SearchSecurity: The new breed of unified threat management tools

Unified threat management devices have traditionally been suited for small and medium-sized business networks. UTMs combine a number of essential technologies, including firewall, perimeter antimalware and antispam, VPN, Web content filtering and more, but historically have not been capable of handling the traffic load of a large enterprise network. Now, UTM vendors are integrating a host of new features in an attempt to become more competitive against other enterprise-grade security appliances.

You can watch the five minute screencast that I did for SearchSecurity here. I cover several different products, including Fortinet, Sophos, Checkpoint and Juniper.

FedTech magazine: Cisco’s ASA-5512-X review

To better protect the enterprise network, organizations need stronger firewalls. Cisco Systems’ Adaptive Security Appliance 5512-X delivers a solid set of features to address those needs: Zero-day malware protection, application-aware software and integration with endpoint device control for end-to-end security.

You can read my review here for FedTech Magazine.

Network World: Mobile Device Manager Review

Mobile Device Managers (MDMs) make a lot of sense when you are trying to control who can access your enterprise network and applications from particular phones and tablets. But to effectively evaluate these products, you should first consider what exactly you are trying to control: the apps on particular devices, the pairing of a user with his or her device, the device itself, or the collection of files on each device. Each MDM has a somewhat different perspective, and has strengths and weaknesses in terms of what it can control best.

In my review today for Network World, I looked at six different products: AirWatch (pictured above), Apperian’s EASE, BlackBerry’s Enterprise Server 10 (BES10), Divide, Fixmo, and Good Technology’s Good for Enterprise. No single MDM product won this review; all had serious flaws that would prevent them from being successfully deployed, depending on your circumstances.

The need for better mobile security is obvious: witness this story from last year about a hospital volunteer taking pictures of patient records with his phone and then selling them. Sadly, most current MDMs still wouldn’t be able to prevent something this overt.

The MDM arena is still pretty immature, akin to where the anti-virus world was decades ago. Security profiles are somewhat clunky to install and administer and some vendors don’t support vintage versions of iOS or Android. Topping this off: once you find phones that have been compromised, there is no easy way to return them to a pristine condition, largely through the fault of the mobile OS vendors.

Expect to pay between $20 and $75 per user or per device per year, which can add up if you have a lot of phones to protect. Few vendors are transparent about their pricing (AirWatch and BlackBerry are notable exceptions).

Good and BlackBerry do the best jobs of protecting your messaging infrastructure, so if that is the primary reason for picking an MDM product you should start with these two. Divide had the most appealing management console and overall simplest setup routines, and also supports licensing unlimited devices per user. And Apperian is great for corporations that have developed a large collection of their own apps and want a consistent set of security policies when deploying them.

You can see the full range of screenshots for my review in this deck.

FedTech: Review of Microsoft Office Pro Plus 2013

Microsoft Office has split into two distinct personalities, Office 2013 (which you get via a CD) and Office 365 (that comes via the browser and the cloud). The two share several common features and will make it easier for federal government users to collaborate without having to serially email documents back and forth. There is also tighter integration into your Microsoft account for reading emails and adding contacts and calendar entries.

For more on my review of MS Office Pro Plus 2013, read it in FedTech Magazine’s latest issue here.

Password manager reviews for Network World

Today Network World posted my latest product review, the third in a series of reviews that I have written over the past year on the general topic. We all have too many passwords to deal with, and enterprise IT managers have too many products that can manage them.

The most recent review looks at six different products that can be used by either consumers or corporations to handle passwords in a variety of situations. They are Kaspersky Pure, LastPass Enterprise, Lieberman Enterprise Random Password Manager, 1Password, RoboForm Enterprise, and TrendMicro DirectPass. Because you can’t directly compare the six, I didn’t award a winner, but I did like LastPass and Lieberman’s products a lot.

You can also see the various features of the products in this series of screenshots that I posted on Slideshare.

My earlier review on single sign-on products last December can be found here. These are strictly enterprise-related and look at ways that enterprises can deploy more secure Web services’ logins. The winner of that review was Okta.

Finally, my review of two factor authentication tools last May can be found here. These strengthen passwords by adding another mechanism, such as your cell phone, to the login process. The winner of that review was SecureAuth’s IdP.

Why your small business needs a better firewall

When I set out to test a collection of new small business firewalls for Network World, I wanted to find a place that could illustrate their need. I was fortunate to find Mercury Labs, which despite their name is a video production and public relations company of about 10 people located in midtown St. Louis, not far away from my office. Over the course of a couple of weeks, I brought in several different unified threat management boxes to try out, including Check Point Software’s 640, Dell/Sonicwall’s NSA250MW, Elitecore Technologies’ Cyberoam CR35iNG, Fortinet’s FortiGate 100-D, Juniper Networks’ SSRX220H-POE, Kerio Technologies’ Control 1100, Sophos/Astaro’s UTM 220, and Watchguard Technologies’ XTM330.

Mercury was instructive because before I got there, they didn’t really have a lot of protection on their Internet connection: the only device connected to their cable modem was an Apple Airport. Relying on NAT does not a firewall make. Over the course of my tests, they were intrigued to see the consistent number of attacks coming across the big bad Internet as we could capture them in real time. Think of a sewer line that is encased in clear plastic so you can see the flow of filth.

Several of the vendors sent in their techs to help me with the tests, something that I always welcome because we always find bugs in any product. In fact we found a killer bug in the top-rated product from Check Point. The tech was making some frantic calls back to his developers in Israel where they quickly found and fixed the bug and sent us the new firmware.

Small businesses have lots of choices when it comes to protecting their network. You can buy a home router for less than $50 from any number of consumer networking vendors, or you can spend more than $4,000 for one of the more than a dozen firewalls from the enterprise security vendors. The UTM products lie in between those price points.

The UTM products include more than just a firewall: there is intrusion detection and prevention, network-based anti-virus and anti-spam screening, virtual private network connections (VPNs), and content filtering on outbound Web browsing to prevent phishing and browser-based attacks.

I liked the Check Point UTM because it had a nice balance of simplicity and power, and it was also the cheapest of the boxes that I tested. It worked well on the mostly Mac network at Mercury, something not all of its competitors could claim. You can see a sample screen from Check Point’s box below.


You can see lots more screencaps here. And you can read my review in Network World here.

Network World: Secure Auth Tops in Two-Factor Tokens

We all know that relying on a simple user ID and password combination is fraught with peril. One alternative is to use one of the single sign-on solutions we reviewed last year, but there are less expensive options that could also be easier to install. That’s where two-factor authentication services come into play. I recently reviewed eight such tools, including Celestix’s HOTPin, Microsoft’s PhoneFactor, RSA’s Authentication Manager, SafeNet’s Authentication Service, SecureAuth’s IdP, Symantec’s Validation and ID Protection Service (VIP), TextPower’s TextKey and Vasco’s Identikey Authentication Server. SecureAuth (illustrated) came out on top.

You can read my review in Network World here.

You can download the various screenshots here.

And you can follow the Twitter handles of the various vendors here.

Why small businesses need firewalls

I have been spending time this week at a small media company called Mercury Labs. Despite their name, they don’t normally test anything, but ironically that is what I have been doing there. I was testing a bunch of integrated network security devices for Network World.  These devices cover what is called unified threat management, but you can think of them as network firewalls with additional features, such as the ability to scan incoming and outgoing traffic for viruses and spam, blocking phishing URLs, and being able to set up a secure virtual private network connection when you are on the road.  I’ll call them advanced firewalls here for convenience.

I have a long history of testing these tools. Almost seven years ago, one of the Techtarget publications had me looking at them for larger enterprises, and I went out to the central IT department at Stanford University to put them through their paces. This time around, I wanted to find a small business site for the tests that I was going to be doing for Network World. That’s why I was over at Mercury this past week.

They have about 10 Macs connected to an Apple Airport, which is the center of their network, providing IP addresses, wireless connections and a shared hard drive to the entire office. The Airport is attached to a cable modem and the Charter broadband network.

Wait a minute. Don’t you need a firewall if you are going to connect your network to the badass Internet? Yes, and Mercury knew they were taking chances. A firewall is just the basic separation that keeps the bad guys from getting inside your network and causing havoc. That is why they were the perfect testing site. They were vested in my review and what I would find out about these products and their specific needs.

Interestingly, it isn’t just small businesses that don’t have firewalls. When I arrived at Stanford, the central network didn’t have any either. Partly that was because of some odd notion of academic freedom, but back then they realized they had to get better protection. Ironically, while I was doing my tests there we saw someone try to reach out from Germany one morning. Luckily, they had other defenses that prevented them from doing any damage, but it emphasized the reason why I was there testing these products. And coincidentally, when we brought up the advanced firewalls at Mercury, we could see all the network traffic where folks were continually scanning and looking for ways to enter their network too. It was a sobering illustration of why these products are essential.

When I first arrived on scene, I went into their phone closet where I tried to suppress a gasp. Yep, this was your typical small business: part storage room, part cable jungle, and mostly a mess. It was clear that trying to figure out the network topology was going to be a challenge, and my first act was to leave everything alone.

Inside the closet were two small gigabit switches from DLink that looked like they had been around since the days of DOS. This worried me, but since things were working, I wasn’t too concerned. Yet.

One of the vendors that was part of the test insisted on sending a product engineer to help with my testing, and I am sure glad that he was there. When we cut over to his device instead of the Airport, things initially went south. Turns out we found a bug in their firmware. Once that was fixed, all of the wireless Macs were quickly brought up on the network behind the new firewall. But the wired Macs had trouble connecting. It took a few reboots before we got everyone back on board. It was ironic that the wireless portion of their network was easier to bring up than their wired portion. That was thanks to the wonky cabling in the closet.

So what are some takeaways from this experience?

If you are running gigabit Ethernet to your desktops, make sure your cable plant is up to snuff. Part of my problems had to do with the older cables used to connect things in their wiring closet. There is a difference between Cat5 and Cat5e, especially if you want to run the faster networks these days. Make sure you are using the right cables.

Disconnect any unused wired ports in your office.  This is just basic security practice, but bears repeating. And if your wiring contractor hasn’t done so, you should label your ports in the walls and in your closet so you can track things down more easily.

Understand the limitations of your core network gear, including switches, routers, firewalls, and wireless access devices. Your network installer should explain these things in terms that you can understand.

Have a separate guest network with the appropriate security measures. The Mercury folks were using the Airport guest network features, which were bare bones. One of the reasons they wanted to go to the advanced firewall was to provide better protection from their frequent guests and contractors who were going to be connecting in their offices.

Oh, and what happened with my review for Network World? Well, you will have to wait and read about it in their pages. I can tell you that I learned some interesting things about all the products that I tested.

ITWorld: How to choose a social media management service

How do you know you are fully engaged with all of your social networks? This turns out to be a difficult question to answer. And as we try to resolve complaints from customers on Twitter and Facebook, we also need to track mentions across other networks and develop consistent workflows and processes to respond and measure these involvements.

Luckily, there are tools available for these tasks, and you can read my article in ITWorld here that reviews many of the issues involved before purchasing one.