How to integrate with OPSWAT GEARS cookie API




About This Guide
Change Log
Background
Cookie Format
    Cookie: Policy_State
    Cookie: License_Key
    Cookie: Device_ID
Future enhancements
Notes
Supported browsers
Supported GEARS clients
Figure 1 Typical Sequence Diagram
Figure 2 Schematic without SaaS to GEARS Cloud integration
Figure 3 Schematic with SaaS to GEARS Cloud integration

About This Guide

GEARS is a platform for network security management for IT and security professionals that provides visibility over all types of endpoint applications from antivirus to hard disk encryption and public file sharing, as well as the ability to enforce compliance and detect threats. More information on GEARS may be found at http://www.opswatgears.com.

GEARS can be leveraged by SaaS products to control access to a service according to the compliance status of the endpoint attempting to connect. This guide specifically illustrates how to establish GEARS policy checks for any SaaS product.

© 2014 OPSWAT, Inc. All rights reserved. OPSWAT, GEARS and the OPSWAT logo are trademarks of OPSWAT, Inc. All other trademarks, trade names, service marks, service names and images mentioned and/or used herein belong to their respective owners.

Change Log

Date            Revision  Author     Comment
Dec 18th 2014   1.0       Adam Winn  First release

Background

The OPSWAT GEARS service runs on an endpoint and periodically checks the compliance status of the device against a security baseline (policy) configured and hosted in the GEARS cloud. This compliance information for the endpoint is stored locally and is also available from the GEARS cloud. Traditionally the information was available in the local system's registry, or via COM API, or in the cloud via RESTful API.

This document describes a new method for retrieving device compliance information, via a cookie stored on the local endpoint. The cookie is generated by the GEARS service and injected into all supported local browsers. This injection happens every time the GEARS service performs a compliance check on the endpoint. The interval of this compliance check is an account-level configuration available in the GEARS cloud and ranges from 5 minutes to 60 minutes.

When the cookie is injected, it is given an expiration date equal to the next scheduled compliance check. The cookie injection is automatic and will happen as long as the GEARS client is running.

Cookie Format

Each scheduled cookie injection actually writes three separate cookies. This allows for either secure or insecure integration types.

Format of the three cookies:

Cookie Name   Content
Device_ID     {Unique device ID}
License_Key   {GEARS account license key}
Policy_State  0 or 1

All three cookies share the following attributes:

Host:      gears.opswat.com
Path:      /
Send For:  Any connection type
Expires:   {Next scheduled compliance check time}
Type:      Persistent

Cookie: Policy_State

The Policy_State cookie provides the most basic compliance information possible. The content of this cookie is 1 when the device is compliant and 0 when the device is noncompliant. The drawbacks to checking this value without any further checks:

1) Any sufficiently knowledgeable user can manipulate this value.
2) It is only known that the endpoint is compliant with some GEARS account's security policy, not any particular GEARS account.

Cookie: License_Key

The License_Key cookie provides the account identifier (as a license key) to which the GEARS client is associated. Because each GEARS account can have a different security baseline (policy), it is important that the endpoint compliance state (Policy_State) is considered in conjunction with the expected license key. Using this cookie requires that the web service has preexisting knowledge of the expected license key.

Cookie: Device_ID

The Device_ID cookie is provided so the web service can access the richest and most secure information directly from the GEARS cloud. GEARS cloud has RESTful API methods, documented at https://gears.opswat.com/developers. Calling these REST API methods to get device information requires either a MAC address or a Device_ID. Since most web services (without the use of Java) cannot query the device's MAC address, the Device_ID is made available in this cookie.

The REST APIs are secured with OAuth 2.0. A client_key and client_secret for calling the REST APIs can be obtained by registering at https://gears.opswat.com/developers/app/register. This registration is tied to each GEARS account.

While more complicated to implement, the Device_ID integration is much more secure than simply using the Policy_State and/or License_Key cookies because it is not as vulnerable to manipulation on the endpoint.

Future enhancements

An enhanced solution that would encrypt the contents of the cookie is being explored and may be released in the future. This would require pre-sharing a decryption key with the web service that needs to read the cookie. This would be advantageous for integrations that do not (or cannot) call the GEARS cloud REST APIs.
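The three integration levels described above can be expressed as one server-side decision function. The following is an added example, not OPSWAT code: it assumes the web service has already obtained the Cookie header values, and lookup_device is a hypothetical callable standing in for the GEARS cloud REST API call, whose endpoints are not shown in this guide. The sample header and license key are constructed placeholders.

```python
from http.cookies import SimpleCookie

GEARS_COOKIES = ("Device_ID", "License_Key", "Policy_State")

# Constructed sample header; the values are placeholders, not real GEARS data.
SAMPLE = "Device_ID=dev-0001; License_Key=EXAMPLE-LICENSE-KEY; Policy_State=1"


def parse_gears_cookies(cookie_header):
    """Return only the three GEARS cookies found in a Cookie header."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    return {n: jar[n].value for n in GEARS_COOKIES if n in jar}


def evaluate(cookie_header, expected_license_key, lookup_device=None):
    """Decide access from the GEARS cookies; returns (allow, reason).

    lookup_device is a hypothetical callable that wraps the GEARS cloud
    REST API: it takes a Device_ID and returns True (compliant), False
    (noncompliant) or None (device unknown to the expected account).
    """
    c = parse_gears_cookies(cookie_header)
    if len(c) != len(GEARS_COOKIES):
        # Cookies expire at the next scheduled check, so absence means
        # GEARS is not installed or not running on the endpoint.
        return False, "gears_not_detected"
    if c["License_Key"] != expected_license_key:
        # Compliance with some other account's policy is not enough.
        return False, "unexpected_account"
    if c["Policy_State"] != "1":
        return False, "noncompliant"
    if lookup_device is None:
        # Cookie-only integration: the user can edit all three values.
        return True, "compliant_unverified"
    state = lookup_device(c["Device_ID"])
    if state is None:
        return False, "unknown_device"
    if not state:
        return False, "cloud_reports_noncompliant"
    return True, "compliant_verified"
```

A service that passes no lookup_device gets the "compliant_unverified" result, which it should treat as advisory only, since every input to that decision comes from the endpoint.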

Notes

1) Because the cookies are injected on an interval, the presence (and expiration status) of a cookie can be used as a reliable indicator of the presence and running state of GEARS on the endpoint.
2) Cookie injection is automatic as long as GEARS is running on the endpoint. It is not configurable.
3) The cookie is injected into all detected and supported browsers on the endpoint. Even if one fails, the remaining browsers will still be tried.
4) This cookie injection has little to no impact on system resources (CPU, memory, disk IO, etc.).

Supported browsers

As of December 18th, 2014, the cookie API is supported on:

Windows 7, 8, 8.1: Internet Explorer, Firefox, Chrome*
OS X: Safari, Firefox, Chrome

* On Windows, the cookie injection will not succeed in Chrome while Chrome is running. The other Windows browsers do not have this limitation. A possible enhancement has been identified and is being researched. It would involve using HTML5 local storage instead of a traditional cookie.

Supported GEARS clients

As of December 18th, 2014, the cookie API is supported and implemented in:

GEARS for Windows: Persistent (managed) version
GEARS for Windows: On demand (guest) version, no UAC*
GEARS for Windows: On demand (guest) version, with UAC
GEARS for Mac: Persistent (managed) version
GEARS for Mac: On demand (guest) version

* GEARS for Windows, On Demand version is available with and without UAC. When using the non-UAC version as a user without local administrator rights, the cookie injection will not work with Internet Explorer.

Figure 1 Typical Sequence Diagram

Figure 2 Schematic without SaaS to GEARS Cloud integration

Figure 3 Schematic with SaaS to GEARS Cloud integration

For more information, or if you have any questions about the steps above, please log into the OPSWAT Portal at https://myportal.opswat.com and submit a ticket to request assistance from our support team.