IO Port Restriction
Definition
Limiting access to computer input/output (IO) ports to restrict unauthorized devices.
How it works
Software-based restriction uses agent software installed on a computer system. The agent software monitors all IO port system traffic. The agent software is configurable to limit the use of certain devices connected to IO ports. The restriction software can also be configured to limit the access to files and applications on external storage devices connected to IO ports.
Hardware-based restriction can also be employed to limit access to IO ports. For example, a hardware USB filter device placed between the host system and the external devices can filter IO port connections based on configurable rules. When a new device is connected to the USB filter, the type of device is determined. The device is then checked against an allow list to decide whether the connection is permitted.
Some implementations detect when a device is connected in order to authorize the connection against a list of approved devices, in some cases by device type. For example, if the device is determined to be a storage device, then the contained files and executables are examined to more accurately identify the device type.
Types of restrictions that may be applied:
- Device connection
- Device command filtering
- Device file system read or write restrictions
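The allow-list determination described above can be sketched as follows. This is an added example, not code from any product or from the references: the `Device` and `Rule` types, the `authorize` function, and matching on vendor and product ID are assumptions made for illustration, and the sample devices are constructed. It denies by default, requires every interface a device presents to be approved, and returns a read or write mode for storage.

```python
from dataclasses import dataclass
from typing import Optional

# USB-IF base class codes (bInterfaceClass), used here as the "device type".
HID, MASS_STORAGE, VIDEO = 0x03, 0x08, 0x0E

@dataclass(frozen=True)
class Device:
    vid: int              # idVendor reported by the device
    pid: int              # idProduct reported by the device
    interfaces: tuple     # bInterfaceClass of every interface it presents

@dataclass(frozen=True)
class Rule:
    iface_class: int              # device type this rule approves
    vid: Optional[int] = None     # None matches any vendor
    pid: Optional[int] = None     # None matches any product
    storage_mode: str = "none"    # "ro" or "rw" for storage rules

    def matches(self, dev, iface):
        return (iface == self.iface_class
                and self.vid in (None, dev.vid)
                and self.pid in (None, dev.pid))

def authorize(dev, allow_list):
    """Return (connect, storage_mode); anything not explicitly approved is denied."""
    if not dev.interfaces:
        return (False, "none")
    mode = "none"
    for iface in dev.interfaces:
        rule = next((r for r in allow_list if r.matches(dev, iface)), None)
        if rule is None:
            return (False, "none")   # one unapproved interface blocks the device
        if iface == MASS_STORAGE:
            mode = rule.storage_mode
    return (True, mode)

# Constructed policy and devices; the vendor/product IDs are made-up samples.
ALLOW_LIST = [
    Rule(HID, 0xABCD, 0x0010),                  # one approved keyboard model
    Rule(MASS_STORAGE, 0x1234, 0x0001, "ro"),   # one approved drive, read-only
]
KEYBOARD = Device(0xABCD, 0x0010, (HID,))
APPROVED_DRIVE = Device(0x1234, 0x0001, (MASS_STORAGE,))
UNKNOWN_DRIVE = Device(0x9999, 0x0002, (MASS_STORAGE,))
COMPOSITE = Device(0x1234, 0x0001, (MASS_STORAGE, HID))  # drive that also presents a keyboard
```

Descriptor fields are reported by the device itself, so the vendor and product match is an identification aid rather than proof of identity.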
Considerations
- Agent software will need to be installed on host systems
- Configurations for allow/deny for devices and files will need to be maintained
References
The following references were used to develop the IO Port Restriction knowledge-base article.
(Note: the consideration of references does not imply specific functionality exists in an offering.)