Secure and Control Laptops: Enabling road warriors without sacrificing compliance
Technology Blueprint

Security Connected Reference Architecture (Level 1 2 3 4 5)

The Security Connected framework from McAfee enables integration of multiple products, services, and partnerships for centralized, efficient, and effective risk mitigation. Built on more than two decades of proven security practices, the Security Connected approach helps organizations of all sizes and segments—across all geographies—improve security postures, optimize security for greater cost effectiveness, and align security strategically with business initiatives. The Security Connected Reference Architecture provides a concrete path from ideas to implementation. Use it to adapt the Security Connected concepts to your unique risks, infrastructure, and business objectives. McAfee is relentlessly focused on finding new ways to keep our customers safe.

The Situation

Remote devices carry confidential data on the front line, far from the defenses layered into the corporate network. Laptops can be more vulnerable to evolving attacks and susceptible to loss, theft, and deliberate or accidental misuse. For these reasons, administrators must ensure laptops have protection equal to or greater than endpoint systems on the internal network. Yet there is usually less control of and visibility into laptops due to their mobile nature.

Driving Concerns

Laptops are treasure troves of intellectual property and sensitive information. Data loss is at least as much a concern as malware infections, if not more. The cost of a lost or stolen laptop for organizations can average $49,000, a cost that can increase with loss of customer confidence after required data breach disclosures.[1] While encryption can mitigate the risk of data lost with a misplaced or stolen device, user activities, malware, and hacking of these devices can result in data loss during normal usage.

Compared to stationary endpoints, laptops are at greater risk of compromise and therefore require specific attention. Specifically, many laptops are more vulnerable to attack because of outdated patches and security software.

Most security management software does not lend itself well to managing road warriors’ laptops. Typically, administrators open additional ports for their clients to connect individually or enforce different or possibly more lenient policies simply because the systems are remote. Administrative visibility and control are often sacrificed.

In addition to the complexities of network administration and standard desktop management, securing laptops brings its own unique set of challenges.

• Visibility and control. Your reporting is only as good as the last time the user connected. When a mobile user is off the VPN, your visibility ends. And so does the ability to install software, force updates, and deploy and enforce updated policies.
• Stopping malware. Laptops must be able to update DAT files and policies independently, regardless of their location. But even with updating, one cannot rely 100 percent on signatures due to the exponential growth in malware and new threats breaking daily. IT professionals seek technologies that proactively block evolving threats, without reliance on signatures or software updates that laptops might miss while on the road.
• Data loss. Laptops operating off the corporate network must still adhere to policies for data usage, both to maintain compliance and to protect intellectual property. Administrators must be able to prevent leakage of sensitive data, whether intentionally or unintentionally, yet not interfere with normal business operations.
• Data protection. Administrators must secure laptop data so that if the device is stolen or lost, sensitive material is not compromised. Encryption can provide “safe harbor” so that public disclosure is not required.
• Unsafe surfing. Where are users surfing when they are not behind the corporate web gateway? Are they visiting risky or other undesirable websites? The challenge is how to enforce the corporate “Appropriate Use” policy when users are off the network.
• Administrative overhead and delegation. Managing multiple aspects of laptop security often involves multiple management servers from multiple security vendors, which increases cost and administrative overhead. The helpdesk must be able to address mobile users’ needs remotely without making inadvertent changes to security policies.
Solution Description

Long gone are the days when laptop security was synonymous with anti-virus. Each of the following components serves specific critical functions essential to an effective defense against security breaches and data loss:

• Visibility and control. A management console should provide secure communication with laptops across any Internet connection, whether or not a VPN is present. With that secure communication comes the ability to force updates, deploy new or updated protection, and modify security policies as required. Flexibility for laptop-specific reporting and policies is essential.
• Stopping malware. Traditional AV and anti-malware solutions must be supplemented by cloud-based technology to counter breaking threats. An effective kernel-level host IPS solution must also be deployed locally to block previously unknown malware and prevent exploitation of system and application vulnerabilities. The IPS solution should utilize cloud intelligence to block connections to external IP addresses known to present a risk.
• Data loss. The solution must facilitate the creation of policies to prevent loss of confidential data through mail, printing, storage devices, and other avenues. Policies dictating approved use of removable storage devices must work in concert with data loss prevention policies. In addition, a staged implementation is required in order to avoid business disruption. Begin with a discovery phase to locate sensitive data. This should be followed by a policy testing phase (non-invasive audit with proposed policies), then tuning based on those results, and, finally, ongoing policy enforcement.
• Data protection. The highest level of military-grade encryption must be used to prevent data compromise in the event of theft or loss. A sub-standard encryption solution may not prevent access to the data if the hard disk is cabled as a secondary drive on another system. To demonstrate safe harbor and avoid public disclosure in the event of loss or theft, an audit trail detailing the device’s encryption status is essential. However, no tuning should be required in relation to disk encryption; either your data is secured or it’s not.
• Unsafe surfing. To enforce safe surfing effectively, the solution must take both risk and content into account. The ideal solution would not use cloud intelligence simply to block categories of URLs, but also use the ubiquitous nature of the cloud to help prevent access to legitimate sites that have been newly compromised to host malware. As well, it must support equal policy enforcement capabilities when clients are off the network. This consistent enforcement can help prevent users from reaching such sites simply because they are not behind a corporate web gateway solution. Where access is required, administrators must be able to allow access to any blocked sites and have the client system receive policy updates quickly.
• Administrative overhead and delegation. The most cost effective and efficient system would provide a single management console for all required solutions and incorporate granular role-based access to minimize potential misconfigurations. To allow the helpdesk to provide mobile users with immediate help, such as granting temporary overrides or resetting encryption passwords, helpdesk members should be provisioned with privileges, but only those specific rights needed to accomplish their tasks.

Decision Elements

These factors could influence your architecture:

• What specific issues are you currently worried about when your laptop users are on the road? Do you have compliance issues you need to resolve, or governance requirements to document appropriate use on all company-owned devices?
• Would you be able to place a server in the DMZ to facilitate client-server communication when laptops are off the network?
• If a laptop with sensitive data were stolen today, how quickly would you be required to assess the damage and make a public disclosure?
• Would you implement cloud-based lookup to provide greater protection if it meant no impact to your business?
• Do you currently have data loss prevention tools on your roaming laptops? Do you need to integrate additional controls to increase their effectiveness?
• Do you need to enforce fine-grained policies for which users can utilize removable storage devices and which devices they can use?
• Would role-based access be required, for instance to allow your helpdesk to troubleshoot or provide overrides for remote users?
Technologies Used in the McAfee Solution

The McAfee® solution for managing laptops includes a set of endpoint modules that enhance security for the system and its data. The policies are enforced even when a user leaves the corporate network and is working without a VPN. Adaptive policies can implement stronger rules when users are in potentially unsafe settings, varying host data loss prevention (DLP) or firewall rules, for example.

Another important component of the McAfee solution is the underlying cloud-based McAfee Global Threat Intelligence™ (GTI) found in McAfee products. Many of the McAfee solutions listed below benefit from real-time lookups to augment signature-based technology. McAfee VirusScan® performs a GTI lookup to check the reputation of suspicious files, providing identification and cleaning of malicious files, even if a signature is not yet available. McAfee SiteAdvisor® Enterprise relies on web reputation and categorization to prevent access to malicious or compromised websites, thus preventing malware from reaching the system in the first place by blocking it at the source. The IP or network connection reputation option within the firewall of Host IPS blocks suspicious traffic identified against a database of hundreds of millions of network connections. These ongoing feeds help ensure strong, updated protection when the laptop leaves the relatively safe corporate network. These GTI lookups are essential to countering the onslaught of new threats and malicious sites surfacing daily.

These modules are deployed and maintained through our centralized security management and compliance platform, McAfee ePolicy Orchestrator® (McAfee ePO™). To enable consistent policy and software updates during remote and non-VPN use of laptops, client systems periodically poll an “Agent Handler” in the DMZ, providing ongoing visibility and control regardless of connection type. For example, instead of waiting to establish a VPN or docking at a corporate location, a road warrior sitting in a hotel on the other side of the world will automatically receive any new policies or update instructions at boot or at the next client communication. Customizable laptop reports and notifications help administrators understand and manage risk status on laptops. For instance, a notification of triggered IP Reputation events might indicate possible bot or Trojan activity that merits system investigation.

[Figure: Laptop (McAfee VirusScan Enterprise, McAfee Host IPS, McAfee SiteAdvisor with Web Filtering for Endpoint, McAfee Host DLP, McAfee Endpoint Encryption); Agent Handler; McAfee ePO; SQL Database Server. Caption: The single McAfee management agent on each laptop works with the Agent Handler to allow control of laptop security even without a VPN connection.]
The components described below work in concert to provide cohesive security for laptops managed through a single console:

McAfee VirusScan® Enterprise

The scanning engine at the heart of all McAfee anti-malware products blocks viruses, Trojans, worms, and other malicious code, applying signatures and behavioral rules. It also leverages McAfee Global Threat Intelligence (GTI) to counter breaking threats. If a file is deemed suspicious in a heuristic analysis, McAfee VirusScan performs a real-time lookup of the file’s reputation and takes appropriate action, enabling you to prevent infection by previously unknown malware. Using the Agent Handler described above, signatures are updated automatically whether or not the laptop is on a VPN. For extra confidence, McAfee publishes a process that helps you verify that your laptops can communicate properly with the McAfee GTI servers.[2]

McAfee Host IPS

Signature- and anomaly-based intrusion prevention on the laptop blocks the behavior of previously unknown malware by preventing exploitation of system vulnerabilities and unexpected behavior such as modification of Windows executables. The stateful firewall of Host IPS provides dynamic IP lookup through McAfee GTI to block access to sites with poor or risky reputations without requiring a connection to your corporate network or VPN. “Connection Awareness” provides the option to apply a more stringent firewall rule set when the laptop is off the network. While docked at the office, “Connection Isolation” prevents inadvertent bridging of your internal network to the coffee shop or hotspot across the street.

McAfee SiteAdvisor with Web Filtering for Endpoint

McAfee SiteAdvisor enforces corporate safe surfing policies by blocking access to compromised websites or sites hosting malware and exploits, whether a system is on or off the network. With the addition of McAfee Web Filtering for Endpoint, category-based URL filtering enforces your corporate web browsing policies.
Policies are enforced when laptops are surfing without a VPN connection. No local updates are required, as systems perform a real-time lookup to check the reputation and content of websites with the McAfee Global Threat Intelligence database. This regular communication ensures risky sites are blocked based on the most current information possible. If desired, McAfee SiteAdvisor Enterprise can stand down from its enforcement if it detects that your organization enforces policies through its web gateway.

McAfee Host Data Loss Prevention (DLP)

Managed by McAfee ePO, Host DLP automates discovery of sensitive material and enforces policies against data loss through common vectors including removable storage, print, mail, and web posting. If a policy is blocking a necessary one-time business activity (perhaps an executive needs to print a file at a customer site), an option allows timed policy overrides via internal helpdesk request. The policy can be deactivated for 30 minutes, for example, to allow the executive to print the file. After that interval, the policy will automatically reactivate to bring the system back into compliance.

McAfee Endpoint Encryption

Full disk encryption prevents exposure of sensitive data on laptops by applying transparent, military-grade encryption. For strong access control, the authentication policy can enforce two- and three-factor, pre-boot authentication. Should a laptop be lost or stolen, audit trails can demonstrate the presence of active encryption, which can allow your company to avoid the cost and embarrassment of disclosing the loss. Helpdesk recovery options aid remote users experiencing login issues, such as lost passwords or authentication keys. The password self-recovery option allows users to reset their own passwords, reducing dependency on support when employees are on the road and eliminating frequent and costly helpdesk calls.
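To make the Host IPS “Connection Awareness” and “Connection Isolation” behaviour described above concrete, here is an added example of the decision logic (not McAfee’s code). It assumes the corporate network is recognised by a constructed connection-specific DNS suffix and uses made-up rule-set names; how the real product classifies a connection is not stated on this page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    name: str
    up: bool
    dns_suffix: str       # connection-specific DNS suffix the OS reports for this adapter
    is_vpn: bool = False  # True for a VPN tunnel adapter


# Assumption (constructed): the corporate network is recognised by the DNS suffix
# handed out by corporate DHCP or by the VPN concentrator.
CORPORATE_SUFFIXES = frozenset({"corp.example.internal"})

# Constructed names for the two firewall rule sets the blueprint describes.
RULESET_ON_NETWORK = "standard-corporate"
RULESET_OFF_NETWORK = "stringent-roaming"


def is_corporate(iface):
    return iface.up and iface.dns_suffix.lower() in CORPORATE_SUFFIXES


def select_ruleset(interfaces):
    """Connection Awareness: keep the standard rule set only while some active
    interface (wired, wireless or VPN tunnel) is on the corporate network;
    otherwise fall back to the more stringent roaming rule set."""
    if any(is_corporate(i) for i in interfaces):
        return RULESET_ON_NETWORK
    return RULESET_OFF_NETWORK


def isolation_blocks(interfaces):
    """Connection Isolation: while a physical (non-VPN) corporate interface is
    active, e.g. docked at the office, return the names of the other active
    non-corporate interfaces whose traffic should be blocked so the laptop
    cannot bridge the internal network to a hotspot across the street.
    A VPN tunnel does not trigger isolation: the physical interface it rides
    on must stay open or the tunnel itself would drop."""
    docked = any(is_corporate(i) and not i.is_vpn for i in interfaces)
    if not docked:
        return []
    return [i.name for i in interfaces
            if i.up and not i.is_vpn and not is_corporate(i)]


def evaluate(interfaces):
    """Return the firewall rule set to apply and the interfaces to isolate."""
    return {"ruleset": select_ruleset(interfaces),
            "blocked": isolation_blocks(interfaces)}


if __name__ == "__main__":
    # Constructed scenarios: hotel Wi-Fi alone, hotel Wi-Fi plus VPN, docked at the office.
    hotel = [Interface("wlan0", True, "hotel-guest.lan")]
    print(evaluate(hotel))
    print(evaluate(hotel + [Interface("tun0", True, "corp.example.internal", is_vpn=True)]))
    print(evaluate([Interface("eth0", True, "corp.example.internal"),
                    Interface("wlan0", True, "cafe-free.lan")]))
```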
McAfee Global Threat Intelligence (GTI)

McAfee endpoint and network products benefit from millions of sensors gathering and correlating real-world threat information across all threat vectors, including file, web, message, and network. These ongoing risk assessments provide real-time data on dangerous sites, IP addresses, and emerging threats via queries to the cloud—whether the laptop is on the network or in a coffee shop, with VPN or without.

McAfee ePolicy Orchestrator

The unifying force across these solutions is the McAfee ePO server and its management agent, which is installed on each laptop. The laptop polls the McAfee ePO server, or an Agent Handler, at intervals you specify. Laptops automatically retrieve any revised policies, updated signatures, and product patches. At the same time, the agent sends the latest laptop status and events to the central ePO database. Administrators can apply fine-grained policies and enforce them reliably, documenting status with simple, separate laptop-only reports of system status and events at any time. Role-based access within McAfee ePO enables fine-grained administrative accounts, which can be customized for any role, including helpdesk functions.

McAfee ePO can deploy, manage, and report on all the technologies mentioned above, plus many others, reducing the cost of managing a broad and complete range of security functions. In addition, laptop security details can be rolled up with other required endpoint dashboards and reports, as well as network security, risk and compliance solutions, and third-party solutions from the McAfee Security Innovation Alliance. Companies already using McAfee ePO or McAfee Endpoint Security face only minimal infrastructure changes.

Impact of the Solution

This McAfee architecture enables a consistent, efficient management environment across fixed and mobile endpoints. IT can increase visibility into and control over laptops, reducing risk and enforcing compliance reliably.
By providing a secondary source of communication and management via the Agent Handler, IT can keep laptops in compliance with current policies and report more quickly on client events that occur when the laptop is off the network.

To protect road warrior systems, McAfee includes specific security tools that work even without a direct connection to the enterprise network. By applying different rules based on network connection, enterprises can mitigate the elevated risks of inappropriate or risky web usage, data loss from malware, and loss or theft of the device that go hand in hand with laptop usage. Because laptop loss is so common, our technologies can enforce military-grade encryption to protect sensitive data. We also work through the cloud to block risky content and sites based on reputation, protecting employees who use corporate laptops for private surfing and protecting companies from policy violations.

McAfee security systems work together to lower operational costs, reduce the likelihood and cost of malware cleanup or data loss (and associated disclosures), and significantly enhance each enterprise’s security and compliance posture.
Q&A

Q: How do remote clients communicate to the McAfee ePO server through an Agent Handler?
A: Roaming laptops use Transport Layer Security (TLS) to connect to the Agent Handler via its fully qualified domain name, as if the Handler were the McAfee ePO server itself. The Agent Handler reports client data directly to the McAfee ePO SQL database. The clients also retrieve any new instructions (policy changes, deployment tasks, etc.) and enforce them locally. See the McAfee ePolicy Orchestrator Agent Handler White Paper for additional details.[3]

Q: How does McAfee Host IPS query the McAfee Global Threat Intelligence database?
A: The endpoint running Host IPS performs a DNS query to the cloud-based McAfee GTI system and a response is returned immediately. The firewall portion of Host IPS performs any IP Reputation blocking based on the response from McAfee GTI.

Q: Is McAfee Global Threat Intelligence limited to IP Reputation on the host?
A: No. McAfee GTI includes several different operations, connecting threat intelligence from Internet sensors as well as McAfee installations worldwide. IP Reputation is one GTI function used in this solution, as well as in the McAfee Web Gateway and Network Security Platform. Another part of McAfee GTI, File Reputation, performs similar checks on suspicious files and can often block malware infections before a traditional signature (DAT) is available. File Reputation GTI is used in the McAfee VirusScan part of this solution, as well as many other McAfee products such as McAfee Network Security Platform, McAfee Security for Microsoft Exchange, and McAfee Security for Microsoft SharePoint. Message Reputation is included in the McAfee Email Gateway, McAfee Firewall Enterprise, and McAfee Security for Microsoft Exchange.

Q: Does McAfee GTI store any information related to our organization?
A: No. The GTI system only stores information related to destination IPs, malware, and vulnerability data, and their associated status in terms of risk.
Q: How does McAfee SiteAdvisor with Web Filtering for Endpoint work when the road warrior is travelling?
A: The McAfee SiteAdvisor products query the McAfee cloud-based database directly, receiving a response in milliseconds. McAfee SiteAdvisor uses a system that rates websites based on their risk level, while Web Filtering for Endpoint is more concerned about the content of the site relative to URL categorization and appropriate use policies. Both systems enforce policies whether or not the user is on a corporate network or has an active VPN.
Additional Resources

www.mcafee.com/virusscan-enterprise
www.mcafee.com/hips-server
www.mcafee.com/siteadvisor
www.mcafee.com/hostdlp
www.mcafee.com/encryption
www.mcafee.com/gti
www.mcafee.com/epo
McAfee Corporate Knowledgebase: www.mcafee.com/kb
McAfee ePO Agent Handler White Paper: www.mcafee.com/agent-handler-wp
How to enable McAfee Global Threat Intelligence in your McAfee product: www.mcafee.com/enable-gti

For more information about the Security Connected Reference Architecture, visit: www.mcafee.com/securityconnected

About the Author

Thomas Fox, Sales Engineering Manager in our Texas office, has specialized in endpoint protection as a McAfee SE for several years. He has written technical papers on optimizing and customizing McAfee ePolicy Orchestrator and co-authored endpoint evaluation guides. Prior to joining McAfee he worked in email operations for a large financial institution. Thomas obtained his BA in History from the University of Texas at Dallas, is conversant in Spanish, and has nearly completed his acquisition of the works of Mozart.

Notes

[1] http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/Cost%20of%20a%20Lost%20Laptop%20White%20Paper%20Final%203.pdf
[2] https://kc.mcafee.com/corporate/index?page=content&id=KB53734
[3] https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/22000/PD22508/en_US/ePO_4.5_Agent_Hander_White_Paper.pdf

The information in this document is provided only for educational purposes and for the convenience of McAfee customers. The information contained herein is subject to change without notice, and is provided “AS IS” without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance.
McAfee, McAfee Data Loss Prevention, McAfee Endpoint Encryption, McAfee ePolicy Orchestrator, McAfee ePO, McAfee Global Threat Intelligence, McAfee Host IPS, McAfee SiteAdvisor Enterprise, McAfee VirusScan Enterprise, VirusScan, and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications, and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright © 2011 McAfee, Inc.

2821 Mission College Boulevard
Santa Clara, CA 95054
888 847 8766
www.mcafee.com

36903bp_laptops-L3_1011