How we tested data loss prevention tools

By Nate Evans and Benjamin Blakely, Network World
July 27, 2009 12:10 AM ET
A small network containing a router and a server was set up, running some of the services one would commonly expect to see on an enterprise network: FTP, HTTP, Secure-HTTP (HTTPS), mail (POP, IMAP and Exchange) and SSH.

Each vendor was required to ship its product and all required components to the lab. No vendor was permitted to do an on-site installation. Support for the DLPs was obtained on an "as-needed" basis, and vendors provided their standard documentation. Towards the end, one further test was run with the vendor on-site.

The DLPs were set up in-line between a simulated WAN and LAN and were configured with a set of 10 rules. To connect these products in-line, we used a Network Critical V-Line (Bypass) Tap. This device allows the DLP to be placed "virtually" in-line: if the DLP should fail, traffic continues to flow. If you plan to hook your product up in-line, this is a recommended method.

Some of the products also required a separate proxy product to assist with blocking. We did not take the configuration of the proxy into account when testing the products, but it is reflected in the cost.

We also tested the speed at which we could pass data through the device. We started with a baseline of 581MBps, which is what we could get out of the network without any device present. Then we activated a rule that we knew worked and sent a flood of e-mails of a variety of sizes, from 1KB to 1GB, through the device. We measured how quickly these e-mails made it out.

Using a machine sitting out on the simulated WAN, we attempted to access a variety of files via each protocol, and a variety of ports on the LAN services, and to pull data out of the protected network.

We tested each product by running about 1,000 files through it, waiting about a minute between files. Some of these files (about a quarter) contained blacklisted data and the rest contained harmless data. We recorded which files made it out, which files were blocked, and which files were flagged (but not blocked).
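As an added example (not from the article, and not any vendor's tooling), a small Python scorer for a run of the kind described above: each test file is labelled with whether it carried blacklisted data, the observed outcome is passed, blocked or flagged, and the run is summarised into block, flag-only and leak rates for sensitive files and false-block and false-flag rates for harmless ones. A second pair of functions compares measured throughput against the 581MBps baseline. The file names and results are constructed sample data.

```python
"""Score a DLP pass/block/flag run and its throughput (constructed data)."""
from collections import Counter

# Constructed sample run: (file name, contains_blacklisted_data, outcome)
RESULTS = [
    ("q1_ssn_list.csv", True, "blocked"),
    ("q2_ccn_export.xls", True, "flagged"),   # seen but not stopped
    ("q3_patient_notes.doc", True, "passed"),  # missed entirely
    ("q4_press_release.txt", False, "passed"),
    ("q5_lunch_menu.pdf", False, "blocked"),   # false block
    ("q6_source.zip", True, "blocked"),
    ("q7_meeting.ics", False, "passed"),
    ("q8_budget.xlsx", False, "flagged"),      # false flag
]

OUTCOMES = ("passed", "blocked", "flagged")
BASELINE_MBPS = 581  # throughput reported with no device in-line


def score(results):
    """Return per-class rates; sensitive files count toward block/flag/leak,
    harmless files toward false-block/false-flag."""
    counts = Counter()
    for _name, sensitive, outcome in results:
        if outcome not in OUTCOMES:
            raise ValueError(f"unknown outcome {outcome!r}")
        counts[(sensitive, outcome)] += 1
    n_sensitive = sum(v for (s, _), v in counts.items() if s)
    n_harmless = sum(v for (s, _), v in counts.items() if not s)
    if not n_sensitive or not n_harmless:
        raise ValueError("run needs both sensitive and harmless files")
    return {
        "blocked_rate": counts[(True, "blocked")] / n_sensitive,
        "flag_only_rate": counts[(True, "flagged")] / n_sensitive,
        "leak_rate": counts[(True, "passed")] / n_sensitive,
        "false_block_rate": counts[(False, "blocked")] / n_harmless,
        "false_flag_rate": counts[(False, "flagged")] / n_harmless,
    }


def throughput_mbps(total_bytes, seconds, mb=1_000_000):
    """Megabytes per second achieved for a flood of messages (assumes
    1 MB = 10**6 bytes; the article does not say which convention it used)."""
    if seconds <= 0:
        raise ValueError("elapsed time must be positive")
    return total_bytes / mb / seconds


def slowdown(mbps, baseline=BASELINE_MBPS):
    """Fraction of baseline throughput lost with the device in-line."""
    return 1 - mbps / baseline
```

A leak rate above zero on a rule the vendor documents as covered is the finding to report, since a flagged-but-passed file has still left the network.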
