Content Inspection Appliance 1500
REVIEWED BY MIKE CHAPPLE
Code Green Networks
Price: Starts at $25,000 for networks with up to 250 users
As organizations increasingly turn security focus from outside attackers to the threat from within, they are beginning to consider information leakage tools. Code Green's Content Inspection Appliance 1500 (CI-1500) is among the still- maturing handful of products designed to detect sensitive information leaving the enterprise.
Code Green also supports the use of regular expression matching rules to protect against users extracting content from databases and other structured data sources.
The challenge here is determining and managing rules for what constitutes sensitive data. This may be a straightforward task for companies with clearly defined document-classification policies, but it could pose a considerable challenge for less mature organizations.
You create policy rules based on content match, traffic source and destination, protocol, and desired action.
A document triggers an alert if it contains at least one fingerprint from the RedList of restricted content (the GreenList holds permitted content). Actions include notifying the administrator, retaining a copy of the offending document, sending a syslog report and blocking/rerouting email messages.
We were impressed with the range of file types covered--390 according to Code Green--including all standard productivity software, such as Microsoft Office, Acrobat and WordPerfect, as well as other formats such as AutoCAD, Flash and .exe/.dll binary files.
We then explored the content registration and policy creation process. The CI-1500 allows you to register individual content files through a Web upload, scan Windows and NFS file shares, and integrates with Stellent and EMC Documentum content management systems.
We evaluated both the Web upload and Windows file share registration options and had no difficulty adding new content. We also created policies based on customized regular expressions.
The appliance's Achilles' heel, common to content-inspection products, is its inability to inspect encrypted traffic. An insider aware the organization performs content filtering can simply encrypt outbound traffic (for example, using Gmail) to bypass the appliance's scrutiny. The ideal solution would be to integrate a Web proxy server to allow for SSL decryption and inspection.
Testing methodology: The CI-1500 was tested in a network of Windows and Macintosh clients using a variety of common file formats, including Microsoft Office files and Adobe Acrobat documents.