Check Point Endpoint Security - Media Encryption


1 Check Point Endpoint Security - Media Encryption
Version 4.93

2 Course Objectives
Chapter 1: Endpoint Security Media Encryption Overview
- Apply Endpoint Security Media Encryption in a corporate environment where appropriate, based on Protector's use and methodology.
- Given your corporate network's structure and security policies, select the Endpoint Security Media Encryption components best suited to address security requirements.
- Given corporate requirements, install and configure Endpoint Security Media Encryption Server.
Chapter 2: Deploying Endpoint Security Media Encryption
- Determine the most appropriate settings necessary to apply corporate requirements using the Endpoint Security Media Encryption Management Console.
- Create and apply profile templates using Device Manager, Removable Media Manager, Encryption Policy Manager, and Program Security Guard.
- Create and apply users, computers, and user and computer groups for Endpoint Security Media Encryption according to corporate Security Policy requirements.
- Install and deploy Endpoint Security Media Encryption Client.

3 Course Objectives (cont.)
Chapter 3: Endpoint Security Media Encryption Client
- Test the deployed profiles using pre-constructed security risks.
- Execute actions to initiate alerts for PSG, RMM and EPM.
- Add a new device using the Device Configuration Editor in the management console, and test the new device from the client.
- Encrypt, decrypt and verify removable media using the Encryption Policy Manager.
Chapter 4: Logging, Auditing and Reporting
- Use Pointsec Protector's internal logging and auditing functions to track and monitor user actions.
- Configure and execute reports based on Endpoint Security Media Encryption audit events using pre-configured reports.
- By filtering audit events, identify a new device to add into Device Manager using the Device Configuration Editor in the administration console.

4 Preface Welcome to the Check Point Endpoint Security Media Encryption course. This course provides an understanding of basic concepts and skills necessary to configure and manage Pointsec Protector. During this course, you will configure a Protector Server to manage client machines, and learn about managing and monitoring client media access. (See “Course Objectives” in this handbook for a list of objectives.) Follow along as the class progresses, and take notes for future reference.

5 Course Layout
The following professionals benefit most from this course:
- Systems administrators
- Support analysts
- Network engineers
Check Point Certified Specialist – Endpoint Security Media Encryption (CPCS-ESME)
The Check Point Certified Specialist – Endpoint Security Media Encryption (CPCS-ESME) certification is designed for partners and customers seeking to validate their knowledge of Check Point's Media Encryption product, formerly known as Pointsec Protector. This certification signifies that an individual has passed the CPCS-Media Encryption exam, and has demonstrated the knowledge required to configure and implement Check Point Media Encryption on an enterprise network.

6 Recommended Setup for Labs
Supplemental Materials: USB Drive
A Note on using VMware: VMware is not supported by Check Point. If you choose to use VMware for these labs, VMware 6.x or greater is recommended. Use the VMware "guest" machine for the Endpoint Security Media Encryption Server. Use the VMware "host" machine for the Endpoint Security Media Encryption Client.

7 Recommended Lab Topology

8 Recommended Lab Topology
IP Addresses (address table not preserved in this transcript): Rome (Media Encryption Server, Media Encryption Client), Oslo, Toronto, Madrid, Zurich, Cambridge, Sydney, Singapore

9 Chapter 1: Endpoint Security Media Encryption Overview
Objectives:
- Apply Endpoint Security Media Encryption in a corporate environment where appropriate, based on Protector's use and methodology.
- Given your corporate network's structure and security policies, select the Endpoint Security Media Encryption components best suited to address security requirements.
- Given corporate requirements, install and configure Endpoint Security Media Encryption Server.
Key Terms:
- Removable Media Manager (RMM)
- Program Security Guard (PSG)
- Device Manager (DM)
- Encryption Policy Manager (EPM)

10 The Threats
- Unauthorized access
- Unauthorized media use
- Theft of company data
- Introduction of unauthorized files
- Introduction of unlicensed software
- Maintaining PC integrity
- No control of data-flow into and out of the company

11 About Endpoint Security Media Encryption
- Transparently encrypts removable media, including USB Flash Drives and Removable Hard Disks, using a 128-bit AES algorithm
- Is independently certified
- Deploys quickly, which meets compliance objectives and conserves resources
- Controls input and output on all connection ports
- Centrally manages devices individually by type, brand, or model
- Scales to meet the needs of any size enterprise or government agency
- Provides a complete audit of device usage
- Integrates transparently with Windows 2000/2003 Active Directory and Novell eDirectory
- Maintains high productivity because the application runs transparently to users

12 About Endpoint Security Media Encryption
Endpoint Security Media Encryption Elements and Features
Two basic elements:
- Endpoint Security Media Encryption Server
- Endpoint Security Media Encryption Client
Five (5) Key Components:
- Device Management
- Removable Media Management
- Encryption Policy Manager
- Program Security Guard
- Auditing

13 Device Manager
DEVICE MANAGER
- Supports both Black and White List security
- Controls the use of removable media I/O devices on all connection ports (USB, Firewire, IDE, etc.), both known and unknown
- Manages devices by type, brand, model or individual device
- Prevents the installation of unknown devices
Endpoint Security Media Encryption contains the ability to control the many different types of devices that can be used on a client workstation. Device Manager can be considered the first line of protection that Endpoint Security Media Encryption provides, by managing the use of these devices and/or ports. Device Manager can be configured to allow full, read-only or no access to any device type, i.e., floppy disks, USB removable storage, etc. Access to both known and unknown devices is permitted from all ports, including USB, Firewire and Bluetooth. This control stops known and unknown malicious code infestation (i.e., viruses, worms, Trojans and spyware). In addition:
- Device-specific settings can be applied based on the model or brand of the device.
- It supports both Black List and White List security.
- It prevents the installation of unknown devices.
Further granular control can be achieved for removable media devices using Removable Media Manager and the Encryption Policy Manager.

14 Removable Media Manager
REMOVABLE MEDIA MANAGER
- Digitally signs and approves devices
- Detects changes performed externally from the home network, where permitted, and enforces device policy verification
- Integrates automatically with most 3rd party anti-virus scanners
- Enforces a configurable content check of new devices
Endpoint Security Media Encryption is the only tool on the market to give you this level of authorisation for removable memory devices. We were the originators of this type of control and have been active in this area since. By using Removable Media Manager, you will be able to authorise individual media such as floppy disks, USB removable disks etc. for use on all your Endpoint Security Media Encryption workstations on your network. Once removable media has been authorised, it can be used in the Endpoint Security Media Encryption network environment. The Removable Media Manager:
- Provides virus scans, content scans, checks and authorises devices before use and each time they have left your organisation's environment, using a unique digital signature.
- Detects changes performed externally from the home network, where permitted, and enforces device policy verification.
- Integrates automatically with most 3rd party anti-virus scanners.
- Enforces a configurable content check of new devices.

15 Encryption Policy Manager
ENCRYPTION POLICY MANAGER
- Transparently secures removable media storage devices using strong encryption to prevent data leakage
- Enables secure offline access of encrypted devices without the need to install software or local admin rights
- Provides the ability to share encrypted data on a user, group, organization, or site level
- Supports encrypted device revocation and key recovery
The Encryption Policy Manager, or EPM, provides transparent encryption for removable media. All key management is provided by the server software, without the need to understand such things as key pairs. All encryption is performed seamlessly using AES (128 and 256 bit) encryption, and once media has been encrypted it appears as conventional media to the users that have been granted access. This transparency is a key feature of the Encryption Policy Manager. Only when a user is denied access to EPM media, or an attempt is made to access the encrypted data from a computer that is not part of your Endpoint Security Media Encryption secure environment, will the user be aware that the media is EPM protected. Security Administrators will be assured to know that they will have access to all data encrypted by anyone on the network, since the module supports a key escrow scheme. EPM enforces that all devices are encrypted prior to any data being transferred.
Offline access or access on trusted sites can be configured, and devices can be assigned to a unique user, group or organisation. Offline access can be provided without requiring any installations or administrative rights on third party machines.

16 Program Security Guard
PROGRAM SECURITY GUARD
- Prevents the introduction of malicious and unauthorized file types
- Blocks the creation, deletion, or modification of defined file types
- Allows "trusted" applications to bypass the process check
- Prevents the installation of unlicensed software
- Allows companies to become FAST compliant
Program Security Guard (PSG) is a simple-to-configure yet powerful feature of Pointsec Protector. PSG is used to block the introduction or modification of any file type you specify. This can be any executable file, such as EXE, DLL, SYS etc., media and audio files such as AVI, MP3, WMA etc., or it can be customised to include any other file type that you would like to control. All file types protected by PSG will be blocked from being introduced to the system from any location, including the Internet. For example, EXE files are blocked by default. This prevents new executable files from being copied to your network or hard drive.
It acts as a good back-up to your anti-virus software, since all malicious code is executable by nature. Certain processes, such as anti-virus scanning software and software deployment tools, are exempt from PSG control to allow them to function correctly. Other processes can be exempted if they have a need to either modify existing prohibited file types or add new prohibited file types from time to time.

17 Auditing
AUDITING
- Detailed auditing of attempted security breaches
- Complete audit of device usage (CD/DVD, USB, etc.) whether on or off the Network
- Client side filtering to ensure only relevant information is sent to the server
- Fully configurable filters and audit analysis report
- Configurable alerts and html reporting
Endpoint Security Media Encryption provides detailed logs of attempted security breaches. All events are centrally logged in the Endpoint Security Media Encryption Server's Microsoft SQL database, providing the ability to create structured queries and detailed reports, as well as e-mailed alerts.
Endpoint Security Media Encryption also provides central auditing of all file operations on CDs/DVDs and other removable media. The administrator can configure the auditing of certain events to produce alerts to defined addresses. All file operations on removable media devices, including attempted security breaches, can be monitored. In addition, configurable filters and audit analysis reporting of attempted security breaches are provided, stored in a MS SQL database. You have:
- Detailed auditing of attempted security breaches.
- Complete audit of device usage (floppy, CD/DVD, USB flash media, diskOnKey, etc.)
- Client side filtering to ensure only relevant information is sent to the server.
- Fully configurable filters and audit analysis reports.
- Configurable alerts and html reporting.

18 About Endpoint Security Media Encryption
Endpoint Security Media Encryption Architecture
Each Endpoint Security Media Encryption Server installation is comprised of three separate components:
- Endpoint Security Media Encryption Database
- Endpoint Security Media Encryption File Server
- Management Console

19 About Endpoint Security Media Encryption
Client Connections

20 About Pointsec Protector
License Handling
- Licenses available for Port Management and Media Encryption
- Some computers in a network may run:
  - Only Port Management enabled (Encryption tab is not available)
  - Only Media Encryption enabled (only the Encryption tab is available)
  - Both features enabled
- Run the License Manager and install additional licenses from either:
  - The central logs
  - The startup warning screen

21 Endpoint Security Media Encryption Server Installation
Lab 1: Endpoint Security Media Encryption Server Installation

22 Chapter 1: Review
- Where do most security breaches occur?
- List 5 general features of Pointsec Protector.
- What are the 4 main components of Endpoint Security Media Encryption responsible for controlling access to files in encrypted media?
- What two functions does the Endpoint Security Media Encryption file server perform?

23 Chapter 2: Deploying Pointsec Protector
Objectives:
- Determine the most appropriate settings necessary to apply corporate requirements using the Endpoint Security Media Encryption Management Console.
- Determine the profile type best suited to your specific requirements.
- Create and apply profile templates.
- Configure and apply Removable Media Manager.
- Configure and apply Encryption Policy Manager.
- Configure and apply Program Security Guard.
- Create and apply users, computers, and user and computer groups for Pointsec Protector according to corporate Security Policy requirements.
- Install and deploy Endpoint Security Media Encryption Client.

24 Chapter 2: Key Terms
- Endpoint Security Media Encryption Management Console
- Profile Templates
- User Groups
- Deployment Process
- Expreset.ini
- Media Revocation
- Device Manager (DM)
- Removable Media Manager (RMM)
- Encryption Policy Manager (EPM)
- Program Security Guard (PSG)

25 Endpoint Security Media Encryption Server
Configuration methodology:
1. Create the Security Policy.
2. Create the group or groups.
3. Add users to the group or groups.
4. Deploy the client to the end-users.

26 Endpoint Security Media Encryption Server (cont.)
Endpoint Security Media Encryption Management Console
- Allows system administrators to centrally manage Endpoint Security Media Encryption Client software
- Create and manage user/group-based policy profiles for the control of Removable Media Manager (RMM), Program Security Guard (PSG), Device Manager (DM), and Encryption Policy Manager (EPM)
- Perform dynamic management of Endpoint Security Media Encryption Client workstations
- View and process audit events
- Manage automated alerts
- Manage Endpoint Security Media Encryption security infrastructure
- Manage removable media encryption settings (EPM)

27 Endpoint Security Media Encryption Server (cont.)
Profile Templates
- A collection of Endpoint Security Media Encryption policy settings that determine a user's rights
- Are created from within the management console, from the Profile Templates node
- The default template is highly restrictive
- All profiles include tabs to configure each of the main components, including DM, RMM, PSG, and EPM.

28 Endpoint Security Media Encryption Server (cont.)
User Groups
- Created within the Endpoint Security Media Encryption Database; a profile template is assigned to the group
Deployment Process
1. Create new profile templates
2. Create new groups and assign the required profile templates
3. Specify the required alerts
4. Configure the Endpoint Security Media Encryption security settings
5. Back up the media ID
6. Export the default profile
7. Manually install at least two Client workstations for testing
8. Set up and configure a silent Endpoint Security Media Encryption Client installation for future multi-client deployments

29 Endpoint Security Media Encryption Server (cont.)
Profile Update Process

30 Creating the Security Policy
Endpoint Security Media Encryption Server Properties
- General tab - displays Endpoint Security Media Encryption Server information, media revocation, and license information.
- Applications tab - displays settings for the expreset.ini file, the Device Manager configuration editor, and the EPM site identification.
- Security tab - add and remove administrators' basic permissions to Administrate, Manage Reports and Special permissions
- Configuration tab - allows you to edit SMTP settings
- Console Settings tab - allows you to restrict the number of viewed users and workstations

31 Creating the Security Policy
Profiles

32 Creating the Security Policy
Profiles
Each profile template is split into nine tabs:
- General
- Device Manager
- Removable Media Manager
- Encryption
- Program Security Guard
- User Interface
- Auditing
- Advanced
- Security

33 Creating the Security Policy
Profiles – Device Manager
- Controls the many different types of devices that can be used on a client workstation across the network
- Configurable to allow full, read-only or no access:
  - Read only, no network
  - Read only, execute
  - Full access, no network
  - Full access, execute
  - Full access, execute, no network
- Access to both known and unknown devices is permitted from all ports, including USB, Firewire and Bluetooth

34 Creating the Security Policy
Profiles – Removable Media Manager
- Provides virus scans, content scans, checks and authorizes devices before use
- Uses a unique digital signature
- Detects changes performed externally from the home network
- Integrates automatically with most 3rd party anti-virus scanners

35 Creating the Security Policy
Profiles - Encryption
- Uses AES (128 and 256 bit) encryption
- Media appears as conventional media to the users that have been granted access
- Enforces that all devices are encrypted prior to any data being transferred

36 Creating the Security Policy
Profiles – Program Security Guard
- Used to block the introduction or modification of any file type
- Customizable to include any other file type
- Blocks executable files from being copied to your network or hard drive
- Backs up anti-virus software

37 Creating the Security Policy
Profiles – User Interface
- Used to configure the Endpoint Security Media Encryption Client user interface
- Full, short or no client menus can be permitted
- Warning messages can be configured as balloon notifications
- User can be permitted to disable RMM, PSG or DM

38 Creating the Security Policy
Profiles - Auditing
- Detailed auditing of attempted security breaches
- Complete audit of device usage
- Client side filtering
- Fully configurable filters and audit analysis reports
- Configurable alerts and HTML reporting

39 Creating the Security Policy
Profiles – Advanced Tab Contains settings for Client Anti-tamper protection, Polling server intervals, client log synchronization and webRH support

40 Creating the Security Policy
Profiles – Security
- Delegate administration based on geographic location and/or role
- The administrator can configure user groups that are permitted to modify and delete the selected profile

41 Creating User and Computer Groups
When creating a new group using the New Group Wizard, you will be prompted to select the profile for this group. Two basic groups:
- Default Group - used when a user connects to the server and does not have a profile available in the Endpoint Security Media Encryption Enterprise Server user database
- Users with Custom Profiles - to assign special profile rights to individual users rather than just groups

42 Creating User and Computer Groups
Users with Custom Profiles
- Offline users - Offline profile settings can be edited by clicking User Groups > Offline users > Properties

43 Creating User and Computer Groups
Group Properties
- Edit the configuration profile
- Add or remove profiles
- Assign multiple profiles

44 Creating User and Computer Groups
- Useful where certain devices on defined computers should be accessible to any user that logs on. For example: a scanner on a graphics workstation
- To access the New Group wizard, click Groups > Computer Groups > New > Group of Computers
- In the computer group's properties, select whether the computer profile will override the user profile or vice versa
- Offline profiles can be configured for when a computer in a group cannot establish a connection to the Endpoint Security Media Encryption Server, or a logged-on user is a local user
- In the group Properties > Licensing tab, specify which Endpoint Security Media Encryption features should be disabled for the computers in this group

45 Deploy Client to End-Users
- Using Active Directory and GPOs
- Using MS SMS v2.0/2003
To install Endpoint Security Media Encryption Client silently using any mechanism, an install template file must be created by recording a standard install. Known as a template installation, it is used for silent deployments.

46 Deploy Client to End-Users
Silent Network Installation
2 methods:
- Using Active Directory and Group Policy Objects (GPOs)
- Using MS SMS v2.0/2003
To install Endpoint Security Media Encryption Client silently using GPOs:
1. Create a GPO using the Protector installation file (.msi)
2. Deploy to users using Active Directory
A supplemental lab is available. Check with your instructor.

47 The Administration Console
Lab 2: The Administration Console Lab 3: Group Creation Lab 4: Client Installation

48 Chapter 2: Review
- What purpose does the Default profile provide?
- Under what conditions should the Default profile be modified?
- When an Endpoint Security Media Encryption user is offline, what profile are they using?
- Why would it be advantageous to use computer groups instead of user groups?
- What is the process for installing Endpoint Security Media Encryption client on multiple machines simultaneously?

49 Chapter 3: Endpoint Security Media Encryption Client
Objectives:
- Test the deployed profiles using pre-constructed security risks.
- Execute actions to initiate alerts for PSG, RMM and EPM.
- Add a new device using the Device Configuration Editor in the management console, and test the new device from the client.
- Encrypt, decrypt and verify removable media using the Encryption Policy Manager.
Key Terms:
- Refresh Host
- Reload Profile

50 Client and Server Interaction
- Server and client use TCP/IP and port 9738
- To change the port number, go to HK_local_machine\Software\Reflex\DisknetServer\Server Name
- Client Registration – can be viewed in the Logged-on computers view in the console
- Computer Management – client information can be viewed by right-clicking the client and selecting Properties
- Profile Updating – the client can be configured to have its profile updated automatically at regular intervals, or the update can be pushed using the command Reload profile

51 Client-Side Functionality
Client Menu
- Device Manager - displays device settings permitted by the loaded profile
- EPM Client - the client can be permitted to decrypt encrypted removable media devices

52 Client-Side Functionality
Viewing the Currently Loaded Profile
By pressing CTRL-SHIFT-F6 while the client menu is displayed:

53 Lab 5: Test User Access Lab 6: Decrypting Devices Lab 7: Configuring PSG

54 Chapter 3: Review
- What is the difference between Refresh Host and Reload Profile?
- How is it possible to create a custom user as opposed to a custom profile?
- You are an administrator who has configured a profile with the option Users can remove EPM encryption from media, and permitted the client to have the Endpoint Security Media Encryption icon with a short menu. However, the user complains that he is unable to decrypt his media. What could be the problem, and how is it resolved?

55 Chapter 4: Logging, Auditing and Reporting
Objectives:
- Use Pointsec Protector's internal logging and auditing functions to track and monitor user actions.
- Configure and execute reports based on Endpoint Security Media Encryption audit events using pre-configured reports.
- By filtering audit events, identify a new device to add into Device Manager using the Device Configuration Editor in the administration console.

56 Auditing Tab Features
Events List
The options are:
- Ignore it.
- Register the event in the log, which is stored locally on the client machine until the next client/server synchronization takes place.
- Immediate, where alerts will be uploaded immediately to the server, overriding synchronization settings.
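To make the three event options concrete, the following is an added Python model of the client-side handling (example code written for this transcript, not Check Point's own implementation): ignored events are dropped, logged events wait in a local buffer until synchronization, and immediate events reach the server at once with the alert flag set. The operation names, host and user values are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum


class AuditOption(Enum):
    """The three per-event options from the profile's Auditing tab."""
    IGNORE = "ignore"        # event is discarded on the client
    LOG = "log"              # kept in the local client log until the next sync
    IMMEDIATE = "immediate"  # uploaded to the server at once, overriding sync


@dataclass
class AuditEvent:
    host: str
    operation: str   # e.g. "Device blocked" (operation names are constructed)
    user: str


@dataclass
class AuditClient:
    """Hypothetical client that applies per-operation audit rules."""
    rules: dict                                      # operation type -> AuditOption
    local_log: list = field(default_factory=list)    # buffered until synchronization
    server_log: list = field(default_factory=list)   # stands in for the server database

    def handle(self, event: AuditEvent) -> AuditOption:
        option = self.rules.get(event.operation, AuditOption.IGNORE)
        if option is AuditOption.LOG:
            self.local_log.append(event)
        elif option is AuditOption.IMMEDIATE:
            # Alert events bypass the local buffer and the sync interval.
            self.server_log.append((event, "Yes"))
        return option

    def synchronize(self) -> int:
        """Flush buffered events to the server; returns how many were uploaded."""
        uploaded = len(self.local_log)
        self.server_log.extend((event, "No") for event in self.local_log)
        self.local_log.clear()
        return uploaded


def run_scenario() -> dict:
    """Constructed sequence of events on one client between two syncs."""
    rules = {
        "Device blocked": AuditOption.IMMEDIATE,
        "File copy to media": AuditOption.LOG,
        "File read from media": AuditOption.IGNORE,
    }
    client = AuditClient(rules)
    for op in ("File read from media", "File copy to media",
               "Device blocked", "File copy to media"):
        client.handle(AuditEvent("ROME", op, "CORP\\jsmith"))
    before_sync = len(client.server_log)
    uploaded = client.synchronize()
    return {
        "on_server_before_sync": before_sync,   # only the immediate alert
        "uploaded_at_sync": uploaded,           # the two logged copy events
        "on_server_after_sync": len(client.server_log),
        "alerts": sum(1 for _, alert in client.server_log if alert == "Yes"),
    }


if __name__ == "__main__":
    print(run_scenario())
```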

57 Auditing Tab Features Removable Media Audit Rules
Provides the ability to audit all file operations performed on removable media devices and CD/DVD drives

58 Auditing Tab Features
Removable Media Audit Rules can record the following information:
- ID: The log ID number is an incremental number and is used to make searching events easier.
- Date & Time: Records information about the time and date that the audit event occurred.
- Host Name: The machine name on which the event occurred.
- Operation Type: The type of operation that was performed on the removable media device.
- User Name: Records the Domain and User name of the current user.
- Alert: Details whether there is an alert configured for the selected event (Yes/No)

59 Auditing and Event Logging
Filtering Logs Click the Build Filter button on the tool bar

60 Auditing and Event Logging
Log Events - double-clicking any event displays event information

61 Auditing and Event Logging
Log Events – Device Information
- Details additional information about authorized and blocked devices, and can be used to add new device IDs
- Click Add this device to the device manager to add a new device

62 Auditing and Event Logging
- Log Export - logged data can be exported to a comma-delimited text file for importing to any third party data analysis tool.
- Log Properties - auto-archive old events to a location on the machine
- RMM Audit Events - when RMM auditing is enabled, all selected activities for the defined users will be logged to the Endpoint Security Media Encryption Database
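As an added example of working with the comma-delimited log export (example code for this transcript, not a Check Point tool), the script below parses an export whose columns follow the Removable Media Audit Rules fields (ID, Date & Time, Host Name, Operation Type, User Name, Alert), filters it the way the console's Build Filter would, and counts how often each device was blocked so an administrator can spot a device worth reviewing for addition through the Device Configuration Editor. The sample export, the "Device" column and the operation names are constructed assumptions, not a real export.

```python
import csv
import io
from collections import Counter

# Constructed sample of a comma-delimited log export. Column names follow the
# fields listed for Removable Media Audit Rules; the "Device" column, the
# operation names and every value are assumptions for this example.
SAMPLE_EXPORT = """\
ID,Date & Time,Host Name,Operation Type,User Name,Alert,Device
1,2009-03-02 09:14:05,ROME,File copy to media,CORP\\jsmith,No,USB\\VID_0781&PID_5567
2,2009-03-02 09:15:40,ROME,Device blocked,CORP\\jsmith,Yes,USB\\VID_1234&PID_ABCD
3,2009-03-02 10:02:11,OSLO,File copy from media,CORP\\akarlsen,No,USB\\VID_0781&PID_5567
4,2009-03-02 10:05:52,OSLO,Device blocked,CORP\\akarlsen,Yes,USB\\VID_1234&PID_ABCD
5,2009-03-02 11:30:00,TORONTO,PSG file blocked,CORP\\mlee,Yes,
6,2009-03-02 11:31:12,TORONTO,Device blocked,CORP\\mlee,Yes,USB\\VID_9999&PID_0001
"""

REQUIRED_COLUMNS = ("ID", "Date & Time", "Host Name",
                    "Operation Type", "User Name", "Alert")


def parse_export(text: str) -> list:
    """Parse an exported log into dict rows sorted by the incremental log ID."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"export is missing columns: {missing}")
    rows = []
    for row in reader:
        row["ID"] = int(row["ID"])                         # incremental log number
        row["Alert"] = row["Alert"].strip().lower() == "yes"  # Yes/No -> bool
        rows.append(row)
    return sorted(rows, key=lambda r: r["ID"])


def filter_events(rows, operation=None, host=None, alert_only=False):
    """Narrow the event list by operation type, host name and/or alert flag."""
    return [r for r in rows
            if (operation is None or r["Operation Type"] == operation)
            and (host is None or r["Host Name"] == host)
            and (not alert_only or r["Alert"])]


def blocked_device_counts(rows) -> Counter:
    """Count 'Device blocked' events per device ID. A device that is blocked
    repeatedly is a candidate to review and, if legitimate, add to Device Manager."""
    blocked = filter_events(rows, operation="Device blocked")
    return Counter(r["Device"] for r in blocked if r.get("Device"))


def alerts_by_host(rows) -> Counter:
    """Number of alert-flagged events per host, for a quick overview."""
    return Counter(r["Host Name"] for r in rows if r["Alert"])


if __name__ == "__main__":
    events = parse_export(SAMPLE_EXPORT)
    for device, count in blocked_device_counts(events).most_common():
        print(f"{device}: blocked {count} time(s)")
    print(dict(alerts_by_host(events)))
```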

63 Alerts
Creating an Alert
- Right-click on the Alerts node and select New > Alert (or select the option Alert > New Alert from the console)
- The User Groups tab permits the option of applying this alert to all groups, or selected groups
- The Action tab provides the option to add new addresses designating where the alerts are to be sent

64 Reports
Creating a Report
1. Right-click on the Reports node and select New > Report, initiating the New Report Wizard
2. Specify a Report type from the list
3. Edit the report parameters as desired
4. Decide when you want the report to be generated
5. Provide a description for the report
6. After generation, select View Report

65 Adding a Device using Device Manager
Lab 8: Logging and Reporting Lab 9: Adding a Device using Device Manager

66 Chapter 4: Review
- What happens on the client if no anti-virus scanner or Pointsec DataScan is detected during media authorization?
- In order to ensure that an alert will be activated immediately and sent to the configured address, which of the two settings must be enabled?

