Integrated Endpoint Security Management in Novell® ZENworks® 11 Configuration Management David Ferre Senior Product Manager Novell/[email protected]

Post on 21-May-2015


DESCRIPTION

In this session we'll preview the upcoming release of Novell ZENworks Endpoint Security Management—which has been integrated into the Novell ZENworks Control Center. This means that administrators will be able to deploy the security agent and define security policies from the same console used for configuration, asset and patch management. These security policies are then assigned to users or devices and adjustable by location. Policies include data encryption, storage control, USB control, communications hardware controls, application control, host-based firewall, wireless controls and VPN enforcement.

TRANSCRIPT

Page 1: Integrated Endpoint Security Management in Novell ZENworks 11 Configuration Management

Integrated Endpoint Security Management in Novell® ZENworks® 11 Configuration Management

David Ferre, Senior Product Manager, Novell/[email protected]

Page 2

© Novell, Inc. All rights reserved.

Presentation Contents

• Background

• Features and Functionality

• Integration Into ZENworks® Control Center (ZCC)

• Question and Answer

Page 3

Background

Page 4

Today’s Computing Environment

• The workforce has become mobile

– At the enterprise level, laptops have surpassed desktop deployments

– Wireless NICs are standard on new PCs and wireless networks have proliferated

– Mobility increases productivity and agility

• What is the key requirement to enable mobility?

– Remote access to data, which can be either locally stored or accessed via the Internet

• A Polar Relationship

– Increased agility and productivity requires moving data to the endpoint or providing remote access to the data, which increases risks and their associated costs.

Page 5

Novell® ZENworks® Endpoint Security Management: Features and Functionality

Page 6

Complete Endpoint Security

Page 7

Driver Level Protection

1. File system driver
> Can block the execution of any file
> Non-intrusive approach to handling storage without affecting other functionality

2. Storage filter driver
> Handles anything that enumerates with a file system
> Read-only or disable

3. Mini-filter driver
> Encryption
> Access to all I/O events on the system

4. TDI filter driver
> Blocks network access from any application
> Being replaced with WFP (Windows Filtering Platform)

5. NDIS layer firewall and wireless driver
> Stateful and session based
> Handles network traffic before it is allowed to the OS
> NDIS 5.1 for XP, NDIS 6.0 for Windows Vista/7

Page 8

Location-Aware – Always. Everywhere.

• Automatically adjusts controls and protection according to the device’s location

• No user interaction required

• Ideal for removable storage and USB device control, complete network control including firewall rules, wireless controls, and VPN enforcement

Location Aware Enforcement

Page 9

Novell® ZENworks® Endpoint Security Management: Integration Into ZENworks Control Center

Page 10

Overview of New Functionality

• Location awareness for other Novell® ZENworks® products

• Multiple policies and session based assignment

• Conflict resolution

• Overview of each feature

Page 11

Locations and Network Environments

• Network environments can be defined and associated with a location

• Locations used for policy application

Page 12

Location Wizard – Step 1

Page 13

Location Wizard – Step 2

• Wizard for location creation allows network environment to be defined

• Network environment: create, assign existing, or none

Page 14

Location Wizard – Step 3

• Wizard for location creation allows network environment to be defined

• Network environment: create, assign existing, or none

Page 15

Location Wizard – Step 4

• IP address of gateway, DNS, DHCP, and WINS

• MAC address of gateway, DHCP, and WINS

• Dial-up connection or adapter name

• Access point SSID

• Client’s host IP address or DNS suffix

Page 16

Novell® ZENworks® Endpoint Security Management (ZESM) Policies

1. Application Control
2. Communications Hardware Control
3. Encryption
4. Firewall
5. Location Assignment
6. Security Settings
7. Storage Device Control
8. USB Connectivity
9. VPN Enforcement
10. Wireless Control

Page 17

Novell® ZENworks® Endpoint Security Management Policy Assignment

• Assign policies to users, devices, or add them to a group

– Some policies are assignable only to devices (e.g. data encryption)

• Assign “default” policies for entire Enterprise

Page 18

Novell® ZENworks® Endpoint Security Management Policy Conflict Device vs. User

• Device Only: Applies only the policies associated to the device and ignores the policies associated to the user. This is the default value.

• User Only: Applies only the policies associated to the user and ignores the policies associated to the device.

• User Last: Not supported by ZESM.

• Device Last: Not supported by ZESM.

NOTE: The Policy Conflict Resolution setting is taken from the device-associated policy with the highest precedence.

Page 19

Novell® ZENworks® Endpoint Security Management: Policy Assignment and Session Application Handling

[Diagram: Policy Assignment feeding Session Application. A policy is assigned as “User Only” or “Device Only”, from a user, user group, or folder on one side and a device, device group, or folder on the other; location-assigned policy settings sit above globally assigned policy settings on both sides.]

• Location takes precedence over global

• Apply the most restrictive rule first

– More restrictive – block/disable

– Less restrictive – allow/enable

• At the time of device assignment, you select “user only” or “device only” to handle conflicts between user and device assignments

• User assignment takes precedence over user group assignment (more specific)

Note: some settings will have “Apply Global Settings” as an option in the policy’s enforcement

Note: During “Session Application” the assigned policies may be carried over from “Device”, “Enterprise”, or “Resource” assignment policies. If the policy is device only, the policy is carried over into the “session” application phase. When these are carried over, the same precedence of location over global and of most restrictive still applies.

Page 20

Novell® ZENworks® Endpoint Security Management Policy Application

[Flow diagram: Initial Installation, then Pre-Login (Root Policy), then Session Application (Session Policy), then Log Out]

1. Apply Enterprise Policy: apply the “Enterprise” policy

2. Apply Resource Policy (No Policy Published): if there are no “Device” or “Enterprise” policies per policyette, apply the “Resource” policy (no enforcement)

3. Session Application: during “Post Desktop”, apply any policies per policyette that are assigned, and leave “Enterprise” policy enforcement in place if no policyette is assigned to “User” (overrides other policies from “Boot Policy”)

4. Log Out: at the time of “log out”, the agent will return to the policy enforced from “Boot Policy” and will not “Unpublish”

Session application is based on:
1.) Normal login (includes SmartCard integration)
2.) Right-click the Zicon and select “Log In”
3.) Command-line based log in (development only)

Post Desktop: If (sessionPolicy) override Boot Policy; else apply Boot Policy and do NOT mark this as “session policy”

Logout: Don’t “unpublish” policies, but rather apply Boot Policy and do NOT mark this as “session policy”

Update Session Policy (post desktop, if different than the current boot policy)

Page 21

Novell® ZENworks® Endpoint Security Management Policy Application Sequence

[Diagram: Start, then Resource Policy, then Enterprise Policy, then Session Policy; Boot Policy and Session Policy are each split into a Location column and a Global column, numbered in the order below]

Location/Global Policy Application Order:
1.) Session/Location
2.) Session/Global
3.) Enterprise/Location
4.) Enterprise/Global
5.) Resource/Location
6.) Resource/Global
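The application order above, combined with the “most restrictive wins” merge rule the later slides give for cumulative policies, turned into a small resolver as an added example (not Novell code). The fall-through semantics for “apply global” and the sample policy data are assumptions made here; the restrictiveness ranking is the one the Storage Device Control slide states.

```python
from typing import Dict, List, Optional, Tuple

# Order from the "Policy Application Sequence" slide: session beats enterprise,
# enterprise beats resource, and within each scope location beats global.
APPLICATION_ORDER: List[Tuple[str, str]] = [
    ("session", "location"), ("session", "global"),
    ("enterprise", "location"), ("enterprise", "global"),
    ("resource", "location"), ("resource", "global"),
]

# Restrictiveness ranking from the Storage Device Control merge rules: disable
# is most restrictive, then read-only, then allow. "apply global" is not a
# value of its own but a deferral to the global level.
STORAGE_RANK: Dict[str, int] = {"disable": 0, "read-only": 1, "allow": 2}
APPLY_GLOBAL = "apply global"

# Constructed data shape for this example: (scope, level) -> the policies
# assigned there, each policy a dict of setting name -> value.
Policies = Dict[Tuple[str, str], List[Dict[str, str]]]


def merge_most_restrictive(values: List[str], rank: Dict[str, int]) -> Optional[str]:
    """Cumulative merge of one setting across several assigned policies: the
    concrete value with the lowest rank (most restrictive) wins. Returns None
    when nothing is assigned or every value defers to global."""
    concrete = [v for v in values if v != APPLY_GLOBAL]
    if not concrete:
        return None
    unknown = [v for v in concrete if v not in rank]
    if unknown:
        raise ValueError(f"unranked value(s): {unknown}")
    return min(concrete, key=lambda v: rank[v])


def resolve_setting(policies: Policies, setting: str, rank: Dict[str, int]) -> Optional[str]:
    """Resolve one setting by walking the application order. The first
    (scope, level) whose merged value is concrete decides; a level whose
    policies all say 'apply global' (or assign nothing) falls through, so a
    location level defers to the same scope's global level, which is next in
    the order. This fall-through reading of the slides is an assumption."""
    for scope, level in APPLICATION_ORDER:
        assigned = policies.get((scope, level), [])
        merged = merge_most_restrictive([p[setting] for p in assigned if setting in p], rank)
        if merged is not None:
            return merged
    return None  # nothing assigned anywhere: the "Resource" (no enforcement) case


# Constructed sample: the session-scope location policy defers to global, two
# session-scope global policies disagree, and the enterprise default would
# disable removable storage outright.
SAMPLE_POLICIES: Policies = {
    ("session", "location"): [{"removable_storage": APPLY_GLOBAL}],
    ("session", "global"): [{"removable_storage": "allow"},
                            {"removable_storage": "read-only"}],
    ("enterprise", "global"): [{"removable_storage": "disable"}],
}


def sample_result() -> Optional[str]:
    """Session/global wins over enterprise, and read-only beats allow."""
    return resolve_setting(SAMPLE_POLICIES, "removable_storage", STORAGE_RANK)


if __name__ == "__main__":
    print("removable_storage ->", sample_result())
```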

Page 22

Create New Policy Wizard

Page 23

Create New Policy Wizard (cont.)

Page 24

Application Control

• Policy summary: Block the execution or network access of known applications by file name

• Location based: Global and location (identical)

• Conflict resolution: Cumulative (merge policies)

– Merge/Conflict Rules:
> Most restrictive:
» Block execution
» Block network
» Allow

Page 25

Application Control (cont.)

Page 26

Communications Hardware Control

• Policy summary: Enable and disable communications devices and adapters

• Location based: Global and location

• Conflict Resolution: Cumulative (merge policies)

– Merge/Conflict Rules:
> Most restrictive
» Disable All Access
» Disable when wired
» Allow All Access
» Apply Global Settings (user, device, enterprise, resource)

Page 27

Communications Hardware Control (cont.)

Page 28

Communications Hardware Control (cont.)

Page 29

Communications Hardware Control (cont.)

Page 30

Encryption

• Policy summary: File based encryption for folders on fixed disk and removable storage

• Location based: Global only (and device based only)

• Conflict Resolution: Cumulative (merge policies)

– Merge/Conflict Rules:
> Merge safe harbor locations and key lists
> If encryption is applied in a policy, do not remove it and decrypt on policy changes unless it is the policy that was published with encryption
> Passwords for decryption need to be merged
> Require strong password versus no strong password: the require strong password requirement is most restrictive and wins (is enforced)
> If two policies conflict, one with RSD encrypted and another not, the encryption wins (RSD would be encrypted)

Page 31

Encryption (cont.)

Page 32

Encryption Key Management

Page 33

Firewall

• Policy summary: Stateful firewall operating at driver level

• Location based: Global and location

• Conflict Resolution: Cumulative (merge policies)

– Enforced as singular per location

– Merge/Conflict Rules:
> Layer 2 ACL trumps layer 3 ACL
> ACL trumps port rule
> Most restrictive ACL or port rule wins against the same rule type (ACL vs. ACL, port vs. port)

• Order of application:

– Default behavior – open, stateful, closed
> Port Rules
» Open
» Stateful
» Closed

– ACLs
> No Port Rules
> Port Rules

– nACLs
> Port Rules
> No Port Rules

Page 34

Firewall (cont.)

Page 35

Location Assignment

• Policy summary: used to control which locations are applicable to a user/device and thus which security policies are assigned

• Location based: Global only

• Conflict Resolution: Cumulative (merge policies)

– Merge/Conflict Rules:
> Allow Manual Change – most restrictive is “don’t allow manual change”, so if there is a conflict then “don’t allow manual change”
> Show Location in Agent List – most restrictive is to “not show in list”, so if there is a conflict then “don’t show in agent list”
> Display message – show all messages if multiple exist

Page 36

Location Assignment (cont.)

Page 37

Security Settings

• Policy summary: security settings for the Novell® ZENworks® Endpoint Security Management (ZESM) agent

• Location based: Global only

• Conflict resolution: Cumulative (merge policies)

– Merge/Conflict Rules:
> Uninstall Password – allow multi-value
> Password Override – allow multi-value
> Enable client self defense – “enabled” is most restrictive and should be used if set. Change to a drop-down box: “enabled”, “disabled”, or “no change”

Page 38

Security Settings (cont.)

Page 39

Storage Device Control

• Policy summary: control storage devices (disable/read-only)

• Location based: Global and location

• Conflict Resolution: Cumulative (merge policies)

– Merge/Conflict Rules:
> Disable AutoPlay is most restrictive, then disable AutoRun, then enable, then apply global
> Disable is most restrictive, then read-only, then allow, then apply global

Page 40

Storage Device Control (cont.)

Page 41

USB Connectivity

• Policy summary: control all USB devices (not just storage)

• Location based: Global and location

• Conflict Resolution: Cumulative (merge policies)

– Merge/Conflict Rules:
> Apply global on the 2 “General Settings”
> Apply default on the 4 “Device Group Access Settings”
> Disable USB devices is most restrictive and wins
> Merge with most restrictive on USB Device Access Settings, and also have a checkbox for “merge global”

Page 42

USB Connectivity (cont.)

Page 43

USB Connectivity – Preferred Devices

General Control:

1. USB Devices: “Allow All Access” or “Disable All Access”. This is the overall USB handling.

2. Default Device Access: “Allow All Access” or “Disable All Access”. This is how devices are handled that are not specified by the device group access or advanced settings.

3. Device Group Access Settings: a.) Human Interface Device (HID), b.) Mass Storage Class, c.) Printing Class, and d.) Scanning/Imaging (PTP)

4. Advanced settings: a.) “Default Device Access”, b.) “Always Allow”, c.) “Always Block”, d.) “Allow”, or e.) “Block”

Page 44

USB Connectivity – Preferred Devices (cont.)

• Device Specific Control:

1. Manufacturer

2. Product

3. Friendly Name

4. Serial Number

5. USB Version – 4 hex chars, 0 to FFFF, http://www.linux-usb.org/usb.ids (current legal values 100, 110, 200; version in Binary Coded Decimal; 300 is currently being worked on)

6. Device Class – 00h through FFh (first two chars hex and the final always h) http://www.usb.org/developers/defined_class

7. Device Sub-Class – 00h through FFh (first two chars hex and the final always h) http://www.usb.org/developers/defined_class

Page 45

USB Connectivity – Preferred Devices (cont.)

8. Device Protocol – 00h through FFh (first two chars hex and the final always h) http://www.usb.org/developers/defined_class

9. Vendor ID – 4 hex chars http://www.linux-usb.org/usb.ids

10. Product ID – 4 hex chars http://www.linux-usb.org/usb.ids

11. BCD Device – 4 hex chars, 0 to FFFF, http://www.linux-usb.org/usb.ids (device version for the given vendor ID and product ID, in Binary Coded Decimal)

12. OS Device ID – OS dependent (Windows: a string starting with one of the well-known device groups on Windows, such as USB or USBStor..., sometimes referred to as the PnP ID)

13. OS Device Class – OS dependent (Windows: GUID in brace form, used to group devices in Device Manager)

14. Comment
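An added example (not Novell code) that matches constructed device records against the attribute formats listed on the last two slides and the general and device-group controls from the slide before them. The evaluation order, the treatment of “Allow” like “Always Allow”, and every vendor, product and serial value are assumptions made here; the four class codes are the usb.org base class codes for the named device groups.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Value formats the slides give for the coded device-specific attributes.
HEX4 = re.compile(r"^[0-9A-Fa-f]{4}$")         # Vendor ID, Product ID, BCD Device, USB Version
CLASS_CODE = re.compile(r"^[0-9A-Fa-f]{2}h$")   # Device Class / Sub-Class / Protocol: 00h..FFh
GUID_BRACED = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")  # OS Device Class
FORMATS = {"Vendor ID": HEX4, "Product ID": HEX4, "BCD Device": HEX4, "USB Version": HEX4,
           "Device Class": CLASS_CODE, "Device Sub-Class": CLASS_CODE,
           "Device Protocol": CLASS_CODE, "OS Device Class": GUID_BRACED}
# USB base class codes (usb.org defined class list) for the four device groups on the slide.
DEVICE_GROUPS = {"03h": "Human Interface Device", "06h": "Scanning/Imaging",
                 "07h": "Printing", "08h": "Mass Storage"}
ALLOW, DISABLE = "Allow All Access", "Disable All Access"

def validate_attribute(name: str, value: str) -> bool:
    """Free-text attributes (Manufacturer, Serial Number, ...) accept anything;
    the coded attributes must match the format the slide specifies."""
    fmt = FORMATS.get(name)
    return True if fmt is None else bool(fmt.match(value))

@dataclass
class PreferredEntry:
    action: str            # "Always Allow", "Always Block", "Allow", "Block", "Default Device Access"
    match: Dict[str, str]  # attribute -> value; every listed attribute must match (case-insensitive)
    def matches(self, device: Dict[str, str]) -> bool:
        return all(device.get(k, "").lower() == v.lower() for k, v in self.match.items())

@dataclass
class UsbPolicy:
    usb_devices: str = ALLOW             # general setting 1: overall USB handling (bus level)
    default_device_access: str = ALLOW   # general setting 2: devices no other setting covers
    group_access: Dict[str, str] = field(default_factory=dict)  # device group -> ALLOW/DISABLE
    entries: List[PreferredEntry] = field(default_factory=list)  # advanced, device-specific

def evaluate(policy: UsbPolicy, device: Dict[str, str]) -> str:
    """Return 'allow' or 'block' for one enumerated device. The order used here
    (bus-level disable, then a matching device-specific entry, then the device
    group, then default access) and treating "Allow" like "Always Allow" are
    assumptions of this example; the slides do not spell them out."""
    for name, value in device.items():
        if not validate_attribute(name, value):
            raise ValueError(f"malformed {name}: {value!r}")
    if policy.usb_devices == DISABLE:
        return "block"  # "Disable All Access" disables the bus itself
    for entry in policy.entries:
        if entry.matches(device):
            if entry.action in ("Always Allow", "Allow"):
                return "allow"
            if entry.action in ("Always Block", "Block"):
                return "block"
            break  # "Default Device Access": fall through to group/default handling
    group = DEVICE_GROUPS.get(device.get("Device Class", "").lower())
    if group in policy.group_access:
        return "allow" if policy.group_access[group] == ALLOW else "block"
    return "allow" if policy.default_device_access == ALLOW else "block"

# Constructed sample policy: mass storage is disabled as a group, one specific
# serial-numbered drive is allowed anyway, HID devices stay allowed. IDs are made up.
SAMPLE_POLICY = UsbPolicy(
    group_access={"Mass Storage": DISABLE, "Human Interface Device": ALLOW},
    entries=[PreferredEntry("Always Allow", {"Vendor ID": "1234", "Product ID": "ABCD",
                                             "Serial Number": "SN-CONSTRUCTED-01"})],
)

def sample_decisions() -> Dict[str, str]:
    approved = {"Vendor ID": "1234", "Product ID": "abcd", "Device Class": "08h",
                "Serial Number": "SN-CONSTRUCTED-01"}
    other_stick = {**approved, "Serial Number": "SN-CONSTRUCTED-02"}
    keyboard = {"Vendor ID": "5678", "Device Class": "03h"}
    return {"approved": evaluate(SAMPLE_POLICY, approved),
            "other_stick": evaluate(SAMPLE_POLICY, other_stick),
            "keyboard": evaluate(SAMPLE_POLICY, keyboard)}
```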

Page 46

Novell® ZENworks® Endpoint Security Management: Device versus Storage Control

[Diagram: How Windows Enumerates Devices – Bus Type, then Device Type (Printer, Storage, Mouse, Keyboard), then Volume]

• Bus Type – “Disable All Access” for USB Devices works at this level, disabling the bus itself

• Device Type – USB connectivity works at this level for USB type devices (e.g. Windows Device Manager)

• Volume – Storage Device Control works at this level

Page 47

Device Scanner Tool

Page 48

VPN Enforcement

• Policy summary: ensure all communications are encrypted when the device is remote/mobile

• Location based: Global and location

• Conflict Resolution: Singular

– Merge/Conflict Rules:
> Singular only – ZENworks® Control Center (ZCC) only hands down the most recently assigned policy
> Closest wins, and then the ordering of policies

Page 49

VPN Enforcement (cont.)

• Required components/configuration for VPN enforcement

– Trigger location: typically use the Unknown location
> Stateful firewall to allow communication for authentication, etc.

– Switch-to location: create one called “VPN location”
> All-closed firewall with a single ACL to the VPN concentrator
> No network environment for the location
> When Internet access is verified, the agent will change to this location and lock down

– Launch
> Can launch a link for an SSL VPN, launch a file for a traditional VPN like Cisco, or deliver a message

Page 50

VPN Enforcement (cont.)

Page 51

Wireless Control

• Policy summary: control Wi-Fi access by SSID, minimum security levels, etc.

• Location based: Global and location

• Conflict Resolution: Cumulative (merge policies)

– Merge/Conflict Rules:
> Disable ad hoc – most restrictive
> Block Wi-Fi® – most restrictive
> Disable Wi-Fi transmissions – most restrictive
> Merge APs – for managed APs, take the latest on a conflict of key on the same index (date modified first, then version of the policy second)
> Minimum wireless security – most restrictive

Page 52

Wireless Control (cont.)

Page 53

Enterprise Policy Settings

• “Configuration” link, “Configuration” tab, “Management Zone Settings” snapshot, “Endpoint Security Management”, “Enterprise Policy Settings”

Page 54

Novell® ZENworks® Endpoint Security Management Agent Deployment

• “Configuration” link, “Configuration” tab, “Management Zone Settings” snapshot, “Device Management”, “ZENworks® Agent” (install, enable/disable, and reboot)

Page 55

Override Password Generator

Page 56

Licensing/Solution Activation

• “Configuration” link, “Configuration” tab, “Licenses” snapshot, “Novell® ZENworks® Endpoint Security Management” link

Page 57

Questions and Answers

Page 58

Page 59

Unpublished Work of Novell, Inc. All Rights Reserved.

This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.