Rohde & Schwarz Cybersecurity
Secure endpoints:
proactive protection against cyberattacks
Webinar, 2 March 2017
Martin Heiliger-Zemanek
The Rohde & Schwarz group at a glance
Secure endpoints: proactive protection against cyberattacks
ı History: Established in 1933 in Munich
ı Corporate form: Independent family-owned company
ı Global presence: In over 70 countries, approximately 60 locations worldwide
ı Revenue: 1.92 billion euros (fiscal year 14/15, July to June)
ı Exports: More than 90%
ı Employees: 9800 worldwide, of which approx. 5900 in Germany
Rohde & Schwarz business areas
ı Test and Measurement: T&M instruments and systems for wireless communications, general purpose electronics, aerospace & defense applications
ı Broadcast and Media: Broadcast, T&M and studio equipment for network operators, broadcasters, studios, the film industry, manufacturers of entertainment equipment
ı Secure Communications: Communications systems for air traffic control and armed forces; encryption technology for armed forces, government authorities, critical infrastructures
ı Cybersecurity: IT security products for the economy and authorities
ı Radiomonitoring & Radiolocation: Radiomonitoring equipment for regulatory authorities, homeland and external security, network operators; radar intelligence systems
ı Service
Secure endpoints: proactive protection against cyberattacks 3
Strategic goal: “We build the European Trusted Supplier for Cybersecurity Products and Solutions”
Rohde & Schwarz Cybersecurity – product overview
ı Secure networks and network analytics: Next-generation firewalls & UTM; application awareness and DPI; vulnerability management
ı Encrypted backbone / WAN: Layer 3 IP encryption; Layer 2 Ethernet encryption; secure remote access
ı Tap-proof communication: Voice encryption apps & devices; secure messaging; fax & radio encryption
ı Secure endpoints and applications: Full-disk encryption; secure browsing & cloud; secure desktop & mobile; web application firewalls
ı Trusted management: CA, PKI, HSMs; crypto management; configuration, policy; firmware deployment
Trusted solutions from a single source
Product areas: tap-proof communications; secure endpoints & trusted management; secure networks; network analytics
❙ Browser in the Box
❙ TrustedDisk
❙ TrustedDesktop
❙ TrustedObjects Manager
❙ TrustedIdentity Manager
❙ PanBox
❙ R&S®CryptoServer
❙ NP+
❙ GP Firewalls
❙ R&S®SITLine ETH
❙ TrustedVPN
❙ BizzTrust
❙ TopSec Mobile
❙ CryptoGateway
❙ Fax- and Voice Encryption
❙ RadioCrypt
❙ HandsetCrypt
❙ ELCRODAT
❙ R&S®MMC3000
❙ R&S®PACE 2
❙ R&S®Net Reporter 2
❙ R&S®Net Sensor
The Internet as a source of danger
ı Increase in cybercrime
Number of attacks increased by 8% compared to last year
3.4 million infected endpoints (2016)
ı Companies lose data and information
Using malware, attackers obtain sensitive company data and can cause significant economic damage.
ı Infected websites
Protection against the dangers of the Internet
Secure separation of intranet and Internet using a two-browser strategy with Browser in the Box
Intranet browser:
ı Product-related data
ı Documents on product development
ı Strategic concepts
ı Browser-based in-house applications
Browser in the Box:
ı Emails
ı Research
ı News
Why use Browser in the Box?
Conventional methods of counteracting threats
ı No Internet at the workplace
Designated computers for Internet access
ı Internet with reduced functionality
Deactivation of active content
ı Alternative browsers
ı Terminal server
Central server running the web browser; access via desktop viewer
Browser in the Box: secure browser for clients
ı Technology
Encapsulated browser using virtual machines
ı Characteristics
1. High security while maintaining all web functionalities
Separation of workplace environment and Internet
Transparency for users
2. Cost-effective due to use of available client resources
Easy to install and centrally administered
Browser in the Box Enterprise: easy administration
Browser in the Box Enterprise: isolation on computer level
Browser in the Box Enterprise: isolation on network level
Browser in the Box Client: convenience
ı User friendliness
High transparency due to Seamless Mode
Support of active content
Plug-ins, persistent bookmarks, and standards-based printing and downloading are possible
The browser configuration (bookmarks, plug-ins, proxy settings, etc.) is stored for all users, so this data is not reset on restart
ı Flexibility
The administrator can define exactly what configuration data has to be persistent
Individual images are possible
ı Host platforms
Windows (7, 8 and 10)
Browser in the Box: secure download
Browser in the Box: secure upload
Browser in the Box: secure printing
Browser in the Box: secure clipboard
ı Monitoring the flow of information
Unidirectional (workplace → Browser in the Box, or Browser in the Box → workplace)
Bidirectional (workplace ↔ Browser in the Box)
Administered centrally
ı Optional user confirmation for “Paste” operations
No undetected flow of information, e.g. due to malware in the guest that reads the clipboard
Browser in the Box: Enterprise management features
ı User management
Synchronization with Active Directory
Individual management of rights for users or groups
ı Tunnel management
Automatic configuration of the Browser in the Box client
Automatic generation and distribution of certificates
ı Image management
Upload of newly created and signed images
Allocation of images to users or groups
Distribution of image updates as diffs
Browser in the Box: security features
ı Security
Isolation using virtual machines (VM)
Isolated Browser in the Box user environment
Security analysis of the VM technology in cooperation with the German Federal Office for Information Security (BSI)
Hardened Linux as guest OS
Start from a clean snapshot
Secure IPsec tunnel to the gateway; only data from Browser in the Box is routed to the Internet and vice versa
Secure update process (only signed images)
TrustedDisk: hard disk and device encryption with central management and VS-NfD approval (German "restricted" classification level) by the German Federal Office for Information Security
TrustedDisk highlights
ı High operating convenience
Full device encryption for Windows 7 and 8
Initial encryption runs in the background; the user can continue working
Encryption of system partitions and mobile storage devices
Multi-user capability, flexible and simple management of rights
ı High security
Comprehensive pre-boot authentication
Multi-level authentication using hardware tokens and PINs
Secure random number generation, flexible re-encryption
VS-NfD approved for Windows 7 and 8
TrustedDisk: possible applications
ı Stand-alone version without central management
Recommended for companies with up to 20 clients
SmartCard authentication
VS-NfD approved
ı Central management using TrustedObjects Manager
For companies with more than 20 clients
Additional functionality compared to the stand-alone version
Approved for use together with the approved TrustedDisk stand-alone version
TrustedDisk: versions
ı Advantages of the stand-alone version without central management
No additional hardware required (space/power consumption)
No changes to the network (firewall/VLANs)
No costs for the TrustedObjects Manager (TOM)
ı Advantages of the version with central management using the TrustedObjects Manager
Additional functionality compared to the stand-alone version
Access to directory services (LDAP)
Central PUK management
Overview of client statuses (encryption status/connection)
Central logging of events
Certificates are stored locally in the TOM
TrustedDisk: scope of delivery
ı Client
TrustedDisk Enterprise client license
SmartCard reader (according to whitelist)
SmartCard Infineon SLE66CX680PE incl. CardOS 4.4
CardOS 5.0 planned
ı In addition for central management
TrustedObjects Manager license
TrustedObjects Manager 19 inch appliance
Central management using TrustedObjects Manager
ı Central management:
Central user management
Access to a directory service (LDAP)
Central PUK management
Overview of client statuses (encryption status/connection)
Central logging of events
Flexible rollout scenario of TrustedDisk and the SmartCards
Personalization of SmartCards using multiple certificates (e.g. for VPN)
Recovery of existing TrustedDisk clients
TrustedDisk: the client software
Hardware and software requirements
ı BIOS: legacy boot mode, no UEFI
ı BIOS: SATA in AHCI or IDE mode
ı Hard disk: MBR-formatted, no GPT
ı Windows 7 / 8 / 10
ı Original Microsoft MBR (no OEM MBR or similar)
ı Supported SmartCard reader and SmartCard
ı Windows installation on two partitions (boot and system partition)
Partitions
ı Windows standard partitions:
100 MB (or more) boot partition
System partition
ı Can be verified in Windows Disk Management
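As an added example (not from the slides or from Rohde & Schwarz), the requirements above can be pre-checked from an elevated PowerShell session before a TrustedDisk rollout; it assumes Windows 8 or later (Storage module cmdlets and the firmware_type environment variable) and does not cover the SATA mode or the OEM-MBR check.

```powershell
# Added example, not Rohde & Schwarz code: pre-flight check of the TrustedDisk
# requirements listed on the slides. Assumes Windows 8 or later (Storage module
# cmdlets, $env:firmware_type) and an elevated PowerShell session.
function Test-TrustedDiskPrereqs {
    $findings = @()

    # 1. Boot mode: legacy BIOS required, UEFI not supported.
    #    Windows sets firmware_type to "Legacy" or "UEFI".
    $fw = $env:firmware_type
    if ($fw -ne 'Legacy') {
        $findings += "Boot mode is '$fw'; legacy BIOS mode is required"
    }

    # 2. The disk holding Windows must be MBR-formatted, not GPT.
    $sysLetter = $env:SystemDrive.TrimEnd(':')
    $sysPart   = Get-Partition -DriveLetter $sysLetter
    $disk      = Get-Disk -Number $sysPart.DiskNumber
    if ($disk.PartitionStyle -ne 'MBR') {
        $findings += "System disk $($disk.Number) is $($disk.PartitionStyle); MBR is required"
    }

    # 3. Standard layout: a separate active boot partition of at least 100 MB
    #    next to the system partition (shown in Disk Management as "System Reserved").
    $bootPart = Get-Partition -DiskNumber $disk.Number |
        Where-Object { $_.IsActive -and $_.PartitionNumber -ne $sysPart.PartitionNumber } |
        Select-Object -First 1
    if (-not $bootPart) {
        $findings += "No separate boot partition found; Windows must be installed on two partitions"
    } elseif ($bootPart.Size -lt 100MB) {
        $findings += "Boot partition is $([int]($bootPart.Size / 1MB)) MB; at least 100 MB is required"
    }

    # 4. Supported Windows release: 7, 8 or 10 (NT 6.1 and later).
    $ver = [System.Environment]::OSVersion.Version
    if ($ver -lt [Version]'6.1') {
        $findings += "Windows version $ver is not supported"
    }

    if ($findings.Count -eq 0) { 'OK: all checked TrustedDisk prerequisites are met' } else { $findings }
}

Test-TrustedDiskPrereqs
```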
Highlights of TrustedDisk version 2.3
ı New bootloader:
Revised GUI
System starts faster because the PIN can be entered immediately when the token is plugged in
PIN is changed by the PUK
ı Advanced features:
Encryption and re-encryption run completely in the background
Changes to rights on the system partition from within Windows
Support of PKCS#11
ı Simplified rollout:
FDE activation using the command line (fdeinit.exe)
Rollout of any number of certificates/rights at FDE activation
Recovery of clients with the previous TrustedDisk rights
Personalization of tokens by the administrator with automatic generation of a PIN letter
TrustedDisk: usage
Pre-boot authentication
ı TrustedDisk bootloader
ı The encrypted partition is started by authentication using the token and PIN
Pre-boot phase
ı Change the PIN using the PUK
Proactively secure your endpoints against cyberattacks.
Rohde & Schwarz Cybersecurity GmbH
Phone: +49 30 65 884 - 223
Mail: [email protected]
Web: cybersecurity.rohde-schwarz.com