darren_moffat@blog$ cat /dev/mem | grep /dev/urandom


20060427 Thursday April 27, 2006

OpenSolaris: Fine Grained Control of removable mass storage devices

I've had an idea about removable media that I think fits Tamarack, based on some products I saw at the InfoSec expo this week.

There were companies selling add-on products for Windows that let you control exactly which bits of physical USB/Firewire media are allowed to be mounted by certain users. This was all Windows software. The business problem is basically that some users should be able to use USB/Firewire removable media but most should not. It also addresses the accountability issues, i.e. only company-supplied media should be used, not Joe Bloggs' iPod.

I think this would actually be very easy to fit into Tamarack so that we can have this control for local devices and devices on Sun Ray DTUs.

How I envisage this working is that there would be a device registration node somewhere on the network. It would "bless" a given USB/Firewire device as being allowed to be used by a certain user (or group of users) on a certain host (or group of hosts). This would update a repository that would be made available online to all clients in the network (say in LDAP). We also need an offline version of this repository for laptops (the assumption here is that the laptop user does NOT have full administrative access to the host - which is reasonable for corporate deployments).

When Tamarack notices a mass-storage device getting attached it would check the database (online or offline) to determine if the given device can be mounted by the requesting user.

For Trusted Extensions we probably also want the policy to include the MAC label the device is valid for.

I expect the policy would be based on a selection from: user/host/netgroup/group/label/deviceid.

This all assumes that for all USB devices there is a unique identifier that we can log that stays the same even after we reformat them. If that isn't the case this needs some more thought but should still be possible (I have some ideas).
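To make the check concrete, here is an added example of the policy decision described above. It is not Tamarack or OpenSolaris code; the repository layout, the field names, the device-identifier format and the sample entries are all assumptions made for the illustration. It models the online repository with an offline copy for laptops, matches on user/group/host/netgroup/label/deviceid, and fails closed whenever the device is unregistered or has no stable identifier.

```python
"""Added example (not Tamarack or OpenSolaris code): evaluating a
removable-media mount policy against a registry of "blessed" devices.
Repository layout, field names and device ids are assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple
import json

# Constructed registry standing in for the LDAP repository.  Keys are device
# identifiers (assumed format vendor:product:serial); each entry says who may
# mount the device, on which hosts, and at which Trusted Extensions label.
# "*" in hosts means any host; an empty label list means no label restriction.
ONLINE_REPOSITORY: Dict[str, dict] = {
    "usb:0781:5567:4C530001234567890123": {
        "users": ["alice"], "groups": [], "netgroups": [],
        "hosts": ["alice-laptop"], "labels": ["PUBLIC", "INTERNAL"],
    },
    "usb:0951:1666:1234567890ABCDEF": {
        "users": [], "groups": ["finance"], "netgroups": ["finance-hosts"],
        "hosts": [], "labels": ["INTERNAL"],
    },
}


@dataclass
class MountRequest:
    device_id: Optional[str]      # None when no stable identifier could be read
    user: str
    groups: Set[str]              # the requesting user's Unix groups
    host: str
    host_netgroups: Set[str]      # netgroups the host belongs to
    label: Optional[str] = None   # Trusted Extensions MAC label, if any


def save_offline_cache(repository: Dict[str, dict]) -> str:
    """Serialise the repository as the laptop's offline copy."""
    return json.dumps(repository, sort_keys=True)


def load_offline_cache(text: str) -> Dict[str, dict]:
    """Load the offline copy written by save_offline_cache()."""
    return json.loads(text)


class DevicePolicy:
    def __init__(self, online: Optional[Dict[str, dict]],
                 offline_cache: Optional[Dict[str, dict]] = None):
        self.online = online                    # None models "repository unreachable"
        self.offline_cache = offline_cache or {}

    def lookup(self, device_id: str) -> Optional[dict]:
        # Prefer the network repository; fall back to the offline copy.
        source = self.online if self.online is not None else self.offline_cache
        return source.get(device_id)

    def decide(self, req: MountRequest) -> Tuple[bool, str]:
        """Return (allowed, reason).  Anything not explicitly blessed is denied."""
        if req.device_id is None:
            return False, "device has no stable identifier"
        entry = self.lookup(req.device_id)
        if entry is None:
            return False, "device not registered"
        if req.user not in entry["users"] and not (req.groups & set(entry["groups"])):
            return False, "user not permitted"
        if ("*" not in entry["hosts"] and req.host not in entry["hosts"]
                and not (req.host_netgroups & set(entry["netgroups"]))):
            return False, "host not permitted"
        # Label restrictions only apply on a labelled (Trusted Extensions) host.
        if entry["labels"] and req.label is not None and req.label not in entry["labels"]:
            return False, "label not permitted"
        return True, "blessed for this user, host and label"


if __name__ == "__main__":
    policy = DevicePolicy(online=ONLINE_REPOSITORY)
    req = MountRequest("usb:0781:5567:4C530001234567890123", "alice",
                       {"staff"}, "alice-laptop", set(), "INTERNAL")
    print(policy.decide(req))
    # Laptop with no network: same decision from the offline copy.
    offline = DevicePolicy(None, load_offline_cache(save_offline_cache(ONLINE_REPOSITORY)))
    print(offline.decide(req))
```

The order of the checks matters only for the reason reported; every path that is not an explicit match ends in a denial, so a corrupted or missing offline cache simply results in no removable media being mountable rather than in an open policy.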


Updated 2006-04-28 09:02: Seems the BBC actually picked up on this and is running a story on it. This is exactly the risk case I'm talking about. We have had customers mention this previously but only at the level of "I want all USB mass storage turned off". Rather than having customers pay for expensive add-ons this IMO should be core OS functionality.
Posted Apr 27 2006, 06:09:31 PM BST


This is a personal weblog, I do not speak for my employer.