Protect systems from unauthorized portable storage devices and connections
Portable storage devices are handy, but they've helped render PCs and laptops much less secure. Shortly after the release of the Apple iPod, clever people figured out that in addition to storing music, the pocket-sized devices could be used to quickly siphon off programs and data from nearly any computer. USB flash drives now hold several gigabytes of data and, with their fast transfer speeds, offer unlimited possibilities for the quick and undetectable theft of company data or the introduction of malware or other unwanted programs. A seemingly endless stream of small, fast devices has appeared on the market, enabling connectivity and data transfer with nothing more than a USB or FireWire port. Windows automatically recognizes and configures many portable storage devices in seconds without additional drivers.
IT departments of every size need to be able to control which users can connect what types of devices to company computers and whether users are allowed to read from and/or write to connected devices. Loss of company data could be more than just an embarrassment; it could violate the law.
Completely disabling all external ports isn't a viable solution—portable devices have too many legitimate uses. Users need to be able to move data around, sync PDAs and mobile phones to their computers, and connect to other devices, such as printers.
Fortunately, several software products are now available that let administrators not only enable and disable ports, but control the types of access that individual users or groups can have to ports. With this type of software in place on a laptop, a sales rep can sync her PDA to the computer, but someone who logs onto that computer with different credentials and plugs a PDA or USB device into one of its ports can't sync the PDA to steal the rep's customer contacts or download data to a USB device. Of course, these software products don't fix all the potential security problems presented by portable media devices, but they're a start.
I tested three products designed to address the need to control access to PC ports: GFI Software's GFI EndPointSecurity 3.0, Centennial Software's DeviceWall 4.0, and SmartLine's DeviceLock 6.0. Each of these products allows control of a variety of ports and devices, such as portable media players, USB memory sticks, CDROM/DVD drives, Compact-Flash and other memory cards, floppy disks, PDAs and mobile phones, network cards, and Wi-Fi, Bluetooth, USB, and FireWire connections. A fourth vendor, SecureWave, didn't make its Sanctuary Device Control product available in time for this review.
GFI EndPointSecurity 3.0
Figure 1 shows the GFI EndPointSecurity 3.0 console. You use this console to create Protection Groups, which contain machines whose ports you want to secure from unauthorized access by portable devices. For each Protection Group, you create a Protection Policy that specifies user and group permissions obtained from Active Directory (AD) for each type of device. GFI EndPointSecurity can control access to portable USB, FireWire, and Bluetooth devices; media players; mobile phones; PDAs; CD-ROM/DVD drives; memory cards; and network cards.
The various devices are grouped by type, so permissions for a user or group apply to all storage devices, or all PDAs, or all CD-ROM/DVDs, regardless of whether they're connected via USB, FireWire, or other method. Users and security groups can be added to the policy for each Protection Group. GFI EndPointSecurity, like the other products reviewed, works well with AD.
From the GFI EndPointSecurity console, you deploy the agent program to individual computers or entire Protection Groups. Agent deployment is fast and requires no user intervention. The agent, like the other clients reviewed, can't be stopped or uninstalled by users with normal user rights; users with administrative privileges, however, would be able to defeat any of the reviewed clients.
Access to devices can be read only or read/write (or prohibited if you don't specify one of the two types of access). For example, granting a user read-only access to a USB drive lets the user copy files from the drive to the computer. Granting no access rights to storage devices prohibits their use, no matter what type of port a user connects them to. Users won't be able to read files to or copy files from memory sticks or media players.
Creating Protection Policies and adding users or groups to policies is quick and easy to do in the GFI EndPointSecurity console, which is a standalone application not integrated with Windows management tools. The console interface makes it easy to see which computers are currently protected. Unfortunately, the ability to grant temporary device access to offline users, a useful feature present in the other two products, isn't available here.
GFI EndPointSecurity logs device-related activity to the software's event log or to a SQL Server database. Both successful and unsuccessful device access and file transfer activity is logged. The ability to log to a SQL Server database is a nice feature that all three products possess. It lets you centralize company-wide activity in one location and use SQL Server reporting utilities to create reports. However, GFI EndPointSecurity's installation process doesn't automatically create the database on the SQL Server system, which I found to be a minor irritation.
GFI also makes the GFI EndPointSecurity ReportPack, an add-on application that lets you view the large number of included reports, schedule automated reports, and create new reports. For businesses that don't already use a separate SQL Server reporting utility, ReportPack is a worthwhile add-on, although I prefer DeviceWall's approach of including the reporting features in the same application as the policy manager.
Overall, I found GFI EndPointSecurity to be a straightforward, solid application. It's designed strictly to help secure network endpoints from unauthorized device use, and it does this well, with a clean, easy-to-use interface. Using USB flash drives, an iPod connected via FireWire, an SDRAM card, and a Bluetooth-enabled mobile phone, I wasn't able to defeat GFI EndPointSecurity's client protection.
| Summary |
GFI EndPointSecurity 3.0
PROS: Ability to divide computers into groups and apply policies by computer group as well as by user; good AD integration; easy to use
CONS: Separate, extra-cost reporting application; SQL Server database not automatically created during setup; no temporary device access capability
RATING: 4 out of 5
PRICE: $625 for up to 25 computers, volume discounts available
RECOMMENDATION: This is a solid solution for companies that want the ability to manage computers in groups, have some in-house SQL Server reporting tools, and don't need to grant offline users temporary access to devices.
CONTACT: GFI Software * http://www.gfi.com * 888-243-4329
Centennial Software's DeviceWall 4.0 protects endpoints from access by portable devices and media that plug into USB and FireWire ports, LPT and COM ports, floppy drives, and CD-ROM/DVD drives. Device-Wall can also manage Wi-Fi, Bluetooth, and infrared wireless connections.
Before you can install DeviceWall, Microsoft IIS and Web Distributed Authoring and Versioning (WebDAV) must be installed and enabled on the DeviceWall server. If SQL Server isn't already installed, DeviceWall automatically installs an instance of Microsoft SQL Server Desktop Engine (MSDE). The IIS and WebDAV requirement is a bit of a drawback because of the additional installation and configuration that you must do if you don't already have IIS with WebDAV running.
DeviceWall uses the same idea of a central console as do the other products reviewed. You deploy the DeviceWall agent to client computers through the DeviceWall Control Center console. As Figure 2 shows, the console also lets you define policies that specify how users and their devices can interact with network computers. The console is clean and easy to use. Reports on the log data are built into the console interface, which makes them easy to find and run.
DeviceWall offers more robust user permissions than the other two products by including an explicit Deny permission that overrides other permissions. However, DeviceWall doesn't let you group like computers together for the purposes of applying a set of appropriate permissions. You apply permissions by user only, so a user who has permission to attach a USB storage device to a laptop will have the same permission on a server, which might not be appropriate.
I used a variety of devices to try to subvert DeviceWall's security, but I was blocked every time. DeviceWall includes an option to not notify users when device access is blocked, a useful feature for discreet access monitoring.
DeviceWall supports more-specific device profiles than the other two products. While GFI EndPointSecurity includes a device profile called PDA, DeviceWall includes separate profiles for Pocket PC, Palm OS, BlackBerry, and smart phones. This is a nice feature for organizations that have standard types and brands of external devices and want to block nonstandard devices. DeviceWall also lets you create new device profiles, another good feature for organizations that have standardized on certain devices or want to.
One of DeviceWall's most interesting features is the Temporary Access Tool. When a user isn't connected to the network and wants temporary access to a device that's ordinarily blocked, the user launches the Temporary Access Tool. The user receives a code and calls the administrator, who then generates a response code for the user. After the user types in the correct response code, he can access the device until he logs out. For a company with many mobile users, this is an extremely useful feature.
Another interesting feature of DeviceWall, which I didn't test, is the ability to encrypt data copied onto a flash drive using 256-bit AES and Blowfish ciphers. DeviceWall 4.5, which became available after I performed my tests, adds logging of data moved between portable devices and the network, an improved temporary device access capability, and support for the Apache Web server.
Of the three products I tested, SmartLine's DeviceLock 6.0 is the most integrated with Windows management tools. You can deploy the agent by using the DeviceLock console or by using Microsoft Systems Management Server (SMS), a benefit for those already using SMS. Further, in addition to its standalone console, which Figure 3 shows, DeviceLock provides a Microsoft Management Console (MMC) snap-in and a policy editor that integrates into Windows Group Policy Editor (GPE) and lets you create DeviceLock policies in GPE.
When the client agent is installed, it scans all the available ports and devices—including internal hard drives, serial and parallel ports, USB and FireWire ports, CDROM/DVD drives, floppy drives, network cards, and Wi-Fi and Bluetooth connections—on the PC and makes them available for use in policies. This approach is quite different from that of the other products, which don't actively search the ports on the computer. The scan allows DeviceLock to produce a list of ports and devices specific to each client PC, but the results aren't significantly different from those of the other products reviewed. And on a large network, DeviceLock's comprehensive scan would be time consuming.
DeviceLock Enterprise Server is a separate component with a console that lets you configure DeviceLock permissions outside of the GPE and centralize logging data that's otherwise stored on each client. As with the other products in this review, DeviceLock Enterprise Server uses SQL Server to store the logging data. Unfortunately, DeviceLock provides no out-of-the-box way to produce reports on the logging data, so a third-party reporting utility is required to make the best use of the audit trail.
One feature that's unique to DeviceLock is the ability to schedule device policies to take effect at certain times of the day. For example, a business that doesn't require users to lock or log off their computers at the end of the business day could set a policy that locks down all devices at 6 P.M. to prevent data theft by someone in the office after hours. Like DeviceWall, DeviceLock includes the ability to grant temporary device access to offline users.
DeviceLock also has a couple other unique features. Administrators can allow access to specific CD-ROM/DVD media by uniquely identifying them, even if a policy specifies that the drive is normally locked. This feature could be used, for example, to allow internal training CD-ROMs to be used by anyone without having to grant temporary access to a CD-ROM drive. DeviceLock can also make a shadow copy of all data sent to external storage devices or transferred through serial and parallel ports, so you could audit not just filenames but the actual content copied.
As with the other products, I wasn't able to defeat DeviceLock with my array of portable storage devices. Despite the lack of included reporting tools, DeviceLock is a solid, reliable endpoint security product, although it's a bit more expensive than the other products reviewed while offering similar client protection.
Getting the Job Done
It's important to remember that each of these products secures a computer's ports and devices only when the client agent is running on the endpoint. The products help prevent casual data theft made possible by the current crop of small, high-speed portable devices. A more concentrated attempt at data theft by removing a laptop's hard drive or booting from a live CD that contains Linux or another OS will defeat the device control offered by these products.
That said, all three of the reviewed products get the job done in terms of helping prevent data loss due to the connection of unauthorized devices. No matter what device I used to try and steal data, I was prevented from doing so by the policies I created.
Also, each of the products can use SQL Server for centralized collection of auditing data. This is vital because without a centralized audit database, auditing and reporting is time consuming, if not completely unfeasible. Beyond the basics that each of these products handles admirably, I was most impressed by the robustness of DeviceWall's device profiles as well as its support for manually creating new device profiles. This gives administrators the ability to limit connections to specific brands of devices in addition to specifying the general types of devices that can connect to endpoints. (See Table 1 to compare the three products' features.)
Reporting on audit data is critical to a timely, comprehensive view of endpoint security, including reporting on where and when unauthorized activity is taking place. DeviceLock is a fine product for organizations that have the reporting tools and skills in-house to develop custom reports from the audit data, and the GFI EndPointSecurity ReportPack add-on offers some very nice reports. However, DeviceWall offers informative reports built right into the product. Because of the flexibility and customizability of DeviceWall and its powerful built-in reporting features, DeviceWall is this Editor's Choice.