The other side of security
Test Drive | XPS Direct can keep sensitive data from leaving your network
- By Greg Crowe
- Aug 24, 2007
Overview: The radar-like display gives an administrator an instant view of recent incidents and trends created by correlated alerts.
There is a vast array of tools and solutions that protect networks against attacks. Various appliances and software, from firewalls to intrusion prevention/detection systems and antivirus programs, keep computers safe from all manner of external assaults coming in from the potentially dangerous Internet. But this fortress can fall like a house of cards if your users send sensitive information as e-mail attachments to outside recipients.
It is theoretically possible to prevent some of this egregious activity with a standard firewall. But although most networks have incoming traffic tightly controlled, outbound traffic is all too often unrestricted. Individually monitoring the 65,535 TCP or User Datagram Protocol ports would be impossible. And even if you focused on shutting off the channels commonly used for programs such as instant messaging, most IM hosts listen on thousands of alternate ports.
Besides, the office uproar that could be caused by completely shutting down IM might be more trouble than it's worth.
The XPS 100 Direct from Fidelis Security Systems addresses the problem of data leakage without unnecessarily disrupting services. It does this by looking at the data being sent and the type of activity rather than the port over which it is taking place.
For all it does, it is amazing that the XPS fits into a 1U rackmountable chassis. It has four Gigabit Ethernet ports, which allow for a variety of network configurations. The XPS 100 is rated for bandwidth as large as 100 megabits/sec, which means it can handle typical medium- to large-network traffic.
There are two basic configurations for setting up the XPS. One way is to put it in-line, between the router and the rest of the network. This way the XPS will have total control over traffic, making leak prevention easier.
The other is sniffer mode, in which the XPS connects to a hub. Sniffer mode can detect problems in the traffic flow just as easily, but it might not be 100 percent effective at preventing them because of the inherent properties of TCP reset packets, which are what the XPS must resort to for prevention in sniffer mode. Fidelis recommends operating the XPS in-line for maximum control.
In either case, setup was not difficult. Security appliances are rapidly becoming fairly standardized in their setup methods. All it usually takes to get to the Web interface is to set the IP information of the command port via an LCD panel in the front of the box, and the XPS was no exception. There also is the option to hook up a keyboard and monitor and enter the necessary data through a user-friendly interface.
To get reports and alerts from XPS Direct, a second, separately purchased appliance is necessary. The XPS Command Post translates data from XPS Direct into easy-to-understand graphs and reports. It can assimilate the output from as many as five XPS devices and let you control them all from one Web interface. This configuration is essential when dealing with more than one XPS sensor, but even if you have only one, separating these functions allows XPS Direct to concentrate on preventing data leaks.
We found the Web interface to be visually appealing and laid out intuitively. The main screen has a graph designed to resemble a radar screen, with alerts as dots scattered about its surface, and newer incidents toward the center.
You will feel a bit like a World War II-era destroyer captain watching the radar for threats and, given the cool interface, it would almost be fun when one pops up, if it were not such a potentially serious situation.
The XPS will correlate alerts and group them by similar source IP address or incident type. Clicking on any of the dots will bring up the incident or a correlated group of incidents. In the alert details screen, you can see the incident, the rule it broke, a breakdown of the steps the sensor took to discover the problem and a text readout of the questionable data.
The rules engine is quite sophisticated. You can make a rule concerning any type of pattern recognition or port activity and set what action the sensor should take: alert only, alert and prevent, quarantine and so forth. You can then group similar rules into a policy, and assign policies to the appropriate sensor. Dozens of rules come pre-made, grouped in eight policies that suit most basic needs.
With the sensor in in-line mode, it was nearly foolproof. It stopped files with credit card numbers, Social Security numbers, Health Insurance Portability and Accountability Act information and classified document markings, and it stopped them from being sent by a variety of methods: SMTP e-mail, Web mail and IM.
When we tried putting prohibited data into the text of the e-mail instead of as an attachment, though, we found that it stopped those e-mails only if there were approximately 10 or more entries. So an e-mail message with five Social Security numbers would go through, but one with 10 would be stopped. Below this number, we suspect, a sufficient pattern had not developed to invoke the rule. All attachments were stopped, regardless of the number of entries, even if they were hidden in documents such as zipped Word files.
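A content rule of the kind the review describes, written here as an added illustration (this is not Fidelis's code or its actual rule set; the regular expressions, the Luhn filter, the body threshold of 10 and the sample messages are all assumptions chosen to mirror the observed behaviour):

```python
import io
import re
import zipfile

# Constructed, illustrative patterns: an SSN-shaped match and a 13-16 digit card-shaped run.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

BODY_THRESHOLD = 10       # assumed: matches needed in message text before blocking
ATTACHMENT_THRESHOLD = 1  # assumed: any match inside an attachment blocks it

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def count_hits(text: str) -> int:
    """Number of SSN-shaped matches plus Luhn-valid card-shaped matches in the text."""
    ssns = len(SSN_RE.findall(text))
    cards = sum(1 for m in CARD_RE.findall(text) if luhn_ok(re.sub(r"\D", "", m)))
    return ssns + cards

def extract_text(data: bytes) -> str:
    """Recurse into zip containers so data hidden inside an archive is still inspected."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "\n".join(extract_text(zf.read(n)) for n in zf.namelist())
    return data.decode("utf-8", errors="ignore")

def verdict(body: str, attachments: dict) -> str:
    """Body is judged by the count threshold; attachments block on a single match."""
    if count_hits(body) >= BODY_THRESHOLD:
        return "block: body"
    for name, data in attachments.items():
        if count_hits(extract_text(data)) >= ATTACHMENT_THRESHOLD:
            return f"block: attachment {name}"
    return "allow"

def make_zip(member: str, text: str) -> bytes:
    """Build an in-memory zip so the attachment path can be exercised offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, text)
    return buf.getvalue()

# Constructed sample messages: five SSNs in the body pass, ten are blocked.
FIVE_SSNS = "\n".join(f"Employee {i}: 123-45-678{i}" for i in range(5))
TEN_SSNS = "\n".join(f"Employee {i}: 123-45-67{i:02d}" for i in range(10))
```

The threshold is what makes a small number of identifiers in message text slip past, which is the tradeoff the review observed; attachments avoid it because a single match is enough.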
The XPS 100 Direct costs $75,000, a good price, especially for something that prevents data leakage that could cost millions of dollars, put millions of people in danger of identity theft or compromise national security.
At the government price of $60,000, this becomes quite a bargain. The XPS Command Post sells for $10,000 ($8,000 government), and it is definitely worth having a separate box to monitor and report on the sensors. That way, you are sure everything is working at peak efficiency all the time.