Vontu Protect Monitors Data Departures

I configured a single port on a Cisco Systems Catalyst 6500 switch to monitor the lab's primary VLAN and connected the Vontu monitor machine. I deployed the administrative console, called Vontu Protect Manager, on a Microsoft Windows 2003 server with dual processors. The manager communicates with the monitor via a 128-bit AES-encrypted IPsec tunnel. Vontu Protect uses Tomcat for its Web management console, and pricing for the package includes the cost of Windows 2003 Server.

The monitor captures traffic and then passes it back to the manager for analysis and storage in its embedded Oracle database. Although the monitor tracks only HTTP, SMTP and FTP traffic, future versions of the product will be able to monitor native IM, P2P, telnet, IMAP and POP3 traffic, according to company officials.

Vontu Protect ships with default templates for several statutes, including HIPAA (Health Insurance Portability and Accountability Act), The Patriot Act and those regulations that are part of OFAC (Office of Foreign Asset Control). In addition, you can build templates to scan for a variety of information and even perform keyword-based filtering.

Traffic Jams

Depending on the number of policies you've set, a high volume of traffic may cause a delay in incident reporting. I pumped about 25,000 e-mail messages and 10,000 HTTP posts through the system in less than five minutes using a Spirent Avalanche load generator, but Vontu Protect needed at least 20 minutes to process all the messages. Still, it did process them all, and it caught the traffic that violated configured policies. For more on my tests, go to ID# 1510rd2.

Vontu Protect succeeds because it does not rely on standard pattern-matching mechanisms to filter traffic. Instead, it imports corporate data and creates hash values to match against. Traffic-matching policies are stored in the product's database.

Alerts, which are sent by e-mail, are based on a number of variables, including the type and number of violations present in a single transaction. SNMP alerts will be added in the next release, the company says.

Vontu Protect will not stop employees with malicious intent. By simply putting spaces in a Social Security number, password-protecting a zip archive or employing encryption, a user can bypass the system. Vontu Protect does not claim to catch these types of incidents and the company says it is unlikely any system will ever be able to do so. However, the product does alert you to inadvertent violations of corporate policies and helps organizations find out what data may be exiting their networks.Lori MacVittie is a NETWORK COMPUTING senior technology editor working in our Green Bay, Wis., labs. Write to her at [email protected].

I dumped our customer data from NWC Inc.'s Oracle9i database into a CSV file and imported it into Vontu, which created a secure data profile (SDP) against the data. I also mocked up employee data to include social security numbers and imported it into the system, then created policies to notify the administrator via e-mail whenever data left the lab with those SSNs or contained the name and credit-card number of a customer.

I sent e-mail with and without the SSNs in the message body as well as Excel and Word files with lists of SSNs and employee names. Vontu Protect captured all the illicit traffic and raised the necessary alerts. I sent a few files and messages with similar data, but not part of my import, and as expected Vontu ignored that traffic. Sending customer data was trickier because Vontu not only looks for patterns that match credit card numbers but it also performs the standard validation algorithms on the numbers to see if they are a valid credit-card numbers.

Standard pattern matching is available for creating policies, so I created a standard match against SSNs and then sent e-mail with a phone number and then with a valid SSN. The SDP based policy ignored the e-mail with the phone number but caught messages with the SSN. The pattern-matching based policy, however, flagged both messages as violating policy because they contained an SSN, even though some of the messages actually contained phone numbers.

Rudimentary workflow capabilities let a designated analyst add comments to specific incidents and notify administrators via e-mail of policy violations. The product's delegated administration feature lets you limit functionality by user role and designate by role and/or user the ability to see violations of specific incidents. More granular security can be enforced by allowing specific groups to see violations, but not examine the message in which such violations occurred.0