Check Point Whitepaper. Check Point Abra: A Virtual Secure Workspace Technical Whitepaper



Contents
- An Increasingly Mobile World
- Threats and Dangers of a Mobile Workforce
- Abra Provides the Solution
- Introduction to Abra Technology
- Applications of Abra Technology (Use Cases)
  - At Work
  - At Home
  - On-the-go
- Summary

Workforce Challenges

Over the past several years, enterprises have experienced a significant increase in workforce mobility. Today, employees routinely connect to their offices from home PCs via VPN, use wireless hotspots in airports, and receive work email on smartphones. This mobility has led to unprecedented productivity, as employees are able to remain connected anytime, anywhere.

An increasing number of companies have formally embraced telecommuting as a viable alternative for their workforce. Some employees work from home a few days each week, while others work remotely full-time. According to WorldatWork, 42 percent of U.S. employers allowed staff to work remotely in 2008, up from 30 percent the previous year. These employees typically log in from either a company-owned laptop or their home computer, via a direct VPN connection.

BY THE NUMBERS:
- 42% of US employers allow telecommuting
- 34 million telecommute at least 1 day a month
- 43% rise in telecommuters

Figure 1. Telecommuter trendline, 2001 to 2008 (in millions): total, contract, and employee telecommuters working remotely at least 1 day per month. Source: Telework Trendlines 2009, WorldatWork.

Companies are also facing challenges in providing controlled and protected access to contractors and partners. According to the Ponemon Institute, over 44% of all cases in this year's data breach study involved third-party mistakes.

Providing instant access to the office network for employees who travel has also become a critical requirement for many enterprises. The availability of broadband access, coupled with the efficiency of modern communications, has accelerated the speed at which business is conducted and fueled expectations of continuous access to workplace resources.

FACT: Growing mobile workforce increases security risks

Threats and Dangers of a Mobile Workforce

While providing employees, contractors and partners with instant, secure remote access to the corporate network brings tremendous advantages in productivity and efficiency, it also introduces significant security risks. Laptops containing sensitive company or customer data can be lost or stolen; passwords, login credentials and sensitive files can be left behind on untrusted devices at the end of a session, readily available to subsequent users. Employees logging in remotely may also be using an untrusted machine, or one carrying malicious software, and thereby open a direct path into the enterprise's network, exposing it to an array of threats.

DATA LOSS IS A REAL THREAT:
- Untrusted and unmanaged PCs
- Malicious software
- Keyloggers

Figure 2. Attacker targets sensitive data using a variety of methods: exploits, network spoofing, hardware theft, screen grabbing, malware and keylogging, aimed at sensitive files and login credentials.

For these reasons, mobile users on the go require additional layers of security protection that traditional endpoint solutions cannot provide.

Abra Provides the Solution

Abra is a hardware-encrypted flash drive with embedded security software. It encrypts data on the flash drive and provides secure remote access with policy enforcement, as well as a secure virtual workspace for working with documents and applications. All sensitive user information is encrypted on the flash drive, so user credentials, document contents and other sensitive data remain protected even if the drive is lost. When Abra is inserted into the USB port of any PC, the user is presented with a new Windows desktop containing the user's shortcuts and documents.

Abra uses the software installed on the host PC to run applications such as Microsoft Word and Microsoft Excel, but the user's documents remain in the Abra environment: a separate secure workspace that runs in parallel with the host environment. Abra opens a secure channel to the applications stored on the host, which lets it use those applications without the document data being written to, or left behind on, the host PC's file system.

ABRA IS A THREE-IN-ONE SOLUTION:
- Secure virtualization
- Secure connection
- Portable, plug-and-play

Employees routinely use a wide range of untrusted computers, including home computers and computers in hotel and airport business centers. There is no guarantee that these systems run current antivirus software with updated signatures, or that they are free of malicious software, which puts the company at significant risk. Abra therefore creates a virtual Secure Workspace: a segregated environment that provides direct access to the company network. None of the host system's processes can gain access to it, and no traces are left on the host system after the session is over.

Figure 3. Abra controls which applications can run and which cannot.

For an additional layer of security, the enterprise can apply security policies that determine which applications are allowed to run on Abra and how secured files are to be handled. Administrators can also configure settings that restrict users from printing or from accessing the host PC.

ABRA FEATURES:
- Plug-and-play operation
- Secure virtual workspace
- Standard Windows user environment
- Integrated VPN connectivity
- Always-on hardware and software encryption
- File transfer control
- Application control
- User authentication
- Central management

Figure 4. Security through segregation: PC folders are not accessible from Abra*; Abra folders are not accessible from the PC*; all files and folders are hardware and software encrypted; printing from Abra is blocked*. Switching environments between Abra and the host PC leaves no residue in RAM. (* These options can be configured by administrators.)

SECURITY THROUGH ACCESS CONTROL:
- Granularly restrict access to the host PC
- Printing from Abra can be blocked

Abra Technology

Once the Abra flash drive is inserted into a PC or laptop, a special program launches and is granted access to the flash drive firmware, where sensitive information is stored. The user is then presented with a login screen and must enter credentials. Abra supports minimum password strength enforcement, as well as certificates and tokens for multi-factor remote access authentication. A virtual keyboard is included and can be used at login to prevent password theft by keyloggers.

Upon successful login, a new explorer.exe instance is started in the Abra Secure Virtual Workspace. All subsequent processes are started as child processes of this new explorer, which is what lets Abra control the applications in the secure workspace.

ntdll.dll, the Windows native API library, is the last user-mode layer between an application and the system kernel. Abra hooks at this border, intercepting the secure application's calls before they reach ntdll.dll. This is where the enterprise's policies are enforced, for example forbidding the copying of files from Abra to the host PC, or vice versa. All file and registry input/output (I/O) calls of a secure application running inside Abra are redirected to the flash drive: applications on the Abra desktop (including the new explorer) operate in a virtual file system and registry, and the virtual files and all registry data are written to the flash drive immediately, where they are encrypted on write.

SECURE VIRTUAL WORKSPACE:
- Leverages the host operating system (no separate license needed)
- Leverages permitted applications on the host PC
- Encrypted storage

Figure 5. Abra architecture: application layer (Word, browser, and ordinary applications); secured layer (Secure Workspace hooks); NT layer (ntdll.dll, with Abra Encrypted Storage alongside the real registry and file system).

SECURE ARCHITECTURE: Segregating the user workspace from the host PC inherently protects sensitive user data.
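The hooking and I/O redirection described above, as an added illustration that is not Check Point's code: a user-mode interposition layer modelled on POSIX open() rather than Win32 CreateFile so that it compiles on any system. The workspace application reaches open() only through a function-pointer slot, standing in for the import-table entry a real hook replaces; the hook classifies each request against an administrator policy, redirects writes into a store directory that stands in for the encrypted flash partition, lets reads fall through to the host when policy allows it, and denies them otherwise. WORKSPACE_ROOT, the policy field names, the verdict values and the flattened shadow-path naming are assumptions made for this example, and encryption of the store is out of scope here.

```c
/*
 * Added example, not Check Point code: a user-mode file I/O interposition layer
 * in the style the whitepaper describes, modelled on POSIX open() rather than
 * Win32 CreateFile so it builds anywhere. WORKSPACE_ROOT, the policy fields and
 * the flattened shadow-path scheme are assumptions made for this illustration.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Stand-in for the encrypted flash-drive partition (assumed path). */
#define WORKSPACE_ROOT "/tmp/abra_demo_store"
#define VPATH_MAX 512

/* Switches an administrator would set centrally (assumed names). */
struct workspace_policy {
    int allow_host_read;   /* may a workspace app read files that live on the host?  */
    int allow_host_write;  /* may it write to the host file system (the leak path)?  */
};
struct workspace_policy g_policy = { 1, 0 };

/* What the layer decided for a request, exposed so callers can check it. */
enum verdict { V_PASSTHROUGH, V_REDIRECT, V_HOST_READ, V_DENY };

/* Workspace applications reach open() only through this slot. Swapping the
 * pointer models what an import-table hook does to a module's CreateFile entry. */
typedef int (*open_fn)(const char *path, int flags, mode_t mode, enum verdict *why);

static int real_open(const char *path, int flags, mode_t mode, enum verdict *why)
{
    if (why) *why = V_PASSTHROUGH;
    return open(path, flags, mode);
}

/* Map a host path to its shadow inside the store. Flattening '/' to '_' is a
 * simplification; a real virtual file system keeps the directory tree.
 * Returns 0 on success, -1 if the result would not fit in out. */
int virtualize_path(const char *path, char *out, size_t out_len)
{
    size_t root_len = strlen(WORKSPACE_ROOT);
    size_t n = strlen(path), i;
    if (root_len + 1 + n + 1 > out_len) return -1;
    memcpy(out, WORKSPACE_ROOT, root_len);
    out[root_len] = '/';
    for (i = 0; i < n; i++)
        out[root_len + 1 + i] = (path[i] == '/') ? '_' : path[i];
    out[root_len + 1 + n] = '\0';
    return 0;
}

/* Any request that can create, truncate or write counts as a write. */
int is_write_request(int flags)
{
    return (flags & O_ACCMODE) != O_RDONLY || (flags & (O_CREAT | O_TRUNC | O_APPEND)) != 0;
}

/* The policy decision, kept free of disk access so it can be tested on its own.
 * shadow_exists says whether a copy of the file already lives in the store. */
enum verdict decide(const char *path, int flags,
                    const struct workspace_policy *p, int shadow_exists)
{
    if (strncmp(path, WORKSPACE_ROOT "/", strlen(WORKSPACE_ROOT) + 1) == 0)
        return V_PASSTHROUGH;            /* already inside the store */
    if (is_write_request(flags))
        return p->allow_host_write ? V_PASSTHROUGH : V_REDIRECT;
    if (shadow_exists)
        return V_REDIRECT;               /* the workspace copy shadows the host file */
    return p->allow_host_read ? V_HOST_READ : V_DENY;
}

/* The hook installed in place of real_open. */
static int hooked_open(const char *path, int flags, mode_t mode, enum verdict *why)
{
    char vpath[VPATH_MAX];
    enum verdict v;

    if (virtualize_path(path, vpath, sizeof vpath) != 0) {
        errno = ENAMETOOLONG;
        return -1;
    }
    v = decide(path, flags, &g_policy, access(vpath, F_OK) == 0);
    if (why) *why = v;

    switch (v) {
    case V_PASSTHROUGH:
    case V_HOST_READ:
        return open(path, flags, mode);
    case V_REDIRECT:
        mkdir(WORKSPACE_ROOT, 0700);     /* EEXIST is fine on later calls */
        return open(vpath, flags, mode);
    default:
        errno = EACCES;
        return -1;
    }
}

static open_fn open_slot = real_open;
void enter_secure_workspace(void) { open_slot = hooked_open; }
void leave_secure_workspace(void) { open_slot = real_open; }

/* A workspace application saving a document; it believes it wrote host_path.
 * Returns 0 on success, -1 on failure, and reports the layer's verdict in why. */
int app_save_document(const char *host_path, const char *text, enum verdict *why)
{
    ssize_t n;
    int fd = open_slot(host_path, O_WRONLY | O_CREAT | O_TRUNC, 0600, why);
    if (fd < 0) return -1;
    n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

int main(void)
{
    enum verdict why;
    char vpath[VPATH_MAX];

    enter_secure_workspace();
    if (app_save_document("/home/user/report.txt", "quarterly figures\n", &why) != 0) {
        perror("save");
        return 1;
    }
    virtualize_path("/home/user/report.txt", vpath, sizeof vpath);
    printf("verdict %d: document stored at %s; host path %s\n", (int)why, vpath,
           access("/home/user/report.txt", F_OK) == 0 ? "exists" : "untouched");
    leave_secure_workspace();
    return 0;
}
```

Built and run, the program saves a document that the application believes went to /home/user/report.txt; the file actually lands under /tmp/abra_demo_store and the host path is never opened. The same limit the whitepaper's design has on a real host applies here: a caller that reaches open() directly instead of through the slot, or code running in the kernel, is not covered by the hook.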

When an application inside Abra requests file creation, it calls the Win32 CreateFile API. Abra intercepts the call and the file is actually created within the flash drive's file system; alternatively, file creation inside Abra can be denied by policy. This hooking does not require Abra to install a driver component, which dramatically reduces the potential for conflicts between Abra and the software on unmanaged computers. In this architecture, the memory spaces of applications under Abra and those of ordinary applications on the host PC are not separated, which avoids memory conflicts. In addition to ntdll.dll, several other Windows dynamic-link libraries are hooked in the same manner to provide additional security.

The boundary this creates is an application-level one: it governs the file and registry I/O of the applications it has hooked rather than everything that executes on the host, so code already running with kernel privilege on an untrusted host lies outside it.

PROTECTION MECHANISMS:
- Virtual keyboard at login to defeat keyloggers
- Control over applications and programs

Applications of Abra Technology (Use Cases)

With Abra, enterprises can provide employees, contractors and partners with a consistent, controlled, encrypted and secure virtual workspace that is independent of the host computer. Security administrators can enforce mandatory access control on all files stored in the hardware-encrypted, password-protected partition, which helps enable compliance with privacy regulations.

At Work

Abra is portable, so users can take it wherever they go. The entire working environment, including security settings, bookmarks, documents, shortcuts and VPN connectivity, remains consistent on every PC. Abra can be used to provide easy access to partners and guests, or to grant temporary access to contractors who use their own computers. In either case, contractors or guests do not have to install anything on their computers, eliminating the need to purchase additional assets and significantly reducing support costs.

Figure 6. Easy access for contractors and guests.

FACT: One solution, many use cases

At Home

The growing number of emails with the subject line "Working From Home Today" makes system administrators nervous. The more employees work outside the firewall, the less control the enterprise has over its information, and every increase in the number of employees working from home brings a corresponding increase in the potential for a security breach. A simple "snow day" can keep workers at home for a few days; a worldwide pandemic, which nearly occurred during the recent H1N1 flu outbreak, may force people to stay home for weeks at a time. Convenient and secure remote connectivity tools are therefore required to maintain productivity without sacrificing security.

USE CASES:
- Mobile workers
- Partners, contractors or guest access
- Disaster planning

Figure 7. Abra provides the ability to work from home in case of natural disaster.

On-the-go

Employees such as sales professionals who work on the road and from home can carry the pocket-sized Abra for use on any PC, rather than hauling a laptop from place to place. Alternatively, they can supplement their laptop with Abra for a blend of consistency and security.

Figure 8. Abra provides a workspace on the go.

Summary

Abra provides convenient and secure access to the corporate workspace while preventing data loss and blocking malicious activity from remote systems, at a significantly reduced cost versus traditional endpoints.

IDEAL SOLUTION: Abra puts your office in your pocket

About Check Point Software Technologies Ltd.

Check Point Software Technologies Ltd. (www.checkpoint.com), worldwide leader in securing the Internet, is the only vendor to deliver Total Security for networks, data and endpoints, unified under a single management framework. Check Point provides customers uncompromised protection against all types of threats, reduces security complexity and lowers total cost of ownership. Check Point first pioneered the industry with FireWall-1 and its patented Stateful Inspection technology. Today, Check Point continues to innovate with the development of the software blade architecture. The dynamic software blade architecture delivers secure, flexible and simple solutions that can be fully customized to meet the exact security needs of any organization or environment. Check Point customers include tens of thousands of businesses and organizations of all sizes including all Fortune 100 companies. Check Point award-winning ZoneAlarm solutions protect millions of consumers from hackers, spyware and identity theft.

CHECK POINT OFFICES
Worldwide Headquarters: 5 Ha'Solelim Street, Tel Aviv 67897, Israel. Tel: 972-3-753 4555; Fax: 972-3-624-1100; email: info@checkpoint.com
U.S. Headquarters: 800 Bridge Parkway, Redwood City, CA 94065. Tel: 800-429-4391; 650-628-2000; Fax: 650-654-4233. URL: http://www.checkpoint.com

Check Point, AlertAdvisor, Application Intelligence, Check Point Endpoint Security, Check Point Endpoint Security On Demand, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoreXL, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Full Disk Encryption, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Pointsec, Pointsec Mobile, Pointsec PC, Pointsec Protector, Policy Lifecycle Management, Power-1, Provider-1, PureAdvantage, PURE Security, the puresecurity logo, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Security Management Portal, Sentivist, SiteManager-1, Smart-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartProvisioning, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartView Tracker, SMP, SMP On-Demand, SofaWare, SSL Network Extender, Stateful Clustering, Total Security, the totalsecurity logo, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, UTM-1, UTM-1 Edge, UTM-1 Edge Industrial, UTM-1 Total Security, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN-1 Power, VPN-1 Power Multi-core, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, VSX-1, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm ForceField, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 5,987,611, 6,496,935, 6,873,988, 6,850,943, and 7,165,076 and may be protected by other U.S. Patents, foreign patents, or pending applications.

April 16, 2010