Price: Starts at $10 per seat
Proprietary intellectual property may be walking out your door. The proliferation of inexpensive, large-capacity removable storage devices makes it remarkably easy for an unscrupulous user to quickly and quietly steal large amounts of mission-critical data. Centennial Software's DeviceWall 3.1 aims to plug this security hole by providing centralized control over which removable devices users can connect to their workstation--and how they use them.
DeviceWall is capable of recognizing and preventing access to a wide variety of peripherals including PDAs (BlackBerry, Palm), removable CD-RW drives, external USB storage devices, MP3 players and digital cameras. In addition, DeviceWall can be used to lock down wireless ports.
Group-based policies can be pushed to users manually or via a defined schedule, either by selecting the hosts directly from the domain (NT or AD), by importing host names from a file or by specifying an IP range. Installation on our test clients was quick and painless, and worked without flaw.
Although the product works as advertised, its management model is clearly focused on the SMB space. Centennial needs to improve the integration with enterprise environments in order to make large-scale deployments practical.
For example, it would be nice to be able to manage various policies by Active Directory Organizational Units instead of user groups.
In our test lab, we granted specific domain groups access to given devices, and DeviceWall dutifully enforced the restrictions and reported violations back to the management console.
The product handled "off-LAN" users very nicely. If a remote user needs access to a removable device, but can't communicate with the management console, the administrator can generate a temporary access code that will allow the user to use the device until reconnected.
DeviceWall can be set initially in open mode, so managers can audit user activity before implementing restrictive policies.
Both the client agent and management server will install on any Microsoft release from Windows 2000 onward. The management server additionally requires an IIS install with the WebDAV components. Since DeviceWall is squarely focused on the typical corporate desktop deployment, there is no support for non-Microsoft environments.
Although the reporting capabilities of the management console are functional, the canned reports are pretty basic. The administrator can export the raw data in CSV format for more detailed reporting, but this is an extra hassle; we would like to see the reporting beefed up in the base product.
Given that this is clearly an endpoint security solution, it would be great if DeviceWall integrated directly with solutions like Cisco Systems' NAC, so that a device could not even connect to the corporate network if it didn't have the DeviceWall agent installed.
Limitations aside, DeviceWall works and can help an organization gain control of what users are allowed to connect to their corporate workstations. It's an affordable solution that addresses a key niche, and with some more polish could become an important tool in your compliance arsenal.
This product review also appears in the March 2006 issue of Information Security magazine.