SecuLution technique and terminology

It is important to understand how SecuLution works and what terminology is used in this document.

In short:

The Agent is installed on your computer. The moment you start a program, the Agent generates the software's fingerprint (the hash) and sends it to the Appliance, which will return an action for this computer or user. If the hash is not listed in the whitelist, the Appliance will return the action "DENY", and the Agent will prevent the application from starting or the device from being used.


Components

SecuLution consists of three components:

  1. SecuLution Agent
  2. SecuLution Appliance
  3. SecuLution AdminWizard

The SecuLution Agent, from now on referred to as "Agent", is a program that must be installed on every computer that is to be secured. Once installed, the Agent integrates into the Microsoft Windows operating system and ensures that only software specifically classified as trustworthy can be executed. The same applies to USB devices. In this document we use the term "hash" to stand for a piece of software.

The SecuLution Appliance, from now on referred to as "Appliance", is a security appliance providing the whitelist database. It comes either as hardware or as a virtual machine. The Appliance is based on OpenBSD; however, it has no interface for administrators. It is completely closed, and no actions or services can (or need to) be taken on the Appliance itself.

The SecuLution AdminWizard, from now on referred to as "AdminWizard", is a program used to manage the whitelist, configuration and settings of the Appliance. All administrative work is done using the AdminWizard.


Technique and terminology

Every time a program is started or a device is connected, the Agent will calculate a hash (an electronic fingerprint of the program or device) and initiate encrypted communication with the Appliance to check if the whitelist includes a policy for this hash. This process will from now on be referred to as "check". The whitelist consists of unique hashes of programs or devices known to be trustworthy. Hashes which are not listed on the whitelist are treated as not trustworthy and therefore cannot be started or used.

For each hash, there's a set of properties and policies, from now on referred to as "rules". Rules can represent a property (like a report of the last date the hash has been checked), a configuration option (like a password) or a policy (allow). A policy will from now on be referred to as "action". The whole whitelist database of hashes and their rules is also referred to as "ruleset".

For each action, there's a range of IP addresses or a Microsoft ActiveDirectory object (from now on referred to as "object") for which the action is valid.


Figure principle_rule (an example whitelist entry); its numbered fields are:
  1. Path, Filename: Static properties of the HASH, for informational purposes only, not relevant to the whitelist decision
  2. Hash: The unique HASH, representing a program, device or configuration option
  3. Remark, Usage, Class: Dynamic properties (RULES), for informational purposes, some of them configurable
  4. Trust level: The TRUST LEVEL, a value on a scale from 0 (= clearly not trustworthy) to 10 (= clearly goodware)
  5. Action: The ACTION which the Agent should apply to the hash
  6. Valid for: The OBJECT for which the action is valid. In this example the alias "0.0.0.0/0" describes a network that includes all IP addresses and thus is valid for every computer.
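To make the "check" and the rule fields above concrete, here is an added example of the whitelist logic as a small model. It is not SecuLution's own code: the hash algorithm (SHA-256), the rule field names, the restriction of "valid for" objects to IP networks in CIDR notation (the page also mentions ActiveDirectory objects, which are not modelled here), and the sample whitelist are all assumptions constructed for illustration. What it shows is the default-deny behaviour the text describes: a hash that is not on the whitelist, or whose rule is not valid for the requesting computer, gets "DENY".

```python
"""Added example, not SecuLution's code: a toy model of the Agent/Appliance check.

Assumptions: SHA-256 as the fingerprint, rule fields named after the figure
(path, filename, hash, remark, trust_level, action, valid_for), and "valid for"
objects expressed only as IPv4 networks in CIDR notation.
"""
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One whitelist entry, following the numbered fields of the figure above."""
    path: str          # static property, informational only
    filename: str      # static property, informational only
    hash: str          # the unique hash: the only key used for the lookup
    remark: str        # dynamic property, informational only
    trust_level: int   # 0 (clearly not trustworthy) .. 10 (clearly goodware)
    action: str        # the ACTION the Agent should apply: "ALLOW" or "DENY"
    valid_for: str     # the OBJECT the action is valid for (here: a CIDR network)


def fingerprint(image: bytes) -> str:
    """Calculate the hash of a program image (SHA-256 is an assumption)."""
    return hashlib.sha256(image).hexdigest()


def check(whitelist, program_hash: str, client_ip: str) -> str:
    """The 'check': return the action for this hash and this computer.

    Hashes not on the whitelist, and hashes whose rules do not cover the
    requesting computer, are treated as not trustworthy and get DENY.
    """
    ip = ipaddress.ip_address(client_ip)
    for rule in whitelist:
        if rule.hash != program_hash:
            continue
        if ip in ipaddress.ip_network(rule.valid_for, strict=False):
            return rule.action
    return "DENY"   # default deny: unknown means not trustworthy


# Constructed sample "programs": byte strings standing in for executables.
GOOD_IMAGE = b"MZ\x90\x00 constructed sample of a trusted editor"
ADMIN_IMAGE = b"MZ\x90\x00 constructed sample of an admin-only tool"
BLOCKED_IMAGE = b"MZ\x90\x00 constructed sample of a known bad binary"
UNKNOWN_IMAGE = b"MZ\x90\x00 constructed sample of an unknown tool"

# Constructed whitelist. "0.0.0.0/0" is the alias for "every computer".
WHITELIST = [
    Rule(path="C:\\Program Files\\Editor", filename="editor.exe",
         hash=fingerprint(GOOD_IMAGE), remark="rolled out by IT",
         trust_level=10, action="ALLOW", valid_for="0.0.0.0/0"),
    Rule(path="C:\\Tools", filename="admintool.exe",
         hash=fingerprint(ADMIN_IMAGE), remark="admin workstations only",
         trust_level=8, action="ALLOW", valid_for="10.0.5.0/24"),
    Rule(path="C:\\Users\\Public", filename="dropper.exe",
         hash=fingerprint(BLOCKED_IMAGE), remark="explicit block, trust 0",
         trust_level=0, action="DENY", valid_for="0.0.0.0/0"),
]


def decide(image: bytes, client_ip: str) -> str:
    """What the Agent does on program start: hash the image, ask for the action."""
    return check(WHITELIST, fingerprint(image), client_ip)


if __name__ == "__main__":
    print(decide(GOOD_IMAGE, "192.168.1.20"))    # ALLOW: valid for every computer
    print(decide(ADMIN_IMAGE, "10.0.5.7"))       # ALLOW: inside 10.0.5.0/24
    print(decide(ADMIN_IMAGE, "192.168.1.20"))   # DENY: rule not valid for this host
    print(decide(BLOCKED_IMAGE, "10.0.5.7"))     # DENY: explicit DENY rule
    print(decide(UNKNOWN_IMAGE, "10.0.5.7"))     # DENY: hash not on the whitelist
```

Note that the path and filename fields are never consulted: a renamed or moved copy of an allowed program has the same hash and gets the same action, while a modified copy has a different hash and falls through to the default DENY.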

Summary:

The agent is installed on your computer. Every time a software is to be started, the agent calculates a cryptographic fingerprint (hash) of the software and sends it to the appliance, which returns an action for this computer or user. If the hash is not listed in the whitelist, the appliance will return the action "DENY" and the agent will prevent the execution of the program or the use of the device.