Lumension® Data Protection

Compare

Port Control  |  Device Management  |  Media Encryption  |  Management  |  Auditing and Logging  |  Architecture

Port Control

Feature

Device Control

Windows 7

LANDesk 1

Symantec 2

USB
 Explicit interface control is unavailable. Independent of interface, certain device class-based control and device ID-based control is available
Firewire (IEEE 1394)
Explicit interface control is unavailable. Independent of interface, certain device class-based control and device ID-based control is available
Bluetooth
 Explicit interface control is unavailable. Independent of interface, certain device class-based control and device ID-based control is available
ATA/IDE *
Explicit interface control is unavailable. Independent of interface, certain device class-based control and device ID-based control is available
Not present in the built-in Device Control Policy-Devices tab. The Exceptions tab, however, provides for additional allow/block control based on 10 parameters including Device ID, Hardware ID and Class
Not available as a default in the Hardware Devices List within the Application and Device Control Policy configuration. Additional Class ID GUIDs (and specific hardware Device IDs) may be added for management through the Policy Components configuration
SCSI *
Explicit interface control is unavailable. Independent of interface, certain device class-based control and device ID-based control is available
Not present in the built-in Device Control Policy-Devices tab. The Exceptions tab, however, provides for additional allow/block control based on 10 parameters including Device ID, Hardware ID and Class
Infrared
Explicit interface control is unavailable. Independent of interface, certain device class-based control and device ID-based control is available
Parallel /LPT
Explicit interface control is unavailable. Independent of interface, certain device class-based control and device ID-based control is available
Serial
Explicit interface control is unavailable. Independent of interface, certain device class-based control and device ID-based control is available
PCMCIA
Explicit interface control is unavailable. Independent of interface, certain device class-based control and device ID-based control is available


Device Management

Feature

Device Control

Windows 7

LANDesk

Symantec

CD and DVDs
Class policy options are allow or block only.  Does not allow independent read and write control applied across specific interfaces
Policy options for this Class ID GUID are to block, exclude from blocking or omit from policy only.  Does not provide read and write control nor control of application across specific interfaces
Removable Storage Devices
For all removable storage classes, provides access denial and remote session access control in addition to more granular class (e.g. CD/DVD) control. Does not, however, provide read/write control dependent on system interface, nor encryption/decryption control
Through Device Control - Storage volumes tab, read / full / no access and forced encryption controls are provided, however, only for volumes that were not present when the client policy was installed.  Control which combines read/write/ forced encryption based on access interface is also not provided.
Policy options for this Class ID GUID are to block, exclude from blocking or omit from policy only.  Does not provide read and write control nor control of application across specific interfaces
Biometric Devices
Class not provided by default. Device ID-based installation control only.
Those identified in the LANDesk Management Console as Fingerprint readers
Policy options for this Class ID GUID are to block, exclude from blocking or omit from policy only.  Does not provide read and write control nor control of application across specific interfaces
Floppies
Policy options for this Class ID GUID are to block, exclude from blocking or omit from policy only.  Does not provide read and write control nor control of application across specific interfaces
Imaging Devices
Class not provided by default. Device ID-based installation control only
Those identified in the LANDesk Management Console as Scanners
Policy options for this Class ID GUID are to block, exclude from blocking or omit from policy only.  Does not provide read and write control nor control of application across specific interfaces
Tapes
Requires that this device class be created in the Device Control Policy-Device-Exceptions tab.
Policy options for this Class ID GUID are to block, exclude from blocking or omit from policy only.  Does not provide read and write control nor control of application across specific interfaces
Scanners
Class not provided by default. Device ID-based installation control only
Policy options for this Class ID GUID are to block, exclude from blocking or omit from policy only.  Does not provide read and write control nor control of application across specific interfaces
Modems
Class not provided by default. Device ID-based installation control only
Policy options for this Class ID GUID are to block, exclude from blocking or omit from policy only.  Does not provide read and write control nor control of application across specific interfaces
Wi-Fi NICs
Class not provided by default. Device ID-based installation control only
Palms, Blackberries etc.
Custom Classes
Microsoft 2008 Server GPOs specify Custom Classes only within the Removable Storage Access container.
Specific device class control includes connection interfaces
Detection of USB Key-loggers
 In general, all types of hardware-based loggers are not detectable by software-based device control solutions


Media Encryption

Feature

Device Control

Windows 7

LANDesk

Symantec

CD/DVD encryption
Not natively present within the standard Symantec Endpoint Protection distribution
USB Flash encryption
Not natively present within the standard Symantec Endpoint Protection distribution
Cross Windows OS USB encryption
Decryption only for legacy OSes pre-dating Windows Vista.
Not natively present within the standard Symantec Endpoint Protection distribution
Decentralized Encryption
Not natively present within the standard Symantec Endpoint Protection distribution
FIPS 140-2 Level 2 Validated *
As of July 2011 - Microsoft BitLocker is FIPS 140-1 Level 1 validated.
This applies to encryption software products and encryption is not natively present within the standard Symantec Endpoint Protection distribution

Full Disk Encryption for endpoint hard drives is delivered by the integrated Lumension® Disk Encryption Add-On



Management

Feature

Device Control

Windows 7

LANDesk

Symantec

Blacklist model – exclude specific devices
Device Installation and Removable Media management both provide blacklisting capability. For devices ‘not requiring’ a device driver, however, the administrative burden and the limited capability of the GPOs to block based on device ID (and not just device class) make a full blacklisting solution unrealistic
Through manually entering blocked devices based on 10 different possible parameters in the Device Control Policy-Devices-Exceptions tab
Via manually entering the blocked device IDs in Policy Components – Hardware Devices configuration. The Symantec Endpoint Protection Implementation Guide recommends utilizing a separate utility, the DevViewer tool, or the individual endpoint’s control panel to obtain the device ID. General centralized collection of both blocked and unblocked devices is not present; logging of blocked devices only is provided as an option
Whitelist model – include specific devices
 Device Installation control only.  Control by device ID is again limited for devices ‘not requiring’ a device driver.
Through manually entering allowed devices based on parameters (such as Device ID, Hardware ID or Vendor Device ID or others)
Via manually entering the device IDs which are to be excluded from blocking in Policy Components – Hardware Devices configuration. The Symantec Endpoint Protection Implementation Guide recommends utilizing a separate utility, the DevViewer tool, or the individual endpoint’s control panel to obtain the device ID. General centralized collection of both blocked and unblocked devices is not available. Logging of blocked devices only is provided
Permit Read-only access
Based on device class only
Permit Write-only access
Based on device class only
Manage devices on a machine basis
 Via 'LANDesk Endpoint Security Push Delivery' method.
Via application of machine-based policies
Manage devices on a user basis
Device installation controls administered on a machine-basis, with a configurable exception for administrative users.  Creation of multiple GPO policy sets would be required to apply restriction to specific users/groups
 Via 'LANDesk Endpoint Security Push Delivery' method.
Via application of user-based policies
Centralized management
Web-based Management Console
Standard console is the LANDesk Management Console application
Rapid security policy distribution
Requires reboot. If forced reboot is not configured, changes will not take effect until system restart
Push function for changes of authorization
Requires reboot.  A configurable GPO, 'Time to force reboot' is provided for a change in removable storage access rights.
Device and Media Libraries/ Ease of Manageability
The Management Console provides unauthorized device information from the Network view by individual endpoint, not in a centralized device library collection. Unauthorized device information is also stored in a decentralized (on each endpoint) list of the 'ten most recent unauthorized devices that were connected'
Only provides logging of devices when a device is blocked
Detection of New Devices – remotely or locally connected
Manual device class id / discovery or assisted by command line utility.
Provides configurable inventory reporting for endpoints but not a centralized device library
Use of a separate utility, the DevViewer tool or individual endpoint’s Control Panel is recommended for obtaining device related IDs.  Centralized logging of devices is available only for blocked devices
Online/ offline permissions
Per LANDesk help, if the options 'Limit connections to listed networks', 'Allow unlisted networks if not connected' and 'Verify core server existence on the network' are selected, 'clients will have unrestricted I/O device access'. This is, however, a limited case of online/offline permission sets
Through appropriate use of location-based policies (configured via Specify Location Criteria)
Customized user experience (custom access denied text)
Only device installation based.
Time-scheduled access to devices
Scheduled (repeating) permissions
Temporary access to devices
Temporary access may be provided through a password override option or administrative disable or reconfiguration, but not via a temporary permission configuration option in the management console
Content Analysis – File header and extended file analysis


Auditing and Logging

Feature

Device Control

Windows 7

LANDesk

Symantec

Logging of access attempts
Pre-existing reports
User notification in case of permission changes
Provides unauthorized storage device blocking notification
File-Shadowing – bi–directional shadowing
Copy Volume Limits
Network device audit
Lack of centralized device library does not allow easy auditing of devices added to network for enforced or non-enforced (monitored) policies
Logging of blocked devices is not sufficient to provide full auditing visibility into all devices present in the network


Architecture

Feature

Device Control

Windows 7

LANDesk

Symantec

Kernel Protection – Tamper protection, boot restriction without kernel driver
Full protection requires that the HIPS module be enabled or else a service may be stopped.  Reference http://community.landesk.com/support/message/58027
AD integration
Device Control Scalability
OS Support  (XP, 2K3, 2K8, 7)
Integrated Application Control
Application control may be provided through AppLocker for Windows 7 and Windows 2008 R2 Server only. Provided through Software Restriction Policies (Version 1) for earlier OSes
Integrated Vulnerability Management
Vulnerability Management may be provided through the built in WSUS/ Windows Update agent for Windows OSes.  Certain aspects of vulnerability management, however, are not optimal such as the patch management of third party software
 


Footnote:

This information was developed by Lumension and is presented for educational and informational purposes only. The above data reflects research done by Lumension in 2010 and 2011, using publicly available information and resources. While Lumension tries to be fair and accurate in its comparative assessments, the capabilities of compared products and services can and do frequently change, and comparisons of this type are by nature unavoidably subjective. The reader is advised to independently verify information with each developer to ensure up-to-date accuracy and to specifically validate those characteristics that are most important to the reader.

Legend

- Fully Supported

- Partially Supported

- Not Supported
