Integrated Endpoint Security Management in Novell® ZENworks® 11 Configuration Management
David Ferre, Senior Product Manager, Novell / [email protected]
© Novell, Inc. All rights reserved.2
Presentation Contents
• Background
• Features and Functionality
• Integration Into ZENworks® Control Center (ZCC)
• Question and Answer
Background
Today’s Computing Environment
• The workforce has become mobile
– At the enterprise level, laptops have surpassed desktop deployments
– Wireless NICs are standard on new PCs and wireless networks have proliferated
– Mobility increases productivity and agility
• What is the key requirement to enable mobility?
– Remote access to data, which can be either locally stored or accessed via the Internet
• A Polar Relationship
– Increased agility and productivity requires moving data to the endpoint or providing remote access to the data, which increases risks and their associated costs.
Novell® ZENworks® Endpoint Security Management: Features and Functionality
Complete Endpoint Security
Driver Level Protection
1. File system driver
> Can block the execution of any file
> Non-intrusive approach to handling storage without affecting other functionality
2. Storage filter driver
> Handles anything that enumerates with a file system
> Read-only or disable
3. Mini-filter driver
> Encryption
> Access to all I/O events on the system
4. TDI filter driver
> Blocks network access from any application
> Being replaced with WFP (Windows Filtering Platform)
5. NDIS layer firewall and wireless driver
> Stateful and session based
> Handles network traffic before it is allowed to the OS
> NDIS 5.1 for XP, NDIS 6.0 for Windows Vista/7
Location-Aware – Always. Everywhere.
• Automatically adjusts controls and protection according to the device’s location
• No user interaction required
• Ideal for removable storage and USB device control, complete network control including firewall rules, wireless controls, and VPN enforcement
Location Aware Enforcement
Novell® ZENworks® Endpoint Security Management: Integration Into ZENworks Control Center
Overview of New Functionality
• Location awareness for other Novell® ZENworks® products
• Multiple policies and session based assignment
• Conflict resolution
• Overview of each feature
Locations and Network Environments
• Network environments can be defined and associated with a location
• Locations used for policy application
Location Wizard: Step 1
Location Wizard: Step 2
• Wizard for location creation allows network environment to be defined
• Network environment: create, assign existing, or none
Location Wizard: Step 3
• Wizard for location creation allows network environment to be defined
• Network environment: create, assign existing, or none
Location Wizard: Step 4
• IP address of gateway, DNS, DHCP, and WINS
• MAC address of gateway, DHCP, and WINS
• Dial-up connection or adapter name
• Access point SSID
• Client’s host IP address or DNS suffix
Novell® ZENworks® Endpoint Security Management (ZESM) Policies
1. Application Control
2. Communications Hardware Control
3. Encryption
4. Firewall
5. Location Assignment
6. Security Settings
7. Storage Device Control
8. USB Connectivity
9. VPN Enforcement
10. Wireless Control
Novell® ZENworks® Endpoint Security Management Policy Assignment
• Assign policies to users, devices, or add them to a group
– Some policies are assignable only to devices (e.g. data encryption)
• Assign “default” policies for entire Enterprise
Novell® ZENworks® Endpoint Security Management Policy Conflict Device vs. User
• Device Only: Applies only the policies associated to the device and ignores the policies associated to the user. This is the default value.
• User Only: Applies only the policies associated to the user and ignores the policies associated to the device.
• User Last: Not supported by ZESM.
• Device Last: Not supported by ZESM.
NOTE: The Policy Conflict Resolution setting is taken from the device-associated policy with the highest precedence.
Novell® ZENworks® Endpoint Security Management: Policy Assignment and Session Application Handling
[Diagram: policies assigned at User / User Group / Folder and at Device / Device Group / Folder feed into session application; each side carries location-assigned policy settings and globally-assigned policy settings]
• Policy Assignment
– At time of device assignment, you select “user only” or “device only” to handle conflicts between user and device assignments
– User assignment takes precedence over user group assignment (more specific)
• Session Application
– Location takes precedence over global
– Apply the most restrictive rule first: more restrictive is block/disable, less restrictive is allow/enable
– Note: some settings will have “Apply Global Settings” as an option in the policy’s enforcement
– Note: During “Session Application” the assigned policies may be carried over from “Device”, “Enterprise”, or “Resource” assignment policies. If the policy is device only, the policy would be carried over into the “session” application phase. When these are carried over, the same precedence of location over global and of the most restrictive rule still applies.
Novell® ZENworks® Endpoint Security Management Policy Application
Pre-Login (Root Policy) and Session Application (Session Policy)
[Flow diagram: Start → Initial Installation → Pre-Login (Boot Policy) → Session Application → Log Out]
1. Apply Enterprise Policy: apply the “Enterprise” policy
2. Apply Resource Policy (No Policy Published): if there are no “Device” or “Enterprise” policies per policyette, apply the “Resource” policy (no enforcement)
3. Session application, based on: 1.) normal login (includes SmartCard integration), 2.) right-click the Zicon and select “Log In”, 3.) command line based log in (development only)
– Post Desktop: if there is a session policy, override the Boot Policy; otherwise apply the Boot Policy and do NOT mark this as a “session policy”
– During “Post Desktop”, apply any policies per policyette that are assigned, and leave “Enterprise” policy enforcement in place if no policyette is assigned to the “User” (overrides other policies from the “Boot Policy”)
– Update Session Policy (post desktop, if different from the current boot policy)
4. Log Out: at the time of “log out”, the agent will return to the policy enforced from the “Boot Policy” and will not “Unpublish”; don’t “unpublish” policies, but rather apply the Boot Policy and do NOT mark this as a “session policy”
Novell® ZENworks® Endpoint Security Management Policy Application Sequence
[Diagram: Resource Policy, Enterprise Policy and Session Policy, each split into Location and Global settings; the Boot Policy is the pre-login result, which the Session Policy overrides]
Location/Global Policy Application Order:
1.) Session/Location
2.) Session/Global
3.) Enterprise/Location
4.) Enterprise/Global
5.) Resource/Location
6.) Resource/Global
Create New Policy Wizard
Create New Policy Wizard (cont.)
Application Control
• Policy summary: Block the execution or network access of known applications by file name
• Location based: Global and location (identical)
• Conflict resolution: Cumulative (merge policies)
– Merge/Conflict Rules:
> Most restrictive:
» Block execution
» Block network
» Allow
Application Control (cont.)
Communications Hardware Control
• Policy summary: Enable and disable communications devices and adapters
• Location based: Global and location
• Conflict Resolution: Cumulative (merge policies)
– Merge/Conflict Rules:
> Most restrictive
» Disable All Access
» Disable when wired
» Allow All Access
» Apply Global Settings (user, device, enterprise, resource)
Communications Hardware Control (cont.)
Communications Hardware Control (cont.)
Communications Hardware Control (cont.)
Encryption
• Policy summary: File based encryption for folders on fixed disk and removable storage
• Location based: Global only (and device based only)
• Conflict Resolution: Cumulative (merge policies)
– Merge/Conflict Rules:
> Merge safe harbor locations and key lists
> If encryption is applied in a policy, do not remove it and decrypt on policy changes unless it is the policy that was published with encryption
> Passwords for decryption need to be merged
> Require strong password versus no strong password: the strong password requirement is most restrictive and wins (is enforced)
> If two policies conflict, one with RSD encrypted and the other not, encryption wins (RSD would be encrypted)
Encryption (cont.)
Encryption Key Management
Firewall
• Policy summary: Stateful firewall operating at driver level
• Location based: Global and location
• Conflict Resolution: Cumulative (merge policies)
– Enforced as singular per location
– Merge/Conflict Rules:
> Layer 2 ACL trumps layer 3 ACL
> ACL trumps port rule
> Most restrictive ACL or port rule wins against the same rule type (ACL vs. ACL, port vs. port)
• Order of application:
– Default behavior – open, stateful, closed
> Port Rules
» Open
» Stateful
» Closed
– ACLs
> No Port Rules
> Port Rules
– nACLs
> Port Rules
> No Port Rules
Firewall (cont.)
Location Assignment
• Policy summary: used to control locations that are applicable to user/device and thus assigned security policies
• Location based: Global only
• Conflict Resolution: Cumulative (merge policies)
– Merge/Conflict Rules:
> Allow Manual Change – most restrictive is “don’t allow manual change”, so if there is a conflict then “don’t allow manual change”
> Show Location in Agent List – most restrictive is “not shown in list”, so if there is a conflict then “don’t show in agent list”
> Display message – show all messages if multiple exist
Location Assignment (cont.)
Security Settings
• Policy summary: security settings for Novell® ZENworks® Endpoint Security Management (ZESM) agent
• Location based: Global only
• Conflict resolution: Cumulative (merge policies)
– Merge/Conflict Rules:
> Uninstall Password – allow multi-value
> Password Override – allow multi-value
> Enable client self defense – “enabled” is most restrictive and should be used if set. Change to a drop-down box: “enabled”, “disabled”, or “no change”
Security Settings (cont.)
Storage Device Control
• Policy summary: control storage devices (disable/read-only)
• Location based: Global and location
• Conflict Resolution: Cumulative (merge policies)
– Merge/Conflict Rules:
> Disable AutoPlay is most restrictive, then disable AutoRun, then enable, then apply global
> Disable is most restrictive, then read-only, then allow, then apply global
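An added example (not Novell's code) of how the cumulative resolution on this slide combines with the Location/Global Policy Application Order from the Policy Application Sequence slide: within one scope the most restrictive Storage Device Control value wins, and "apply global" falls through to the next scope in the order. The scope order and rank tables follow the slides; the sample policies are constructed, and the fallback to the least restrictive value when nothing is published is an assumption.

```python
"""Added example (not Novell's code): resolve one cumulative ZESM setting."""
from typing import Dict, List, Optional, Tuple

# Application order from the Policy Application Sequence slide, most specific first.
SCOPE_ORDER: List[Tuple[str, str]] = [
    ("session", "location"), ("session", "global"),
    ("enterprise", "location"), ("enterprise", "global"),
    ("resource", "location"), ("resource", "global"),
]

# Restrictiveness ranks from the Storage Device Control slide (lower rank wins).
STORAGE_ACCESS_RANK = {"disable": 0, "read-only": 1, "allow": 2}
AUTOPLAY_RANK = {"disable autoplay": 0, "disable autorun": 1, "enable": 2}
APPLY_GLOBAL = "apply global"  # a policy may carry this instead of a real value

# (scope, level) -> settings from every policy assigned there; several user,
# device or group policies can apply at one level (cumulative assignment).
Policies = Dict[Tuple[str, str], List[Dict[str, str]]]


def merge_cumulative(values: List[str], rank: Dict[str, int]) -> Optional[str]:
    """Merge one setting within one scope: the most restrictive real value wins.
    "apply global" only counts when no policy in the scope sets a real value."""
    real = [v for v in values if v in rank]
    if real:
        return min(real, key=rank.__getitem__)
    return APPLY_GLOBAL if values else None


def resolve_setting(policies: Policies, setting: str, rank: Dict[str, int]) -> str:
    """Walk the scope order; the first scope yielding a real value decides.
    "apply global" or no policy at a scope falls through to the next one."""
    for scope in SCOPE_ORDER:
        values = [p[setting] for p in policies.get(scope, []) if setting in p]
        merged = merge_cumulative(values, rank)
        if merged is not None and merged != APPLY_GLOBAL:
            return merged
    # Assumption: with nothing published, the Resource policy means no
    # enforcement, i.e. the least restrictive value in the rank table.
    return max(rank, key=rank.__getitem__)


# Constructed sample: a user policy and a device policy conflict at
# Session/Location, and the Enterprise location policy defers AutoPlay to global.
SAMPLE: Policies = {
    ("session", "location"): [
        {"removable_access": "read-only"},
        {"removable_access": "allow", "autoplay": APPLY_GLOBAL},
    ],
    ("enterprise", "location"): [{"autoplay": APPLY_GLOBAL}],
    ("enterprise", "global"): [{"autoplay": "disable autorun"}],
}
```

With the sample, removable access resolves to read-only at Session/Location, while AutoPlay falls through two "apply global" scopes to the Enterprise/Global value.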
Storage Device Control (cont.)
USB Connectivity
• Policy summary: control all USB devices (not just storage)
• Location based: Global and location
• Conflict Resolution: Cumulative (merge policies)
– Merge/Conflict Rules:
> Apply global on the 2 “General Settings”
> Apply default on the 4 “Device Group Access Settings”
> Disable USB devices is most restrictive and wins
> Merge with most restrictive on USB Device Access Settings, and also have a checkbox for “merge global”
USB Connectivity (cont.)
USB Connectivity: Preferred Devices
General Control:
1. USB Devices: “Allow All Access” or “Disable All Access”. This is the overall USB handling.
2. Default Device Access: “Allow All Access” or “Disable All Access”. This is how devices are handled that are not specified by the device group access or advanced settings.
3. Device Group Access settings: a.) Human Interface Device (HID), b.) Mass Storage Class, c.) Printing Class, and d.) Scanning/Imaging (PTP)
4. Advanced settings: a.) “Default Device Access”, b.) “Always Allow”, c.) “Always Block”, d.) “Allow”, or e.) “Block”
USB Connectivity: Preferred Devices (cont.)
• Device Specific Control:
1. Manufacturer
2. Product
3. Friendly Name
4. Serial Number
5. USB Version – 4 hex chars, 0 to FFFF, http://www.linux-usb.org/usb.ids (current legal values 100, 110, 200; the version is in Binary Coded Decimal; 300 is currently being worked on)
6. Device Class – 00h through FFh (first two chars hex and the final always h) http://www.usb.org/developers/defined_class
7. Device Sub-Class – 00h through FFh (first two chars hex and the final always h) http://www.usb.org/developers/defined_class
USB Connectivity: Preferred Devices (cont.)
8. Device Protocol – 00h through FFh (first two chars hex and the final always h) http://www.usb.org/developers/defined_class
9. Vendor ID – 4 hex chars http://www.linux-usb.org/usb.ids
10. Product ID – 4 hex chars http://www.linux-usb.org/usb.ids
11. BCD Device – 4 hex chars, 0 to FFFF, http://www.linux-usb.org/usb.ids (device version for the vendor ID and product ID, in Binary Coded Decimal)
12. OS Device ID – OS dependent (Windows: a string starting with one of the well-known device groups on Windows, USB, USBStor..., sometimes referred to as the PnP ID)
13. OS Device Class – OS dependent (Windows: a GUID in brace form, used to group devices in Device Manager)
14. Comment
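An added example (not Novell's code) that checks Preferred Device attributes against the formats stated on these slides (4 hex chars; "00h" through "FFh"; a GUID in brace form) and then applies the advanced settings from the previous slide to an enumerated device. The rule precedence (Always Allow/Always Block before Allow/Block, then Default Device Access) and the all-named-fields-must-match rule are assumptions for this example; the rules and device records are constructed.

```python
"""Added example (not Novell's code): check Preferred Device attribute formats
and apply the USB Connectivity advanced settings to an enumerated device."""
import re
from typing import Dict, List

# Formats stated on the slides: 4 hex chars; "00h".."FFh"; GUID in brace form.
HEX4 = re.compile(r"^[0-9A-Fa-f]{4}$")
CLASS_H = re.compile(r"^[0-9A-Fa-f]{2}h$")
GUID_BRACE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
FIELD_FORMATS = {
    "usb_version": HEX4, "vendor_id": HEX4, "product_id": HEX4, "bcd_device": HEX4,
    "device_class": CLASS_H, "device_subclass": CLASS_H, "device_protocol": CLASS_H,
    "os_device_class": GUID_BRACE,
}


def validate_fields(fields: Dict[str, str]) -> List[str]:
    """Names of fields whose value does not match the slide's stated format."""
    return [k for k, v in fields.items()
            if k in FIELD_FORMATS and not FIELD_FORMATS[k].match(v)]


def matches(rule_fields: Dict[str, str], device: Dict[str, str]) -> bool:
    """A rule matches when every field it names equals the device's value
    (hex compared case-insensitively); fields a rule omits are wildcards.
    A rule naming no fields matches nothing (assumption for this example)."""
    return bool(rule_fields) and all(
        device.get(k, "").lower() == v.lower() for k, v in rule_fields.items())


def decide(rules: List[dict], device: Dict[str, str], default_access: str) -> str:
    """Assumed precedence: "Always Block"/"Always Allow" beat "Block"/"Allow";
    a matched rule set to "Default Device Access", or no match at all, falls
    back to the policy's Default Device Access. Returns "allow" or "block"."""
    hits = [r["access"] for r in rules if matches(r["fields"], device)]
    for access in ("Always Block", "Always Allow", "Block", "Allow"):
        if access in hits:
            return "block" if access.endswith("Block") else "allow"
    return "block" if default_access == "Disable All Access" else "allow"


# Constructed sample rules and devices; IDs are illustrative, not real products.
RULES = [
    {"fields": {"vendor_id": "1234", "product_id": "ABCD"}, "access": "Always Allow"},
    {"fields": {"device_class": "08h"}, "access": "Block"},  # any mass storage device
]
APPROVED_KEY = {"vendor_id": "1234", "product_id": "abcd", "device_class": "08h"}
OTHER_STICK = {"vendor_id": "5678", "product_id": "0001", "device_class": "08h"}
MOUSE = {"vendor_id": "9999", "product_id": "0002", "device_class": "03h"}
```

The approved key is allowed despite the class-wide block because "Always Allow" outranks "Block"; the mouse matches no rule and takes the Default Device Access.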
Novell® ZENworks® Endpoint Security Management: Device versus Storage Control
[Diagram: How Windows Enumerates Devices – Bus Type → Device Type (Printer, Storage, Mouse, Keyboard) → Volume]
• Bus type level: “Disable All Access” for USB Devices works at this level, disabling the bus itself
• Device type level: USB Connectivity works at this level for USB type devices (e.g. as shown in Windows Device Manager)
• Volume level: Storage Device Control works at this level
Device Scanner Tool
VPN Enforcement
• Policy summary: ensure all communications are encrypted when device is remote/mobile
• Location based: Global and location
• Conflict Resolution: Singular
– Merge/Conflict Rules:
> Singular only – ZENworks® Control Center (ZCC) only hands out the most recently assigned policy
> Closest wins, and then the ordering of policies
VPN Enforcement (cont.)
• Required components/configuration for VPN enforcement
– Trigger location: typically use the Unknown location
> Stateful firewall to allow communication for authentication, etc.
– Switch-to location: create one called the VPN location
> All-closed firewall with a single ACL to the VPN concentrator
> No network environment for the location
> When Internet access is verified, the agent will change to this location and lock down
– Launch
> Can launch a link for an SSL VPN, launch a file for a traditional VPN like Cisco, or deliver a message
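An added example (not Novell's code) that ties the Location Wizard criteria (step 4) to the VPN Enforcement configuration above: the observed network environment is matched against defined locations, an unmatched environment yields the Unknown trigger location, and once Internet access is verified the agent switches to the VPN location. The all-criteria-must-match rule, first-match-wins ordering and the "Unknown" default are assumptions; the environments and observed values are constructed.

```python
"""Added example (not Novell's code): derive a location from the observed
network environment and apply the VPN Enforcement trigger/switch-to logic."""
from typing import Dict, List

# Criteria the Location Wizard (step 4) lets an administrator define.
CRITERIA = ("gateway_ip", "gateway_mac", "dns_ip", "dhcp_ip", "wins_ip",
            "adapter_name", "ssid", "client_ip", "dns_suffix")

NetworkEnv = Dict[str, str]  # "location" plus any subset of CRITERIA


def match_env(env: NetworkEnv, observed: Dict[str, str]) -> bool:
    """Assumption: an environment matches only if every criterion it defines
    equals the observed value; an environment with no criteria never matches
    (the VPN location deliberately has none, so it is never auto-detected)."""
    crits = {k: v for k, v in env.items() if k in CRITERIA}
    return bool(crits) and all(
        observed.get(k, "").lower() == v.lower() for k, v in crits.items())


def determine_location(envs: List[NetworkEnv], observed: Dict[str, str]) -> str:
    """First matching network environment wins; no match means "Unknown"."""
    for env in envs:
        if match_env(env, observed):
            return env["location"]
    return "Unknown"


def enforce_vpn(location: str, internet_verified: bool,
                trigger: str = "Unknown", vpn_location: str = "VPN") -> str:
    """While in the trigger location the stateful firewall still permits
    authentication traffic; once Internet access is verified the agent
    switches to the VPN location, whose all-closed firewall allows only the
    ACL to the VPN concentrator. Elsewhere the location is left unchanged."""
    if location == trigger and internet_verified:
        return vpn_location
    return location


# Constructed environments; addresses and names are illustrative only.
ENVS: List[NetworkEnv] = [
    {"location": "Office", "gateway_ip": "10.1.0.1", "dns_suffix": "corp.example"},
    {"location": "Home", "ssid": "HomeNet"},
    {"location": "VPN"},  # switch-to location: no network environment
]


def locate_and_enforce(observed: Dict[str, str], internet_verified: bool) -> str:
    """One agent evaluation: detect the location, then apply VPN enforcement."""
    return enforce_vpn(determine_location(ENVS, observed), internet_verified)
```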
VPN Enforcement (cont.)
Wireless Control
• Policy summary: control Wi-Fi access to SSID, minimum security levels, etc.
• Location based: Global and location
• Conflict Resolution: Cumulative (merge policies)
– Merge/Conflict Rules:
> Disable ad hoc – most restrictive
> Block Wi-Fi® – most restrictive
> Disable Wi-Fi transmissions – most restrictive
> Merge APs – for managed APs, on a conflict of key on the same index take the latest (date modified first, then the version of the policy second)
> Minimum wireless security – most restrictive
Wireless Control (cont.)
Enterprise Policy Settings
• “Configuration” link, “Configuration” tab, “Management Zone Settings” snapshot, “Endpoint Security Management”, “Enterprise Policy Settings”
Novell® ZENworks® Endpoint Security Management Agent Deployment
• “Configuration” link, “Configuration” tab, “Management Zone Settings” snapshot, “Device Management”, “ZENworks® Agent” (install, enable/disable, and reboot)
Override Password Generator
Licensing/Solution Activation
• “Configuration” link, “Configuration” tab, “Licenses” snapshot, “Novell® ZENworks® Endpoint Security Management” link
Questions and Answers
Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.