With the information security field seemingly saturated with every possible appliance and software, it would seem there's little room for an innovative approach. TrustWare's BufferZone belies that notion.
TrustWare's BufferZone works by quarantining suspect or restricted applications, creating a protected environment for each Web- or network-based application, such as Web browsers, IM, email and P2P applications, preventing viruses or malware from entering and affecting the rest of the workstation.
Instead of designing a management console, BufferZone relies on Microsoft's native Group Policy Objects to manage and deploy BufferZone and its installation file. This allows easy integration with Active Directory and reduces the learning curve, through a group policy template that uses the familiar Microsoft Management Console (MMC). Simply copy the administration file to the c:\windows\inf directory and add it to the GPO administrative templates. Deployment was just as easy, using GPO and software installation packages by copying the .MSI file to a shared drive from which it's deployed to workstations as users log in.
This should be fine for most organizations, though some may prefer products with more robust proprietary consoles.
Depending on the policy set, you can easily prevent P2P applications, such as Kazaa, from being launched by a user, or allow ActiveX applications to be run only in the BufferZone-protected area. You can add applications or files by simply typing the name of the executable or DLL in the applicable dialog box. Any application or attachment that is launched by a Web navigator, P2P application, IM or mailer is quarantined by default.
You can choose from four policy settings under which files can be run: BufferZone, so files run only in the protected area (this prevents a file from affecting other areas of the workstation hard drive or memory space, or removable media such as a CD, flash drive or MP3 player); Forbidden, in which users have no access to the files; Confidential, which means any file or path matching the policy is invisible to applications run in BufferZone; or Trusted.
In testing, we found that using both file paths and wildcards was best for policy enforcement (for example, *MY DOCUMENTS*.doc and *torrent.exe). BufferZone includes a switch to allow digitally signed executables to run outside of the controls set for a certain media or file.
Although BufferZone was excellent at stopping potentially malicious executables and preventing CDs or USB devices from being accessed, it was obvious that its controls apply only to files already known to the policy. A new policy would have to be created each time an unknown application or executable was installed. Fortunately, in an enterprise environment where standardized applications are typically installed, this shouldn't be too much of an issue.
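To make the four policy settings, the quarantine-by-launcher default, the signed-executable switch and the "known files only" limitation concrete, here is a small policy evaluator written for this review. It is an added illustration, not TrustWare's code: the rule ordering (first match wins), the list of untrusted launcher programs, the decision that the signed-executable switch lifts only BufferZone confinement (not a Forbidden rule), and all file paths and patterns are constructed assumptions.

```python
"""Toy model of a BufferZone-style application policy (constructed example)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# The four policy settings described in the review
BUFFERZONE = "BufferZone"      # runs only inside the protected area
FORBIDDEN = "Forbidden"        # users have no access at all
CONFIDENTIAL = "Confidential"  # invisible to applications running in BufferZone
TRUSTED = "Trusted"            # runs normally, outside the protected area

# Assumed: programs whose child processes and attachments are quarantined by default
UNTRUSTED_LAUNCHERS = {"iexplore.exe", "firefox.exe", "kazaa.exe",
                       "msnmsgr.exe", "outlook.exe"}


@dataclass(frozen=True)
class Rule:
    pattern: str  # case-insensitive glob over the full path, e.g. "*\\my documents\\*.doc"
    zone: str


@dataclass(frozen=True)
class Policy:
    rules: tuple
    allow_signed: bool = False  # the review's "digitally signed executables" switch


def matching_zone(policy, path):
    """Return the zone of the first rule whose pattern matches, or None if the
    file is unknown to the policy (assumed first-match-wins ordering)."""
    lowered = path.lower()
    for rule in policy.rules:
        if fnmatchcase(lowered, rule.pattern.lower()):
            return rule.zone
    return None


def effective_zone(policy, path, launched_by, signed=False):
    """Decide where a launched file runs.

    Unknown files fall back to the launch origin: anything started by a browser,
    P2P client, IM or mailer is quarantined; anything else runs unmanaged, which
    is the gap the review notes for applications not yet covered by a rule.
    """
    zone = matching_zone(policy, path)
    if zone is None:
        zone = BUFFERZONE if launched_by.lower() in UNTRUSTED_LAUNCHERS else TRUSTED
    # Assumed: the signed-executable switch only lifts BufferZone confinement
    if policy.allow_signed and signed and zone == BUFFERZONE:
        return TRUSTED
    return zone


def visible_to(policy, path, caller_zone):
    """Confidential paths are hidden from code running in BufferZone, and
    Forbidden paths are hidden from everyone."""
    zone = matching_zone(policy, path)
    if zone == FORBIDDEN:
        return False
    if zone == CONFIDENTIAL and caller_zone == BUFFERZONE:
        return False
    return True


# Constructed sample policy, using path-plus-wildcard patterns as the review suggests
SAMPLE_POLICY = Policy(rules=(
    Rule("*kazaa.exe", FORBIDDEN),
    Rule("*\\my documents\\*.doc", CONFIDENTIAL),
    Rule("*torrent.exe", BUFFERZONE),
    Rule("c:\\program files\\office\\*", TRUSTED),
))

if __name__ == "__main__":
    for path, launcher in [(r"C:\Downloads\utorrent.exe", "iexplore.exe"),
                           (r"C:\Downloads\setup.exe", "firefox.exe"),
                           (r"C:\Downloads\setup.exe", "explorer.exe")]:
        print(path, "via", launcher, "->", effective_zone(SAMPLE_POLICY, path, launcher))
```

The third sample launch is the interesting one: an installer that no rule names, started from Explorer rather than a browser, is simply not managed. That is the behaviour the review describes when it says a new policy is needed for each unknown application.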
The lack of any reporting capabilities may give pause to some enterprises.
BufferZone does a remarkable job controlling which files can be run or downloaded on a workstation. The typical entry points, such as Web browsers, can be locked down, preventing unwanted access.
Testing methodology: BufferZone was run on two workstations, Windows XP SP2 and Windows 2000 SP4, that were in a standalone AD domain.