We've received some inquiries about the new ZENworks Endpoint Security Management product, so we thought we'd share some of the cool features in it. This week we'll look at the way it protects your company from hackers who try to weasel their way into the information your employees have stored on their laptops by tricking users into unsafe access points, gaining access to the corporate network using an employee's wireless network card, and other devious practices.
Corporations have taken steps to ensure the security and privacy of their own internal wireless networks, but this protection often stops at the enterprise perimeter. Nevertheless, every day your employees sit in the airport, at the hotel or a coffee shop checking their e-mail or downloading customer records or other sensitive data. The question is not whether your company is ready to use wireless: it's really about how you get the wireless genie back into the bottle before experiencing a serious compromise.
Unprotected wireless networks pose multiple threats to businesses. Users can inadvertently compromise both local and corporate data, from a wireless hotspot or even from the office. Hackers can easily find openings in an unprotected system at an access point or hotspot and run scripted, peer-to-peer attacks. They can gain access to confidential data such as customer lists, project plans and even username and password combinations.
Novell ZENworks® USB/Wireless Security provides the industry's first centrally managed endpoint security software solution to control and manage wireless connectivity.
Your IT department can:
- Exercise complete control over wireless connectivity
- Ensure use of only approved wireless NIC cards
- Completely silence the wireless radio, if desired
- Automatically distribute WEP pre-shared keys without user intervention
- Permit communication only via approved wireless devices
- Control network connectivity via LAN, modem, Bluetooth™, Infrared, 1394 (FireWire™), and serial and parallel ports, preventing unintended or rogue access through these connection points
- Receive timely information on rogue access points and unauthorized WLANs
- Automatically adapt user connectivity permissions by network location
- Block unsafe wireless connections such as ad hoc connections and those not protected by WEP, WPA, 802.11i or other standards
- Enforce and automate the use of VPN clients (traditional or SSL) when devices are in unknown or undefined network environments
Your users can:
- Securely access authorized wireless APs even in risky environments
- Easily connect without entering complicated security key information
- Securely remain productive in any wireless location
- Safely conduct business in multiple locations
- Avoid making difficult security decisions
Hackers cannot:
- Gain access to the corporate network via a user's wireless network card
- Scan notebook PC ports and read sensitive data over wireless hotspots
- Plant malware on mobile devices through wireless access
- Divert sensitive communications to rogue access points
- Trick users into making unsafe connections with unauthorized or "ad-hoc" access points
The patent-pending AccessAware™ technology centrally manages and controls mobile WLAN connectivity and access point visibility by NIC, user/group and location.
Wireless Security Features
Global Wi-Fi Control - Provides policy-based controls to globally prevent and disable such 'at risk' networking behaviors as network adapter bridging, wireless ad hoc connections, and Wi-Fi connectivity when the PC has a wired connection. When necessary, ALL Wi-Fi adapters can be disabled by policy, up to and including complete silencing of built-in and 3rd party Wi-Fi radios.
Access Point Control - Controls Wi-Fi access point connectivity by group and location, while preventing connections to rogue access points. AccessAware enables security administrators to automatically distribute and apply WEP pre-shared keys without user intervention. Administrators can control key length and can even set signal strength thresholds to manage AP switching.
Rogue Access Point Control - Blocks users from connecting to unauthorized access points and reports these devices to the management console for immediate remediation.
Location-based Wi-Fi Connectivity Control - WhereAware™ technology adapts endpoint Wi-Fi policies as users move from location to location, either inside or outside of your corporate security perimeter. Administrators can control the minimum encryption strength required for connectivity, ensuring users connect only to access points with the appropriate encryption strength.
Wi-Fi Adapter Control - AdapterAware™ technology provides security administrators with full control over user Wi-Fi connectivity. Administrators specify which, if any, Wi-Fi adapters can be used, limiting connectivity to a specific brand or type. This feature reduces IT support costs associated with employees using unsupported hardware. AdapterAware can entirely disable Wi-Fi and other wireless devices (including Bluetooth™, IrDA, etc.), or restrict Wi-Fi connectivity to pre-defined locations.
When deployed, ZENworks USB/Wireless Security:
- Prevents connections to rogue access points, ad hoc connections, or 'evil twin' / man-in-the-middle attacks
- Prevents or disables "at risk" networking behavior, such as network adapter bridging
- Controls Wi-Fi usage by network location (in the office, on the road, at home)
- Delivers a self-defending client
- Disables Wi-Fi connectivity when using a wired LAN
- Disallows Wi-Fi ad hoc network connections by location
- Enforces use of Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA) on all Wi-Fi connections
- Ensures endpoints can only connect via approved Wi-Fi access points
- Ensures use of pre-approved Wi-Fi adapters to make wireless connections while providing the added benefit of reducing IT product support costs
- Enables security administrators to automatically distribute and apply WEP and/or WPA pre-shared keys without any end-user intervention, enforce VPN usage, and disable or restrict use of Bluetooth and infrared communication ports
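The location-based policy model the feature lists above describe (minimum encryption strength, approved adapters and access points, ad hoc blocking, Wi-Fi off while wired, VPN enforcement off-site) can be illustrated with a small policy evaluator. This is an added example, not ZENworks code: the encryption ordering, policy fields, location names and sample BSSIDs are assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Set, Tuple

# Encryption strength ordering assumed for this example; the post names WEP,
# WPA and 802.11i as the standards the product recognises.
class Encryption(IntEnum):
    OPEN = 0
    WEP = 1
    WPA = 2
    WPA2 = 3   # 802.11i

@dataclass
class LocationPolicy:
    min_encryption: Encryption
    approved_aps: Set[str] = field(default_factory=set)       # BSSIDs; empty = any
    approved_adapters: Set[str] = field(default_factory=set)  # vendors; empty = any
    allow_adhoc: bool = False
    wifi_off_when_wired: bool = True
    require_vpn: bool = False

@dataclass
class ConnectionAttempt:
    adapter: str
    bssid: str
    encryption: Encryption
    adhoc: bool = False
    wired_link_up: bool = False

def evaluate(policy: LocationPolicy, attempt: ConnectionAttempt) -> Tuple[bool, str]:
    """Return (allowed, reason) for a Wi-Fi association under one location's policy."""
    if policy.approved_adapters and attempt.adapter not in policy.approved_adapters:
        return False, "adapter not approved"
    if policy.wifi_off_when_wired and attempt.wired_link_up:
        return False, "Wi-Fi disabled while wired LAN is connected"
    if attempt.adhoc and not policy.allow_adhoc:
        return False, "ad hoc connections blocked"
    if attempt.encryption < policy.min_encryption:
        return False, f"encryption below minimum ({policy.min_encryption.name})"
    if policy.approved_aps and attempt.bssid not in policy.approved_aps:
        return False, "unapproved access point; reported to console"
    if policy.require_vpn:
        return True, "allowed; VPN client enforced"
    return True, "allowed"

# Constructed sample policies: strict in the office, VPN-only in unknown locations.
POLICIES = {
    "office": LocationPolicy(Encryption.WPA2, {"00:11:22:33:44:55"}, {"Intel"}),
    "unknown": LocationPolicy(Encryption.WPA, set(), {"Intel"}, require_vpn=True),
}

def check(location: str, attempt: ConnectionAttempt) -> Tuple[bool, str]:
    return evaluate(POLICIES[location], attempt)
```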
Q: What is the difference between ZENworks Endpoint Security Management, and ZENworks USB/Wireless Security?
A: Novell ZENworks Endpoint Security Management 3.5 simplifies endpoint security by combining security policy enforcement for data, devices and connectivity under a single management console, allowing organizations to manage, control and enforce security policies for Removable Storage, Wireless Communications (including MESH and WiMAX), Application Control, Machine Posture/Integrity, Data Encryption and Advanced Personal Firewall. Its lightweight footprint in both size and traffic, its ease of management, and its comprehensive functionality earned it Secure Computing Magazine's "Reader's Trust Award for Best Endpoint Security Solution" in 2007.
ZENworks USB/Wireless Security is a simplified version of the product that provides comprehensive USB control, connectivity security, and file encryption features; and does not include some of the additional security features that are available in ZENworks Endpoint Security Management. If you have purchased ZENworks USB/Wireless Security, you should use the ZENworks Endpoint Security Management manuals; all functionality described in the manuals will be essentially the same, with only certain policy features unavailable in the ZENworks USB/Wireless Security Management Console. The unavailable features are indicated with the following notation in the manuals: "This feature is only available in the ESM installation, and cannot be used for UWS security policies." Features without this notation are available for both products.
If you have any questions about USB/Wireless Security, post comments below and we'll do our best to track down and post the answers.
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.