Integrated Endpoint Security Management in Novell ZENworks 11 Configuration Management

Integrated Endpoint Security Management
in Novell ZENworks 11 Configuration Management
® ®

David Ferre
Senior Product Manager
Novell/DFerre@novell.com

Presentation Contents

• Background

• Features and Functionality

• Integration Into ZENworks Control Center (ZCC)
®

• Question and Answer

2 © Novell, Inc. All rights reserved.

Today’s Computing Environment
• The workforce has become mobile
– At the enterprise level, laptops have
surpassed desktop deployments
– Wireless NICs are standard on new
PCs and wireless networks have
proliferated
– Mobility increases productivity and
agility • What is the key requirement to
enable mobility?
– Remote access to data, which
can be either locally stored or
accessed via the Internet

• A Polar Relationship
– Increased agility and productivity requires
moving data to the endpoint or providing
remote access to the data, which
increases risks and their associated costs.

Novell ZENworks Endpoint Security Management:
® ®

Features and Functionality

Complete Endpoint Security


Driver Level Protection
1. File system driver
> Can block the execution of any file
> Non-intrusive approach to handling storage without affecting other
functionality
2. Storage filter driver
> Handle anything that enumerates with a file system
> Read-only or disable
3. Mini-filter driver
> Encryption
> Access all I/O events on system
4. TDI filter driver
> Block network access from any application
> Replacing with WFP (Windows Filtering Platform)
5. NDIS layer firewall and Wireless driver
> Stateful and session based
> Handle network traffic before it is allowed to the OS
> NDIS 5.1 for XP, NDIS 6.0 for Windows Vista/7

Location Aware Enforcement
Location-Aware – Always. Everywhere.

• Automatically adjusts controls and • Ideal for removable storage and USB device
protection according to the control, complete network control including
device’s location firewall rules, wireless controls, and VPN
• No user interaction required enforcement


Novell ZENworks Endpoint Security Management:
® ®

Integration Into ZENworks Control Center

Overview of New Functionality

• Location awareness for other Novell ZENworks
® ®

products

• Multiple policies and session based assignment

• Conflict resolution

• Overview of each feature


Locations and Network Environments

• Network environments can be defined and associated with a
location
• Locations used for policy application


Location Wizard
Step 1


Location Wizard
Step 2

• Wizard for location creation allows network environment to be
defined
• Network environment: create, assign existing, or none


Location Wizard
Step 3

• Wizard for location creation allows network environment to be
defined
• Network environment: create, assign existing, or none


Location Wizard
Step 4
• IP address of gateway, DNS, DHCP, and WINS
• MAC address of gateway, DHCP, and WINS
• Dial-up connection or adapter name
• Access point SSID
• Client’s host IP address or DNS suffix


Novell ZENworks Endpoint Security Management
® ®

(ZESM) Policies
1. Application Control
2. Communications Hardware Control
3. Encryption
4. Firewall
5. Location Assignment
6. Security Settings
7. Storage Device Control
8. USB Connectivity
9. VPN Enforcement
10. Wireless Control

® ®

Policy Assignment

• Assign policies to users, devices, or add to group
– Some policies assignable only to devices (eg. Data encryption)
• Assign “default” policies for entire Enterprise


® ®

Policy Conflict Device vs. User

• Device Only: Applies only the policies associated to the device and ignore the
policies associated to the user. This is the default value.
• User Only: Applies only the policies associated to the user and ignores the policies
associated to the device.
• User Last: Not supported by ZESM.
• Device Last: Not supported by ZESM.

NOTE: The Policy Conflict Resolution setting is taken from the device-associated policy with the highest precedence.


Novell ZENworks Endpoint Security ManagementPolicy
® ®

Assignment and Session Application Handling

Policy Assignment Session Application
User assignment takes
precedent over user group
assignment (more specific) Note: During “Session Application” the assigned policies may
be carried over from “Device”, “Enterprise”, or “Resource”
User Only assignment policies. If the policy is device only, the policy
would be carried over into the “session” application phase.
When these are carried over, the same precedence for
location over global and most restrictive are still applicable
User Group Folder

Policy

Location takes
precedent over
global
Note: some settings will
Device have “Apply Global
Only Device Group Folder
Settings” as an option in
the policy’s enforcement
Location
Location Globally
Globally
At time of device assigned
assigned assigned
assigned
assignment, you select policy
policy policy
policy
“user only” or “device only” settings
settings settings
settings Apply most restrictive
to handle conflicts between rule first
user and device
assignments

More Less
restrictive – restrictive –
block/disabl allow/enable
e


® ®

Policy Application
Pre-Login (Root Policy) Session Application (Session Policy)

Session application based on:
1.) Normal login (include SmartCard integration)
2.) Right click Zicon and select “Log In”
Start 3.) Command line based log in (development only)

Apply Enterprise Policy 1 Apply “Enterprise” policy

If there are no “Device” or “Enterprise” policies per
Apply Resource Policy (No Policy Published) 2 policyette, apply “Resource” policy (no enforcement)
I
IInitial Installation

Update Session Policy
During “Post Desktop”, apply any policies per
policyette that are assigned and leave “Enterprise” 3 (Post desktop, if different than current boot policy)
policy enforcement if no policyette assigned to
“User” (Overrides other policies from “Boot Policy”)

4 Log Out At the time of “log out”, agent will return to policy
enforced from “Boot Policy” and will not “Unpublish”
Post Desktop
If(sessionPolicy)
Override Boot Policy
Else
Apply Boot Policy and NOT mark this as “session policy”
Logout

Don’t “unpublish” policies, but rather apply Boot Policy and NOT mark
this as “session policy”


® ®

Policy Application Sequence

Start Location Global Policy Application Order:
1.) Session/Location
2.) Session/Global
Session A
Policy Session Policy 1 2 3.) Enterprise/Location
4.) Enterprise/Global
5.) Resource/Location
B 6.) Resource/Global
Enterprise Policy 3 4
Boot
Policy
C
Resource Policy 5 6


Create New Policy Wizard


Create New Policy Wizard
(cont.)


Application Control

• Policy summary: Block the execution or network access
of known applications by file name
• Location based: Global and location (identical)
• Conflict resolution: Cumulative (merge policies)
– Merge/Conflict Rules:
> Most restrictive:
» Block execution
» Block network
» Allow


Application Control
(cont.)


Communications Hardware Control

• Policy summary: Enable and disable communications
devices and adapters
• Location based: Global and location
• Conflict Resolution: Cumulative (merge policies)
> Most restrictive
» Disable All Access
» Disable when wired
» Allow All Access
» Apply Global Settings (user, device, enterprise, resource)


(cont.)


Encryption

• Policy summary: File based encryption for folders on
fixed disk and removable storage
• Location based: Global only (and device based only)
> Merge safe harbor locations and key lists
> If encryption applied in policy, do not remove and decrypt on policy changes
unless it is the policy that was published with encryption
> Passwords for decryption need to be merged
> Require strong password versus no strong password, the require strong
password requirement is most restrictive and wins (is enforced)
> If two policies conflict when RSD is encrypted and another is not, the
encryption wins (RSD would be encrypted)


Encryption
(cont.)


Encryption Key Management


Firewall
• Policy summary: Stateful firewall • Order of application:
operating at driver level – Default behavior – open, stateful,
• Location based: Global and location closed
• Conflict Resolution: Cumulative (merge > Port Rules
policies) » Open
– Enforced as singular per location » Stateful
– Merge/Conflict Rules: » Closed
> Layer 2 ACL trumps layer 3 ACL – ACLs
> ACL trumps port rule > No Port Rules
> Most restrictive ACL or port rule > Port Rules
wins against same rule type (ACL
and ACL/port and port) – nACLs
> Port Rules
> No Port Rules


Firewall
(cont.)


Location Assignment

• Policy summary: used to control locations that are
applicable to user/device and thus assigned security
policies
• Location based: Global only
> Allow Manual Change – most restrictive is “don’t allow manual change”, so if
there is a conflict then “don’t allow manual change”
> Show Location in Agent List – most restrictive is to “not show in list”, so if
there is a conflict then “don’t show in agent list”
> Display message – show all messages if multiple exist


Location Assignment
(cont.)


Security Settings

• Policy summary: security settings for Novell ZENworks ® ®

Endpoint Security Management (ZESM) agent
• Location based: Global only
• Conflict resolution: Cumulative (merge policies)
> Uninstall Password – allow multi-value
> Password Override – allow multi-value
> Enable client self defense – “enabled” is most restrictive and should be used
if set. Change to drop down box, “enabled”, disabled”, or “no change”


Security Settings
(cont.)


Storage Device Control

• Policy summary: control storage devices (disable/read-
only)
> Disable AutoPlay is most restrictive, then disable AutoRun, then enable, then
apply global
> Disable is most restrictive, then read-only, then allow, apply global


Storage Device Control
(cont.)


USB Connectivity

• Policy summary: control all USB devices (not just
storage)
> Apply global on 2 “General Settings”
> Apply default on 4 “Device Group Access Settings”
> Disable USB devices is most restrictive and wins
> Merge with most restrictive on USB Device Access Settings and also have a
checkbox for “merge global”


USB Connectivity
(cont.)


USB Connectivity
Preferred Devices

General Control:
1.USB Devices: “Allow All Access” or "Disable All Access“. This is an overall USB
handling.
2.Default Device Access: “Allow All Access” or "Disable All Access“. This is how
devices are handled that are not specified by the device group access or
advanced settings
3.Device Group Access: a.) Human Interface Device (HID), b.) Mass Storage
Class, c.) Printing Class, and d.) Scanning/Imaging (PTP). Settings
4.Advanced settings: a.) “Default Device Access”, b.) “Always Allow“, c.) “Always
Block“, d.) "Allow“, or e.) "Block"


USB Connectivity
Preferred Devices (cont.)

• Device Specific Control:
1.Manufacturer
2.Product
3.Friendly Name
4.Serial Number
5.USB Version – 4 hex chars, 0 to FFFF http://www.linux-usb.org/usb.ids (current
legal values 100, 110, 200, version in Binary Coded Decimal. 300 is currently
being worked on)
6.Device Class - 00h through FFh (first two chars hex and final always h)
http://www.usb.org/developers/defined_class
7.Device Sub-Class - 00h through FFh (first two chars hex and final always h)
http://www.usb.org/developers/defined_class


USB Connectivity
Preferred Devices (cont.)

8.Device Protocol - 00h through FFh (first two chars hex and final always h) http://
www.usb.org/developers/defined_class
9.Vendor ID - 4 hex chars http://www.linux-usb.org/usb.ids
10.Product ID - 4 hex chars http://www.linux-usb.org/usb.ids
11.BCD Device - 4 hex chars, 0 to FFFF, http://www.linux-usb.org/usb.ids (device
version according for vendor ID and product ID in Binary Coded Decimal)
12.OS Device ID - OS dependent (Windows - string starting with on of the well known
device groups on window USB, USBStor.... sometimes referred to as the PNP id.)
13.OS Device Class - OS dependent ( Windows - GUID in brace form, used to group
devices in device manager)
14.Comment


® ®

Device versus Storage Control

How Windows Enumerates Devices
“Disable All Access” for USB
Bus Type Devices works at this level,
disabling the bus itself

USB connectivity works at
Device Type this level for USB type
devices (eg. Windows Device
Manager)

Printer Storage Keyboard Mouse

Storage Device Control works at
Volume
this level


Device Scanner Tool


VPN Enforcement

• Policy summary: ensure all communications are
encrypted when device is remote/mobile
• Conflict Resolution: Singular
> Singular only – ZENworks Control Center (ZCC) only hands most recent
®

assigned
> Closest wins and then ordering for policies


VPN Enforcement
(cont.)

• Required components/configuration for VPN
enforcement
– Trigger location: typically use Unknown location
> Stateful firewall to allow communication for authentication, etc.
– Switch to location: create one called VPN location
> All closed fw with single ACL to VPN concentrator
> No network environment for location
> When Internet access verified, will change to this location and lock down
– Launch
> Can launch to a link for SSL VPN or launch a file for traditional VPN like
Cisco, or can deliver a message


VPN Enforcement
(cont.)


Wireless Control

• Policy summary: control Wi-Fi access to SSID,
minimum security levels, etc.
> Disable ad hoc - most restrictive
> Block Wi-Fi - most restrictive
®

> Disable Wi-Fi transmissions – most restrictive
> Merge APs – for managed, take the latest for conflict of key on same index
(date modified first then version of the policy second)
> Minimum wireless security – most restrictive

•


Wireless Control
(cont.)


Enterprise Policy Settings

• “Configuration” link, “Configuration” tab, “Management
Zone Settings” snapshot, “Endpoint Security
Management”, “Enterprise Policy Settings”


® ®

Agent Deployment

• “Configuration” link, “Configuration” tab, “Management
Zone Settings” snapshot, “Device Management”,
“ZENworks Agent” (install, enable/disable, and reboot)
®


Override Password Generator


Licensing/Solution Activation

• “Configuration” link, “Configuration” tab, “Licenses”
snapshot, “Novell ZENworks Endpoint Security
® ®

Management” link


Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc.
Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope
of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified,
translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc.
Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a
product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in
making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents
of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any
particular purpose. The development, release, and timing of features or functionality described for Novell products
remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to
make changes to its content, at any time, without obligation to notify any person or entity of such revisions or
changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc.
in the United States and other countries. All third-party trademarks are the property of their respective owners.

Integrated Endpoint Security Management in Novell ZENworks 11 Configuration Management

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (18)

Ähnlich wie Integrated Endpoint Security Management in Novell ZENworks 11 Configuration Management

Ähnlich wie Integrated Endpoint Security Management in Novell ZENworks 11 Configuration Management (20)

Mehr von Novell

Mehr von Novell (20)

Integrated Endpoint Security Management in Novell ZENworks 11 Configuration Management