A manual for understanding and using the Impex Control Center. SYSCTL AB - version 1.5

Transcription

1 A manual for understanding and using the Impex Control Center SYSCTL AB - version 1.5

2 CONTENTS Contents Introduction 4 History Components Network Setup Time Overview page 5 Navigation menu 5 Stations 6 Station Card Scans 9 Files 10 Configurations 11 Anonymous Mode Upload Files Upload File Meta UDEV Rules Enabled Print Receipt Allow Format Only Allow Scan Only Contact List Completion Malware Alerts ICC Server Repo Server Device Black & Whitelists Advanced settings Release Branch Left USB Port Right USB Port Black & Whitelists 15 Contacts 17 2

3 CONTENTS Server Settings 18 SMTP Settings fields SMTP Server Host SMTP Server Port SMTP Server Username SMTP Server Password Require TLS Last Error Logs Known issues Work flows 19 Registering a new IMPEX Station Enabling the Scan Only feature Enabling the Format Only feature Create a USB device black & whitelist ruleset Configure on Malware Alerts Configuring the SMTP Server Settings Configure Alerts Troubleshooting

4 INTRODUCTION Introduction The Impex Control Center (from here on ICC) is the server appliance for controlling one or more IMPEX Stations, also called USB Laundry stations. This manual will go through the functionality of the ICC explaining how to use it. First all the navigation links in the menu will be presented and then comes chapters for describing common work flows. History In the beginning the IMPEX stations all had the same configuration and fetched their updates from the same server. When customers started deploying IMPEX stations inside of their infrastructure with different configurations it quickly became apparent that each customer needed their own server with their own settings. The feature road map of the IMPEX product also contains parts where sensitive customer information might need to be stored on the server. Components The ICC server contains a web application, a web server, a database, several scripts and cronjobs. It runs tightly integrated with the operating system which for now is Linux 1. All components are packaged using the RPM packaging system with signed packages. The operating system packages, IMPEX software packages and all anti virus signature updates are synchronized with an upstream repository server which in the common case is updates.sysctl.se. These updates are then provided to the IMPEX stations connected via the installed ICC server. Network Setup The main update server is hosted by SYSCTL. All customer ICC-servers need to fetch their updates from it. Usually this is done through the company proxy using proxy authentication. The ICC-server will verify the certificate of remote server and then fetch any available updates. This is done over TLS (HTTPS) and done several times per day. The IMPEX Stations in turn, connect to their configured ICC-server and fetch their updates from it. This is also done over TLS and they also verify the ICC-servers certificate before establishing the connection. To summarize, only port 443 using TCP need to be open between the network components and only in one direction. If the malware alert function is to be used the ICC server also needs to be able to connect to a SMTP server specified by the customer. Time All time is fetched via the ICC-server as well which in turn fetches it from the main repository server. This is also done over the TLS connection. 1 CentOS 7.x Linux 64-bit 4

5 NAVIGATION MENU Overview page After logging in the first thing shown is a collection of graphs aggregating information on the last 1000 scans. Overview charts One can see the different USB vendors used, how many stations have been used, a time line and a grand total of files and malware scanned and found. It should be noted that these graphs are a view on the last 1000 scans only. This is not a hard limit but more for practical reasons to speed up loading of the page since the graphs are rendered client side. Navigation menu The grey top part will always be there for navigation and roughly group the available functionality of the Impex Control Center. 5

6 STATIONS Stations The stations page contains all registered and approved stations. Each station is represented as a card. For a station to appear here it needs to have been approved by an administrator. When a new IMPEX Station is installed and connected to the network it will first register with its configured ICCserver. It will then wait for an administrator to log into the ICC-server and click the Approve button. This process is explained in more detail in the work flow chapter Registering a new IMPEX Station. 6

7 STATIONS Station Card Station card The cards contains some information that can be set by the administrator helping the administrator to identify and locate the station and some information which is automatically generated. Description, this field is editable and is by default empty Location, this field is editable and by default empty Created, this field is read-only and is the time when station registered itself with the ICC-server The Last seen field shows when the station was seen by the ICC-server the last time. This field is also used for displaying the green Online button or red Offline" button in the upper right corner of the card Station-ID, read-only field, this is the ID the ICC-server assigned the station Machine-ID, read-only field, this field is unique per IMPEX Station installation and can also be seen on the System Information page on the IMPEX Station Config, editable drop-down list of available configurations, this shows which Configuration this station is using. Click on it to see the configuration directly Current Task, editable field showing what the station s ICC-connection state is in. This is a legacy field that might go away in later releases. It should only be used to set how often the station should contact the ICC-server and look for configuration updates To edit a Station, click Edit station. To go ahead and see the virus scans that has been done at this IMPEX Station, click See scans. It takes you to the Scans page but filters it on the station ID. 7

8 STATIONS Edit station / flipped card When clicking Edit station, the card flips around and the fields that one can edit are shown. As noted already, the Current Task should be set to one of the Fetch config every XX options since the other options will be removed in a future release. Fetching the config more often leads to a bit more network traffic and CPU load on the server but this should only become an issue if there are thousands of stations checking for config updates. 8

9 SCANS Scans Scans for a station When an IMPEX Station is used for scan and transfer or just scan the result is uploaded to the server 2. The Scans page by default shows all scans from all stations but if one clicked the See Scans button on a Station card it gets filtered showing only the scans for that station. Each row is a scan and contains an overview of the scan: which station, files, malware and when. To see more information, expand the row by clicking it. Then you will also see Total size, this is the combined size of all files that were scanned Execution time, the total time for the impex process after clicking Confirm until the receipt view is shown USB source serial, this is the serial number of the USB device used as source USB source vendor, this is the vendor of the USB device used as source USB source model, this is the model of the USB device used as source In the case of a Scan Only event the USB target fields are empty, otherwise they contain the serial id, vendor and model information for the target USB device. This source and target USB device information are useful when writing USB device black and whitelists. Machine ID, this is the id of the IMPEX station doing the scan. Click on it to get to the station card UUID of scan, an unique number for this scan which is used internally and later by the IMPEX Archive Server to keep track of scans across stations and software upgrades Identification, in the case that anonymous mode is not turned on, this fields will contain the identification field s value entered when doing the scan To see the actual files belonging to this scan event, click See Files. 2 There is a way to turn this off, see the chapter about the Configuration page 9

10 FILES Files Files scanned This page lists all the latest files scanned. If one came here through clicking on See Files on the Scans-page they are automatically filtered on the Scan ID. Using the buttons on top one can sort on anti virus to see the files containing malware first. Each row is a file and by clicking on it it expands and lists more details: Size, size of the file in bytes Scan report ID, the scan id this belongs to, this is the internal scan id unique to this ICC. Click on it to get to the Scan event File ID, each file meta information that gets uploaded to the ICC-server gets its own ID Malware name, if any malware was found this field contains all the names for the malware found AV, the Anti Virus engine that detected malware, this can also be a list of AVs in case it was found by several AV-engines MD5, SHA1, SHA256, different algorithm checksums for this file If you are looking for a specific known file, use the Filter current view at the top of the page. Note that this only filters client side. 10

11 CONFIGURATIONS Configurations Configuration cards This is where the control is in the IMPEX Control Center. Each card is a configuration group setting that can then be selected for a station by editing its Station card config-setting. The idea is that one has a configuration setting for example for the internal ICS/SCADA environment and then another for the IMPEX stations in the office areas. That is, two configurations but many more stations. In the configuration you specify which AV engines you want active, which options should be activated in the IMPEX Station, hardware level USB port mapping, repository for software updates, which ICC server to report to and last but not least, which, if any USB device black and whitelist should be used. To start editing a configuration, flip the card by clicking Edit Config. 11

12 CONFIGURATIONS Editing a configuration First off in the configuration card is the Anti Virus Engine listing. To expand it, click the + sign. Anonymous Mode If this check-box is ticked, the IMPEX Station will no longer ask for the identification of the person scanning USB devices Upload Files If all files should be archived on the server side this should be enabled. It will then upload all files to the IMPEX Archive Server 3 and do re-scans on them periodically. Care should be taken that the bandwidth and storage is sufficient before enabling this. Upload File Meta This uploads the Scan and Files meta information that are listed below the Scans and Files menus which is needed for any statistics or follow-up. There are use-cases when files names and checksums should be kept private and then this can be turned off for that IMPEX Station Configuration. UDEV Rules Enabled To make sure nothing else than USB Storage Devices can be attached to the IMPEX Station there are Linux UDEV rules which can be activated, making it impossible to connect a keyboard or, more importantly, do any kind of rubber-duck 4 attack. If you change this variable you need to reboot the station for it to take effect. 3 The IAS is at the time of writing this manual not ready for external customers 4 A rubber-duck is a USB device which changes its mode of operation and turn itself into a keyboard, a network device and so on 12

13 CONFIGURATIONS Print Receipt If this is enabled and a receipt printer is attached, a scan will result in printed receipt containing a summary of the scan together with its unique scan number Allow Format Only Enable this if it should be allowed to use the IMPEX Station to format a USB device with the FAT32 file system. When enabled, a new button will appear on the IMPEX Station when a single USB drive is inserted. No receipt or report to the ICC is done when an USB Drive is formatted. Allow Scan Only In some cases there might not be a need for an insider/outsider drive in which case this option can be enabled. When enabled a new button appears on the IMPEX Station when a single USB drive is inserted. Single scan results are also reported to the ICC (if the Upload File Meta is enabled) and a receipt is printed if a printer is attached and enabled. Contact List Completion If anonymous mode is not enabled there is a step on the IMPEX Stations called Identification where the user needs to enter an identity using the on-screen keyboard. If this option is enabled and a Contact List has been created using the Contact List Page the user will be presented with a matching list of identities when starting to enter an identity using the on-screen keyboard. Malware Alerts Enter a comma separated list of addresses that should get an alert if a malware was found in a scan. This will use the SMTP settings entered under the Server Settings menu. When set, s like below will be sent. Malware alert 13

14 CONFIGURATIONS ICC Server In case an IMPEX Station is moved or for some other reason should point to another ICC Server, this is where this is changed. Repo Server In some cases the ICC Server and the Repository Server can be different servers and in those cases it can be changed here. The repository server is where the IMPEX Stations and the ICC Server is fetching its software updates and AV Signatures. Device Black & Whitelists This is a drop-down list of the available USB Device Black & Whitelist sets. By default all USB storage devices are allowed so if nothing is chosen, nothing is blocked. When a change has been made, Save Config must be clicked for this to be saved to the server side. Press Close if there is no need for saving or if you want to discard your changes. The settings gets picked up by the IMPEX stations the next time they poll which is configurable per station. See the station setting Current Task. Advanced settings On the configuration card there is also a Show advanced settings submenu which when it gets expanded has additional settings which normally should not be changed. Release Branch The IMPEX Software is released on two branches, release and stable. The release branch contains stable operating system updates and stable IMPEX software. The difference towards the stable branch is that the stable branch is also tested by SYSCTL on the hardware that has been shipped to customers. This can sometimes lag behind several months depending on external factors. Left USB Port This is a regular expression matching which port should be considered the left port. This option will probably be abstracted away on the future but it is there in case a Linux Kernel update changes the probing order again and all ports needs to be remapped across an entire fleet of IMPEX Stations or only on certain hardware. Right USB Port This is a regular expression matching which port should be considered the right port. See the Left USB Port description for more information. 14

15 BLACK & WHITELISTS Black & Whitelists On the configuration card one can attach a USB Device Black & Whitelist rule Set. These are created on this page. BW Rule Sets A Set is a grouping of rules where the implicit first rule is to allow all USB storage devices. The create a new set, click the button Create a new rule set up on the left side, give it a name and then save it. To get to the rules page click See Rules. Rules 15

16 BLACK & WHITELISTS On the Rules page one can then create black or whitelists matching on USB serial ID, USB vendor and USB model name. Each field can contain wild cards and an empty field is the same as a wild card. One can choose to apply a rule for the left, right or both sides. One can also say it should apply to source or target side which only means something after an action has been chosen, like for example Format device in which case the target rules apply. It should be noted that the Black & Whitelist feature is only for USB storage devices, not for files. And example rule set: A flipped rule set The USB firewall rules and rulesets gets fetched by the IMPEX station each time it polls its configuration. 16

17 CONTACTS Contacts The Identification step on the IMPEX Station is when a user uses the on-screen keyboard to enter an address or a work-order item number. In the case that Contact list completion has been enabled for a station the list on this page is used for completion on the stations. Contacts list There is nothing special about the contact entry, it can contain any string, it does not have to be an . Each row on this page can be expanded by clicking on it and then either updated or deleted. To create a new contact, click Create Contact above the contact list. The contact list is fetched by the IMPEX stations each time they poll their configuration if the configuration card has the contact list completion checkbox checked. 17

18 SERVER SETTINGS Server Settings The server settings page contains a separate card for each ICC server setting that can be changed. For the moment only the SMTP settings are exposed. In future versions there will be more cards, for example log retention, reports and rescan setting cards. SMTP Settings fields SMTP Server Host This hostname needs to be resolvable by the ICC server but it can also be an IP address SMTP Server Port The port of the SMTP server, for example 25 SMTP Server Username If the SMTP server requires authentication, enter its username here SMTP Server Password If the SMTP server requires authentication, enter its password here Require TLS If the server requires TLS, mark this checkbox Last Error Logs Any errors that occur during mail sending using this SMTP server will be shown here Known issues When editing the card and entering an for sending a test the last error log will not be updated. Reload the page to see the result. 18

19 WORK FLOWS Work flows A compilation of recommended work flows when using the ICC together with IMPEX Stations Registering a new IMPEX Station When a new IMPEX Station is connected it will register with the ICC but it is not enough for it to become active. Contacts list An administrator needs to look at the registration and approve or delete it. A station card is created only if an admin approves the registration. This is also an appropriate time to edit the title, location and description of the IMPEX Station to make it easier to identify. The title is automatically created from the hostname of the IMPEX Station and its IP address which in most cases is bit too long but serves its purpose of initial identification. New approved station card To approve it, login as user admin and click the Approve button on the top right corner after reviewing the station registration details. Enabling the Scan Only feature By default one need to use two USB drives with the IMPEX Station. The concept being that one should use an internal easily recognisable USB drive as the target and then the external dirty USB drive as the source. But it is 19

20 WORK FLOWS also possible to use only one side of the IMPEX Station if it is enabled on the ICC for that station s configuration. This setting is called Allow Scan Only on the configuration card. Step by step on how to enable it for a station: Look at the Station s Card that you want to change and identify which Config it is using Station card config Click on the Configurations page link in the top menu Station card config Locate the Configuration card that matches the Config name on the Station Card in the first step 20

21 WORK FLOWS Configuration card Click Edit Config and make sure the check-box Allow Scan Only is checked. Click the Save Config button The Scan Only feature will now be active the next time the station fetches its config which depends on how often it is set to fetch its config. View on station with Scan Only enabled Enabling the Format Only feature It is possible to use the IMPEX Station to format USB drives, using any side of it. For this option to appear when a single USB drive is inserted, it needs to be enabled on the ICC for that station s configuration. This setting is called Allow Format Only on the configuration card. 21

22 WORK FLOWS Step by step on how to enable it for a station: Look at the Station s Card that you want to change and identify which Config it is using Station card config Click on the Configurations page link in the top menu Station card config Locate the Configuration card that matches the Config name on the Station Card in the first step 22

23 WORK FLOWS Configuration card Click Edit Config and make sure the check-box Allow Format Only is checked. Click the Save Config button The Format Only feature will now be active the next time the station fetches its config which depends on how often it is set to fetch its config. View on station with Format Only enabled 23

24 WORK FLOWS Create a USB device black & whitelist ruleset In this work flow we have a scenario where external USB devices are not allowed on the corporate network. Only a certain vendor and model is allowed and one is only allowed to bring files into the site, no exporting of files. The implicit rule is to allow all drives which means it makes sense to start with a block all rule and then add white list rules for what is allowed. Thus we want to: Start with one block all rule Then add one allow any as a source drive rule since the external drives can be of any brand Then add one allow only a certain model and vendor as the target drive rule To group these rules we first need to create a rule set. Black & Whitelist menu Create a set. Black & Whitelist menu After naming the set, save it. Now we are ready to create rules for the set. Click the See rules to get to the rules page. 24

25 WORK FLOWS See and create rules See and create rules Click the create rule. Lots of fields to fill in and no room for errors, lets see what the model and vendor we want to allow is called by looking at an existing Scan done with one of the USB devices we want to allow. 25

26 WORK FLOWS See and create rules Go to an existing Scan and take note on the vendor and model, in this case General and UDisk. Now go back to the rules page by clicking the Black & Whitelist menu and then See rules on a ruleset. Create the first block all blacklist rule. Block all rule Then create the rule to allow all drives to be used a source device. 26

27 WORK FLOWS Allow all as source Now create the rule for allowing only the company drive to be the destination, target, drive. Allow target Fill in the model and vendor with the information that we took note on from the Scan page earlier. Now all rules have been created that we need for building our set. Overview of all rules Go back to the set (clicking the Black & Whitelist menu and then Edit Set ). Now choose the rules in the right order from the drop down box and click the + button for each rule. Start with the Block All rule, then the External Drives rule and finally the Company Drives rule. 27

28 WORK FLOWS Add rule to set The final rule set then looks like following (do not forget to click Update Set ): Final rule set To activate this ruleset for a configuration go to the configuration page, choose our configuration card, click Edit Config and select our rule set in the Device Black & Whitelist drop down box. We called it USB Policy A. 28

29 WORK FLOWS Click Save Config to enable it and wait for the next time the station fetches its config for it to be active out on the scanning stations. When a user is trying to use another target drive than the allowed one the screen will go red with a message saying it got blocked by rule 1 since that is the default block all rule we started with. This user experience will be improved in later versions of the software. 29

30 WORK FLOWS Configure on Malware Alerts To get alerts the ICC server must first be able to send via the company server. Configuring the SMTP Server Settings By default the SMTP settings used are and port 25 which means the ICC server can only deliver locally. To be able to send Malware Alerts and Reports to a company address one needs to update these settings to point to a SMTP server that the ICC server can use to deliver the alerts. First off make sure the company firewalls are allowing the ICC server to connect to the mail server. When that is done it is time to configure the ICC to use it: SMTP settings Choose the Server Settings menu (1) Click Edit Settings (2) 30

31 WORK FLOWS Editing settings Click Save Settings (note that we have added an invalid test ) Error notification We can see the error message in the Last Error Logs text area, in this case the -server reported back that no such address exists Click Edit Settings and enter a correct test address and click Save Config 31

32 WORK FLOWS This time we get a test which means that all is fine with the setup Configure Alerts Now that the server settings are correct, it is time to configure the malware alerts. Choose Configurations in the menu and click Edit Config on the configuration card belonging to the Station or Stations where Malware Alerts should be activated Error notification Fill in a comma separated list of s like in the image Save config 32

33 WORK FLOWS Troubleshooting In case no s are received even though a malware was found in a scan please go to the Server Settings menu and look at Last Error Logs for clues. Error notification Note that the Not Working label will stay on the SMTP Settings Card until an was succesfully sent. This menas even if an incorrect config was fixed it will say Not working until a test message is sent or a malware alert was sent. 33