Rollout: Reconnex's iGuard 2600
Posted by Jordan Wiens on January 30, 2007
The Upshot
Reconnex's iGuard 2600 allows for powerful forensic searching of past network data, without the higher cost associated with its big brother, the iGuard 3600. The device monitors your network to find potential leaks.
Sensitive data must be tracked no matter where it is on the network. Content-monitoring devices detect specific data types as they move along, and send alerts when sensitive data leaves the network through e-mail, Web forms, file sharing or chat sessions.
IGuard's ability to capture and retain data as it travels is extremely useful for investigating potential leaks. Its protocol analysis is strong and the user interface is extremely well laid out for both simple quick access to high-level data and in-depth technical analysis. Beware, however, that the process may subject the enterprise to certain legal consequences.
Early content-monitoring packages helped keep spam and porn from entering the network. That same technology now tracks Social Security numbers and other sensitive data that could leave you equally vulnerable when it leaves your network.
Reconnex's iGuard 2600 appliance is the latest evolution of this content-monitoring technology. When iGuard was introduced two years ago, it monitored and recorded network traffic that could violate any number of policies, and stored that traffic on a terabyte drive array. The iGuard 2600 makes that same technology available to organizations that don't need the flagship model's terabyte of storage or high-end, high-availability features, such as hot failover. The 2600 holds 400 GB of data and has a simplified set of built-in policies that focus primarily on privacy data and compliance.
IGuard doesn't actively block the potential data leaks, but its broad capture and logging capabilities are suited for in-depth analysis of traffic and incident investigation. That's useful for finding the people behind the problems--a different, but no less important, task. In contrast, products such as Fidelis' XPS attempt to stop traffic that violates a set of rules.
IGuard's ability to log traffic for further analysis gives it an advantage over products from Fidelis, Vericept and Vontu. Using a variety of attribute tags, you can construct powerful search queries--for example, you can search for all Webmail messages with an attached Excel spreadsheet sent from one network location.
This historical packet capture could cause problems, though. For instance, the large amount of packet data logged could be a target of the new Federal Rules of Civil Procedure, which may require preservation of that data in the face of legal action. Additionally, the 2600 may have access to more sensitive data than a simple intrusion-detection system or firewall has, since it can detect and log Web site content, IM conversations and e-mailed documents. Take advantage of iGuard's role capabilities to define exactly what actions different users can take.
HOW WE TESTED
The device contains two monitoring ports, for working bidirectionally from a tap, but the 2600 also can be deployed from a span port. After verifying that the device was correctly receiving spanned traffic, we let iGuard run while we generated some typical network traffic: Web pages, e-mail, IMs and some file transfers.
We created a spreadsheet that contained fictitious SSNs, violating one of iGuard's default rules. The device flagged the file transfer over e-mail, but did not detect it when we uploaded it over a Web site. We first used a test Web page to upload the file, then we used yousendit.com (a public site that lets users send large files). In both cases the product failed to generate alerts about the file transfer.
Reconnex helped us discover the problem: Although iGuard was logging the POST traffic, it wasn't correctly interpreting the MIME encoding used to send the attachment to the Web form. The process of transferring using the site was essentially the same as e-mail transfer--yet, during e-mail transfer, iGuard recognized and interpreted the MIME type, recognized the .zip file, extracted its contents, and analyzed the Excel spreadsheet to detect the leaked SSNs. IGuard's historical capture helped our troubleshooting and let us extract sample data to send to Reconnex. It developed a temporary patch, having iGuard reinspect data uploaded over the Web at fixed intervals. The fix has been integrated into the latest update.
Despite this bug, iGuard presents an attractive option for organizations interested in monitoring and securing the data that leaves the network.