Product Reviews

Plug Those Portable Holes

DeviceWall helps you control those portable storage devices on your network.

• By Rick A. Butler
• 06/01/2006

Companies spend millions every year to protect their networks from intruders. They set up elaborate firewall and intrusion detection systems to keep the bad guys out. But that's only one side of the problem.

REDMOND RATING Documentation 20% 8 Installation 20% 8 Feature Set 20% 7 Performance 20% 7 Management 20% 7 Overall Rating: 7.4 —————————————— Key: 1: Virtually inoperable or nonexistent 5: Average, performs adequately 10: Exceptional

It's not just the bad guys outside your network that you have to worry about. The ones inside your network pose an equal or greater threat. Layoffs, outsourcing or other changes in the corporate climate can quickly turn someone who has always been a loyal employee into a threat -- and it's hard to know for sure if and when someone may have turned.

To make the situation even more interesting, almost everyone now uses some sort of portable storage device, such as a USB drive, PDA or iPod. If you're dealing with potentially hostile employees using portable devices, all the external security in the world won't help you. The threat is already there. All it takes is one employee with a grudge to download some sensitive data and carry it over to a competitor or jam a USB drive into their desktop and upload a bunch of viruses.

Behind the Wall
So how do you deal with this pernicious security threat? You have to manage the portable devices attached to your network by locking down ports and preventing access to certain removable devices. A tool called DeviceWall from Centennial Software can help you do this. DeviceWall creates a central management point and deploys clients to machines on which it will control access to removable storage. It also creates a policy-driven architecture to help manage portable device access.

Installing DeviceWall is straightforward. You'll need a server running IIS with WebDAV and access to SQL Server. During installation, you'll have one major security policy decision. You can start with an open policy that allows full access to removable devices and then close down as you go -- or you can lock down everything hard and later open ports and access to devices at your discretion.

You can roll out the client components through a push install, which looks to the server for changes in policy. Users will see a pop-up to let them know of the access restrictions to removable devices.

[Click on image for larger view.]

Figure 1. The DeviceWall Control Center lets you control access to flash drives, CD-ROM drives and all other peripherals and communication ports.

Through the management console, you have control over just about any type of removable device -- PDAs, USB drives, disks and CDs. Depending on which device you're securing, you can establish read, write or full control. Deny permissions work the same as in Windows, overriding any other group membership permission. You can easily assign permissions to users or groups. The policy is then sent out to the client systems.

Up Next Centennial Software recently released DeviceWall 4.0, which adds several features to increase data protection. By encrypting data moved onto a USB flash drive, for example, DeviceWall 4.0 ensures the security and integrity of data while it’s in transit. The new version also has some ease-of-use, management and customization improvements, including: Automatic AES & Blowfish 256-bit data encryption White listing-approved devices for more granular user-permission control First-time Policy Wizard speeds deployment Anti-tampering technology for increased client security.

The Good and the Could Be Better
DeviceWall is a useful tool that serves a growing need. It has some refined features counter balanced by a few rough edges. Three areas where DeviceWall is most impressive are its support for granular permissions, auditing and temporary access.

Granular Permissions: DeviceWall's granularity gives you detailed control over portable devices. You can set up security groups for device families with read, write or full control rights. For example, you could establish rights to write to the memory of a digital camera, but not a CD, PDA or a USB flash drive.

Auditing: DeviceWall supports a good degree of auditing, including auditing changes to policy. Managed nodes will report on removable device usage and attempts to use disallowed devices. All auditing is centralized.

Temporary Access: There may be times when you need to provide one-time access to a removable device for a specific reason. This is extremely helpful because you don't have to go messing around with established policies to permit one-time access. A user needing one-time access starts by going to the DeviceWall client, then collecting a code. He calls that code into the system administrator, who enters it into DeviceWall and provides a counter-code to grant the user temporary access.

There are several areas where DeviceWall could use more work. Among them, Group Policy integration, client strength and device support:

Group Policy Integration: DeviceWall operates within its own policy structure, rather than integrating with Microsoft's Group Policy infrastructure. While not a show-stopping omission, the decision to use a self- standing management stack will increase complexity for organizations that stick to GPOs for management.

Client Strength: No surprise, the people who pose the greatest potential threat are those with the most technical acumen, including IT admins and programmers. They're the ones who know how to find, copy and transport proprietary data off your clients. A determined hacker may be able to get around DeviceWall at the client level by first booting up a system with a Knoppix disk.

Devices Not Covered: DeviceWall doesn't protect serial or parallel ports. While most portable storage devices now rely on USB, FireWire, or SATA connections, a savvy operator could use this knowledge to move data onto a portable device via those connections.

Better Mousetraps or Smarter Mice?
So, DeviceWall will protect you, as long as your node is online and connected to the network. Don't let your guard down, however, because the internal threat could still persist. There are ways that a disgruntled, yet resourceful system admin could copy files to a local hard drive. For example, he could boot offline and then connect a removable device. DeviceWall would no longer be between him and the precious data.

[Click on image for larger view.]

Figure 2. The Audit Log gives you a graphical representation of access attempts, indicating which have been blocked or allowed.

This brings up a key point in system security. Your data is only as safe as the machine on which it's stored. There are myriad tools that can bypass system security and compromise data, and there is no silver bullet to secure your systems against them. Still, DeviceWall is good at what it does. Incorporating DeviceWall into your network security plan is a great step to help prevent one method of data loss.

As with any other security tool or technology, DeviceWall shouldn't be the only part of your plan. Your overall security infrastructure should include a variety of technologies, tools and tactics, such as monitored auditing, access controls, file encryption and restricting working files to the file server. Given these parameters, DeviceWall is a great fit within a carefully considered security plan.