Assentor Compliance is a workable solution for monitoring e-mail and IM. Its open lexicon gives the product enough flexibility
to handle typical business compliance needs and meet requirements of specific industries such as finance and health care.
It stops short of handling all types of communication used to distribute sensitive data. Web mail, for example, isn’t handled.
Furthermore, administrators must build policies for specific data-protection regulations.

Reconnex iGuard 3300, Version 1.4

Reconnex offers strong network traffic coverage, comprehensive policies, and above-average reporting. Yet this solution does
one better than other solutions in an important way: iGuard’s custom file system writes all communications data at gigabit
line speed. In addition to banishing network lag, this feature captures unknown attachments, allowing examiners to do complete
forensic analysis. However, iGuard doesn’t block communications that violate policies.
iGuard units typically install below an outbound firewall using network taps, or they connect to SPAN (switched port analyzer)
ports on switches.
You get predefined policies and rule sets (filters) for all the top violations, including violations of Gramm-Leach-Bliley,
HIPAA, and Visa CISP (Cardholder Information Security Program). Business users can edit these policies and create basic new
ones by picking and choosing options from the Web GUI.
There wasn’t a business circumstance I couldn’t accommodate. For instance, I defined policies for specific network exit points,
document type, and both inbound and outbound traffic. However, creating intricate policies (such as those monitoring full
regular expressions) entails using a command line interface, and this requires some expertise. But I appreciated the ability
to easily rerun a changed policy on captured data, which helps ensure nothing is missed.
Like Tablus, iGuard is port agnostic: Because it looks for the structure of the protocol, it had no problems monitoring all
types of e-mail traffic, IM, and FTP file transfers. Additionally, the system had no difficulty cracking open encrypted messages
sent using SMTP, chat, and Web mail.
This solution doesn’t identify attachments by extension. Instead, it uses a special process to look for binary signatures.
In my testing, iGuard quickly decrypted compressed .zip and .tar archives, reviewed Microsoft Office documents, checked PDFs,
and scanned source code for violations. It also properly identified files purposely renamed with a wrong extension. Although
Reconnex’s philosophy is to remain passive (it doesn’t block messages), its alert mechanism worked as well as the alert mechanisms
in the other products. In real time (less than 40 microseconds), iGuard sent a message to designated managers when it sensed
a violation. Also, the software will send a trigger to your mail server so any existing quarantine technology is invoked.
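
The extension-independent identification described above, as a short added example (not Reconnex's code or its actual signature set): it matches well-known public file signatures at fixed offsets and flags attachments whose extension disagrees with the detected type. The signature table, extension map and sample inputs are constructed for illustration.

```python
# Added illustration: identify a file by its leading bytes ("magic numbers")
# and flag names whose extension disagrees. Not Reconnex code.
import os

# (offset, signature bytes, detected type). Well-known public file signatures.
SIGNATURES = [
    (0, b"%PDF-", "pdf"),
    (0, b"PK\x03\x04", "zip"),
    (0, b"\x1f\x8b", "gzip"),
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy .doc/.xls/.ppt
    (257, b"ustar", "tar"),  # POSIX tar magic sits at offset 257
]

# Extensions treated as consistent with each detected container type
# (an assumption for this example; a real policy would be broader).
EXPECTED_EXT = {
    "pdf": {".pdf"},
    "zip": {".zip", ".docx", ".xlsx", ".pptx", ".jar"},
    "gzip": {".gz", ".tgz"},
    "ole2": {".doc", ".xls", ".ppt", ".msg"},
    "tar": {".tar"},
}

def detect_type(data: bytes):
    """Return the detected type, or None if no signature matches."""
    for offset, magic, kind in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return kind
    return None

def check_attachment(filename: str, data: bytes) -> dict:
    """Compare the content-derived type with the claimed extension."""
    kind = detect_type(data)
    ext = os.path.splitext(filename)[1].lower()
    mismatch = kind is not None and ext not in EXPECTED_EXT[kind]
    return {"name": filename, "detected": kind, "extension": ext, "mismatch": mismatch}

# Constructed sample inputs (headers only, not real documents).
SAMPLES = [
    ("report.pdf", b"%PDF-1.4\n..."),
    ("holiday.jpg", b"PK\x03\x04" + b"\x00" * 26),        # zip renamed to .jpg
    ("notes.txt", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8),
    ("backup.tar", b"\x00" * 257 + b"ustar\x00"),
    ("readme.txt", b"plain text"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(check_attachment(name, data))
```
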
The supplied reporting engine allowed me to drill down from executive reports on policy violations to details about an incident
along with the object that triggered the event. I wished iGuard would highlight the offending part of an attachment, a feature
planned for a later release. Reconnex said it will soon offer an offline monitoring console so administrators can view incidents
from all appliances in aggregate and also perform forensic searches of data at rest. Currently you need to jump to each individual
appliance for reporting, which you can do from one browser.
As with the other products, I could generate reports based on the policy violated or other search parameters, such as sender
e-mail address. I also subscribed to incidents that matched a custom filter and scheduled e-mail delivery of these reports.
Workflow rules, which aren’t in all such products, saved me a lot of effort in reviewing incidents. I set up iGuard so that,
upon detection of source-code violations, it would gather and zip all the evidence and then send it with a summary to the
appropriate investigator.

iLumin Assentor Compliance 3.3
iLumin Software Services, ilumin.com

Good 7.8

| Criteria | Score | Weight |
|---|---|---|
| Ease-of-use | 8 | 20% |
| Features | 8 | 20% |
| Performance | 7 | 20% |
| Reliability | 8 | 20% |
| Scalability | 8 | 10% |
| Value | 8 | 10% |

Cost: Basic Mailbox Management begins at $15 per mailbox
Platforms: Microsoft Windows 2000 Server or Windows Server 2003
Bottom Line: Assentor Compliance scans and archives messages, and helps ensure e-mail follows corporate and regulatory requirements. It
works well with all e-mail platforms, plus it supports IM, Bloomberg, and BondDesk. The UI isn’t pretty, but admins can use
it to quickly adjust message-retention length and other characteristics such as keywords to watch.
About our Reviews and Scoring Methodology

Reconnex iGuard 3300, Version 1.4
Reconnex, reconnex.com

Excellent 8.9

| Criteria | Score | Weight |
|---|---|---|
| Ease-of-use | 9 | 20% |
| Features | 9 | 20% |
| Performance | 9 | 20% |
| Reliability | 9 | 20% |
| Scalability | 9 | 10% |
| Value | 8 | 10% |

Cost: $70,000
Platforms: Proprietary appliances
Bottom Line: iGuard analyzes multiple protocols and content types at network speeds, giving immediate views to insider threats. Users easily
create customizable rules for message monitoring, capture, storage, and data mining. Examiners receive notifications of violations
and effortlessly view the actual content. This system is notable for saving all communications.

Tablus Content Alarm NW 2.1
Tablus, tablus.com

Very Good 8.4

| Criteria | Score | Weight |
|---|---|---|
| Ease-of-use | 8 | 20% |
| Features | 8 | 20% |
| Performance | 8 | 20% |
| Reliability | 9 | 20% |
| Scalability | 9 | 10% |
| Value | 9 | 10% |

Cost: Starts at $25,000
Platforms: Hardened Linux appliances
Bottom Line: Content Alarm’s distributed, scalable architecture is especially appropriate for global enterprises. A combination of linguistics
analysis, keywords, and signatures initially discovers the damaging data. File crawlers accurately classify information and
manage documents through their lifecycle. An encrypted audit log maintains message details.

Vericept Enterprise Risk Management Platform 7.1
Vericept, vericept.com

Very Good 8.5

| Criteria | Score | Weight |
|---|---|---|
| Ease-of-use | 9 | 20% |
| Features | 8 | 20% |
| Performance | 8 | 20% |
| Reliability | 9 | 20% |
| Scalability | 9 | 10% |
| Value | 8 | 10% |

Cost: Ranges from less than $3,000 to $1,000,000, depending on implementation, number of users, and modules
Platforms: Appliance or licensed application running under Red Hat Enterprise Linux 3.0
Bottom Line: Vericept’s monitoring, reporting, and inquiry tools help spot general data-leak problems; reports verify compliance. Flexibility
is strong, with time-based inspection of inbound and outbound traffic and automatic routing of problematic messages to designated
auditors, but messages aren’t blocked. Managers can either use built-in categories or customize rules.