Posts tagged ‘GuardianEdge’

Full Disk Encryption versus Sleep

As part of my Symantec Endpoint Encryption (SEE) upgrade, I verified that the new version worked with our main computer models. During that testing, I looked at how boot/shutdown times changed, and verified that the system could still reboot and enter/exit sleep and hibernate correctly. The only problem that came out of that testing was that when standby was used, the user no longer had to do a preboot authentication before logging into Windows. Previously GuardianEdge Hard Disk Encryption (GEHD) provided full disk encryption on a cold boot and on returning from standby or hibernate. Further testing found GEHD 9.5.3 also had this problem; I just didn’t know it.

Since the cold boot attack was announced, it has been best practice not to allow computers using Full Disk Encryption (FDE) to enter sleep. The encryption key typically remains in memory while the computer is in sleep mode, so it is susceptible to the attack.

As a side note, hibernate is also dangerous if your FDE product doesn’t encrypt the hibernate file. SEE should not have this issue.

Personally I refrain from using hibernate or sleep. In my experience, it is unreliable. So I’m not the most sympathetic person here. There is always a tradeoff between security and usability. If sleep is insecure and you fail to disable sleep then you only have the appearance of security. You’ve checked the encryption box without actually protecting the data.
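What "disable sleep" looks like on the endpoint, as an added example that is not from the post or from Symantec: the PowerShell below audits the active power scheme for the "Allow standby states (S1-S3) when sleeping" setting and for hibernate support, and if standby is still permitted it turns standby off while leaving hibernate on (relying on the post's point that SEE encrypts the hibernate file). The power-setting GUIDs are the standard Windows identifiers; the script must run elevated, and in a domain the same settings are normally pushed through the Power Management policies under Computer Configuration rather than set per machine.

```powershell
# Added example, not from the post or from Symantec. Run elevated.
# Setting identifiers are the standard Windows power-setting GUIDs/aliases.
$SubSleep     = 'SUB_SLEEP'                               # Sleep subgroup (powercfg alias)
$AllowStandby = 'abfc2519-3608-4c2a-94ea-171b0ed546ab'    # "Allow standby states (S1-S3) when sleeping": 0 off, 1 on
$StandbyIdle  = 'STANDBYIDLE'                             # "Sleep after" idle timeout in seconds, 0 = never
$SubButtons   = 'SUB_BUTTONS'                             # Power buttons and lid subgroup
$LidAction    = '5ca83367-6e45-459f-a27b-476b1d01c936'    # Lid close action: 0 nothing, 1 sleep, 2 hibernate, 3 shut down

function Get-PowerSettingIndex {
    # Returns @{ AC = <int>; DC = <int> } for one setting in the active scheme,
    # parsed from the "Current AC/DC Power Setting Index: 0x..." lines powercfg prints.
    param([string]$Subgroup, [string]$Setting)
    $result = @{}
    powercfg -query SCHEME_CURRENT $Subgroup $Setting | ForEach-Object {
        if ($_ -match 'Current (AC|DC) Power Setting Index:\s*0x([0-9A-Fa-f]+)') {
            $result[$matches[1]] = [Convert]::ToInt32($matches[2], 16)
        }
    }
    return $result
}

function Test-HibernateEnabled {
    # Windows records whether hiberfil.sys is in use under the Power control key.
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' -ErrorAction SilentlyContinue
    return ($p -ne $null -and $p.HibernateEnabled -eq 1)
}

function Test-StandbyBlocked {
    # Compliant only when S1-S3 are disallowed on both AC and DC and hibernate is available,
    # so the machine still has a low-power option that goes through preboot authentication.
    $allow = Get-PowerSettingIndex $SubSleep $AllowStandby
    return ($allow.AC -eq 0 -and $allow.DC -eq 0 -and (Test-HibernateEnabled))
}

function Disable-Standby {
    powercfg -hibernate on | Out-Null
    foreach ($side in 'ac', 'dc') {
        # -setacvalueindex / -setdcvalueindex: plugged in and on battery respectively.
        powercfg "-set${side}valueindex" SCHEME_CURRENT $SubSleep   $AllowStandby 0 | Out-Null
        powercfg "-set${side}valueindex" SCHEME_CURRENT $SubSleep   $StandbyIdle  0 | Out-Null
        powercfg "-set${side}valueindex" SCHEME_CURRENT $SubButtons $LidAction    2 | Out-Null
    }
    powercfg -setactive SCHEME_CURRENT | Out-Null   # re-activate the scheme so the new values apply
}

if (-not (Test-StandbyBlocked)) {
    Write-Host 'Standby still allowed or hibernate off: enforcing.'
    Disable-Standby
}
Write-Host ('Compliant: {0}' -f (Test-StandbyBlocked))
```

Run the audit half on its own first (Test-StandbyBlocked) across a few models: a machine whose firmware does not support S4 will report hibernate off no matter what, and that is a hardware-list question rather than a script problem.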

Management’s first response to this documented need to disable sleep is to ask for a report comparing sleep versus quarantine shutdown times. In my experience, getting off XP is the first step toward having decent shutdown times. The second step is reloading the system once it has the crud. The effect of creeping crud will be more noticeable now that we are on three-year leases.

For more information on protection against cold boot attacks with Symantec Endpoint Protection see their knowledgebase.

Symantec EndPoint Encryption Installer

Symantec Endpoint Encryption (SEE) 8.0.1 is my first upgrade since Symantec purchased GuardianEdge. It is a newer version in spite of having a lower number than GuardianEdge 9.5.x. I guess it is really too soon to expect big changes. I was hoping they would address some of the installer annoyances.

With SEE, you install a management server, then create the client install packages.   These are MSI packages.

Separate 32-bit and 64-bit Installer Files
I don’t do MSI package generation myself, but the software I’ve seen allows you to put both 32-bit and 64-bit into one installation file. I would think this would make things a lot easier. The main drawback would be the size of the install file. I end up putting both 32-bit and 64-bit files into one installation package and calling the appropriate one based on the CPU architecture. So it doesn’t save me space and instead requires extra scripting work. Is there some technical limitation I’m not aware of?

Upgrades
Upgrading versions of Symantec Endpoint Encryption (or GuardianEdge Hard Disk Encryption) requires using special switches. When performing an upgrade, I need to use the command line MSIEXEC /i "\.msi" REINSTALL="ALL" REINSTALLMODE="vomus". This upgrades the client by reinstalling all features of the product.

On the other hand, a regular install of Symantec Endpoint Encryption, where it was not installed previously, uses more familiar switches (/qb). In previous upgrades I’ve found that if I try to use the REINSTALL/REINSTALLMODE switches on a fresh install it will not work. I then have to script the install to use different command line options based on installation status, in addition to 32-bit versus 64-bit.

To make matters worse, some computers in my environment have Removable Storage Encryption and others don’t. My install script is getting too complicated.
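One way to get that branching out of a batch file and into a few small functions, as an added example that is neither the post's own script nor anything shipped by Symantec: the PowerShell below decides per product whether to run a fresh install (/qb) or the REINSTALL=ALL REINSTALLMODE=vomus upgrade, based on whether the product is already registered under the Uninstall registry keys; it picks the 32-bit or 64-bit MSI from the OS architecture, and adds the Removable Storage Encryption package only when asked. The share path, MSI file names and DisplayName patterns are placeholders to replace with what your SEE Manager generated.

```powershell
# Added example, not from the post or from Symantec. Run elevated.
# Placeholders (assumptions): $PackageRoot, the MSI file names and the
# DisplayName patterns; take the real ones from your SEE Manager output.
$PackageRoot = '\\FILESERVER\SEE\8.0.1'

# Install order matters: the Framework goes on before the feature clients.
$Products = @(
    @{ Name = 'Symantec Endpoint Encryption Framework*';         x86 = 'SEE-Framework-x86.msi'; x64 = 'SEE-Framework-x64.msi'; Optional = $false },
    @{ Name = 'Symantec Endpoint Encryption Full Disk*';         x86 = 'SEE-FullDisk-x86.msi';  x64 = 'SEE-FullDisk-x64.msi';  Optional = $false },
    @{ Name = 'Symantec Endpoint Encryption Removable Storage*'; x86 = 'SEE-RS-x86.msi';        x64 = 'SEE-RS-x64.msi';        Optional = $true  }
)

function Get-OsArchitecture {
    # PROCESSOR_ARCHITEW6432 is set when a 32-bit process runs on 64-bit Windows,
    # so this answer is right even from a 32-bit PowerShell host.
    if ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64' -or $env:PROCESSOR_ARCHITEW6432 -eq 'AMD64') { 'x64' } else { 'x86' }
}

function Test-ProductInstalled {
    # True if any Add/Remove Programs entry (native or WOW6432Node view) matches the pattern.
    param([string]$DisplayNamePattern)
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        $hit = Get-ChildItem $root | ForEach-Object { Get-ItemProperty $_.PSPath } |
               Where-Object { $_.DisplayName -like $DisplayNamePattern }
        if ($hit) { return $true }
    }
    return $false
}

function Get-MsiexecArguments {
    # Fresh install: ordinary switches. Upgrade: REINSTALL=ALL REINSTALLMODE=vomus,
    # which Windows Installer rejects when the product is not already present, hence the branch.
    param([string]$MsiPath, [bool]$AlreadyInstalled)
    $log = Join-Path $env:TEMP ((Split-Path $MsiPath -Leaf) + '.log')
    $common = "/i `"$MsiPath`" /qb /norestart /l*v `"$log`""
    if ($AlreadyInstalled) { "$common REINSTALL=ALL REINSTALLMODE=vomus" } else { $common }
}

function Install-SeeProduct {
    param([hashtable]$Product, [string]$Arch)
    $msi = Join-Path $PackageRoot $Product[$Arch]
    $msiArgs = Get-MsiexecArguments -MsiPath $msi -AlreadyInstalled (Test-ProductInstalled $Product.Name)
    Write-Host "msiexec $msiArgs"
    $proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    # 0 = success, 3010 = success but reboot required, 1641 = reboot already initiated.
    if (@(0, 3010, 1641) -notcontains $proc.ExitCode) { throw "$msi failed with exit code $($proc.ExitCode)" }
    return $proc.ExitCode
}

function Install-SeeClient {
    param([switch]$IncludeRemovableStorage)
    $arch = Get-OsArchitecture
    foreach ($p in $Products) {
        if ($p.Optional -and -not $IncludeRemovableStorage) { continue }
        $code = Install-SeeProduct -Product $p -Arch $arch
        if ($code -ne 0) {
            # A pending reboot from one package must be taken before the next one goes on.
            Write-Warning "$($p.Name) requires a reboot before the next package; stopping here."
            break
        }
    }
}

Install-SeeClient -IncludeRemovableStorage:$false
```

Keying the install/upgrade decision off the Uninstall registry keys rather than Win32_Product avoids the slow WMI consistency check that Win32_Product triggers, and the per-package verbose log gives support something better than "it didn’t work" when a machine fails.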

Full Control
When creating the installation package, you must save the client installation package to a local or network volume with Full Control permissions set. The SEE instructions say “This ensures the success of the upgrade package, as it will retain the Windows permissions of the location to which it is saved.” Again, I don’t create MSI packages often. Adobe Reader and Symantec Endpoint Encryption both create packages where a setup.exe calls the MSI. However, in neither case am I advised to change permissions on a folder.

I think I actually have seen issues that support has blamed on not creating the package in a directory with Full Control. But I’m not sure what the actual problem is.

The Old Files
In the past, when I’ve upgraded using the switches provided, I found I needed to have all the old install files available. While people are generally on one version, I found it better to leave every version I’ve ever used in the install directory. That can take up a lot of room.

I’m really lost as to the cause of this issue. Shouldn’t MSI files be cached locally, so that even if it did need the original installation files it would already have them rather than requiring me to keep them? I am going to try one more time, removing the old install files from my SEE 8.0.1 package, and see if I still have issues. Perhaps that was a problem only with older versions of the product.

Doesn’t Symantec own an MSI packaging company? Hopefully some in-house expertise can cross divisions of the company to create a better product.

Migrating FDE Vendors

I was asked recently via email how to pragmatically uninstall GuardianEdge. I’d been thinking about something similar, that is, how do you migrate endpoint security vendors, including Full Disk Encryption?

To a certain extent this problem doesn’t affect very many people. Is Full Disk Encryption installed at many companies outside the Federal Government and Government Contractors? I imagine it’s starting to make more inroads via the encryption safe harbor and regulatory requirements.

I’ve had Full Disk Encryption deployed for over 3 years. With many security products that is an eternity. Features change. Companies get bought and sold. What if I decide to switch from yellow (Symantec) to red (McAfee)? Does Sophos have a color?

As far as uninstalling GuardianEdge specifically, I’m pretty sure the manual says you need to decrypt before you uninstall. Therefore, I would need to deploy a decrypt policy via Group Policy, then after sufficient time has passed for decryption, uninstall GuardianEdge and replace it with my new favorite Full Disk Encryption. The problems with this scenario are 1) the computer is left unencrypted for a period of time, 2) this period of time is unspecified, and 3) the end-user will experience the joyful performance hit of decrypting and encrypting the hard drive. Not Good!

Another possibility is to introduce the new encryption product as computers are replaced. This has the benefit of not interrupting the user. The downside is the helpdesk would have to keep track of two different one-time password programs to allow users to access computers with a forgotten password. Management is twice as hard. I’d have to maintain two different systems. With a three-year lease cycle on computers it would be quite a while before all computers are on the new system.

We’re about to do a rip-and-replace migration to Windows 7. That is an ideal time, since you’re already doing a system refresh. You don’t have to worry about the decrypt/uninstall. You just back up data, drop the Win7 Ghost load, restore data, and encrypt. It is a rare opportunity.

I don’t like these options. Readers, have any of you migrated Full Disk Encryption products? Do you see any alternatives I’m missing? Comments welcomed below. First time commenters will be held in the moderation queue. All comments must clear the spam filter.

GuardianEdge Removable Storage Encryption

The encryption of mobile devices has been recommended to management for a while now. After it came up again in a recent HIPAA audit, money became available in FY11.

As an administrator of GuardianEdge Hard Disk encryption (GEHD), it was natural to consider them for encrypting USB devices. 

GuardianEdge Removable Storage Encryption requires the GuardianEdge Framework. Existing GEHD installs will need to be upgraded. Just as the versions of Framework and Hard Disk Encryption must match, so the Removable Storage Encryption version must be a supported version.

The software MSI is created in the GuardianEdge Manager with an initial configuration. As with GEHD, configuration changes are done through Group Policy. Removable Storage Encryption has the following configuration options:

Access Rights:
- Do not allow access to files on removable storage devices
- Allow read-only access to files on removable storage devices
- Allow read-write access to files on removable storage devices

Encryption:
- Encrypt all files written to or accessed on removable storage devices
- Encrypt new files written to removable storage devices
- Encrypt to CD/DVD only
- Do not encrypt files on removable storage devices

Exemptions are allowed for multimedia files so you don’t automatically encrypt your mp3s.

In our case we had been looking to initially make the encryption an available tool for users rather than mandatory. Yes, it is a lot less secure. It’s also easier to implement. This product doesn’t have any way to do that.

When files are encrypted to a USB drive, depending on which options the administrator has enabled, users can use passwords or certificates to encrypt files. The password uses the password policy configured in the GuardianEdge Framework. A recipient of that USB without GuardianEdge software would use the Access utility, which is saved to the USB automatically. They can make changes to the files and save them in an encrypted format back to the external device. The Access utility is for Mac and Windows only.

The administrator can create groups so that users within that group do not have to have a password or certificate to access the files. This would seem to require a new group policy for each access group. It quickly looks like groups would only be used when you don’t care about insider attacks and prefer to preserve usability internally.

The administrator can also create a recovery certificate so that all files encrypted to removable storage are recoverable in case of lost or forgotten credentials. This is similar to the EFS recovery certificate. GuardianEdge provides some weak instructions for those with a Microsoft CA; for others the only advice is to “create a certificate with the ‘Key Encipherment’ usage.” If you created all users in the same group, then this recovery “master” certificate is redundant.
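A concrete reading of "a certificate with the Key Encipherment usage", as an added example that is not from the post or from GuardianEdge's documentation: the PowerShell below writes a certreq INF, asks certreq for a self-signed certificate carrying only the Key Encipherment key usage on an exportable AT_KEYEXCHANGE key, then verifies the key-usage extension on the resulting certificate before you point a policy at it. The subject name, file names, validity and the self-signed route are assumptions; with a Microsoft CA you would use RequestType = PKCS10 and submit the request instead. Whatever is configured as the recovery certificate can decrypt every file written under that policy, so the exported PFX belongs offline with the other master keys.

```powershell
# Added example, not from the post or from GuardianEdge. Assumptions: the subject,
# file paths, validity and the self-signed route; adapt for an enterprise CA.
$InfPath = Join-Path $env:TEMP 'rs-recovery.inf'
$CerPath = Join-Path $env:TEMP 'rs-recovery.cer'

# certreq INF. KeyUsage 0x20 is CERT_KEY_ENCIPHERMENT_KEY_USAGE; KeySpec 1 is
# AT_KEYEXCHANGE, the CAPI key type used for encryption rather than signing.
$Inf = @"
[NewRequest]
Subject = "CN=Removable Storage Recovery (constructed example)"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0x20
Exportable = TRUE
MachineKeySet = FALSE
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
RequestType = Cert
HashAlgorithm = sha256
ValidityPeriod = Years
ValidityPeriodUnits = 10
"@

function New-RecoveryCertificate {
    # RequestType = Cert makes certreq create the key in CurrentUser\My and emit a
    # self-signed certificate instead of a request file.
    Set-Content -Path $InfPath -Value $Inf -Encoding ASCII
    & certreq.exe -new -q $InfPath $CerPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    return $cert.Thumbprint
}

function Test-KeyEnciphermentCertificate {
    # True only if the certificate in CurrentUser\My has its private key and a
    # Key Usage extension that includes Key Encipherment.
    param([string]$Thumbprint)
    $cert = Get-Item "Cert:\CurrentUser\My\$Thumbprint" -ErrorAction SilentlyContinue
    if (-not $cert -or -not $cert.HasPrivateKey) { return $false }
    $ku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if (-not $ku) { return $false }
    $need = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
    return (($ku.KeyUsages -band $need) -eq $need)
}

$thumb = New-RecoveryCertificate
Write-Host ("Recovery certificate {0} usable: {1}" -f $thumb, (Test-KeyEnciphermentCertificate $thumb))
# Escrow the private key offline before configuring the policy, for example:
#   certutil -user -p <pfx password> -exportPFX My $thumb rs-recovery.pfx
```

The verification function is the part worth keeping around: run it against whatever certificate ends up in the policy, since a certificate issued from a signing-only template will import without complaint and then be useless the first day someone needs a recovery.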

For times when you want to mail encrypted files and don’t care about changes needing to be returned securely, you can create a self-extracting executable. This is also protected by password or certificate.

When you have both Hard Disk Encryption and Removable Storage Encryption installed, a systray icon is visible. This icon allows access to the User console and the encrypted CD/DVD burner. Both of these items are available on the start menu. I fail to see why this systray icon is required and cannot be removed.

I’m at an early stage of this deployment. Any time you’re making it harder for users to do something, they aren’t going to be happy. Unfortunately there are times when the systems need to be locked down and access removed. When regulations dictate the protection of data, we need to protect data both in transit and as it is stored on disk.

GuardianEdge Windows 7 Looking Back

Like a lot of companies we are trying to go to Windows 7 sooner rather than later. We skipped Vista and XP is starting to seem a bit old. One of the things holding us back is GuardianEdge’s Full Disk Encryption product. Here’s our timeline.

In October 2009 I asked GuardianEdge about Windows 7 support and Windows 7 64-bit support. They said both would be available in version 9.5, due out in December 2009.

When GuardianEdge Hard Disk Encryption 9.5 was released (January or February), I found that there was no support for preboot authentication. Without preboot authentication, I think the encryption is pretty worthless. Support tells me 9.5.1 will include preboot authentication and be available in April 2010.

9.5.1 is released and I find it doesn’t work on my Toshiba Portege with Windows 7 32-bit installed. I decide this may be a one-off. I’m the only one using the Toshiba, so I try it out on a few Dell E6500 computers with Windows XP and Windows 7. This failed miserably. It turns out this was a known issue with the Dell E6500 and GuardianEdge was working on a patch.

GEHD 9.5.1 patch 1 came out. While it fixed the assorted problems with the E6500, I now see in the release notes:

There are known issues with GuardianEdge Hard Disk on various configurations of the following Dell computer models
■ Dell E4310
■ Dell E6410
■ Dell E6510
■ Dell E5410, and
■ Dell E5510

Unfortunately the E6410 and the E6510 are two of the three systems listed on our standard configuration page. The third, the E4300, I suspect would really be the E4310.

GuardianEdge says this will be fixed in September 2010.

I wouldn’t be surprised if this led to looking at other solutions and revisiting BitLocker. I wrote about BitLocker in March. These pretzels are making me thirsty.

GuardianEdge 9.5.1 Patch 1

GuardianEdge 9.5.1 patch 1 was released to address the Dell issues that I previously wrote about.

Support provided client installer packages so I could quickly see if this also fixed the issue I had with the Toshiba (sadly it did not). Not sure if I’m going to get a chance to verify this patch resolves the Dell issue this week. It is good news that this patch is out so quickly. We need GEHD 9.5.1 working for our Windows 7 testing to progress.

<update>
I’ve tested with one Dell and Windows 7 32-bit. Patch 1 solved the original problem in that the computer now successfully boots when it has been shut down. However, when it is restarted it comes up with 5 dots on the screen after GuardianEdge authentication and goes no further.

GuardianEdge 9.5.1 issues with some Dells

I’ve been doing more testing with GuardianEdge 9.5.1 since my last post on the subject. A Dell E6500 with Windows 7 64-bit wouldn’t get to the GuardianEdge pre-boot authentication screen. I attributed that to issues specific to Windows 7 64-bit and possibly an OEM drive partition. So I went ahead and tried to upgrade a Windows XP computer from GEHD 8.7 to 9.5.1. It had the same issues. I called support and apparently I didn’t get a memo they tried to send out to everyone who downloaded 9.5.1.

Since its release, we have confirmed reports of error conditions when the Hard Disk client v9.5.1 is installed or upgraded on a specific set of machines. 

The following machines are affected:

• Dell E series (excluding E6400)
• Dell M series (excluding M6500)
• Dell D830
• Dell XT
• Dell XT2

GuardianEdge is committed to releasing a software update that will address these machine-specific issues in the next few weeks and will inform you as soon as the update is available. We strongly recommend that you do not deploy the Hard Disk client v9.5.1 to these machines until this update is released.

Once again, things that could have been brought to my attention yesterday.

GuardianEdge 9.5.1, Windows 7 and Me

Long time readers, and anyone who has ever Googled “Guardian Edge” recall my intense dissatisfaction with GuardianEdge 8.7 and Vista on my Toshiba Laptop. Everything old is new again.
GuardianEdge released 9.5.1 last month, so we finally have support for Hard Disk Encryption with preboot authentication on Windows 7. The short version of the story is I’ll be finding out how good my Windows Backup is. I installed GuardianEdge Hard Disk 9.5.1 on my Toshiba Portege M780 and started encrypting. I shut the computer down, went home, and the computer won’t boot. When I hit the power button, I can get to the preboot authentication screen. The system fan is going full blast. It doesn’t do that normally. And 5 seconds later the computer turns itself off.
I called support and their advice is to use the GuardianEdge Access utility to recover my data and reinstall. Hope that backup worked. Not what I was planning to do tonight.
What am I supposed to do now? This gives me zero confidence to deploy this to others. While there are plenty of other dominoes that need to fall in our Windows 7 project, getting a GE package for Windows 7 is an important one.
The recover /a option was grayed out. No problems were detected with the GEHD volume files. So I decrypted the drive and uninstalled GEHD. I was then able to use the computer. I have a lot of doubt right now about the ability of GEHD to encrypt Vista and Windows 7.

Symantec buys PGP and GuardianEdge

I’ve been waiting for Symantec to buy GuardianEdge ever since they started selling a rebranded GuardianEdge encryption product. It seems every other endpoint security company bought a dancing partner over the past year or two and Symantec was merely renting.
When Symantec bought MessageLabs, I was very concerned. I like MessageLabs and was afraid of what Symantec would do to it. When Symantec bought IMLogic, I felt the technical support and the product vision totally went in the crapper. Fortunately MessageLabs had a strong position to prevent that from happening to them as well.
Regular readers of my blog will know I’ve had a lot of issues with GuardianEdge support over the years. At this point I don’t know if GuardianEdge support will be internalized by Symantec or remain as a separate team. Either way it can only get better.
I’m wondering what it means that they bought both PGP and GuardianEdge. It seems kind of redundant. PGP adds secure email. But I’m not sure what else. Not sure if PGP already has the mobile encryption that GuardianEdge currently licenses from TrustDigital.
I would expect that by the time of our next renewal encryption will be an option for a Symantec Endpoint Suite and our overall dollar spent will go down. I expect this purchase to be a good thing.

GuardianEdge Announces Hardware Based Encryption Support

GuardianEdge put out a press release this week announcing Encrypted Drive Manager. This software will allow you to manage hardware-encrypted hard drives as well as drives encrypted with GuardianEdge Hard Disk, all from one platform. This will be released in Q2 2010. When I was evaluating GuardianEdge in 2007 they talked about these features, so it’s nice to see it finally (soon to be) making it to market.
Hardware-based encryption may finally be ready to ignite. The Trusted Computing Group has been working on standards, so it’s not such a mishmash. Performing the encryption in the drive keeps the encryption keys out of system memory, so they aren’t vulnerable to cold boot attacks. There isn’t a CPU performance penalty as there can be with software encryption. Wiping a drive is as simple as destroying the encryption key.
The main problem has been manageability. You need to be able to corporately manage accounts on the hardware-encrypted drive just as you do with software encryption. It has to be enterprise ready. It’s necessary to be able to manage both software- and hardware-based Full Disk Encryption, and GuardianEdge is going to allow for that.
I anticipate a time when the drives we order in our standard systems will all be hardware FDE capable and managed by GuardianEdge.