Rohde & Schwarz Cybersecurity
Secure endpoints: proactive protection against cyberattacks
Webinar, 2 March 2017, Martin Heiliger-Zemanek

Page 1:

Rohde & Schwarz Cybersecurity

Secure endpoints:

proactive protection against cyberattacks

Webinar 2. March 2017

Martin Heiliger-Zemanek

Page 2:

The Rohde & Schwarz group at a glance

Secure endpoints – proactive protection against cyberattacks

ı History: established in 1933 in Munich

ı Corporate form: independent family-owned company

ı Global presence: in over 70 countries, approximately 60 locations worldwide

ı Revenue: 1.92 billion euro (fiscal year 14/15, July to June)

ı Exports: more than 90%

ı Employees: 9,800 worldwide, of which approximately 5,900 in Germany

Page 3:

Rohde & Schwarz business areas

ı Test and Measurement: T&M instruments and systems for wireless communications, general purpose electronics, and aerospace & defense applications

ı Broadcast and Media: broadcast, T&M and studio equipment for network operators, broadcasters, studios, the film industry and manufacturers of entertainment equipment

ı Secure Communications: communications systems for air traffic control and armed forces; encryption technology for armed forces, government authorities and critical infrastructures

ı Cybersecurity: IT security products for the economy and authorities

ı Radiomonitoring & Radiolocation: radiomonitoring equipment for regulatory authorities, homeland and external security, and network operators; radar intelligence systems

ı Service

Secure endpoints: proactive protection against cyberattacks 3

Page 4:

Strategic goal: “We build the European Trusted Supplier for Cybersecurity Products and Solutions”


ı Secure networks and network analytics: next-generation firewalls & UTM; application awareness and DPI; vulnerability management

ı Encrypted backbone / WAN: Layer 3 IP encryption; Layer 2 Ethernet encryption; secure remote access

ı Tap-proof communication: voice encryption apps & devices; secure messaging; fax & radio encryption

ı Secure endpoints and applications: full-disk encryption; secure browsing & cloud; secure desktop & mobile; web application firewalls

ı Trusted management: CA, PKI, HSMs; crypto management; configuration, policy; firmware deployment

Trusted solutions from a single source

Page 5:

Rohde & Schwarz Cybersecurity – product overview


Product categories: Tap-proof communications | Secure endpoints & trusted management | Secure networks | Network analytics

❙ Browser in the Box

❙ TrustedDisk

❙ TrustedDesktop

❙ TrustedObjects Manager

❙ TrustedIdentity Manager

❙ PanBox

❙ R&S®CryptoServer

❙ NP+

❙ GP Firewalls

❙ R&S®SITLine ETH

❙ TrustedVPN

❙ BizzTrust

❙ TopSec Mobile

❙ CryptoGateway

❙ Fax- and Voice Encryption

❙ RadioCrypt

❙ HandsetCrypt

❙ ELCRODAT

❙ R&S®MMC3000

❙ R&S®PACE 2

❙ R&S®Net Reporter 2

❙ R&S®Net Sensor

Page 6:

The Internet as a source of danger

ı Increase in cybercrime

Number of attacks increased by 8% compared to last year

3.4 million infected endpoints (2016)

ı Companies lose data and information

Using malware, attackers obtain sensitive company data and can cause significant economic damage.

ı Infected websites


Page 7:

Protection against the dangers of the Internet

Page 8:

Secure separation of intranet and Internet using a two-browser strategy with Browser in the Box

Intranet browser | Browser in the Box

ı Product-related data

ı Documents on product development

ı Strategic concepts

ı Browser-based in-house applications

ı Emails

ı Research

ı News


Page 9:

Why use Browser in the Box?

Page 10:

Conventional methods of counteracting threats

ı No Internet at the workplace

Designated computers for Internet access

ı Internet with reduced functionality

Deactivation of active content

ı Alternative browsers

ı Terminal server

Central server running the web browser; access via desktop viewer


Page 11:

Browser in the Box: secure browser for clients

ı Technology

Encapsulated browser using virtual machines

ı Characteristics

1. High security while maintaining all web functionalities

Separation of workplace environment and Internet

Transparency for users

2. Economical due to use of available client resources

Easy to install and centrally administered


Page 12:

Browser in the Box Enterprise: easy administration

Page 13:

Browser in the Box Enterprise: isolation on computer level

Page 14:

Browser in the Box Enterprise: isolation on network level

Page 15:

Browser in the Box Client: convenience

ı User friendliness

High transparency due to Seamless Mode

Support of active content

Plug-ins, persistent bookmarks, printing and downloading based on standards is possible

The browser configuration (bookmarks, plug-ins, proxy settings, etc.) is stored for all users → this data is not reset during restart

ı Flexibility

The administrator can define exactly what configuration data has to be persistent

Individual images are possible

ı Host platforms

Windows (7, 8 and 10)


Page 16:

Browser in the Box: secure download

Page 17:

Browser in the Box: secure upload

Page 18:

Browser in the Box: secure printing

Page 19:

Browser in the Box: secure clipboard

ı Monitoring the flow of information

Unidirectional (workplace → Browser in the Box or Browser in the Box → workplace)

Bidirectional (workplace ↔ Browser in the Box )

Administered centrally

ı Optional user confirmation for “Paste” operations

No undetected flow of information, e.g. due to malware in the guest that reads the clipboard


Page 20:

Browser in the Box: Enterprise management features

ı User management

Synchronization with Active Directory

Individual management of rights for users or groups

ı Tunnel management

Automatic configuration of the Browser in the Box client

Automatic generation and distribution of certificates

ı Image management

Upload of newly created and signed images

Allocation of images to users or groups

Distribution of image updates as diffs


Page 21:

Browser in the Box: security features

ı Security

Isolation using virtual machines (VM)

Isolated Browser in the Box user environment

Security analysis of the VM technology in cooperation with the German Federal Office for Information Security (BSI)

Hardened Linux as guest OS

Start from a clean snapshot

Secure IPsec tunnel to the gateway; only data from Browser in the Box is routed to the Internet and vice versa

Secure update process (only signed images)


Page 22:

TrustedDisk: hard disk and device encryption with central management and VS-NfD approval by the German Federal Office for Information Security


Page 23:

TrustedDisk highlights

ı High operating convenience

Full device encryption for Windows 7 and 8

Initial encryption runs in the background; it is possible to continue working

Encryption of system partitions and mobile storage devices

Multi-user capability, flexible and simple management of rights

ı High security

Comprehensive pre-boot authentication

Multi-level authentication using hardware tokens and PINs

Secure random number generation, flexible re-encryption

VS-NfD approved for Windows 7 and 8


Page 24:

TrustedDisk: possible applications

ı Stand-alone version without central management

Recommended for companies with up to 20 clients

SmartCard authentication

VS-NfD approved

ı Central management using TrustedObjects Manager

For companies with more than 20 clients

Additional functionality compared to the stand-alone version

Approved for use with the approved TrustedDisk stand-alone version


Page 25:

TrustedDisk: versions

ı Advantages of the stand-alone version without central management

No additional hardware required (space/power consumption)

No changes to the network (firewall/VLANs)

No costs for TOM

ı Advantages of the version with central management using the TrustedObjects Manager

Additional functionality compared to the stand-alone version

Access to directory services (LDAP)

Central PUK management

Overview of client statuses (encryption status/connection)

Central logging of events

Certificates are stored locally in the TOM


Page 26:

TrustedDisk: scope of delivery

ı Client

TrustedDisk Enterprise client license

SmartCard reader (according to Whitelist)

SmartCard Infineon SLE66CX680PE incl. CardOS 4.4

CardOS 5.0 in the future

ı In addition for central management

TrustedObjects Manager license

TrustedObjects Manager 19 inch appliance


Page 27:

Central management using TrustedObjects Manager

ı Central management:

Central user management

Access to a directory service (LDAP)

Central PUK management

Overview of client statuses (encryption status/connection)

Central logging of events

Flexible rollout scenario of TrustedDisk and the SmartCards

Personalization of SmartCards using multiple certificates (e.g. for VPN)

Recovery of existing TrustedDisk clients


Page 28:

TrustedDisk: the client software

Page 29:

Hardware and software requirements

ı BIOS: legacy boot mode, no UEFI

ı BIOS: SATA AHCI mode, or IDE mode

ı Hard disk: MBR-formatted, no GPT

ı Windows 7 / 8 / 10

ı Original Microsoft MBR (no OEM MBR or similar)

ı Supported SmartCard reader and SmartCard

ı Windows installation on two partitions (boot and system partition)


Page 30:

Partitions

ı Windows standard partitions:

100 MB (or more) boot partition

System partition

ı Can be verified in the Windows disk management
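A pre-rollout check for the requirements on this slide and the previous one, written here as an added example; it is not a TrustedDisk tool and not code from the webinar. It assumes a Windows 8 or 10 host (Storage and CIM cmdlets) in an elevated session, and the "original Microsoft MBR" test is a heuristic on the boot code's error strings rather than an official check.

```powershell
# Added example: pre-rollout check for the TrustedDisk requirements (legacy BIOS,
# AHCI/IDE, Windows 7/8/10, MBR disk, Microsoft MBR, reader, boot + system partition).
# Not a TrustedDisk tool; assumes Windows 8/10 and an elevated PowerShell session.
$results = [ordered]@{}

# 1. Firmware: legacy BIOS boot required, UEFI is not supported
$results['BIOS legacy boot mode (no UEFI)'] = ($env:firmware_type -eq 'Legacy')

# 2. Storage controller: AHCI (storahci) or IDE (pciide/intelide); RAID mode is neither
$ctrl = Get-CimInstance Win32_PnPEntity -Filter "Service='storahci' OR Service='pciide' OR Service='intelide'"
$results['SATA AHCI or IDE mode'] = ($null -ne $ctrl)

# 3. Windows 7 / 8 / 10 (Windows 7 = 6.1, 8/8.1 = 6.2/6.3, 10 = 10.0)
$ver = [version]((Get-CimInstance Win32_OperatingSystem).Version)
$results['Windows 7 / 8 / 10'] = ($ver.Major -eq 10) -or ($ver.Major -eq 6 -and $ver.Minor -ge 1)

# 4. Disk layout: the disk Windows booted from must be MBR-partitioned, not GPT
$bootDisk = Get-Disk | Where-Object IsBoot | Select-Object -First 1
$results['Hard disk MBR-formatted (no GPT)'] = ($bootDisk.PartitionStyle -eq 'MBR')

# 5. Original Microsoft MBR (heuristic): the Microsoft boot code carries these error
#    strings in its first 440 bytes; an OEM or third-party MBR usually does not
try {
    $mbr = New-Object byte[] 512
    $fs = New-Object IO.FileStream("\\.\PhysicalDrive$($bootDisk.Number)",
        [IO.FileMode]::Open, [IO.FileAccess]::Read, [IO.FileShare]::ReadWrite)
    $null = $fs.Read($mbr, 0, 512); $fs.Close()
    $code = [Text.Encoding]::ASCII.GetString($mbr, 0, 440)
    $results['Original Microsoft MBR (heuristic)'] =
        ($code -match 'Invalid partition table') -and ($code -match 'Missing operating system')
} catch { $results['Original Microsoft MBR (heuristic)'] = "unknown ($($_.Exception.Message))" }

# 6. Partitions: Windows standard layout = active boot partition (>= 100 MB) + system partition
$parts    = @(Get-Partition -DiskNumber $bootDisk.Number)
$bootPart = $parts | Where-Object IsActive | Select-Object -First 1
$sysPart  = $parts | Where-Object { $_.DriveLetter -eq $env:SystemDrive.TrimEnd(':') } | Select-Object -First 1
$results['Windows on two partitions (boot + system)'] =
    ($parts.Count -eq 2) -and $bootPart -and $sysPart -and
    ($bootPart.PartitionNumber -ne $sysPart.PartitionNumber)
$results['Boot partition >= 100 MB'] = [bool]$bootPart -and ($bootPart.Size -ge 100MB)

# 7. A SmartCard reader is present (whitelist conformance still has to be checked by hand)
$reader = Get-CimInstance Win32_PnPEntity -Filter "PNPClass='SmartCardReader'"
$results['SmartCard reader present'] = ($null -ne $reader)

# Report: one line per requirement, overall verdict at the end
$results.GetEnumerator() | ForEach-Object { '{0,-45} {1}' -f $_.Key, $_.Value }
if ($results.Values -contains $false) { 'NOT READY for TrustedDisk FDE activation' } else { 'READY' }
```

Anything reported as "unknown" (for example when the raw-disk read is refused) must be checked manually in Windows disk management, as the slide describes.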


Page 31:

Highlights of TrustedDisk version 2.3

ı New bootloader:

Revised GUI

System starts faster because the PIN can be entered immediately when the token is plugged in

PIN is changed by the PUK

ı Advanced features:

Encryption and re-encryption run completely in the background

Changes of rights to the system partition using Windows

Support of PKCS#11

ı Simplified rollout:

FDE activation using the command line (fdeinit.exe)

Rollout of any number of certificates/rights at FDE activation

Recovery of clients with the previous TrustedDisk rights

Personalization of Tokens by the administrator with automatic generation of a PIN letter


Page 32:

TrustedDisk: usage

Page 33:

Pre-boot authentication

ı TrustedDisk bootloader

ı The encrypted partition is started by authentication using the token and PIN


Page 34:

Pre-boot phase

ı Change the PIN using the PUK


Page 35:

Proactively secure your endpoints against cyberattacks.


Rohde & Schwarz Cybersecurity GmbH

Phone: +49 30 65 884 - 223

Mail: [email protected]

Web: cybersecurity.rohde-schwarz.com