Total Defense for Business review

Total Defense for Business keeps emails clean, blocks malicious Websites, and protects the endpoint all in one, much like a Unified Threat Management appliance. The cloud-based platform is not very flexible, so if you need to customize policies on an endpoint basis, a less integrated product would be better.

Whoever is in charge of IT at a small business has a lot of things to worry about with a fairly limited budget and limited time to accomplish everything. Total Defense for Business offers small businesses an integrated cloud security platform that allows the administrator to handle endpoint security and Web and email filtering from a single management console. Endpoints have to be kept up-to-date with anti-malware tools, email threats need to be filtered out before the messages reach the user’s inbox, and malicious—or inappropriate—sites need to be blocked. Total Defense for Business offers a fairly robust policy framework to handle all three different tasks to make the administrator’s daily to-do-list easier to manage.

Total Defense for Business is a feature-packed cloud security platform where all the elements are tightly integrated. Total Defense offers anti-malware protection for endpoints, Web and email, such as detecting and removing malware on the endpoint, scanning emails and taking action when malware is detected, and blocking websites attempting to download malware. A robust rules engine allows administrators to create filtering policies and define granular application controls. I created email and Web policies to restrict file downloads, control what files could be uploaded or emailed (for data leak prevention), and prevent users from accessing certain sites and applications which violate corporate policy.

At first glance, Total Defense for Business reminded me a lot of GFI Cloud, a cloud security platform from GFI Software. GFI Cloud also provides antivirus protection (delivered via the company’s VIPRE Antivirus engine) for the endpoint, but its focus is primarily network management, not security. GFI Cloud offers asset management, health monitoring, and remote support. Total Defense for Business is focused on keeping emails clean, blocking malicious websites, and protecting the endpoint, and is essentially a cloud-based unified threat management appliance. I use Sophos UTM as a virtual appliance, and Total Defense for Business felt very similar, except without having to source a server capable of running the virtual machine image.

Getting Started
Small businesses are beginning to realize that cloud security services are cheaper and often easier to manage than on-premise hardware and software. Getting started with Total Defense is pretty simple, as all you really need is the domain’s MX record and information about the Web proxy in order to direct all email and Web traffic through Total Defense’s servers. There is no hardware to deploy or software to configure. 

I received the login credentials for my Total Defense account over email. Logging in, I saw the interface, with tabs for Dashboard, Filter Management, Quarantine, Archive, and Reports. Since this was my first time logging in, I was automatically directed to Filter Management where I could turn on Web and Email filtering. There are a lot of features packed into the platform, and Total Defense does a pretty good job of peppering the screens with relevant help text and links to the User Guide.

Total Defense for Business supports Windows, Mac OS X, and Linux. There doesn’t seem to be a way to apply the security policies to users on smartphones and tablets just yet.

Total Defense sells through the channel, so businesses need to contact their local reseller or distributor to purchase an annual subscription for Total Defense for Business. The list price is $71.50 per user per year, for full Web, Email, and Endpoint functionality. While the price may seem pretty high at first, it’s worth noting that the per-user license covers multiple devices. The company also offers a 15-day free trial for anyone wanting to try out the platform first. Customers can get support over the phone or open up a support ticket online.

Web Filtering
To turn on Web filtering, Total Defense needs my public-facing IP address to recognize all the traffic with that IP address as being part of my network. The service can take up to 24 hours to accept and initialize the IP address, so I had to wait before configuring my Web proxy settings. I had the option to turn on user authentication with Web filtering, which means users have to log in to prove they are authorized to use the Total Defense platform.

I created an exceptions list of sites which should never be filtered, and a block page that users see whenever they attempt to load unauthorized content.

I used the very thorough policy engine under “Policy” to associate several rules together into one user policy. There are 49 site categories (religion, technology, online dating, etc) grouped under nine topics (bandwidth-intensive, entertainment, and information, for example). I assigned the policy to certain site categories and defined the “block” and “allow” rules. I allowed social networking to be available during non-work hours but blocked during work hours (the times are defined under the “Policy hours” sub-heading).

The Web filter automatically scanned Web traffic for malware and blocked threats.

I had the option to flat-out block all Web traffic. I specified how to handle objects on Web sites, such as which file types could be downloaded (.jpg) and which would be blocked (.exe). Another rule defined which applications—such as instant messaging, p2p file-sharing, and Web browsers—would be blocked; if the users tried to run that application on their computers, they saw an error message.

All these rules made up a single Web policy to which I assigned users and groups. I could create as many rules as I wanted and assign them to any number of groups.

To take advantage of these policies, I had to route all end-user traffic through the Web Security Service. I could manually configure the Web browsers to use the proxy server, point the browsers to use the Proxy Auto-Configuration file (created by the service), define Group Policy within Active Directory, or use a login script. I manually configured the proxy servers for this review. This is one area Total Defense’s documentation shines, as the instructions for setting up the proxy were straightforward yet detailed.
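One of the deployment options mentioned above is a Proxy Auto-Configuration (PAC) file. The script below is an added example of such a file, written for this review page and not taken from Total Defense’s documentation or service; the proxy host and port, the internal domain and the direct-access host list are placeholders. It sends everything through the filtering proxy except internal hosts and private addresses, and it deliberately omits a `DIRECT` fallback after the proxy entry, because a fallback would let the browser silently bypass the Web filter whenever the proxy is unreachable. The helper functions are defined inline rather than using the PAC runtime’s built-ins (`isInNet`, `dnsDomainIs`) so the file also runs under Node for testing.

```javascript
// Added example PAC file (not Total Defense's own). All hostnames, the proxy
// address and the internal domain are placeholders for this illustration.
var SECURITY_PROXY = "PROXY websecurity.example.invalid:8080";
var INTERNAL_DOMAIN = ".corp.example.invalid"; // hypothetical internal DNS zone

// Hosts that must never be sent to the cloud filter. Kept as a short explicit
// list so it can be audited alongside the service-side exceptions list.
var DIRECT_HOSTS = ["localhost", "127.0.0.1", "intranet.corp.example.invalid"];

// True for RFC 1918 private IPv4 literals. Implemented by hand instead of
// using isInNet() so the file is testable outside a browser.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]);
  var b = Number(m[2]);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Decides whether a host stays on the local network (DIRECT) or must be
// filtered. Unqualified names such as "fileserver" are treated as internal.
function isInternalHost(host) {
  host = host.toLowerCase();
  if (DIRECT_HOSTS.indexOf(host) !== -1) return true;
  if (host.indexOf(".") === -1) return true;
  if (host === INTERNAL_DOMAIN.slice(1)) return true;
  if (host.length > INTERNAL_DOMAIN.length &&
      host.slice(-INTERNAL_DOMAIN.length) === INTERNAL_DOMAIN) return true;
  return isPrivateIPv4(host);
}

// Entry point called by the browser for every request.
function FindProxyForURL(url, host) {
  if (isInternalHost(host)) return "DIRECT";
  // No "; DIRECT" fallback here: if the proxy is down the browser fails
  // closed rather than bypassing the Web filter.
  return SECURITY_PROXY;
}
```

The PAC URL itself should be pushed to browsers from a trusted location (Group Policy, as the review mentions, is one way to pin it) rather than discovered automatically, so that the proxy decision cannot be altered by whoever answers a discovery request on the local network.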

I found detailed instructions on installing the client application on the endpoint and using Windows Group Policy to ensure that users are connecting to Total Defense’s Web Security service even when not on the corporate network. Currentware AccessPatrol had a similar feature.

Email Filtering
Email filtering redirects the organization’s email traffic through Total Defense to remove spam, phishing emails, malicious attachments, and other threats. The service needs the IP address of the mail server, the names of all the domains the organization uses to send and receive email, and the public IP address of the computers that will be sending out mail.
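Routing inbound mail through a cloud filter works by changing the domain’s MX records (as the Getting Started section notes), and a common gap after the cutover is a leftover MX entry that still points straight at the mail server, which lets senders deliver around the filter. The following is an added example of a small audit over a domain’s MX records, written for this page rather than taken from Total Defense; the record values and the filtering service’s hostname suffix are constructed placeholders.

```javascript
// Added example (not Total Defense code): flag MX records that bypass the
// mail filtering service. Records and the filter suffix are constructed.
var FILTER_SUFFIX = ".mailfilter.example.invalid"; // hypothetical service zone

// Constructed MX record set for a domain after cutover to the filter. The
// preference-20 entry is a forgotten "backup" MX that still delivers
// directly to the on-premises mail server.
var SAMPLE_MX = [
  { preference: 10, exchange: "mx1.mailfilter.example.invalid" },
  { preference: 10, exchange: "mx2.mailfilter.example.invalid" },
  { preference: 20, exchange: "mail.corp.example.invalid" }
];

// True when the MX host belongs to the filtering service's zone.
function isFilterHost(exchange, suffix) {
  var h = exchange.toLowerCase().replace(/\.$/, "");
  return h.length > suffix.length && h.slice(-suffix.length) === suffix;
}

// Returns the exchanges that would accept mail without passing through the
// filter, sorted by preference (lowest value is tried first by senders).
function findBypassExchanges(records, suffix) {
  return records
    .filter(function (r) { return !isFilterHost(r.exchange, suffix); })
    .sort(function (a, b) { return a.preference - b.preference; })
    .map(function (r) { return r.exchange; });
}

// Summarises the audit so it can be pasted into a change ticket.
function auditMx(records, suffix) {
  var bypass = findBypassExchanges(records, suffix);
  return {
    filtered: records.length - bypass.length,
    bypass: bypass,
    ok: bypass.length === 0
  };
}

// Stand-alone run over the constructed records.
if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditMx(SAMPLE_MX, FILTER_SUFFIX), null, 2));
}
```

Even with a clean MX set, a sender can address the mail server’s IP directly, so the complementary control on the server side is to accept inbound SMTP only from the filtering service’s addresses; the audit above only catches the DNS half of the problem.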

Like its Web counterpart, the policy engine for email filtering is fairly extensive, letting the administrator decide what actions to take with spam and malware. I could also create rules based on certain file types, such as saying no executables would ever be allowed, and that users are not allowed to mail out PowerPoint documents. The outbound rules are useful for DLP as well as for ensuring botnets aren’t just using the computer as a spam or malware relay.

Total Defense offers email address aliases and forwarding addresses, as well as the ability to search mail for certain messages. I can instruct Total Defense to accept or reject emails sent to these special addresses, or silently drop the connection attempts. These capabilities are convenient, but they are part of general mail administration and probably do not need to be on a security platform.

Endpoint Security
Total Defense protects the endpoint with anti-malware scanning and application controls, and can block malware from a variety of sources, including removable media. Total Defense uses its own anti-malware technology, but also enhances its scanning engines with data feeds from multiple third-party sources for Web and email filtering. For the purpose of this review, I did not test the efficacy of anti-malware scanning. However, I note that third-party testing lab AV-Test rated Total Defense in the past as being less effective at cleaning up and repairing malware infections compared to other products.

Management Console, Dashboard
I had multiple ways to create users in Total Defense, including integrating with Microsoft Active Directory, Oracle Internet Directory, Novell eDirectory, OpenLDAP, Sun Java System Directory Server, Apple’s Open Directory, and Lotus Domino; manually creating users by hand on the interface; or uploading a comma-delimited file containing basic user information.

The dashboard provides a lot of information about the network, such as information about total bandwidth and data usage, sites and files being accessed, most common site categories, email volume received, types of attachments, top domains and recipients, and which users are using the most bandwidth. The dashboard also reports what sites have been blocked, which policies have been triggered, and what emails have been blocked or quarantined.

The charts and graphs display data for the past 24 hours, 48 hours, “this week,” and the previous seven days. I did not see a way to customize the dashboard, such as changing the order of the charts and graphs or hiding information I did not really care about. There was no way to drill down into certain areas, and if I needed any details, I had to look at the reports.

The platform has pre-defined reports for the Web, Email, data leakage, endpoint, and “forensics.” The Web reports look at the number of requests and bandwidth consumed and display information on sites, users, categories, content types, and blocked content and threats. The email reports provide information on who is sending mail, the users receiving the most mail, blocked mail, where the messages are coming from, and what kind of mail is being quarantined. The DLP report displayed information about files which were allowed to be uploaded or emailed, and files which were blocked from leaving the network. The endpoint reports provided information on what malware and applications were blocked and could be broken out by computer or by user. The forensics report is actually a custom report builder which takes existing reports and accepts other queries to create a drill-down view.

Is it Total Defense?
Total Defense repeatedly emphasized that the platform integrated the three features—Web and email filtering, and endpoint security—to make it easier for administrators to use. While that appears to be true, the platform felt inflexible.

As noted earlier, I haven’t seen other products that do exactly what Total Defense does, but similar products take a modular approach where administrators pick and choose what they need. GFI Cloud separates out endpoint antivirus from the network managing capabilities, so I could decide which computers to apply the products to. As GFI adds other IT and security capabilities to the platform, the administrator will be able to continue picking and choosing what levels of protection users receive. Currentware takes a different approach, adjusting pricing based on which features the business actually wants to have.

I might not need Total Defense for Business for email filtering (if I am happy with my existing solution, for example), but the total cost doesn’t change even though I am not using one-third of the product. There are a lot of great features on this platform, but the biggest selling point for the cloud is flexibility, and that isn’t the case here.

My other quibble with the platform was that policies are applied on a per-user basis, not per-device. It makes sense from a pricing standpoint, but security should be context aware and different devices should be treated differently. I would be more likely to restrict bandwidth-intensive sites on desktops while on the corporate network, but allow those same sites if it’s after work hours on the user’s laptop. Because the policy is applied uniformly to all the devices associated with a user, there is no way to define rules for desktops that differ from those for laptops.

Businesses that already have cloud services or on-premise products they are happy with would not get the most out of Total Defense for Business. Organizations that plan to use all three capabilities and don’t really have many endpoints per user, or don’t mind not being able to differentiate between endpoint types, would do well with the platform. Total Defense for Business helps organizations clean emails, block malicious Websites, and protect the endpoint, using a powerful policy-based framework.

OS Compatibility: Windows Vista, Windows XP, Linux, Mac OS, Windows 7, Windows 8
Type: Business

Published under license from Ziff Davis, Inc., New York, All rights reserved.
Copyright © 2012 Ziff Davis, Inc