Integrated Endpoint Security Management in Novell ZENworks 11 Configuration Management

In this session we'll preview the upcoming release of Novell ZENworks Endpoint Security Management—which has been integrated into the Novell ZENworks Control Center. This means that administrators will be able to deploy the security agent and define security policies from the same console used for configuration, asset and patch management. These security policies are then assigned to users or devices and adjustable by location. Policies include data encryption, storage control, USB control, communications hardware controls, application control, host-based firewall, wireless controls and VPN enforcement.

1. Integrated Endpoint Security Management in Novell ZENworks 11 Configuration Management
   David Ferre, Senior Product Manager, Novell (DFerre@novell.com)
2. Presentation Contents
   • Background
   • Features and Functionality
   • Integration Into ZENworks Control Center (ZCC)
   • Question and Answer
   © Novell, Inc. All rights reserved.
3. Background
4. Today’s Computing Environment
   • The workforce has become mobile
     – At the enterprise level, laptops have surpassed desktop deployments
     – Wireless NICs are standard on new PCs and wireless networks have proliferated
     – Mobility increases productivity and agility
   • What is the key requirement to enable mobility?
     – Remote access to data, which can be either locally stored or accessed via the Internet
   • A polar relationship
     – Increased agility and productivity require moving data to the endpoint or providing remote access to it, which increases risks and their associated costs.
5. Novell ZENworks Endpoint Security Management: Features and Functionality
6. Complete Endpoint Security
7. Driver Level Protection
   1. File system driver
      > Can block the execution of any file
      > Non-intrusive approach to handling storage without affecting other functionality
   2. Storage filter driver
      > Handles anything that enumerates with a file system
      > Read-only or disable
   3. Mini-filter driver
      > Encryption
      > Access to all I/O events on the system
   4. TDI filter driver
      > Blocks network access from any application
      > Being replaced with WFP (Windows Filtering Platform)
   5. NDIS-layer firewall and wireless driver
      > Stateful and session based
      > Handles network traffic before it is allowed to the OS
      > NDIS 5.1 for XP, NDIS 6.0 for Windows Vista/7
8. Location Aware Enforcement
   Location-Aware: Always. Everywhere.
   • Automatically adjusts controls and device protection according to the device’s location
   • No user interaction required
   • Ideal for removable storage and USB control, and for complete network control including firewall rules, wireless controls, and VPN enforcement
9. Novell ZENworks Endpoint Security Management: Integration Into ZENworks Control Center
10. Overview of New Functionality
    • Location awareness for other Novell ZENworks products
    • Multiple policies and session-based assignment
    • Conflict resolution
    • Overview of each feature
11. Locations and Network Environments
    • Network environments can be defined and associated with a location
    • Locations are used for policy application
12. Location Wizard, Step 1
13. Location Wizard, Step 2
    • The wizard for location creation allows a network environment to be defined
    • Network environment: create, assign existing, or none
14. Location Wizard, Step 3 (same options as Step 2)
15. Location Wizard, Step 4: network environment criteria
    • IP address of gateway, DNS, DHCP, and WINS servers
    • MAC address of gateway, DHCP, and WINS servers
    • Dial-up connection or adapter name
    • Access point SSID
    • Client’s host IP address or DNS suffix
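The Step 4 criteria are what the agent compares against the network it actually sees in order to decide which location it is in. The following is an added example, not ZESM code: it assumes a location is a set of network environments, that an environment matches only when every criterion it specifies is satisfied (unspecified criteria are wildcards), that the location satisfying the most criteria wins, and that nothing matching yields the "Unknown" location. All location and network data below is constructed for the example.

```python
"""Location resolution from an observed network environment (illustrative)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


def _mac(m: str) -> str:
    return m.lower().replace("-", ":")


@dataclass(frozen=True)
class Observed:
    """What the agent sees on the active adapter (constructed sample data below)."""
    gateway_ip: str
    gateway_mac: str
    dns_servers: frozenset
    dhcp_server: Optional[str]
    dhcp_mac: Optional[str]
    wins_server: Optional[str]
    adapter_name: str
    ssid: Optional[str]
    host_ip: str
    dns_suffix: str


@dataclass
class NetworkEnvironment:
    """Step 4 criteria; an empty set means the criterion is not specified (wildcard)."""
    name: str
    gateway_ips: set = field(default_factory=set)
    gateway_macs: set = field(default_factory=set)
    dns_servers: set = field(default_factory=set)
    dhcp_servers: set = field(default_factory=set)
    dhcp_macs: set = field(default_factory=set)
    wins_servers: set = field(default_factory=set)
    adapter_names: set = field(default_factory=set)
    ssids: set = field(default_factory=set)
    host_networks: set = field(default_factory=set)   # CIDR strings
    dns_suffixes: set = field(default_factory=set)


def match_count(env: NetworkEnvironment, obs: Observed) -> Optional[int]:
    """Number of specified criteria satisfied, or None if any specified criterion fails."""
    checks = [
        (env.gateway_ips, lambda: obs.gateway_ip in env.gateway_ips),
        (env.gateway_macs, lambda: _mac(obs.gateway_mac) in {_mac(m) for m in env.gateway_macs}),
        (env.dns_servers, lambda: bool(obs.dns_servers & env.dns_servers)),
        (env.dhcp_servers, lambda: obs.dhcp_server in env.dhcp_servers),
        (env.dhcp_macs, lambda: obs.dhcp_mac is not None
                                and _mac(obs.dhcp_mac) in {_mac(m) for m in env.dhcp_macs}),
        (env.wins_servers, lambda: obs.wins_server in env.wins_servers),
        (env.adapter_names, lambda: obs.adapter_name in env.adapter_names),
        (env.ssids, lambda: obs.ssid in env.ssids),
        (env.host_networks, lambda: any(ip_address(obs.host_ip) in ip_network(n)
                                        for n in env.host_networks)),
        (env.dns_suffixes, lambda: obs.dns_suffix.lower() in {s.lower() for s in env.dns_suffixes}),
    ]
    satisfied = 0
    for specified, ok in checks:
        if not specified:
            continue
        if not ok():
            return None
        satisfied += 1
    return satisfied


def resolve_location(locations: dict, obs: Observed, unknown: str = "Unknown") -> str:
    """locations maps a location name to its NetworkEnvironments; best match wins.
    An environment that specifies no criteria can never identify a location."""
    best_name, best_score = unknown, 0
    for name, envs in locations.items():
        for env in envs:
            score = match_count(env, obs)
            if score is not None and score > best_score:
                best_name, best_score = name, score
    return best_name


# Constructed sample data (not from the presentation).
LOCATIONS = {
    "Office": [NetworkEnvironment("HQ wired",
                                  gateway_ips={"10.0.0.1"},
                                  gateway_macs={"00:11:22:33:44:55"},
                                  dns_suffixes={"corp.example"},
                                  host_networks={"10.0.0.0/16"})],
    "Home": [NetworkEnvironment("home wifi", ssids={"ferre-home"})],
}
OBS_OFFICE = Observed("10.0.0.1", "00-11-22-33-44-55", frozenset({"10.0.0.53"}), "10.0.0.2",
                      None, None, "Local Area Connection", None, "10.0.4.20", "corp.example")
OBS_CAFE = Observed("192.168.1.1", "aa:bb:cc:dd:ee:ff", frozenset({"192.168.1.1"}), "192.168.1.1",
                    None, None, "Wireless Network Connection", "FreeWifi", "192.168.1.77", "lan")
# Same gateway IP and DNS suffix as the office but a different gateway MAC: not the office.
OBS_LOOKALIKE = Observed("10.0.0.1", "de:ad:be:ef:00:01", frozenset({"10.0.0.53"}), "10.0.0.2",
                         None, None, "Wireless Network Connection", "FreeWifi", "10.0.4.20",
                         "corp.example")

if __name__ == "__main__":
    for label, obs in (("office", OBS_OFFICE), ("cafe", OBS_CAFE), ("lookalike", OBS_LOOKALIKE)):
        print(label, "->", resolve_location(LOCATIONS, obs))
```

Every one of these criteria is observable from, and reproducible on, a hostile network: a rogue access point can hand out the corporate gateway IP, gateway MAC, DNS servers and DNS suffix via its own DHCP server. A location that relaxes the firewall or USB controls should therefore require several criteria together, and the Unknown location should stay the most restrictive one (which is also why VPN enforcement, later in the deck, triggers from it).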
16. Novell ZENworks Endpoint Security Management (ZESM) Policies
    1. Application Control
    2. Communications Hardware Control
    3. Encryption
    4. Firewall
    5. Location Assignment
    6. Security Settings
    7. Storage Device Control
    8. USB Connectivity
    9. VPN Enforcement
    10. Wireless Control
17. Policy Assignment
    • Assign policies to users, devices, or groups
      – Some policies are assignable only to devices (e.g. data encryption)
    • Assign “default” policies for the entire enterprise
18. Policy Conflict: Device vs. User
    • Device Only: applies only the policies associated with the device and ignores the policies associated with the user. This is the default value.
    • User Only: applies only the policies associated with the user and ignores the policies associated with the device.
    • User Last: not supported by ZESM.
    • Device Last: not supported by ZESM.
    NOTE: The Policy Conflict Resolution setting is taken from the device-associated policy with the highest precedence.
19. Policy Assignment and Session Application Handling
    Policy assignment:
    • Assignment precedence, most specific first: User, User Group, Folder; Device, Device Group, Folder. A user assignment takes precedence over a user group assignment.
    • Location takes precedence over global: a location-assigned policy’s settings override the globally assigned policy’s settings.
    • At the time of device assignment, you select “user only” or “device only” to handle conflicts between user and device assignments.
    • Apply the most restrictive rule first: more restrictive is block/disable, less restrictive is allow/enable.
    • Note: some settings will have “Apply Global Settings” as an option in the policy’s enforcement.
    Session application:
    • Note: during “Session Application” the assigned policies may be carried over from the “Device”, “Enterprise”, or “Resource” policies. If the policy is device only, it is carried over into the “session” application phase. When policies are carried over, the same precedence (location over global, most restrictive wins) still applies.
20. Policy Application
    Pre-login (root policy) versus session application (session policy). Session application is triggered by:
    1. Normal login (including SmartCard integration)
    2. Right-clicking the Zicon and selecting “Log In”
    3. Command-line-based login (development only)
    Flow:
    1. Start: apply the “Enterprise” policy.
    2. Initial installation: if there are no “Device” or “Enterprise” policies for a policyette, apply the “Resource” policy (no policy published, no enforcement).
    3. Post desktop (update session policy, if different from the current boot policy): apply any assigned policies per policyette, leaving “Enterprise” policy enforcement in place where no policyette is assigned to the “User”. This overrides the other policies from the “Boot Policy”.
    4. Log out: the agent returns to the policy enforced from the “Boot Policy” and does not “unpublish”.
    In short: Post Desktop: if (sessionPolicy) override Boot Policy, else apply Boot Policy and do NOT mark it as “session policy”. Logout: don’t “unpublish” policies; apply Boot Policy and do NOT mark it as “session policy”.
21. Policy Application Sequence
    Starting from the Session Policy (A) and falling through to the Enterprise Policy (B) and then the Resource Policy (C, the Boot Policy), with location settings checked before global settings at each level. Policy application order:
    1. Session/Location
    2. Session/Global
    3. Enterprise/Location
    4. Enterprise/Global
    5. Resource/Location
    6. Resource/Global
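Slides 18 through 21 together describe a small state machine: which assignment set feeds the session policy (Device Only or User Only), the six-step order that picks a winner per policyette, and the boot/login/logout transitions. The following is an added example, not ZESM code, that encodes that behaviour. It assumes a "policyette" is one policy type (firewall, usb, ...), that the Resource policy is the unenforced fallback, and that device- and user-assigned policies are tagged as "session" policies because they only apply after session application; the policy names and assignments are constructed.

```python
"""Policy application order and login/logout handling (illustrative)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

SOURCE_ORDER = ("session", "enterprise", "resource")
SCOPE_ORDER = ("location", "global")
# 1. Session/Location, 2. Session/Global, ... 6. Resource/Global (slide 21)
APPLICATION_ORDER = [(s, sc) for s in SOURCE_ORDER for sc in SCOPE_ORDER]


@dataclass(frozen=True)
class Policy:
    name: str
    kind: str                       # the policyette: "firewall", "usb", "wifi", ...
    source: str                     # "session" | "enterprise" | "resource"
    scope: str = "global"           # "global" | "location"
    location: Optional[str] = None  # required when scope == "location"


def resolve(candidates: List[Policy], location: str) -> Dict[str, Policy]:
    """Per policyette, the first candidate in APPLICATION_ORDER wins.
    Location-scoped policies only count while the device is in that location."""
    winners: Dict[str, Policy] = {}
    for kind in {p.kind for p in candidates}:
        for source, scope in APPLICATION_ORDER:
            hit = [p for p in candidates
                   if p.kind == kind and p.source == source and p.scope == scope
                   and (scope == "global" or p.location == location)]
            if hit:
                winners[kind] = hit[0]
                break
    return winners


class Agent:
    """Boot policy before login, session policy after login, boot policy again on logout."""

    def __init__(self, enterprise, resource, device_assigned, user_assigned,
                 conflict: str = "Device Only"):
        if conflict not in ("Device Only", "User Only"):
            raise ValueError("User Last / Device Last are not supported by ZESM")
        self.enterprise, self.resource = enterprise, resource
        self.device_assigned, self.user_assigned = device_assigned, user_assigned
        self.conflict = conflict
        self.session: Optional[List[Policy]] = None   # None means not logged in

    def effective(self, location: str) -> Dict[str, Policy]:
        cands = list(self.enterprise) + list(self.resource)      # the boot policy
        if self.session is not None:
            cands = list(self.session) + cands                   # session overrides boot
        return resolve(cands, location)

    def login(self) -> None:
        # Device Only ignores user-assigned policies; User Only ignores device-assigned ones.
        self.session = (self.device_assigned if self.conflict == "Device Only"
                        else self.user_assigned)

    def logout(self) -> None:
        # Nothing is "unpublished": the boot policy (enterprise, else resource) is reapplied.
        self.session = None


# Constructed sample assignments (not from the presentation).
ENTERPRISE = [Policy("ent-fw", "firewall", "enterprise"),
              Policy("ent-usb", "usb", "enterprise")]
RESOURCE = [Policy("res-fw", "firewall", "resource"),
            Policy("res-usb", "usb", "resource"),
            Policy("res-wifi", "wifi", "resource")]
DEVICE_ASSIGNED = [Policy("dev-fw-office", "firewall", "session", "location", "Office"),
                   Policy("dev-fw", "firewall", "session")]
USER_ASSIGNED = [Policy("user-usb", "usb", "session")]


def walkthrough(conflict: str, location: str) -> List[str]:
    """Effective policy per policyette at boot, after login and after logout."""
    agent = Agent(ENTERPRISE, RESOURCE, DEVICE_ASSIGNED, USER_ASSIGNED, conflict)
    lines = []
    for step in ("boot", "login", "logout"):
        if step == "login":
            agent.login()
        elif step == "logout":
            agent.logout()
        eff = agent.effective(location)
        lines.append(f"{step}: " + ", ".join(f"{k}={eff[k].name}" for k in sorted(eff)))
    return lines


if __name__ == "__main__":
    for line in walkthrough("Device Only", "Office"):
        print(line)
```

Note what the order implies for an attacker with a local account: under Device Only, logging in as a different user cannot loosen anything, because user assignments are ignored entirely; under User Only, a user with a more permissive assignment gets it even on a hardened device, and the device falls back to the enterprise policy only between logout and the next login.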
22. Create New Policy Wizard
23. Create New Policy Wizard (cont.)
24. Application Control
    • Policy summary: block the execution or network access of known applications by file name
    • Location based: global and location (identical)
    • Conflict resolution: cumulative (merge policies)
      – Merge/conflict rules: most restrictive wins, in the order
        > Block execution
        > Block network
        > Allow
25. Application Control (cont.)
26. Communications Hardware Control
    • Policy summary: enable and disable communications devices and adapters
    • Location based: global and location
    • Conflict resolution: cumulative (merge policies)
      – Merge/conflict rules: most restrictive wins, in the order
        > Disable All Access
        > Disable when wired
        > Allow All Access
        > Apply Global Settings (user, device, enterprise, resource)
27. Communications Hardware Control (cont.)
28. Communications Hardware Control (cont.)
29. Communications Hardware Control (cont.)
30. Encryption
    • Policy summary: file-based encryption for folders on fixed disk and removable storage
    • Location based: global only (and device based only)
    • Conflict resolution: cumulative (merge policies)
      – Merge/conflict rules:
        > Merge safe-harbor locations and key lists
        > If encryption is applied by a policy, do not remove it and decrypt on policy changes unless the change is to the policy that was published with encryption
        > Passwords for decryption need to be merged
        > “Require strong password” versus no strong password: the strong-password requirement is most restrictive and wins (is enforced)
        > If two policies conflict, one encrypting the RSD (removable storage device) and the other not, encryption wins (the RSD is encrypted)
31. Encryption (cont.)
32. Encryption Key Management
33. Firewall
    • Policy summary: stateful firewall operating at driver level
    • Location based: global and location
    • Conflict resolution: cumulative (merge policies)
      – Enforced as a single merged policy per location
      – Merge/conflict rules:
        > Layer 2 ACL trumps layer 3 ACL
        > ACL trumps port rule
        > Most restrictive ACL or port rule wins against the same rule type (ACL vs. ACL, port vs. port)
    • Order of application:
      – Default behavior: open, stateful, closed
      – Port rules: open, stateful, closed
      – ACLs: no port rules, port rules
      – nACLs: port rules, no port rules
34. Firewall (cont.)
35. Location Assignment
    • Policy summary: used to control which locations are applicable to a user/device and thus which security policies are assigned
    • Location based: global only
    • Conflict resolution: cumulative (merge policies)
      – Merge/conflict rules:
        > Allow Manual Change: most restrictive is “don’t allow manual change”, so on conflict manual change is not allowed
        > Show Location in Agent List: most restrictive is “not shown in list”, so on conflict the location is not shown in the agent list
        > Display message: show all messages if multiple exist
36. Location Assignment (cont.)
37. Security Settings
    • Policy summary: security settings for the Novell ZENworks Endpoint Security Management (ZESM) agent
    • Location based: global only
    • Conflict resolution: cumulative (merge policies)
      – Merge/conflict rules:
        > Uninstall Password: allow multiple values
        > Password Override: allow multiple values
        > Enable client self defense: “enabled” is most restrictive and is used if any policy sets it. Changed to a drop-down box: “enabled”, “disabled”, or “no change”
38. Security Settings (cont.)
39. Storage Device Control
    • Policy summary: control storage devices (disable/read-only)
    • Location based: global and location
    • Conflict resolution: cumulative (merge policies)
      – Merge/conflict rules:
        > AutoPlay/AutoRun: Disable AutoPlay is most restrictive, then Disable AutoRun, then Enable, then Apply Global
        > Access: Disable is most restrictive, then Read-only, then Allow, then Apply Global
40. Storage Device Control (cont.)
41. USB Connectivity
    • Policy summary: control all USB devices (not just storage)
    • Location based: global and location
    • Conflict resolution: cumulative (merge policies)
      – Merge/conflict rules:
        > Apply Global on the 2 “General Settings”
        > Apply Default on the 4 “Device Group Access Settings”
        > “Disable USB devices” is most restrictive and wins
        > Merge with most restrictive on the USB Device Access Settings; there is also a checkbox for “merge global”
42. USB Connectivity (cont.)
43. USB Connectivity: Preferred Devices
    General control:
    1. USB Devices: “Allow All Access” or “Disable All Access”. This is the overall USB handling.
    2. Default Device Access: “Allow All Access” or “Disable All Access”. This is how devices not covered by the device group access or advanced settings are handled.
    3. Device Group Access settings: a) Human Interface Device (HID), b) Mass Storage Class, c) Printing Class, and d) Scanning/Imaging (PTP)
    4. Advanced settings: a) “Default Device Access”, b) “Always Allow”, c) “Always Block”, d) “Allow”, or e) “Block”
44. USB Connectivity: Preferred Devices (cont.)
    Device-specific control:
    1. Manufacturer
    2. Product
    3. Friendly Name
    4. Serial Number
    5. USB Version: 4 hex chars, 0 to FFFF (http://www.linux-usb.org/usb.ids). The version is in Binary Coded Decimal; current legal values are 100, 110, and 200, with 300 currently being worked on.
    6. Device Class: 00h through FFh (first two chars hex, final char always h) (http://www.usb.org/developers/defined_class)
    7. Device Sub-Class: 00h through FFh (first two chars hex, final char always h) (http://www.usb.org/developers/defined_class)
45. USB Connectivity: Preferred Devices (cont.)
    8. Device Protocol: 00h through FFh (first two chars hex, final char always h) (http://www.usb.org/developers/defined_class)
    9. Vendor ID: 4 hex chars (http://www.linux-usb.org/usb.ids)
    10. Product ID: 4 hex chars (http://www.linux-usb.org/usb.ids)
    11. BCD Device: 4 hex chars, 0 to FFFF (http://www.linux-usb.org/usb.ids); the device version for the given vendor ID and product ID, in Binary Coded Decimal
    12. OS Device ID: OS dependent (Windows: a string starting with one of the well-known device groups, such as USB or USBStor; sometimes referred to as the PnP ID)
    13. OS Device Class: OS dependent (Windows: GUID in brace form, used to group devices in Device Manager)
    14. Comment
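How the general controls on slide 43 combine with the device-specific attributes on slides 44 and 45 is easiest to see in code. The following is an added example, not ZESM code. The evaluation order is my reading of slide 43, which the deck does not spell out: "Disable All Access" for USB Devices blocks everything; a matching "Always Allow"/"Always Block" rule decides next; then the Device Group Access setting for the device's class; then a plain "Allow"/"Block" rule; finally Default Device Access. A rule matches when every attribute it specifies matches the device; unspecified attributes are wildcards. The class-to-group mapping uses the base class codes from usb.org's defined-class list (03h HID, 06h still imaging, 07h printer, 08h mass storage); the policy, vendor/product IDs and devices are constructed.

```python
"""Matching a USB device against Preferred Devices rules (illustrative)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Base class codes from the usb.org defined-class list, mapped to the slide 43 groups.
CLASS_GROUPS = {0x03: "HID", 0x06: "Scanning/Imaging", 0x07: "Printing", 0x08: "Mass Storage"}


def parse_class_code(text: str) -> int:
    """'08h' -> 8: exactly two hex chars followed by a literal h (slides 44/45)."""
    m = re.fullmatch(r"([0-9A-Fa-f]{2})h", text.strip())
    if not m:
        raise ValueError(f"bad class code {text!r}")
    return int(m.group(1), 16)


def parse_hex16(text: str) -> int:
    """'0781' -> 0x0781: up to four hex chars (vendor/product ID, USB version, BCD Device)."""
    t = text.strip()
    if not re.fullmatch(r"[0-9A-Fa-f]{1,4}", t):
        raise ValueError(f"bad 16-bit hex field {text!r}")
    return int(t, 16)


def bcd_version(value: int) -> str:
    """Binary Coded Decimal version field: 0x0200 -> '2.00', 0x0110 -> '1.10'."""
    return f"{value >> 8:x}.{(value >> 4) & 0xF:x}{value & 0xF:x}"


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int
    product_id: int
    device_class: int
    sub_class: int
    protocol: int
    usb_version: int
    bcd_device: int
    manufacturer: str = ""
    product: str = ""
    serial: str = ""


@dataclass
class DeviceRule:
    access: str                                          # Always Allow/Always Block/Allow/Block
    match: Dict[str, str] = field(default_factory=dict)  # attribute -> value as typed in ZCC
    comment: str = ""


def rule_matches(rule: DeviceRule, dev: UsbDevice) -> bool:
    for attr, wanted in rule.match.items():
        have = getattr(dev, attr)
        if isinstance(have, int):
            want = parse_class_code(wanted) if wanted.endswith("h") else parse_hex16(wanted)
            if have != want:
                return False
        elif have.lower() != wanted.lower():
            return False
    return True


@dataclass
class UsbPolicy:
    usb_devices: str = "Allow All Access"            # overall USB handling
    default_device_access: str = "Allow All Access"
    group_access: Dict[str, str] = field(default_factory=dict)  # group -> Allow/Disable All Access
    rules: List[DeviceRule] = field(default_factory=list)


def decide(policy: UsbPolicy, dev: UsbDevice) -> Tuple[str, str]:
    """Return ('allow' | 'block', reason) under the assumed evaluation order."""
    if policy.usb_devices == "Disable All Access":
        return "block", "USB Devices: Disable All Access"
    hits = [r for r in policy.rules if rule_matches(r, dev)]
    for r in hits:                                   # Always * beats the group setting
        if r.access == "Always Allow":
            return "allow", f"Always Allow ({r.comment})"
        if r.access == "Always Block":
            return "block", f"Always Block ({r.comment})"
    group = CLASS_GROUPS.get(dev.device_class)
    setting = policy.group_access.get(group, "Default Device Access") if group else "Default Device Access"
    if setting != "Default Device Access":            # group setting beats plain Allow/Block
        return ("allow" if setting == "Allow All Access" else "block"), f"device group {group}: {setting}"
    for r in hits:
        if r.access in ("Allow", "Block"):
            return r.access.lower(), f"{r.access} ({r.comment})"
    return ("allow" if policy.default_device_access == "Allow All Access" else "block"), "Default Device Access"


# Constructed sample policy and devices; vendor/product IDs and serials are made up.
POLICY = UsbPolicy(
    default_device_access="Disable All Access",
    group_access={"Mass Storage": "Disable All Access", "HID": "Allow All Access"},
    rules=[
        DeviceRule("Always Allow", {"vendor_id": "1234", "product_id": "5678", "serial": "CORP-0042"},
                   comment="issued encrypted stick"),
        DeviceRule("Block", {"device_class": "03h", "manufacturer": "Acme"}, comment="cheap keyboards"),
        DeviceRule("Allow", {"device_class": "0Eh"}, comment="webcams"),
    ],
)
ISSUED_STICK = UsbDevice(0x1234, 0x5678, 0x08, 0x06, 0x50, 0x0200, 0x0100, "Corp", "Stick", "CORP-0042")
RANDOM_STICK = UsbDevice(0x1234, 0x5678, 0x08, 0x06, 0x50, 0x0200, 0x0100, "Corp", "Stick", "CORP-9999")
ACME_KEYBOARD = UsbDevice(0x0ACE, 0x0001, 0x03, 0x01, 0x01, 0x0110, 0x0001, "Acme", "KB", "")
WEBCAM = UsbDevice(0x0CAF, 0x0002, 0x0E, 0x01, 0x00, 0x0200, 0x0003, "Cam", "Cam", "")
AUDIO = UsbDevice(0x0CAF, 0x0003, 0x01, 0x01, 0x00, 0x0200, 0x0003, "Cam", "Mic", "")

if __name__ == "__main__":
    for name, dev in (("issued stick", ISSUED_STICK), ("random stick", RANDOM_STICK),
                      ("acme keyboard", ACME_KEYBOARD), ("webcam", WEBCAM), ("audio", AUDIO)):
        print(f"{name} (USB {bcd_version(dev.usb_version)}):", decide(POLICY, dev))
```

Two caveats when building an allow list this way. Vendor ID, product ID, serial number and the descriptor strings are all reported by the device itself, so a malicious device can present whatever identity an "Always Allow" rule expects, and keystroke-injecting devices deliberately enumerate as a plain HID keyboard; treat this as policy enforcement against ordinary devices, not as device authentication. Composite devices also commonly report device class 00h and carry the real class on each interface, so a production matcher has to classify by interface descriptor, which this example, keying on device class only, does not.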
46. Device versus Storage Control: how Windows enumerates devices
    • Bus type (e.g. USB): “Disable All Access” for USB works at this level, disabling the bus itself
    • Device type (printer, storage, keyboard, mouse, as shown in Windows Device Manager): USB Connectivity works at this level for USB-type devices
    • Volume: Storage Device Control works at this level
47. Device Scanner Tool
48. VPN Enforcement
    • Policy summary: ensure all communications are encrypted when the device is remote/mobile
    • Location based: global and location
    • Conflict resolution: singular
      – Merge/conflict rules:
        > Singular only: ZENworks Control Center (ZCC) only hands down the most recently assigned policy
        > Closest wins, then ordering for policies
49. VPN Enforcement (cont.)
    • Required components/configuration for VPN enforcement
      – Trigger location: typically the Unknown location
        > Stateful firewall to allow communication for authentication, etc.
      – Switch-to location: create one called “VPN location”
        > All-closed firewall with a single ACL to the VPN concentrator
        > No network environment for the location
        > When Internet access is verified, the agent changes to this location and locks down
      – Launch
        > Can launch a link for an SSL VPN, launch a file for a traditional VPN such as Cisco, or deliver a message
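The firewall merge rules on slide 33 and the "all closed with a single ACL to the VPN concentrator" location on slide 49 are both questions of how ACLs, port rules and the default behavior rank against one another. The following is an added example, not ZESM code, covering both: a layer 2 ACL trumps a layer 3 ACL, any ACL trumps a port rule, and between rules of the same type the most restrictive wins. Two things are my assumptions rather than the deck's: restrictiveness is closed/block, then stateful, then open/allow, and the merged default behavior is the most restrictive default among the policies in effect for the location. The evaluation is for inbound packets keyed on source MAC and source IP; the policies, addresses and packets are constructed.

```python
"""Firewall merge and evaluation order, plus a VPN-location policy (illustrative)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed ranking: lower is more restrictive.
RESTRICTIVENESS = {"closed": 0, "block": 0, "stateful": 1, "open": 2, "allow": 2}


def _most_restrictive(actions: List[str]) -> str:
    return min(actions, key=RESTRICTIVENESS.__getitem__)


@dataclass(frozen=True)
class Acl:
    layer: int       # 2 = MAC address, 3 = IP address
    target: str
    action: str      # "allow" | "block"


@dataclass(frozen=True)
class PortRule:
    proto: str       # "tcp" | "udp"
    port: int
    action: str      # "open" | "stateful" | "closed"


@dataclass
class FirewallPolicy:
    name: str
    default: str     # default behavior: "open" | "stateful" | "closed"
    acls: List[Acl]
    port_rules: List[PortRule]


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    proto: str
    dst_port: int


def merge(policies: List[FirewallPolicy]) -> FirewallPolicy:
    """One enforced firewall per location: same-type rules for the same target
    or port merge to the most restrictive action, as do the default behaviors."""
    acls: Dict[Tuple[int, str], List[str]] = {}
    ports: Dict[Tuple[str, int], List[str]] = {}
    for p in policies:
        for a in p.acls:
            acls.setdefault((a.layer, a.target.lower()), []).append(a.action)
        for r in p.port_rules:
            ports.setdefault((r.proto, r.port), []).append(r.action)
    return FirewallPolicy(
        name="+".join(p.name for p in policies),
        default=_most_restrictive([p.default for p in policies]),
        acls=[Acl(layer, target, _most_restrictive(acts)) for (layer, target), acts in acls.items()],
        port_rules=[PortRule(proto, port, _most_restrictive(acts)) for (proto, port), acts in ports.items()],
    )


def evaluate(fw: FirewallPolicy, pkt: Packet) -> Tuple[str, str]:
    """Layer 2 ACL, then layer 3 ACL, then port rule, then default behavior."""
    for layer, key in ((2, pkt.src_mac.lower()), (3, pkt.src_ip)):
        for a in fw.acls:
            if a.layer == layer and a.target.lower() == key:
                return a.action, f"layer {layer} ACL {a.target}"
    for r in fw.port_rules:
        if r.proto == pkt.proto and r.port == pkt.dst_port:
            return r.action, f"port rule {r.proto}/{r.port}"
    return fw.default, "default behavior"


# Constructed sample: two policies both in effect for the same location (slide 33).
CORP = FirewallPolicy("corp", "stateful",
                      acls=[Acl(3, "10.0.0.5", "allow"), Acl(2, "00:11:22:33:44:55", "allow")],
                      port_rules=[PortRule("tcp", 443, "open"), PortRule("tcp", 3389, "open")])
HARDENED = FirewallPolicy("hardened", "closed",
                          acls=[Acl(3, "10.0.0.5", "block")],
                          port_rules=[PortRule("tcp", 443, "stateful"), PortRule("tcp", 22, "closed")])
MERGED = merge([CORP, HARDENED])

# The slide 49 "VPN location": everything closed except a single ACL to the concentrator
# (203.0.113.10 is a documentation address, not a real concentrator).
VPN_LOCATION = FirewallPolicy("vpn-location", "closed",
                              acls=[Acl(3, "203.0.113.10", "allow")], port_rules=[])

if __name__ == "__main__":
    for fw, pkt in ((MERGED, Packet("00:11:22:33:44:55", "10.0.0.5", "tcp", 3389)),
                    (MERGED, Packet("de:ad:be:ef:00:01", "10.0.0.5", "tcp", 443)),
                    (MERGED, Packet("de:ad:be:ef:00:02", "10.0.0.9", "tcp", 443)),
                    (MERGED, Packet("de:ad:be:ef:00:02", "10.0.0.9", "udp", 53)),
                    (VPN_LOCATION, Packet("de:ad:be:ef:00:03", "203.0.113.10", "udp", 500)),
                    (VPN_LOCATION, Packet("de:ad:be:ef:00:03", "198.51.100.7", "tcp", 80))):
        print(fw.name, pkt, "->", evaluate(fw, pkt))
```

The merged result shows why "most restrictive wins" and "ACL trumps port rule" matter together: the corp policy's open RDP port survives the merge because the hardened policy says nothing about it, while the one host both policies name ends up blocked, and a layer 2 allow for the gateway MAC still overrides that block. For the VPN location, keep the ACL to the concentrator and nothing else; a stateful default there would quietly let any outbound connection through before the tunnel is up.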
50. VPN Enforcement (cont.)
51. Wireless Control
    • Policy summary: control Wi-Fi access to SSIDs, minimum security levels, etc.
    • Location based: global and location
    • Conflict resolution: cumulative (merge policies)
      – Merge/conflict rules:
        > Disable ad hoc: most restrictive
        > Block Wi-Fi: most restrictive
        > Disable Wi-Fi transmissions: most restrictive
        > Merge APs: for managed access points, on a conflict of key on the same index take the latest (date modified first, then version of the policy second)
        > Minimum wireless security: most restrictive
52. Wireless Control (cont.)
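Several of the cumulative policies share one mechanism: rank the candidate values, take the most restrictive, and treat "Apply Global" as a deferral rather than a value. The following is an added example, not ZESM code, that implements that merge with the rank orders the deck gives for Application Control (slide 24), Communications Hardware Control (slide 26) and Storage Device Control (slide 39), the boolean "most restrictive" settings of Wireless Control (slide 51), and the managed-access-point key merge from the same slide. It assumes "Apply Global" loses to any concrete value and, when every policy defers, resolves to the global-scope setting; the policy contents are constructed.

```python
"""Cumulative ("merge policies") conflict resolution (illustrative)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional

APPLY_GLOBAL = "apply global"

# Rank tables from the slides: index 0 is the most restrictive value.
RANKS: Dict[str, tuple] = {
    "app_control":    ("block execution", "block network", "allow"),
    "comm_hardware":  ("disable all access", "disable when wired", "allow all access"),
    "storage_access": ("disable", "read-only", "allow"),
    "storage_auto":   ("disable autoplay", "disable autorun", "enable"),
}


def most_restrictive(setting: str, values: Iterable[str],
                     global_value: Optional[str] = None) -> str:
    """Merge one setting across policies: the most restrictive concrete value wins;
    if every policy says 'apply global', the global-scope value is used."""
    ranks = RANKS[setting]
    concrete = [v for v in values if v != APPLY_GLOBAL]
    if not concrete:
        if global_value is None or global_value == APPLY_GLOBAL:
            raise ValueError(f"{setting}: nothing but 'apply global' and no global value")
        concrete = [global_value]
    for v in concrete:
        if v not in ranks:
            raise ValueError(f"{setting}: unknown value {v!r}")
    return min(concrete, key=ranks.index)


def merge_bool_restrictive(values: Iterable[bool]) -> bool:
    """Disable ad hoc / Block Wi-Fi / Disable Wi-Fi transmissions: on if any policy sets it."""
    return any(values)


def merge_app_control(policies: Iterable[Dict[str, str]]) -> Dict[str, str]:
    """Union of file names across policies; per file name the most restrictive action wins."""
    actions: Dict[str, List[str]] = {}
    for policy in policies:
        for exe, action in policy.items():
            actions.setdefault(exe.lower(), []).append(action)
    return {exe: most_restrictive("app_control", acts) for exe, acts in actions.items()}


@dataclass(frozen=True)
class ManagedAP:
    ssid: str
    key_index: int
    key: str
    policy_modified: date
    policy_version: int


def merge_managed_aps(aps: Iterable[ManagedAP]) -> Dict[tuple, ManagedAP]:
    """Same SSID and key index from two policies: take the entry from the latest
    policy (modification date first, policy version second)."""
    out: Dict[tuple, ManagedAP] = {}
    for ap in aps:
        key = (ap.ssid, ap.key_index)
        cur = out.get(key)
        if cur is None or (ap.policy_modified, ap.policy_version) > (cur.policy_modified, cur.policy_version):
            out[key] = ap
    return out


def demo() -> Dict[str, object]:
    """Constructed sample merges (not from the presentation)."""
    location_policy = {"tftp.exe": "block network", "chat.exe": "allow"}
    global_policy = {"TFTP.EXE": "block execution", "nc.exe": "block execution"}
    return {
        "apps": merge_app_control([location_policy, global_policy]),
        "hw": most_restrictive("comm_hardware", ["allow all access", APPLY_GLOBAL, "disable when wired"]),
        "storage": most_restrictive("storage_access", [APPLY_GLOBAL, APPLY_GLOBAL], global_value="read-only"),
        "auto": most_restrictive("storage_auto", ["enable", "disable autorun"]),
        "block_wifi": merge_bool_restrictive([False, True, False]),
        "aps": merge_managed_aps([
            ManagedAP("corp", 1, "old-key", date(2010, 9, 1), 3),
            ManagedAP("corp", 1, "new-key", date(2010, 10, 15), 1),
            ManagedAP("corp", 1, "same-day-newer", date(2010, 10, 15), 2),
        ]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The practical consequence of "most restrictive wins" is that a location policy can only tighten, never loosen, what the global policy already blocks; to grant an exception for one location you have to remove the restriction from the global policy and re-add it in every other location. Note also that the managed-AP merge is the one rule here that is not most-restrictive: it is last-writer-wins, so a stale policy with a later modification date can silently replace a newer key.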
53. Enterprise Policy Settings
    • ZCC path: “Configuration” link, “Configuration” tab, “Management Zone Settings” snapshot, “Endpoint Security Management”, “Enterprise Policy Settings”
54. Agent Deployment
    • ZCC path: “Configuration” link, “Configuration” tab, “Management Zone Settings” snapshot, “Device Management”, “ZENworks Agent” (install, enable/disable, and reboot)
55. Override Password Generator
56. Licensing/Solution Activation
    • ZCC path: “Configuration” link, “Configuration” tab, “Licenses” snapshot, “Novell ZENworks Endpoint Security Management” link
57. Questions and Answers
58. Unpublished Work of Novell, Inc. All Rights Reserved.
    This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
    General Disclaimer
    This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.