ARN

Application whitelisting review: CoreTrace Bouncer

CoreTrace Bouncer 5 provides first-rate application control with a few unique features

CoreTrace's Bouncer 5 is application control and more. Bouncer is the only product in InfoWorld's review that successfully protected against buffer overflows. It also offers unique write protection of whitelisted files and does a nice job of handling updates to controlled applications.

A great-looking GUI, good reporting, and secure sessions between clients and the management server round out the rich feature set. However, Bouncer doesn't cover all program file types, notably those written in interpreted languages such as Python, PHP, or Java.

Started in early 2008, Bouncer consists of a Windows XP Embedded management appliance and supports clients running Windows NT 4 SP6a and later and Solaris 7 through 10. The extra features and security considerations put into this product are evident from the start.

Logging into Bouncer's Control Center management console requires a two-factor USB access token and either physical access to the management appliance or a Remote Desktop Protocol (RDP) session. Connections between the management console and clients are IPSec protected with PKI certificates. This is all automated in the setup of clients and server, and it does not use the normal Windows implementations.

The use of client certificates also aids monitoring. Clients can get new IP addresses, new network interfaces, new names, and so on, yet still be identified and tracked through the use of the certificate. Clients automatically check back in to the management console every 60 seconds using heartbeat packets across two high-numbered UDP ports, or you can schedule the connections for finer-grained control.

Managed computers are collected into groups known as Security Configurations. In fact, calling groups of computers Security Configurations is one of the few minor weaknesses of an otherwise top-of-the-class product. To be fair, Security Configurations are really the grouping of computers along with their defined treatment. But a simpler label would avoid potential confusion.

Three Security Configurations are provided out of the box -- All Installed Systems, Pending Systems, and Unsecured Systems -- but administrators are encouraged to make their own custom groupings. Each Security Configuration (i.e., group) will have its own Bouncer settings and Policy Components defined.

Policy Components are built around the concept of trusted change. Administrators can define Trusted Applications (applications that are allowed to run), Trusted Digital Signatures (all applications signed by the same digital signature can run), Trusted Network Shares (any application in a trusted location can run), and Trusted Users (trusted users can run any program). Each managed computer will inherit the policy components defined for its Security Configuration.
