Centennial Software last week aired a product designed to help secure networks by letting companies better control portable USB-based storage devices such as flash drives and even iPods.

DeviceWall employs a server program to set up usage policies and a software agent, running on Windows PCs and notebooks, to enforce them. It can block the use of all USB storage devices plugged into PCs, or permit use of specific devices based on individual users or groups of users. One feature lets users request temporary use of a flash drive, memory stick or other storage device.

The new software is aimed at shutting off a growing hole in some corporate networks: Easy-to-use portable storage devices that can be plugged into a PC's USB port. Employees can readily download huge amounts of sensitive data to a PDA, CD or even a mobile phone.

Consulting firm 2G Technology is a Centennial reseller. The company tested DeviceWall internally with about 25 PCs and notebooks, and two servers. It is testing it at an enterprise client with about 2,000 PCs.

"We set up DeviceWall to deny all USB storage devices, such as iPod, memory stick, USB hard disk drives and floppy drives, and CompactFlash," says Cam Summers, technical services coordinator at 2G. "We also tested access denial of CD/DVD burners. And we found that there was no access allowed for any of these devices. The end user is notified immediately via a message that 'access is denied.' "

Summers loaded the server program, and then used a feature to download the DeviceWall client to the target PCs. The client installation went smoothly, with no interruptions for the users, who see a new icon appear on their control panel. The client code is protected so that end users can't disable or uninstall it.

When you plug a device into a USB port, the DeviceWall client code intercepts the initial traffic exchange between the device and the PC. An algorithm refers to the server configuration data to determine if the device use is permitted. If not, it prevents the driver from being loaded and alerts the end user.

Each user can be given a separate policy. 2G says it found it was faster to assign users to groups via access control lists, set parameters for each group, and then push the agent code out to the PCs.

There are a range of rival products that attack some parts of this broad problem of securing data. Vontu and Vericept have server software that monitors communication flows such as e-mail, instant message and FTP files to detect specified data, such as Social Security numbers. Authentica and Liquid Machines have programs that run on the client PC to enforce corporate policies on information downloading and printing.

DeviceWall starts at $25 per client.