. Knowing what I’d done to my workstations and the timing of the issue, along with reading the bulletin in question just the week before, helped me greatly in coming to a fast and quick resolution.

I’ll describe my troubleshooting steps in this week’s Patch Watch. Hopefully the process I went through will help you identify and fix similar patch issues quickly.

When it worked and stopped working

When I was informed that the Help menu inside our tax program wasn’t working, I immediately launched the software in question to confirm that the issue was reproducible on my machine as well as by the person who was calling me. I knew that it had worked relatively recently. Going to another machine to confirm the issue meant that something had changed.

I then did something a bit unusual that made me immediately suspect what the problem was. I could tell that the Help area that was now blank was Web-based. So my first thought was that the issue was related to MS05-025 (883939), an Internet Explorer patch. To confirm my initial suspicions, I right-mouse-clicked inside the blank box to see what the HTML properties of the box were.

That’s when I realized it wasn’t the IE patch at all but rather MS05-026 (896358), which also relates to Help.

How did I know this? From the type of error I saw. The properties of the blank box were:

res:// C: Windows System32 shdoclc.dll /navcancl.htm#mk:@MSITStore

I remembered seeing a reference to MSIT in the security bulletin. It said, “This security update restricts the use of the InfoTech Protocol (ms-its, its, mk:@msitstore)”.

The reference to @msitstore stuck in my brain. That was my problem. I immediately went back to the security bulletin to click on the known issues link, KB 896358. This gave me several links to possible resolutions. Even so, I wanted to ensure that I followed the recommended workaround from the vendor.

Help from an on-the-ball vendor

I expected the support personnel to be a bit clueless when I rattled off, “Security Bulletin 05-026 broke the Help component inside our tax software program.” So I was very pleasantly surprised when the operator knew exactly what I was talking about. He directed me to a Technical Support Engineer, who in turn directed me to Knowledge Base article 896054 for resolution and recommended a workaround. I performed the edits and found that they fixed my issue without even rebooting.

The key element to this fast resolution was a bit of information about the security bulletin. I had drilled down and read the bulletin the week before and thus remembered the mk:@MSITStore information. But, even without this knowledge, I was guessing that it was this bulletin or the Internet Explorer one. I next would have manually uninstalled the patches one by one to see which, if any, was responsible.

Uninstalling isn’t the answer in my book

While I will easily uninstall a patch to test if it is the issue, I do not leave the patch off unless my line of business applications are totally blocked from functioning.

The patch in question has the potential of being exploited through malware or other methods. The fact that the online Help file inside my software program was broken was a mere inconvenience. We have printed manuals that we can walk to the library and read, if we really need help for the program. Honestly, most of us probably need the exercise anyway.

The risk of removing this patch for a mere “information convenience” was one I wasn’t willing to accept. Sometimes your patch decisions are like that. Hopefully, most of us find that the risk of not patching is much greater than any pain you experience patching. Having a bit of knowledge and good technical support contacts,fortunately, meant that my patch issue was quickly resolved.

Is 2003 SP1 being forced onto computers?

Windows XP SP2’s blocking mechanism expired on Patch Tuesday last April. You may remember that Windows Secrets associate editor Paul Thurrott was the sane person telling folks that the service pack wouldn’t be rammed down the throats of folks that didn’t want it.

I’d recommend that he be ready for another round of truth-telling. Microsoft has released a blocking tool for Windows 2003 Service Pack 1 that will block SP1 from being deployed to servers through Automatic Update on July 26th. The tool will expire on March 30, 2006. Let’s hope that on April Fools Day, Paul doesn’t have to run around dispelling rumors again.

Fixing SQL Server 2000 with 2+ GB

A fix for an issue with SQL Server 2000 with more than 2GB of memory has finally been publicly released. I first wrote about this problem, which involves Microsoft’s Address Windowing Extensions (AWE), in my May 26, 2005, column.

The patch, referred to by number as 899761, is freely downloadable. It will not, however be slipstreamed into the service pack, so if you’re affected, you’ll need to manually install this.

Microsoft’s final Windows 2000 update

The last official update to Windows 2000 was released by Microsoft on June 27. Update Rollup 1 for Windows 2000 Service Pack 4 is not being called Service Pack 5, but it is the equivalent for us mere mortals. Therefore, you must treat this like a fullblown service pack and run it through a thorough testing process.

Update Rollup 1 includes all of the security patches released between June 26, 2003 (when Service Pack 4 was released), and April 30, 2005. But it also include many other fixes as well. (For a complete list, see KB 900345.) So be sure to test before deployment or ensure that you have a good backup or disk image.

The update rollup breaks the way TAPI handles nonencrypted RPC packets. It also interferes with some Internet Security Systems (ISS) products, namely Secure Desktop and BlackICE Agent, PC Protection, and Server Protection. For more information, see KB 891861 and 901159.

Got Real? Get patched!

Real announced that Real Player and Real Player Enterprise need patching due to an issue with how memory is handled. The vulnerability was disclosed by eEye in a recent advisory. RealOne Player, RealOne Player v2, Real Player 10, and Real Player 10.5 need full downloads to fix this issue.

In this case, you have to manually install the fix. The “phone updater” will not get the update. You can, however, use Shavlik HFNetChkPro 5, which is a patch-management solution that supports automatic deployment of patches for RealPlayer.

Antispyware market gets more options

Microsoft has extended the beta period for the Microsoft AntiSpyware beta to December 31, 2005. Meanwhile, Trend Micro has come out with an evaluation version of their own antispyware product.

There are two Web-based tools from Trend that might help as well: an online scan tool and a remover for one of the most hated of all malware, CoolWebSearch.

There’s one more free tool that may also help. The WinHelp2003 site offers a “hardened” Hosts file that blocks many known spyware locations. Keeping this up-to-date is as easy as getting a new one from the site every month.

Package Installer makes patches smaller

It wasn’t Patch Tuesday but a Wednesday, June 29, when the telltale yellow shield showed up on my Windows XP SP2 machine. Not having heard about anything “in the wild” that would need an out-of-band patch — nor receiving any Security Update notification — I clicked on “Custom install” to investigate.

This “critical patch” is Package Installer for Windows, which Microsoft says will actually become a mandatory download soon. Package Installer is designed to streamline patching by preventing the installer code from being downloaded to a box over and over. KB article 898461 describes the 477 KB of files that are being installed as we all migrate toward the new Microsoft Update system.

Susan Bradley is a Small Business Server and Security MVP — Most Valuable Professional — a title bestowed by Microsoft on independent experts who do not work for the company. Known as the “SBS Diva” for her extensive command of the bundled version of Windows Server 2003, she’s a partner in a CPA firm and spends her days cajoling vendors into coding more securely.