
RE: Full Disk Laptop Encryption

Subject: RE: Full Disk Laptop Encryption
Date: Thu, 27 Sep 2007 18:43:18 -0400
Geoff,

Thanks for the email.

The TecSec solution has been 20+ years in the making and works on most 
platforms.  As such, it has abstracted toolsets that address your concerns 
below and apply those benefits to the entire enterprise and each of the various 
systems in play.  Further the solution has an API and a set of agents, clients 
and other mechanisms to properly support most COTS and other internally 
developed applications that are seen in most larger production environments 
around the world.

The 3Com NICs address the traffic on the network, but they don't necessarily 
allow for enterprise key management per user, per system, per application, per 
dataset, per file, and even more granularly on per object basis that allows for 
protection all the way up until each object is pushed to the processor with 
various appropriate credential sets.

3Com solutions are great for up to a certain point in traditional OSI 
communications, but they don't necessarily bridge the gap between the other 
applications and drivers that you mentioned below.

As for the built-in tools from XP/2003 or the like, they are getting better, 
but it is truly a relative response, since they had a very long way to come 
from and since those tools don't necessarily work between various systems 
that are often found within larger networks and enterprises.

Hope this helps,
Bob



-----Original Message-----
From: gjgowey@tmo.blackberry.net [mailto:gjgowey@tmo.blackberry.net] 
Sent: Thursday, September 27, 2007 6:14 PM
To: Rob Thompson; listbounce@securityfocus.com; Bob Beringer
Cc: Lafosse, Ricardo; security-basics@securityfocus.com; Bob Beringer
Subject: Re: Full Disk Laptop Encryption

I'm curious about the data-in-motion criteria.  If the environment is all 
xp/2003 with ad then there are settings that can be applied via group policy to 
force all traffic via file smb/cifs to be encrypted.  SQL traffic can also be 
encrypted via the driver, but I don't know offhandedly if it can be forced from 
the server side.  Outlook connected to exchange server also has traffic 
encryption settings.  That said I really don't know how "well" MS does with 
their encryption implementation in these applications (and pptp is still the 
bane of VPN connection methods for its insecurity).  If you want to go 
completely transparent for encrypting data-in-motion 3Com has a whole line of 
network cards with onboard encryption as well as a policy management server.  
I've never used them, but I've looked at them on their website many a time.

Geoff



Sent from my BlackBerry wireless handheld.
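The Windows-side settings Geoff lists above are all written to the registry (group policy writes the SMB "Digitally sign communications (always)" options into the LanmanServer and LanmanWorkstation service parameters, and SQL Server stores its server-side ForceEncryption flag under the instance key), so a host can be audited for them without opening the group-policy editor. The PowerShell check below is an added example written for this page, not code from any poster or from any vendor mentioned in the thread. The registry paths are the documented ones; it assumes the "Instance Names\SQL" key that SQL Server setup writes for mapping instance names to instance IDs (for example MSSQL.1 for a SQL Server 2005 default instance). Note that the SMB policies it reads enforce signing, and the Outlook/Exchange setting from the message is a per-profile option it does not cover.

```powershell
# Added example (not from the thread): report the Windows-side "data in motion"
# settings on the local host: SMB signing requirements and SQL Server's
# server-side ForceEncryption flag.
# Assumption: instance IDs are looked up under "Instance Names\SQL", the key
# SQL Server setup writes (e.g. MSSQLSERVER -> MSSQL.1 on SQL Server 2005).

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is missing instead of throwing,
    # so a host without SQL Server still produces a complete report.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Describe-Flag([object]$Value, [string]$On, [string]$Off) {
    # Map a DWORD policy value (or $null when absent) to a readable state.
    if ($Value -eq 1) { return $On }
    if ($Value -eq 0) { return $Off }
    return 'not set'
}

# SMB signing, i.e. the "Digitally sign communications (always)" policies.
# RequireSecuritySignature=1 makes that side refuse unsigned sessions;
# EnableSecuritySignature=1 only offers signing if the peer supports it.
$smbRoles = @{
    'server (LanmanServer)'      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    'client (LanmanWorkstation)' = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
}
foreach ($role in $smbRoles.Keys) {
    $require = Get-RegDword -Path $smbRoles[$role] -Name 'RequireSecuritySignature'
    $enable  = Get-RegDword -Path $smbRoles[$role] -Name 'EnableSecuritySignature'
    $state   = Describe-Flag $require 'required' 'optional'
    'SMB signing {0}: {1} (Require={2}, Enable={3})' -f $role, $state, $require, $enable
}

# SQL Server: ForceEncryption=1 makes the instance reject clients that do not
# negotiate encryption, so protection no longer depends on every connection
# string carrying Encrypt=yes (the driver-side setting mentioned above).
$instKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
$inst = Get-ItemProperty -Path $instKey -ErrorAction SilentlyContinue
if ($null -eq $inst) {
    'SQL Server: no instances registered on this host'
} else {
    # Get-ItemProperty adds these provider properties; they are not instances.
    $psProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($p in $inst.PSObject.Properties) {
        if ($psProps -contains $p.Name) { continue }
        $id    = $p.Value
        $path  = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$id\MSSQLServer\SuperSocketNetLib"
        $force = Get-RegDword -Path $path -Name 'ForceEncryption'
        $state = Describe-Flag $force 'forced by server' 'left to the client'
        'SQL instance {0} ({1}): encryption {2}' -f $p.Name, $id, $state
    }
}
```

Run it in an elevated PowerShell session on the file server and on the SQL Server host; a domain-wide rollout of the policy is only as good as the hosts that actually received it, so the per-host readout is what to compare against the GPO you intended to apply.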

-----Original Message-----
From: "Rob Thompson" <my.security.lists@gmail.com>

Date: Thu, 27 Sep 2007 14:08:15 
To:"Bob Beringer" <bob.beringer@usa.net>
Cc:"Lafosse, Ricardo" <rlafosse@sfwmd.gov>,security-basics@securityfocus.com, 
"Bob Beringer" <bob@eor.us>
Subject: Re: Full Disk Laptop Encryption


On 9/27/07, Bob Beringer <bob.beringer@usa.net> wrote:
Rob,

Thanks for the email.  A couple of the issues with PointSec, at least the last 
time that I checked, are that they didn't offer digital signature support, MAC 
agents, and don't support encryption for Data-in-Motion.  There were other 
deficiencies that came up during our bake-off, but these are a few to get you 
started...  Don't get me wrong PointSec has a pretty decent offering and a 
lot of folks like them, but I try to talk about things on list from a 
technical perspective first.

Didn't get you wrong.  Just was curious as PointSec is a product that
I'm content with.  So if there is a user that is having issues with
it, I would like to find out - as this may be a learning experience
for me for the future.

Let's see here...  Digital Signatures, I'm looking through the help
file for the latest release that I'm getting ready to start testing to
upgrade to...  I do not see any reference to that, so I am under the
assumption that that is still not offered.  And I know that it is not
currently available with the version that I am using.

MAC agents, I do not know what you are referring to with this.  I
would make a guess, but I am seeing a few too many possibilities...
;p

Data-in-Motion - are you talking about data after it has physically
left your hard drive.  Ie.  e-mail, thumbdrives, network traffic,
etc...  If that's the case, that is definitely one of the problems
that we are running into with this software, that is a feature that
upper management is looking for.  Personally, I figure once you have
gotten down to this point with data security by utilizing FDE, you're
about as protected as you should need to be.  I would try to avoid
this (if I'm in the right direction) cost by instead training
employees on data security and also hiring employees that I do not
have to question their loyalties or ethics.  Though I know that this
is easier said than done...


An older public bake-off document was released via the link below and it 
might provide value to the group.

http://www.networkcomputing.com/showArticle.jhtml?articleID=193500189


Thank you.  I'll take a peek at it.

My team developed a really cool integrated solution with several of the 
whole-disk encryption solutions for multi-factor authentication and remote 
access for some of our government clients and really had to dig into the 
weeds to find out which solutions played better with others, so my thoughts 
below are tied closely to what works well in an enterprise, what the goals of 
the organization might be and what type of integration that each environment 
needs.

Two last notes, PGP now has a universal server and they have a Mac client 
with enterprise key management for the Macs. Lastly, TECSEC has a very 
flexible and powerful solution for encrypting objects and other data in 
motion as well as protecting Data at Rest. (mind you in this case that 
flexible also might mean more initial set up time and effort...)

More setup time and effort is a small price to pay when you have a
more efficient and properly configured solution deployed.  It is well
worth the time, IMO.

I will have to check into this TECSEC.  My curiosity is piqued.  Thank
you for the tip.


I hope that this information helps :-)

Very much so.  Thank you kindly for your response.  Very well written,
by the way.  :)


v/r
Bob
+12404756858


-----Original Message-----
From: Rob Thompson [mailto:my.security.lists@gmail.com]
Sent: Thursday, September 27, 2007 1:50 PM
To: Bob Beringer
Cc: Lafosse, Ricardo; security-basics@securityfocus.com
Subject: Re: Full Disk Laptop Encryption

On 9/27/07, Bob Beringer <bob@eor.us> wrote:
Ricardo,

Pointsec has some limitations, other solutions that are worth looking into
are:

Which would be?  I'm not trying to be confrontational, I am simply curious.

I have personally used WinMagic, PointSec and PGP.  I am not familiar
with the TecSec, though I am curious as to what limitations you would
be referring to in regards to PointSec.

IMO I would use either PointSec or SecureDoc, by WinMagic.  I would
stay away from PGP's product like the plague.

They are both extremely thorough.  Pointsec with its current release
is much faster, and has quite a few handy features, like disabling
removable media until authentication, etc...  I haven't used
SecureDoc since it's been Linux compliant, so I can't speak on its
newer revisions...

<snip>

--
Rob





--
Rob


