Code Green CI Appliance 1500
Swift installation, sophisticated fingerprinting technology, deep Layer 7 inspection, quality hardware platform
No LDAP support, care required with file type filters
The appliance may not yet be perfect, but Code Green Networks offers an easily deployed content inspection solution that can stop sensitive data leaking away
External threats to network security have always grabbed the headlines, but it's a well-known fact that the biggest dangers are likely to come from inside your perimeter. All companies store business-critical information on their local network and it's now essential that they put safeguards in place to make sure that's where it stays.
The internet presents an ideal medium for data to be spirited away, and Code Green Networks offers a solution that monitors all types of internet communications and stops them being used for unauthorised transmissions of sensitive information.
On review is the Content Inspection Appliance 1500, which targets a wide range of businesses. Code Green uses a system of fingerprinting to identify specific files and it advised us it currently supports more than 360 file types. The fingerprints are computed and stored on the appliance, and the methods used ensure that even a severely modified file can still be identified.
Changes to file names won't faze the appliance, and neither will content modifications or even conversion from one file type to another, for example from Word to PDF. It also looks ideal for programming environments, where the appliance can be used to stop source code from being emailed or FTPed out of the company.
Naturally, fingerprinting carries high processing overheads, but the 1500 looks up to the job as it comprises a well-specified Dell PowerEdge 2950 2U rack server equipped with a pair of 2.66GHz dual-core Xeon 5150 processors and 8GB of FB-DIMM memory. Storage is handled by a quartet of 300GB Maxtor SAS hard disks, preconfigured as a RAID-5 array. Network connections are plentiful as, along with two embedded gigabit network adapters, you get two dual-port Intel PCI Express gigabit cards.
For testing we ran the appliance in transparent mode, but it also supports routing. Ideally, you place the appliance behind your firewall and use a network tap to allow it to monitor traffic. It does support switch-port mirroring, but note that it requires ingress and egress port spanning - a feature not all switches support.
In its base mode, the appliance can only passively monitor traffic. If you want to block it, then you need to integrate it with an existing ICAP server. To actively block email, you will also need to run Code Green's MTA inspection agent and route this traffic through one of the appliance's network ports.
Management access can be via a dedicated port on the appliance, although you cannot isolate it on a separate subnet, as it must be able to access the network that is being protected. The web interface opens with a tidy main interface, and your first job is to declare which resources are to be protected. RedLists are used for this function, with sources ranging from SQL Server and Oracle databases to file shares on Windows, Unix or Linux network servers. Code Green can also scan and register data from Stellent and Documentum content management repositories. GreenLists are used to avoid false positives, and can contain items such as a company name or logo, or parts of a document type that are not deemed confidential. Pattern matches are used to denote specific data strings, such as credit card or national insurance numbers.
Policies determine actions when protected data is identified, and these contain the content definition along with sources and destinations. For the latter, you are limited, as LDAP is not supported, so you can't apply policies to specific users and groups. Instead, you use email addresses to identify users or add host, range or network IP addresses. You can apply the policy to outbound and inbound traffic and, in passive mode, you assign one of four severity levels to identify it in the console status screen and reports. Up to three actions can be applied, based on the number of times a pattern is matched.
For testing, we registered a file share on a Windows Server 2003 system that contained a variety of Word documents and created a policy that would flag any matches as high risk. We started by emailing the documents to an external address and watched the appliance flag all these operations. Impressively, the appliance was able to identify the majority of documents even when we stripped out more than 90 per cent of their content. We changed file names, fonts and content and converted them to PDFs, yet each file was still successfully identified. Be careful when applying filters for content registration, though: when we used the MS Office filter, we found it was possible to copy a Word file to another system, edit it in WordPad, save it in RTF format and email it without detection. With the "any" filter in action this doesn't happen.
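As an added illustration (not Code Green's code, and not its actual fingerprinting method, which the review does not describe), a minimal word-shingle fingerprint that still flags an outbound message carrying roughly a tenth of a registered document, the scenario tested above. The shingle size, match threshold and sample documents are constructed assumptions.

```python
import hashlib
import re

SHINGLE_WORDS = 5       # words per shingle (assumed tuning value)
MATCH_THRESHOLD = 0.5   # fraction of a candidate's shingles that must be registered

def shingles(text: str, k: int = SHINGLE_WORDS) -> set[str]:
    """Normalise text and return the set of hashed k-word shingles."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
        for i in range(len(words) - k + 1)
    }

class Registry:
    """Fingerprint store for protected documents (a 'RedList' in the review's terms)."""
    def __init__(self) -> None:
        self.docs: dict[str, set[str]] = {}

    def register(self, name: str, text: str) -> None:
        self.docs[name] = shingles(text)

    def inspect(self, candidate: str) -> list[tuple[str, float]]:
        """Return (document, containment) pairs for registered docs the candidate overlaps.

        Containment is measured against the candidate, not the registered file, so a
        small fragment of a large document still scores highly.
        """
        cand = shingles(candidate)
        if not cand:
            return []
        hits = []
        for name, fingerprint in self.docs.items():
            containment = len(cand & fingerprint) / len(cand)
            if containment >= MATCH_THRESHOLD:
                hits.append((name, round(containment, 2)))
        return hits

# Constructed sample: a 'confidential' document made of ten sentences
CONFIDENTIAL = " ".join(
    f"Section {i} of the merger plan discusses target {i} and projected synergies for year {i}."
    for i in range(1, 11)
)
# Constructed outbound email body that keeps only one of the ten sentences (about 10 per cent)
LEAK_FRAGMENT = "FYI see below. Section 7 of the merger plan discusses target 7 and projected synergies for year 7."
UNRELATED = "Lunch menu for Friday: soup, salad, and the usual sandwiches for the team."

def demo() -> tuple[list[tuple[str, float]], list[tuple[str, float]]]:
    reg = Registry()
    reg.register("merger_plan.docx", CONFIDENTIAL)
    return reg.inspect(LEAK_FRAGMENT), reg.inspect(UNRELATED)
```

Because shingles are built from normalised words rather than bytes, renaming the file, changing fonts or converting to another text-bearing format leaves the fingerprint intact; what matters is which text extraction filter runs on the candidate, which is the caveat the review raises.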
The analysis tab provides plenty of insight into data movement as you can select an incident, view the matches that triggered it and, in our case, load the email that contained the file attachment. Incidents can be assigned to selected appliance administrators with a priority, and their status can be changed, with comments added after they have been closed. The appliance also comes with nine predefined reports on areas such as policy violations, file matches and so on; however, it's easy enough to create your own.
During testing, we felt the 1500 had a few rough edges and the ability to apply policies to users and groups would make it more versatile.
Nevertheless, it is particularly easy to use, and its smart data fingerprinting technology means that little, if any, sensitive or critical data will slip through its net.