Sophos Safeguard - Port control policy (Conflict resolution)

Hi All,

Please take a look at my design/scenario below.

Policy A - Blocks USB storage ports

Policy B - Allows USB storage ports

Policy C - Force File level Encryption to all removable storage devices

Policy A is applied to the default ".Auto Registered" OU as a "catch all". All new PCs/Notebooks, when installed with Safeguard, are issued Policy A to have ports disabled.

Policy B is applied to a group called USB_Allow. The purpose of this group is to allow a controlled group of users to have USB.

The thing is, we are not using Active Directory synchronization due to us having a pretty complex and ever-changing AD OU structure. So this means Computer 1, when installed with Safeguard, will get Policy A by default.

And Computer 1 is supposed to be allowed USB usage, so it gets assigned to Groups B and C.

So how do I resolve the fact that Policy A blocks while Policy B allows? Using the priority? (Does that work?) Or just setting Policy B to be a no override?



This thread was automatically locked due to age.
  • Hi ivanwee,

    Are you looking to allow the use of authorised USB devices only and automatically encrypt them? If so...

    1. Create a whitelist of authorised USB sticks - use Port Auditor or manually populate the list.

    2. Create a Configuration Policy with a restrict setting, pointing to the above list of allowed devices.

    3. Create your encryption policy.

    NB: For step 3 you can choose to encrypt all removable media, or just point to the same whitelist as above. The latter is more flexible, as with the right settings you can authorise USB devices etc., but only encrypt certain ones.

    This way you'll avoid messy override policies.

    Regards,

    John

    P.S. I'm awaiting confirmation from Sophos technical support at the moment, but it would seem that there may be an issue with hybrid / bridging control in CP 5.60.192 and 5.60.1.7, in that it isn't working, but a patch is only (crazily) scheduled for 5.60.192 (the older version!)

    Just thought I'd let you know that, as I can see you're beginning to use SGN, as per your other post/s, and I'm not sure if you plan to use hybrid / bridging control?

  • Thanks!

    Encrypting just the whitelisted removable media sounds good (because all other removable media are blocked anyway). But how do I do this? Should I create a distinct removable storage whitelist or just a removable storage whitelist?

    Erm, actually I have no idea what hybrid/bridging control means? I suppose it's hybrid networking device control?

  • Hi ivanwee,

    Each storage device (e.g. USB stick) has a vendor code, model code and a distinct code. For example:

    USB\Vid_1307&Pid_0165\1004160613f43c

    Device= USB

    Vendor  = Vid_1307

    Model = Pid_0165

    Distinct  = 1004160613f43c

    A 'Distinct storage devices' whitelist will allow individually allowed storage devices (checking the whole string).

    A 'Storage Device Models' whitelist will allow storage devices with matching vendor and model codes that are in the list (which have already been added).

    Your choice will depend on your requirements and company security policy etc., something I can't comment on. Also bear in mind that individually authorising storage devices will cause more administration overhead, but at the same time is more secure, as you're not authorising at vendor level.

    Something else to consider is that the chips in USB devices change based on cost, supply and demand etc. So if you go down the route of authorising based on models, they may not be the same model even if they are ordered in a batch and made by Kingston, for example.

    Hope this helps,

    Regards,

    John

    Hybrid / bridging control is the ability to block WiFi and wired etc. from being connected at the same time, which would otherwise build a "bridge" between the network connections...

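The two whitelist types John describes differ only in how much of the device instance path is compared: the whole string (vendor + model + distinct/serial) or just the vendor and model part. The following is an added example, not SafeGuard code or anything posted in the thread, that parses Windows USB instance paths in the `USB\VID_xxxx&PID_yyyy\serial` layout shown above and evaluates a whitelist in both modes. The sample devices other than the one quoted in the thread are constructed for illustration, and the upper-casing of IDs is a design choice based on Windows PnP IDs being case-insensitive.

```python
"""Added example: whitelist matching for Windows USB device instance paths.

Models the two SafeGuard whitelist types described in the thread:
  - 'distinct': the whole instance path must match (vendor + model + serial)
  - 'model'   : only the vendor (VID) and model (PID) must match, any serial
This is illustrative code, not the product's own implementation.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable

# Instance-path layout, e.g. USB\VID_1307&PID_0165\1004160613F43C.
# An optional extra segment such as &REV_0100 or &MI_00 between PID and
# the instance part is tolerated but ignored for matching.
_INSTANCE_RE = re.compile(
    r"^(?P<bus>USB)\\VID_(?P<vid>[0-9A-F]{4})&PID_(?P<pid>[0-9A-F]{4})"
    r"(?:&[^\\]*)?\\(?P<serial>[^\\]+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class DeviceId:
    bus: str
    vid: str
    pid: str
    serial: str

    @property
    def model(self) -> str:
        """Vendor + model key, what a 'Storage Device Models' list compares."""
        return f"{self.bus}\\VID_{self.vid}&PID_{self.pid}"

    @property
    def distinct(self) -> str:
        """Full string, what a 'Distinct storage devices' list compares."""
        return f"{self.model}\\{self.serial}"


def parse_instance_path(path: str) -> DeviceId:
    """Split an instance path into bus, VID, PID and serial; raise on junk."""
    m = _INSTANCE_RE.match(path.strip())
    if not m:
        raise ValueError(f"not a USB device instance path: {path!r}")
    # Assumption: Windows PnP IDs are case-insensitive, so normalise to
    # upper case so that 'Vid_1307' and 'VID_1307' compare equal.
    return DeviceId(m["bus"].upper(), m["vid"].upper(),
                    m["pid"].upper(), m["serial"].upper())


class Whitelist:
    """A set of authorised devices evaluated in 'distinct' or 'model' mode."""

    def __init__(self, mode: str, entries: Iterable[str]) -> None:
        if mode not in ("distinct", "model"):
            raise ValueError(f"unknown whitelist mode: {mode!r}")
        self.mode = mode
        self._keys = {self._key(parse_instance_path(e)) for e in entries}

    def _key(self, dev: DeviceId) -> str:
        return dev.distinct if self.mode == "distinct" else dev.model

    def allows(self, path: str) -> bool:
        """True if the device would be allowed under this list's mode."""
        return self._key(parse_instance_path(path)) in self._keys


# The stick quoted in the thread is the only authorised entry.
AUTHORISED = "USB\\Vid_1307&Pid_0165\\1004160613f43c"

# Constructed sample devices (not from the thread):
#  - same chip (VID/PID) as the authorised stick but a different serial,
#    i.e. another unit of the same model;
#  - same vendor but a different controller chip, the batch-variation case
#    John warns about.
SAMPLES: Dict[str, str] = {
    "authorised": AUTHORISED,
    "same_model_other_serial": "USB\\VID_1307&PID_0165\\20200101ABCDEF",
    "same_vendor_other_chip": "USB\\VID_1307&PID_0330\\1004160613F43C",
}


def evaluate(mode: str) -> Dict[str, bool]:
    """Run every sample device against a one-entry whitelist in `mode`."""
    wl = Whitelist(mode, [AUTHORISED])
    return {name: wl.allows(path) for name, path in SAMPLES.items()}


if __name__ == "__main__":
    for mode in ("distinct", "model"):
        print(mode, evaluate(mode))
```

In 'distinct' mode only the exact quoted stick passes; in 'model' mode any unit sharing VID 1307 / PID 0165 passes, while a stick from the same vendor with a different controller chip is rejected in both modes, which is the administration trade-off described in the post.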