PGP Endpoint - FAQ
Article: TECH149231 | Created: 2008-12-04 | Updated: 2011-03-18 | Article URL: http://www.symantec.com/docs/TECH149231
This article details some of the most frequently asked questions for PGP Endpoint.
What is PGP Endpoint and why is it important?
PGP Endpoint is data protection and encryption software for endpoint devices. PGP Endpoint prevents data loss from removable storage and portable device connections.
What business problem does PGP Endpoint solve?
PGP Endpoint provides built-in security that detects, authorizes, and secures removable storage devices and media (such as USB drives, CDs, and DVDs). It enforces centrally defined device usage policy and stops data losses from network and peripheral connections (such as Bluetooth, WiFi, and FireWire). PGP Endpoint helps enterprises with their compliance and to monitor data exchanged between the endpoint, devices, and the network.
How does PGP Endpoint work? What is the end-user experience?
As a comprehensive endpoint data loss prevention solution, PGP Endpoint provides three ways to secure data:
- Permits safe and authorized removable storage use, without changing the user experience or reducing productivity.
- Automatically detects devices without disrupting the user.
- Reduces setup time and speeds enterprise protection without requiring user intervention.
- Allows data to be shared across the enterprise, including by users without PGP® software; access to data is enforced by policy.
How does PGP Endpoint fit into the PGP Encryption Platform?
PGP Endpoint is an extension of the PGP Encryption Platform. The PGP Encryption Platform provides an enterprise encryption framework for shared user management, policy, and provisioning that is automated across multiple, integrated encryption applications. Together with PGP Whole Disk Encryption, PGP Endpoint provides the enterprise with a complete endpoint data loss prevention solution.
What operating systems are supported?
For a detailed list of operating systems and other technical specifications, please refer to the following article.
What is client hardening, and why is it important?
The PGP Endpoint client is a hardened client. Client hardening prevents unauthorized uninstallation or tampering of the client software; only an administrator can remove a hardened client. This prevents unauthorized users from removing the protections that are in place.
What is a whitelist approach? Why is it important?
A whitelist is a list of accepted items or persons in a set. This list is inclusionary, confirming that the item being analyzed is acceptable. It is the opposite of a blacklist which confirms that items are not acceptable. By using a whitelist approach, enterprises can literally turn their backs on the volumes of unwanted applications, malware, and unauthorized devices and instead focus on what is authorized and approved.
What is the White List Driver (WLD) in PGP Endpoint?
The PGP Endpoint WLD controls a number of known device classes. It controls all read/write classes, but there may be devices that do not fit into those classes and can still be used to harm the organization. WLD closes this gap by allowing an organization to define which devices are authorized; all other devices are simply ignored and unusable.
What is a kernel level driver and why does PGP Endpoint install this?
A kernel level driver runs at the operating system kernel level. It is difficult for user mode software to penetrate and bypass kernel level drivers. Kernel level drivers also improve performance when compared to user level drivers. PGP Endpoint installs a kernel level driver to intercept device access and binary execution requests at the kernel.
Can PGP Endpoint protect plug-and-play devices?
Yes, PGP Endpoint is able to detect Plug and Play devices, even when they are added on the fly or require a reboot (like some removable devices connected to the parallel port). These devices are subject to the same access controls set for fixed devices of the same type.
Does PGP Endpoint protect USB, Firewire, and PCMCIA (cardbus) devices?
Since USB, FireWire, and PCMCIA are bus types, not true ports, devices attached using these bus systems are recognized based on their device type, not on how they are connected. For example, an external CD-ROM drive attached to a PC via USB is recognized as device type CD-ROM, and is therefore controlled using the same mechanism and settings as an internal CD-ROM drive. Also, since most MP3-based devices (such as the iPod) appear to the OS as removable drives, you have the choice of banning them from your network either by blocking them as a generic removable drive or by blocking the iPod specifically.
How does CD / DVD encryption work?
Using the PGP Endpoint Administration Server, an administrator can grant access and specify encryption options for removable media, including CDs and DVDs. Users can then leverage Windows Explorer or use the Secure Volume Browser interface (included with the PGP Endpoint client) to access / share / decrypt / encrypt removable media. For more information, please refer to the PGP Endpoint user documentation.
Does PGP Endpoint store keys in an encrypted format?
Yes. PGP Endpoint stores all keys in an encrypted format.
Does PGP Endpoint use the Microsoft Windows domain SAM (Security Account Manager) or is another database required?
The SAM (Security Account Manager) is a component of Windows NT/2000/XP/2003 that stores and manages the user account database. This database contains information for all user and group accounts. SAM also provides user validation services, which are used by the Local Security Authority. PGP Endpoint uses the SAM but stores a copy of selected parts of the user, group, and computer accounts in the PGP Endpoint database. The PGP Endpoint database also holds the relationships between users/groups/machines and specific permissions. Storing this information in a database rather than accessing the SAM each time that user/group/computer information is required offers several advantages: besides offering far better performance than direct SAM accesses, it also reduces the load on the Domain Controllers and minimizes network traffic. For a list of supported databases, please refer to the PGP Endpoint Technical Specifications.
Does PGP Endpoint write to the Windows event log?
PGP Endpoint provides an option that allows you to log attempts to use a device to the Windows Event Log, which can be used by several third party programs to group and manage events on a more centralized basis.
What languages does PGP Endpoint support?
PGP Endpoint and PGP WDE together support English, German, and Japanese. PGP Endpoint deployments alone support more languages. Please refer to the technical specifications for more information.
Does PGP Endpoint Application Control need regular updates for known viruses?
PGP Endpoint Application Control does not need any updates, as it ignores all unknown files; a new virus is simply treated as yet another unknown file. You focus on which files you want your users to run. Everything and anything else is denied execution.
What kinds of threats does PGP Endpoint Application Control prevent?
- Binary Executable Viruses (known and unknown)
- Trojan Horses
- Illegal Software
- Hacking and cracking tools
- Malware and Spyware
- Peripheral drivers (Windows embedded drivers or 3rd party drivers)
- Parts of the OS if desired (Messenger, Internet Explorer plugins, FTP, etc.)
I just want USB device protection. Why do I need PGP Endpoint if PGP Whole Disk Encryption provides USB encryption?
With PGP Whole Disk Encryption, an administrator can protect USB devices with a policy that specifies read-only access or forced encryption. PGP Endpoint provides administrators granular control of removable device (not just USB) usage. For example, an administrator can specify users, permissions, make and model of devices, and much more in a removable device policy.
How does PGP Endpoint work with PGP Whole Disk Encryption?
PGP Whole Disk Encryption used in conjunction with PGP Endpoint allows an administrator to set flexible, granular device policies. For example, an administrator can specify a policy disallowing all MP3 players with a USB interface while at the same time permitting usage of certain USB devices. An administrator also has the ability to specify multiple encryption options: PGP Whole Disk Encryption for removable devices, or PGP Endpoint removable device encryption. The latter option allows users to share an encrypted USB device with a user not running any PGP client software. With PGP Endpoint and PGP Whole Disk Encryption installed, when a removable device is used, the PGP Endpoint client queries the PGP Whole Disk Encryption client and enforces policy accordingly.
What version of PGP Whole Disk Encryption is compatible with PGP Endpoint?
PGP Endpoint is compatible with PGP Desktop version 9.7 and higher.
Does PGP Endpoint interfere with other systems or application software?
No. Both PGP Endpoint and PGP Whole Disk Encryption operate transparently and do not interfere with the operating system or other application software.
Does PGP Endpoint integrate with LDAP directories?
Yes. PGP Endpoint is compatible with Microsoft Active Directory and Novell eDirectory.
Does PGP Endpoint work with systems management tools?
Yes. PGP Endpoint is compatible with system management tools such as Microsoft SMS that support Microsoft MSI installers.
How much administration does PGP Endpoint require?
There is no one-size-fits-all answer. The administration effort depends on the complexity of the policies set, how dynamic the client environment is, and similar factors. Once up and running in a relatively stable environment, it requires only monitoring.
Does PGP Endpoint require PGP Universal Server?
When using PGP Endpoint alone, PGP Universal Server is not required. PGP Endpoint clients will continue to have the ability to be centrally managed by a PGP Endpoint Administration Server.
However, when PGP Endpoint and PGP Whole Disk Encryption are used together, the full advantage of PGP Whole Disk Encryption is achieved with a centralized policy managed by PGP Universal Server.