Product Group Tests
Network data leakage prevention (2010)
An enterprise-class product with all of the necessary network DLP features. Code Green Networks TrueDLP is our Best Buy this month.
We rate Fidelis XPS 6.0 Recommended for its comprehensive coverage, performance and features.
Full Group Summary
Protecting the main network points is vital in preventing data leaks from organisations. Nathan Ouellette puts four products to the test.
For many organisations, data protection seems to be a much higher priority these days as the value of data continues to outpace all other business-related assets. Whether the motivation is to protect trade secrets, safeguard personally identifiable information or even avoid a regulatory fine, security stakeholders and vendors alike are recognising the growing interest in data leakage prevention. More importantly, they are increasingly interested in how to prevent data from leaving the environment and in ensuring that the policies governing access to and control over the data are enforced properly.
The market for data leakage prevention (DLP or extrusion prevention) has grown significantly over the past few years, as vendors and stakeholders try to sort out the priorities and needs for endpoint and network-based protection.
The main systems responsible for outbound network traffic, and subsequently the potential exposure of sensitive data, are still the primary communications technologies: email and web. Instant messaging, blogging, webmail, file exchanges and collaboration are all potential vectors that users may purposely or accidentally use to leak sensitive data out of the organisation. As stakeholders assess the varying degrees of sensitivity for data in their organisation, the next logical step is to understand where it resides, how it can leave the company and where to apply adequate controls in order to automate enforcement.
In this issue
Some DLP solutions are focused more on protecting the endpoints (workstations, servers, etc), while others focus primarily on the network (email, web, etc). Some products overlap and contain hybrid solutions that cover both.
For our 2010 network data leakage prevention review we focused mostly on the solutions that protect the main network points in an organisation. The vendors provided mostly the same type of solution. They are all appliance-based servers that have capabilities to monitor network traffic, SMTP architectures and web activity and also scan for sensitive data at rest contained in files, folders, network shares and other repositories.
All of the products submitted for testing operate in network modes that require both the ability to see the traffic and the ability to take action on it based on some sort of policy.
Similar to IPS devices that analyse and block different types of traffic on the network wire, these products carry the same types of network configuration requirements. In order to configure a solution to look for information such as credit card data, it must be deployed in-line on the network or connected to a SPAN/mirror port so that it can effectively capture all of the traffic.
Additionally, typical network DLP solutions will need to send network reset packets to prevent traffic from reaching its destination if it is flagged as a policy or rule violation. There are definite network requirements and capacity planning items to be resolved before any business tackles a network DLP solution.
All of the products in this group performed well and work as intended. Each has a web-based interface capable of centralised administration and can also be load balanced and scaled for performance tuning purposes. The fundamental building block of network DLP systems is to feed them policy items and have them properly deployed so that the desired alerting and actions on any given piece of data can be enforced. All of the products did well with this concept.
Differences in implementation range from subtle to drastic. One key difference is how the various protection mechanisms are licensed. Some vendors choose to license their technologies as modules and charge a fee for each element of your network that you wish to protect (one fee for web, one for email).
What may be even more important from an architecture and support perspective is that some solutions actually require several different appliances, each performing a limited function or role. This ultimately alleviates performance concerns but increases overall support needs, and it could easily consume over ten network ports just for capturing and remediation. Buyers should acknowledge that although in-line performance concerns are valid, it is the overall architecture and resource consumption of the solutions that could end up being the deciding factor.
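To make concrete what "feeding a policy item" such as credit card detection looks like, and how the in-line versus SPAN-port deployment choice decides whether a violation can be blocked or only alerted on, here is an added, self-contained Python sketch. It is not code from any of the reviewed products: the policy and flow records, the field names and the sample payloads are constructed for illustration, and the enforce flag stands in for the in-line (block) versus mirror-port (alert only) deployment modes described above.

```python
"""Toy network-DLP policy check (constructed example, not vendor code).

Scans the payload of an outbound flow for primary account numbers (PANs),
validates candidates with the Luhn checksum to cut false positives, and
returns the enforcement action a policy prescribes for that channel.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the normalised (separator-free) PANs that pass Luhn."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


@dataclass
class Policy:
    name: str
    channels: Set[str]      # hypothetical channel tags, e.g. "smtp", "http"
    max_pans: int = 0       # more than this many PANs in one flow is a violation
    enforce: bool = True    # True: in-line, can block; False: SPAN/mirror, alert only


@dataclass
class Flow:
    channel: str
    src: str
    dst: str
    payload: str


@dataclass
class Verdict:
    action: str                     # "allow", "alert" or "block"
    policy: Optional[str]
    matches: List[str] = field(default_factory=list)   # masked, never raw PANs


def mask(pan: str) -> str:
    """Keep only the last four digits so the alert log does not leak the PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]


def evaluate(flow: Flow, policies: List[Policy]) -> Verdict:
    pans = find_pans(flow.payload)
    for p in policies:
        if flow.channel in p.channels and len(pans) > p.max_pans:
            action = "block" if p.enforce else "alert"
            return Verdict(action, p.name, [mask(x) for x in pans])
    return Verdict("allow", None, [])


# Constructed policies: email path is in-line, web path is on a mirror port.
POLICIES = [
    Policy("pci-email", {"smtp"}, max_pans=0, enforce=True),
    Policy("pci-web-monitor", {"http"}, max_pans=0, enforce=False),
]

# Constructed sample flows; 4111... and 5500... are well-known test card numbers.
SAMPLE_FLOWS = [
    Flow("smtp", "10.0.0.15", "mail.example.net",
         "Hi, the card on file is 4111 1111 1111 1111, exp 12/14"),
    Flow("http", "10.0.0.22", "203.0.113.9",
         "order=1234567890123456&ref=2010-03-15"),   # 16 digits but fails Luhn
    Flow("http", "10.0.0.31", "198.51.100.7",
         "notes=customer paid with 5500-0000-0000-0004"),
]


def run_sample() -> List[Verdict]:
    return [evaluate(f, POLICIES) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for f, v in zip(SAMPLE_FLOWS, run_sample()):
        print(f"{f.channel:5} {f.src} -> {f.dst}: {v.action:5} "
              f"policy={v.policy} matches={v.matches}")
```

The Luhn step is what keeps an order number or timestamp from tripping the rule, and the verdict carries only masked numbers so that the DLP console and its alert mail do not become a second copy of the very data the policy is meant to contain.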
How we tested
Our lab server machines consist of Windows 2003 RC2 standard edition images managed with Hyper-V within a Windows 2008 server. Our server and workstation equipment mattered less for this review since each solution came with its own hardware devices. Because of the monitoring and remediation capabilities of some of the solutions, it became apparent that a large number of available network ports must be accommodated, depending on the size of the environment.
Some solutions required part of their product to be installed on client machines. All client software was installed on virtual instances of Windows XP SP3.
Although each of the products performed well strictly from a technology perspective, we were surprised at the lack of professional polish in some of them. We believe our expectations equal those of everyday security buyers and decision makers when assessing the value of any given solution.
Regardless of the quality of each solution presented for review, we recognise it is an interesting time for the DLP market as email and web defence solution providers may look to integrate more DLP related features and change the market somewhat in the future.