This article can also be found in the Premium Editorial Download "Information Security magazine: Compliance vs. security: Prevent an either-or mentality."
Download it now to read this article plus other related content.
|About this Review|
Information Security deployed six portable storage device control products in our test lab.
All the products were tested in a Microsoft Windows environment with Active Directory, although some supported Novell. All the products utilized either an embedded or external version of a SQL database.
Our testing environment included wired and wireless network connectivity with both desktops and laptops, supporting an array of portable storage devices including USB flash drives, FireWire external hard drives, CD-RW drives and floppy disk drives. Our testing also included PDAs and serial docking stations, smart phones with Bluetooth connections, PCMCIA wireless adapters and multifunction printer/scanner/fax/copier machines on both USB and parallel ports.
Concentrating on real-world scenarios, we blocked devices such as portable music players and storage devices (flash drives, FireWire drives) while allowing legitimate peripherals including keyboards, mice, printers, faxes and scanners. Drilling down into the granular policies, we set CD/DVD drives to read-only and disabled Bluetooth and IrDA connections, while allowing WiFi use.
Multiple attempts to introduce devices contrary to policy were performed using a variety of devices and connections, including portable storage devices infected with known malware including worms, Trojans and keyloggers.
--SANDRA KAY MILLER
All the products we tested have similar architectures--server, console and client/agent--based on a Windows platform, although each included support for Novell's directory services. We deployed each product on an identical simulated enterprise network (see "About This Review," at right) using numerous desktops and laptops, supporting multiple ports and removable storage devices.
Centennial's DeviceWall was the easiest product to install, since it requires only two components--the Control Center and the Client Service. With a half-dozen ways to roll out the client, DeviceWall got our top vote for installation and configuration.
ControlGuard and DeviceLock have similar setups, consisting of a server, client and multiple Windows-based ways to administer the product (Active Directory, MMS, SMS, GPO). With two different client agents--active and passive--ControlGuard gave us more to consider during setup. We deployed both types of agents and concluded that this aspect of ControlGuard should be simplified with a single agent that could perform in either or both modes.
DeviceWall and DeviceLock had easy install wizards that walked us through setting up initial permissions and policies. DeviceLock's wizard allowed us to set permissions for ports and devices, getting us running quickly.
Installing and configuring Workshare Protect Mobile took the most effort, because it is part of an enterprise suite of three components. It delivered comprehensive endpoint protection, but didn't provide the depth of granularity or functionality as the other products.
The installation of SecureWave was the most difficult, because of its four components--a database server, an application server with two subcomponents, the management console and the client. We also encountered several client deployment issues that required extra time reconfiguring our firewall.
This was first published in March 2007