Proventia Desktop firewall stymies malware

October 22, 2008 nnyq.com edit

In the days of overcomplicated security tools, it's satisfying to review a feature-rich product that intentionally keeps it simple. Internet Security Systems (ISS) Proventia Desktop (also known as IBM Proventia Desktop Endpoint Protection) offers a host-based firewall core supplemented by anti-virus, anti-malware, buffer overflow exploit protection, intrusion prevention, and it can function as a Cisco Network Admission Control agent. I was eager to test version 9.0.226.0, released after the IBM buyout of ISS, to see how the product is holding out against the competition.

( For more on ISS's mail security product, read our review of Proventia Network Mail Security System MS3004 )

Setup made simple
Installation of Proventia Desktop was simple and quick -- so quick that I almost didn't even know it installed. The only clue was a new status bar icon in the desktop tray. Clicking on the tray icon pulls up the user interface.

The UI has 7 tabs with a handful of configuration options on each. Interface options were clearly labeled, readily understandable in most cases without any additional reading. If you need more help, just click on the Help button provided on each configuration screen. There were a few minor bugs in the interface, but none that I couldn't immediately figure out.

The firewall comes with four defining Protection Levels carried over from the product's BlackICE origins: Paranoid, to block all unsolicited inbound traffic; Nervous, to block most unsolicited inbound traffic; Cautious, to block some unsolicited inbound traffic; and Trusting, which allows all inbound traffic.

The default setting is Nervous. It allows Internet and Windows NetBIOS sharing by default, but disabling each setting is as easy as removing the check mark. You can configure visual and audio indications for blocked traffic as well as get a visual indication when the service is stopped.

All host-based firewalls are subject to unauthorized stops in the firewall service. Typically, this is done accidentally by any user with administrative permissions and privileges or maliciously by a buffer overflow or executed malware program. Proventia Desktop protects itself from both: It prevents unauthorized changes to agent files and service shutdowns, asking for a password before the agent can be reconfigured or disabled. Additionally, the administrator can choose for all network traffic, inbound and outbound, to be blocked if the agent is stopped (i.e. fail secure).

The firewall's exception rules are standard. You can block by port or all ports, IP protocol number (UDP, TCP, etc.), IP address, or traffic direction (inbound, outbound, or both), and you can choose to accept or reject particular traffic. One interesting twist is the ability to set the future duration of the rule by hour, day, month, or forever, which is the default.

You should enable outbound Application Control, which is not turned on by default. You can choose the default behavior -- let it connect, prompt before allowing, prevent connection, or terminate application -- to implement when an unknown or modified application attempts to connect to the network. These same options are used in defining firewall rules, and you may define additional known applications along with the assigned behavior.


Click for larger view.

Next-Article:Spammer gets 30 months for inundating AOL Pre-Article:Studies show online holiday spending uncertain