Best data loss prevention tools

Perimeter DLP tools require fine tuning to effectively block 'bad' data from escaping the network
By Nate Evans and Benjamin Blakely, Network World
July 27, 2009 12:10 AM ET

Finding the right perimeter-based data loss prevention tool means striking a balance between speed, accuracy at detecting and blocking sensitive data from exiting the network, and adequate coverage across a broad range of rule-sets and protocols.

DLP products come in three categories: perimeter-based, client-based and those that take a combined approach. In this test, we evaluated perimeter-based appliances from Fidelis Security Systems, Palisade Systems, Code Green Networks and GTB Technologies.

The DLPs were set up inline (except for Code Green's Content Inspector, which doesn't support in-line mode) between a simulated WAN and LAN and were configured with a set of 10 rules. We then ran about 1,100 files through each device, waiting about a minute between each file, to determine how accurately the device detected and blocked a total of 276 "bad" files and to what degree network performance was affected by the inline DLP.

Here are our key findings:

  • All of the products did an effective job detecting harmful files that were sent over the specific protocols that the product supports. But not all products support a wide range of protocols.
  • Some of the products that did well at detecting harmful files were less adept at blocking.
  • None of the products were able to analyze or block encrypted traffic.
  • There's a network performance hit that needs to be taken into account when running these products in-line.

Code Green's Content Inspector scored highest when it came to detection. Code Green also scored high on ease of configuration. But Code Green was limited in the range of protocols it could block.

Our Clear Choice winner is Fidelis' XPS because of its easy-to-use interface, flexible rule-set, amazing reporting, and better-than-average detection and blocking ability.

Palisade's Packetsure and GTB's Inspector were somewhat unrefined by comparison, requiring more work to understand the rule structure and adding unneeded complexity to the overall process. But they were still very competitive when it came to detecting harmful files.

Installation

Generally DLP vendors deploy engineers to the customer site to set up and configure the device, but we decided to do it ourselves to get a hands-on understanding of how the product works from installation through reporting.

For Packetsure and Content Inspector, the basic installation was fairly straightforward and the products were set up with little to no trouble. For the other two products, basic installation was a little more difficult, requiring numerous contacts via e-mail and phone. But they eventually all were set up without the need for a technician to show up on-site.

After each product was set up and could pass data between the simulated LAN and WAN, we configured the device to our filtering specifications. This included a sample set of 10 rules chosen to test some of the basic features and blocking potential.

The DLPs were set up to look for Social Security and credit card numbers, certain pieces of source code, and five words in a row from a short story, which would be used to prevent any part of a specific report from leaving the network.

Comments (18)
You tested the wrong vendors
By Anonymous on July 27, 2009, 1:11 pm
Where are Symantec (Vontu), McAfee (Reconnex), RSA (Tablus), and Vericept?

you can't protect that which you do not control...
By packets on July 27, 2009, 9:18 pm
You must first ask; is this domain and all within yours or already theirs? I agree a Security Gateway device is an obvious needed entry layer, but also a very important...

a little secret the DLP vendors don't want you to know ...
By Anonymous on July 28, 2009, 6:08 am
None of the products can detect insider use of digital steganography to leak sensitive information or IP. Perhaps you should consider including that in your future...

Steganography
By Anon on July 28, 2009, 10:47 am
If you have someone smart enough to figure out how to use steganography CORRECTLY to leak IP, you have a larger problem at hand.

what about DLP through secured file servers for editing and shar
By Anonymous on July 28, 2009, 11:26 am
How about new solutions such as Italy's Boole Server and other special file server technologies that allow users to define rights and access to any and every file...

re: you tested the wrong vendors
By Anonymous on July 28, 2009, 12:08 pm
Goldman used either (Vontu, Reconnex, Tablus or Vericept) - waste of time