[FDE] full disk encryption for NAS

Naveen Mamindlapalli mamindlapalli.naveen at yahoo.co.in
Mon Jan 8 01:40:56 MST 2007


Hi Mike,

Thanks a lot for your reply.

Right now I am using TrueCrypt for disk encryption.
I have gone through the ISC's SpyProof! product and
found that TrueCrypt is almost the same except the
authentication part using PKCS#11 support.

In case of a NAS box, first we have to mount it locally
on the Windows machine & then create a virtual
encrypted disk on that NAS drive. So our data will be
encrypted over the network.

But if I have a NAS box with disk encryption software
inbuilt, then the data over the network will be in
clear-text (correct me if I am wrong), since the
encryption (or) decryption is happening at the disk
level, not at the socket level (or) application level.
In this case there can be a threat from the network to
the NAS box.

So I am doubting whether we should use file level
encryption also (meaning application level encryption).

Regards
Naveen

--- Mike Markowitz <markowitz at infoseccorp.com> wrote:

> Naveen wrote on Tue Dec 5 22:55:44 MST 2006:
> 
>  >I have a confusion whether to use
>  >file encryption (or) disk encryption in case of NAS box
>  >because the data over network is in clear-text when
>  >the clients are accessing the NAS box. So in that case
>  >file encryption will be useful. But in case of physical
>  >security like theft it is better to use disk
>  >encryption.
>  >
>  >I have googled about this and nowhere I found the
>  >correct answer. Is it better to use both types of
>  >encryption at a time. Then the burden will be more in
>  >encrypting & decrypting twice the data file level & at
>  >disk level.
>  >
>  >Is there any alternate technique to protect the NAS
>  >box from both physical & network attacks.
> 
> Naveen:
> 
> You might want to consider ISC's SpyProof! product.
> It allows you to create encrypted virtual partitions
> -- locally on a Windows system, on a remote NAS box,
> or even on removable media. When "mounted," these
> partitions appear as normal (networked) drives on
> client Windows systems.
> 
> A device driver on each client locally encrypts all
> data written to a mounted drive on-the-fly, and
> decrypts all data locally after reads, so both
> processes are transparent to all Windows
> applications, all network traffic is encrypted, and
> you always end up with ciphertext on the NAS device
> (or wherever the encrypted partition resides).
> 
> Mounting/unmounting an encrypted partition can be
> performed manually or tied to the Windows
> login/logout processes. The mounting process
> requires strong authentication based on X.509
> certificates, with or without a hardware token --
> PKCS#11 and CAPI-based tokens are supported. Users
> can install an existing key pair, create a
> self-signed certificate, or request a free 1-year
> certificate from us. All data is encrypted with AES
> (your choice of key size) in CBC mode. Encrypted
> disks can be expanded (but not contracted) after
> creation, re-keyed upon demand, and users
> added/deleted from the "access control lists" on a
> drive-by-drive basis. (The free space on a disk can
> be encrypted or not, a decision to be made by an
> administrator based on its potential impact on
> incremental backup processes.)
> 
> One caveat: simultaneous read/write access by
> multiple users to a given encrypted drive is not
> supported at this time; first user to mount a drive
> gets read/write access, subsequent users get
> read-only access. In some applications this is not a
> significant limitation, for others it is, so you need
> to take it into consideration.
> 
> More info is available here:
>
> http://www.infoseccorp.com/products/spyproof/contents.htm
> 
> -mjm
> 
> 


Thanks & Regards
         Naveen.M
   
   
   

