Security-as-a-Service (SaaS) is something that is relatively new to the world of IT security. Cloud computing is an emerging market; however, the potential cloud computing offers is huge. About a month ago, McAfee contacted The Tech Herald to demo its SaaS Total Protection solution. Below are the results, both the positives and the negatives.
McAfee’s Total Protection Advanced - Small Business Edition is a hosted security service that layers anti-Virus, software-based Firewall, and browser protection in one package. Total Protection Advanced, which was used in this review, offers the extra layer of e-mail protection. Hosted security offers some interesting perks for IT when it comes to security enforcement and management, and McAfee’s offering takes advantage of this by streamlining the security process on a network with single-click installation and policy-based management.
This review covers the setup and management of McAfee Total Protection Advanced - Small Business Edition (Total Protection from here on out), as well as detection coverage for various Malware and other threats. The test covered a lab setup of one Administration computer and three “employee” computers. One computer was left out of the install group as a control device. The computers with Total Protection installed were all updated, including the latest software patches and security updates. The exception was one computer running Internet Explorer 6.0 to test compatibility.
Set-up and Installation:
Total Protection is straightforward when it comes to set-up. Once the control computer (Administration station) has the software installed, all that is left to do is e-mail an installation link to the other computers on the network. Total Protection offers two other levels of installation management for larger networks aside from e-mail. You can perform silent installations and push installations. The fastest way to get the application working is to e-mail the network with the installation link and deploy it.
Once the e-mail is sent and the users install the client, as the administrator you will notice the computers instantly on the administration web console. (See image 1 below) From this point you will want to create groups and policy. Once the groups and policy are set, that’s it for the most part regarding management. The changes are instant, as the Total Protection network will instantly deploy all changes made by the administrator -- or damn near instantly. In policy testing, some settings took effect instantly, and others took hold after about three to five minutes.
Group and Policy creation is point-and-click (See images 2 and 3). The documentation provided both in the introduction e-mail to the service and online explains this process pretty well. However, unlike most cases where security will require complex settings, this setup is intuitive. While McAfee offers a decent default setting, it is wise to create your own policy and groups that are unique to your own network (Note: To make things simple as an administrator, create the policy first and then create the group).
Policy creation is simple to move through; the administration screens offer tabs to cover the Virus, Spyware, Firewall, and Site Advisor settings. The option that stands out is the Firewall management screen, which can prevent desktop management of the installed Firewall; instead, control is turned over to the administrator.
Usage and detection testing:
With Site Advisor as well as the Firewall and anti-Virus on the user’s computer, Total Protection offers a decent layer of security. However, no security solution can take into account that some people ignore warnings and other alerts and disable some security features. If you have read past reviews on The Tech Herald, then you know a favorite test in the lab deals with Malware Core.
If you look at it from a user’s point of view, Malware Core is horrible. A nasty fake Malware removal tool is loaded with Spyware and other junk. If that wasn’t bad enough, it also tries to extort money from the user. After it runs the “system scan” it will gladly remove all the Malware that it found for a fee of about $30 USD. The sad part is, each time we test Malware Core in the lab, the system is clean. As a security person you have to look at Malware Core and at least give credit to the sheer tenacity of the authors who created it. It takes guts to still develop and offer the “product” long after it has been proven to be a fraud.
As you can tell after watching the video linked to below, when visiting the Malware Core site, McAfee tossed up some obvious warnings. However, the object of the video was to point out an important issue when creating policy. Notice that the Firewall prompted the user to take an action when Malware Core wanted to access the Web. The user could allow this connection, thus infecting their system, and likely the network. Now McAfee recommends that the administrator lock down the systems and manage everything, but there is the option to let the user self-govern with regard to the Firewall. Use that option sparingly, if at all. The wrong click can cause serious issues down the line.
McAfee passed the Malware Core test. First there were the warnings, and even the silliest of users would notice them, and the majority would stop their actions (there is always one, however, who will know better than anyone and ignore all the warnings). The second was a full-blown infection, which McAfee caught and removed.
[Screencast Video Link]
[Note: Video edited for time. Total scan time after Malware Core removal was about twenty minutes. Also, the video was not embedded due to capture size. Notice the date on the AV update. This is a little odd, because the IE7 computer used in the Malware Core test was the one computer that was updated with current Virus and Spyware coverage. This could be due to various reasons and was not explored in the testing. Coverage was confirmed however, using the admin console before the test started.]
Aside from anti-Virus and Firewall, Total Protection offers e-mail filtering as well. The e-mail scanning from an administrator's standpoint is granular and very controlling. The filtering works by routing e-mail through McAfee servers, so there are some changes that you will need to make regarding MX settings. Once working, however, the e-mail filtering is great, as you can see in the report in the image below.
The overall rating of the Spam protection offered in the e-mail scanning would hover at a high 98 percent, well within what McAfee claims. However, like MXLogic and other gateway filtering, there is a quarantine area for each user, so false positives are not lost. They can later be added to a whitelist, ensuring delivery.
The documentation for the e-mail set-up is detailed enough to get started with ease. The catch is the MX configuration, which will cause some problems if not correctly configured (this would be where the phrase RTFM comes into play). If you choose the e-mail server security application, you will need to perform some other configuration options; however, the documentation covers this (e-mail server Security Application is only available on Microsoft Exchange and Lotus Domino).
McAfee Total Protection Advanced - Small Business Edition is a good option for smaller businesses that need layered defense and cannot afford the costs associated with many software solutions -- McAfee’s own software products included.
Security-as-a-Service (SaaS), if it is to hold any real value, needs to be cross platform and support everything on a network. One of the failings of McAfee Total Protection Advanced - Small Business Edition is that it would not work on anything but PC (Windows) environments. While this covers the majority of businesses in the world, it leaves out those companies who utilize Macintosh and a flavor of Linux on their systems.
Scanning is partially managed within the cloud, as this is where the definitions and updates come from, and while it requires a local client, there was a noticeable drain of system resources. As you see in the video, one simple scan took about twenty minutes to complete. While testing was complete, and no malicious infections got past McAfee, it is a harsh reality that hosted security still has some growing up to do. The normal McAfee software, the one in shrink-wrap you can order online or pick up in Best Buy, scans almost three times as fast as the SaaS version.
E-mail setup was, again, simple and easy to use. However, the MX settings can be tricky, and aside from an e-mail to explain the setup, there is an assumption that the e-mail is managed by Exchange. During this review, the test used an e-mail server that ran qMail. While e-mail filtering worked correctly, the MX settings that are used in the example list different threshold values than what would normally be used. This leads to one final positive for McAfee: its support.
While knowledge of qMail and e-mail settings helped resolve the issue in the lab, because there was an initial problem with e-mail setup, it was used as a means to test the support (The Tech Herald was given Gold Level support for the review). It is safe to assume that the techs who helped with the e-mail issue were unaware of the fact this was for a review and treated the issue as a normal customer contact.
McAfee offered us the services of an engineer, but we wanted to use the normal support channels that a typical customer would use. The support was fast, but there was an obvious time delay because of international time zones. Samir and Sandeep were the two techs who worked with us on the “support” issue; both were helpful and clear in their e-mails, so direction and advice were easy to follow.
Overall, McAfee Total Protection Advanced - Small Business Edition delivers the level of protection that McAfee claims, but there is still room for the vendor to expand: for example, faster scanning, support for other operating systems, and details for mail servers other than Domino and Exchange. The one thing that shouldn’t change is the support, as that was excellent on its own.
If you want to try the SaaS that is Total Protection, sign up and utilize the trial period. It is well worth looking at and offering it the chance to prove itself.
The total score for McAfee Total Protection Advanced - Small Business Edition was 8/10.
The test is rated on four parts each worth twenty-five points:
1. Integration and Deployment simplicity
Positives: Simple to deploy and install on networks small and large. If you use Exchange, then you will not have the interoperability issues mentioned previously. Most companies use Exchange so Total Protection will fit right in.
Negatives: Windows only, e-mail setup on Linux-based e-mail server was tricky.
2. Management (Including Scanning)
Positives: The Security Center, where the management takes place, is simple to use and offers lots of detail and options. Changes to policy were taken almost instantly. Reports were easy to read.
Negatives: Scanning was slow.
3. Coverage (Malware and e-mail defense)
Positives: Passed Malware Core test and Site Advisor went nuts when attempting to visit malicious sites.
Negatives: None really, with the rapid updating and the management coverage being well rounded. Keep in mind that no definition-based scanner will catch everything.
4. End user management experience and ease of usage
Positives: On the client computers Total Protection can be managed with a few clicks, but depending on the policy in place the bulk of the Firewall controls could be disabled.
Negatives: Resource usage when updates took place. Launching a scan would lag the system some. This never seemed to change over time.
In this test, McAfee Total Protection rated the following:
1. 15 pts
2. 15 pts
3. 25 pts
4. 25 pts
Windows XP SP3 (Completely patched)
Intel Pentium D 3.4 GHz CPU