integrated endpoint security management in novell zenworks 11 configuration management

Post on 21-May-2015


DESCRIPTION

In this session we'll preview the upcoming release of Novell ZENworks Endpoint Security Management—which has been integrated into the Novell ZENworks Control Center. This means that administrators will be able to deploy the security agent and define security policies from the same console used for configuration, asset and patch management. These security policies are then assigned to users or devices and adjustable by location. Policies include data encryption, storage control, USB control, communications hardware controls, application control, host-based firewall, wireless controls and VPN enforcement.

TRANSCRIPT

Integrated Endpoint Security Management in Novell® ZENworks® 11 Configuration Management

David Ferre, Senior Product Manager, Novell

DFerre@novell.com

© Novell, Inc. All rights reserved.2

Presentation Contents

• Background

• Features and Functionality

• Integration Into ZENworks® Control Center (ZCC)

• Question and Answer

Background


Today’s Computing Environment

• The workforce has become mobile

– At the enterprise level, laptops have surpassed desktop deployments

– Wireless NICs are standard on new PCs and wireless networks have proliferated

– Mobility increases productivity and agility

• What is the key requirement to enable mobility?

– Remote access to data, which can be either locally stored or accessed via the Internet

• A Polar Relationship

– Increased agility and productivity require moving data to the endpoint or providing remote access to the data, which increases risks and their associated costs.

Novell® ZENworks® Endpoint Security Management: Features and Functionality


Complete Endpoint Security


Driver Level Protection

1. File system driver

> Can block the execution of any file

> Non-intrusive approach to handling storage without affecting other functionality

2. Storage filter driver

> Handle anything that enumerates with a file system

> Read-only or disable

3. Mini-filter driver

> Encryption

> Access all I/O events on system

4. TDI filter driver

> Block network access from any application

> Replacing with WFP (Windows Filtering Platform)

5. NDIS layer firewall and Wireless driver

> Stateful and session based

> Handle network traffic before it is allowed to the OS

> NDIS 5.1 for XP, NDIS 6.0 for Windows Vista/7


Location-Aware – Always. Everywhere.

• Automatically adjusts controls and protection according to the device’s location

• No user interaction required

• Ideal for removable storage and USB device control, complete network control including firewall rules, wireless controls, and VPN enforcement

Location Aware Enforcement

Novell® ZENworks® Endpoint Security Management: Integration Into ZENworks Control Center


Overview of New Functionality

• Location awareness for other Novell® ZENworks® products

• Multiple policies and session based assignment

• Conflict resolution

• Overview of each feature


Locations and Network Environments

• Network environments can be defined and associated with a location

• Locations used for policy application


Location Wizard: Step 1


Location Wizard: Step 2

• Wizard for location creation allows network environment to be defined

• Network environment: create, assign existing, or none


Location Wizard: Step 3

• Wizard for location creation allows network environment to be defined

• Network environment: create, assign existing, or none


Location Wizard: Step 4

• IP address of gateway, DNS, DHCP, and WINS

• MAC address of gateway, DHCP, and WINS

• Dial-up connection or adapter name

• Access point SSID

• Client’s host IP address or DNS suffix
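As an added example (not Novell's code), the following Python models how a network environment built from the Step 4 identifiers can be matched against what the agent observes to pick a location, falling back to an Unknown location of the kind the VPN Enforcement slides use as a trigger. The matching rule (every identifier class the environment defines must have an observed value in common), the first-match selection, and all names and sample values are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class NetworkEnvironment:
    """Identifiers the Location Wizard (Step 4) lets you define for a network."""
    name: str
    gateway_ips: Set[str] = field(default_factory=set)
    gateway_macs: Set[str] = field(default_factory=set)
    dns_servers: Set[str] = field(default_factory=set)
    dhcp_servers: Set[str] = field(default_factory=set)
    ssids: Set[str] = field(default_factory=set)
    dns_suffixes: Set[str] = field(default_factory=set)

    def matches(self, observed: Dict[str, Set[str]]) -> bool:
        """True when every identifier class this environment defines shares at
        least one value with what the client observed. Assumption: a class the
        environment leaves empty is simply not checked."""
        for attr in ("gateway_ips", "gateway_macs", "dns_servers",
                     "dhcp_servers", "ssids", "dns_suffixes"):
            wanted = getattr(self, attr)
            if wanted and not (wanted & observed.get(attr, set())):
                return False
        return True


def select_location(locations: Dict[str, List[NetworkEnvironment]],
                    observed: Dict[str, Set[str]], fallback: str = "Unknown") -> str:
    """Return the first location (Steps 2/3 assign environments to locations)
    with a matching environment, otherwise the fallback location."""
    for location, environments in locations.items():
        if any(env.matches(observed) for env in environments):
            return location
    return fallback


# Constructed sample data, not taken from the deck.
OFFICE_WIRED = NetworkEnvironment("hq-wired", gateway_ips={"10.0.0.1"},
                                  gateway_macs={"00:11:22:33:44:55"},
                                  dns_suffixes={"corp.example"})
OFFICE_WIFI = NetworkEnvironment("hq-wifi", ssids={"CorpWiFi"},
                                 dns_suffixes={"corp.example"})
LOCATIONS = {"Office": [OFFICE_WIRED, OFFICE_WIFI]}


def demo():
    """Same gateway IP, different gateway MAC: many home routers also use
    10.0.0.1, so the MAC identifier keeps the Office policies from applying."""
    at_desk = {"gateway_ips": {"10.0.0.1"}, "gateway_macs": {"00:11:22:33:44:55"},
               "dns_suffixes": {"corp.example"}}
    home_router = {"gateway_ips": {"10.0.0.1"}, "gateway_macs": {"de:ad:be:ef:00:01"},
                   "dns_suffixes": {"corp.example"}}
    return select_location(LOCATIONS, at_desk), select_location(LOCATIONS, home_router)
```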


Novell® ZENworks® Endpoint Security Management (ZESM) Policies

1. Application Control

2. Communications Hardware Control

3. Encryption

4. Firewall

5. Location Assignment

6. Security Settings

7. Storage Device Control

8. USB Connectivity

9. VPN Enforcement

10. Wireless Control


Novell® ZENworks® Endpoint Security Management Policy Assignment

• Assign policies to users, devices, or add to a group

– Some policies are assignable only to devices (e.g. Data encryption)

• Assign “default” policies for entire Enterprise


Novell® ZENworks® Endpoint Security Management Policy Conflict: Device vs. User

• Device Only: Applies only the policies associated to the device and ignores the policies associated to the user. This is the default value.

• User Only: Applies only the policies associated to the user and ignores the policies associated to the device.

• User Last: Not supported by ZESM.

• Device Last: Not supported by ZESM.

NOTE: The Policy Conflict Resolution setting is taken from the device-associated policy with the highest precedence.


Novell® ZENworks® Endpoint Security Management: Policy Assignment and Session Application Handling

[Diagram: on the left (Policy Assignment), policies assigned to User, User Group, Folder, Device, Device Group and Folder; on the right (Session Application), location assigned policy settings stacked above globally assigned policy settings]

Policy Assignment:

• At time of device assignment, you select “user only” or “device only” to handle conflicts between user and device assignments

• User assignment takes precedence over user group assignment (more specific)

Session Application:

• Location assigned policy settings take precedence over globally assigned policy settings (location over global)

• Apply most restrictive rule first: more restrictive – block/disable; less restrictive – allow/enable

Note: some settings will have “Apply Global Settings” as an option in the policy’s enforcement

Note: During “Session Application” the assigned policies may be carried over from “Device”, “Enterprise”, or “Resource” assignment policies. If the policy is device only, the policy would be carried over into the “session” application phase. When these are carried over, the same precedence for location over global and most restrictive are still applicable.


Novell® ZENworks® Endpoint Security Management Policy Application

[Flowchart: Pre-Login (Root Policy) on the left, Session Application (Session Policy) on the right]

Pre-Login (Root Policy):

Start: Initial Installation

1. Apply Enterprise Policy: apply the “Enterprise” policy

2. Apply Resource Policy (No Policy Published): if there are no “Device” or “Enterprise” policies per policyette, apply the “Resource” policy (no enforcement)

Session Application (Session Policy):

3. During “Post Desktop”, apply any policies per policyette that are assigned and leave “Enterprise” policy enforcement in place if no policyette is assigned to “User” (overrides other policies from “Boot Policy”)

4. Log Out: at the time of “log out”, the agent will return to the policy enforced from “Boot Policy” and will not “Unpublish”

Session application is based on:

1.) Normal login (includes SmartCard integration)

2.) Right click the Zicon and select “Log In”

3.) Command line based log in (development only)

Post Desktop: If (sessionPolicy) then override Boot Policy, else apply Boot Policy and do NOT mark this as “session policy”

Logout: don’t “unpublish” policies, but rather apply Boot Policy and do NOT mark this as “session policy”

Update Session Policy (post desktop, if different than the current boot policy)


Novell® ZENworks® Endpoint Security Management Policy Application Sequence

[Diagram: from Start, the Resource Policy, Enterprise Policy and Session Policy feed the Boot Policy and the Session Policy; steps are numbered 1 to 6 and stages lettered A to C]

Location/Global Policy Application Order:

1.) Session/Location

2.) Session/Global

3.) Enterprise/Location

4.) Enterprise/Global

5.) Resource/Location

6.) Resource/Global


Create New Policy Wizard


Create New Policy Wizard (cont.)


Application Control

• Policy summary: Block the execution or network access of known applications by file name

• Location based: Global and location (identical)

• Conflict resolution: Cumulative (merge policies)

– Merge/Conflict Rules:

> Most restrictive:

» Block execution

» Block network

» Allow


Application Control (cont.)


Communications Hardware Control

• Policy summary: Enable and disable communications devices and adapters

• Location based: Global and location

• Conflict Resolution: Cumulative (merge policies)

– Merge/Conflict Rules:

> Most restrictive

» Disable All Access

» Disable when wired

» Allow All Access

» Apply Global Settings (user, device, enterprise, resource)


Communications Hardware Control (cont.)


Encryption

• Policy summary: File based encryption for folders on fixed disk and removable storage

• Location based: Global only (and device based only)

• Conflict Resolution: Cumulative (merge policies)

– Merge/Conflict Rules:

> Merge safe harbor locations and key lists

> If encryption is applied in a policy, do not remove and decrypt on policy changes unless it is the policy that was published with encryption

> Passwords for decryption need to be merged

> Require strong password versus no strong password: the require strong password requirement is most restrictive and wins (is enforced)

> If two policies conflict where one has the RSD (removable storage device) encrypted and another does not, the encryption wins (the RSD would be encrypted)


Encryption (cont.)


Encryption Key Management


Firewall

• Policy summary: Stateful firewall operating at driver level

• Location based: Global and location

• Conflict Resolution: Cumulative (merge policies)

– Enforced as singular per location

– Merge/Conflict Rules:

> Layer 2 ACL trumps layer 3 ACL

> ACL trumps port rule

> Most restrictive ACL or port rule wins against the same rule type (ACL and ACL / port and port)

• Order of application:

– Default behavior – open, stateful, closed

> Port Rules

» Open

» Stateful

» Closed

– ACLs

> No Port Rules

> Port Rules

– nACLs

> Port Rules

> No Port Rules
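As an added example (not Novell's code), the Python below encodes the three Merge/Conflict Rules above for firewall rules that overlap on the same traffic: a layer 2 ACL beats a layer 3 ACL, any ACL beats a port rule, and between rules of the same type the more restrictive one wins. The restrictiveness orderings (closed before stateful before open for port rules, deny before allow for ACLs), exact-match targets, and the sample rules are assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Rule types in precedence order: layer 2 ACL > layer 3 ACL > port rule.
TYPE_PRECEDENCE = {"l2_acl": 0, "l3_acl": 1, "port": 2}

# Restrictiveness within a type; the lower rank wins a merge. Port rules use
# the deck's open/stateful/closed behaviours; ACL actions are assumed deny/allow.
ACTION_RANK = {"closed": 0, "deny": 0, "stateful": 1, "open": 2, "allow": 2}


@dataclass(frozen=True)
class FirewallRule:
    kind: str     # "l2_acl", "l3_acl" or "port"
    target: str   # MAC address, IP address, or port number (exact match here)
    action: str   # deny/allow for ACLs; open/stateful/closed for port rules
    source: str   # policy the rule came from, so a decision can be explained


def winning_rule(conflicting: List[FirewallRule]) -> FirewallRule:
    """The rule enforced when merged policies carry rules for the same traffic."""
    if not conflicting:
        raise ValueError("no rules to merge")
    return min(conflicting,
               key=lambda r: (TYPE_PRECEDENCE[r.kind], ACTION_RANK[r.action]))


def applicable(rules: List[FirewallRule], mac: str, ip: str, port: int) -> List[FirewallRule]:
    """Rules whose target matches the peer's MAC, IP, or the port in use."""
    return [r for r in rules if
            (r.kind == "l2_acl" and r.target.lower() == mac.lower()) or
            (r.kind == "l3_acl" and r.target == ip) or
            (r.kind == "port" and r.target == str(port))]


def decide(rules: List[FirewallRule], mac: str, ip: str, port: int,
           default: str = "closed") -> Tuple[str, str]:
    """Return (action, source) for traffic with the given peer; with no matching
    rule the location's default behavior applies."""
    hits = applicable(rules, mac, ip, port)
    if not hits:
        return default, "default behavior"
    winner = winning_rule(hits)
    return winner.action, winner.source


# Constructed sample rules from three merged policies (not from the deck).
RULES = [
    FirewallRule("port", "443", "open", "policy-A"),
    FirewallRule("port", "443", "stateful", "policy-B"),          # same type: stateful beats open
    FirewallRule("l3_acl", "192.0.2.10", "allow", "policy-A"),    # ACL beats the port rule
    FirewallRule("l2_acl", "00:11:22:33:44:55", "deny", "policy-C"),  # layer 2 beats layer 3
]
```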


Firewall (cont.)


Location Assignment

• Policy summary: used to control locations that are applicable to user/device and thus assigned security policies

• Location based: Global only

• Conflict Resolution: Cumulative (merge policies)

– Merge/Conflict Rules:

> Allow Manual Change – most restrictive is “don’t allow manual change”, so if there is a conflict then “don’t allow manual change”

> Show Location in Agent List – most restrictive is to “not show in list”, so if there is a conflict then “don’t show in agent list”

> Display message – show all messages if multiple exist


Location Assignment (cont.)


Security Settings

• Policy summary: security settings for Novell® ZENworks® Endpoint Security Management (ZESM) agent

• Location based: Global only

• Conflict resolution: Cumulative (merge policies)

– Merge/Conflict Rules:

> Uninstall Password – allow multi-value

> Password Override – allow multi-value

> Enable client self defense – “enabled” is most restrictive and should be used if set. Change to a drop-down box: “enabled”, “disabled”, or “no change”


Security Settings (cont.)


Storage Device Control

• Policy summary: control storage devices (disable/read-only)

• Location based: Global and location

• Conflict Resolution: Cumulative (merge policies)

– Merge/Conflict Rules:

> Disable AutoPlay is most restrictive, then disable AutoRun, then enable, then apply global

> Disable is most restrictive, then read-only, then allow, then apply global
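As an added example (not Novell's code), the following Python walks the six-step Location/Global Policy Application Order from the Policy Application Sequence slide and applies the "most restrictive wins" merge rule above to the Storage Device Control setting. Treating "apply global" as deferring to the next tier in the order, and "no policy published" as no enforcement, are assumptions, as are the names and sample assignments.

```python
from dataclasses import dataclass
from typing import List, Optional

# Location/Global policy application order from the deck, most specific first.
APPLICATION_ORDER = [("session", "location"), ("session", "global"),
                     ("enterprise", "location"), ("enterprise", "global"),
                     ("resource", "location"), ("resource", "global")]

# "Disable is most restrictive, then read-only, then allow, then apply global":
# the lower rank wins a merge; "apply global" never decides on its own.
STORAGE_RANK = {"disable": 0, "read-only": 1, "allow": 2}
APPLY_GLOBAL = "apply global"


@dataclass(frozen=True)
class StoragePolicy:
    level: str               # "session", "enterprise" or "resource"
    location: Optional[str]  # location the policy is assigned to; None = global
    setting: str             # "disable", "read-only", "allow" or "apply global"


def most_restrictive(settings: List[str]) -> str:
    """Cumulative merge: the lowest-ranked (most restrictive) setting wins."""
    return min(settings, key=STORAGE_RANK.__getitem__)


def resolve_storage(policies: List[StoragePolicy], current_location: str) -> str:
    """Walk the application order; the first tier that yields a concrete
    setting decides. Location tiers only see policies assigned to the device's
    current location, so location takes precedence over global."""
    for level, scope in APPLICATION_ORDER:
        if scope == "location":
            tier = [p for p in policies if p.level == level and p.location == current_location]
        else:
            tier = [p for p in policies if p.level == level and p.location is None]
        concrete = [p.setting for p in tier if p.setting != APPLY_GLOBAL]
        if concrete:
            return most_restrictive(concrete)
    # Assumption: a Resource policy with nothing published means no enforcement.
    return "allow"


# Constructed sample assignments (not from the deck).
POLICIES = [
    StoragePolicy("session", "Office", "read-only"),  # user policy for the office
    StoragePolicy("session", "Office", "allow"),      # a second, more permissive one
    StoragePolicy("session", None, APPLY_GLOBAL),     # session/global defers downwards
    StoragePolicy("enterprise", None, "disable"),     # enterprise default: lock down
]
```

At the office the two session/location policies merge to read-only; anywhere else the session tiers yield nothing concrete and the enterprise/global "disable" applies.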


Storage Device Control (cont.)


USB Connectivity

• Policy summary: control all USB devices (not just storage)

• Location based: Global and location

• Conflict Resolution: Cumulative (merge policies)

– Merge/Conflict Rules:

> Apply global on 2 “General Settings”

> Apply default on 4 “Device Group Access Settings”

> Disable USB devices is most restrictive and wins

> Merge with most restrictive on USB Device Access Settings and also have a checkbox for “merge global”


USB Connectivity (cont.)


USB Connectivity: Preferred Devices

General Control:

1. USB Devices: “Allow All Access” or “Disable All Access”. This is the overall USB handling.

2. Default Device Access: “Allow All Access” or “Disable All Access”. This is how devices are handled that are not specified by the device group access or advanced settings.

3. Device Group Access: a.) Human Interface Device (HID), b.) Mass Storage Class, c.) Printing Class, and d.) Scanning/Imaging (PTP) settings

4. Advanced settings: a.) “Default Device Access”, b.) “Always Allow”, c.) “Always Block”, d.) “Allow”, or e.) “Block”


USB Connectivity: Preferred Devices (cont.)

• Device Specific Control:

1. Manufacturer

2. Product

3. Friendly Name

4. Serial Number

5. USB Version – 4 hex chars, 0 to FFFF, http://www.linux-usb.org/usb.ids (current legal values 100, 110, 200; version in Binary Coded Decimal; 300 is currently being worked on)

6. Device Class – 00h through FFh (first two chars hex and final always h) http://www.usb.org/developers/defined_class

7. Device Sub-Class – 00h through FFh (first two chars hex and final always h) http://www.usb.org/developers/defined_class


USB Connectivity: Preferred Devices (cont.)

8. Device Protocol – 00h through FFh (first two chars hex and final always h) http://www.usb.org/developers/defined_class

9. Vendor ID – 4 hex chars http://www.linux-usb.org/usb.ids

10. Product ID – 4 hex chars http://www.linux-usb.org/usb.ids

11. BCD Device – 4 hex chars, 0 to FFFF, http://www.linux-usb.org/usb.ids (device version according to vendor ID and product ID, in Binary Coded Decimal)

12. OS Device ID – OS dependent (Windows: a string starting with one of the well known device groups on Windows, USB, USBStor, ...; sometimes referred to as the PNP id)

13. OS Device Class – OS dependent (Windows: GUID in brace form, used to group devices in Device Manager)

14. Comment
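As an added example (not Novell's tool), the Python below validates the field formats listed for a preferred-device entry and then walks the General Control settings from the first Preferred Devices slide to decide a device's access. The order in which device-specific entries override Device Group Access, the USB base class codes used to place a device in a group, and all sample values are assumptions.

```python
import re
from typing import Dict, List

# Field formats from the slides: 4 hex chars for the ID/BCD values,
# "00h" to "FFh" (two hex chars plus a trailing h) for the class values.
HEX4 = re.compile(r"^[0-9A-Fa-f]{4}$")
CLASS_H = re.compile(r"^[0-9A-Fa-f]{2}h$")
FIELD_FORMATS = {
    "usb_version": HEX4, "vendor_id": HEX4, "product_id": HEX4, "bcd_device": HEX4,
    "device_class": CLASS_H, "device_sub_class": CLASS_H, "device_protocol": CLASS_H,
}

# Standard USB base class codes for the four Device Group Access groups; that
# the agent groups devices this way is my assumption.
GROUP_BY_CLASS = {"03h": "hid", "08h": "mass_storage", "07h": "printing", "06h": "imaging"}


def validate_entry(entry: Dict[str, str]) -> List[str]:
    """Names of the fields whose value does not follow the documented format."""
    return [name for name, value in entry.items()
            if name in FIELD_FORMATS and not FIELD_FORMATS[name].match(value)]


def entry_matches(entry: Dict[str, str], device: Dict[str, str]) -> bool:
    """A preferred-device entry matches when every identifying field it
    specifies equals the device's value (exact, case-insensitive)."""
    return all(device.get(name, "").lower() == value.lower()
               for name, value in entry.items() if name != "access")


def decide_access(policy: Dict, device: Dict[str, str]) -> str:
    """Walk General Control top-down: bus-level disable, then device-specific
    (advanced) entries, then Device Group Access, then Default Device Access."""
    if policy["usb_devices"] == "Disable All Access":
        return "Disable All Access"  # the bus itself is disabled
    for entry in policy["device_entries"]:
        if entry_matches(entry, device):
            return entry["access"]
    group = GROUP_BY_CLASS.get(device.get("device_class", "").lower())
    if group in policy["group_access"]:
        return policy["group_access"][group]
    return policy["default_device_access"]


# Constructed sample policy; the vendor, product and serial values are made up.
POLICY = {
    "usb_devices": "Allow All Access",
    "default_device_access": "Disable All Access",
    "group_access": {"hid": "Allow All Access", "mass_storage": "Disable All Access"},
    "device_entries": [
        {"vendor_id": "1234", "product_id": "ABCD", "serial_number": "SN-0001",
         "device_class": "08h", "access": "Always Allow"},
    ],
}
```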


Novell® ZENworks® Endpoint Security Management: Device versus Storage Control

How Windows Enumerates Devices (diagram, top to bottom):

• Bus Type – “Disable All Access” for USB Devices works at this level, disabling the bus itself

• Device Type (Storage, Mouse, Keyboard, Printer) – USB Connectivity works at this level for USB type devices (e.g. Windows Device Manager)

• Volume – Storage Device Control works at this level


Device Scanner Tool


VPN Enforcement

• Policy summary: ensure all communications are encrypted when device is remote/mobile

• Location based: Global and location

• Conflict Resolution: Singular

– Merge/Conflict Rules:

> Singular only – ZENworks® Control Center (ZCC) only hands over the most recently assigned policy

> Closest wins, and then the ordering of the policies


VPN Enforcement (cont.)

• Required components/configuration for VPN enforcement

– Trigger location: typically use the Unknown location

> Stateful firewall to allow communication for authentication, etc.

– Switch-to location: create one called VPN location

> All-closed firewall with a single ACL to the VPN concentrator

> No network environment for the location

> When Internet access is verified, the agent will change to this location and lock down

– Launch

> Can launch a link for an SSL VPN or launch a file for a traditional VPN like Cisco, or can deliver a message


VPN Enforcement (cont.)


Wireless Control

• Policy summary: control Wi-Fi access to SSID, minimum security levels, etc.

• Location based: Global and location

• Conflict Resolution: Cumulative (merge policies)

– Merge/Conflict Rules:

> Disable ad hoc – most restrictive

> Block Wi-Fi® – most restrictive

> Disable Wi-Fi transmissions – most restrictive

> Merge APs – for managed, take the latest for a conflict of key on the same index (date modified first, then version of the policy second)

> Minimum wireless security – most restrictive


Wireless Control (cont.)


Enterprise Policy Settings

• “Configuration” link, “Configuration” tab, “Management Zone Settings” snapshot, “Endpoint Security Management”, “Enterprise Policy Settings”


Novell® ZENworks® Endpoint Security Management Agent Deployment

• “Configuration” link, “Configuration” tab, “Management Zone Settings” snapshot, “Device Management”, “ZENworks® Agent” (install, enable/disable, and reboot)


Override Password Generator


Licensing/Solution Activation

• “Configuration” link, “Configuration” tab, “Licenses” snapshot, “Novell® ZENworks® Endpoint Security Management” link

Questions and Answers

Unpublished Work of Novell, Inc. All Rights Reserved.

This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.
