Spyware Interceptor SI-1
Blue Coat Systems
Price: $2,295 for hardware and starts at $695 annually for 100-user subscription
[Photo: Blue Coat Systems' Spyware Interceptor SI-1]
Spyware Interceptor takes a different approach to detecting spyware than most products. Rather than performing signature detection on packet payloads, it checks requested URLs against its list of known spyware sites, a technique that allows the appliance to detect polymorphic spyware that evades signature detection by altering its code.
Recent studies by Microsoft lend credence to this approach, demonstrating that a large proportion of spyware can be traced back to a small number of originating sites. The appliance's site list is updated daily.
Once Spyware Interceptor identifies a site as suspicious, it blocks all downloads of executable programs from it. Administrators may manage exceptions to this filtering on a per-client and/or per-server basis, and may also blacklist sites that don't appear in the appliance's database. Users with unusual browsing requirements can have their systems completely exempted from screening.
Our testing showed this approach to be quite effective, as the appliance detected each of the spyware sites we attempted to access. The device also monitors, reports and blocks outbound traffic for spyware's attempts to "phone home."
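To make the filtering model concrete, the following is an added example (not Blue Coat's code, and not drawn from the review) that models the decision logic described above: a host is matched against a list of known spyware sites, executable downloads from matched hosts are blocked, administrators can exempt whole clients or allow individual servers and add their own blacklist entries, and outbound connections from internal clients to listed hosts are flagged as possible "phone home" traffic. The blocklist entries, client addresses and URLs are constructed placeholders under `.example`, and the function and field names are this example's own assumptions.

```python
"""Simplified model of a URL-blocklist spyware gateway (added example, not vendor code)."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed stand-in for the vendor-supplied list of known spyware sites
# (refreshed daily on the real appliance). Placeholder names, not real hosts.
KNOWN_SPYWARE_HOSTS = {"spyware-host.example", "adware-cdn.example"}

# What the gateway treats as an "executable program" download. Both the declared
# content type and the requested path are checked, since either alone is easy to lie about.
EXECUTABLE_TYPES = {
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/octet-stream",
}
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".scr", ".msi", ".cab", ".ocx")


@dataclass
class Policy:
    """Assumed policy shape: vendor list plus admin blacklist, client exemptions, server exceptions."""
    blocklist: set = field(default_factory=set)        # vendor list + administrator-added sites
    exempt_clients: set = field(default_factory=set)   # internal IPs excluded from screening entirely
    allowed_servers: set = field(default_factory=set)  # listed hosts the administrator chose to permit


def host_matches(host: str, blocklist: set) -> bool:
    """True if the host or any parent domain (but not the bare TLD) is on the list.

    'dl.spyware-host.example' matches an entry 'spyware-host.example'.
    """
    parts = host.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts) - 1))


def looks_executable(path: str, content_type: str) -> bool:
    """Executable if the MIME type (parameters stripped) or the path extension says so."""
    mime = content_type.split(";")[0].strip().lower()
    return mime in EXECUTABLE_TYPES or path.lower().endswith(EXECUTABLE_EXTENSIONS)


def decide_download(policy: Policy, client_ip: str, url: str, content_type: str) -> str:
    """Return 'allow-exempt', 'allow' or 'block' for one download passing through the bridge."""
    if client_ip in policy.exempt_clients:
        return "allow-exempt"                     # whole-system exemption wins first
    parsed = urlsplit(url)
    host = parsed.hostname or ""
    if host in policy.allowed_servers:
        return "allow"                            # per-server exception to the list
    if host_matches(host, policy.blocklist) and looks_executable(parsed.path, content_type):
        return "block"                            # executable from a known spyware site
    return "allow"                                # non-executable content is not filtered here


def flag_phone_home(policy: Policy, flows: list) -> list:
    """Return (client, host) pairs where a screened client talks outbound to a listed host.

    This is the signal behind the appliance's reporting of spyware 'phone home' attempts.
    """
    return [
        (client, host)
        for client, host in flows
        if client not in policy.exempt_clients and host_matches(host, policy.blocklist)
    ]


def demo() -> dict:
    """Run the constructed sample requests and return the decisions for inspection."""
    policy = Policy(
        blocklist=KNOWN_SPYWARE_HOSTS | {"admin-added.example"},   # admin blacklist entry
        exempt_clients={"10.0.0.5"},                               # fully exempted workstation
        allowed_servers={"updates.adware-cdn.example"},            # per-server exception
    )
    downloads = {
        "listed_exe": decide_download(policy, "10.0.0.7", "http://dl.spyware-host.example/setup.exe",
                                      "application/octet-stream"),
        "listed_html": decide_download(policy, "10.0.0.7", "http://dl.spyware-host.example/index.html",
                                       "text/html; charset=utf-8"),
        "exempt_client": decide_download(policy, "10.0.0.5", "http://dl.spyware-host.example/setup.exe",
                                         "application/octet-stream"),
        "allowed_server": decide_download(policy, "10.0.0.7", "http://updates.adware-cdn.example/tool.exe",
                                          "application/x-msdownload"),
        "admin_blacklist": decide_download(policy, "10.0.0.7", "http://admin-added.example/x",
                                           "application/x-msdownload"),
        "unlisted_exe": decide_download(policy, "10.0.0.7", "http://www.example.org/setup.exe",
                                        "application/octet-stream"),
    }
    beacons = flag_phone_home(policy, [
        ("10.0.0.7", "beacon.spyware-host.example"),   # screened client -> listed host: flagged
        ("10.0.0.5", "beacon.spyware-host.example"),   # exempt client: not flagged
        ("10.0.0.8", "www.example.org"),               # unlisted host: not flagged
    ])
    return {"downloads": downloads, "phone_home": beacons}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The model makes the review's trade-offs visible: an HTML page from a listed host is still served (only executables are stopped), a fully exempted client bypasses both the download filter and the phone-home check, and an administrator's server exception is an exact-host allow while the blocklist matches whole domains, so a single exception does not quietly unblock every subdomain.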
Spyware Interceptor is extremely easy to install. It comes preconfigured to act as a bridge between the protected and external networks. The administrator simply connects the WAN and LAN ports and boots the device.
If you're willing to accept the default configuration (we didn't find it necessary to modify any settings to bring the device online), you simply provide the details of your network, an administrative user name/password and a license key, and you're up and running. Operation is completely transparent to the user and requires no configuration on the workstation.
All this being said, a gateway-based solution won't completely solve your organization's spyware problem. We recommend that Spyware Interceptor be used in conjunction with a client antispyware product to disinfect compromised systems and protect mobile users accessing the Internet while away from the corporate network.
Spyware Interceptor provides a management-friendly reporting and alerting facility. It ships with a number of predefined reports including system performance, infected machines, infected traffic, blocked downloads and system events.
However, the appliance's biggest limitation is its lack of scalability for larger enterprises. The maximum specified capacity is 1,000 supported clients. If your network is larger, you'll need to purchase multiple devices and manage them individually, without the benefit of a centralized enterprise management suite.
Overall, we feel that Spyware Interceptor is a promising product for a particular subclass of networks, particularly those with a large number of unmanaged clients.
This was first published in September 2005