logo

sysctl ab

impex

impex usb protection

last updated: 2017-10-13

IMPEX was developed to handle movable media used in sensitive environments. It can be viewed as a technical security control, as it allows for checking devices and files for malicious code, but more importantly it is also a strong policy enforcement tool. Import and export of information can be controlled based on rules that implement the information handling policies of the organization. Information handling policies can be broad like ”Allow any USB drives to be imported after they were scanned” to more specific policies like ”Only known USB models can be imported from and the destination device can only be a USB drive with serial numbers starting with 123483*”


grid

IMPEX can be used in a number of scenarios where critical systems, legacy systems or IT components not under your own control is part of the environment. Those environments contain equipment that often lack antivirus for various reasons. IMPEX is an important defense line to prevent malicious code from ever reaching these systems.



Servers that is not covered by ordinary IT management procedures, such as SCADA servers, telephony servers, servers for physical access control, video servers for CCTV, medical devices, embedded devices, physical and virtual appliances and more are too often unprotected critical assets. For those servers and services, IMPEX can be used as an perimeter protection.


control city

For price information, demonstrations, evaluations or additional product information, contact us for more details or requesting a demo!

impex station impex station mounted on the wall impex stations ready for launch

IMPEX Documents, manuals and guides

Download the IMPEX Station step-by-step usage guide (pdf)

Download the Impex Control Center (ICC) Manual (pdf)

Examples of installations, systems and use cases that need IMPEX protection include

  • Third party field personnel who need temporary access to install software updates on these computers, systems and appliances and thus bring files into the environment
  • Service personnel that need to extract datadumps, backups, copies of the current configuration out from the environment
  • Operational personnel that need to get operational data, data series, statistics, etc out from the environment
  • Export of data or information from a high security organization that require that all data transfers is checked to comply with data handling controls to avoid information leakage.

Multiple layers and mechanisms of protections for best results

A unique feature of the IMPEX is that it uses multiple antivirus products to scan files and devices. A large number of scanners can be used, as a layered defense. If one antivirus is not updated with signatures to fetch the latest threats a combination of multiple products will reduce the risk of not detecting known threats. An equally unique feature of IMPEX is that it can be configured to archive all files that it analyses for rescanning purposes. Continously and systematically checking previously imported files is something that unfortunately is needed today, since some threats will just be known after a period of time.


Based on Linux and using SELinux

IMPEX is based on Linux and then hardened further. SELinux is used to control and lock down processes. The services running AV and handling the USB drives run in confined namespaces controlled by the Linux kernel. These namespaces remove access to the rest of the filesystem, confines access to process lists and remove all network interfaces completely.


city usb

IMPEX also uses black and whitelisting technology to control which devices are used, for example black listing certain drives that come with pre-installed executables when purchased.


Audit trails, statistics and reports

A key feature of IMPEX is its ability to create audit trails of the actions. The product allows for detailed reports on who imported or exported what file at what IMPEX station at what time and what security controls where performed on that time. An import or export action will generate audit tracks that gets saved into databases as well as beeing used for a receipt. An electronic or paper receipt can be a critical part of a process to verify that the checking has been performed and all work that is performed is compliant with the process.


Detailed statistics as well as overview or detailed reports are available in the solution.


IMPEX was initially developed as a response to multiple Nordic customer requirements with real life problems that needed a solution, custom made. This has led to a practical, easy to use scanning solution with audit trails.


Management server

The server component for managing a fleet of IMPEX stations is called ICC, or the Impex Control Center. See screenshots below for some basic information about the functionality. For more details, download the ICC manual.

List of stations

station cards

Scan information uploaded from the stations

scans

Files in a scan

files

Configuration for stations

confs

Configure USB black and whitelists

blacklists

Configure Contact lists for optional autocompletion on clients

contacts