Archive for the ‘FDE’ Category.

GuardianEdge Announces Hardware Based Encryption Support

GuardianEdge put out a press release this week announcing Encrypted Drive Manager. This software will allow you to manage hardware-encrypted hard drives as well as drives encrypted with GuardianEdge Hard Disk, all from one platform. This will be released in Q2 2010. When I was evaluating GuardianEdge in 2007 they talked about these features, so it's nice to see it finally (soon to be) making it to market.
Hardware-based encryption may finally be ready to ignite. The Trusted Computing Group has been working on standards, so it's not such a mishmash. Performing the encryption on the drive itself keeps the encryption keys out of system memory, so they aren't exposed to cold boot attacks. There isn't a CPU performance penalty, as there can be with software encryption. Wiping a drive is as simple as removing the encryption key.
The main problem has been manageability. You need to be able to corporately manage accounts on the hardware-encrypted drive just as you do with software encryption. It has to be enterprise ready. It's necessary to be able to manage both software- and hardware-based Full Disk Encryption, and GuardianEdge is going to allow for that.
I anticipate a time when the drives we order in our standard systems will all be hardware FDE capable and managed by GuardianEdge.

Guardian Edge 8.7 upgrade saga

Recently I decided to look at upgrading our Guardian Edge Hard Disk Encryption to version 8.7. I was hoping it would resolve some of the flakiness with the version we currently have deployed.
What I found instead was more flakiness, and tech support responses that I'm pretty sure must be sent through the babelfish before they are sent to me.
One of the first things I ran into is that when upgrading you need to copy the old installation MSIs into the new installation directory. I sent Guardian Edge support an email and asked them:

  • Why are the old files needed?
  • Isn't it normal for an MSI install to keep the installation files cached locally for repair and/or uninstall?
  • Isn't it normal, if the original install files are needed and they aren't cached locally, to silently check the original install source?
  • Isn't it normal to then prompt the user for the needed files rather than exiting the install with a "file not found" error?
  • If some clients are on 8.2.4 and others are on 8.5 and I'm upgrading to 8.7, can I just put the 8.5 install files in the directory, or do I need to make a separate install package for upgrading from 8.2.4 (since the 8.2.4 and 8.5 install files use the same name)?

Which one of these questions was answered by support? If you answered not a one, you are correct.
Next I ran into a couple of strange issues. On a few XP computers, the Guardian Edge Framework upgraded to 8.7 but the Guardian Edge Hard Disk did not upgrade.
On my Vista computer, it would not install at all. I opened a ticket about the second case and was told that when creating the MSI install package the destination folder needs to be "full control". Having read the install/upgrade guide, I had seen that. I asked what is meant by full control. The install directory already had permissions of Administrators: Full Control and System: Full Control. Guardian Edge support then wanted to set up a phone call for followup. I felt I'd asked a rather vanilla question, and decided to review the manuals. I found that the permissions on the folder where the MSI files are created are actually incorporated into the MSI. I've never seen anything like that before! I set the destination folder for the MSIs to Everyone: Full Control and recreated the install packages. This time I was able to install Guardian Edge Hard Disk Encryption onto my Vista computer.
At this point I thought everything was OK, in spite of the lack of support I'd received from Guardian Edge. A reasonable explanation had been found for my install errors. I'd be able to go forward with an 8.7 upgrade.
Monday morning came and I booted the Vista laptop on which I had installed GE 8.7. Instead of booting I received an error “The EAFS volumes contain errors. Run Recover.”
I booted to a USB drive and ran "recover /a" to repair the Guardian Edge databases. This did not solve the problem, so I opened another case with Guardian Edge. First I attempted to call their 866 number. That resulted in a long pause followed by a fast busy signal. Next I opened a case through salesforce.com. I described the error and what I had done thus far and asked if it was OK to use the 8.2.0 Hard Disk Access Utility on an 8.7 client. The response I got was to use the latest version, but it didn't say what the latest version is or where to get it. I'm following up on that. I'm concerned because last time I asked for this utility they sent it FedEx rather than providing an ISO download.
I was so hoping to write something positive about Guardian Edge this month.

Guardian Edge Hard Disk Encryption 8.7, SEP 11 and IPv6 over IPv4

I am planning to upgrade to Guardian Edge Hard Disk Encryption 8.7. It's been over a year since we deployed 8.2.4 and I wanted to get some of the assorted fixes out to our computers.
While reading the release notes, I noticed a known issue with Symantec Endpoint Protection 11.

"Following the installation of GuardianEdge Hard Disk on the Client Computer, a Network Threat Protection message may be displayed, alerting the end user to a change in the EAFRCliADSI application."

The solution is to allow IPv6 over IPv4.
Personally I am not a big fan of this solution. Until I have a personal firewall that works with IPv6, I think we should default deny it. Until there is a need for IPv6, we should default deny it.
The solution doesn’t adequately explain the problem to me. I don’t use SEP11 to monitor what applications can go out (management overruled me). I’m thinking users would never be alerted if an application changed. Thus their workaround should be unnecessary.
I called support but that only resulted in a guy reading the release note back to me. I guess I’m going to upgrade the server and install 8.7 on my computer and see what happens.

Firewire Attack Against Pointsec

After reading about a FireWire memory attack against Windows (it also affects other operating systems), I figured it wouldn't take long before someone demonstrated its use against full disk encryption. After all, why bother booting to USB or freezing the RAM if you can just hook up a FireWire connection and access the memory?
Today, I saw a Dark Reading article where a group/vendor has penetrated a Pointsec-encrypted computer through the use of the FireWire technique.

This simple attack takes advantage of the FireWire protocol and its ability to directly access and modify the RAM of a target machine with a FireWire port installed. Using a simple and readily available forensics software tool, it is possible to connect a FireWire cable to a computer, and within seconds bypass the Windows authentication and log in as a local administrator.

It is important to note that pre-boot authentication was not enabled on this computer. If it had been the attack would not have succeeded. I can’t imagine deploying FDE without pre-boot authentication. This article could have described an attack against any FDE vendor not using pre-boot authentication.
I've disabled the FireWire port on my laptop. I haven't looked at what it would take to disable the FireWire port across an enterprise. Perhaps it's time for more spelunking in devcon. Or maybe Google will have an easy answer. I wonder how many "port control" products include FireWire.

Guardian Edge Support

At the beginning of the year, Guardian Edge transitioned support to an interactive voice response (IVR) system. Since then it seems impossible to call and speak to a live person.
I don't generally like to call any support phone number. Most matters should be resolvable by checking the manual, reading the knowledge base, or opening a ticket via email or web form. When I do have to call support it's because I really need an answer now, and I don't mind waiting on hold for a bit to get it.
The old Guardian Edge support fit that model perfectly. I could call, and normally get someone right away.
The new Guardian Edge support model is geared toward never speaking to anyone. If you call, a voice response system asks if the number you are calling from is the one associated with your account. Next, even though they've already identified you by phone number, the IVR asks for your support ID number. After that you can leave voice mail describing your case. In each case I've had since this change, the support technician replies by email in 4-6 hours. God help you if that answer doesn't resolve the issue, because the case will get lost after that.
We paid for phone support. This doesn't seem like phone support to me. I have tried to address these concerns with Guardian Edge. The person heading the project corrected a routing problem with my support ticket. They did not address what I feel is a loss of service.
This sort of thing happens a lot with expanding companies. They have more callers and don't have the trained bodies to handle the calls. I still find it very disappointing.

Guardian Edge Configuration Administration Weakness

Guardian Edge Encryption Anywhere Hard Disk is a Full Disk Encryption product that, in the words of their website, offers a "unique integration with Microsoft Active Directory for Group Policy Object based policy management".

Some policies can only be set at installation, but other settings can be configured through Group Policy. They provide Group Policy Administrative Templates (ADM files) that are imported into Group Policy and deployed to the users. Guardian Edge recommends that access to these Group Policy snap-ins be restricted (which can be done in Group Policy). This prevents a local administrator from importing the ADM file into their local Group Policy and modifying settings themselves.

By opening the ADM files in a text editor, it is apparent which registry keys and values each policy modifies. I haven't tested this since enabling the Group Policy snap-in restriction, but I am reasonably sure that no Group Policy snap-in restriction will prevent me from creating these registry keys directly. Malicious code, or a user trying to escape perceived encryption slowness, could then bypass the normal administration methods and decrypt the hard drive.
Disabling security products is often step 1 for malware when it finds a new computer to infect. Why not decrypt the drive too? That sort of thing wouldn’t help an attacker motivated by money, but there are still plenty motivated by mischief making.
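To turn "read the ADM file" into a concrete list of registry values to protect, here is an added example (my own code, not GuardianEdge's) that parses ADM syntax and resolves each VALUENAME against the KEYNAME in scope; the sample template is constructed with placeholder names and is not the product's real template.

```python
# Added example (not GuardianEdge's code): list every registry value an ADM template
# writes, so each can be ACLed and audited. SAMPLE_ADM uses constructed placeholder names.
SAMPLE_ADM = r"""
CLASS MACHINE
CATEGORY !!FDE
  KEYNAME "Software\Policies\ExampleFDE"
  POLICY !!AllowDecrypt
    VALUENAME "AllowLocalDecrypt"
    VALUEON NUMERIC 1
  END POLICY
  POLICY !!Timeout
    KEYNAME "Software\Policies\ExampleFDE\Auth"
    PART !!Minutes NUMERIC
      VALUENAME "LockTimeoutMinutes"
    END PART
  END POLICY
END CATEGORY
"""
SCOPES = ("CATEGORY", "POLICY", "PART", "ACTIONLISTON", "ACTIONLISTOFF")

def _arg(rest):  # first argument of a statement, surrounding quotes removed
    rest = rest.strip()
    return rest[1:rest.index('"', 1)] if rest.startswith('"') else (rest.split() or [""])[0]

def parse_adm(text):
    """Return (hive, policy name, key path, value name) for each VALUENAME."""
    body = text.partition("[strings]")[0]            # [strings] only holds display text
    hive, policy, stack, found = None, None, [], []  # stack: effective KEYNAME per open scope
    for line in (l.strip() for l in body.splitlines()):
        if not line or line[0] in ";#":               # blank, comment or #if directive
            continue
        word, rest = (line.split(None, 1) + [""])[:2]
        word, arg = word.upper(), _arg(rest)
        if word == "CLASS":
            hive = {"MACHINE": "HKLM", "USER": "HKCU"}.get(arg.upper())
        elif word in SCOPES:
            stack.append(stack[-1] if stack else None)  # child scope inherits parent's KEYNAME
            policy = arg if word == "POLICY" else policy
        elif word == "END" and arg.upper() in SCOPES:
            stack.pop()
        elif word == "KEYNAME":
            stack[-1] = arg                             # KEYNAME overrides for this scope only
        elif word == "VALUENAME":
            found.append((hive, policy, stack[-1], arg))
    return found

def audit_targets(text):
    """Sorted, de-duplicated full registry paths: the list to ACL and audit."""
    return sorted({f"{h}\\{k}\\{v}" for h, _, k, v in parse_adm(text)})
```

The resulting paths are what you would put under a restrictive ACL and registry auditing, so a change made outside Group Policy is both blocked and logged.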

I approached Guardian Edge support to ask them if this was indeed a viable attack. Is it desirable to place an ACL on this registry key? Could an ACL even be placed on the registry keys used by a policy? They responded:

“We totally depend on the Windows/Active Directory Security models. As of today, Microsoft has provided fixes for all the publicly known security holes for those models.”

Do you really want your Full Disk Encryption totally dependent on Windows for security?

The bottom line is that Guardian Edge's Full Disk Encryption does what it's designed for. A stolen computer will be protected by the pre-boot logon as long as the user has shut the machine down.

SANS Session 1.5 Encryption Tools

These are my notes from the vendor panel at the SANS Secure Storage and Encryption Summit.
Guardian Edge
If we haven’t had enough statement of the problem, I like the way they put it.
Data is disappearing out of the organization and you don’t know it.
81 percent of companies report the loss of one or more laptops containing sensitive data in the past 12 months. Would we even know what was on the laptop?
53% believe that their companies would be unable to determine what sensitive or confidential info resided on a USB memory stick if it were lost.
PGP
- The PGP piece on the blackberry is there by default. You just need to license it. It actually will connect to your PGP Universal server. That sounds kind of neat.
Seagate
Seagate admits that it's a hard drive solution only. You need to do something else for your thumb drive, email, etc.
FIPS 140 is in progress for the Seagate drive (I assume that is FIPS 140-2. I don't think they do 140-1 anymore).
They also have the DoD evaluating it for secure wipe. Seagate just removes the encryption key.
The PGP guy made an analogy to when 3-D graphics cards came out. Something about it not putting software rendering out of business; they work together.
Q – Why would we need this (any of the vendors) when BitLocker comes out?
A – better management tools
- mature product
- OS support; BitLocker is obviously Vista only and reportedly only the more expensive versions of Vista.
- No requirement for TPM. BitLocker is better with TPM.

SANS Section 1.3 Top Mistakes in Deploying Mobile Data Encryption

Again these are my notes from the SANS Secure Storage and Encryption Conference. In Session 1.3 four companies discuss their experiences deploying encryption.
JP Morgan Chase – Guardian Edge EPHD
48k laptops deployed.
They found problems due to standardization issues and multiple support teams.
Key Challenges
- If your goal is to encrypt data on laptops specifically you need to be able to find the laptops and know how many you have.
- multiple support organizations
- New login for users
I didn’t quite understand the login issue. Are their users now faced with a dual login where they authenticate to the encryption software and then again to Active Directory?
Reports! Produce reports showing install rates. Highlight the departments doing good.
Your biggest problem will be the guy who likes to screw around with hacker tools even though it's not part of his job.
You need to be able to validate that encryption has occurred and continues to occur.
Backups are crucial.
They found that if you boot to safe mode and run defrag you will kill your master boot record. I wonder what that says about booting to safe mode to fix spyware issues. HMMMM.
People think this will slow down their PC. They won't do it on their own. (I would say that the users who have customers demanding it will do it.)
Q – How do you deal with the engineer/hacker wannabe who thinks they know better?
A – Log agent with central aggregator.
Northrop Grumman – also using Guardian Edge
High level buy-in is key
They had lots of pushback initially, but the installs turned out to be not that big of an issue.
You don’t want your customer coming back to you and saying your encryption isn’t good enough. That is why they did full disk AES 256.
They spent a lot of time with legal on export control issues. We all know about the axis of evil countries where you can't export software. But what about less known laws where bringing an encrypted laptop in can cause problems? They have a list of 20 countries that they can't go to with their computer. Corporate Security and the Travel office coordinate so people going to these countries don't have sensitive info and use a vanilla PC without encryption.
Communication is key in the deployment. The initial encryption time can be an issue.
Northwest Mutual - Safeboot, Credent Mobile Guardian
Q – How did you verify that the solution is installed?
A – They used Altiris to look for specific EXEs.
Q – How did you handle multi-user PCs?
A – I didn't quite get this. It sounded like you have to assign each user the rights to log on.
Use full disk encryption – you don't want to leave the decision in the user's hands.
users would reboot on their way out for the day. As a result unattended SMS installs did not work. They had to change user behavior.
FDIC Credent Mobile Guardian
Credent does GINA Chaining
In your project you need to give users the confidence that you aren’t going to disrupt them.
Don’t go for the big bang. Test in small groups and deploy.
Lessons Learned -
- Confirm the product's ability to encrypt data regardless of location type and structure. Fill in the gaps where necessary. (My comment: it can be a real issue when the project scope is defined one way and people start asking about other features.)
- Don't deploy too many things at once. Everything will get blamed on the encryption.