In the past few years, corporate networks have been plagued by email virus attacks. In attempts to defend against such attacks, administrators have implemented antivirus solutions and management has implemented policies to educate employees. However, antivirus solutions are ineffective against new threats because vendors can create antivirus signatures only after a virus has been discovered. And policies are effective only if they’re enforceable and every user follows them.
To close the security gap, Sandbox Security has created Secure4U, a solution that the company dubs the world’s first application firewall. Instead of relying on users to follow a written security policy, Secure4U enforces an electronic policy by limiting the functionality and behavior of Internet-enabled applications. The software gives administrators the ability to control active content received through the Internet or other domains. To do so, the product creates a sandbox, or closed environment, around applications to restrict applications’ access to system resources and files. Rather than checking a list of potential vulnerabilities, Secure4U monitors and checks specific actions and resource-access attempts by each application and blocks suspicious activities or those flagged by administrators as restricted.
Secure4U runs on Windows 2000, Windows NT, Windows Millennium Edition (Windows Me), and Windows 9x systems. The software’s components include the Secure4U Agent, which is the interface that users see and the component that monitors applications on the workstation on which you install it. The Secure4U Administrator Tool is the interface that administrators use to configure and deploy Secure4U Agent settings. You can use this tool to scan a workstation and configure default rules for each application installed on the system.
These components combined with the software’s kernel-level protection against lower-level threats enable the software to protect systems’ registries. Secure4U monitors applications that attempt to access or modify the registry, and depending on how you’ve configured Secure4U, the product denies or allows applications to make the changes. If an unknown application attempts to read or write to the registry, Secure4U will block the attempt. The product also monitors access to system services and blocks unknown applications from making configuration changes. In addition, Secure4U monitors applications that attempt to call the OS and spawn new processes. You can also configure the software to block applications’ access to the file system.
Additionally, Secure4U offers features similar to those found in personal firewall products: IP address monitoring, UDP and TCP port monitoring, Internet cache and cookie management, and Web and email filtering. For example, Secure4U will log all IP addresses that attempt to connect to your machine and which TCP or UDP port they attempted to use. The Web filtering feature lets you block sites that you don’t want users to view. If a workstation has antivirus software installed, Secure4U will make API or command-line calls to a supported antivirus program (e.g., Computer Associates’—CA’s—Inoculan) to scan for known viruses.
To tie everything together and help you track possible policy violations, Secure4U offers the ability to log events to a text file. The software also includes an HTML-based log file analyzer that lets you search the log files and create custom reports.
Sandbox Security recommends that you install Secure4U on a PC with a Pentium-class processor and at least 15MB of free disk space. Secure4U doesn’t support multiprocessor systems. I tested the software on a 650MHz Pentium III processor system running NT Workstation 4.0 Service Pack 6a (SP6a) with 196MB of RAM and 16GB of hard disk space, and a 166MHz Pentium processor workstation running Win98 Second Edition (Win98SE) with 64MB of RAM and 3GB of hard disk space.
To install Secure4U on the NT system, I had to log on with an account that had Administrator privileges. Inserting the Secure4U CD-ROM launches the autorun feature, which presents you with a welcome screen. (Alternatively, you can launch setup.exe from the root directory of the CD-ROM.) Simply click Install Secure4U to launch the setup process. Next, the setup program asks whether you want to install the software locally or to a remote server. The program installs the software in a \program files\Secure4U directory. You don’t have to reboot the system after the installation completes.
After I installed Secure4U on the NT system, I attempted to remotely configure the Win98SE machine only to discover that you must use offline mode to remotely manage Win9x systems. To work in offline mode, you must log the workstation off the network and reboot the system after you make configuration changes. Sandbox Security isn’t at fault for this shortcoming; it’s caused by a limitation of Win9x.
From the administrator console, you can save configuration options and load previously saved options. To protect the console from unauthorized access, administrators can protect the console with a password. Secure4U runs in Easy Mode and Advanced Mode. Easy Mode provides an easy-to-use interface but limited administrative flexibility. Advanced Mode gives you more control over firewall settings.
In Easy Mode, Secure4U offers four levels of security for Microsoft Outlook, Microsoft Internet Explorer (IE), Netscape Communicator, and Lotus Notes. The None setting provides no security restrictions on applications. Low provides these applications with access to files, directories, and the registry. The Medium setting offers applications read access to files, write access to a limited preconfigured set of directories, read access to the registry, and minor TCP and UPD port restrictions. The High setting causes applications spawned by the previously listed applications to inherit the security settings of the original application and provides restrictions on all directories except administrator-set exceptions, limited access to the registry, and tight restrictions on TCP and UDP port traffic. Setting the security level to High in Easy Mode caused many applications to not function properly. I found that Easy Mode doesn’t provide enough functionality and creates a false sense of security.
In Advanced Mode, Secure4U gives administrators more control over applications and their security settings. It also provides the ability to control system functions (e.g., the ability to shut down and restart a workstation). This mode lets you customize how Secure4U reacts to applications—the software can use a preset security level or you can set the software to ask the user if he or she wants an application to access the Internet. However, I was disappointed to discover that this feature doesn’t function on all Windows Me and Win9x applications.
I also tested Secure4U’s ability to control low-level system access calls. According to the software’s documentation, Secure4U will protect the following low-level system calls: AdjustTokenPrivileges, SetFileSecurity, SetKernelObjectSecurity, SetServiceObjectSecurity, SetSecurityInfo, SetNamedSecurityInfo, SetUserObjectSecurity, CreateProcessAsUser, CreateProcessWithLogonW, SHCreateProcessAsUserW, and in some cases, WriteProcessMemory, CreateRemoteThread, VirtualAllocEx, and VirualProtectEx. To test this feature, I downloaded and ran several exploit programs designed to manipulate low-level system calls to elevate user privileges. I was impressed that Secure4U prevented the exploit code from functioning.
Overall, I was impressed with Secure4U and its ability to control applications. However, many of the software’s features are already available in the Windows OSs. Under Windows Me and Win9x, you can use the Poledit resource kit tool to control Start menu applications, system shutdown and reboot, and access to local and networked drives. However, Poledit doesn’t give administrators the ability to audit log, analyze logs, process spawning protection, or enable low-level system call protection and TCP and UPD port protection. Win2K and NT include all Secure4U’s features except log analysis and low-level system call protection.
In Easy Mode, Secure4U is easy to use but offers little functionality. In Advanced Mode, Secure4U offers more features, but the software is difficult to configure. In addition, Win9x’s architecture limits how secure the software can make your Win9x systems.
Despite these minor shortcomings, Secure4U is a good investment that will help you fight the security battle. Although no security product provides a bulletproof solution, Secure4U can assist you in enforcing security policy and protect users from email attacks.
Contact: Sandbox Security +49 (0) 89-800-70-0
Price: $80 for 1 license
Pros: Provides protection beyond virus scanning and management policies; log analyzer performs well
Cons: Easy Mode offers limited functionality; Advanced Mode is difficult to configure and navigate