• United States
by Mandy Andress and Rodney Thayer

How we did it

Sep 20, 20042 mins
Endpoint ProtectionNetworkingSecurity

How we tested the various endpoint security products.

Each server/console was installed on a fully patched Windows 2000 server. All nine consoles were running in individual operating-system installations on one box using VMware virtualization software. That server was a Pentium 4, 3-GHz system with 2G bytes of RAM. The clients were running on Windows XP on a Pentium 4, 3-GHz system with 2G bytes of RAM. We also used VMware to support the client software on this machine.

We installed the central server/console for each product as defined in the installation instructions and deployed client installations with tools provided. If the product didn’t contain deployment tools, we installed them from URL, CD or file share.

We configured each product to send alerts by e-mail to an alert address and created a test group for the client computers within a domain we controlled.

To test policy functionality, we attempted to create and deploy a policy that would block all inbound traffic except remote desktop, block outbound traffic to Port 23 on remote systems, block Netcat from binding to Port 468 and block Solitaire (sol.exe) from running.

To test whether these products could help defend against attacks, we looked at each product in four areas:

•  Application  control – How well the product would contain a malicious or prohibited application.

•  Intrusion detection  – How well the product worked as a detector of attempted network intrusions.

•  Intrusion prevention – How well the product detected network attacks by using anomaly detection.

•  Defense resilience – How the product behaved if it were attacked.

We tested application control by running Netcat to listen on TCP Port 468 and using a telnet client to connect to it. We tested intrusion-detection features by using NMAP and Nessus to perform TCP and User Datagram Protocol (UDP ) port scans. We tested intrusion-prevention features by using Netcat to send a malformed Universal Plug and Play request.

We then reviewed the alerts and log information available based on our policy tests and attack information. We also tried to create reports. First, we wanted a report showing clients that have not checked in with the server in a period of time. Second, we attempted to generate a report showing alert statistics for a specified time period.