EEye's Blink

* The Reviewmeister tests out products that claim to protect network endpoints

In the end, everybody’s network needs endpoint or client security. So the Reviewmeister tested a bunch of products that claim to protect network endpoints.

We focused on products that take some type of action in the face of an attack, such as blocking a port or stopping an executable, rather than products that focus solely on endpoint policy enforcement.

EEye's Blink is our favorite because of its solid reporting and hybrid approach to client defense.

EEye provides on-site installs of the management server/console and several clients, because this service is included in standard purchases.

EEye did not provide any documentation, but its product was intuitive and easy to use. We did not find ourselves looking for much documentation, and when we did, the online help was useful.

To test policy functionality, we attempted to create and deploy a policy that would block all inbound traffic except remote desktop, block outbound traffic to Port 23 on remote systems, block Netcat from binding to Port 468, and block Solitaire (sol.exe) from running.

Once the policy was deployed, we tested remote desktop connectivity, telnet connections and our ability to play Solitaire. Trying to control these four processes gives a good understanding of the parameters you can use in these products to set policy across a broader set of application and network activities.

The most interesting policy definition test was prohibiting sol.exe execution. For eEye, you can specify files to trust or deny, but you need to specify the file path.

We configured each policy to allow inbound Port 3389 for Microsoft's Remote Desktop Connection Utility. EEye successfully allowed the remote connection.

We tested application control (also referred to as execution containment) features by running an application that accessed the network in a way prohibited by policy. We tested intrusion detection by performing a port scan. We tested intrusion prevention (which is implemented as anomaly detection, if at all) by running a Universal Plug and Play Protocol (UPNP) attack. We tested defense resilience by performing a "coarse uninstall" of the product. We defined a coarse uninstall as the deletion of files from the product's program files folder. We deleted all the files we could, as an attacker would.

EEye performed application control, detected our network intrusion and detected the specific network attack.

Out of the box, eEye's Blink provides the ability to directly view the logs on the remote client if the machine is online.

For the full report, go to http://www.nwfusion.com/reviews/2004/0920rev.html


Copyright © 2004 IDG Communications, Inc.