> The World Is Changing
Information security can be frustrating because it’s never really “done.” You never get to declare victory and go home early. Unfortunately, this isn’t just vendor-driven churning of solutions; it’s part of the fundamental nature of security. Part of the reason is that, whether you like it or not, you are engaged in a genuine arms-race with hackers and criminals.
But even more fundamental than that is the fact that security is a reflection of your business priorities and processes, and as they change, so too must your security.
One recent and profound change in business processes that is still reshaping security is the rise in mobility. Data that used to sit on a mainframe or server back at corporate headquarters now lives on a thousand laptops. A network that used to be a static collection of cables is now dynamically reshaped by wireless connections. Data that used to move through predictable network paths now moves around on gigabyte thumb drives, completely invisible to network scans and controls.
All of these changes mean that the old-style security solutions, such as perimeter firewalls and perimeter anti-virus, simply don’t cut it any more. You still need them, but they cannot protect you from the newest generation of threats. Yes, you should worry about a hacker trying to penetrate your network and steal critical data off a server. But what about the copies of that same data living on an executive’s corporate laptop? What use is a wonderful perimeter firewall when the laptop is left in the back of a taxi, or used on a hotel’s insecure network, or at a wireless hot-spot?
> New Problems Demand New Solutions
In short, you need to complement your traditional security measures with new solutions that directly target these new threats. That was the thinking behind Novell’s recent acquisition of Senforce Technologies, and the subsequent release of ZENworks Endpoint Security Management.
ZENworks Endpoint Security Management gives security administrators the ability to centrally define corporate security policies for endpoints such as notebooks and workstations, and have those policies actively enforced 24x7. Enforcement is done via kernel-level drivers on the endpoint itself, so there are no gaps in security even when a device is off-LAN or completely isolated.
This combination of distributed enforcement and centralized management is critical for proper risk management. If you let the end-user make their own security decisions, you immediately introduce several serious problems:
- You are frequently interrupting the end-user, taking them away from their real job;
- You are asking them to become amateur security specialists, which invariably means that bad decisions are made; and
- You have no consistency across the enterprise. In this scenario, there is no real “policy,” just a cloud of good intentions that gives you a no-compliance story and no real risk management.
> Breadth of Features Is Critical
Because mobility is not just a technical issue, but a fundamental change in how we use technology, it raises an entire range of security concerns. Obviously, you can’t address this broad range of issues with a single technical “magic bullet,” so ZENworks Endpoint Security Management was designed to provide multiple enforcement mechanisms, all within a single integrated management framework and executed by a single agent. These mechanisms include:
- highly granular control over inbound and outbound packet flows via an endpoint firewall;
- comprehensive control over wireless, including the ability of administrators to:
• completely disable wireless where desired (for example, to impose a “no wireless when wired” policy to prevent dual homing threats),
• white-list access points (to prevent accidental associations), or
• enforce minimal standards of encryption (for example, to require WPA encryption as an acceptable minimum, ruling out WEP);
- comprehensive control over removable media, giving administrators the ability to completely block such devices, white-list specific allowed devices, or make them read-only;
- the ability to enforce the automatic encryption of data being transferred to removable media, and/or the encryption of data stored on the hard disk based on file/directory information. This encryption is done without requiring the end-user to do anything or remember anything;
- the ability for the administrator to actively force the end-user to use a corporate VPN, rather than simply making it available to them and “hoping for the best;”
- the ability to control which applications can execute on the end-point;
- the ability to use the ZENworks Security Client to automatically respond to security events and, without any administrator involvement, take real-time scripted action in response;
- the ability to control—through policy—all physical ports and protocols such as Bluetooth, IrDA, serial, parallel, modems and so on.
All of these security controls operate in real time without any end-user intervention.
> How It All Works
The solution contains several distinct components. As shown in Figure 1, these are:
- The ZENworks Security Client. This is the agent that enforces security on the endpoint. It provides the security “muscle,” while the centrally created policy provides the “brains.”
- The Policy Distribution Service. This is responsible for the distribution of security policies to the ZENworks Security Client, and the receipt of reporting data from the Client. The Policy Distribution Service can be deployed in the DMZ, outside the enterprise firewall, to ensure regular policy updates for mobile endpoints. This means that Clients can be updated without their needing any sort of LAN connectivity.
- The Management Service. This lives back in a secure place on the network, and is responsible for user policy assignment and component authentication; the retrieval of reporting data and the creation of reports, and the creation and storage of security policies.
- The Management Console. This is the visible user interface for administrators, and can run directly on the server hosting the Management Service, or on some other workstation with secure access to the Management Service server. The Management Console is used to both configure the Management Service and to create and manage user and group security policies. Policies can be created, copied, edited, disseminated or deleted using the editor.
- The Client Location Assurance Service. This optional service provides a cryptographic guarantee that the ZENworks Security Client is actually in a given location, and not being spoofed. See Location, Location, Location for more details.
It is important that security settings be controlled and defined centrally. Otherwise, you can’t even claim to have a security policy: you’ve just got some good intentions and some misused security tools.
Creating and Distributing Policies
Policies are created via the Management Console, which provides a simple GUI for capturing the administrator’s security requirements. For example, if you want to prevent the dual homing threats that arise when your end-users connect simultaneously to both your wired network and some other, possibly dangerous, wireless connection, you simply check the “no wireless when wired” box. Policies are captured in an XML blob, which is then compressed, encrypted with AES-256, and digitally signed before being distributed to the endpoints under management via the Policy Distribution Service.
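The compress, encrypt, sign pipeline described above, as an added example that is not Novell’s or Senforce’s code: the article names AES-256 and a digital signature but not the cipher mode or signature scheme, so AES-256-GCM and Ed25519 are assumptions here, as is the blob layout (nonce, then ciphertext and tag, then signature). The client side checks the signature before it attempts decryption, so an altered or re-signed blob is rejected without the cipher ever being run on it.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// PackPolicy is the management side: gzip the XML policy, encrypt it with
// AES-256-GCM under key, and sign nonce||ciphertext with the management
// service's Ed25519 key (assumed scheme). Output: nonce || ciphertext+tag || signature.
func PackPolicy(policyXML, key []byte, signer ed25519.PrivateKey) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	var z bytes.Buffer
	gw := gzip.NewWriter(&z)
	if _, err := gw.Write(policyXML); err != nil {
		return nil, err
	}
	if err := gw.Close(); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	sealed := gcm.Seal(nonce, nonce, z.Bytes(), nil) // nonce is prepended to the output
	return append(sealed, ed25519.Sign(signer, sealed)...), nil
}

// UnpackPolicy is the client side. The signature is verified first, so an
// unsigned, altered or foreign-signed blob is rejected before any decryption.
func UnpackPolicy(blob, key []byte, verifier ed25519.PublicKey) ([]byte, error) {
	if len(blob) < ed25519.SignatureSize {
		return nil, errors.New("policy blob too short")
	}
	cut := len(blob) - ed25519.SignatureSize
	sealed, sig := blob[:cut], blob[cut:]
	if !ed25519.Verify(verifier, sealed, sig) {
		return nil, errors.New("policy signature invalid: blob rejected")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("policy blob truncated")
	}
	plain, err := gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
	if err != nil {
		return nil, errors.New("policy decryption failed: wrong key or corrupted data")
	}
	gr, err := gzip.NewReader(bytes.NewReader(plain))
	if err != nil {
		return nil, err
	}
	defer gr.Close()
	return io.ReadAll(gr)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed keys and policy; a real deployment provisions these out of band.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	policy := []byte(`<policy><wireless noWirelessWhenWired="true"/></policy>`)

	blob, err := PackPolicy(policy, key, priv)
	if err != nil {
		panic(err)
	}
	out, err := UnpackPolicy(blob, key, pub)
	fmt.Printf("round trip: %s (err=%v)\n", out, err)

	tampered := append([]byte(nil), blob...)
	tampered[20] ^= 0x01 // flip one bit inside the ciphertext
	_, err = UnpackPolicy(tampered, key, pub)
	fmt.Println("tampered blob:", err)
}
```

The order matters on the client: checking the signature before decrypting means the agent only ever feeds authenticated bytes to the cipher, and the GCM tag then independently catches any corruption that a valid signature could not have covered.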
Note that this product is new to the ZENworks product line, and its management console has not yet been integrated into the ZENworks framework. (That said, integration is already a priority for the ZENworks Product Development team.)
How The Agent Works
The enforcement on the endpoint is primarily done using kernel-level drivers. For example, the endpoint firewall uses a Network Driver Interface Specification (NDIS) intermediate miniport driver to filter packets at the very bottom of the network stack. By catching packets as soon as they come up from the hardware abstraction layer, the ZENworks Security Client provides particularly efficient, robust and secure filtering of packets.
An additional benefit of this architecture within the client is that the kernel-level drivers see much more than just user-generated traffic; they also see the internal management traffic the operating system uses to provide core functionality. For example, wireless functionality such as the “roam table” of visible access points passes through parts of the kernel controlled by the ZENworks Security Client, and the agent can filter that list against a policy-provided white list. Doing so makes it easy for administrators to control to which access points the end-user can connect, dramatically reducing the threat from accidental associations. And because the filtering is done in the kernel rather than in application space, the filtering works for all wireless management applications.
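The roam-table filtering described here, together with the wireless controls listed earlier (no wireless when wired, access-point white list, minimum encryption), as an added example that is not the product’s own code. The policy and access-point structures, the encryption ranking and the reason strings are assumptions; the point is that each visible access point is checked against every policy criterion before the user is allowed to see it, and that an unrecognised minimum-encryption setting fails closed.

```go
package main

import (
	"fmt"
	"strings"
)

// Ranking of encryption modes; higher is stronger. Constructed for this example.
var encRank = map[string]int{"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3}

// AccessPoint is one entry of the roam table the driver sees.
type AccessPoint struct {
	SSID, BSSID, Enc string
}

// WirelessPolicy holds the policy-provided wireless settings (hypothetical shape).
type WirelessPolicy struct {
	NoWirelessWhenWired bool
	AllowedBSSIDs       []string // white list; empty means no white-list restriction
	MinEncryption       string   // e.g. "WPA": anything weaker (WEP, OPEN) is dropped
}

// FilterRoamTable returns the entries the user may associate with, plus a
// reason per dropped BSSID for the client's event log.
func FilterRoamTable(p WirelessPolicy, wiredLinkUp bool, visible []AccessPoint) ([]AccessPoint, map[string]string) {
	dropped := make(map[string]string)
	if p.NoWirelessWhenWired && wiredLinkUp {
		for _, ap := range visible {
			dropped[ap.BSSID] = "wireless disabled while wired link is up"
		}
		return nil, dropped
	}
	white := make(map[string]bool)
	for _, b := range p.AllowedBSSIDs {
		white[strings.ToLower(b)] = true
	}
	minRank, known := encRank[p.MinEncryption]
	if !known {
		minRank = len(encRank) // unknown minimum: fail closed, nothing qualifies
	}
	var allowed []AccessPoint
	for _, ap := range visible {
		if len(white) > 0 && !white[strings.ToLower(ap.BSSID)] {
			dropped[ap.BSSID] = "BSSID not on access-point white list"
			continue
		}
		if r, ok := encRank[ap.Enc]; !ok || r < minRank {
			dropped[ap.BSSID] = fmt.Sprintf("encryption %q below policy minimum %q", ap.Enc, p.MinEncryption)
			continue
		}
		allowed = append(allowed, ap)
	}
	return allowed, dropped
}

func main() {
	policy := WirelessPolicy{
		NoWirelessWhenWired: true,
		AllowedBSSIDs:       []string{"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
		MinEncryption:       "WPA",
	}
	// Constructed roam table: a compliant corporate AP, a legacy WEP AP that is
	// on the white list anyway, and an unlisted hotspot.
	visible := []AccessPoint{
		{"corp-secure", "aa:bb:cc:00:00:01", "WPA2"},
		{"corp-legacy", "aa:bb:cc:00:00:02", "WEP"},
		{"free-wifi", "de:ad:be:ef:00:03", "WPA2"},
	}
	allowed, dropped := FilterRoamTable(policy, false, visible)
	for _, ap := range allowed {
		fmt.Printf("allowed: %s (%s)\n", ap.SSID, ap.BSSID)
	}
	for bssid, why := range dropped {
		fmt.Printf("dropped: %s: %s\n", bssid, why)
	}
}
```

Because the filter runs on the roam table itself rather than on one particular client application, every wireless manager on the machine sees the same reduced list, which is the property the paragraph above attributes to doing the work in the kernel.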
Naturally, drivers in the network stack cannot provide the entire range of security enforcement features described earlier. The ZENworks Security Client uses several other drivers in the file system stack to provide other functionality, such as data encryption and control over removable media. There are also some removable media security features within ZENworks Endpoint Security Management.
ZENworks Endpoint Security Management was designed for the enterprise market, and has several features to make it an efficient, powerful tool for securing larger organizations. These features include:
- User- or machine-targeted policies. When you think about all the security enforcement features provided by ZENworks Endpoint Security Management, it quickly becomes clear that there can’t be a single “one-size-fits-all” policy that will be equally appropriate for everyone throughout the enterprise. Your executives have a fundamentally different work profile (and threat profile) from your support staff, and your sales people are completely different animals from your internal IT people. What you need—and what ZENworks Endpoint Security Management gives you—is the ability to construct different policies for different people, and then target the policies at their intended recipients. To do this, ZENworks Endpoint Security Management hooks into your enterprise identity repository (whether that be eDirectory, Active Directory or any other LDAP-compliant identity repository), and lets you target policies at individual users, groups or organizational units, or any other level of identity container. You can even target policies at machines, rather than the users, making it easy to impose security controls on shared machines.
- Sophisticated reporting and audit capabilities. For an enterprise solution, it is essential that security enforcement not be “set and forget.” You need the enforcement backed up by highly scalable reporting and audit mechanisms. ZENworks Endpoint Security Management lets you specify what reports you want to see, and the ZENworks Security Client will generate the appropriate report data, encrypt it, and pass it back via the Distribution Service to the Management Server. There it can be aggregated, analyzed and turned into specific reports.
- Strong client self-defense. If your enterprise is to have a strong compliance story, it is essential that end-users not be able to turn the enforcement off, or get around it in any way. To avoid these problems, the ZENworks Security Client was designed to be extremely resistant to attacks by the end-user, even if they have Administrator privileges on the host in question. Any attempts to kill processes, unbind drivers or hack the registry are detected in real-time, prevented and logged for administrative action.
People rightly get a little nervous when they hear about “new kernel-level driver technology.” It’s a bit like hearing a doctor say, “This is the first time anyone has had THIS operation.” Exploiting the benefits of new technology is one thing; being a guinea pig is another! Note that ZENworks Endpoint Security Management is actually mature, field-proven technology that came over with the acquisition of Senforce Technologies, and that the product has a large existing install-base and a four-year history. Novell customers are seeing a new offering from the company, not untested technology.
> Location, Location, Location
As mentioned earlier, there is no such thing as a “one-size-fits-all” policy that is appropriate for all people across an enterprise. To maximize security and minimize productivity costs, there’s often no alternative but to create several different policies and target them at different groups.
Because we live in a mobile world, the situation is actually even more complicated than that. Even for a given specific person, there isn’t really a single policy that is always appropriate for them. To give a real-world example that we often see, when a user is on their corporate network, it’s reasonable from a security perspective to allow all sorts of networking traffic to flow through the endpoint firewall, because there are real productivity gains to be had from allowing file sharing, network printing and so on. But when that same user crosses the street to an Internet café, and moves from the relative safety of the corporate LAN to the raw Internet, the risk profile changes dramatically, and a completely different security profile needs to be applied.
ZENworks Endpoint Security Management was built to address the concerns of a mobile workforce, so obviously it was important that we deal with this aspect of mobility. For this reason, policies (and policy enforcement) in ZENworks Endpoint Security Management are location aware. Administrators can create policies that should apply in certain network locations, and, down on the endpoint, the agent (which has full visibility of network parameters such as IP addresses, default gateways, DHCP server addresses, and so on) identifies which location is currently applicable and applies the right security policy for that context. This makes it simple for administrators to create policies that say things like “when my users are on the corporate LAN, allow networking traffic to flow, but when they are at an Internet café, make those ports stateful rather than open.” This location awareness is all completely automatic, and does not require the end-user to do anything.
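The location selection just described, as an added example that is not the product’s own code: an administrator-defined location is a set of network criteria (subnet, default gateway, DHCP server), the agent matches what it currently observes against each location, and when nothing matches it falls back to the strictest policy rather than the most permissive one. The structures, the sample addresses and the open-versus-stateful firewall settings are constructed; the cryptographic check performed by the Client Location Assurance Service is outside this example, which shows only the network-parameter matching.

```go
package main

import (
	"fmt"
	"net"
)

// NetParams are the values the agent observes on its active adapter (constructed).
type NetParams struct {
	IP, Gateway, DHCPServer net.IP
}

// FirewallPolicy is a simplified per-location firewall setting (hypothetical shape).
type FirewallPolicy struct {
	Name         string
	OpenPorts    []int // inbound ports allowed unconditionally
	StatefulOnly bool  // inbound traffic only as a reply to outbound traffic
}

// Location is an administrator-defined network location. Every criterion the
// administrator filled in must match; an empty criterion is not checked.
type Location struct {
	Name        string
	Subnets     []*net.IPNet
	Gateways    []net.IP
	DHCPServers []net.IP
	Policy      FirewallPolicy
}

func (l Location) Matches(p NetParams) bool {
	if len(l.Subnets) > 0 && !anySubnet(l.Subnets, p.IP) {
		return false
	}
	if len(l.Gateways) > 0 && !anyIP(l.Gateways, p.Gateway) {
		return false
	}
	if len(l.DHCPServers) > 0 && !anyIP(l.DHCPServers, p.DHCPServer) {
		return false
	}
	return true
}

func anySubnet(nets []*net.IPNet, ip net.IP) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

func anyIP(ips []net.IP, ip net.IP) bool {
	for _, c := range ips {
		if c.Equal(ip) {
			return true
		}
	}
	return false
}

// ResolveLocation picks the first location whose criteria all match. When
// nothing matches, the endpoint is somewhere the administrator did not
// describe, so the fallback (the strictest policy) is applied.
func ResolveLocation(locs []Location, p NetParams, fallback FirewallPolicy) (string, FirewallPolicy) {
	for _, l := range locs {
		if l.Matches(p) {
			return l.Name, l.Policy
		}
	}
	return "Unknown", fallback
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

func main() {
	corp := Location{
		Name:        "Corporate LAN",
		Subnets:     []*net.IPNet{mustCIDR("10.20.0.0/16")},
		Gateways:    []net.IP{net.ParseIP("10.20.0.1")},
		DHCPServers: []net.IP{net.ParseIP("10.20.0.5")},
		Policy:      FirewallPolicy{Name: "corp-open", OpenPorts: []int{139, 445, 631}},
	}
	internet := FirewallPolicy{Name: "internet-stateful", StatefulOnly: true}

	// Constructed observations: on the corporate LAN, at a café, and on a
	// foreign network that happens to reuse the corporate address range.
	samples := []NetParams{
		{net.ParseIP("10.20.14.7"), net.ParseIP("10.20.0.1"), net.ParseIP("10.20.0.5")},
		{net.ParseIP("192.168.1.23"), net.ParseIP("192.168.1.1"), net.ParseIP("192.168.1.1")},
		{net.ParseIP("10.20.14.7"), net.ParseIP("192.168.1.1"), net.ParseIP("192.168.1.1")},
	}
	for _, s := range samples {
		name, pol := ResolveLocation([]Location{corp}, s, internet)
		fmt.Printf("%-14s gw %-14s -> %-14s policy %s (stateful-only=%v)\n",
			s.IP, s.Gateway, name, pol.Name, pol.StatefulOnly)
	}
}
```

The third sample is the reason every filled-in criterion must match: an address that merely falls inside the corporate range is not evidence of being on the corporate LAN, and the cheap way to stay safe is to require the gateway and DHCP server to agree as well, then default to the Internet policy whenever they do not.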
The world has changed, and while the old-style security measures like perimeter firewalls and perimeter anti-virus are still important, they are no longer enough by themselves. To protect your assets in a mobile world, you need to provide real-time security enforcement directly on these mobile devices. There’s simply nowhere else to do it! While this enforcement must be distributed, it is important that security settings be controlled and defined centrally. Otherwise, you can’t even claim to have a security policy; you just have some good intentions and some misused security tools.
ZENworks Endpoint Security Management was designed to solve these precise issues. Security administrators can sit down at the console and say “Our corporate policy is that users MUST do this,” and that policy is securely distributed to all the end users and actively enforced. It doesn’t matter whether the issue is with packet flows across the network, with securing wireless, with controlling removable media, or with encrypting sensitive data. This product brings all these issues under the control of the administrator within a single, unified management and reporting framework.