BARRIER1's combination of tightly integrated open-source security applications and a managed monitoring service provides an interesting approach to turnkey security.
If you've been skeptical about the notion of turnkey security, fledgling vendor The Barrier Group offers a somewhat novel app-roach that should give you pause to reconsider. Its BARRIER1 Model 50 appliance combines tightly integrated open-source security apps, and a common correlation and analysis engine, bundled with a 24/7 security monitoring service.
The ability to combine a turnkey appliance with a managed service is enabled by BARRIER1's "brain," its proprietary Advanced Analysis and Reaction Engine (AARE), which provides IDS/IDP intelligence and feeds correlated data to Barrier Group's NOC. The NOC provides threat analysis and response, incident tracking and reporting, and real-time updates for the embedded AV, IDS and antispam engines.
Our BARRIER1 appliance failed during testing--we're not sure why. We completed our testing with a replacement sent overnight by Barrier.
Under the hood, BARRIER1 combines a stateful inspection firewall, Snort-based IDS/IDP, ClamAV, SpamAssassin antispam, proprietary Web content filtering, and e-mail filtering and forwarding via Qmail.
The IDS/IPS is a combination of Snort and AARE rules, traffic anomaly detection and a honeypot. The anomaly detection kicks in after a two-week "learning mode" of network profiling and analysis; the AARE analyzes traffic, which is studied by Barrier Group's staff.
The IDS/IDP inspects in-coming traffic, blocking the source IP of suspect packets for a predefined period. Packets that pass the IDS test are screened at the firewall. Multiple events--for example, if the AV detects three infected e-mails from the same source--can also trigger IP address blocking rules.
The user interface provides reports for each service, and BARRIER1 produces a quarterly roll-up dashboard; ad hoc reports can be generated upon request. Since Barrier Group's model is focused on offloading the management and monitoring tasks, certain functions, such as a real-time view of the IDS events, aren't available through the Web-based interface.
All security managers and admins share a common account by default; individual admin accounts must be set up by the NOC upon request. Similarly, all user account changes are logged and available to the NOC for troubleshooting, but not to the local security manager. Despite these concerns, the actual functionality of each module proved satisfactory.
Although the unified Web GUI helps security managers navigate the appliance, some of the open-source apps still require a familiarity with Linux. While the documentation was good, we would have liked context-sensitive help.
The hardware can be purchased or leased, but, either way, software updates and the monitoring service are part of the bundle. Subscription pricing is broken into four services: firewall, antispam/AV, IDS/ IDP and Web content filtering.
The BARRIER1 appliance comes in several sizes, from the SOHO-sized Model 25 to the Model 300 with 12 Gbps throughput, HA and clustering capability. Despite the option of the high-end appliance, the business model seems best-suited for smaller shops looking to run security with minimal staff.
--Scott Sidel
