Epe 50 01 Introduction 290kb


    2007 McAfee, Inc. 2008 McAfee, Inc.

    McAfee SafeBoot Security

    Introduction to SafeBoot

    McAfee World-wide Learning and Development


    Copyright 2008 McAfee, Inc. All Rights Reserved.

    The training information provided herein is the property of McAfee, Inc., and is intended for the sole use of the individual or organization purchasing the training. Distribution of the training material outside of the purchasing organization is strictly prohibited.

    All information contained herein is subject to change without notice. McAfee is not responsible for errors or damages of any kind resulting from use of the information contained herein. Every effort has been made to ensure the accuracy of information presented as factual; however errors may exist. Users are directed to countercheck facts when considering their use in other applications. McAfee is not responsible for the content or functionality of any technology resource not owned by the company.

    The statements, comments, or opinions expressed by users through use of McAfee's technology resources are those of their respective authors, who are solely responsible for them, and do not necessarily represent the views of McAfee, Inc. and/or its affiliates.


    2/21/2008


    Objectives

    At the end of this section, the student will be able to:

    Define Encryption

    Describe common encryption methods

    Explain what data obfuscation means

    Explain what a hash is

    List the products in the SafeBoot v5 Device Security Family

    List supported operating systems for SafeBoot v5

    Provide a basic description of how SafeBoot works


    1. Encryption

    McAfee SafeBoot Security


    Common Encryption Methods

    Symmetric Encryption (secret, shared-key)
      Requires a secret key be shared by multiple users
      Requires many keys for many user pairs

    Diffie-Hellman Key Exchange (for secret, shared-Symmetric Keys)
      A method where users secretly add part of the shared encryption key in order to increase the security of the secret shared key

    Asymmetric Encryption, also called Public Key Encryption
      Shared-public key used to encrypt data
      Separate, private keys used for decryption
      No shared-keys required

    Symmetric Encryption (used in SafeBoot for user, machine, hard disk keys etc.)

    Before 1975, all encryption schemes forced the sender and the receiver to have the same secret key. If Bob sends Alice an encrypted message, to read it Alice must first know Bob's key. Before 1975, all encryption schemes linked the encryption and the decryption. If you gave away your encryption key, you gave away your decryption key, because they were the same thing. Further, if you encrypted something, you could later decrypt it. So secret-key systems are contradictory: they need secret keys, but need to share them. This system also requires many keys to be created and stored. If a thousand users have to share secrets with each other using a secret-key system, they could need half a million shared keys, since every pair using the system might have to have their own shared secret key.

    Diffie-Hellman key exchange (for secret, shared-Symmetric Keys) (used to negotiate communication keys)

    [INSTRUCTOR NOTE: You may want to draw this on the whiteboard]

    First, let us assume that everybody has a three-liter bucket containing one liter of yellow paint that represents a shared encryption key. If Alice and Bob want to agree on a secret key, each of them adds one liter of their own secret color to their own bucket. Alice might add a shade of purple, while Bob might add red. Each sends their own mixed bucket to the other. Finally, Alice takes Bob's mixture and adds one liter of her own secret color, and Bob takes Alice's mixture and adds one liter of his own secret color. Both buckets should now be the same color, because they both contain one liter of yellow, one liter of purple and one liter of red. It is the exact color of the doubly contaminated shared key buckets that is used as the secret key. Alice has no idea what color was added by Bob, and Bob has no idea what color was added by Alice, but they have both achieved the same end, an identical encryption/decryption key.

    Asymmetric Encryption, also called Public Key Encryption, does away with the issue of exchanging Secret Keys (used to validate servers to the client, and in RSA recovery)

    Public-key cryptography, also known as asymmetric cryptography, is a form of cryptography in which a user has a pair of cryptographic keys: a public key and a private key. The private key is kept secret, while the public key may be widely distributed. The keys are related mathematically, but the private key cannot be practically derived from the public key. A message encrypted with the public key can be decrypted only with the corresponding private key.

    Such a seemingly innocuous system has consequences. First, Bob and Alice no longer need either a secure channel or a shared secret key. Second, we now need only as many keys as there are people, rather than a key for each pair of people. A thousand of us would need only a thousand keys, rather than half a million. Third, even Alice can't decrypt her own encrypted message to Bob; once she encrypts a message with the public key intended for Bob, not even she can open it. Fourth, Bob and Alice don't even have to know or trust each other for the system to work.
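The paint-mixing exchange and the half-a-million-keys figure above, worked with numbers. This is an added example, not part of the McAfee material; the prime P, the base G and all function names are assumptions chosen for illustration, and the parameters are toy-sized.

```python
"""Diffie-Hellman with the roles of the paint analogy (added teaching example)."""
import secrets

# Toy public parameters: the "yellow paint" everybody starts with.
# Assumption for illustration only; real deployments use standardized
# groups of 2048 bits or more, or elliptic curves.
P = 2**127 - 1   # a Mersenne prime
G = 3


def pairwise_keys(users: int) -> int:
    """Shared secrets needed if every pair of users holds its own key."""
    return users * (users - 1) // 2


def new_secret_colour() -> int:
    """Private exponent: the colour a party never reveals, in [2, P-2]."""
    return secrets.randbelow(P - 3) + 2


def mix(base: int, secret: int) -> int:
    """Add a secret colour to a bucket: modular exponentiation."""
    return pow(base, secret, P)


def exchange():
    """Run one exchange; return both derived keys and what an observer saw."""
    alice_secret = new_secret_colour()
    bob_secret = new_secret_colour()

    # Each party mixes its secret into the public paint and sends the result.
    alice_bucket = mix(G, alice_secret)   # travels in the clear
    bob_bucket = mix(G, bob_secret)       # travels in the clear

    # Each party adds its own secret to the bucket it received.
    alice_key = mix(bob_bucket, alice_secret)
    bob_key = mix(alice_bucket, bob_secret)

    observed = {"P": P, "G": G,
                "alice_bucket": alice_bucket, "bob_bucket": bob_bucket}
    return alice_key, bob_key, observed


if __name__ == "__main__":
    a_key, b_key, seen = exchange()
    print("keys match:", a_key == b_key)
    print("values on the wire:", sorted(seen))
    print("pairwise keys for 1000 users:", pairwise_keys(1000))
```

The exchange by itself does not tell either side who sent the bucket it received, which is why the material pairs key negotiation with public-key validation of the server.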


    What is Encryption?

    Transforming information with algorithms to make it unreadable to anyone without special knowledge

    In computer data encryption, the special knowledge usually means a decryption key

    Value of data bits are changed via algorithmic computation

    A Key, or special algorithm, is required to reverse the computation and return the data to original form

    Encryption is the process of transforming information (referred to as plaintext) using an algorithm (called cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information (in cryptography, referred to as ciphertext). In many contexts, the word encryption also implicitly refers to the reverse process, decryption (e.g. software for encryption can typically also perform decryption), to make the encrypted information readable again (i.e. to make it unencrypted).

    The data encryption process generally consists of applying a complex algorithmic computation to the value of data bits that represent stored information. A Key, or special computational algorithm, is required to return the data bits to their original value.


    Obfuscation and Hashes

    Obfuscation: to conceal meaning by making interpretation difficult
      Used to help prevent brute force attacks

    Hash: one-way function that takes input and produces a hash value output similar to checksum

    Salting the hash by adding known but random data before hashing, in order to obfuscate the information
      Prevents simple hash-reversal decoding of information

    Obfuscation is the concealment of meaning in communication, making it confusing and harder to interpret.

    In cryptography, obfuscation refers to encoding the input data before it is sent to a hash function or other encryption scheme. This technique helps to make brute force attacks infeasible, as it is difficult to determine the correct original data (cleartext).

    Hashes (used in the application control module)

    A cryptographic hash algorithm like SHA-1 or MD5 is a sophisticated one-way function that takes some input and produces a hash value as output, like a checksum, but more resistant to collisions. This means that it's incredibly unlikely that you'd find two messages that hash to the same value. In any case, because a hash is a one-way function, it cannot be reversed. The risk is that someone will calculate the hash for all possible inputs; then they can simply look up a hash and know what the input was that created it. To get around this we use salt. Salt is a way to season the passwords before hashing them, making the attacker's precomputed dictionary useless. We add some random (but known) data to the input before hashing it; that way any dictionary which was made before the salt is redundant. For example, if we are checking a password and the user inputs pass1, we can prefix it with 12345 and store the hash, 12312345324534. For the next user we would prefix 54321; if they use the same password their stored hash will be different, so we have defeated a hash table attack.
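The pass1 / 12345 / 54321 case above, run against a small precomputed table. This is an added example, not part of the McAfee material; SHA-256 stands in for the SHA-1/MD5 named in the text, and the word list, record layout and function names are assumptions constructed for illustration.

```python
"""Salted vs. unsalted password hashes against a precomputed table (added example)."""
import hashlib
import hmac
import secrets

# Constructed sample data: a tiny stand-in for a precomputed dictionary.
COMMON_PASSWORDS = ["123456", "password", "pass1", "letmein"]


def unsalted_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(salt, password):
    # The salt is prefixed to the input, as in the text's 12345 + pass1.
    return hashlib.sha256((salt + password).encode()).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> password once, before any salt is known."""
    return {unsalted_hash(w): w for w in words}


def enroll(password, salt=None):
    """Create the stored record; the salt is kept in the clear beside the hash."""
    if salt is None:
        salt = secrets.token_hex(16)   # random per-user salt
    return {"salt": salt, "hash": salted_hash(salt, password)}


def verify(record, candidate):
    """Recompute with the stored salt and compare in constant time."""
    actual = salted_hash(record["salt"], candidate)
    return hmac.compare_digest(record["hash"], actual)


def demo():
    table = build_lookup_table(COMMON_PASSWORDS)
    user1 = enroll("pass1", salt="12345")   # salts taken from the text
    user2 = enroll("pass1", salt="54321")
    return {
        # Unsalted: the stored hash is found in the precomputed table.
        "unsalted_found": table.get(unsalted_hash("pass1")),
        # Salted: the same table no longer contains the stored value.
        "salted_found": table.get(user1["hash"]),
        "same_password_same_hash": user1["hash"] == user2["hash"],
        "user1_verifies": verify(user1, "pass1"),
        "user1_rejects_wrong": verify(user1, "pass2"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A salt defeats precomputation only; it does not slow guessing against one record, so password storage normally combines a long random per-user salt with a deliberately slow function such as PBKDF2, bcrypt or scrypt.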


    2. SafeBoot v5 Device Security Family

    McAfee SafeBoot Security


    SafeBoot v5 Device Security Family

    SafeBoot Device Encryption for PC / Laptop

    SafeBoot Device Encryption for PDAs

    SafeBoot Device Encryption for Tablet PC

    SafeBoot Content Encryption for PC

    McAfee SafeBoot Device Security Family

    SafeBoot Device Encryption for PC / Laptop provides full disk, on-the-fly encryption

    SafeBoot Device Encryption for PDAs provides device access security and encryption of onboard data.

    SafeBoot Device Encryption for Tablet PC provides full disk, on-the-fly encryption

    SafeBoot Content Encryption for PC provides file/folder encryption at the client


    SafeBoot Device Encryption for PC/Laptop/Tablet

    Does not change the way the PC is used

    After logon, SafeBoot DE is transparent to end-user

    Provides policy-based, full-disk encryption / decryption on-the-fly

    Supports multiple logon token types, including password-only

    Provides ability to manage specific file versions on SafeBoot protected machines

    Windows Single Sign-on feature handles Windows logon

    Unlike other security systems, SafeBoot Device Encryption does not prevent access to specific files, or in any way alter the way the PCs and PDAs are used.

    SafeBoot Device Encryption enhances the security of devices by providing policy-based data encryption and a token-based logon procedure using, for example, a Smart Card via a USB, PCMCIA, serial or parallel reader.

    For end users, SafeBoot allows users to work as usual, including the security and network services. Apart from the initial Logon, SafeBoot offers completely transparent security.

    SafeBoot supports many different types of logon token, for example passwords, smart cards, Aladdin eToken, and others. Before a user can use a non-password token, you must ensure any machine they are going to use has been suitably prepared.

    SafeBoot 5 Device Encryption uses central collections of files, called Deploy Sets, to manage what versions of files are used on remote SafeBoot clients. When an administrator updates a file in the central directory, all machines attached to that Deploy Set automatically collect the new version of the file from the directory the next time they synchronize. This mechanism can be used to update SafeBoot clients to future versions, or to manage any file on a SafeBoot protected machine, for instance updating a virus database or a new version of an application.

    SafeBoot can ease the logon process for users by doing the Windows logon for them, as well as taking responsibility for screen saver logons and re-logon requests.


    Benefits of SafeBoot Device Encryption

    Enhances mobile device security by providing full-disk encryption and token-based logon procedures.

    Normal Password protection does not help against data theft
      Use HDD in another system to get the data
      Start with bootable media to reset Windows account

    Optional File and Media encryption included; Content Encryption

    SafeBoot supports all current Microsoft O/S and common PDA platforms

    SafeBoot's product range enhances the security of devices by providing data encryption and a token-based logon procedure using, for example, a Smart Card via a USB, PCMCIA, serial or parallel reader.

    Password protection does not protect against data theft: you can place a hard disk into another system to retrieve the data, or start the computer with bootable media to reset the Windows account. Full-disk encryption protects the data even in these circumstances.

    SafeBoot also has optional File and Media encryption programs (SafeBoot Content Encryption, SafeBoot).

    SafeBoot supports all current Microsoft Operating Systems, and also common PDA platforms:

    Microsoft Windows 2000 through SP4

    Microsoft Windows XP through SP2

    Microsoft Windows 2003

    Microsoft Vista 32bit and 64bit (all versions)

    Microsoft Pocket Windows 2002 and 2003

    Microsoft Windows Mobile 5.0/6.0

    Palm OS 3.5 through 5.4

    Symbian UIQ


    SafeBoot Content Encryption

    Persistent encryption of files and folders on multiple media
      USB memory sticks
      File servers
      Removable media

    Managed through SafeBoot Management Centre

    Covers four security needs in one product
      Local file and folder encryption
      File and folder encryption on file servers
      File and folder encryption on removable media
      Encryption of e-mail attachments

    High user transparency
      The user must not be disturbed by encryption
      Minimum of user interaction

    The file remains encrypted regardless of where it is moved. Thus, the file will remain encrypted even if stored on a USB memory stick, a floppy disk or on a network share (persistent encryption). This means that even if a file is misplaced in another folder, or placed on a floppy disk, the file remains encrypted and always secure.

    With central management using the SafeBoot Administration System, and distribution of encryption keys using the secure SafeBoot Server, it is easy to allow sharing of encrypted files within an organization. By assigning groups of users to encryption keys, the users in the group can exchange and read encrypted files like any other file, without noticing any difference. Users not assigned to the key will not be able to read files encrypted with that key.


    SafeBoot Content Encryption

    Supported platforms:
      Windows NT4
      Windows 2000
      Windows XP
      Windows Server 2003
      Novell File Server (storage only)

    True on-the-fly data encryption and decryption when writing to/reading from disk

    Source file always encrypted on disk

    Wide token support
      Smart cards, passwords, digital certificates

    Own GINA in development for integration with WinLogon

    SafeBoot Content Encryption can encrypt files and folders on all FAT formatted drives, all NTFS formatted drives and network drives attached through the MS LANMAN or Novell redirectors. Also, SafeBoot Content Encryption supports encryption of files and folders within a Microsoft Terminal Server environment.

    SafeBoot Content Encryption encrypts folders and files transparently and on-the-fly, at the original location of the file or folder. Thus the user interaction is very low and the user perceives the working environment as normal.

    Whenever a file is written to supported storage media the SafeBoot Content Encryption filter executes assigned encryption policies and encrypts the file if applicable. When an application later reads the file, the encryption filter automatically decrypts the file when it is read into memory.

    The source file always remains encrypted on disk.


    SafeBoot Content Encryption

    Source file always encrypted on disk - only parts in RAM decrypted

    No decrypted traces in RAM

    Encrypted files and folders always visible and no special formats created

    Automatic policy enforcement beyond user control

    Sharing of encrypted data

    Persistent encryption

    Automatic encryption of the system pagefile

    Whenever a file is written to supported storage media the SafeBoot Content Encryption filter executes assigned encryption policies and encrypts the file if applicable. When an application later reads the file, the encryption filter automatically decrypts the file when it is read into memory.

    The source file always remains encrypted on disk.

    When the application closes the file, the memory is wiped and the original file is still encrypted on disk. No decrypted traces of the file remain in RAM.

    Encrypted folders and files are always visible to the user. Thus, the user can search for, and will recognize, files and folders as before encryption. A small key hole icon can be optionally attached to the file or folder icon, marking it as encrypted.

    You can create a policy from the SafeBoot Management Centre, and then create an install set from it. When the SafeBoot Content Encryption client is then installed, the user that logs on will be forced to retrieve the proper policy assigned to him/her in the central database.

    With central management using the SafeBoot Administration System, and distribution of encryption keys using the secure SafeBoot Server, it is easy to allow sharing of encrypted files within an organization. By assigning groups of users to encryption keys, the users in the group can exchange and read encrypted files like any other file, without noticing any difference. Users not assigned to the key will not be able to read files encrypted with that key.

    SafeBoot Content Encryption encrypts the Windows pagefile. This feature is automatic and cannot be configured or disabled. The pagefile is encrypted with a temporary encryption key created at each boot occasion. Thus, the pagefile encryption key is discarded once the computer shuts down, while the pagefile still is encrypted.


    SafeBoot Content Encryption


    Policy controlled encryption for any removable media, e.g.

    USB memory sticks

    SD cards and other storage cards

    Extensive set of encryption policies in SafeBoot Admin

    Support for burning encrypted data onto CD and DVD

    Fully integrated with the Windows Explorer

    Encryption and Decryption of files and folders easily managed using familiar right-clicks


    SafeBoot Device Encryption for PDAs


    SafeBoot Device Encryption for PDAs provides:

    Access control by PIN or password

    Device-lock and optional data bomb feature

    Encryption of internal databases (contacts, e-mails, etc)

    FIPS-140 certified AES-256 algorithm

    No software required on host PCs (other than PDA synch software)

    Central administration, deployment and recovery from the standard SafeBoot database


    Overview SafeBoot Pocket VDisk for PDAs


    Pocket VDisk provides strong encrypted virtual folders for transparently securing information

    Encryption of data stored on external media cards (CF, SD)

    Single Sign-On to SafeBoot for PocketPC

    Exchange volumes with VDisk on Desktop PCs

    FIPS-140 Certified AES-256 encryption and RC5 1024

    FIPS-140: Federal Information Processing Standard, publication 140-2

    AES: Advanced Encryption Standard, block cipher standard adopted by US Govt May 2002.

    RC5 is a fast block cipher designed to be suitable for both software and hardware implementation.


    3. How SafeBoot DE Works - Overview

    McAfee SafeBoot Security


    How SafeBoot Works - Full Disk Encryption (SafeBoot DE)

    SafeBoot takes control of the Hard Disk from the O/S

    SafeBoot driver encrypts all data written to disk

    SafeBoot driver also decrypts all data read from disk

    Hard disk contents are completely encrypted and unreadable without the appropriate authorization

    SafeBoot installs mini-O/S on the hard disk (SafeBoot File System)

    Once authenticated, SafeBoot encryption driver is loaded and original O/S is booted.

    SafeBoot protects the user's PC by simply taking control of the hard disk from the operating system. The SafeBoot driver encrypts every piece of data written to the disk; it also decrypts every piece of information read off the disk.

    If an unauthorized application broke through the SafeBoot barrier and read the disk directly, it would find only encrypted data, even in the Windows swap file and temporary file areas.

    SafeBoot installs a mini-operating system on the user's hard drive; this is what the user sees when they boot the PC. SafeBoot looks and feels like Microsoft Windows, with mouse and keyboard support, moveable windows etc. This SafeBoot OS is completely contained and does not need to access any other files or programs on the hard disk, and is responsible for allowing the user to authenticate with a password, for example, or a token such as a smart card.

    Once the user has entered the correct authentication information, the SafeBoot operating system starts the crypt driver in memory and boots the protected machine's original operating system. From this point on the machine will look and behave as if SafeBoot was not installed. The security is invisible to the user: the only readable data on the hard disk will be the SafeBoot operating system; the encryption key for the hard drive is itself protected with the user's authentication key. The only possible way to defeat SafeBoot is to either guess the hard disk encryption key, or to guess the user's password.

    On PDAs such as Pocket Windows and PalmOS, SafeBoot installs applications and drivers to provide authentication and encryption services. SafeBoot can protect memory cards, internal databases (such as e-mail and contact lists), and provides secure, manageable authentication services.


    [Figure: SafeBoot DE Installation. Diagram labels: BIOS; HDD; Sector 1: MBR, SBR; Sectors 2 - 62: SBFS (MBR); APPL; PreBoot Authentication to access SafeBoot File System & boot Windows]

    SafeBoot DE Disk Changes

    Master Boot Record (MBR) is the first sector on the System

    With the SafeBoot Installation the SBR (SafeBoot Boot Record) overwrites the original MBR

    The SafeBoot File System (SBFS) is created between the Sectors 2-62 which includes the original MBR

    With the Authentication Password or Token SafeBoot can access the SBFS to load the original MBR


    4. The SafeBoot File System

    McAfee SafeBoot Security


    SafeBoot File System


    The SafeBoot File System (SBFS) stores all data and modules needed in preboot

    Stored in a host file on the normal file system (SAFEBOOT.FS) - usually root of C: but can be root of any partition on the boot disk

    Sectors that make up the file are detected by the disk driver

    Host file must not be moved - we make it read only/system/hidden and lock it using driver (RSVLOCK.SYS)

    The main driver (SAFEBOOT.SYS) prevents write access to SBFS sectors - if file moved, it may result in some sectors being marked as bad but SB will still boot

    Bootcode in its own file (SAFEBOOT.COD) in same place as SBFS host file

    Bootcode file loaded by MBR following sector chain with start sector in MBR


    SafeBoot File System

    SBFS is standard FAT16 (faster, more reliable, multi-process)

    Default size is 10MB but cannot grow dynamically - can be set (prior to install) in defscm.ini if we need to make it bigger (max 32MB, min 8MB)

    Should be big enough for hundreds or thousands of users (much less slow down with large numbers of users)

    In Windows, it is mounted like a VDisk - OS actually provides the access just like any other disk

    Normally the SBFS is not visible to users, but system can access it by specifying a path starting with \\SafeBoot\SBFS

    Client can use normal Windows file APIs to access SBFS

    Modular Based structure - not all functions are loaded directly

    SBFS is standard FAT16 (faster, more reliable, multi-process)

    Default size is 10MB but can no longer grow dynamically - can be set (prior to install) in INI file /defscm.ini if we need to make it bigger (max 32MB, min 8MB)

    Should be big enough for hundreds or thousands of users (much less slow down with large numbers of users)

    In Windows, it is mounted like a VDisk - OS actually provides the access just like any other disk

    Normally the SBFS is not visible to users, but system can access it by specifying a path starting with \\.\SafeBootfs\

    Client can use normal Windows file APIs to access SBFS

    Modular Based structure - not all functions are loaded directly


    SafeBoot File System


    \DataStore - directory used to store the client object database.

    \Disk - directory that stores disk related client data

    \Disk\OrigMbr.dat - the original MBR.

    \Locale - directory used to store language related things (such as keyboard maps and language strings).

    \Locale\Locale.ini - defines the available languages and keyboards.

    \Locale\Osk - Directory containing the data for the on-screen keyboards

    \Graphics - directory used to store graphical definitions used by the boot code (e.g. the bitmaps and fonts used to create "themes" for the boot code).

    \Graphics\Graphics.ini - Defines the graphical layout of the various windows used by the boot code.

    \Boot - directory containing information for the boot process.

    \Boot\BootCode.ini - Options used by the boot code environment.

    \SbAlgs - Directory containing the algorithm modules.

    \SbTokens - Directory containing the token modules

    \SbTokens\Data - Directory containing additional data for tokens


    5. The SafeBoot Device Encryption Client Manager

    McAfee SafeBoot Security


    The SafeBoot Device Encryption Client Manager

    Connects to Object Directory, or configuration store at boot

    Uploads latest audit and password changes, downloads any central configuration changes

    End-user only sees SafeBoot Monitor icon in SysTray.
      Double-click to lock workstation
      Right-click to: Lock Workstation, Show Status, Synchronize

    The SafeBoot Client connects to its Object Directory, or configuration store, which may be on the same machine, a network drive, or via a SafeBoot Server. It does this every time the machine boots. Once connected to the directory, the SafeBoot client uploads the latest audit and password changes to the directory, and if necessary downloads any configuration changes specified centrally.

    The only user-visible part of SafeBoot is the SafeBoot Monitor icon in the user's System Tray. By double-clicking the icon users can lock the workstation. By right-clicking it they can select one of three actions.

    Lock Workstation

    Locks the client workstation

    Show Status

    The configuration process within SafeBoot 5.1 is largely transparent to the user. The only evidence of SafeBoot working can be found from the status menu available from SafeBoot's tool tray icon. The Status window displays any on-going configuration tasks (such as encryption processes) and status messages from the last directory connection.

    Synchronize

    SafeBoot tries to establish connection with its directory during the boot process. In a situation where the directory is unavailable (for example, a notebook user who is connecting via dial-up networking), the user can establish a connection at any time, and select the Synchronize option to connect to a remote directory and collect / upload changes.


    SafeBoot Client Manager - Synchronization Events

    SafeBoot Client Manager is a Windows service, and can be thought of as an Agent

    Always started with Windows start up

    Provides synchronization between client and SafeBoot Server Database to update the client with new policies and files

    The SafeBoot Client Manager log, SBClientLog.txt, is stored on the client under c:\[program files]\safeboot\SBClientLog.txt


    SafeBoot Client Manager


    Client log is written in Unicode

    Log written to SbClientLog.txt

    Log max size and purge size controlled by settings in SCM.INI

    [Log]\MaxSize = Max size in KB (min 50KB, 0=unlimited)

    [Log]\PurgeSize = Amount to purge (in KB) when max is reached (min 10%)

    Tracing controlled by setting in SCM.INI

    [Debug]\Trace = 0 is disabled, 1 is enabled

    Trace written to SbCm.Log

    Delete log can be disabled
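The [Log] and [Debug] settings above can be checked on a client with a short script. This is an added example, not McAfee code: the function name audit_scm_ini is hypothetical, the sample INI text is constructed, "min 10%" is assumed to mean 10% of MaxSize, and reading and decoding SCM.INI from disk is left to the caller.

```python
import configparser

# Constructed sample input; the section and key names are the ones on the slide.
SAMPLE_SCM_INI = """\
[Log]
MaxSize=20
PurgeSize=1

[Debug]
Trace=1
"""

MIN_LOG_KB = 50             # slide: "min 50KB, 0=unlimited"
MIN_PURGE_FRACTION = 0.10   # assumption: "min 10%" means 10% of MaxSize


def audit_scm_ini(text):
    """Return findings for the [Log] and [Debug] settings in SCM.INI text."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    findings = []

    max_kb = cp.getint("Log", "MaxSize", fallback=None)
    purge_kb = cp.getint("Log", "PurgeSize", fallback=None)
    trace = cp.getint("Debug", "Trace", fallback=0)

    if max_kb is None:
        findings.append("Log.MaxSize is not set")
    elif max_kb == 0:
        findings.append("Log.MaxSize=0: SbClientLog.txt size is unlimited")
    elif max_kb < MIN_LOG_KB:
        findings.append(f"Log.MaxSize={max_kb} KB is below the {MIN_LOG_KB} KB minimum")

    # PurgeSize only matters when the log has a size limit.
    if max_kb and purge_kb is not None:
        floor_kb = max_kb * MIN_PURGE_FRACTION
        if purge_kb < floor_kb:
            findings.append(
                f"Log.PurgeSize={purge_kb} KB is below 10% of MaxSize ({floor_kb:g} KB)")

    if trace == 1:
        findings.append("Debug.Trace=1: tracing to SbCm.Log is enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_scm_ini(SAMPLE_SCM_INI):
        print(finding)
```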


    SafeBoot Client Boot and Logon Process

    Boot screen allows user to select login method

    User provides credentials

    SafeBoot File System launches HD decrypt process

    SafeBoot Client Manager starts and performs login (SSO enabled)

    Connect to Object Directory

    Events are uploaded, config updates downloaded/applied

    SafeBoot Tool Tray icon loaded

    The Device Encryption boot screen allows the user to select a login method (one of the available tokens), and then provide authentication credentials such as a user id and password. If the user can provide the correct details, the SafeBoot boot code starts the transparent hard drive decryption process, loads the original MBR and executes it.

    When the operating system starts, the SafeBoot Configuration Manager (SCM) runs and performs a logon to the operating system (if SSO is enabled). It then attempts to contact the Object Directory using the Directory Manager (this can be local, or remote via a SafeBoot Server) and re-validates the user against any changes that have been made since the last validation. Following this, SCM downloads and applies any configuration updates. This could include new user accounts.

    If the Object Directory validation is successful (i.e. no administrator has deleted or disabled the user's account), the Windows startup completes, and the SafeBoot icon is loaded into the tool tray to allow the user to run the screen saver, validate with the server, display status etc.

    After a period of inactivity or a power event, SCM activates the screen saver, locking the user out.


    SafeBoot Client Auditing (user events)

    User events collected locally and transferred to Object Directory as part of synchronization

    SafeBoot Device Encryption audits user, machine, and server activity

    Right-clicking on an object in the SafeBoot Object Directory, select the view audit function

    User events are collected locally and transferred to Object Directory as part of synchronization. Until that time the audit is cached internally in the encrypted SafeBoot file system. The last 3000 entries are cached locally; when the limit is reached the oldest 300 entries are culled. The local audit will retain approximately 2 years of normal operation before culling begins.

    SafeBoot Device Encryption audits user, machine, and server activity. By right-clicking on an object in the SafeBoot Object Directory, you can select the view audit function to see information on user events.

    Audit trails can be exported to a CDF file by using the Audit menu option, or by right-clicking the trail and selecting Export.


    End Module: Introduction to SafeBoot
