Disable access to the local network.

I wrote an upper filter disk driver for a USB device that contains data in an encrypted form. The second task is to limit / disable the local network and the Internet after the data on the device is decrypted, so that there are no attempts to steal information through a local network. Is it possible to do this from my driver, or is it easier to implement it in a user application? And if possible, how is it better?

Isn’t there a Group Policy to disable network access?

Pete

On Nov 23, 2018, at 5:37 AM, Alexey_Yerakhavets wrote:
>
> I wrote an upper filter disk driver for a USB device that contains data in an encrypted form. The second task is to limit / disable the local network and the Internet after the data on the device is decrypted.

How do you think that’s going to work? When someone reads a sector of data from your encrypted drive, you have no idea at all how the data will be used, nor how long it will live. How would you know how long to limit the access? If I copy the file to my local disk, are you going to track the life of that data?

> So that there are no attempts to steal information through a local network. Is it possible to do this from my driver, or is it easier to implement it in a user application?

This is, of course, impossible. You cannot tell the difference between the user sending the file through FTP or SCP and a malicious process attempting to copy the data under the radar.

Tim Roberts, timr@probo.com
Providenza & Boekelheide, Inc.

> How do you think that’s going to work? When someone reads a sector of data from your encrypted drive, you have no idea at all how the data will be used, nor how long it will live. How would you know how long to limit the access? If I copy the file to my local disk, are you going to track the life of that data?

This task was set before me; it was not I myself who decided to do so. I did not know whether it was possible or not. That’s why I asked. There is no need to track data theft attempts, but simply to disable the local network itself.
Is it possible to simply disable the local network through my driver or not?

Well, if you think about it a bit you are (hopefully) going to realise that the whole “data protection” thing in itself is simply nonsensical in this context…

How can the data be possibly stolen across the network without any malicious KM and UM components running on the target machine???
I hope you agree that it is simply impossible - it may happen only if the target system is already compromised and has some malicious components running on it.

In such case temporarily disabling the network access is not going to provide you with any protection. To begin with, there is no guarantee that our “potential culprit” is going to send the data straight away, in the first place. Instead, it may be temporarily saving it locally in a file, and sending it away only upon its counter-party’s request in accordance with some elaborate communication protocol. In fact, from the culprit’s perspective, this is the most reasonable modus operandi anyway.

Another point to consider is that, assuming a sufficient privilege level of our “potential culprit”, it can undo ABSOLUTELY everything that your driver ever tries to do in order to protect your data. If there is any malicious KM driver running on the target machine, all bets are off. Full stop.

To summarise, you are trying to win a battle that simply cannot be won this way…

Anton Bassov

I’ll repeat what I said before, given that you apparently ignored it: isn’t there a Group Policy that will do this? Hint, hint…

Peter

Sorry, Peter. I did not notice your answer.
Thank you, Anton, for your answer. I agree with you. It remains for me to somehow convey this information to my superiors :)

On Nov 25, 2018, at 1:25 AM, Alexey_Yerakhavets wrote:
>
>
>> How do you think that’s going to work? When someone reads a sector of data from your encrypted drive, you have no idea at all how the data will be used, nor how long it will live. How would you know how long to limit the access? If I copy the file to my local disk, are you going to track the life of that data?
>
> This task was set before me; it was not I myself who decided to do so. I did not know whether it was possible or not. That’s why I asked. There is no need to track data theft attempts, but simply to disable the local network itself.

For how long? You’re going to irritate users if you just shut off their network and it never comes back, but how would you know when to restore it? Remember that just because the drive is unplugged does not mean the data it contained is gone. Also remember that you don’t decrypt an entire drive. You decrypt sectors as they are read. Once that happens, that data is simply outside of your control.

Tim Roberts, timr@probo.com
Providenza & Boekelheide, Inc.