Exclusive: Zone Labs Integrity 5.0 firewall offering burns brightly

Installing personal firewall software on workstations throughout your company is a good idea, even if you have a firewall appliance protecting your network’s edge. After all, you can’t anticipate when your network will be infected from an internal source or when your hardware firewall might fail you — being prepared for these possibilities simply makes sense. Software firewalls such as Zone Labs’ Integrity 5.0, which offer varying degrees of protection and management flexibility, can be easily deployed in a large enterprise environment.

It’s been more than a year since we tested an older version of Integrity and the product has improved significantly. In this exclusive look at late beta code of Integrity 5.0, I found many important new features. Among them, Zone Labs has added ICQ support to the product’s protocol-level IM protection module. This module allows companies to reap the benefits of public messaging with the most popular IM applications while simultaneously curbing undesired use and thwarting passage of Trojan horses. System administrators have, for example, the ability to designate acceptable file types and links that can be passed over IM.

Zone Labs also has expanded support of 802.1x authentication, with certification from companies such as Enterasys Networks, Cisco, and Funk Software. Integrity can work with products from these companies to prevent users from logging on to wired or wireless LANs unless their computers are properly configured, have the latest anti-virus updates, and otherwise comply with security policies administered through Integrity. Integrity 5.0 will also include integration with Check Point VPN-1, bringing policy enforcement to remote-access clients. Moreover, Zone Labs has introduced additional anti-virus options from Computer Associates and Sophos.

Core features carried forward from previous versions include port stealthing, which hides PCs from crackers looking to slither in a back door, and stateful firewall inspection, which opens ports only to authorized network systems. Integrity gives administrators control over which applications may access the network and the tools to protect their networks from Trojan horses, spyware, and even malicious software masquerading as trusted applications.

The Integrity environment is comprised of client agents and a central server. Admins can create, develop, and manage policies based on users, groups, or IP ranges on Integrity Server using a convenient Web-based interface. The server then pushes the policies out to the agents installed on clients throughout the company.

One of the most important decisions an administrator will need to make is which of the three available client agents best fits the company’s needs. The most recently released client is the Desktop Client, a stand-alone agent geared toward informed end-users. It works independently of Integrity Server, allowing users to make their own security decisions such as which applications to install.

Administrators who want to keep a tight hold on end-users might use the Integrity Agent. This Java-based agent works in concert with Integrity Server to provide administrators with comprehensive, centralized management over end-users’ systems.

A good middle-ground alternative is Integrity Flex. It allows end-users to configure security policies when they’re off the network but also enforces corporate policy by way of Integrity Server when they’re connected. You can also configure Flex to enforce corporate policy when the end-user is off the network or to merge those policies, if that’s more appropriate.

The Policy Studio makes administering Integrity both simple and flexible. Zone Labs has created a standard list of eight policies to choose from, each with a different degree of logging, protection, and user transparency. Premade policies range from Cautious, which provides maximum security and maximum transparency, to Blank, which provides minimal protection and minimal logging. Or you may use one of seven templates to create your own policy.

Among policy options are the classic firewall policies, which allow administrators to define time-of-day rules, protocols, global ports, sources, and destinations; they also give admins control of specific application usage. Admins also can populate trusted and restricted zones, which can delineate different types of networks and apply different levels of security. Zones can be set up to allow or restrict specific hosts, URLs, IP addresses and ranges, or subnets.

Integrity 5.0’s UI is cleanly designed with standard drop-down menus that provide easy access to sets of management options. For instance, the Configuration main directory opens to Required Setup, Enforcement, Admin Functions, and Data Management, and each one of those provides further options.

The product’s reporting functions did not disappoint either. Integrity gives system administrators a long list of reports to select from, including activity, event, and admin-based reports. Also available are reports on usage of hot-button applications such as IM and e-mail.

Installing the software on a Compaq ProLiant Windows 2000 Server was painless, although I discovered that I could not configure the database from within an existing installation. I had to uninstall and then reinstall Integrity, being sure to configure the database during the initial installation. Integrity automatically installs licensed versions of Sun’s JRE (Java Runtime Environment) and Apache Tomcat 4.0. Integrity Server can use either a built-in database that will support up to 1,000 concurrent users or a relational database such as Oracle or Microsoft SQL Server, for which you’ll need your own licenses.

Although Integrity 5.0’s new features make it even more valuable, powerful, and flexible, it’s still a Windows-only application and doesn’t support Unix, Linux, or Mac clients.

If you have a Windows-only company with a sizeable remote workforce and you’re looking for a mature, robust security solution that can handle today’s cutting-edge applications, Zone Labs Integrity 5.0 deserves serious consideration. At $85 per seat, including the IM module, it’s not cheap, but it will cost you considerably less than the network breaches and virus outbreaks it can prevent.