Highlights

A unique solution

Important features

IMPEX can be used on-premise without any need for cloud services or other internet dependencies. A station can be completely offline or connected to a local ICC server for central management and unattended updates.

The support of different types of external devices is always growing with support for new technologies and older legacy devices.

IMPEX is built with many functions used by end-users who need to scan devices and files. Administrative functions exist in the background to give managers and system owners the possibility to do follow-ups and visualize the usage of devices and files in the organization.

The possibility to integrate with SIEM solutions gives SOC personnel more visibility into removable devices used in isolated environments. LDAP or Active Directory integrations can enforce central accounts and password policies.

The ICC server provides audit trails, statistics and central configuration possibilities.

On-premise software

  • Updates from local update server
  • Scanning Engine Signatures from local update server
  • No cloud or CDN access needed

Integrations

  • SIEM integration
  • Active Directory integration
  • LDAP integration

Device support

  • USB mass storage
  • CD-ROM Drive
  • DVD Drives
  • Floppy Drives

Traceability

  • Enhanced statistics and administration pages
  • Station offline notifications
  • Physical and digital receipts

Functions

  • Physical receipts
  • Digital receipts
  • Additional languages supported
  • Support for shredding devices
  • Support for formatting devices
  • Device filters
  • File filters
  • Custom pattern matching

Filesystem support

  • FAT12, FAT16, FAT32
  • EXT2, EXT3, EXT4
  • ISO9660, UDF
  • MSDOS, VFAT
  • BTRFS
  • EXFAT
  • NTFS
  • XFS

Usability

User-friendly from the core and on

Designed for everyone

By using an intuitive user interface we remove the need for training before using the Station. The interface uses a modern design with a touch interface and removes the need for a keyboard or mouse.

The station has support for 14 different languages with the possibility to add even more languages.

For traceability the scan result can also be printed on a physical receipt that can be used together with, for example, work orders. The receipt can also be configured to be sent via email to the user.

Simplicity

  • Intuitive and easy-to-use user interface
  • Modern touch interface
  • Several modes - scan only, scan and transfer, format or shred device
  • Real time progress with information updates at every step

Feedback

  • Possible to have a printer for physical receipt
  • Possibility to transfer many files and very large files
  • Scan reports can be sent by email

Multiple languages (14)

  • Arabic
  • English
  • Estonian
  • Finnish
  • French
  • German
  • Latvian
  • Lithuanian
  • Norwegian
  • Polish
  • Spanish
  • Swedish

Security

Hardened and no side-loading of data

Station

The station is the kiosk used by users to scan devices or to scan and transfer files to a trusted device. The station can be connected to the ICC server.

All available technologies are used to harden the station. This is done by using minimal installations and by disabling functions that are not needed. This basic hardening follows the CIS standard, combined with internal knowledge for even stronger hardening using SELinux, seccomp, etc. The user interface and the exposed USB ports are locked down to disallow everything besides the possibility to scan files in a restricted environment.

To avoid problems like unpatched software, automatic updating is built into the system and all software is digitally signed. Signature files and pattern files for the scanning engines are updated several times every day.

The station logs every action, and it is possible to view all operations on the ICC together with all included metadata. Source code audits are done both internally and by customers.

Hardening

  • Operating system based on a minimal and restricted installation
  • Locked down kiosk interface
  • No usage of an external database in the back-end which simplifies the solution and minimizes attack surface

Traceability

  • No sideloading or mashup of data or program code
  • Source code available for assessment and review for customers
  • Massive logging on activities in the appliance

Software updates

  • Unattended system updates to implement an evergreen solution
  • Digitally signed software from sysctl
  • Automatic patching and update mechanism of operating system
  • System and software packages
  • Automatic updates of signature files

ICC

The ICC (IMPEX control center) is the heart of the evergreen solution and is used for distribution of updates and configuration of the station's behavior.

The server uses the same type of hardening and software handling as the Station together with traceability.

The ICC server has one HTTPS service exposed on the network, compared to the station which does not listen on any port. The web service is API-based with all hardening techniques applied and follows OWASP recommendations as well as those of Hardenize and SSL Labs.

Removing unused cipher suites, enforcing TLS with HSTS, and using web security technologies like CSRF protection and Content Security Policy together make the attack surface more limited than in default installations.

The application itself runs under a limited user together with strict input validation. The source code is continuously analyzed to look for potential vulnerabilities.

Software updates

  • Unattended system upgrades to implement an evergreen solution
  • Automatic patching and update mechanism of operating system
  • Automatic patching and update mechanism of software packages
  • Automatic synchronization of signature files
  • Digitally signed program packages from sysctl

Application

  • HSTS (HTTP Strict Transport Security) to force use of always encrypted HTTPS traffic
  • Built with CSP (Content Security Policy) in mind
  • Web part is designed and implemented with support for CSRF (Cross-Site Request Forgery) protection
  • Web part is designed and implemented with several layers of input data validation

Traceability

  • Massive logging on activities in the appliance
  • No sideloading or mashup of data or program code
  • Source code available for assessment and review for customers

Hardening

  • Hardened operating system based on a minimal and restricted installation
  • Hardened web server installation
  • Hardening TLS configuration

Files

The core function is to scan files in a sandboxed environment for malicious content together with information gathering of metadata.

File filters can be created based on checksums to handle false positives or to actually allow transfer of files even if they are malicious.

If any file is detected as malicious it can be uploaded to the quarantine area in the ICC server. From the server it is possible to download quarantined files for further analysis.

Engines

  • Files are virus scanned with multiple antivirus scanners
  • Files are checked with the file filter engine
  • Files are scanned with the YARA engine

Metadata

  • MD5 checksum is calculated for every file
  • SHA1 checksum is calculated for every file
  • SHA256 checksum is calculated for every file
  • Timestamps are preserved
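The checksum-based file filter and per-file metadata described above, as an added example that is not IMPEX's own code: the three digests are computed in one pass, a SHA-256 keyed allow-list overrides a scanner detection (the false-positive case) while a block-list denies transfer regardless of verdict, and the copy to the trusted side preserves timestamps. The scanner verdict is taken as an input, and the rule format, function names and sample files are this example's assumptions.

```python
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass


@dataclass
class FileRecord:
    path: str
    size: int
    md5: str
    sha1: str
    sha256: str
    mtime: float


def hash_file(path: str) -> FileRecord:
    """Compute MD5, SHA1 and SHA256 in a single pass so large files are read once."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    st = os.stat(path)
    return FileRecord(path, st.st_size, md5.hexdigest(), sha1.hexdigest(),
                      sha256.hexdigest(), st.st_mtime)


def decide(rec: FileRecord, scanner_flagged: bool, allow: set, block: set) -> str:
    """Filter rules win over the scanner: block-list first, then allow-list (false positives)."""
    if rec.sha256 in block:
        return "blocked-by-filter"
    if rec.sha256 in allow:
        return "allowed-by-filter"
    return "quarantine" if scanner_flagged else "clean"


def transfer(rec: FileRecord, dest_dir: str) -> str:
    """Copy to the trusted destination; copy2 preserves the source timestamps."""
    dest = os.path.join(dest_dir, os.path.basename(rec.path))
    shutil.copy2(rec.path, dest)
    return dest


def demo() -> dict:
    """Constructed sample: one file on a 'source device', run through the filter paths."""
    src, dst = tempfile.mkdtemp(), tempfile.mkdtemp()
    path = os.path.join(src, "report.txt")
    with open(path, "wb") as fh:
        fh.write(b"hello")  # constructed content with well-known digests
    rec = hash_file(path)
    copied = transfer(rec, dst)
    return {"rec": rec, "mtime_kept": abs(os.stat(copied).st_mtime - rec.mtime) < 1,
            "flagged": decide(rec, True, set(), set()),
            "false_positive": decide(rec, True, {rec.sha256}, set()),
            "blocked": decide(rec, False, set(), {rec.sha256})}
```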

Identity

Authentication and authorization to the ICC server are done either with local accounts or by using an external identity solution like Active Directory.

Stations with NFC support can use physical tokens or mobile phones to authenticate users before they are allowed to use the Station.

Authentication

  • Stations use their own API key to communicate with the ICC
  • Control of password complexity

Centralized accounts

  • Integration with Active Directory
  • Integration with LDAP

Technical

Mature technology and standards

Standards and documentation

The ICC is using a well documented API to allow integrations with other products and is by itself using standard technologies to integrate with other products.

Stations use state-of-the-art technology to isolate the kiosk solution, which removes the possibility to access the underlying system.

By following all the best practices regarding hardening and well-trusted software, the risk of any potential vulnerability is minimized. If a software bug exists anywhere in the solution, the next layer of defense protects the system.

Using mature technologies

  • Apache HTTP server
  • Go language
  • Linux operating system
  • Perl language
  • Python language

Built for Internet standards

  • TLS to secure communication
  • HTTP protocol used in communication
  • SMTP for notifications
  • NTP for correct time
  • Syslog for traceability

Hardening techniques

  • USB source devices are mounted read only
  • Only mass storage USB devices are allowed
  • Seccomp-bpf
  • iptables rules
  • SELinux policy enforcing all processes
  • Discretionary Access Control

Standards

  • Well documented API
  • Designed with CIS in mind
  • Following OWASP recommendations
  • Following SSL Labs recommendations
  • Following Hardenize recommendations
  • Secure Software Development Life Cycle

Interested in Impex?

Contact sysctl