INFORMATION LEAKAGE

Content Inspection Appliance 1500
REVIEWED BY MIKE CHAPPLE

Code Green Networks
Price: Starts at $25,000 for networks with up to 250 users

[IMAGE] [IMAGE] [IMAGE] [IMAGE]
[IMAGE] [IMAGE] [IMAGE] [IMAGE]
[IMAGE]
[IMAGE] [IMAGE] [IMAGE] [IMAGE]
[IMAGE]
[IMAGE]
[IMAGE] [IMAGE] [IMAGE] [IMAGE]
[IMAGE]
[IMAGE]

As organizations increasingly turn security focus from outside attackers to the threat from within, they are beginning to consider information leakage tools. Code Green's Content Inspection Appliance 1500 (CI-1500) is among the still- maturing handful of products designed to detect sensitive information leaving the enterprise.

Policy ControlA-  
Code Green's primary detection engine uses proprietary technology to develop many short "fingerprints" of each piece of submitted content.

Code Green also supports the use of regular expression matching rules to protect against users extracting content from databases and other structured data sources.

The challenge here is determining and managing rules for what constitutes sensitive data. This may be a straightforward task for companies with clearly defined document-classification policies, but it could pose a considerable challenge for less mature organizations.

You create policy rules based on content match, traffic source and destination, protocol, and desired action.

A document triggers an alert if it contains at least one fingerprint from the Re...

We were impressed with the range of file types covered--390 according to Code Green--including all standard productivity software, such as Microsoft Office, Acrobat and WordPerfect, as well as other formats such as AutoCAD, Flash and .exe/.dll binary files.

Configuration/ManagementA  
The appliance ships with default policies and settings. We simply booted it up, attached it to a network tap and were monitoring traffic.

We then explored the content registration and policy creation process. The CI-1500 allows you to register individual content files through a Web upload, scan Windows and NFS file shares, and integrates with Stellent and EMC Documentum content management systems.

We evaluated both the Web upload and Windows file share registration options and had no difficulty adding new content. We also created policies based on customized regular expressions.

EffectivenessB  
We ran the CI-1500 through a variety of tests designed to thoroughly evaluate its content-inspection capabilities. It successfully detected Microsoft Office, Adobe Acrobat and text documents that we attempted to send via Web upload and email. We tried cutting and pasting document sections into other formats, and the appliance detected our circumvention attempt. It also scanned and detected protected content in .zip files.

The appliance's Achilles' heel, common to content-inspection products, is its inability to inspect encrypted traffic. An insider aware the organization performs content filtering can simply encrypt outbound traffic (for example, using Gmail) to bypass the appliance's scrutiny. The ideal solution would be to integrate a Web proxy server to allow for SSL decryption and inspection.

ReportingB+  
The CI-1500 provides a fairly robust reporting mechanism. Administrators may use one of nine predefined reports (such as top-matched policies, policy violations by protocol and top-source emails of policy matches) or create their own based on specified criteria (such as time, policy violated, source/destination IP, content).

Verdict
Code Green's CI-1500 could prove valuable to organizations with well-defined classification schemes.

Testing methodology: The CI-1500 was tested in a network of Windows and Macintosh clients using a variety of common file formats, including Microsoft Office files and Adobe Acrobat documents.