stormshield - technical presentation (en).pdf

Posted on 23-Dec-2015

TRANSCRIPT

Page 1: StormShield - Technical Presentation (EN).pdf

Page 2

ARKOON NETWORK SECURITY

Arkoon allows sensitive infrastructures to stay ahead of an ever-increasing threat through versatile products and premium services.

4 core competences:

– Network security
– Endpoint security
– Data security
– Security Management

The Company:

– $16.2M revenue in 2012, profitable and growing
– 85 people, 30 in product development + 15 dedicated to innovation
– 35% of revenue allocated to engineering

Page 3

PRESENTATION

Version 6.0

10/15/2013

Page 4

PROBLEM STATEMENT

Page 5

TARGETED ATTACKS

63% of attacks are targeted.

The most sophisticated 4% of attacks account for 61% of leaked records.

For 48% of these attacks, it took months or years before discovery.

Most frequently leaked record types:

– Authentication credentials: 35%
– Secrets, intellectual property: 24%
– Sales information: 12%

Source: Verizon 2012

Page 6

DATA LOSS / THEFT

Negligence and malicious insiders continue to cost U.S. businesses millions.

28% of data loss is due to theft of data-bearing devices.

33% of incidents involved criminal insiders.

Average cost: $5.5 million per breach in 2011.

Source: Ponemon 2011

Page 7

KEY CAPABILITIES

StormShield combines several kinds of security rules to prevent data theft:

– Control and audit of removable device usage
– Enforced encryption of hard drives, USB sticks, CD/DVD/BR
– Hardening of email clients, web browsers, instant messengers
– Prevention of misuse of wireless interfaces such as WiFi, 3G, Bluetooth, ...

Page 8

STORMSHIELD

StormShield is the only proven protection against 0-day exploits:

– 100% of discovered Acrobat Reader buffer overflows blocked
– 100% blocked for Flash
– 91% blocked for Internet Explorer

Some infamous attacks prevented by design by StormShield: Conficker, Aurora, Stuxnet, Duqu, ...

Page 9

STORMSHIELD PRESENTATION

Page 10

FUNCTIONALITIES

StormShield includes 7 functionalities/modules:

– HIPS & Network Control
– Device Control
– Application Control
– Wireless Security
– Compliance
– Encryption
– Antivirus (OEM)

The StormShield solution is provided by default with the first 5 modules (shown in white on the slide diagram).

The « Encryption » and « Antivirus » modules require an additional license.

[Diagram: the seven modules: HIPS & Network Control, Compliance, Device Control, Application Control, Wireless Security, Antivirus, Encryption]

Page 11

HIPS & Network Control

• HIPS « Host-based Intrusion Prevention System » (granular levels)

– Protection against file creation (exe, msi, dll, bat, ...)
– Protection against « memory overflow » (« buffer overflow »)
– Protection against « keyloggers »
– Protection against « privilege escalation » (« UAC »)
– Protection against CPU overuse and spontaneous reboots
– Protection against unauthorized kernel components (drivers and « rootkits »)
– Protection against process access (one process tampering with another)

• FIREWALL

– IN and OUT protection (IP address / MAC address, protocol, port, service, ...)
– « Stateful » inspection mode

• IDS

– Protection against « DoS » (« Denial of Service »)
– Protection against « floods »
– Protection against « fragmented headers »
– Protection against « port scans »

Page 12

Device Control

This module allows, limits and/or denies the following devices:

– Modems, 3G connections and Bluetooth
– LPT and COM ports
– USB smart cards, floppy, CD, DVD, Blu-ray
– CD, DVD, Blu-ray writers (burning can be restricted to specific applications via StormShield)
– PCMCIA and USB sound cards
– USB HID (keyboards, mice)
– USB still imaging devices and USB printers
– U3 (USB autorun) feature
– USB and FireWire mass storage

Deep management of removable devices (by hardware identification):

– Specific rights and access (Read, Read/Write, Denied)
– Audit information (plug/unplug, read access, write access)
– Encryption/decryption (USB and FireWire mass storage only)
– File extension management (USB and FireWire mass storage only)
– User enrollment (USB key assignment)
– Rights/access management on the network based on the status of a specific USB key (trusted, enrolled, ...)

Page 13

Application Control

This module limits (allow, modify, deny) what applications (processes) run on the workstation may do:

– Application execution
– Renaming or modifying the application
– Network access (client mode « Sock-Connect », server mode « Sock-Bind »)
– File access (files, local and/or shared directories)
– Registry access (Read, Write or Delete actions)
– « Copy/Paste » protection (including screenshots)
– Kernel components (allowed or denied drivers)
– File extensions (bound to specific, dedicated applications)
– Trusted Applications: lets legitimate applications run that the HIPS protection would otherwise block (keylogger, memory overflow, network, file, ...)

Page 14

Wireless Security

This module controls wireless connections through several settings:

– Allow or deny WiFi connections
– Allow or deny specific access points (by SSID and/or MAC address)
– Allow or deny WiFi ad hoc connections
– Allow or deny specific authentication methods/modes:

• Open (no password, as on « hot spot » networks)
• WEP (weak)
• WPA
• WPA2
• Other methods (not in the list)

StormShield provides a function called « Hot Spot », generally used for laptops. If the current StormShield policy blocks the connection, the user can enable temporary web access (Internet access), for example to bring up a VPN tunnel.

3 customizable options:

• Duration
• Number of consecutive accesses
• Allowed ports and protocols

Page 15

Compliance

This module applies StormShield security policies to make sure that the workstation respects the company's rules (compliance).

Depending on the results, it can:

– Isolate the workstation (quarantine)
– Apply a remediation process (example: update the local antivirus solution)
– Apply other, specific StormShield security policies (example: deny application execution)
– ...

Compliance is evaluated through customizable StormShield scripts (tests and batches), which can test:

– The agent connection status
– The existence or content of a specific file or registry key
– The existence or status of a specific process or service
– Network information (subnet, mask, IP address, DNS, gateway, ...)
– AD information (domain, group, user)
– Antivirus software (updates, scan)
– ...

Note: StormShield lets you run your own scripts (vbs, for example) to enforce these controls and harden the workstation.
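As an added example (not code from the Arkoon deck or from the StormShield product), the PowerShell script below performs the kinds of checks the slide lists: domain membership, the status of a service, the content of a registry value, network configuration and the antivirus state. Everything it checks against is a placeholder assumption, not taken from the deck: the domain corp.example.com, the wuauserv service, a Windows Update policy key, an antivirus whose name contains "Avira", and the convention that the exit code is the number of failed checks (0 = compliant), which a StormShield compliance script could then act on. The productState decoding for Security Center is the commonly used but undocumented layout and is marked as assumed in the code.

```powershell
# Added example: a custom compliance test of the kind the Compliance module
# can run. Not part of the Arkoon deck; all checked values are placeholders.
param(
    [string]$RequiredDomain        = 'corp.example.com',     # assumed
    [string]$RequiredService       = 'wuauserv',             # Windows Update service, assumed
    [string]$RequiredRegistryKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU',
    [string]$RequiredRegistryValue = 'NoAutoUpdate',
    [int]   $ExpectedRegistryData  = 0,                      # 0 = automatic updates allowed
    [string]$RequiredAntivirus     = 'Avira'                 # substring of the product name
)

$results = New-Object System.Collections.ArrayList

function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    [void]$results.Add((New-Object PSObject -Property @{ Check = $Check; Pass = $Pass; Detail = $Detail }))
}

# 1. AD information: the workstation must be joined to the expected domain.
$cs = Get-WmiObject -Class Win32_ComputerSystem
Add-Result 'Domain' ($cs.PartOfDomain -and ($cs.Domain -eq $RequiredDomain)) $cs.Domain

# 2. Service status: the required service must exist and be running.
$svc = Get-Service -Name $RequiredService -ErrorAction SilentlyContinue
$svcState = if ($svc) { [string]$svc.Status } else { 'missing' }
Add-Result 'Service' (($svc -ne $null) -and ($svc.Status -eq 'Running')) "$RequiredService is $svcState"

# 3. Registry: the key must exist and the value must hold the expected data.
$data = $null
if (Test-Path $RequiredRegistryKey) {
    $item = Get-ItemProperty -Path $RequiredRegistryKey -Name $RequiredRegistryValue -ErrorAction SilentlyContinue
    if ($item) { $data = $item.$RequiredRegistryValue }
}
Add-Result 'Registry' ($data -eq $ExpectedRegistryData) "$RequiredRegistryValue = $data"

# 4. Network information: an IP-enabled adapter with a default gateway and DNS servers.
$nic = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
       Where-Object { $_.DefaultIPGateway -and $_.DNSServerSearchOrder } | Select-Object -First 1
$nicDetail = if ($nic) { "$($nic.IPAddress[0]) via $($nic.DefaultIPGateway[0])" } else { 'no configured adapter' }
Add-Result 'Network' ($nic -ne $null) $nicDetail

# 5. Antivirus: registered in Security Center, real-time protection on, definitions current.
# root\SecurityCenter2 exists from Vista on; XP exposes root\SecurityCenter with
# boolean properties instead of productState.
$av = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue |
      Where-Object { $_.displayName -like "*$RequiredAntivirus*" } | Select-Object -First 1
$avOk = $false
$avDetail = 'not registered'
if ($av) {
    # productState decoding as commonly used (undocumented by Microsoft, assumed here):
    # bits 8-15 equal 0x10 when real-time protection is on; bits 0-7 equal 0x00 when definitions are current.
    $state    = [int]$av.productState
    $rtOn     = ($state -band 0xFF00) -eq 0x1000
    $upToDate = ($state -band 0xFF) -eq 0
    $avOk     = $rtOn -and $upToDate
    $avDetail = '{0}: realtime={1} uptodate={2}' -f $av.displayName, $rtOn, $upToDate
}
Add-Result 'Antivirus' $avOk $avDetail

$results | Format-Table Check, Pass, Detail -AutoSize
$failed = @($results | Where-Object { -not $_.Pass }).Count
exit $failed   # 0 = compliant; otherwise the number of failed checks
```

The script avoids cmdlets and operators newer than PowerShell 2.0 (no -shr, no Get-CimInstance) so that it runs on the XP SP3 / Windows 7 agents the deck targets; run it with the same account the compliance module uses, since the registry and WMI queries only see what that account can read.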

Page 16

Encryption

StormShield includes a « Full Disk Encryption » functionality:

– Encrypted partitions: system partition or all partitions (FAT, FAT32, NTFS)
– Algorithm: AES 128, 192 or 256 bits
– Preboot authentication with password
– Configurable password complexity
– Data recovery in connected and disconnected modes
– Automatic restart authorization while the system is updating
– Single Sign-On (memorizes the Windows logon credentials)
– « Guest » account (generic account) for self-service workstations
– Secure file erasure (shredding)
– Swap file erasing

Page 17

Antivirus

StormShield provides an antivirus/antispyware solution: « Avira Professional Edition » (German solution)

• This edition includes:

– On-demand scanner (full or partial)
– Real-time protection (local and shared drives)
– Web, mail and instant messaging protection
– Quarantine management

• Protection against:

– Adware, spyware, hoaxes, backdoors, phishing, ...
– Spyware and fraudulent software, ...

• The StormShield Server acts as the antivirus server, so it can:

– Deploy antivirus updates directly to the agents
– Deploy different antivirus policies to the agents
– Lock the settings with a password so that users cannot change them

Page 18

ARCHITECTURE AND ENVIRONMENT

StormShield is composed of (at least):

– 1 StormShield Server (primary)
– 1 SQL Server
– 1 Administration Console
– 1 Agent (on a workstation)

Page 19

StormShield Server

• Central point of the architecture

• 2 kinds: primary and secondary (each able to support several thousand agents), installable on physical or virtual machines (OS required: Windows Server)

• Primary Server:

– Receives the strategies from the administration console
– Distributes (synchronizes) the security policies to the agents
– Retrieves the logs and alerts from the agents, then stores them on the SQL server

• Secondary Server:

– Same functions as the primary server
– Supports more agents and enables the clustering mode (Active/Active and Active/Passive modes)
– Maintains its own up-to-date agent list

• StormShield requires at least 1 environment (1 global license) and 1 primary server to be defined.

Page 20

StormShield Databases

• StormShield uses 4 specific databases:

– Configuration: stores the environment (policies, configurations, scripts, ...)
– Logs and Alerts: stores the logs sent by servers and agents
– Identification: stores agent information (version, latest applied policy, OS, ...)
– Recovery: stores information for the Encryption module

• Compatible with Microsoft SQL Server (Express, Standard, Enterprise / 2005, 2008, 2008 R2, 2012)

• StormShield is packaged by default with SQL Server Express 2005

• The databases can be installed on a separate, dedicated SQL Server (recommended in production environments)

Page 21

StormShield Administration Console

• Tool to manage the whole solution:

– Create and modify the security policies, strategies, configurations, scripts, ...
– Modify the options of the primary and secondary servers
– Analyse the logs
– Add user accounts with specific privileges (delegation)
– Reporting
– ...

• Centralized console

• Multi-instance and multi-user console

• Compatible with all Windows versions that run .NET Framework 2.0

Page 22

StormShield Agent

• 4 protection levels: Application / System / Network / Physical (Encryption)

• 3 editions:

– « Professional » Edition (first 5 modules), Windows XP SP3 to Windows 7 SP1
– « Secure » Edition (first 5 modules + Encryption), Windows XP SP3 to Windows 7 SP1
– « Server-Side » Edition (first 5 modules), Windows Server 2003 SP1 (x86) to 2008 R2 SP1

The « Encryption » module is not available with the « Server-Side » Edition.

The « Antivirus » module can be installed on all editions.

• Secured connections to the StormShield servers (SSL v3, with X.509 certificates), used to:

– Retrieve security policies
– Send logs about user activity

Note: SSL v3 was deprecated in 2015 (RFC 7568), after this deck was written.

• 1 installed agent = 1 user license

Page 23

Communications & Flows

Page 24

Prerequisites – StormShield Server

PREREQUISITES: STORMSHIELD SERVER

OS:
  Windows Server 2003 SP2 (32 & 64-bit)
  Windows Server 2003 R2 (32 & 64-bit)
  Windows Server 2008 (32 & 64-bit)
  Windows Server 2008 R2 (64-bit)

CPU: Dual-core 2 GHz

RAM: 2 GB

HARD DRIVE SPACE:
  With Antivirus: 1 GB
  Without Antivirus: 1.5 GB

NETWORK CONFIGURATION: static IP address

Open ports (IN):
  TCP 80 (customizable): Agent → Server (MSI file + Antivirus updates)
  TCP 443 (customizable): Agent → Server (Certificate)
  TCP 7080: Agent → Server (Antivirus)
  TCP 16003: Server → Server (Cluster)
  TCP 16004: Agent → Server (Logs)
  TCP 16005: Agent → Server (Push)
  TCP 16006: Agent → Server (Pull)
  TCP 16007: Console → Server (Synchronization)

Open ports (OUT):
  TCP 80: Server → Avira server(s) (Antivirus updates)
  TCP 1433 (customizable): Server → SQL Server (Database access)
  UDP 1434 (customizable): StormShield Server → SQL Server (Database access)
  TCP 16003: Server → Server (Cluster)
  TCP 16006: Server → Agent (Pull)

ANTIVIRUS EXCEPTION:
Arkoon recommends adding an exception for the StormShield server directory to your antivirus policy:
  « C:\Program Files\SkyRecon\StormShield Server\* » (32-bit)
  « C:\Program Files (x86)\SkyRecon\StormShield Server\* » (64-bit)

Page 25

Prerequisites – SQL Server for StormShield Databases

PREREQUISITES: SQL SERVER FOR STORMSHIELD DATABASES

OS:
  All Windows versions that support SQL Server 2005
  All Windows versions that support SQL Server 2008
  All Windows versions that support SQL Server 2008 R2
  All Windows versions that support SQL Server 2012

SQL VERSION (Express, Standard, Enterprise editions):
  SQL Server 2005 (32 & 64-bit)
  SQL Server 2008 (32 & 64-bit)
  SQL Server 2008 R2 (32 & 64-bit)
  SQL Server 2012 (32 & 64-bit)

CPU: Dual-core 2 GHz

RAM: 2 GB

HARD DRIVE SPACE:
  Configuration database: 10 MB
  Log database: 30 MB per agent per year
  Agent information database: 1 MB per agent
  Encryption database: 1 MB per agent

NETWORK CONFIGURATION: static IP address

Open ports (IN):
  TCP 1433 (customizable): Console → SQL Server (Database access)
  TCP 1433 (customizable): Server → SQL Server (Database access)
  UDP 1434 (customizable): Console → SQL Server (Database access)
  UDP 1434 (customizable): Server → SQL Server (Database access)

Page 26

Prerequisites – StormShield Administration Console

PREREQUISITES: STORMSHIELD ADMINISTRATION CONSOLE

OS:
  Windows XP (32 & 64-bit)
  Windows Vista (32 & 64-bit)
  Windows 7 (32 & 64-bit)
  Windows Server 2003 SP2 (32 & 64-bit)
  Windows Server 2003 R2 (32 & 64-bit)
  Windows Server 2008 (32 & 64-bit)
  Windows Server 2008 R2 (64-bit)

CPU: Single-core 2 GHz

RAM: 512 MB

HARD DRIVE SPACE: 50 MB

SOFTWARE:
  .NET Framework 2.0
  Microsoft Visual C++ 2008 Redistributable

NETWORK CONFIGURATION:

Open ports (OUT):
  TCP 1433 (customizable): Console → SQL Server (Database access)
  UDP 1434 (customizable): Console → SQL Server (Database access)
  TCP 16007: Console → Server (Synchronization)

Page 27

Prerequisites – StormShield Agent

PREREQUISITES: STORMSHIELD AGENT

OS:
  Windows XP SP3 (32-bit)
  Windows Vista SP2 (32-bit)
  Windows 7 (32 & 64-bit)
  Windows Server 2003 SP1 (32-bit)
  Windows Server 2003 R2 SP1 (32-bit)
  Windows Server 2008 (32 & 64-bit)
  Windows Server 2008 R2 (64-bit)

CPU: Single-core 2 GHz

RAM: 512 MB

HARD DRIVE SPACE:
  With Antivirus: 25 MB
  Without Antivirus: 350 MB

NETWORK CONFIGURATION:

Open ports (IN):
  TCP 16006: Server → Agent (Pull) / Agent → Agent (token)

Open ports (OUT):
  TCP 80 (customizable): Agent → Server (MSI file + Antivirus updates)
  TCP 443 (customizable): Agent → Server (Certificate)
  TCP 7080: Agent → Server (Antivirus)
  TCP 16004: Agent → Server (Logs)
  TCP 16005: Agent → Server (Push)
  TCP 16006: Agent → Server (Pull) / Agent → Agent (token)

ANTIVIRUS EXCEPTION:
Arkoon recommends adding an exception for the StormShield agent directory to your antivirus policy:
  « C:\Program Files\SkyRecon\StormShield Agent\* » (32-bit)
  « C:\Program Files (x86)\SkyRecon\StormShield Agent\* » (64-bit)
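The four prerequisite pages (server, SQL Server, console, agent) each list the flows a host must be able to open. As an added example (not code from the Arkoon deck or from StormShield), the PowerShell script below encodes those outbound TCP flows per role and probes them from the host it runs on, distinguishing a filtered port (timeout) from a closed one (connection refused). The host names, the role parameter, the cluster peer and the sample agent host are placeholder assumptions not present in the deck; UDP 1434 (SQL Browser) cannot be verified with a TCP connect and is left out, and an agent's inbound TCP 16006 is checked by running the script on the server with the Server role.

```powershell
# Added example: probe the outbound TCP flows from the "Open Ports (OUT)"
# tables from the host you are on. Not part of the Arkoon deck; host names are
# placeholders. UDP 1434 is omitted because it cannot be probed with TCP.
param(
    [ValidateSet('Agent', 'Console', 'Server')]
    [string]$Role              = 'Agent',
    [string]$StormShieldServer = 'stormshield-srv.corp.example.com',   # assumed name
    [string]$PeerServer        = 'stormshield-srv2.corp.example.com',  # assumed cluster peer
    [string]$SqlServer         = 'sql.corp.example.com',               # assumed name
    [string]$AgentHost         = 'ws001.corp.example.com',             # assumed sample agent
    [int]   $TimeoutMs         = 2000
)

# Outbound flows per role, copied from the prerequisite pages.
$Flows = @{
    'Agent' = @(
        @{ Target = $StormShieldServer; Port = 80;    Purpose = 'MSI file + Antivirus updates' },
        @{ Target = $StormShieldServer; Port = 443;   Purpose = 'Certificate' },
        @{ Target = $StormShieldServer; Port = 7080;  Purpose = 'Antivirus' },
        @{ Target = $StormShieldServer; Port = 16004; Purpose = 'Logs' },
        @{ Target = $StormShieldServer; Port = 16005; Purpose = 'Push' },
        @{ Target = $StormShieldServer; Port = 16006; Purpose = 'Pull' }
    )
    'Console' = @(
        @{ Target = $SqlServer;         Port = 1433;  Purpose = 'Database access' },
        @{ Target = $StormShieldServer; Port = 16007; Purpose = 'Synchronization' }
    )
    'Server' = @(
        @{ Target = $SqlServer;         Port = 1433;  Purpose = 'Database access' },
        @{ Target = $PeerServer;        Port = 16003; Purpose = 'Cluster' },
        @{ Target = $AgentHost;         Port = 16006; Purpose = 'Pull (server to agent)' }
    )
}

function Test-TcpPort([string]$Target, [int]$Port, [int]$TimeoutMs) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        # A filtered port shows up as a timeout, a closed one as a refused connection.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws on "connection refused"
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$failed = 0
foreach ($f in $Flows[$Role]) {
    $open = Test-TcpPort -Target $f.Target -Port $f.Port -TimeoutMs $TimeoutMs
    if (-not $open) { $failed++ }
    '{0,-6} {1}:{2,-5} {3}' -f $(if ($open) { 'OPEN' } else { 'CLOSED' }), $f.Target, $f.Port, $f.Purpose
}
exit $failed   # 0 = every required flow reachable
```

Run it as `.\Test-StormShieldFlows.ps1 -Role Agent -StormShieldServer <server>` on a freshly installed agent before deploying the MSI, and with `-Role Server` on each primary or secondary server; a CLOSED line for a port marked "customizable" on the prerequisite pages usually means the port was changed on the server side and the matching firewall rule was not.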