In the News 2007
By: David Strom
May 23, 2007
Safend Protector 3.2 guards network endpoints at reasonable cost

You don't really need to pour glue into your USB ports to thwart unwanted connections

At my local library, they have poured glue in the USB ports of their computers to keep people from inserting USB key drives and infecting them. But such extreme measures aren't necessary, thanks to software from Safend Technologies.

The technology has three components that work together to protect your networked PCs. The first is the Safend Protector agent that runs on each PC. It enforces the policies that are created on the Safend Management Console, which runs on a Windows 2003 Server with Microsoft's .Net framework v1.1 installed. A third piece, called the Safend Auditor, can be used to examine computers prior to putting the agent software on them and will produce extensive reports on what devices have ever been used on a particular PC. This is a great way to identify a user's digital tracks and also to identify how vulnerable your endpoints are. This piece is available at an additional charge.

I tested Safend on a small network with Windows Vista, XP, 2000 Professional and 2003 Server PCs. Safend recommends its management console for Windows 2003 Server, although it can also run on XP machines for testing purposes. Also, the agents need to have the right Windows service packs and patches installed. The Vista support, which has been added in Safend Protector Version 3.2, worked just fine.

One issue with the desktop agent is that it uses the Windows Management Interface (WMI) to communicate back to the server console. If a personal firewall blocks that traffic, a port may need to be opened.

I tested it with both the Kaspersky and AVG Internet Security Suites, and both detected the Safend agent and asked if I wanted to open up communications. One oddity was that the Safend software wouldn't work on Windows 2000 with AVG installed but not loaded -- I either had to load AVG (and allow WMI connections), or uninstall it to continue. Otherwise, the program worked as advertised and was fairly easy to set up once I got past the WMI issues.

Caveats
The best applications for this software are with networks that have solid Microsoft Active Directory or Novell eDirectory (new for Version 3.2) implementations and that are used to pushing software to their highly managed clients. If you don't have access to the desktop to install the agent, you will find this a frustrating solution.

The software relies on Active Directory Group Policies to distribute policies to endpoints, as well as the ability to associate its security policies with particular Active Directory objects. This makes for a great deal of flexibility in how policies are set up and pushed to particular groups or network clients.

Safend provides very extensive logging and protection for the desktops it runs on. It can log every file accessed, block selected files from running (such as databases or CD disk images), encrypt USB drives automatically or block anyone from inserting one in any machine, send alerts via e-mail when something is wrong, and control just about any device that can be connected to the outside of the computer, including Bluetooth, USB, Wi-Fi and removable drives.

The console application has a nice look and feel, and security policies are arranged very logically according to port control, device control, Wi-Fi control, and file and storage controls. Administrators can whitelist particular devices or wireless access points so that they are always allowed access and can also prevent CDs from automatically running upon insertion, which would solve the old Sony rootkit issue with its music CDs, for example.

There are several features that are new to Version 3.2. These include integration with Websense's Port Authority content inspector. Every file that is downloaded by an endpoint to an external storage device is examined for its contents, and the action is logged at the console. Also new is the ability to whitelist particular CD or DVD media, to prevent users from wholesale copying or playing music on their computers. Finally, it now has the ability to track what is connected inside the PC as well as outside, such as a second SATA hard drive that could be installed by a malicious user to download files.

Niceties
There are some other niceties to the program. An administrator can make use of a special cutoff password to temporarily disable the protection of the agent, which can be useful during troubleshooting. A user in distress can also be granted this ability temporarily with a separate one-time code that has a built-in time window specified by the administrator.

You can also set how the agent will appear on the client machine -- you can show its system tray icon and event messages, or hide either or both from view. Policies can be updated at periodic intervals specified by the administrator, with the default being every 90 minutes.

Alerts can be sent to an e-mail address, to the Windows event log, to an SNMP manager or can kick off a particular program.

Drawbacks
I found three major drawbacks to Safend. First is its lack of Mac and Linux client support; right now the product is just for all-Windows networks. Second is that the Safend protection will only work once a client is logged in and authenticated by an Active Directory or eDirectory domain. This means that a rogue laptop without any authentication or without a Safend client installed can still infect your network.

One final issue is the huge size of the log files, which can get tedious to parse on large networks, although there are ways to limit the number of logged events via the administration software.

Overall, I found that Safend makes for a very solid system for protecting your network endpoints, and at a reasonable per-seat cost.

Safend Protector Version 3.2
(215) 496 9646

* Pricing varies from $13 (for implementations of more than 10,000 seats) to $32 (for implementations of fewer than 250 seats) per seat.
* Safend Auditor ranges from $700 to $5,000 per network when purchased with the Protector, and double that price when not, depending on the size of the network.
* Discounts are available for annual subscriptions (500 seat minimums) and for customers who want to participate in beta programs.

David Strom is a writer, editor, public speaker, blogging coach and consultant. He is a former editor in chief of Network Computing and Tom's Hardware and has his own blog at strominator.com. He can be reached at david@strom.com.

Credit: Computerworld
