Enterprises are constantly challenged with security and support issues arising from one major area: end users and their PCs. Malware, data leakage caused by removable media and spyware, and resulting regulatory compliance (information privacy) issues dominate enterprise IT's Top 10 Concerns lists from a variety of analyst firms.
Existing security solutions can't stem the tide of ever-increasing security threats, primarily because enterprise endpoints are porous. And new hardware technologies and P2P applications continue to appear on the market. Who would have ever considered an iPod to pose a security risk a few years ago? Who would have expected the wave of boutique spyware explicitly crafted to target individual organizations?
Traditional security solutions don't address today's risks simply because they rely on signatures or some other means to react to symptoms after a threat has already appeared.
Novell recently partnered with SecureWave to resell its Sanctuary Suite, providing a terrific new complement to the functionality that the ZENworks 7 Suite provides. Sanctuary provides the critical components you need to solve problems associated with endpoint executables and devices. Moreover, Sanctuary works in a simple, unique way that puts control back in your hands while giving end users the flexibility they demand.
Sanctuary and ZENworks: A Perfect Complement to Each Other
With Novell and SecureWave, you can ensure compliance with privacy regulations, enforce and audit application and device-usage policies, and improve security at your network's most risk-prone points: the desktop and laptop. Sanctuary uses the same user, group and endpoint device identities as the Novell identity and security management solutions to enforce security guidelines. Benefiting from a consistent approach to identity, you can reduce your costs and more easily administer and manage policies.
SecureWave also recently added Novell eDirectory support to Sanctuary, complementing the identity-centric management approach of Novell ZENworks. With integrated eDirectory support, you can enforce Sanctuary's policy-based security and access, according to each user's role. You can also audit access attempts that are made with removable media devices, whether successful or not, including what data was sought and by whom.
Sanctuary Suite Overview
Sanctuary gives you policy-based control for all devices and 16- and 32-bit applications used on enterprise endpoints. Using an automated White List approach, Sanctuary enables development, enforcement and auditing for application and device use. This automation maintains IT security, reduces the effort and cost associated with supporting endpoint technologies, and ensures compliance with regulations. By using a White List approach, you can turn your back on the volumes of unwanted applications, malware, and unauthorized devices, and instead focus on what is authorized and approved.
Sanctuary links application and device policies to Active Directory and eDirectory-based identities, and dramatically simplifies the management of endpoint application and device resources.
Sanctuary Suite Architecture
Sanctuary Suite utilizes an architecture comprising the:
- Application Server(s)
- Database (Microsoft SQL Server)
- Sanctuary Management Console(s)
- Sanctuary Client(s)
Figure 1 shows the basic architecture and communication paths and protocols used between the client and the server side components.
All access management and administration is done from a single or multiple locations. You don't need physical access to a PC to set or change user and/or machine permissions on that machine.
Each Sanctuary infrastructure requires one database. This is the master storage point for the user policies and permissions. The database uses Microsoft SQL Server 2000/2005 or the freeware MSDE2000/SQL 2005 Express. To ensure fault tolerance, you can install the SQL Server database in a cluster.
The Application Server, a Windows 2000/2003 service, communicates with the Sanctuary Clients and distributes the list of device and application permissions for each client computer and/or User/Group. You can use multiple Application Servers to balance the network and hardware load and assure failover functionality when one of them is not responding. The Sanctuary Management Console connects to the Application Server to carry out administrative changes. All communication with the Database is done through and by the Application Server(s), except for Novell eDirectory objects, which are synchronized using a script.
Traffic between the Client and Application Server is protected with public/private key technology and compressed before it is sent.
During the client installation, a kernel-level driver (Sanctuary Client), a communication service (SCOMC) and a notification service (RTNotify) are installed, which together are called the Sanctuary Client. The Sanctuary Client driver is a low-level kernel driver that runs on a Windows 2000/XP/2003/XPe Workstation and will enforce policies even if the other services are not available.
The client can be installed on a machine through a silent, unattended install, using Novell ZENworks for Desktops, SecureWave's own Client deployment tool, Logon scripts and group policies or other deployment tools that support Microsoft System Installer (MSI). The Sanctuary Client ensures that only those devices and applications the user has been authorized to use can be accessed on the computer. Any attempt to access an unauthorized device or application is barred and optionally logged independently from the computer where the user is logging on.
Each time a user logs on or the machine boots, the kernel driver on the client computer communicates with a SecureWave Application Server and requests a list of authorized files to execute and a Devices Access Control List (ACL). The Application Server then communicates with the Database (if its cache is empty) and downloads a cryptographically signed list of the hashes for the files the user is authorized to run as well as the Devices ACL. The lists are compressed and then forwarded to the Client computer. Strong executable authorization is achieved by using a secure 'fingerprint' hash function (FIPS standard SHA-1).
Once the hash is calculated, the driver checks whether the current user has the right to execute the application. This authorization check takes place when the file is loaded into memory for execution, rather than when the file is read from or written to disk. If the check passes, execution is authorized; if not, access is denied, unless the optional Local Authorization function is enabled for this user. Sanctuary also provides Script Protection (VBS, VBA, JScript).
Granting or revoking access happens on the fly and requires no action from the end user. The client driver has no user interface, and the end user cannot interact with it. Sanctuary protects all computers at all times, even when users are disconnected, for example when laptops are taken off the network. If the client driver cannot download the hash list for any reason, it uses the locally stored one, and the client computer continues to use that list until it can connect to one of the servers or permissions are imported through a secure policies file.
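The download, load-time check and offline fallback described in the three paragraphs above, as an added Go sketch that is not SecureWave's code: it assumes a JSON hash list signed with ed25519 (standing in for the product's 2048-bit key pair), covers only the executable allowlist and not the device ACL, and models a client that keeps enforcing its last verified list whenever a new one fails to verify.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha1"
	"encoding/hex"
	"encoding/json"
)

// Policy models the signed list a server pushes to a client: the hex SHA-1
// fingerprints of the executables this user is allowed to run.
type Policy struct{ Hashes map[string]bool }

// NewKeys stands in for the Key Pair Generator (ed25519 rather than RSA-2048).
func NewKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	return pub, priv
}

// Fingerprint is the hash the driver takes of an image as it is loaded to run.
func Fingerprint(image []byte) string {
	sum := sha1.Sum(image)
	return hex.EncodeToString(sum[:])
}

// SignPolicy is the server side; json.Marshal emits map keys sorted, so the
// signed bytes are canonical.
func SignPolicy(p Policy, priv ed25519.PrivateKey) (blob, sig []byte) {
	blob, _ = json.Marshal(p)
	return blob, ed25519.Sign(priv, blob)
}

// Client stands in for the kernel driver: it adopts only a list whose signature
// verifies and otherwise keeps the cached one, as when the server is unreachable.
type Client struct {
	pub    ed25519.PublicKey
	policy Policy
}

func (c *Client) LoadPolicy(blob, sig []byte) bool {
	var p Policy
	if !ed25519.Verify(c.pub, blob, sig) || json.Unmarshal(blob, &p) != nil {
		return false // tampered or malformed: keep enforcing the cached list
	}
	c.policy = p
	return true
}

// MayExecute is default-deny: an image whose fingerprint is not listed is refused.
func (c *Client) MayExecute(image []byte) bool { return c.policy.Hashes[Fingerprint(image)] }
```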
Sanctuary's support for Novell eDirectory enables enterprises that are using Novell Directory Services to take advantage of the identities stored within eDirectory. It also includes support for Workgroups and local workstation accounts, including the well-known groups and users such as LocalSystem, etc. You can manage it with the Sanctuary Management Console with the same ease of use as AD-oriented enterprises have come to expect from SecureWave. When using our synchronization script, Novell Organizational Units, Groups and Users from one or more trees are transferred to the SecureWave database. You can then proceed to Sanctuary's Administrator Console to assign the needed permissions and rules directly to Novell objects. (See Figure 2.)
Sanctuary Administration Tools
Three administration tools are common to both Sanctuary products:
- The Key Pair Generator creates a 2048-bit encryption key pair (private and public key) to assure signed communication between the Application Server and the Sanctuary Clients.
- The SXDomain synchronization command-line tool provides an alternative method to update the database with changes to the Active Directory Domains, Users, Groups and Workstations within your network. Use the Novell synchronization script to perform the same synchronization against Novell eDirectory trees.
- The Client Deployment tool lets you install, upgrade, uninstall and query the Sanctuary clients.
The Sanctuary Management Console for both products generates many helpful reports.
You can access an audit trail of all Sanctuary Management Console changes made by Sanctuary administrators through the Audit Logs Viewer.
Sanctuary Device Control Administration Specifics
Sanctuary Device Control detects Plug and Play devices, even when they are added on the fly.
Supported devices include:
- Removable Storage Drives (such as USB memory sticks, MP3 players, media cards, PCMCIA hard drives and IDE/SCSI/SATA secondary hard-drives)
- DVD/CD Drives
- Floppy Disk Drives
- USB Printers
- LPT/Parallel and COM/Serial ports
- Tape Drives
- Palm, Blackberry and Windows CE Handheld devices
- Modems/Secondary Network Access devices
- Smart Card readers
- Imaging Devices (Scanners)
- Biometric Devices
- Wireless NICs
- Bluetooth Devices
- Infrared Ports
- PS/2 Ports
- USB Key loggers
In addition to blocking all unknown devices, Sanctuary Device Control also lets you extend and maintain the list of supported devices with devices that cannot be associated with any of the predefined device classes. Such devices, webcams for example, can be specified as a User-Defined device and given permissions in the usual way, so you can define your corporate standard models and deny access to all others.
Device Use Permissions
New devices are automatically declared in one of the predefined classes during the Plug and Play discovery phase. Because USB, FireWire and PCMCIA are bus types, not true ports, devices attached through these buses are recognized by the device class they belong to, not by the way they are connected. For example, an external CD-ROM drive connected via a USB port is recognized as part of the 'DVD/CD drives' class and therefore receives the same permissions as any other DVD/CD drive. Nevertheless, you can also define permissions for different device types within a class, so you can assign dissimilar policies for a specific company-approved model (even with specific firmware) installed only on a specific computer.
You can create a White List of corporate-approved devices and deny everything else. You can authorize at three levels using a White List:
- At the device class level: assign read, read/write or deny permissions to access a specific device.
- At a device group level: subclassify devices and group them in coherent units and then add specific permissions and rules.
- To the device itself: define a unique device and assign it to a unique person and/or machine. (See Figure 3.)
You can also enforce daily data copy limits to removable devices and/or floppy disk drives using Sanctuary.
You can apply all permission types at the same time. You can even define "root-level permissions." These permissions are attached to the root of the Device Explorer tree and apply to all device classes.
Scheduled Device Access lets you grant or deny permissions to use a device during a specific period and/or following a predefined schedule. You can use this feature to develop sophisticated security policies so that certain devices can only be used from, for example, 9 a.m. to 5 p.m., Monday through Friday.
You can also define online/offline permissions for individual users and grant or deny them access to certain devices when they are online and apply a different device policy when they are offline.
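An added Go model of the permission levels, Scheduled Device Access and online/offline policy described in this section; it is not Sanctuary's code, and its precedence (the most specific rule wins, a scheduled rule outside its window is skipped, no matching rule means deny) is an assumption, as are the sample class and group names.

```go
package main

import "time"

// Rule is one permission entry in the Device Explorer tree. Hours and Weekdays
// model Scheduled Device Access; Offline models the separate offline permission.
type Rule struct {
	Perm     string // "deny", "read" or "read/write"
	Offline  string // permission used while disconnected; empty means same as Perm
	Hours    [2]int // allowed clock hours [from, to); the zero value means any hour
	Weekdays bool   // restrict the rule to Monday through Friday
}

// Device is what Plug and Play discovery reports: its class, an optional
// administrator-defined group and a unique identifier.
type Device struct{ Class, Group, ID string }

// DeviceACL holds rules at the root, class, group and individual-device levels.
type DeviceACL struct {
	Root    *Rule
	Classes map[string]*Rule
	Groups  map[string]*Rule
	Devices map[string]*Rule
}

// Resolve returns the effective permission. Assumed semantics: the most
// specific rule in force at time `at` wins, a scheduled rule outside its
// window is skipped, and with no rule at all the device is denied.
func (a DeviceACL) Resolve(d Device, at time.Time, online bool) string {
	for _, r := range []*Rule{a.Devices[d.ID], a.Groups[d.Group], a.Classes[d.Class], a.Root} {
		if r == nil || !r.inWindow(at) {
			continue
		}
		if !online && r.Offline != "" {
			return r.Offline
		}
		return r.Perm
	}
	return "deny"
}

func (r *Rule) inWindow(at time.Time) bool {
	if r.Weekdays && (at.Weekday() == time.Saturday || at.Weekday() == time.Sunday) {
		return false
	}
	if r.Hours == [2]int{} {
		return true
	}
	return at.Hour() >= r.Hours[0] && at.Hour() < r.Hours[1]
}
```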
Media Authorization & Encryption
In Sanctuary Device Control, you can grant a specific user access to authorized DVDs/CDs or specific removable media, adding a further level of security. You can limit the corporate use of DVDs/CDs to those specifically authorized and deny access to everything else. You can also encrypt removable media so it can be safely used and transported without fear of exposing your confidential data to unauthorized users. Users can access their encrypted data even on computers that don't have the client software installed, using either the Sanctuary Device Control Stand-Alone Decryption tool or the Sanctuary Easy Exchange encryption mode. To access the first type of media, the user must have the Sanctuary stand-alone decryption tool and a valid password and encryption key; the second type can be accessed with only a password.
Strong Auditing & Reporting Capability
SecureWave's powerful auditing and reporting capability helps you track user and administrator use and abuse:
- SecureWave's patent-pending I/O-shadowing technology allows you to supervise information (the complete file, just the file name, or the stream) as it is saved to writable DVDs/CDs, removable devices or floppy disks, or sent to a COM, LPT or Modem port. Full shadowing intercepts such operations by saving a duplicate of the data copied. An authorized administrator can later view or open these shadowed file or stream copies.
- You can trace user activity, including attempts to access unauthorized devices, devices being connected to and disconnected from computers, client error reports, and attempts to exceed the data copy limit.
Sanctuary Application Control Administration Specifics
In addition to the tools shared with Sanctuary Device Control administration, Application Control extends the following functionalities in the Sanctuary Management Console:
- Build lists of executable files to be managed using the Scan Explorer. An easy way to locate new or unknown applications on complete or partial hard disks is to take snapshots of a computer at different times and compare them to identify the files that differ.
- Organize executable files into logical File Groups: Sanctuary also proposes to add newly scanned applications to existing File Groups, if appropriate.
- Import SecureWave File Definitions, which are predefined signature lists for multilanguage editions of supported Microsoft Operating Systems and their service packs.
- Assign File Groups to users and User Groups using the User Explorer. (See Figure 4.)
- Use the Database Explorer to view and maintain the list of executables and their corresponding hashes as kept in Sanctuary's Database. (See Figure 5.)
- Use the Exe Explorer to select the executable files users are permitted to run.
- Use the Authorization Wizard to quickly identify and authorize executable files from network folders, CD/DVDs, or any other source. Its scan engine also transparently handles compressed archives in most common formats (CAB, MSI, ZIP, RAR). You can also integrate Windows Server Update Services with Sanctuary to help ease the pain of frequent Microsoft updates.
- Use the Log Explorer to view the detailed logging. Each time a client computer requests the use of an executable file, a log entry can be created. You can access and maintain the assignment details for the respective files from the log if required. The Log Explorer allows you to authorize unknown executables with one right mouse click, which makes the management of those executables a breeze.
- Set options in the way the client computers operate using Sanctuary.
A Shared Vision and Proven Technology
SecureWave shares Novell's vision of identity-based control and understands that blocking and restricting technology is not the answer; enabling companies to leverage new technologies while minimizing the risk is. The Novell and SecureWave partnership offers endpoint application and device control functionality you will appreciate.
More than 1,200 customers across the globe are using SecureWave's Sanctuary for a reason: it is the best first line of defense against the malware, unwanted applications, unlicensed programs and unauthorized device use.