Independent Reviews of Network Hardware and Software

 

NETWORK TESTING LABS REVIEW

Protect your Network Against Malicious Web Sites


 

 



Traditional URL filtering is no longer enough.
By Barry Nance


Executive Summary
In our tests of four Web security products, we found McAfee Email and Web Security Appliance to be the most formidable roadblock against every sort of Web-based threat. McAfee’s SiteAdvisor technology and anti-malware scanning engine allow the Email and Web Security Appliance to block access to malware-infected Web sites more accurately than traditional URL filtering products from other vendors, and it even educates users about the potential dangers on each site. We found the Email and Web Security Appliance performed extremely well, even under heavy traffic loads. Installation was simple and uncomplicated.

When you take pricing into account, the Email and Web Security Appliance is clearly the most cost-effective anti-malware tool. Further, when you factor in operational costs and benefits, you can easily see that the Email and Web Security Appliance offers the best bang for the buck.

McAfee Email and Web Security Appliance earns our World Class Award for best Web security product.


The Web has become a natural part of our lives. It is a universal communication tool that businesses can’t do without. But in recent years, the Web has become a security threat. Web sites of all categories can subject you to unwanted spam, pop-ups, dangerous downloads, spyware or all of the above.

The flood of malware on the Internet is threatening to overwhelm us. Spam, spyware, viruses, Trojans, rootkits, phishing attempts and other scams are stealing our credit card data and passwords, throwing up unwanted and inappropriate advertisements on our screens, slowing our computers to a crawl, deleting or modifying our files, tracking our keystrokes, broadcasting e-mail to all the people in our address books, scamming us out of our money and allowing hackers to remotely control our computers.

Solving the Malware Problem
Without effective protection against Web-based threats, your IT staff will spend inordinate amounts of time cleaning up after malware that finds its way onto your computers. The cost of stolen corporate data and lost productivity is an even larger concern.

How can you best defend against malicious web sites and web-borne malware? Generally speaking, the best place to stop malware and to filter access to malicious web sites is directly at the point where your network connects to the Internet. An Internet gateway that keeps malware off your network in the first place is far more effective and less expensive than the after-the-fact cleaning of individual server and desktop computers.







Malware Recognition via URL
We found McAfee Email and Web Security Appliance with SiteAdvisor to be a highly accurate tool for preventing access to both Web-based malware and malicious or annoying web sites.
Traditional URL filtering products are in widespread use, but they were created before the Web was much of a security threat. Their design is to enforce acceptable usage of the web by employees, and they do that by allowing the network administrator to block access to certain categories of web sites – e.g. shopping, gaming, pornography. Websense, SurfControl, McAfee, Barracuda and other vendors offer such products.
In recent years, vendors have started to claim that their URL filtering products protect against malware, spam, pop-ups, and other unwanted artifacts of malicious web sites. But how well do these products really work?

To help you decide which Web security tool you should use on your network, we tested four different products in our Alabama lab: McAfee Email and Web Security Appliance (which includes McAfee’s SiteAdvisor technology), Barracuda Networks’ Web Filter model 310 appliance, Surf Control’s WebDefense, and Websense Enterprise (including the optional Websense Security Filtering module for extra measure). The most important criterion in our evaluation was the ability to block malware and access to malicious web sites. We also looked for useful reports, timely alerts, ease of use and ease of deployment.

We found that McAfee Email and Web Security Appliance exhibited the greatest accuracy, quickest performance and highest ease of use. Its SiteAdvisor module did an excellent job of blocking access to malicious Web sites. Email and Web Security Appliance kept virtually all malware from penetrating our network, and its effect on the responsiveness of our clients’ Internet experience was negligible. The Email and Web Security Appliance wins the Network Testing Labs World Class award for gateway-based Internet security.




Table 1 reveals how well the four products recognized “bad” URLs and IP addresses. Impressively, Email and Web Security Appliance’s Web site classification (aided in part by SiteAdvisor) kept virtually all malicious and annoying Web sites at bay.

 

Product                             Web site categorization success rate (1,000 URLs)
Email and Web Security Appliance    99%
Websense Enterprise                 90%
Surf Control WebDefense             85%
Barracuda Web Filter                84%

Table 1. Ability to recognize malicious Web sites.

SiteAdvisor always stays up to date on the latest threats. It continually crawls the Internet, using intelligent bots, or virtual computers. These bots visit nearly every Web site, download content from that site and scan the results for various kinds of malware. The bots even fill out registration forms to determine whether signing up at a site triggers spam. If the site contains malicious code or other suspicious content, SiteAdvisor’s bots note the nature of the threat so SiteAdvisor can help you avoid that site.

The SiteAdvisor component knows which Web sites are infected with malware, which sites produce excessive pop-ups, which sites engage in fraudulent practices, which sites contain browser exploits and which sites will target your e-mail address with spam. SiteAdvisor’s database is the result of testing virtually all Web sites on the Internet for malware behavior. Moreover, in addition to its programmatic evaluation of the Internet, SiteAdvisor uses feedback from customers to assess the risk of Web sites.

Deploying McAfee’s Email and Web Security Appliance is no more complicated than assigning it an IP address – truly a plug-and-go appliance. The documentation is clear, comprehensive and easy to follow.

On one screen, the administrator can configure web security policies and acceptable use policies, thus blocking users from time-wasting or obnoxious web sites (such as gambling and pornography) and also preventing users from accessing malicious web sites in the categories you select.

Turning on the email filtering properties of the Email and Web Security Appliance takes just a few mouse clicks. This action lets you block email-borne spam, malware, phishing attempts and other unwanted email-based traffic. Since spam is often used as a distribution method for phishing and other web threats, using an Email and Web Security Appliance to protect and secure your email environment makes a lot of sense, and it certainly saves time and money.








Content Recognition
Our second battery of tests asked the products to detect and thwart malware based primarily on content, in addition to URL or IP address. This second round of testing included many “zero-day” threats – i.e., malware that suddenly appears on sites whose URLs were registered just a few moments ago and for which accurate content recognition is paramount.

The Email and Web Security Appliance we tested was a Dell PowerEdge server model running McAfee’s comprehensive anti-malware modules.

Websense Enterprise and its Security Filtering module also thwarted a good deal of the malware in our test suite. Security Filtering’s malware categories include Web sites known to harbor spyware, phishing and other frauds, potentially unwanted software, bot networks and keyloggers. Websense uses its “Threatseeker” technology to help categorize and identify malicious web sites.

Websense Enterprise flexibly gave us the choice of blocking, allowing, warning, imposing a quota, throttling bandwidth usage and refusing file types to manage our users’ Web access.

Websense Enterprise runs on Windows Server 2000, 2003, Red Hat Linux and Solaris.

Surf Control’s WebDefense, with its Access Manager and Threat Manager modules, didn’t fare as well in dealing with malware or categorizing Web sites. Like Email and Web Security Appliance with SiteAdvisor, WebDefense’s list of threats is based on an automated examination of Web sites. In addition to its Web filtering, WebDefense guards against Web sites known to harbor viruses, phishing attempts, worms, trojans and other malware. The vendor says a separate module, MailControl, can stop e-mail-borne attacks.

The Access Manager module acts to limit employees’ browsing of recreational or illegal content. Threat Manager, on the other hand, tries to filter malware so that it doesn’t reach your users.

The Barracuda Web Filter 310 fared worst of all in our tests. We also note that Barracuda suggests using the Web Filter 310 to handle only up to 300 connections per second for best performance – the lowest number of concurrent connections among the products reviewed here. Web Filter can block access to Web sites based on domain, URL pattern, or content category, block downloads based on file type and block applications that access the Internet.





In these more strenuous tests, the Email and Web Security Appliance turned aside an amazing 98% of the malware we subjected it to. Table 2 shows the results of these tests.

These exercises used very different test data from that used in the first round of tests.

Incidentally, who would you guess registers the most Web sites every day?

Yes, that’s right – malware authors and malware organizations.


 

Product                             Success rate against a suite of 150 malware instances
Email and Web Security Appliance    98%
Websense Enterprise                 94%
Surf Control WebDefense             90%
Barracuda Web Filter                86%

Table 2. Ability to block malware via content recognition.

The Email and Web Security Appliance contains McAfee’s anti-malware scanning technology, which performs a deep, thorough inspection of all files as they pass through the appliance.

This deep content inspection approach protects against malware that is lurking on “friendly” URLs, such as webmail downloads or other well-known web sites (e.g. professional sports teams, news organizations, or other high-volume web sites) that have been infected with malware, often via hijacked advertising banners.

Performance
We also tested the throughput of each product. We wanted to know which one provided the most responsive Internet experience for users.

We found that the Email and Web Security Appliance was the quickest performing of the four products. The device works with such alacrity that client responsiveness was virtually unaffected – our users were completely unaware the Email and Web Security Appliance was filtering Web and e-mail traffic. Table 3 reveals the latencies we measured.

Smaller numbers signify better performance (and thus also signify the more responsive Internet experience).

 

Product                             Latency (non-executable)    Latency (executable)
Surf Control WebDefense             28 ms                       66 ms
Barracuda Web Filter                27 ms                       230 ms
Websense Enterprise                 20 ms                       35 ms
Email and Web Security Appliance    15 ms                       28 ms

Table 3. Latency (performance) results.

Conclusion
McAfee Email and Web Security Appliances are high performance, scalable, robust, reliable and intuitive to use. They’re highly effective roadblocks against malware of all types. When tested against traditional URL filtering products, we found that the McAfee product delivered measurably stronger security against malicious web sites.





Testbed and Methodology
We primarily looked for the ability to identify and block malware (such as viruses, spam, phishing attempts, keystroke loggers, browser hijackers, adware, rootkits, dialers, data miners and Trojans). We wanted a product to prevent malware from sending data from our network (i.e., “phoning home”), identify already-infected clients, scan traffic quickly, receive frequent spyware definition updates and produce helpful reports on infection attempts and traffic statistics.

We collected a suite of 150 malware samples, and we moved the collected material to an isolated, quarantined network. We thus were able to simulate the Internet within our lab.

The quarantined network consisted of three subnets.
  • Subnet 1 had 25 client machines with a variety of operating systems, including Windows NT, 98, 2000, 2003, ME, XP, Vista, Red Hat Linux and Macintosh OS X.
  • Subnet 2 contained three Web servers (Microsoft IIS, Netscape Enterprise Server and Apache), three e-mail servers (Exchange, Notes and Sendmail), two file servers (Windows 2003 Advanced Server and Netware) and two database servers (Oracle 8i and Microsoft SQL Server).
  • Subnet 3, simulating the "Internet," had Web servers that contained the malware instances and sported “bad guy” IP addresses and URLs.

Systems on the first two subnets accessed the third subnet as if it were the real Internet. 

To measure performance, we used two time-synchronized protocol analyzers on the Internet and local network sides of the products and examined the resulting packet captures to determine the time taken to forward or discard each network message.
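
The two-capture latency measurement described above can be sketched as follows. This is an added example, not code or data from the review: the capture records are constructed, the message id is an assumed stand-in for whatever key identifies the same message on both analyzers, and a message that never appears on the far side within the timeout is counted as discarded.

```python
from statistics import median

# Constructed sample records: (timestamp in seconds, message id) per analyzer.
# The message id is an assumption; in practice it could be a hash of the
# addresses, ports, sequence number and payload of each message.
LAN_SIDE = [(0.000, "m1"), (0.010, "m2"), (0.020, "m3"), (0.030, "m4")]
INTERNET_SIDE = [(0.015, "m1"), (0.030, "m2"), (0.048, "m4")]


def gateway_latency(ingress, egress, timeout=1.0):
    """Match each ingress message to its first later sighting on the egress side.

    Returns (latencies_ms, discarded): the latency in milliseconds for each
    forwarded message id, and the ids not seen on the egress side within
    `timeout` seconds. Both captures must share a synchronized clock.
    """
    seen = {}
    for ts, mid in egress:
        seen.setdefault(mid, []).append(ts)
    latencies, discarded = {}, []
    for ts_in, mid in ingress:
        later = [t for t in seen.get(mid, []) if ts_in <= t <= ts_in + timeout]
        if later:
            latencies[mid] = round((min(later) - ts_in) * 1000, 3)
        else:
            discarded.append(mid)
    return latencies, discarded


def summarize(latencies):
    """Summary statistics over the forwarded messages."""
    values = sorted(latencies.values())
    return {"count": len(values), "median_ms": median(values), "max_ms": values[-1]}
```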

Client and server machines started off in a pristine state for each test. Our clients and servers attempted to download malware from the simulated "Internet." We noted how well the products identified malware traffic and blocked attempts by the malware to send data back to the source.

We gauged success or failure by examining each machine for malware after each test. We looked for running malware processes, new program files (EXE, DLL or OCX, possibly marked with the “Hidden” attribute) and directories as well as Registry and Start Menu changes.
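
One way to automate the file-system part of this post-test examination is to snapshot each machine in its pristine state and diff it after the test. The following is an added example, not the lab's own tooling; the function names and the sample directory contents are constructed, and Registry, Start Menu and running-process checks are not covered.

```python
import hashlib, os, stat, tempfile

PROGRAM_EXTS = {".exe", ".dll", ".ocx"}  # program file types named in the text

def snapshot(root):
    """Map each relative path under root to its type, SHA-256 and Hidden flag."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            # st_file_attributes exists only on Windows; elsewhere nothing is "Hidden".
            attrs = getattr(st, "st_file_attributes", 0)
            digest = None
            if stat.S_ISREG(st.st_mode):
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            snap[os.path.relpath(full, root)] = {
                "dir": stat.S_ISDIR(st.st_mode),
                "sha256": digest,
                "hidden": bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN),
            }
    return snap

def diff(before, after):
    """Report what appeared or changed between two snapshots."""
    new = sorted(p for p in after if p not in before)
    return {
        "new_dirs": [p for p in new if after[p]["dir"]],
        "new_programs": [p for p in new
                         if os.path.splitext(p)[1].lower() in PROGRAM_EXTS],
        "new_hidden": [p for p in new if after[p]["hidden"]],
        "modified": sorted(p for p in before
                           if p in after and before[p]["sha256"] != after[p]["sha256"]),
    }

def demo():
    """Constructed sample: a pristine tree, then changes a test run might leave."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "notepad.exe"), "wb") as fh:
            fh.write(b"pristine")
        before = snapshot(root)
        os.mkdir(os.path.join(root, "svc"))
        for rel, data in (("svc/helper.DLL", b"new"), ("notepad.exe", b"patched"),
                          ("readme.txt", b"text")):
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return diff(before, snapshot(root))
```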



Copyright 2012 Network Testing Labs


  