Clearswift makes a clean sweep of Web threats
- — 23 August, 2007 08:34
Mitigating network-borne threats has been an imperative to companies of all sizes and statures. As if malware and viral infestation weren't enough, today's corporations must contend with even bigger bugs, including regulatory compliance, information leaks, and intellectual property theft.
I recently garnered an exclusive look at the new Clearswift MIMEsweeper Web Appliance ENW10, an inline filtering device that locks down all Web communications including e-mail and FTP, and I was pleasantly impressed with the results. The MIMEsweeper appliance is a Dell PowerEdge 1950 server packed with virus protection (courtesy of Kaspersky Labs), a spyware sniffer (from Aluria/EarthLink), and a link blocker based on a URL database from an OEM that Clearswift declines to reveal. The appliance plugs into your network with very little effort and begins protecting straightaway.
In tests, MIMEsweeper did a reliable job of trapping spyware, viruses, and keywords and phrases thrown at it -- even viruses buried inside Microsoft Office attachments. In addition to sniffing through Office docs, this appliance can peek inside PDFs, compressed archives, and executables, as well as a variety of multimedia files, to expose the hidden bits running through your network with suspicious and potentially malicious intent. The set-it-and-forget-it updating scheme will help technically challenged SMBs justify the price, considering the appliance exacts a nearly 37 percent premium over the cost of Clearswift's comparable software-only configuration.
On the downside, unlike competing solutions from Secure Computing and Blue Coat Systems, this unit cannot scan HTTPS content streams. SSL-encrypted content and Web sites will pass through MIMEsweeper unexamined.
Further, unlike SurfControl, which offers a client-side agent that integrates with its Web security appliance, MIMEsweeper does nothing to protect against leaks of sensitive content while mobile users are on the road.
Nevertheless, what MIMEsweeper sets out to accomplish it does well. It provides solid defenses and good reporting, keeps management overhead to a minimum, and boasts features such as lexical pattern matching and LDAP support for user authentication that will bolster its appeal to larger enterprises.
Drop and block
The MIMEsweeper appliance sports two dual-core Xeon 5160 processors, dual gigabit NICs, 2GB of RAM, and a RAID 1 storage configuration using two 250GB SATA drives. The hardened Linux core supports 2,500 users, on average, according to the company, and it can be configured as a direct proxy or mounted transparently within your network routing.
Installing MIMEsweeper in the test network was a snap. Basic settings such as network configuration and passwords are handled quickly by a wizard interface. Installing the online update to the new 1.1 release was also painless, and MIMEsweeper maintains partitions between new and previous versions to accommodate rollbacks if necessary.
Further, although customizing policies is typically an arduous, time-consuming process, MIMEsweeper's straightforward interface made easy work of building up rules and defining roles and machines for policy inclusion. There's just no easy way around the development curve, but I found the Web interface surprisingly easy to use.
Newly added lexical search expressions allow you to sift e-mails and attachments for specific words and phrases. Boolean operators, regular expressions, and contextual awareness operators (before, after, with, etc.) can all be combined into tightly tailored scanning algorithms.
A notable omission is the absence of policy scheduling, though a number of nice features rounds out the offering, including policy/rule dependency tracking and customizable "404" screens that can be outfitted with your own corporate stylings and messages that alert users to policy violations.
Multiple MIMEsweeper appliances can be peered for scalability, and you can push policies uniformly through centralized administration, but comprehensive load balancing and centralized reporting are still absent. Both would be welcome additions.