Novell Sanctuary Suite: the best PC-side I/O and application (AP) management solution. 采易資訊系統股份有限公司. Taipei: 02-89838222; Taichung: 04-22536536; Dongguan: 0769-22319776
The Device Control Problem (slide images: a thumb drive, sushi)
Weighing convenience against security. A cute little gadget, or a multi-function USB drive? A storage device for 2,500 songs, or a large-capacity disk for copying the database? Intelligent Device Management.
Information leakage is a primary issue in today's enterprise: loss, theft, regulatory non-compliance. Kazaa and Napster can flood networks with non-business traffic and can expose the enterprise to new security vulnerabilities. Removable devices are a new path for malware, and removable media are often used to transfer data in and out of the network. Music and image files have a tremendous impact on storage and network bandwidth.
Do you know what data your users have copied? Music files, or a lightweight data-storage device?
PC-side security solution 1: Novell Sanctuary Suite. News: next year the government will focus on controlling USB drives in units handling sensitive data. Competitive advantage: the only management tool on the market that controls both computer peripheral access and application (AP) execution. Application control in particular matters for security, above all against the risk brought by unknown attacks, Trojans, viruses, worms and similar programs. For promotions, see the website of 采易資訊系統股份有限公司: HTTP://WWW.COLORLIFE.COM.TW
Zero-day attacks
Today's Hot Topic: IT Security Threats. Percentage of firms that rated the following as one of the top threats to their organizations. Base: 149 technology decision-makers at North American SMBs and enterprises (multiple responses accepted). Natalie Lambert, Analyst, January 31, 2006.
Today's Countermeasures at a Glance. Risk diagram: applications are split into malicious software (known viruses, worms, Trojans and spyware; unknown viruses, worms, Trojans and spyware), authenticated software (the operating system, commercial software) and unauthenticated software (games, file-sharing tools, unauthorized software). Considering the 15-year-old blacklist approach, only known malware is denied (by applying a signature to known malware only). This exposes organizations to high risk while they wait for virus-definition updates (2 to 4 days) or operating-system patches from vendors (8 to 15 days) once a security breach is discovered, not to mention the tests required when applying OS patches to machines running critical business applications. The old ways are resource-intensive.
Why Sanctuary™?
Novell Sanctuary: manage peripheral devices, control access rights, manage more external devices. Ports and buses: USB, LPT, FireWire, Bluetooth, WiFi, IrDA, PCMCIA, COM, IDE, S-ATA, desktop. Devices: thumb drives, USB printers, ZIP disks, smart-card readers, PDAs, scanners, tape drives, CD/DVD players/burners, hard disks, digital cameras, floppy drives, wireless network cards, Bluetooth devices, modems.
How to start? Policy in 4 steps: Discover, Develop, Enforce, Audit. (Diagram: users, devices and applications, governed by an acceptable-use policy.) The challenge begins with understanding the users and the systems they will be using; knowledge is power. Next comes understanding the applications they will need (in addition to those they may WANT), and the devices, including memory sticks, iPods and portable hard drives, that can be attached to their PCs. It culminates in the enterprise's policy governing their use. An unenforceable policy is worse than no policy: it points out weaknesses in the enterprise's defenses without recourse. Policy is important in establishing what the enterprise considers acceptable from a productivity and a risk perspective. Many of today's new removable media and new P2P applications are beneficial, as long as they are used in ways that pose minimal risk and challenge to the IT infrastructure and its resources.
Managed Device Access Control. Diagram: accounting, sales, network management and support; departmental users, external users, individual users, group users. Users access peripherals, devices and media according to the rights they have been granted (R/W). What are users' and user groups' needs in terms of device / media access rights to perform their allowed tasks? Active Directory. Steps: 0. Identify devices and peripheral media; 1.1 default device classes; 1.2 define device types / brands; 1.3 add specified peripheral devices; 2. assign access authorization attributes. Device class list: scanners (biometrics), PDAs, CD/DVD ROMs, removable devices. Peripheral device list: BlackBerry 7290 series, USB DISK Pro, MP3 devices, PalmOne Treo 650. Classification complete: CD/DVD, ZIP access. 0. Identify devices: all the different devices (standard, and even specific to your organization); also identify the CD/DVD ROMs that are useful for specific users or user groups. 1. Device classification: devices are automatically assigned to predefined device classes. 2. Define new specific devices: define a specific device by type or brand. Encryption option: the ability to authorize any removable medium to any user (and not to a user group) and then encrypt the data on the removable medium. 3. Assign rights and attributes to users and/or groups, according to classes or specific devices.
Managed Device Access Control. Flow diagram: the user issues a device access request; the OS kernel request is checked against the device class list and listed devices (device classes, encrypted devices, user-defined devices). Known device? Yes: check the configured rules (user account, group account, authorized device); authenticate; device access OK; log. Same principle as for Sanctuary Application Control. Lists are cached locally on the user's machine. Whenever a user wants to access a device, the OS request at the kernel level is intercepted by the Sanctuary Device Control driver. If the device is a known device (listed in the device class list), the driver checks the user's rights in the ACL. In this case the user has the rights to access his device, for instance a CD burner drive. The rights can be set per attribute, such as Read and Write. Access Control List (ACL). Shadowing option.
Managed Device Access Control. Flow diagram (user-defined device type): the user issues a device access request; the OS kernel request is checked against the device class list and listed devices. Known device? No: device access denied. Yes: check the configured rules (user account, group account, authorized device, access details such as temporary, scheduled, read/write). No authorization: denied. Yes: authenticate, with the file shadowing (copy) option. If the user does not have any rights on the device, he is sent a message saying he does not have access (with the option to show the message, or even to hide the drive icons from the list of drives on his machine). If the device is not even recognized, its use is denied in any case. Sanctuary Device Control is flexible enough to allow specific devices down to a specific brand / model, so that you can define standard corporate devices and deny all others (even if they belong to the same device class). Access Control List (ACL).
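The decision flow on the two slides above, as an added example written for this page (it is not Sanctuary's own code): a request intercepted at the kernel is checked against the locally cached device class list, then against an ACL keyed by user or group with read/write attributes and an optional validity window for temporary or scheduled rights; anything not explicitly authorized is denied, and every decision is logged. All device names, users, groups and dates are constructed sample data.

```python
"""Added model of a device-control decision (not Sanctuary code).
Known-device check, then an ACL keyed by user or group with read/write
attributes and a validity window; unknown or unauthorized requests are
denied ("default deny") and every decision is appended to an audit log.
Timestamps are ISO "YYYY-MM-DD" strings, which compare correctly as text."""
from dataclasses import dataclass
from typing import List, Optional

# Cached device class list (constructed): a listed device, either a whole
# class or a specific brand/model, maps to its class. Unlisted = unknown.
DEVICE_CLASSES = {
    "CD/DVD burner": "CD/DVD",
    "USB DISK Pro": "Removable",
    "PalmOne Treo 650": "PDA",
}

@dataclass
class AclEntry:
    principal: str                  # user name, or "group:<name>"
    target: str                     # device class or specific listed device
    rights: frozenset               # subset of {"read", "write"}
    valid_from: Optional[str] = None   # temporary / scheduled rights
    valid_until: Optional[str] = None

AUDIT_LOG = []   # (user, device, operation, decision)

def decide(user: str, groups: List[str], device: str, operation: str,
           at: str, acl: List[AclEntry], classes=DEVICE_CLASSES) -> bool:
    """Return True only when an ACL entry explicitly grants the operation."""
    device_class = classes.get(device)
    if device_class is None:                       # not a known device
        AUDIT_LOG.append((user, device, operation, "DENY: unknown device"))
        return False
    principals = {user} | {f"group:{g}" for g in groups}
    for entry in acl:
        if entry.principal not in principals:
            continue
        if entry.target not in (device, device_class):
            continue
        if entry.valid_from and at < entry.valid_from:
            continue
        if entry.valid_until and at > entry.valid_until:
            continue
        if operation in entry.rights:
            AUDIT_LOG.append((user, device, operation, "ALLOW"))
            return True
    AUDIT_LOG.append((user, device, operation, "DENY: no authorization"))
    return False

# Constructed ACL: accounting may read and write any CD/DVD device; sales may
# only read the corporate-standard USB stick, and only until the end of 2006.
SAMPLE_ACL = [
    AclEntry("group:accounting", "CD/DVD", frozenset({"read", "write"})),
    AclEntry("group:sales", "USB DISK Pro", frozenset({"read"}),
             valid_until="2006-12-31"),
]
```

Because the sales entry names a specific model rather than the Removable class, a different USB stick of the same class is denied, which is the "standard corporate devices only" configuration the slide describes.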
Novell Sanctuary Console: intuitive management interface; Chinese warning messages customizable per PC or per user; real-time status reporting; flexible rights control, with different rights for always / online / offline.
Sanctuary Agent Client
Stops Malware COLD! Not only peripheral devices pose security problems; applications do too. Diagram: applications split into malicious software (known viruses, worms, Trojans and spyware; unknown viruses, worms, Trojans and spyware), authenticated software (the operating system, commercial software) and unauthenticated software (games, file-sharing tools, pirated software). Current approaches attempt to barricade all the bad things and their potential entry points: anti-virus software, which is a mis-positioned clean-up tool; personal firewalls (PFWs), which focus on network access behaviours and restrict connectivity; IDS/IPS, which attempt to detect "unusual" application behaviours. All of the above react to symptoms rather than stopping problems at their source (the classical Detect, React, Restore approach is resource- and time-consuming for organizations). Sanctuary, using "Default Deny" logic, allows organizations to be secure from day zero, make gains on problem areas with current resources, take on regulatory issues without added resources, and manage devices and applications without additional administrative infrastructure. Sanctuary is a non-disruptive, transparent solution: prevention rather than detection. It lets organizations take their time to evaluate, test, deploy, update and patch, which means peace of mind for the CIO/CSO. It guarantees availability: organizations keep their way of doing business and reduce the risk of disruption to a minimum. It matches the new needs for flexibility and the logical shape of organizations: the world is your perimeter. Sanctuary gives you the ability to set your trusted environment for both devices and applications, using the simple principle of default deny: unless explicitly authorized by an administrator, absolutely NO device can be plugged in or used, and NO application or code (including malware) can be loaded into the endpoint's memory and executed. Rather than taking a negative approach to security, Sanctuary presumes that you know what is allowed in your environment (executables and devices) and how they may be used.
It takes care of the rest for you. From identifying resources to developing a policy, Sanctuary's position is to provide a comprehensive, "positive" security solution and all the means to develop, deploy, administer and manage your environment. SecureWave takes a positive, practical approach to resolving never-ending issues. The positive model versus blacklists: provides complete protection from day zero; knows the good/authorized and denies all else; is extremely easy to deploy and administer; enables enterprises to take advantage of new technology without compromising security; employs sound security principles based on the concept of least privilege. Sanctuary solutions are designed to provide a secure, stable working environment that is free from the latest malware threats and from the burdens of unapproved personal software (new threat vectors and vulnerabilities, system and network overhead, destabilization); that prevents problems at their root rather than reacting to the symptoms; that enables the safe use of new technologies rather than fighting them; that is "future-proof", not made obsolete by the newest threat or technology; and that acts as an enabler for new technologies and working habits. KNOW what, when, by whom and how software executables and devices are used, enterprise-wide, and who is attempting to violate or abuse the corporate security policy. ENABLE users to operate anywhere without fear of disruption, business units to establish and enforce flexible security policies, and enterprises to turn patch deployment into routine maintenance. PREVENT all malware threats including spyware, the introduction of unwanted and rogue applications, and the use of uncontrolled devices leading to sensitive data leakage.
Endpoint Scenarios: Unknown Malware Threats. Diagram: keyloggers, spyware, worms, viruses, bots and Trojans (unknown malware, malicious code) pass the traditional protection mechanisms (AV, AS, PFW) and reach the IT equipment.
Endpoint Scenarios: Unauthorized Software. Diagram: Kazaa, Yahoo IM, E-Donkey, World of Warcraft, Trillian, AOL IM and Napster (unidentified programs) pass the traditional protection mechanisms (AV, AS, PFW) and reach the IT equipment.
The old approach: blacklists. How blacklists work (for example anti-virus software): attempt to detect and react to suspicious behaviours; "seek and destroy" malware; block or stonewall communication ports; use of GPOs, which cannot stop malware. Why blacklists fail: they cannot stop zero-day attacks; they cannot detect the unknown; they require constant updates; behaviour models produce false positives.
The Novell Sanctuary Suite approach: whitelists. The Sanctuary whitelist approach stops spyware cold; needs no scanning or blacklist signatures; defends data against theft; only trusted applications are authorized to run; only trusted devices are authorized for use; everything is "guilty until proven innocent" (everything is assumed to be a problem until proven safe).
Authenticated Execution: Trusted Code Execution. Diagram: the user requests that a program run; the kernel computes the program's digital signature with the SHA-1 algorithm and compares it against the signature database (the list of locally authorized file signatures: 0x7ddf86e8a4672a420760b8809a1c, 0xcbac13bb07f7dd0e10e93f4b63de9, 0xd535561209f0199f63b72c2ebc13c, 0x20ee7cf645efeba7C81bd660fe307). The request hash 0x20ee7cf645efeba7C81bd660fe307 matches, the program is authenticated and runs (OK). A second request, 0x4969b6ca2e9651565c75338bcbb1, has no matching signature and is logged. The signature verification occurs every time the operating system has determined that the file the end user has attempted to launch is an executable. When the file has been loaded into memory, Sanctuary Custom Edition freezes the execution and calculates the SHA-1 hash of the entire binary file. SHA-1 has been measured at over 30 MB/s on a typical desktop computer and does not interfere with overall performance. Sanctuary Custom Edition, unlike AV, does not interfere with disk reads and writes, as it does not monitor the file system. Once the SHA-1 hash has been generated it is compared with the list of approved ones. The comparison occurs locally and takes less than 1 ms. Performance aspect: fully transparent (1 ms). This is why Citrix has partnered with SecureWave (Premier Partner): even on servers with thousands of users, SecureWave solutions do not cause any performance or overload problem. Exhaustiveness check: Sanctuary Custom Edition checks ALL executables, from DLLs to screen savers, control panel applets, system services and drivers. You can define whether you want to log all executable files that have been launched or only the authorized ones (to make statistics and/or control license usage).
A hash is a short string of bits generated from some source data by some algorithm, implemented in a hash function. A well-designed hash function is as collision-free as possible (a hash collision occurs when two different inputs produce the same hash). Such a hash can be used as a fingerprint of the hashed data. A secure hash function is a one-way function, in that it is computationally hard to find specific input data that will result in a given hash. Ideally, "computationally hard" means that the only way is to try different inputs until one happens to produce the desired hash (exhaustive search). In the case of SecureEXE, an attacker wanting to disguise a malicious program as an allowed one would have to alter his program in such a way that it produces, when hashed, the same fingerprint as an allowed program, while maintaining its ability to gain something for the attacker.
Authenticated Execution: Default Deny. Diagram: the same flow, but the signature database holds 0x7ddf86e8a4672a420760b8809a1c, 0xcbac13bb07f7dd0e10e93f4b63de9, 0xd535561209f0199f63b72c2ebc13c and 0x4e4f36b5b2cf0c9ec85372ff8a7548. The request hash 0x20ee7cf645efeba7C81bd660fe307 is not in the verified-signature database (Not OK), so program access is denied and the attempt is logged.
Application Control Client
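The authenticated-execution check described on the three slides above, as an added example written for this page (it is not Sanctuary or SecureEXE code): the entire binary image is hashed, the digest is looked up in a locally cached list of approved signatures, an unmatched digest is denied and logged, and a single-byte change to an approved file is shown to produce a different digest. The product used SHA-1; the algorithm is a parameter here because SHA-1 is no longer considered collision-resistant, so a current deployment would use SHA-256. The sample binaries and the allowlist are constructed inline.

```python
"""Added model of hash-based authenticated execution (not Sanctuary code).
Hash the whole binary, compare against a cached allowlist, deny anything
without a match ("default deny"), and log according to the logging option."""
import hashlib
from typing import Dict, Iterable, List, Tuple

# Constructed stand-ins for executable images on the endpoint.
APPROVED_BINARY = b"MZ\x90\x00" + b"approved corporate application image" * 4
UNKNOWN_BINARY = b"MZ\x90\x00" + b"unknown binary copied from a USB stick" * 4

def file_hash(data: bytes, algorithm: str = "sha1") -> str:
    """Digest of the entire binary image, computed before execution."""
    return hashlib.new(algorithm, data).hexdigest()

def build_allowlist(approved: Iterable[Tuple[str, bytes]],
                    algorithm: str = "sha1") -> Dict[str, str]:
    """Console-side step: hash every authorized file into digest -> name."""
    return {file_hash(image, algorithm): name for name, image in approved}

AUDIT_LOG: List[Tuple[str, str, str]] = []   # (decision, file name, digest)

def authorize_execution(name: str, image: bytes, allowlist: Dict[str, str],
                        algorithm: str = "sha1", log_all: bool = True) -> bool:
    """Endpoint-side step: allow only if the digest is in the cached list."""
    digest = file_hash(image, algorithm)
    if digest in allowlist:
        if log_all:                      # option: log authorized launches too
            AUDIT_LOG.append(("ALLOW", name, digest))
        return True
    AUDIT_LOG.append(("DENY", name, digest))  # denials are always logged
    return False

def tampered_copy_is_denied(allowlist: Dict[str, str],
                            algorithm: str = "sha1") -> bool:
    """Flip one bit of an approved image: the digest changes, so the copy is
    denied even though its file name is unchanged (the file name is never
    part of the decision, only the digest is)."""
    tampered = bytearray(APPROVED_BINARY)
    tampered[-1] ^= 0x01
    return not authorize_execution("app.exe", bytes(tampered),
                                   allowlist, algorithm)

ALLOWLIST = build_allowlist([("app.exe", APPROVED_BINARY)])

if __name__ == "__main__":
    print(authorize_execution("app.exe", APPROVED_BINARY, ALLOWLIST))   # True
    print(authorize_execution("tool.exe", UNKNOWN_BINARY, ALLOWLIST))   # False
    print(tampered_copy_is_denied(ALLOWLIST))                           # True
    for entry in AUDIT_LOG:
        print(*entry)
```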
Novell Sanctuary Report
Technical support services: 采易資訊系統(股)公司, HTTP://WWW.COLORLIFE.COM.TW. Taichung: 04-22536536; Taipei: 02-893838222; Dongguan: 0769-22319776