This article can also be found in the Premium Editorial Download "Information Security magazine: Keeping on top of risk management and data integrity essentials."
Price: Starts at $59.95/seat for IE; $24.95/seat for Outlook
GreenBorder Enterprise Security Solution
Enterprise Security Solution doesn't detect anything; it protects Internet Explorer and Outlook users from themselves through a sandboxing technique that allows arbitrary code from untrusted sources to execute harmlessly.
Virtualization and trust are key to GreenBorder's effectiveness. Security managers assign trusted status to specific e-mail domains and servers, and to network address ranges for Web servers. GreenBorder's desktop agent forces IE or Outlook to run in a virtualized environment for untrusted sources, preventing malicious code from accessing system resources or user data.
One limitation is that trusted domains are generally assumed to be under the control of the organization. This makes it difficult to extend the trust model outside organizations. As a practical matter, most sources are treated as untrusted. Organizations can allow specific users or groups to designate specific external sources, but you'll want to be careful who gets that kind of privilege.
IE users can download software, including Java applets and ActiveX controls, without restriction. All actions are executed in the virtual sandbox, which preserves state only as long as the session remains active.
We tested the IE protection by infecting a system with several spyware apps and viruses. The infection took place, and the malicious code executed within the virtualized environment. But, when we closed our IE window and restarted, all traces of the malicious code were gone, and there was no damage to the OS.
Malware-bearing e-mail attachments are also rendered harmless, and saved attachments preserve state information ("trusted" or "untrusted"). We tried a spoofing attack that routed mail through an untrusted gateway, and GreenBorder tagged it. Untrusted messages are rendered in RTF, preventing the execution of malicious code.
The product's greatest shortcoming is its restriction to IE and Outlook. If you're like many of us who work in semi-managed environments, you've got to be concerned about the use of alternate e-mail programs, Web browsers and IM applications.
Reporting is fairly strong, featuring several options including an auditing report that details system configurations and security events, such as attempts to modify config.sys or create suspicious registry keys.
The server runs on Windows 2000 Server or Windows Server 2003; the client agent runs on Windows 2000 Professional and XP Professional. Larger enterprises will want to use Microsoft SQL Server to store configuration and reporting information. (GreenBorder also supports MSDE for smaller enterprises.)
GreenBorder shifts the paradigm of malware defense from detecting attacks to rendering them impotent. It's an effective addition for preventing malicious code, particularly zero-day infections, from damaging enterprise assets.
This was first published in April 2005