Highlights
A unique solution
Important features
IMPEX can be used on-premise without any need for cloud services or other internet dependencies. A station can be completely offline or connected to a local ICC server for central management and unattended updates.
The support of different types of external devices is always growing with support for new technologies and older legacy devices.
IMPEX is built with many functions used by end-users who need to scan devices and files. Administrative functions exist in the background to give manager and system owners the possibility to do follow-ups and visualize the usage of devices and files in the organization.
The possibility to integrate with SIEM solutions will give SOC personnel more visibility into movable devices used in isolated environments. LDAP or Active Directory integrations can enforce central accounts and password policies.
The ICC server provides audit trails, statistics and central configuration possibilities.
- Updates from local update server
- Scanning Engine Signatures from local update server
- No cloud or CDN access needed
- SIEM integration
- Active Directory integration
- LDAP integration
- SOAR integration
- USB mass storage
- CD-ROM Drives
- DVD Drives
- Floppy Drives
- Enhanced statistics and administration pages
- Station offline notifications
- Physical and digital receipts
- Physical receipts
- Digital receipts
- Additional languages supported
- Support for shredding devices
- Support for formatting devices
- Device filters
- File filters
- Custom pattern matching
- FAT12, FAT16, FAT32
- EXT2, EXT3, EXT4
- ISO9660, UDF
- MSDOS, VFAT
- BTRFS
- EXFAT
- NTFS
- XFS
Usability
User-friendly from the core and on
Designed for everyone
By using an intuitive user interface we remove the need for training before using the IMPEX USB. The interface uses a modern design with a touch interface and removes the need of a keyboard or mouse.
IMPEX USB has support for 14 different languages with the possibility to add even more languages.
For traceability the scan result can also be printed on a physical receipt that can be used together with for example work orders. The receipt can also be configured to be sent via email to the user.
When a user inserts a device, all files are viewed, including hidden files before an operation is started. The steps to start an operation is done by selecting prefered action on the touchscreen. When the selected operation has been started will a progress view show all the details in the progress. A receipt view will show the result from the operation.
- Intuitive and easy-to-use user interface
- Modern touch interface
- Several modes - scan only, scan and transfer, format or shred device
- Real time progress with information updates at every step
- Possible to have a printer for physical receipt
- Possibility to transfer many files and very large files
- Scan reports can be sent by email
- Arabic
- English
- Estonian
- Finnish
- French
- German
- Latvian
- Lithuanian
- Norwegian
- Polish
- Spanish
- Swedish
Security
Hardened and no side-loading of data
IMPEX USB
IMPEX USB is the kiosk used by users to scan devices or to scan and transfer files to a trusted device. IMPEX USB can be connected to the ICC server and work as a standalone solution without network connection.
All available technologies are used to harden the station, this is done by using minimal installations and by disabling functions not needed. This basic hardening is following CIS-standard together with internal knowledge for even stronger hardening by using SELinux, seccomp etc. The user interface and exposed USB-ports(IMPEX USB) are locked down to disallow everything besides the possibility to scan files in a restricted environment.
Software updates are automatically done. All software is digitally signed.
IMPEX USB will log every action and it is possible to view all operations on the ICC with all included metadata. Source code audit is done both internally and by customers.
IMPEX Data Lock
IMPEX Data Lock is a network based solution to scan files in data communications. IMPEX Data Lock can be connected to the ICC server
Software updates are automatically done. All software is digitally signed.
IMPEX Data Lock will log every action and it is possible to view all operations on the ICC with all included metadata. Source code audit is done both internally and by customers.
- Operating system based on a minimal and restricted installation
- Locked down kiosk interface
- No usage of an external database in the back-end which simplifies the solution and minimizes attack surface
- No sideloading or mashup of data, or program code
- Source code available for assessment and review for customers
- Massive logging on activities in the appliance
- Unattended system updates to implement an evergreen solution
- Digitally signed software from sysctl
- Automatic patching and update mechanism of operating system
- System and software packages
- Automatic updates of signature files
- Scan laptop, server and workstations hard drives with USB adaptors
- Supporting USB 1.1, USB 2, USB 3 and USB 4 devices
- SATA and other interface can be used with USB adaptors
ICC
The ICC (IMPEX control center) is the heart of the evergreen solution and is used for distribution of updates and configuration of the station's behavior.
The server uses the same type of hardening and software handling as the Station together with traceability.
The ICC server has one HTTPS service exposed on the network compared to the station which does not listen on any port. The webservice is API-based with all hardening techniques applied and follows OWASP recommendations as well as Hardenize and SSLLabs.
By removing unused cipher suites enforcing TLS with HSTS together with web security technologies like CSRF-protection and Content Security Policies makes the attack surface more limited compared to default installations.
The application itself runs under a limited user together with strict input validation. The source code used is continuously analyzed to look for potential vulnerabilities.
- Unattended system upgrades to implement an evergreen solution
- Automatic patching and update mechanism of operating system
- Automatic patching and update mechanism of software packages
- Automatic synchronization of signature files
- Digitally signed program packages from sysctl
- HSTS (HTTP Strict Transport Security) to force use of always encrypted HTTPS traffic
- Built with CSP (Content Security Policy) in mind
- Web part is designed and implemented with support for CSRF (Cross Source Reference Forging) protection
- Web part is designed and implemented with several layers of input data validation
- Massive logging on activities in the appliance
- No sideloading or mashup of data, or program code
- Source code available for assessment and review for customers
- Hardened operating system based on a minimal and restricted installation
- Hardened web server installation
- Hardening TLS configuration
Files
The core function is to scan files in a sandboxed environment for malicious content together with information gathering of metadata.
File filters can be created based on checksums to handle false positives or to actually allow transfer of files even if they are malicious.
If any file is detected as malicious it can be uploaded to the quarantine area in the ICC server. From the server is it possible to download quarantined files for further analyses.
- Files are virus scanned with multiple antivirus scanners
- Files are controlled with file filter engine
- Files are scanned with Yara engine
- Support for custom Yara rules
- Filter files by checksums
- MD5 checksum is calculated for every file
- SHA1 checksum is calculated for every file
- SHA256 checksum is calculated for every file
- Timestamps are preserved
Identity
Authentication and authorization to the ICC server is either done with local accounts or by using an external identity solution like Active Directory.
Stations with NFC support can use physical tokens or mobile phones to authenticate users before they are allowed to use the Station.
- Stations use their own API key to communicate with the ICC
- Control of password complexity
- Integration with Active Directory
- Integration with LDAP
Configurations
The ICC server can control the stations. Configuration cards for the stations will set the different stations behavior.
The ICC server will also get the results from the Stations which is accessible in the graphical application and from the API
The station can be forced to only allow Transfer mode which requires scans to have a source and destination device. This can ensure that only trusted devices is used in higher trusted systems
- Collect metadata
- Offline monitoring
- Quarantine
- Receiving logs
- Malware alerts
- Pause signature or software updates
- Require Identification
- Send scan reports
- Toggle Scan, Transer, Format and Shred options
- Physical receipt
- Engine selections
- Timezone configuration
Technical
Mature technology and standards
Standards and documentation
The ICC is using a well documented API to allow integrations with other products and is by itself using standard technologies to integrate with other products.
Stations use top of the art technology to isolate the kiosk solution which removes the possibility to access the underlying system.
By following all the best practices regarding hardening and well trusted software the risk for any potential vulnerability is minimized. If a software bug exists anywhere in the solution the next layer of defense protects the system.
- Apache HTTP server
- Go language
- Linux operating system
- Perl language
- Python language
- TLS to secure communication
- HTTP protocol used in communication
- SMTP for notifications
- NTP for correct time
- Syslog for traceability
- USB source devices are mounted read only
- Only mass storage USB devices are allowed
- Seccomp-bpf
- IPTables rules
- SElinux policy enforcing all processes
- Discretionary Access Control
- Well documented API
- Design with CIS in mined
- Following OWASP recommendations
- Following SSLlabs recommendations
- Following Hardenize recommendations
- Secure Software Development Life Cycle