How we tested endpoint data loss prevention tools
This test was conducted at the Iowa State University Internet-Scale Event and Attack Generation Environment (ISEAGE) Laboratory. A VMware vSphere ESX server was set up on a Dell PowerEdge 1950 with a quad-core Xeon processor, 4GB of RAM and a 500GB SATA hard drive.
Virtual machines were then cloned from four base VM images for each of four operating systems to emulate endpoint devices (Windows XP, Windows Vista, Windows Server 2003 and Windows Server 2008).
The base images contained a connection to an HP network printer, eMule P2P file sharing software, OpenOffice.org, Adobe Acrobat Reader, Thunderbird, AOL Instant Messenger, and all of the sensitive data to be tested. After we discovered that vSphere will not share USB drives or CD burners to guests, physical Windows XP clients were configured to test blocking of writing to removable media or burning to optical drives.
Each vendor was required to either ship an appliance and the required endpoint software to ISEAGE, or to make the necessary software available to download. No vendor was allowed to do an on-site installation. Support was obtained on an as-needed basis, though TrendMicro and WebSense both arranged for an introductory session to familiarize us with their products. Two products – Identity Finder and WebSense – also required the creation of a management server. These were built on Windows Server 2003. The TrendMicro LeakProof physical appliance was connected into the same gigabit, switched network as the VMware server, and configured with an IP address on the test subnet.
After all three management servers were running and configured, the endpoint software was installed on each of the client VMs. Then, each combination of exfiltration method and protected file was executed to verify blocking.
This testing method only applied to WebSense and TrendMicro, as Identity Finder's functionality is based solely in discovery and remediation of sensitive data storage, and not on active blocking. For Identity Finder, a search was performed on the test data to determine what portion of the included "identity" data (names, Social Security numbers, addresses and credit card numbers) was correctly identified.
Return to test.
Date publication:
Author: Keylogger.Org Team
Virtual machines were then cloned from four base VM images for each of four operating systems to emulate endpoint devices (Windows XP, Windows Vista, Windows Server 2003 and Windows Server 2008).
The base images contained a connection to an HP network printer, eMule P2P file sharing software, OpenOffice.org, Adobe Acrobat Reader, Thunderbird, AOL Instant Messenger, and all of the sensitive data to be tested. After we discovered that vSphere will not share USB drives or CD burners to guests, physical Windows XP clients were configured to test blocking of writing to removable media or burning to optical drives.
Each vendor was required to either ship an appliance and the required endpoint software to ISEAGE, or to make the necessary software available to download. No vendor was allowed to do an on-site installation. Support was obtained on an as-needed basis, though TrendMicro and WebSense both arranged for an introductory session to familiarize us with their products. Two products – Identity Finder and WebSense – also required the creation of a management server. These were built on Windows Server 2003. The TrendMicro LeakProof physical appliance was connected into the same gigabit, switched network as the VMware server, and configured with an IP address on the test subnet.
After all three management servers were running and configured, the endpoint software was installed on each of the client VMs. Then, each combination of exfiltration method and protected file was executed to verify blocking.
This testing method only applied to WebSense and TrendMicro, as Identity Finder's functionality is based solely in discovery and remediation of sensitive data storage, and not on active blocking. For Identity Finder, a search was performed on the test data to determine what portion of the included "identity" data (names, Social Security numbers, addresses and credit card numbers) was correctly identified.
Return to test.
