Rolling Review: Code Green's DLP Appliance

Code Green's CI 1500 Content Inspection Appliance shines at pattern matching.

In the second round of our Rolling Review of data loss prevention systems, we took Code Green's CI 1500 Content Inspection Appliance for a spin. Having reviewed Safend Protector, which is primarily a host-based DLP offering, we were eager to try out a true network-layer DLP product.

Founded in late 2004 by the same team that built SonicWall, Code Green had initial success by aiming at banks and financial institutions. Now the regulatory climate has accelerated the company's expansion into healthcare, retail, and other sectors where robust DLP is required to ensure compliance and protect privacy and intellectual property.

Our Rolling Review seeks to evaluate vendor DLP solutions in many areas, including endpoint protection, data discovery, reporting, threat detection and response, range of communication channels that can be protected, along with pricing and ease of management. The CI 1500 performed well in many areas, and not so well in others.

The appliance is a rebranded Dell PowerEdge server running a modified version of Red Hat Enterprise Linux under the hood. It ships with eight Ethernet interfaces, with separate ports dedicated to analysis of mirrored (SPAN) traffic, message analysis, ICAP redirection, and device management.

The appliance itself is relatively simple to set up--all that's required is a little work at the Linux console to get your management network interface running, after which all device management is Web-enabled.

Look Out For Leaks
A quick look at the management GUI reveals Code Green's emphasis on robust pattern matching as critical data traverses the LAN/WAN via SMTP, HTTP/S, FTP, and other TCP protocols. Out of the box, the CI 1500 contains an impressive array of patterns and file filters that can be used to detect leaks, including filters for credit card and Social Security numbers, stock ticker symbols, and unique filters that can determine who's shopping their resumé out to your competitors.

The simple-to-use Boolean engine lets administrators refine or combine multiple pattern policies into complex expressions that pinpoint the most troublesome data leaks. Most environments will be able to implement policies right away using the out-of-the-box patterns, but creating custom patterns on the CI 1500 could have been a little easier. User-defined patterns must be entered as standard Perl-compatible regular expressions; it's not rocket science, but it does take some effort to learn the delimiters needed to build a custom expression.
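What a custom pattern policy looks like once you go beyond the canned filters, as an added example that is not code from the review or from Code Green's appliance: two PCRE-compatible expressions for card numbers and Social Security numbers, each followed by the validation step (Luhn mod-10 for cards, issuance rules for SSNs) that separates real data from look-alike order and ticket numbers. The sample messages are constructed for the example; the validation functions are my illustration of the check, not the appliance's own logic.

```python
import re

# Constructed sample messages (not from the review) mixing real-looking and
# look-alike data; the look-alikes are what a bare regex policy would flag.
SAMPLES = {
    "card_and_ssn": "Card 4111 1111 1111 1111 exp 12/29, SSN 123-45-6789",
    "lookalikes":   "Order 1234 5678 9012 3456 shipped; ticket 000-12-3456",
}

# Candidate card numbers: 13-19 digits, optional single space or dash between
# digits, not glued to surrounding digits (the same syntax works in PCRE).
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
# US SSN in AAA-GG-SSSS form.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that every issued payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000/666/900-999, group 00, serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def find_cards(text: str) -> list[str]:
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> list[str]:
    return [m.group() for m in SSN_RE.finditer(text) if ssn_plausible(*m.groups())]


def classify(text: str) -> dict:
    """Policy decision: any validated card number or SSN is a violation."""
    cards, ssns = find_cards(text), find_ssns(text)
    return {"cards": cards, "ssns": ssns, "violation": bool(cards or ssns)}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, classify(text))
```

The second sample is the point: "1234 5678 9012 3456" matches the card pattern but fails Luhn, and "000-12-3456" matches the SSN pattern but uses an area number that is never issued, so neither trips the policy. Without those checks a policy built from the regular expressions alone would block both messages.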

Wake Up From The Nightmare
While pattern matching is important, it can turn into an administrator's worst nightmare from a false-positive perspective. That's where Code Green's Data Element Fingerprinting comes in. The fingerprinting engine can scan entire file systems, parsing more than 400 recognized file types, to identify the key elements inside spreadsheets and documents that would violate policy if leaked. Fingerprinting improves the appliance's accuracy beyond standard pattern matching or file filtering.

For example, it might not violate policy to e-mail a colleague a customer spreadsheet that contains name and address data, but if that spreadsheet also contained credit card data and had been fingerprinted by the CI appliance, the transmission could be blocked. Better yet, because the fingerprints are derived from the original content, cutting and pasting vital credit card data, or intellectual property in the form of C++ source code, won't fool the CI appliance.

Rolling Review: Data Loss Prevention Products (sidebar)

Business value: An ounce of loss prevention can be worth thousands of dollars of remediation and damaged reputation. We'll test DLP options' ability to detect, report, and remediate trouble on handheld devices and PCs.

Reviewed so far:
Safend Protector Endpoint: Delivers impressive endpoint security, but lacks application awareness and can't stop data leaks via printing of sensitive data or screen captures.
Code Green CI 1500: Solid data discovery and first-rate complex pattern matching, but its endpoint protection capabilities could be better.

Still to come: RSA, McAfee, Symantec, Vericept, Websense
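The behaviour described in the fingerprinting section (name and address alone passing, a fingerprinted card number blocking, and a value surviving copy-and-paste into a differently formatted message), as an added example that is not code from the review or from Code Green's product. It builds a keyed-hash index of the cells in a constructed customer spreadsheet, then checks an outbound message against it. The CSV, the key name FINGERPRINT_KEY, and the column-based policy are all assumptions of the example; the appliance's actual fingerprint format is not described on this page.

```python
import csv
import hashlib
import hmac
import io
import re

# Hypothetical secret: fingerprints are keyed so the fingerprint store itself
# does not reveal the customer data it was built from.
FINGERPRINT_KEY = b"rotate-me-in-production"

# Constructed customer spreadsheet (CSV stands in for the parsed workbook).
CUSTOMERS_CSV = """name,address,card_number
Alice Example,12 Harbor St,4111-1111-1111-1111
Bob Sample,9 Elm Ave,5500-0000-0000-0004
"""

MAX_GRAM = 4  # longest run of whitespace-separated tokens treated as one element


def normalize(value: str) -> str:
    """Canonical form: lowercase, letters and digits only, so that
    '4111-1111-1111-1111', '4111 1111 1111 1111' and '4111111111111111'
    all fingerprint identically."""
    return re.sub(r"[^a-z0-9]", "", value.lower())


def fingerprint(value: str) -> str:
    return hmac.new(FINGERPRINT_KEY, normalize(value).encode(), hashlib.sha256).hexdigest()


def build_index(csv_text: str, columns: list[str]) -> dict[str, str]:
    """Discovery pass: map fingerprint -> column name for every cell in the
    selected columns. Only the keyed hashes need to leave the discovery host."""
    index: dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        for col in columns:
            if normalize(row[col]):
                index[fingerprint(row[col])] = col
    return index


def inspect(text: str, index: dict[str, str], block_columns: set[str]) -> dict:
    """Inspection pass: fingerprint every window of 1..MAX_GRAM tokens in the
    outbound text and look it up. Blocks only when a hit comes from a column
    the policy marks as blocking (card_number here, not name or address)."""
    tokens = re.findall(r"\S+", text)
    hits: dict[str, list[str]] = {}
    for n in range(1, MAX_GRAM + 1):
        for i in range(len(tokens) - n + 1):
            window = " ".join(tokens[i:i + n])
            col = index.get(fingerprint(window))
            if col is not None:
                hits.setdefault(col, []).append(window)
    action = "block" if block_columns.intersection(hits) else "allow"
    return {"action": action, "hits": hits}


if __name__ == "__main__":
    idx = build_index(CUSTOMERS_CSV, ["name", "address", "card_number"])
    policy = {"card_number"}
    for msg in (
        "Please update Alice Example, 12 Harbor St in the CRM",
        "Card on file for Alice Example is 4111 1111 1111 1111, thanks",
        "Test card 4012 8888 8888 1881 for the sandbox",
    ):
        print(inspect(msg, idx, policy))
```

The first message hits the name and address fingerprints but is allowed, the second hits the card number despite the dashes having been replaced by spaces and is blocked, and the third carries a syntactically valid card number that was never fingerprinted and passes. That last case is why element fingerprinting complements rather than replaces the pattern engine. Fingerprinting a body of C++ source, as the review mentions, needs a sliding-window (shingle) fingerprint over the file rather than per-cell hashes; the lookup logic is the same.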

CI's support for ICAP also lets administrators work in tandem with leading proxies to apply policy and prevent leaks via HTTP/HTTPS and FTP. The appliance also supports scrubbing of all outbound e-mail through CI's message transfer agent (MTA). We were able to inspect the contents of each message and apply policy to all outbound e-mail. Messages with sensitive content can be handed off to an encryption engine or blocked outright.
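The ICAP exchange behind the proxy integration described above, as an added example that is not code from the review or from Code Green: the proxy wraps an outbound HTTP POST in an ICAP REQMOD request (RFC 3507 framing), the DLP side parses it, and it answers either 204 No Content (send the request on unchanged) or a 200 carrying an HTTP 403 that the proxy hands back to the user. The service URI icap://dlp.example.net/reqmod, the ISTag value, and the one-line regex standing in for the appliance's policy engine are assumptions of the example.

```python
import re

CRLF = b"\r\n"
ISTAG = b'ISTag: "ci-policy-example-1"'  # hypothetical policy version tag

# Coarse stand-in for the appliance's pattern/fingerprint engine: a run of
# 13-19 digits with optional separators. The policy decision is not the
# point of this example; the ICAP framing around it is.
CARD_HINT = re.compile(rb"(?:\d[ -]?){12,18}\d")


def chunk(body: bytes) -> bytes:
    """Encapsulated bodies in ICAP use HTTP chunked encoding."""
    if not body:
        return b"0\r\n\r\n"
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)


def dechunk(data: bytes) -> bytes:
    out, pos = b"", 0
    while True:
        end = data.index(CRLF, pos)
        size = int(data[pos:end].split(b";")[0], 16)   # ignore chunk extensions
        if size == 0:
            return out
        out += data[end + 2:end + 2 + size]
        pos = end + 2 + size + 2                        # skip the data and its CRLF


def build_reqmod(method: str, path: str, host: str, body: bytes) -> bytes:
    """What the proxy sends the DLP service for one outbound HTTP request.
    req-body is the byte offset of the chunked body inside the ICAP body,
    i.e. the length of the encapsulated HTTP header block (blank line included)."""
    http_hdr = (f"{method} {path} HTTP/1.1\r\nHost: {host}\r\n"
                f"Content-Length: {len(body)}\r\n\r\n").encode()
    icap_hdr = (b"REQMOD icap://dlp.example.net/reqmod ICAP/1.0\r\n"
                b"Host: dlp.example.net\r\n"
                b"Allow: 204\r\n"
                b"Encapsulated: req-hdr=0, req-body=%d\r\n\r\n" % len(http_hdr))
    return icap_hdr + http_hdr + chunk(body)


def parse_reqmod(msg: bytes):
    head, rest = msg.split(CRLF + CRLF, 1)
    lines = head.split(CRLF)
    headers = dict(line.split(b": ", 1) for line in lines[1:])
    enc = dict(p.strip().split(b"=") for p in headers[b"Encapsulated"].split(b","))
    body_off = int(enc[b"req-body"])
    return headers, rest[:body_off], dechunk(rest[body_off:])


def handle_reqmod(msg: bytes) -> bytes:
    """DLP side: 204 means forward the request unmodified; otherwise replace
    the request with an HTTP 403 response that the proxy returns to the user."""
    headers, http_hdr, body = parse_reqmod(msg)
    if not CARD_HINT.search(body):
        if b"204" in headers.get(b"Allow", b""):
            return b"ICAP/1.0 204 No Content\r\n" + ISTAG + b"\r\nEncapsulated: null-body=0\r\n\r\n"
        # Proxy did not offer 204: echo the request back unchanged.
        return (b"ICAP/1.0 200 OK\r\n" + ISTAG +
                b"\r\nEncapsulated: req-hdr=0, req-body=%d\r\n\r\n" % len(http_hdr)
                + http_hdr + chunk(body))
    deny = b"Blocked by DLP policy: payment card data in outbound request.\r\n"
    res_hdr = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n"
               b"Content-Length: %d\r\n\r\n" % len(deny))
    return (b"ICAP/1.0 200 OK\r\n" + ISTAG +
            b"\r\nEncapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(res_hdr)
            + res_hdr + chunk(deny))


def icap_status(response: bytes) -> int:
    return int(response.split(b" ", 2)[1])


if __name__ == "__main__":
    leak = build_reqmod("POST", "/upload", "files.example.com",
                        b"name=Alice&card=4111-1111-1111-1111")
    print(handle_reqmod(leak).decode())
    clean = build_reqmod("POST", "/upload", "files.example.com", b"name=Alice&note=hello")
    print(handle_reqmod(clean).decode())
```

Two practical points follow from the framing. The Encapsulated offsets are relative to the ICAP body, so a proxy that adds or strips ICAP headers does not disturb them, but a service that gets the HTTP header length wrong will dechunk garbage. And the DLP service only ever sees what the proxy hands it: HTTPS is covered by this exchange only when the proxy terminates TLS and sends the decrypted request, which is a deployment decision for the proxy, not the ICAP service.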

Code Green does offer integrated endpoint protection with central policy distribution from the CI appliance, but the feature set is generally limited to physical port security. In addition, the endpoint agent requires the client be joined to the corporate domain where policy will be enforced. This is a potential issue for organizations that use contractors and other third parties for mission-critical projects.

We were unable to place checkmarks next to some of the more important items on our endpoint protection wish list, such as the ability to prevent users from joining unsecured Wi-Fi networks, or the ability to prevent printing or screen capture of sensitive documents.

Last but not least, the CI Agent software isn't as tamper-resistant as Safend Protector. With Protector, any effort to kill key processes or delete registry keys in order to disable the agent and circumvent security would fail. Unfortunately, the CI Agent doesn't yet possess such protection from tampering.


Page 2:  The Discovery Channel