SmartCenter for Pointsec - MI Overview

N/A
N/A
Protected

Academic year: 2021

Share "SmartCenter for Pointsec - MI Overview"

Copied!
28
0
0

Loading.... (view fulltext now)

Full text

Chapter 1: SmartCenter for Pointsec - MI Overview

SmartCenter for Pointsec - MI is a management and administration framework solution for the Check Point Endpoint Security product line that integrates with Microsoft Active Directory. MI enables Check Point Endpoint Security - Full Disk Encryption platforms (or MI Clients) to use a Device Agent based client/server approach for deployment, configuration, management, administration, and monitoring.

This chapter provides an overview of SmartCenter for Pointsec - MI as the administrative piece for Full Disk Encryption, and also discusses the “design philosophy” of the MI framework. In addition, the use of SmartCenter for Pointsec - MI is compared to the Administrative mode of a Full Disk Encryption installation, resolving which solution is best applicable in a given environment.

Objectives:

- Identify the Management Philosophy of SmartCenter for Pointsec - MI
- Compare and contrast the Active Directory OU management structure vs the SmartCenter for Pointsec - MI OU management structure
- Identify the server and client side components of the MI framework
- Define the virtual and physical architecture of SmartCenter for Pointsec - MI
- Execute a “compact” installation of SmartCenter for Pointsec - MI

Key Terms:

- Framework
- Organizational Unit
- Active Directory
- Management Console
- MI database
- Directory Scanner
- Connection Point
- Device Agent


Administering Full-Disk Encryption

In its simplest form, administering Full Disk Encryption is a three-step management process:

1. Configure the program.
2. Deploy the installation.
3. Verify that the installation has been successfully completed.

But realistically this is not the case.

Configuration poses numerous questions, such as:

- Do I integrate users’ disk encryption passwords with their network access passwords, or keep them separate?
- If I’m using some type of dynamic access for the network, can I use this with disk encryption?

Some deployment considerations are:

- Do certain departments need different levels of encryption?
- Should one department use dynamic token access, while another uses traditional passwords?

In addition, verification may or may not occur, depending on the type of software used. If the disk encryption software is not fully compatible with whatever enterprise management software is available, the administrator may be reduced to manually verifying each user’s system installation.

Check Point Full Disk Encryption (FDE), previously called Pointsec PC Enterprise Workplace edition, provides answers to these questions, as it is managed and deployed using an “Administrative Installation” of the product. This superuser configuration gives an administrator in a small-to-medium business environment the ability to work entirely within the Check Point FDE installation and perform all job-related tasks. Configuration settings can be set and/or adjusted, profiles can be created and/or updated, and profile and binary updates can be issued. Drive access can be configured to use the same password (or authentication scheme) as used by Network Access. Encryption can be configured depending on specific service levels for different departments. Additionally, logging and verification of installation can be configured to be written back to a shared server.

If no integration with a user and resource management structure is required, this is a suitable management solution. However, as a business increases in size, such an installation is typically planned using some variant of LDAP or, more often, Microsoft Active Directory. In this case, such a solution is a necessity instead of a luxury, and security-critical functions such as managing the Check Point Full Disk Encryption installation in “superuser” mode may become cumbersome. Therefore, if LDAP or Active Directory is being implemented, SmartCenter for Pointsec - MI is the most effective solution, offering scalability, integration with user and resource management, and centralization.

What SmartCenter for Pointsec - MI offers

SmartCenter for Pointsec - MI is the management and administration solution for the Check Point Endpoint Security product line that integrates with Microsoft Active Directory. MI uses a client-server based model for deployment, configuration, monitoring, management and administration of various pieces of the Check Point Endpoint Security suite.

Central management

Leveraging the pre-existing organizational hierarchy structure of Active Directory, MI is a centralized management solution. A single administrator (or team of administrators) can deploy, upgrade and remove the Full Disk Encryption product from a single management console application. The MI Management Console (MIMC) also allows for full monitoring of the organization’s security using centralized logging and system status reporting.


Modular Framework solution

Figure 1-1: The MI Framework - Server Side Components

MI is described as a modular framework solution. Since a framework could be described as a structure that supports other components internally or externally, MI fits this description in that it can support multiple security products within its management scheme.

As the above graphic shows, multiple pieces make up each component of the framework. While some of these pieces are specific to Microsoft’s product line (ASP.NET, IIS, Active Directory), they still comprise critical elements of the framework.

For example, the Full Disk Encryption software module is installed into the SmartCenter MI framework at the Connection Point, and the Administrator then configures the security profile for Full Disk Encryption in the MI Management Console, which then saves it to the MI Database. In the database, the Directory Scanner (DS) has reproduced the Active Directory structure to allow for the Full Disk Encryption configuration to propagate to all levels within an

accordingly, the administrator can then deploy Full Disk Encryption and the relevant profile(s) to all parts of an organization. In addition to the Full Disk Encryption software, different software modules are supported, including Check Point Media Encryption and Check Point Mobile Encryption. The modular aspect of these pieces is illustrated in the following graphic:

Figure 1-2: Modular Framework Solution - Client Side

As in the framework of a house, where additional structures can be added, MI is a scalable solution, capable of growing as an enterprise grows, based in part on MI’s integration with Microsoft Active Directory. This is illustrated in the following graphic using the Directory Scanner component:


Figure 1-3: Scalability - Directory Scanner Example

As the AD structure of checkpoint.com expands out into the subdomains of research.checkpoint.com, accounting.checkpoint.com and sales.checkpoint.com, each of these is still initially scanned by the same directory scanner. As the load grows too great for a single directory scanner, additional Directory Scanners are added to write information back to the MI Database. Eventually, the MI Database itself is partitioned into separate sections for each of the subdomains.

Integration with Active Directory

As previously mentioned, SmartCenter MI extends existing enterprise investments by integrating with Active Directory. This allows MI to leverage the management structure provided by Active Directory’s existing configuration in a given enterprise environment. This gives SmartCenter MI a low installation threshold, since a critical part of the configuration of SmartCenter MI’s management structure is based on existing Active Directory structures.

It should be noted, though, that although SmartCenter for Pointsec - MI uses Active Directory’s structure and “philosophy”, it does not interact directly with Active Directory. Instead, SmartCenter - MI replicates the necessary information into the MI Database. As such, there are no objects created in the Active Directory installation, and no need for schema extensions.

Microsoft Active Directory - A Quick Overview

Active Directory is a database technology created by Microsoft that is primarily used as a management tool for organizational structures in Windows environments. Using Active Directory, administrators assign policies, deploy software, and apply critical updates to an organization. Active Directory uses the concept of objects and containers in a hierarchical organizational structure. Each tier of the hierarchy is made up of containers, which contain objects, or a container may contain other containers and objects.

The container in this structure is the aforementioned Organizational Unit (OU). OUs are tiers in the hierarchy and contain objects, which can be defined in three categories:

- resources - commonly defined as things like printers, user PCs, and servers.
- services - any service that may be used within the company network: e-mail, chat, file server access.
- users - user accounts and their network access.

Much like DNS domains, AD hierarchies are nested within each other, stemming from a root or “enterprise” level. Hence, the OU checkpoint.com will have sub-OUs of research.checkpoint.com, accounting.checkpoint.com and sales.checkpoint.com. Each of these is a distinct container at its own level, but they are all connected to the container for checkpoint.com. This extends down to the specific device object level, so a printer in research.checkpoint.com could have an Active Directory designation of north_office_hp.research.checkpoint.com.

The Microsoft Management Console

Like most server-side applications in Windows, Active Directory is managed via the Active Directory snap-in for the Microsoft Management Console. This allows administrators to access the objects in an OU directly. The following screenshot shows the Active Directory Users and Computers snap-in:

Figure 1-4: The Microsoft Management Console (MMC) - Active Directory Users and Computers

From here, an administrator can view the entire contents of an OU, related to the user accounts and computers of the OU.


The SmartCenter MI Management Structure

SmartCenter MI recreates and then uses the existing Active Directory structure by recreating the levels and specific elements of an organization’s AD Organizational Units (OUs). As in Active Directory, SmartCenter MI defines an OU as an object used to distinguish different departments, sites, teams and devices in an organization. Using these units, Pointsec security modules are installed, modified, managed or removed.

Building on the advantages Active Directory’s organizational hierarchy brings to resource management, SmartCenter MI’s OU structure makes propagation of installation, configuration and updates to protected resources easy. Settings that are configured for a top-level OU will normally be inherited by the sub-OUs of the primary OU.

For example, if you want all members of the OU checkpoint.com to use smartcards to log in to Full Disk Encryption, making the configuration change in the research.checkpoint.com and accounting.checkpoint.com OUs will propagate down to the sub-OUs dallas.research.checkpoint.com, tokyo.research.checkpoint.com and


Figure 1-5: OU Propagation

Conversely, for instances where a sub-OU needs different settings than the parent OU, configuration settings made specifically at that sub-OU level normally override the settings configured on the higher level. (This can be modified if specific settings are needed throughout an OU and its sub-OUs.)

Check Point recommends configuring settings on the OU level rather than for specific devices in SmartCenter for Pointsec - MI modules.
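To make the inheritance and override rules above concrete, here is an added Python model (written for this text, not Check Point code) of an OU tree in which a nearer OU's setting wins unless an ancestor has marked the key as enforced, the case the text calls out for settings that must hold throughout an OU and its sub-OUs. The OU names follow the chapter's checkpoint.com example; the setting keys, the enforced flag and the lab-pc-07 device object are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class OU:
    """One node of the mirrored OU hierarchy: an OU or a single device object."""
    name: str
    parent: Optional["OU"] = None
    settings: Dict[str, object] = field(default_factory=dict)
    # Keys this OU pushes down unchanged; sub-OUs may not override them
    # (assumed representation of the "needed throughout an OU" case).
    enforced: Set[str] = field(default_factory=set)
    children: List["OU"] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.parent is not None:
            self.parent.children.append(self)


def resolve(ou: OU) -> Dict[str, Tuple[object, str]]:
    """Return key -> (effective value, name of the OU that supplied it).

    Walk from the root down: each level inherits everything above it and the
    nearer OU overrides, unless an ancestor enforced the key.
    """
    chain: List[OU] = []
    node: Optional[OU] = ou
    while node is not None:
        chain.append(node)
        node = node.parent
    chain.reverse()  # root first

    effective: Dict[str, Tuple[object, str]] = {}
    locked: Set[str] = set()
    for node in chain:
        for key, value in node.settings.items():
            if key in locked:
                continue  # an ancestor enforced this key: local override ignored
            effective[key] = (value, node.name)
        locked |= node.enforced
    return effective


def effective_settings(ou: OU) -> Dict[str, object]:
    return {key: value for key, (value, _src) in resolve(ou).items()}


def propagation_report(root: OU, key: str) -> Dict[str, str]:
    """For every node under `root`, name the OU whose value of `key` is in effect.

    This is the question to ask before changing a setting at a given OU:
    which sub-OUs and devices will actually receive it.
    """
    report: Dict[str, str] = {}
    stack = [root]
    while stack:
        node = stack.pop()
        resolved = resolve(node)
        report[node.name] = resolved[key][1] if key in resolved else "<unset>"
        stack.extend(node.children)
    return report


def build_example_tree() -> Dict[str, OU]:
    """Constructed sample hierarchy following the chapter's checkpoint.com example."""
    root = OU("checkpoint.com",
              settings={"fde_auth": "password", "encrypt_all_volumes": True},
              enforced={"encrypt_all_volumes"})
    research = OU("research.checkpoint.com", root, {"fde_auth": "smartcard"})
    dallas = OU("dallas.research.checkpoint.com", research)
    tokyo = OU("tokyo.research.checkpoint.com", research)
    accounting = OU("accounting.checkpoint.com", root, {"encrypt_all_volumes": False})
    # A single device object configured directly, as in the Figure 1-6 discussion.
    lab_pc = OU("lab-pc-07.dallas.research.checkpoint.com", dallas,
                {"fde_auth": "dynamic_token"})
    return {ou.name: ou for ou in (root, research, dallas, tokyo, accounting, lab_pc)}


if __name__ == "__main__":
    tree = build_example_tree()
    for name in ("dallas.research.checkpoint.com", "accounting.checkpoint.com"):
        print(name, effective_settings(tree[name]))
    print(propagation_report(tree["checkpoint.com"], "fde_auth"))
```

Note that accounting.checkpoint.com's attempt to turn off encrypt_all_volumes is ignored because the root enforced it, while research.checkpoint.com's smartcard setting flows down to dallas and tokyo but is overridden on the directly configured device.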


Figure 1-6: Installation via OU structures.

When creating an installation package for a module in order to install a security product on end-users’ devices, the settings for the module are collected from the selected OU. In the above graphic, the specific device in research.checkpoint.com required settings only for that module, and as such, the administrator made configurations directly to the object for that device.

However, all systems in accounting.checkpoint.com required the same security configuration. The administrator was able to create and deploy a configuration profile that was suitable for all machines by creating this at the OU level.


MI Components

Figure 1-7: SmartCenter for Pointsec - Component Interaction

As mentioned earlier, SmartCenter for Pointsec - MI is considered a framework, or more succinctly, a Management Infrastructure (hence the initials MI). It is comprised of several different components, i.e. distinct programs that perform singular or multiple tasks contributing to the overall function. The above graphic illustrates these components and their interaction.

To describe the process flow illustrated in the above graphic, consider the following:

The Device Agent (DA) is installed on the client, allowing communications with the MI Connection Point (CP), and thereby the rest of the framework. This facilitates sending user and polling information to the MI Database (MIDB), as well as providing a channel for the framework to deliver software modules (such as Full Disk Encryption) to the client.

The software modules are stored at the Connection Point, so that the Device Agent can download them to the clients. The Connection Point also acts as an encrypted relay (using the Keyboxes) between the MI Database (MIDB) and the Device Agent for AD structure related information.

The MI Database could be viewed as the “center” of the framework. As illustrated above, the Directory Scanner (DS) pulls the relevant information regarding the Active Directory structure on the Domain Controller and populates the MI Database with this information. Subsequently, the Directory Scanner also polls AD to send any updates and/or changes to the MI Database.

The MI Management Console (MIMC) connects directly to the MI Database as well. It centralizes all administrative functions in the MI Framework. From here, the administrator can add software modules to the connection point, add additional connection points and download locations, and view and modify software module properties and OU object and container information.


Server Side Components

The server-side components comprise the backbone of SmartCenter for Pointsec - MI. The following list gives a brief overview of each one; they are then discussed in greater detail in subsequent sections:

- MI Management Console (MIMC) - the main interface for the MI Administrator. All administrative work can be done via the MIMC.
- MI database (MIDB) - The SQL database store where MI recreates the Active Directory structure and uses this for its management functions.
- Active Directory (AD) - The organizational hierarchy database created by Microsoft. Stores all user, computer and resource information in an organization.
- Directory Scanner (DS) - This service scans AD and then reproduces the necessary components in MI.
- Connection Point (CP) - Provides an access point for Device Agents and the User Collector on PCs.
- Keyboxes - Encrypts communications between the Connection


The MI Management Console (MIMC)

Figure 1-8: The MI Management Console

As mentioned earlier, the MIMC is the primary location where the SmartCenter for Pointsec - MI administrator will do their work. The MIMC can be installed on any server or workstation with connectivity to the MIDB. It provides a visual display of the directory services that the Directory Scanner can scan, and uses the enterprise’s Organizational Unit layout for configuration, deployment, monitoring, and management. A subsequent chapter covers the MIMC in detail, outlining the areas of the MIMC and the tasks that are performed in each of the areas.


The following table lists the system requirements for the workstation running the MIMC:

Item                  Requirement
Operating System      Microsoft Windows Vista Enterprise Edition
                      Microsoft Windows XP Professional SP 2 or higher
                      Microsoft Windows 2000 Server – minimum Service Pack 4
                      Microsoft Windows Server 2003 (all variants)
Disk Space (initial)  15 MB
Memory (initial)      128 MB
Network Connectivity  TCP/IP networking
                      Stored Procedure Call access to MIDB
Terminal Server       MIMC can be used over Terminal Services. Only one instance
                      at a time can run if the logged-in Windows user has
                      permission to view/list running processes in the system.
                      If the user does not have this permission, several
                      instances can be run. Hence several users can use the
                      MIMC on one Terminal Server.
Application           Microsoft .NET 2.0

Table 1-9: MIMC System Requirements


The MI Database (MIDB)

Figure 1-10: The MI Database (MIDB)

The MI Database (MIDB) is the storage location for all configuration and user data within SmartCenter for Pointsec - MI. It runs on a SQL server installation, and mirrors the Active Directory components that MI uses to create its management structure.

All communications with the MIDB via the MIMC and the Connection Point are encrypted using the keyboxes (discussed later). All sensitive information in these communications, such as user account information, is encrypted. However, the information from Active Directory (OUs, containers, objects) is not encrypted, but is accessed only using stored procedures.


The following table lists the system requirements for the MI Database:

Item                  Requirement
Operating System      Microsoft Windows 2000 Server (Standard, Enterprise, and Web Edition) – minimum Service Pack 4
                      Microsoft Windows Server 2003 (all variants)
Databases             Microsoft SQL Server 2000 (Standard and Enterprise) – minimum Service Pack 2 (Service Pack 3 for Microsoft Windows Server 2003)
                      or
                      Microsoft SQL Server 2005 (Standard and Enterprise)
Disk Space (initial)  35 MB available
Memory                256 MB
Network Connectivity  TCP/IP networking
                      Stored Procedure Call access from other SmartCenter for Pointsec components

Active Directory

While AD is a core component of SmartCenter for MI, it is only used as a “reference point” for the management structure and object information that is used by MI. As has already been discussed, SmartCenter for Pointsec - MI mirrors the AD structure into its own database. The organizational hierarchy created when the domains are configured, defining which computers and users are associated with which domains (and subdomains), is imported into MI in its entirety, creating in essence a second AD used only by SmartCenter MI.

For the system requirements and configuration information on Active Directory, refer to the documentation that came with your Domain Server Software.


Directory Scanner

Figure 1-12: Active Directory Scanner

The Directory Scanner is the service by which SmartCenter MI initially mirrors the AD structures and objects into the MI database. To achieve this, the Directory Scanner uses only read permissions on the Active Directory database, ensuring that no modifications are made by the scanner to AD. After the mirroring has been performed and the MIDB has the structure reproduced in its database, the Directory Scanner regularly polls AD using the USN (Update Sequence Number) mechanism for incremental checks of the AD database against the MI mirrored database. Once it has made the check, the Directory Scanner then applies any updates or changes that need to be added to the MIDB.

Working with the Directory Scanner is discussed in further detail in a later chapter.
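As an added illustration of the full-mirror-then-incremental-poll cycle described above (not Check Point's code), the following Python simulation mirrors a constructed in-memory directory and then polls it using a USN (Update Sequence Number) watermark, so that only objects changed since the last poll are touched and the scanner never writes to the directory. The directory class, its object names and the tombstone handling are simplified stand-ins for AD written for this example, not real LDAP calls.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class DirectoryObject:
    dn: str
    object_class: str
    usn_changed: int
    is_deleted: bool = False


class FakeDirectory:
    """Constructed stand-in for a domain controller's view of the directory.

    Every write bumps a monotonically increasing USN and stamps the touched
    object with it; a deletion is kept as a tombstone so a later poll sees it.
    """
    def __init__(self) -> None:
        self.highest_committed_usn = 0
        self.objects: Dict[str, DirectoryObject] = {}

    def _next_usn(self) -> int:
        self.highest_committed_usn += 1
        return self.highest_committed_usn

    def put(self, dn: str, object_class: str) -> None:
        self.objects[dn] = DirectoryObject(dn, object_class, self._next_usn())

    def delete(self, dn: str) -> None:
        obj = self.objects[dn]
        obj.is_deleted = True
        obj.usn_changed = self._next_usn()

    # The only call the scanner makes: read-only, the analogue of an LDAP
    # search filtered on uSNChanged above the stored watermark.
    def changed_since(self, usn: int) -> List[DirectoryObject]:
        return sorted((o for o in self.objects.values() if o.usn_changed > usn),
                      key=lambda o: o.usn_changed)


class DirectoryScanner:
    """Mirrors a FakeDirectory into a dict standing in for the MIDB tables."""
    def __init__(self, directory: FakeDirectory) -> None:
        self.directory = directory
        self.mirror: Dict[str, str] = {}   # dn -> objectClass, live objects only
        self.last_usn = 0                  # watermark persisted between polls

    def poll(self) -> Tuple[int, int]:
        """Apply everything changed after the watermark; return (upserts, deletes)."""
        upserts = deletes = 0
        # Read the target watermark before fetching, so a write that lands during
        # this poll is picked up next time instead of being silently skipped.
        target = self.directory.highest_committed_usn
        for obj in self.directory.changed_since(self.last_usn):
            if obj.usn_changed > target:
                break
            if obj.is_deleted:
                if self.mirror.pop(obj.dn, None) is not None:
                    deletes += 1
            else:
                self.mirror[obj.dn] = obj.object_class
                upserts += 1
        self.last_usn = target
        return upserts, deletes


def run_scenario() -> Dict[str, object]:
    """Constructed scenario: one full mirror pass, then incremental polls."""
    ad = FakeDirectory()
    ad.put("OU=research,DC=checkpoint,DC=com", "organizationalUnit")
    ad.put("CN=lab-pc-07,OU=research,DC=checkpoint,DC=com", "computer")
    ad.put("CN=jdoe,OU=research,DC=checkpoint,DC=com", "user")
    scanner = DirectoryScanner(ad)
    first = scanner.poll()    # initial mirror of the whole directory
    idle = scanner.poll()     # nothing changed since the watermark
    ad.put("OU=accounting,DC=checkpoint,DC=com", "organizationalUnit")
    ad.delete("CN=jdoe,OU=research,DC=checkpoint,DC=com")
    second = scanner.poll()   # only the two changed objects are touched
    return {"first": first, "idle": idle, "second": second,
            "mirror": dict(scanner.mirror), "watermark": scanner.last_usn}


if __name__ == "__main__":
    print(run_scenario())
```

The watermark is what keeps a poll cheap: the idle poll does no work at all, and the second poll handles one addition and one deletion without re-reading the unchanged objects.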


The following table lists the system requirements for the Directory Scanner:

Item                  Requirement
Operating System      Microsoft Windows 2000 Server (Standard, Enterprise, and Web Edition) – minimum Service Pack 4
                      Microsoft Windows Server 2003 (all variants)
Directory Services    Microsoft Windows 2000 AD, Microsoft Windows Server 2003 AD, 2003 R2 AD, and 2008 AD
Disk Space (initial)  15 MB
Memory (initial)      256 MB
Network Connectivity  TCP/IP networking
                      Stored Procedure Call access to MIDB
                      Access to Directory Service host system (LDAP)

Table 1-13: MI Directory Scanner System Requirements


Connection Point

Figure 1-14: Connection Point

The Connection Point is the “frontline” component between the server side pieces of MI and the client side pieces. A service that works with IIS on a server, this component handles passing the information collected by the Device Agent and User Collector on to the MI Database via an encrypted connection. It also provides the download point for Device Agents to pull installation binaries of various software and security modules from when these are being deployed to the end-user machines. These binaries can be installed via UNC share, HTTP Download, or (in some cases) via group policy updates in Active Directory.


The following table lists the system requirements for the Connection Point:

Item                  Requirement
Operating System      Microsoft Windows 2000 Server (Standard, Enterprise, and Web Edition) – minimum Service Pack 4
                      Microsoft Windows Server 2003 (all variants)
Web Servers           Microsoft Internet Information Server (IIS)
                      IIS 5.0 (MS Windows 2000)
                      IIS 6.0 (MS Windows Server 2003)
Disk Space (initial)  15 MB
Memory (initial)      512 MB
Network Connectivity  TCP/IP networking
                      Stored Procedure Call access to MIDB
                      HTTP and HTTPS access from MI enabled clients
                      SSL Certificate – Optional
Application           Microsoft .NET 2.0

Keyboxes

The keybox is used to authenticate to and create the keys for the encrypted connections between the MIDB and the MIMC and Connection Point. The keybox uses AES256/RSA1024 encryption, where the seed is generated from a unique fingerprint created during installation. All authentication to the keyboxes is done using dynamic tokens, and is required at each startup, whether manual or automatic.


Client Side Components

In addition to the components running on the server side, there are several components that run on the client side.

- Device Agent - A client-side service that provides polling information to MI and is also used for deployment and installation. A later chapter discusses the Device Agent and its GUI in greater detail.
- User Collector - An optional component that is used to collect user logon data to help populate the MI Database. A later chapter discusses the User Collector in greater detail.
- Client Side Software Module - Software Modules fall into two general categories: the device agents (such as the Device Agent service and the User Collector) and the security modules that are installed on to workstations and laptops, such as Check Point Endpoint Security - Full Disk Encryption.


Physical Architecture

Figure 1-16: Distribution of SmartCenter for Pointsec - MI Physical Components

Ideally, the best installation of the SmartCenter for Pointsec - MI components would be for each individual component to be installed on a separate system, so that resources would not be overtaxed on those devices. However, as this is not always possible, there are methods for combining SmartCenter MI components on physical hardware.

The following is a recommendation for the minimum host architecture for SmartCenter for Pointsec - MI components:

- Microsoft Active Directory Domain Controller
- SmartCenter for Pointsec MI Server with the following SmartCenter for Pointsec - MI components:
  - 1 MI Database (MIDB) on Microsoft SQL Server
  - 2 Connection Point servers (CPs) on Microsoft Internet Information Server (IIS)
  - 2 SmartCenter for Pointsec - Management Consoles (MIMC) (installed with CPs)
- Directory Scanner (DS) is recommended for AD environments, but optional for VDS environments.

The following table outlines which components can be installed with other components in the same host environment.

NO = Not supported combination
NR = Not Recommended. While it is possible to install components on hosts where this is not recommended, operational impact on the host systems is possible, and non-Pointsec MI related disaster recovery operations may be impacted.
OK = Supportable combination

MI Component \ Host System    AD Host  DS Host  MIDB Host  CP Host  MIMC Host  Client PC
Active Directory (AD)         -        NR       NR         NR       NR         NO
Directory Scanner (DS)        NR       -        OK         OK       OK         NO
MI Database (MIDB)            NR       OK       -          OK       OK         NO
Connection Point (CP)         NR       OK       OK         -        OK         NO
MI Management Console (MIMC)  NR       OK       OK         OK       -          OK
MI Security Modules           NO       NO       NO         NO       NR         OK


Remote Help

Figure 1-17: MI Web Remote Help

MI now adds a web based Remote Help interface – MI webRemoteHelp. This web based tool allows authentication to the MI Framework to execute Remote Help operations for MI Clients. These operations include enabling a one-time login for a user locked out of their account, and providing assistance for a remote password change. MI webRemoteHelp allows self-service Remote Help operations to be implemented, so that users can use an interface enabled on an intranet site to change their password, or obtain a one-time access password when locked out. It should be noted, however, that this is not the same product as webRH or SmartCenter for Pointsec – webRH, and is not compatible with these.
