Cyberoam EDP 3.2
Strengths: Impressive range of endpoint controls, easy to deploy, good management tools, excellent value, modular format
Weaknesses: Deployment tool cannot identify client OS, agents 32-bit, AD support basic
Verdict: Cyberoam's EDP offers probably the most comprehensive range of access controls, is easy to deploy and priced to suit a wide range of businesses
Not content with an impressive portfolio of UTM security appliances, Cyberoam has turned to endpoint security and delivered a software product offering a far greater range of access controls than any of the established solutions.
Its endpoint data protection (EDP) product controls access to removable media and workstation ports and adds optional controls for IM apps, email and applications. There's much more, as it also offers encryption, data protection, hardware and software inventory and asset management.
EDP is completely modular, with the device control option looking after all ports, including USB, serial, network, audio, infrared and Bluetooth. The data protection module provides encryption of removable storage devices, shadow copying of transferred data and file-transfer controls for IM apps and email.
The application control module uses classes to determine which applications users are allowed to run. Finally, there's asset management, which adds hardware and software inventory, plus change and patch management. If you want the lot, then go for the full management suite, which looks good value.
EDP comprises a central server, management console and client agents. If you're using Vista, 7 or Server 2008 as a management host, you must manually install SQL Server Express 2005 prior to loading the server.
Using the separate utility, we deployed the EDP agent to test clients comprising Windows XP, Vista, 7, Server 2003 and 2008 systems. It's a smooth process, but it was annoying that the utility couldn't identify the operating system on any of the test hosts, which could be an issue with larger networks.
The EDP console displays all managed systems in the left pane and new agents are placed in a default group. It's easy to create new groups to represent offices, departments and so on and drag selected agents into them. Policies are assigned at the system or group level and using a base policy for the default group allows access controls to be applied the moment the agent has been deployed.
EDP does support Active Directory, but it's not as polished as products such as DeviceLock. The console displays all logged-in AD users, but it can't import them from a domain controller. Instead, they need to be placed in EDP groups, where policies can be applied to them, although these can't include system policies.
The main console offers a row of tabs for accessing the auditing, event log, policy creation and monitoring tools. The audit tab provides basic information about selected systems, including the installed operating system, computer name and uptime - and you can switch to viewing lists and graphs of active applications.
For policy creation, you select the system or group from the left pane and pick either the basic or advanced policy tab in the main window. Basic policies function at the system and group level and enforce access rights to system operations and settings.
We were able to block users from accessing Windows features such as the Control Panel, Device Management and Task Manager, and from editing the registry. We could even block access to the System Restore function, to stop systems being rolled back to a point before an agent was loaded.
Device policies control access to any type of device that can be plugged into a workstation. We tested with a selection of USB storage devices and found that although the client system loaded their drivers, they remained inaccessible. EDP can block access to unwanted hardware such as USB storage and network devices, but allow HIDs (human interface devices) to be used.
The application control module shows what's running on a system or a group and uses classes to stop users getting around its controls by changing filenames. Using EDP's software inventory, you can view all identified applications, drag them into classes and apply your desired restrictions.
We used blocking policies for resident P2P apps and after applying them, users could no longer load the likes of BitTorrent, as the executable was unavailable. We also asked to be notified when these actions occurred and pop-up windows duly appeared on the admin system.
Advanced policies look after email, IM apps, documents and printing. Email policies control what is being sent and use details such as the sender, recipient, subject and attachment name and size to determine whether to block a message.
IM policies control file transfers and enforce extension type and size restrictions. A smart feature is the option to allow transfers but back up each file to the EDP server. Document policies restrict access to selected file types and we could block access or backup for read, modify or delete operations and apply these to disk types such as fixed, removable or optical.
EDP's asset management module provides endpoint vulnerability assessments, critical patch lists, logs of changes to hardware and software and even software tools. Event logging is extensive and extends to real-time viewing of IM conversations and all emails for selected clients.
Encryption is applied using advanced policies, which assign user rights to specific pieces of removable media. Only users who are within EDP and hold the relevant rights can access that media and decrypt its contents.
There is a good choice of established endpoint control solutions, but Cyberoam's EDP has just raised the bar. It delivers an incredible range of features that far outstrips the competition. It is simple to deploy and manage and its modular format means you only buy what you need.