Security Features

Port Control - Safend Protector can intelligently allow, block or restrict the usage of any or all computer ports in your organization according to the computer on which they are located, the user who is logged in and/or the type of port. Safend controls: USB, PCMCIA, FireWire, Secure Digital, Serial, Parallel, Modem (e.g. dialup, 3G etc.), WiFi, IrDA and Bluetooth ports.

Device Control - Highly granular identification and approval of devices, including a comprehensive list of device types and robust white listing of device models and even distinct devices (by serial number).

Storage Control - Special control over external and internal storage devices including Removable Media, External Hard Drives, CD/DVD, Floppy and Tape drives. Policy can block usage of device types, models and even distinct devices (by serial number), restrict usage for read only, or enforce encryption (see below).

Removable Media Encryption - Unique to the Safend Protector solution is the ability to restrict the usage of encrypted storage devices to company computers by use of encryption. This extends the security borders of organizations and prevents rogue employees from deliberately leaking data through removable storage and media.

Comprehensive External Storage Encryption Suite - Safend Protector allows administrators to mandate the encryption of all data being transferred out of organization endpoints to approved removable storage devices, such as USB flash drives, Disk on Keys, memory sticks, SD cards, external hard drives, and CD/DVD media.

Offline Usage of Encrypted Devices - Specific, pre-approved users can access encrypted devices outside the protected organization on unprotected machines using an access password.

Configurable Password Policy - Administrators can define the security criteria for user-defined access passwords. Administrators can pre-define password parameters such as minimal password length and the types of characters it contains, in order to comply with the organization's security guidelines.

Track Offline Usage of Encrypted Devices - Safend Protector provides administrators with improved visibility on the usage of encrypted devices outside the organization. With this unique feature, every offline access to an encrypted device is tracked, providing a comprehensive log of each file transfer to/from this device. With this powerful log, administrators can audit users' actions even on non-company computers, in order to validate legitimate use of corporate data.

File Type Control - This feature provides an additional layer of granularity and security by inspecting files for their type as they are transferred to/from external storage devices. This technology allows for highly reliable classification of files by inspecting the file header contents rather than using file extensions, thus preventing users from easily bypassing the protection by renaming file extensions. With over 180 built-in file extensions covering all popular applications categorized into 14 file categories, policy definition has never been easier.

Content Inspection Integration - Safend offers a capability that leverages existing content monitoring and filtering solutions to enable ultra-granular data leakage prevention on endpoints. This feature provides yet another layer of security to the existing protection, so that capabilities extend beyond approving devices and files to monitoring the actual content of each file. With this new technology, each file that is downloaded from an endpoint to an external storage device can be inspected to determine whether it contains sensitive information of any kind (e.g. intellectual property, consumer data etc.). Once it is determined that the file contains sensitive information, the user is notified that this file should not be transferred to external devices, and a trace log is created for the administrator. With this log, the administrator is provided a fine-grained list of data breaches through external storage devices.

File Name Logging - Creates forensic logs of all data moving in and out of the organization via removable media and CD/DVD's.

File Shadowing - Collects copies of files moved to/from external storage devices. Administrators can set policies requiring shadowing of all data on each of the inbound and outbound channels separately as well as require shadowing for specific file types. Collected shadow files are securely stored in a central repository and available for review by authorized administrators.

Granular WiFi control - By MAC address, SSID, or the security level of the network.

Block Hybrid Network Bridging - Safend Protector allows administrators to control and prevent simultaneous use of various networking protocols that can lead to inadvertent or intentional hybrid network bridging (such as WiFi bridging and 3G card bridging). Configuring Safend Protector Clients to block access to WiFi, Bluetooth, Modems or IrDA links while the main wired TCP/IP network interface is connected to a network enables users to employ the various networking protocols only when they are disconnected from the network - avoiding the creation and potential abuse of a hybrid network bridge.

U3 and autorun control - Turns U3 USB drives into regular USB drives while attached to organization endpoints, and protects against dangerous auto-launch programs by blocking autorun.

Block USB and PS/2 Hardware Key-Loggers - Blocking USB hardware key loggers which can tap and record every keystroke in your endpoints as well as render PS/2 hardware key loggers useless.

Cisco NAC integration - Allows you to creates rules that mandate the presence of Safend Protector Client before the endpoint is allowed on your network. Refer to Safend Protector Installation Guide for further details.

OPSEC: Interoperability with Check Point VPN-1 - Safend Protector Client implements OPSEC Secure Verification Protocol (SCV). With SCV administrators can ensure that endpoints meet their designated security profile before they are allowed access to the company VPN. The interoperability between the Safend Protector Client and the VPN-1 Client allows administrators to ensure the Safend Protector Client is running, validate its version and ensure the latest policy is deployed, prior to allowing the Client onto the company VPN. Refer to Safend Protector Installation Guide for further details.

Management Features

Safend Protector Management Server - Enhances your Safend Protector system by keeping all of its data in one secure central location, and ensures its proper management. A single Management Server can be used to manage tens of thousands of endpoints, and can be accessed through the Safend Protector Management Console. Several Management Servers can be installed side by side in a cluster and seamlessly share the load of traffic from the endpoints and serve as a hot backup for each other.

Safend Protector Management Console - All of our management tools are combined into a single Management Console, which can be installed and run from any computer on your network. The Management Console provides unified management of policies, logs and Clients. The management console supports one-click deployment from the server website.

Extensive logging - Enables you to view and analyze the logs collected from all the endpoints in your organization, both immediately and over time.

Policy Server - This feature enables automatic distribution of policies from the Management Server to endpoints using the existing SSL infrastructure. To facilitate this, policies are associated to the AD or Novell objects from within the Management Console, as part of the process of defining a policy. With this feature, Safend maintains and strengthens its highly granular policy management with the ability to set policies which are more general (to OUs or Groups) as well as policies which pinpoint the specific user or computer.

Distribute Policies via Active Directory GPO - Safend Protector features tight integration with Active Directory for publishing policies via the GPO (Group Policy Objects) mechanism. This complements the ability to distribute policies directly from the Management Server, and is extremely useful for large organizations interested in leveraging existing AD infrastructures. Policies are saved as a GPO object in the AD and can be applied on users and computers. Administrators can also select a specific domain in their Domain Forest for publishing policies. This is useful for networks spread over multiple geographic locations.

Policy Merging - Administrators can apply several policies to a computer or user, and the Safend Protector Client can merge the permissions of all the policies applied to a computer/user. This is mainly useful when associating policies to user groups or for building hierarchies of permissions. Policy Summary - Allows you to view and save a printed copy of your policies for backup as well as for review by people without access to the Management Console.

Client Management - Allows you to browse the status of your Clients and check whether they are protected by the latest version of the Client, what policy they are using, when they were last updated and more. You can manage your Clients tighter by pushing policies and collecting logs at any time, with one click.

Role and Domain Partition Based Access - Allows you to create role-based access to the various parts of the system, including a definition of the Domain Partition which each Safend Protector Console user can manage. This accommodates the need of large organizations which employ several security officers, each responsible for a different part of the organization.

Immediate Updates - Enable you to push a new policy to Clients without having to wait for the policy update interval to complete. The new policy becomes effective immediately on all connected Clients. In addition, collect all the logs that were accumulated by the Clients on endpoints immediately, without having to wait for the log sending interval to complete.

Active Directory Synchronization - Allows you to look at Logs and Clients from your native organizational units view, through the organizational tree. The tree is continuously synchronized with your Active Directory to ensure it remains current at all times.

Novell eDirectory Synchronization - Similarly to its existing seamless integration with Active Directory, Safend Protector supports full integration with Novell's eDirectory. With this integration the Management Server can be configured to connect the eDirectory in order to import the organizational tree, including OUs, Groups, Users and Computers. This enables viewing of directory objects (computers/user groups) through the Management Console for policy association, log filtering and Client management purposes. Administrators can also choose the root path when synchronizing with eDirectory.

Built-In Real-Time Alerts - Enable you to issue alerts of your choice (e. g. e-mail, SNMP and more) to desired destinations. Administrators can set the destinations for sending alerts on a per-policy basis. As an example, it is possible for alerts from different computers/users to be sent to different email addresses.

Configurable End User Messages - Whenever Safend Protector Client enforces policies on a client, a message is provided to the user in order to notify him of the policy violation. Each of these messages can be customized by the administrator on a per-policy or as a global setting. Messages can be defined in multiple languages.

Internal Database - Safend Protector includes a built-in MySQL database in order to simplify the installation of small-medium systems. This database is automatically installed with the Management Server and is fully maintained by the application. No user maintenance is required.

Database Management - Administrators can set the amount of days for logs to be stored, as well as set a quota for the database files. Safend Protector Management Server also features manual as well as scheduled backups for its keys, configuration and logs (logs backup only available for Internal Database). These backups can be used to when recovering from hardware failures as well as when upgrading hardware platforms.

External Database - Customers with existing database infrastructures may prefer to use these for storing Safend Protector configuration and log information instead of using the built-in internal database provided with the Management Server installation package. This provides higher system scalability and leverages existing infrastructures and know-how. Upon installation, Safend Protector Management Server can connect to an existing Microsoft SQL (MSSQL) database instead of creating its internal database. Day-to-day maintenance of this database is still handled by Safend Protector including indexing, purging, and key/configuration backup. However, in this case it is the administrator's responsibility to backup log data.

Additional Features

Built-In Policies for Regulatory Compliance - Safend Protector assists organizations in complying with regulatory requirements such as HIPAA, SOX and PCI. It includes detailed guidelines on how to configure, operate, and maintain the product in order to assure compliance. Safend Protector includes built-in policies with the recommended settings for each regulatory standard. These built-in policies can be applied "as is" or can be modified to better accommodate the specific organization's security and business needs. To assist with this customization of policy settings, Safend Protector includes detailed guidance explaining the specific impact of the policy security settings and the associated mapping of these settings to regulatory policy statements.

Windows XP 64 bit Support - Safend Protector Client can be now installed on Windows XP 64 bit operating system endpoints.

Tamper Resistance - To achieve true endpoint security, a solution needs to be virtually impossible to circumvent, disable, or uninstall. The solution needs to enforce the security policies set by administrators, without fail. Safend Protector includes redundant, multi-tiered anti-tampering features to guarantee permanent control over enterprise endpoints.

MSI Based Client Deployment - The client installation is packaged in an MSI file, featuring silent as well as manual installation. The client can be deployed with any 3rd party tool for MSI deployment, and more specifically Active Directory GPO, Microsoft SMS and IBM Tivoli.

Suspend Client - Enables you to suspend Client operation temporarily, without having to uninstall it, even when the endpoint does not have any Internet connection. This allows access to any device for the duration of the suspension, after which the original policy enforcement is resumed.

Stealth Mode - Safend Protector Client can be configured to be invisible on endpoints. In this mode, the user doesn't see the product icon and no end user messages are shown.

Multilingual - Safend Protector speaks your language, allowing easier local administration.

Safend Protector Add-On:
Safend Encryptor
As incidents of stolen and lost computers continue to make the headlines, it is crucial for organizations to secure the data stored on the hard drives of PCs and laptops. Safend Encryptor, a license activated add-on to Safend Protector, provides a solution for protecting sensitive data; it encrypts the data stored on PCs and laptops and the result is that sensitive data cannot be read by any unauthorized user in the case of loss or theft. Safend Encryptor utilizes Total Data Encryption technology that encrypts all data files, while avoiding unnecessary encryption of the operating system and program files. This innovative concept minimizes the risk of operating system failure, and poses negligible performance impact on user productivity. Leveraging this unique encryption technology, Safend Encryptor provides a genuinely transparent Hard Disk Encryption solution, by using the existing Windows login interface for user authentication. Safend Encryptor's Hard Disk encryption is performed in real time, with minimal performance impact on the PC or laptop, and utilizes the industry standard AES algorithm with 256 bit key length.

Transparent to End Users - Transparently uses Windows login to access the encrypted data and therefore does not require any end-user training.

Transparent to Help Desk - Transparently uses the generic AD domain password reset process. No dedicated password recovery procedure is required.

Encryption Enforced by Policy - Encryption of data on internal hard drives is controlled by the same policy containing the Protector Security definition, so the complete set of endpoint security setting are defined and distributed in a single security policy.

Key Management - Individual machine keys are backed-up and securely stored in the data base.

Technician Mode - Allows IT administrators to perform maintenance work without gaining access to the encrypted data.

Data Recovery - Offers an intuitive, easy to implement recovery process in case of malfunction.

Full Audit Trail - Comprehensive logs are provided for all activities.

Safend Protector Add-On:
Safend Reporter
While Safend Reporter is sold separately, it is complimentary and a natural extension of Safend Protector. This product introduces an extensive reporting mechanism, which provides a new level of visibility into the Safend protected organization. Safend Reporter includes several built-in reports that are designed to accommodate the security and operational needs of the security and IT personnel. The information is provided in a clear, easy to understand format for the benefit of non-technical viewers, such as executives within the organization.

Security Reports - The security reports allow easy detection of specific employees and departments that frequently disregard internal security policies,

Administrative Reports - The administrative reports assist in the deployment, policy distribution and overall visibility of endpoint activity within the organization.

Drill down reports - The Safend Reporter interface allows a step-by-step drill down into different aspects of the report, and enables a quick and intuitive transition from a high-level view to specific detailed information.

Reports Export - The reports can either be viewed from within the Safend Protector Management Console, using the newly added Report World, or be exported to one of several popular formats for viewing and analysis outside of the Management Console.

Report Scheduling - The reports can be scheduled and sent periodically by email to predefined recipients in order to ensure continuous tracking of the organization's data security status and compliance to internal security policies.

Safend Auditor
With no endpoint client installation required, Safend Auditor transparently and rapidly queries all organizational network endpoints, locating and documenting all devices that are or have been locally connected. Safend Auditor checks all USB, PCMCIA, FireWire, and WiFi ports - granularly identifying endpoint devices connected for each user, both currently and historically.