2984 Views, 7 Replies. Latest reply: Jan 17, 2011 3:56 PM by alistg
alistg, Newcomer, 13 posts since Jan 13, 2011

Jan 13, 2011 4:56 PM

Query about Use of McAfee EE setup to Autoboot vs Bitlocker in Transparent Operations Mode

Hello

I'm investigating a requirement to encrypt desktop PCs but without having them prompt for a password (or PIN) at bootup.

The aim is to only prompt if the hard disk is removed from the machine and placed in another machine.

I'm looking at the pros / cons of use of McAfee Endpoint Encryption configured to AutoBoot vs use of something like Bitlocker in "Transparent Operations Mode" to do this.

Questions:
1) Is it a supported configuration to use McAfee EE permanently configured to Autoboot? (I notice a post here from Simon which mentions "this situation is explicitly excluded from the EULA", but I'd like to confirm if he was referring to the same thing and / or if this situation is still the case.)

Assuming that it's "ok" to run like that ...

2) What happens if the disk is removed and put into another machine (given it's set to autoboot)? Will it continue to autoboot or will it realise that the HW has changed and complain?

(The aim is to prevent the machine booting and getting to a Windows logon prompt.)

In fact, reading "How to automatically bypass pre-boot using the AutoBoot Account", I think I probably know the answer!

It sounds like it would be a really bad idea and should only be used for a very temporary period (such as patching).

This begs the question: is there something more "akin" to "Transparent Operations Mode"? What do McAfee "recommend" (or does the reliance on TPM for that mean that it can't be provided)?

I realise there is a much wider discussion around physical access, other ways of getting data off etc etc, but I'd like the response to focus on the specific questions above.

Many thanks in advance.

- AL

on 13/01/11 16:56:08 CST
  • SafeBoot, Group Leader, 8,588 posts since Oct 28, 2008

    My opinion is neither offer any protection, and are not appropriate for use if you are trying to adhere to any regulatory compliance laws, like HIPAA, HITECH, or any of the state or international data protection laws.

    But, security is all about risk assessment, so if you are happy with the risk, you are happy with defending yourself against a claim that you did not follow "Industry Best Practice" (ie NIST 800-111 in the USA), and you are happy that in both cases the effort to break into the system is minimal, then by all means go ahead...

    I think you can do better though - tens of millions of users are running full disk encryption with pre boot authentication, and those companies are still operating quite effectively.


    Heisenberg is pulled over for speeding: “Do you know how fast you were going?” the police officer asks, incredulously. “No,” replies Heisenberg, “but I know exactly where I am!”
    Personal Blog : http://mcaf.ee/simon | Corporate Blog : http://SIBlog.mcafee.com | Create your own safe, short URL's - http://mcaf.ee

  • rbarstow, The Place at McAfee Member, 154 posts since Apr 22, 2009

    SafeBoot and I have discussed the philosophy of disk encryption with "weak" (eg, non-existent) authentication. Our legal office has determined that they are willing to take on the risk presented by autoboot, in exchange for the user acceptance, and lack of issues related to passwords, change intervals, etc.

    That said, permanent use of Autoboot has become a common practice (at least with several large companies), and that shift is reflected in some of the more recent versions.

    If you put the HD into similar hardware...it will try to boot to Windows. If the HD controller is close enough, then the PBA will run. Then it's just a question of getting Windows to boot with different hardware present.

    One issue with BitLocker: Once a laptop has disappeared, how do you KNOW that the HD was encrypted? What can you present to the State (in the USA) so that you are not forced to disclose the loss of the device?

  • SafeBoot, Group Leader, 8,588 posts since Oct 28, 2008

    It will boot for sure, but whether it goes into Windows is dependent on the OS.

    The trouble with Bitlocker in TPM mode is a) TPM has been hacked, b) the key is on the drive, so it does not give you protection from data disclosure laws. You have to use TPM plus PIN to get protection - even Microsoft recommend that you DO NOT use TPM only.


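    Simon's point above (a TPM-only BitLocker volume releases its key with no user-held secret, which is why TPM plus PIN is recommended) can be audited on a fleet with the BitLocker cmdlets. The script below is an added example, not code from this thread or from McAfee; it assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later) and an elevated session, and the function name is my own.

```powershell
# Added example: flag BitLocker volumes that are protected by a TPM protector only
# (BitLocker "transparent" mode), i.e. no PIN or startup key is required at boot.
# Assumes the BitLocker module (Get-BitLockerVolume) and an elevated session.
function Get-BitLockerProtectorAudit {
    [CmdletBinding()]
    param()

    # Protector types that need something the user holds before the OS volume unlocks.
    $userSecretTypes = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password')

    foreach ($vol in Get-BitLockerVolume) {
        # Collect the protector type names attached to this volume.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        $hasTpm        = $types -contains 'Tpm'
        $hasUserSecret = @($types | Where-Object { $userSecretTypes -contains $_ }).Count -gt 0
        $hasRecovery   = $types -contains 'RecoveryPassword'

        # Classify the volume; the wording is the finding an auditor would record.
        $finding =
            if ($vol.VolumeStatus -eq 'FullyDecrypted' -or $vol.ProtectionStatus -eq 'Off') {
                'NOT PROTECTED'
            } elseif ($hasTpm -and -not $hasUserSecret) {
                'TPM-ONLY: unlocks without a PIN (transparent mode)'
            } elseif ($hasUserSecret) {
                'PRE-BOOT SECRET REQUIRED'
            } else {
                'REVIEW: no TPM or PIN protector present'
            }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ',')
            RecoveryPassword = $hasRecovery   # needed to prove escrow after a loss
            Finding          = $finding
        }
    }
}

# Usage: run elevated, then review the Finding column.
Get-BitLockerProtectorAudit | Format-Table -AutoSize
```

    The RecoveryPassword column addresses rbarstow's "how do you KNOW the HD was encrypted" question only in part: it shows a recovery protector exists, not that it was backed up to AD or MBAM, which must be checked separately.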

  • SafeBoot, Group Leader, 8,588 posts since Oct 28, 2008

    1. No, since everyone uses much the same algorithms, everyone performs much the same. There are some differences though, Bitlocker uses a smaller key than everyone else, and McAfee have an RC5 implementation which is around 40x faster than AES.

    The performance impact is so low that it does not matter much, but you are right, AES-NI is an order of magnitude faster than software crypto.

    2. I hope SEDs replace software crypto, as it's a pain, but it relies on everyone buying SEDs and the manufacturers getting their act together and releasing OPAL spec drives. Anything else is pretty much useless in the enterprise space.

    We already have OPAL support in the lab, but with so few drives available, there's no point releasing it. Sure, you could use WAVE, but are your users capable of using BIOS-style passwords, one per machine, disconnected from their Windows credentials? That's the problem OPAL will solve.
