Review: Reconnex's iGuard needs improvements

INFORMATION LEAKAGE
iGuard v5 from Reconnex
Price: Starts at $50,000

The Internet has revolutionised business, enabling real-time commerce and the easy flow of information in and out of your organisation. Therein lies the problem: It's all too easy to inadvertently or intentionally expose critical intellectual property and confidential information.

Reconnex's iGuard addresses this threat at the perimeter, copying and analysing all inbound and outbound traffic for policy violations. It can be an important tool for confidential data protection, regulatory compliance and investigation.

Installation/Configuration: B
Tuning a complex product like iGuard to detect sensitive data while reducing false positives and negatives is a complex process. Although the quick start guide can get you up and running quickly with default policies and rule sets, be prepared to invest time tuning your rules.

This is what makes it an effective technology: Without this tuning process, the confidential data leaving your enterprise gets lost in the clutter--imagine looking for five true positives in a million emails. The tuning can take weeks or even months, setting rules and polices in a Linux command line interface; you may want to engage professional services to help.

Effectiveness: A-
We realised some successes out of the box using the default regulatory and acceptable-use policies. The challenge isn't that you're not seeing your intellectual property leave the enterprise; it's that you're seeing far more than anticipated.

Overall, iGuard proves to be an important tool for proactively finding intellectual property leaving the enterprise, and reactively using the information to conduct an investigation and comply with regulations.

That said, iGuard's value grows through its integration with other security products, feeding content analysis to gateway content filters, SIMs and email security tools.

iGuard is not an automated prevention tool. Most large companies we've spoken with agree that blocking on detection is not practical in the real business world--it assumes that you know what all of your confidential information is, where it resides and to whom it may be sent.

The hardened Linux appliance resisted all our attempts at compromise.

Management: B-
The Web interface presents a clean, easy-to-navigate executive dashboard. One of the first items that strikes you is that, while you can drill down for details in the text, the graphs are static.

You can call up detailed information on entire emails, documents, FTP sessions and SSL-encrypted sessions. iGuard understands 80 protocol types.

However, the product shows its immaturity in the tedious process of creating rules. You must first create the search terms, protocols and IP addresses, then repeat the action for the mail and messages, images and file transfer pages. Then you go to yet another page to activate the rule. There is no wizard or radio buttons to simply select which page you want or what to search for. There is no context-sensitive help.

Reporting: C+
The reporting request page has a simplistic, clean interface. It contains a few canned reports, such as incident and executive summaries, with nice graphs showing which rules were tripped and how often. But, there are only a handful of canned reports, and you have a limited ability to create custom reports, which can be critical for audit and operations. Reports are drillable and exportable to .pdf only.

Verdict
iGuard is maturing, though it still needs some usability improvements such as wizards, customisable reports and the ability to drill down on the graphs. Its integration with other tools makes it an excellent value.

Testing methodology
This review is based on an evaluation of information leakage products, including iGuard, at the reviewer's company.

This article originally appeared in the December 2006 edition of Information Security magazine.