PGP Endpoint Device Control 4.3 User guide

PGP Endpoint Device Control
Version 4.3.0
Users Guide
Version Information
PGP Endpoint Device Control User's Guide. PGP Endpoint Version 4.3.0. Released: June 2008.
02_103_4.3.0.55
Copyright Information
Copyright © 1991-2008 by PGP Corporation. All Rights Reserved. No part of this document can be reproduced or transmitted in
any form or by any means, electronic or mechanical, for any purpose, without the express written permission of PGP
Corporation.
Trademark Information
PGP, Pretty Good Privacy, and the PGP logo are registered trademarks of PGP Corporation in the US and other countries.
IDEA is a trademark of Ascom Tech AG. Windows and ActiveX are registered trademarks of Microsoft Corporation. AOL is a
registered trademark, and AOL Instant Messenger is a trademark, of America Online, Inc. Red Hat and Red Hat Linux are
trademarks or registered trademarks of Red Hat, Inc. Linux is a registered trademark of Linus Torvalds. Solaris is a trademark or
registered trademark of Sun Microsystems, Inc. AIX is a trademark or registered trademark of International Business Machines
Corporation. HP-UX is a trademark or registered trademark of Hewlett-Packard Company. SSH and Secure Shell are
trademarks of SSH Communications Security, Inc. Rendezvous and Mac OS X are trademarks or registered trademarks of
Apple Computer, Inc. All other registered and unregistered trademarks in this document are the sole property of their respective
owners.
Licensing and Patent Information
The IDEA cryptographic cipher described in U.S. patent number 5,214,703 is licensed from Ascom Tech AG. The CAST-128
encryption algorithm, implemented from RFC 2144, is available worldwide on a royalty-free basis for commercial and non-
commercial uses. PGP Corporation has secured a license to the patent rights contained in the patent application Serial Number
10/655,563 by The Regents of the University of California, entitled Block Cipher Mode of Operation for Constructing a Wide-
blocksize block Cipher from a Conventional Block Cipher. Some third-party software included in PGP Universal Server is
licensed under the GNU General Public License (GPL). PGP Universal Server as a whole is not licensed under the GPL. If you
would like a copy of the source code for the GPL software included in PGP Universal Server, contact PGP Support
(http://www.pgp.com/support). PGP Corporation may have patents and/or pending patent applications covering subject matter in
this software or its documentation; the furnishing of this software or documentation does not give you any license to these
patents.
Acknowledgments
This product includes or may include:
The Zip and ZLib compression code, created by Mark Adler and Jean-Loup Gailly, is used with permission from the free Info-
ZIP implementation, developed by zlib (http://www.zlib.net). Libxml2, the XML C parser and toolkit developed for the Gnome
project and distributed and copyrighted under the MIT License found at http://www.opensource.org/licenses/mit-license.html.
Copyright © 2007 by the Open Source Initiative. bzip2 1.0, a freely available high-quality data compressor, is copyrighted by
Julian Seward, © 1996-2005. Application server (http://jakarta.apache.org/), web server (http://www.apache.org/), Jakarta
Commons (http://jakarta.apache.org/commons/license.html) and log4j, a Java-based library used to parse HTML, developed by
the Apache Software Foundation. The license is at www.apache.org/licenses/LICENSE-2.0.txt. Castor, an open-source,
databinding framework for moving data from XML to Java programming language objects and from Java to databases, is
released by the ExoLab Group under an Apache 2.0-style license, available at http://www.castor.org/license.html. Xalan, an
open-source software library from the Apache Software Foundation that implements the XSLT XML transformation language
and the XPath XML query language, is released under the Apache Software License, version 1.1, available at
http://xml.apache.org/xalan-j/#license1.1. Apache Axis is an implementation of the SOAP ("Simple Object Access Protocol")
used for communications between various PGP products is provided under the Apache license found at
http://www.apache.org/licenses/LICENSE-2.0.txt. mx4j, an open-source implementation of the Java Management Extensions
(JMX), is released under an Apache-style license, available at http://mx4j.sourceforge.net/docs/ch01s06.html. jpeglib version
6a is based in part on the work of the Independent JPEG Group. (http://www.ijg.org/) libxslt the XSLT C library developed for
the GNOME project and used for XML transformations is distributed under the MIT License
http://www.opensource.org/licenses/mit-license.html. PCRE version 4.5 Perl regular expression compiler, copyrighted and
distributed by University of Cambridge. ©1997-2006. The license agreement is at http://www.pcre.org/license.txt. BIND
Balanced Binary Tree Library and Domain Name System (DNS) protocols developed and copyrighted by Internet Systems
Consortium, Inc. (http://www.isc.org) Free BSD implementation of daemon developed by The FreeBSD Project, © 1994-2006.
Simple Network Management Protocol Library developed and copyrighted by Carnegie Mellon University © 1989, 1991, 1992,
Networks Associates Technology, Inc, © 2001- 2003, Cambridge Broadband Ltd.© 2001- 2003, Sun Microsystems, Inc., ©
2003, Sparta, Inc, © 2003-2006, Cisco, Inc and Information Network Center of Beijing University of Posts and
Telecommunications, © 2004. The license agreement for these is at http://net-snmp.sourceforge.net/about/license.html. NTP
version 4.2 developed by Network Time Protocol and copyrighted to various contributors. Lightweight Directory Access
Protocol developed and copyrighted by OpenLDAP Foundation. OpenLDAP is an open-source implementation of the
Lightweight Directory Access Protocol (LDAP). Copyright © 1999-2003, The OpenLDAP Foundation. The license agreement is
at http://www.openldap.org/software/release/license.html. Secure shell OpenSSH version 4.2.1 developed by OpenBSD
project is released by the OpenBSD Project under a BSD-style license, available at
http://www.openbsd.org/cgibin/cvsweb/src/usr.bin/ssh/LICENCE?rev=HEAD. PC/SC Lite is a free implementation of PC/SC, a
specification for SmartCard integration is released under the BSD license. Postfix, an open source mail transfer agent (MTA),
is released under the IBM Public License 1.0, available at http://www.opensource.org/licenses/ibmpl.php. PostgreSQL, a free
software object-relational database management system, is released under a BSD-style license, available at
http://www.postgresql.org/about/licence. PostgreSQL JDBC driver, a free Java program used to connect to a PostgreSQL
database using standard, database independent Java code, (c) 1997-2005, PostgreSQL Global Development Group, is
released under a BSD-style license, available at http://jdbc.postgresql.org/license.html. PostgreSQL Regular Expression
Library, a free software object-relational database management system, is released under a BSD-style license, available at
http://www.postgresql.org/about/licence. 21.vixie-cron is the Vixie version of cron, a standard UNIX daemon that runs specified
programs at scheduled times. Copyright © 1993, 1994 by Paul Vixie; used by permission. JacORB, a Java object used to
facilitate communication between processes written in Java and the data layer, is open source licensed under the GNU Library
General Public License (LGPL) available at http://www.jacorb.org/lgpl.html. Copyright © 2006 The JacORB Project. TAO (The
ACE ORB) is an open-source implementation of a CORBA Object Request Broker (ORB), and is used for communication
between processes written in C/C++ and the data layer. Copyright (c) 1993-2006 by Douglas C. Schmidt and his research group
at Washington University, University of California, Irvine, and Vanderbilt University. The open source software license is
available at http://www.cs.wustl.edu/~schmidt/ACE-copying.html. libcURL, a library for downloading files via common network
services, is open source software provided under a MIT/X derivate license available at http://curl.haxx.se/docs/copyright.html.
Copyright (c) 1996 - 2007, Daniel Stenberg. libuuid, a library used to generate unique identifiers, is released under a BSD-style
license, available at http://thunk.org/hg/e2fsprogs/?file/fe55db3e508c/lib/uuid/COPYING. Copyright (C) 1996, 1997 Theodore
Ts'o. libpopt, a library that parses command line options, is released under the terms of the GNU Free Documentation License
available at http://directory.fsf.org/libs/COPYING.DOC. Copyright © 2000-2003 Free Software Foundation, Inc. gSOAP, a
development tool for Windows clients to communicate with the Intel Corporation AMT chipset on a motherboard, is distributed
under the GNU Public License, available at http://www.cs.fsu.edu/~engelen/soaplicense.html. Windows Template Library
(WRT) is used for developing user interface components and is distributed under the Common Public License v1.0 found at
http://opensource.org/licenses/cpl1.0.php. The Perl Kit provides several independent utilities used to automate a variety of
maintenance functions and is provided under the Perl Artistic License, found at
http://www.perl.com/pub/a/language/misc/Artistic.html.
Export Information
Export of this software and documentation may be subject to compliance with the rules and regulations promulgated from time
to time by the Bureau of Export Administration, United States Department of Commerce, which restricts the export and re-export
of certain products and technical data.
Limitations
The software provided with this documentation is licensed to you for your individual use under the terms of the End User
License Agreement provided with the software. The information in this document is subject to change without notice. PGP
Corporation does not warrant that the information meets your requirements or that the information is free of errors. The
information may include technical inaccuracies or typographical errors. Changes may be made to the information and
incorporated in new editions of this document, if and when made available by PGP Corporation.
PGP Endpoint Device Control User Guide 4.3.0 1
Contents
About this guide ......................................................................................................... 7
Introduction ..................................................................................................................................... 7
Complete security .............................................................................................................................. 8
What's in this guide ........................................................................................................... 8
Conventions ..................................................................................................................................... 9
Notational conventions .................................................................................................................. 9
Typographic conventions ................................................................................................................ 9
Keyboard conventions ................................................................................................................... 9
Getting Assistance ............................................................................................................................. 9
Getting product information ........................................................................................................... 9
Contacting Technical Support ......................................................................................................... 10
Chapter 1: Introducing PGP Endpoint Device Control .......................................................... 13
Welcome to PGP Endpoint Device Control................................................................................................ 13
What is PGP Endpoint Device Control ..................................................................................................... 13
What can you do with PGP Endpoint Device Control .................................................................................. 14
Benefits of using PGP Endpoint Device Control ......................................................................................... 14
Major features of PGP Endpoint............................................................................................................ 15
What is new on this version ................................................................................................................ 17
Device types supported ...................................................................................................................... 17
Conclusions ..................................................................................................................................... 20
Chapter 2: Using the PGP Endpoint Console ..................................................................... 21
Starting the PGP Endpoint Management Console ...................................................................................... 21
Connecting to the Server ............................................................................................................... 22
Log in as a different user............................................................................................................... 22
The PGP Endpoint Management Console screen ........................................................................................ 23
Customizing your workspace .......................................................................................................... 24
The PGP Endpoint Device Control modules .............................................................................................. 26
The PGP Endpoint Management Console menus and tools .......................................................................... 28
File menu .................................................................................................................................. 28
View menu ................................................................................................................................ 28
Tools menu ................................................................................................................................ 28
Endpoint Maintenance ................................................................................................................. 29
Reports menu ............................................................................................................................. 31
Explorer menu ............................................................................................................................ 32
Window menu ............................................................................................................................ 32
Help menu ................................................................................................................................. 32
Other administrative functions ............................................................................................................ 33
Setting and changing default options .............................................................................................. 33
Synchronizing domain members ..................................................................................................... 33
Synchronizing with Novell eDirectory ............................................................................................... 33
Adding workgroup computers......................................................................................................... 34
Performing database maintenance .................................................................................................. 34
Defining PGP Endpoint administrators .............................................................................................. 35
Sending updated permissions to client computers............................................................................... 37
Everyday work .................................................................................................................................38
Identifying and organizing users and user groups ...............................................................................38
Identifying the devices to be managed .............................................................................................38
Working with the PGP Endpoint system's pre-defined device classes ....................................................... 39
Adding your own, user-defined devices to the system ........................................................................ 40
Identifying specific, unique, removable devices ................................................................................ 40
Organizing devices into logical groups .............................................................................................. 41
Identifying specific computers to be managed ................................................................................... 42
Defining different types of permissions ............................................................................................ 42
Encrypting removable media & authorizing specific DVDs/CDs................................................................. 43
Forcing users to encrypt removable media ....................................................................................... 44
Practical setup examples ................................................................................................................... 44
DVD/CD burner permissions assignments .......................................................................................... 44
Removable permissions assignments .............................................................................................. 45
Assigning permissions to groups instead of users ................................................................................ 45
Shadowing notes ........................................................................................................................ 45
Chapter 3: Using the Device Explorer ............................................................................. 49
How does the Device Explorer work ...................................................................................................... 50
Restricted and unrestricted devices ...................................................................................................... 51
Optimizing the way you use the Device Explorer ...................................................................................... 52
Context menu and drag & drop ...................................................................................................... 52
Keyboard shortcuts ...................................................................................................................... 52
Adding comments to an entry ........................................................................................................ 53
Computer groups ........................................................................................................................ 53
Renaming Computer Groups/Device Groups/Devices ............................................................................. 53
Event notification ....................................................................................................................... 54
Device Groups ............................................................................................................................ 57
Supported device types .................................................................................................... 58
Managing permissions ....................................................................................................................... 58
Chapter 4: Managing permissions/rules ......................................................................... 59
Using the Permissions dialog .............................................................................................................. 59
Special case: Working with Removable Storage Devices ........................................................................ 61
Using file filters ............................................................................................................................... 63
To remove File Filtering settings from a permission ............................................................................. 65
File Filtering examples ................................................................................................................. 66
Adding a user or group when defining permissions .................................................................................. 68
To assign default permissions ............................................................................................................. 69
Root-level permissions ................................................................................................................. 69
To assign default permissions to users and groups .............................................................................. 69
Priority of default permissions ........................................................................................................ 71
Read/Write permissions ................................................................................................................ 72
To assign computer-specific permissions to users and groups ..................................................................... 73
To modify permissions.................................................................................................................. 74
To remove permissions ................................................................................................................. 75
To assign scheduled permissions to users and groups ............................................................................... 75
To modify scheduled permissions.................................................................................................... 76
To remove scheduled permissions ....................................................................................................77
To assign temporary permissions to users ...............................................................................................77
To remove temporary permissions ................................................................................................... 78
To assign temporary permissions to offline users ..................................................................................... 78
To assign online and offline permissions ............................................................................................... 82
To remove offline or online permissions ........................................................................................... 83
To export and import permission settings .............................................................................................. 84
To manually export or import permissions settings ............................................................................. 84
Shadowing devices ........................................................................................................................... 85
To shadow a device ..................................................................................................................... 85
To remove the shadow rule ........................................................................................................... 87
To view a shadowed file ............................................................................................................. 87
Copy limit ....................................................................................................................................... 87
To add a copy limit ......................................................................................................................88
To remove a copy limit ................................................................................................................. 89
Applying multiple permissions to the same user ...................................................................................... 89
Forcing users to encrypt removable storage devices .................................................................................. 90
Setting permissions to force users to encrypt removable storage devices .................................................. 91
Managing devices ............................................................................................................................ 95
To add a new device .................................................................................................................... 95
To remove a device ...................................................................................................................... 97
Specific, unique, removable devices ................................................................................................ 97
Changing permissions mode .......................................................................................................... 97
Priority options when defining permissions ...................................................................................... 98
Informing client computers of permission changes .................................................................................. 99
Chapter 5: Using the Log Explorer ................................................................................ 101
Introduction .................................................................................................................................. 101
Monitoring user input/output device actions .................................................................................... 101
Monitoring administrator actions ................................................................................................... 103
Accessing the Log Explorer ................................................................................................................. 103
Log Explorer templates ..................................................................................................................... 104
To use an existing template .......................................................................................................... 105
Predefined templates .................................................................................................................. 105
To create and use a new template ................................................................................................. 107
Backing-up your templates .......................................................................................................... 108
Log Explorer window........................................................................................................................ 108
Navigation/Control bar ................................................................................................................ 109
Column headers ......................................................................................................................... 109
Results panel / custom report contents ............................................................................................ 114
Criteria/Properties panel .............................................................................................................. 116
Control button panel ................................................................................................................... 116
Select and edit templates window ....................................................................................................... 117
Template settings window ................................................................................................................. 119
General tab ............................................................................................................................... 120
Query & Output tab ..................................................................................................................... 120
Criteria ..................................................................................................................................... 121
The advanced view ..................................................................................................................... 123
Schedule tab ............................................................................................................................. 127
Viewing access attempts to devices ...................................................................................................... 130
Viewing client error reports ................................................................................................................ 131
Viewing shadow files ........................................................................................................................ 132
When the Data File Directory is not available .................................................................................... 133
Shadowing file names only ................................................................................................................ 134
DVD/CD Shadowing ........................................................................................................................... 134
Forcing the latest log files to upload .................................................................................................... 134
To manage devices using the Log Explorer module .................................................................................. 135
Viewing administrator activity ............................................................................................................ 136
Audit events .............................................................................................................................. 136
Chapter 6: Using the Media Authorizer ......................................................................... 139
Introduction ................................................................................................................................... 139
Creating a DVD/CD hash .................................................................................................................... 140
What happens when a user wants access to the DVD/CD...................................................................... 140
Accessing the Media Authorizer ........................................................................................................... 141
Authorizing users to use specific DVDs/CDs ............................................................................................. 141
Pre-requisites ........................................................................................................................... 141
To authorize the use of a specific DVD/CD .......................................................................................... 141
Encrypting removable storage devices .................................................................................................. 142
Pre-requisites ........................................................................................................................... 143
Decentralized encryption..............................................................................................................144
Limitations ...............................................................................................................................144
To encrypt a specific removable storage device ..................................................................................144
Removable device encryption methods comparison ........................................................................... 146
Problems encrypting a device ....................................................................................................... 146
Authorizing access .......................................................................................................................... 148
Selecting users for a device .......................................................................................................... 149
Selecting devices for a user .......................................................................................................... 150
Removing media from the database .................................................................................................... 151
To remove a DVD/CD .................................................................................................................... 151
To remove an encrypted removable storage device ............................................................................. 152
To remove lost or damaged media from the database ......................................................................... 152
Other Media Authorizer utilities .......................................................................................................... 153
To rename a DVD, CD, or removable storage device ............................................................................. 153
Exporting encryption keys ............................................................................................................ 153
Ejecting a CD or DVD ....................................................................................................................154
Recovering a password for decentralized encryption when connected ....................................................154
Permissions Priority ......................................................................................................................... 157
Encrypting devices without a Certificate Authority .................................................................................. 159
To encrypt a removable media without installing a Certificate Authority ................................................. 159
Chapter 7: Accessing encrypted media outside of your organization ................................... 161
Exporting encryption keys ................................................................................................................. 161
Exporting encryption keys centrally ................................................................................................ 161
Exporting encryption keys locally ................................................................................................... 161
To export the encryption key to a file .............................................................................................. 162
To export the encryption key to the device itself ................................................................................ 163
Accessing encrypted media outside your organization ............................................................................. 164
Accessing media on a machine with PGP Endpoint Client Driver installed ............................................... 164
Accessing media without using PGP Endpoint Client Driver .................................................................. 169
Using encryption inside and outside your organization ....................................................................... 174
Decentralized encryption ................................................................................................................... 175
How to configure PGP Endpoint so that users can encrypt their own devices ............................................ 175
Recovering a decentralized encryption password without PGP Endpoint Client .......................................... 175
Chapter 8: Setting and changing options ...................................................................... 181
Default options ............................................................................................................................... 181
Computer-specific options ................................................................................................................. 182
To change an option setting ............................................................................................................... 182
Sending updates to client computers .............................................................................................. 183
Individual option settings ................................................................................................................. 183
Certificate generation .................................................................................................................. 183
Contents
4 PGP Endpoint Device Control User Guide 4.3.0
Client hardening ........................................................................................................................ 183
Device log ................................................................................................................................ 184
Device log throttling ................................................................................................................... 184
eDirectory translation ................................................................................................................. 184
Encrypted media password ........................................................................................................... 185
Endpoint status ......................................................................................................................... 185
Log upload interval .................................................................................................................... 185
Log upload threshold .................................................................................................................. 185
Log upload time ........................................................................................................................ 186
Log upload delay ....................................................................................................................... 186
Online state definition ................................................................................................................ 186
Server address ........................................................................................................................... 187
Shadow directory ....................................................................................................................... 187
Update notification .................................................................................................................... 187
USB Keylogger ........................................................................................................................... 188
Checking settings on a client machine.................................................................................................. 188
Chapter 9: Generating PGP Endpoint Reports................................................................. 189
User Permissions report .................................................................................................................... 191
Device Permissions report ................................................................................................................. 192
Computer Permissions report ............................................................................................................. 193
Media by User report ........................................................................................................................ 194
Users by Medium report .................................................................................................................... 195
Shadowing by Device report .............................................................................................................. 196
Shadowing by User report ................................................................................................................. 197
Online Machines report .................................................................................................................... 198
Machine Options report .................................................................................................................... 199
Server Settings Report ..................................................................................................................... 200
Chapter 10: Comprehensive CD/DVD encryption for securing all your CD/DVD data .................. 201
How it works .................................................................................................................................. 201
Limitations and supported media ....................................................................................................... 201
Pre-requisites ................................................................................................................................ 202
Encrypting a CD/DVD ......................................................................................................................... 202
To assign a user permission to encrypt a DVD/CD ................................................................................ 203
To assign a user permission to read an already encrypted DVD/CD ......................................................... 204
To encrypt a DVD/CD ................................................................................................................... 204
Using an already encrypted CD/DVD ..................................................................................................... 208
To use an already encrypted CD/DVD on a machine protected by PGP Endpoint ........................................ 208
To use an already encrypted CD/DVD on a machine not protected by PGP Endpoint ................................... 208
If you forget the CD/DVD password ...................................................................................................... 208
DVD/CD icons ................................................................................................................................. 208
Chapter 11: Using PGP-Encrypted Removable Devices ........................................................ 211
Introduction ................................................................................................................................... 211
Defining Permission Using the PGP Endpoint Management Console ............................................................. 212
To Allow Users to Encrypt a Device Using PGP WDE .............................................................................. 213
To Allow User to Use a PGP WDE Encrypted Removable Device ............................................................... 213
To Check the Client Status .................................................................................................................. 214
To Decrypt or Re-encrypt a Removable Device Using PGP's Desktop ............................................................. 214
Shadow ........................................................................................................................................ 215
Reports ......................................................................................................................................... 215
Using the Log Explorer ...................................................................................................................... 215
Auditing Logs ................................................................................................................................. 216
Appendix A: DVD/CD Shadowing .................................................................................. 219
Introduction .................................................................................................................................. 219
Operation of the PGP Endpoint Client Driver ..................................................................................... 219
Disk space requirements .............................................................................................................. 219
Supported formats when shadowing ................................................................................................... 220
Handling of unsupported shadowing formats ........................................................................................ 220
CD image analysis ............................................................................................................................ 221
Files ........................................................................................................................................ 221
Logs ........................................................................................................................................ 221
Saved image ............................................................................................................................. 221
Sample analysis log ......................................................................................................................... 221
Supported and unsupported CD formats ............................................................................................... 223
Summary ................................................................................................................................. 223
Supported data block formats and recording modes ........................................................................... 223
Supported and unsupported file system features ............................................................................... 223
Supported DVD/CD burning software ............................................................................................... 225
Appendix B: Important notes ..................................................................................... 227
Appendix C: PGP Endpoint Device Control encryption ...................................................... 231
Introduction ................................................................................................................................... 231
PGP Endpoint Device Control encryption ................................................................................................ 231
Centralized encryption using the Full Encryption Method .......................................................................... 231
Centralized encryption using Easy Exchange ........................................................................................... 232
Decentralized encryption ................................................................................................................... 232
How is the medium assigned to a user/user group ..................................................................................233
Centralized versus decentralized encryption ...........................................................................................233
Full Encryption vs. Easy Exchange ....................................................................................................... 235
Other available encryption methods ................................................................................................... 236
Access to encrypted data using the PGP Endpoint Client Driver ................................................................... 237
If a MS Enterprise Certificate Authority (CA) is installed ........................................................................ 237
If no MS Enterprise Certificate Authority (CA) installed ........................................................................ 238
Access to encrypted data outside the network ....................................................................................... 239
Accessing encrypted data outside the network when using Full Encryption ............................................. 239
PGP Endpoint Stand-Alone Decryption Tool, SADEC ............................................................................ 239
Accessing encrypted data outside the network when using Easy Exchange .............................................. 240
Encryption scenarios ....................................................................................................................... 243
Simple examples ....................................................................................................................... 243
Complex examples ..................................................................................................................... 244
Understanding Cryptography ..............................................................................................................247
Defining cryptography .................................................................................................................247
How do we achieve privacy? ............................................................................................................. 248
Signing communications ............................................................................................................. 249
The security principles of SDC encryption explained ................................................................................ 249
The AES algorithm ...................................................................................................................... 249
Public/private key based communication between SDC tiers ................................................................ 250
The Key Pair Generator ............................................................................................................... 250
Symmetric AES key public/private key based encryption ...................................................................... 250
Digital Signatures ...................................................................................................................... 250
Digital Signatures & Certificate Authorities (CA) .................................................................................. 251
The AES Algorithm ........................................................................................................................... 252
What is AES? ............................................................................................................................. 252
How does AES work? ................................................................................................................... 252
AES and PGP Endpoint Device Control ............................................................................................. 253
Why is AES so secure? ................................................................................................................. 253
Other useful info ............................................................................................................................ 254
What is considered as a removable media? ..................................................................................... 254
What happens if I have forgotten my password? ............................................................................... 254
Recovering a password when using decentralized encryption .............................................................. 254
What happens to my unencrypted data when I encrypt the device it is on?............................................. 254
How do I decrypt a device? .......................................................................................................... 254
Appendix D: PGP Endpoint's Architecture ...................................................................... 257
The whitelist approach ..................................................................................................................... 257
Concepts .................................................................................................................................. 257
Advantages/disadvantages of using a white list ................................................................................. 257
Whitelist and blacklist examples ................................................................................................... 258
A complete security solutions portfolio ................................................................................................ 258
PGP Endpoint Application Control Suite ........................................................................................... 259
PGP Endpoint Device Control ........................................................................................................ 259
PGP Endpoint for Embedded Devices .............................................................................................. 259
PGP Endpoint components ................................................................................................................ 259
The PGP Endpoint Database ......................................................................................................... 260
The PGP Endpoint Administration Server .......................................................................................... 261
PGP Endpoint Client Driver ........................................................................................................... 262
Protocol and ports ..................................................................................................................... 264
Operation overview .................................................................................................................... 265
Key usage ................................................................................................................................ 266
If the PGP Endpoint Administration Server is not reachable ................................................................. 266
The PGP Endpoint Management Console.......................................................................................... 270
Administration Tools ................................................................................................................... 271
Network communications ............................................................................................................. 272
PGP Endpoint Client Driver communications ...................................................................................... 272
PGP Endpoint Administration Server communications ......................................................................... 272
How PGP Endpoint works .................................................................................................................. 272
PGP Endpoint Application Control Suite ............................................................................................ 272
PGP Endpoint Device Control .........................................................................................................274
Glossary................................................................................................................. 279
Index of Figures ...................................................................................................... 285
Index of Tables ....................................................................................................... 291
Index .................................................................................................................... 293
About this guide
Introduction
PGP Endpoint provides policy-based control for all devices and applications that can be used on enterprise
endpoints. Using a whitelist approach (see the detailed explanation in Appendix D: PGP Endpoint's
Architecture), PGP Endpoint enables the development, enforcement, and auditing of application and device
use, in order to maintain IT security, reduce the effort and cost associated with supporting endpoint
technologies, and ensure compliance with regulations. With a whitelist approach, administrators can
concentrate on approving a short list of selected device/application accesses instead of banning
devices/applications and maintaining endless blacklist subscriptions.
PGP Endpoint links application and device policies to eDirectory- and Active Directory-based identities,
dramatically simplifying the management of endpoint application and device resources.
As a security officer or network administrator, you are not only aware of, but also concerned about, the potential
damage a typical user can cause on your network. It has been proven that most attacks and damage come
from within the bounds of the internal firewall and are performed by employees, intentionally or unintentionally. If the
typical end user's abilities can be limited, then the scope of damage can also be restricted and, most
probably, stopped. This is what the Least Privilege Principle advocates: give users only the access and
privileges needed to complete the task at hand.
PGP Endpoint Device Control controls access to devices by applying permission rules to each device type.
Based on the Least Privilege Principle, access to any device is prohibited by default for all users. To grant
access, the administrator associates users or user groups with the devices or complete device classes
for which they should have read and/or write privileges. In this way, PGP Endpoint Device Control extends
the standard Windows security model to control input/output (I/O) devices.
The PGP Endpoint Device Control approach contrasts with traditional security solutions that use blacklists to
specify devices that cannot be used. With PGP Endpoint Device Control, your IT infrastructure is protected
from unauthorized devices until you decide to include them in the whitelist and thus authorize them.
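To make the difference between the two models concrete, here is a small, constructed illustration of default-deny (whitelist) device permissions next to a blacklist. This is added example code, not PGP Endpoint Device Control's own implementation: the rule format, device classes, group names and device identifiers are assumptions chosen for the illustration, and the only behaviour it models is the one described above (access denied unless a user or group is explicitly associated with a device or device class for read and/or write).

```python
"""
Constructed model of whitelist (default-deny) device permissions versus a
blacklist. Not PGP Endpoint's code; rule format, classes and names are
illustrative assumptions only.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Dict

READ, WRITE = "read", "write"


@dataclass(frozen=True)
class Rule:
    """One ACL entry: a principal (user or group) granted a set of operations
    on a whole device class, or on one specific device within that class."""
    principal: str
    device_class: str
    permissions: frozenset
    device_id: Optional[str] = None   # None means the whole device class


@dataclass(frozen=True)
class Device:
    device_id: str
    device_class: str


def allowed_by_whitelist(rules: Iterable[Rule], user: str, groups: Iterable[str],
                         device: Device, operation: str) -> bool:
    """Least-privilege evaluation: the operation is permitted only if some rule
    explicitly grants it to the user or one of the user's groups for this
    device or its class. Anything not matched, including a device the
    administrator has never seen, is denied."""
    principals = {user, *groups}
    for rule in rules:
        if rule.principal not in principals:
            continue
        if rule.device_class != device.device_class:
            continue
        if rule.device_id is not None and rule.device_id != device.device_id:
            continue
        if operation in rule.permissions:
            return True
    return False   # default deny


def allowed_by_blacklist(banned: Iterable[str], device: Device, operation: str) -> bool:
    """Traditional blacklist for contrast: everything is permitted unless the
    device or its class was explicitly banned, so an unknown device passes."""
    banned_set = set(banned)
    return device.device_class not in banned_set and device.device_id not in banned_set


# Constructed sample policy (assumption, not a real configuration): the
# Finance group may read DVD/CD drives; alice may read and write one known
# USB key; nobody else is granted anything.
SAMPLE_RULES = (
    Rule("Finance", "DVD/CD", frozenset({READ})),
    Rule("alice", "Removable Storage", frozenset({READ, WRITE}), device_id="usb-key-0001"),
)
# Constructed blacklist: the only thing the administrator thought to ban.
SAMPLE_BLACKLIST = ("modem",)


def evaluate_samples() -> Dict[str, bool]:
    """Run a few constructed accesses through both models and return the
    decisions, so the contrast on an unknown device is visible."""
    known_key = Device("usb-key-0001", "Removable Storage")
    unknown_key = Device("usb-key-9999", "Removable Storage")
    dvd = Device("dvd-0", "DVD/CD")
    return {
        "alice writes known key (whitelist)":
            allowed_by_whitelist(SAMPLE_RULES, "alice", [], known_key, WRITE),
        "alice writes unknown key (whitelist)":
            allowed_by_whitelist(SAMPLE_RULES, "alice", [], unknown_key, WRITE),
        "bob reads dvd via Finance group (whitelist)":
            allowed_by_whitelist(SAMPLE_RULES, "bob", ["Finance"], dvd, READ),
        "bob writes dvd (whitelist)":
            allowed_by_whitelist(SAMPLE_RULES, "bob", ["Finance"], dvd, WRITE),
        "unknown key passes blacklist":
            allowed_by_blacklist(SAMPLE_BLACKLIST, unknown_key, WRITE),
    }


if __name__ == "__main__":
    for label, decision in evaluate_samples().items():
        print(f"{label}: {'allowed' if decision else 'denied'}")
```

The point of the last entry is the one the text makes: under the blacklist the never-seen USB key is allowed because nobody banned it, while under the whitelist the same key is denied until an administrator associates a user or group with it.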
Complete security
PGP offers a portfolio of security solutions for regulating your organization's applications and devices.
> Our PGP Endpoint Application Control Suite, which includes any of the following programs depending
on your needs:
> PGP Endpoint Application Control Terminal Services Edition extends application control to
Citrix or Microsoft Terminal Services environments, which share applications among multiple users.
> PGP Endpoint Application Control Server Edition delivers application control to protect your
organization's servers, such as its Web server, email server, and database server.
> PGP Endpoint Device Control prevents unauthorized transfer of applications and data by controlling
access to input/output devices, such as memory sticks, modems, and PDAs.
> PGP Endpoint for Embedded Devices moves beyond the traditional desktop and laptop endpoints and
onto a variety of platforms that include ATMs, industrial robotics, thin clients, set-top boxes, network area
storage devices and the myriad of other systems running Windows XP Embedded.
What's in this guide
This guide explains how to use PGP Endpoint Device Control to control end user access to I/O devices,
including floppy disk drives, DVD/CD drives, serial and parallel ports, USB devices, hot swappable and
internal hard drives, as well as other devices.
We have divided this manual into three sections:
Part I contains a general introduction to the PGP Endpoint Device Control program. It is strongly
recommended that you review this section:
> Chapter 1: Introducing PGP Endpoint Device Control provides a high-level overview of PGP Endpoint
Device Control, how it works and how it benefits your organization.
> Chapter 2: Using the PGP Endpoint Console describes the basic principles of how to use PGP Endpoint
Device Control.
Part II contains reference material. It provides information about how to use each of the PGP Endpoint
Device Control modules. The functionality of each module is explained in detail.
> Chapter 3: Using the Device Explorer explains how to set the Access Control List permissions on I/O
devices.
> Chapter 4: Managing permissions/rules shows you how to create, delete, modify, organize, combine
permissions and rules, and how to force a user to encrypt removable storage devices.
> Chapter 5: Using the Log Explorer provides information on how to view a copy of traced files, errors and
access attempts on client computers, and on how to display administrative logs and copies of files (known
as shadow files) that users have written to or read from specific devices.
> Chapter 6: Using the Media Authorizer illustrates how to create a database of known DVD/CDs and
encrypted media and how to assign their rights to individual users and groups.
> Chapter 7: Accessing encrypted media outside of your organization explains how to use encrypted media
outside the company.
> Chapter 8: Setting and changing options describes how to customize default and computer-specific
options for your organization.
> Chapter 9: Generating PGP Endpoint Reports explains how to obtain the HTML reports generated by
PGP Endpoint Device Control.
> Chapter 10: Comprehensive CD/DVD encryption for securing all your CD/DVD data demonstrates how to
encrypt DVDs/CDs and use them outside your organization in a secure way.
> Chapter 11: Using PGP-Encrypted Removable Devices shows you how to define permissions to use
removable devices encrypted with PGP in a PGP Endpoint-protected environment.
Part III contains additional information to help you in day-to-day operations.
> Appendix A: DVD/CD Shadowing describes how to copy the contents of files written/read to/from
DVD/CD (shadowing), the DVD/CD disk and file formats supported by the shadowing operations, and
how to interpret the files written to the Log Explorer module.
> Appendix B: Important notes shows some key comments you should take into account when using PGP
Endpoint Device Control.
> Appendix C: PGP Endpoint Device Control encryption gives a complete behind-the-scenes comparison
between the different encryption methods available in PGP Endpoint Device Control and an explanation
of how this encryption is achieved.
> Appendix D: PGP Endpoint's Architecture provides you with an overview of the PGP Endpoint solution
architecture.
> The Glossary provides definitions of standard acronyms and terms used throughout the guide.
> The several indexes (Index of Figures, Index of Tables, and Index) provide quick access to specific
figures, tables, information, items, or topics.
Conventions
Notational conventions
The following symbols are used throughout this guide to emphasize important points about the information
you are reading:
Take note. You can find here more information about the topic in question. These may
relate to other parts of the system or points that need particular attention.
Shortcut. Here is a tip that may save you time.
Caution. This symbol means that proceeding with a course of action introduces a risk, for example
data loss or a potential problem with the operation of your system.
Typographic conventions
The following typefaces are used throughout this guide:
> Italic Represents fields, menu commands, and cross-references.
> Fixed width Shows messages or commands typed at a command prompt.
> SMALL CAPS Represents buttons you click.
Keyboard conventions
A plus sign between two keyboard keys means that you must press those keys at the same time. For
example, ALT+R means that you hold down the ALT key while you press R.
A comma between two or more keys signifies that you must press each of them consecutively. For example
Alt, R, U means that you press each key in sequence.
Getting Assistance
For additional resources, see these sections.
Getting product information
Unless otherwise noted, the product documentation is provided as Adobe Acrobat PDF files that are installed
with PGP Endpoint. Online help is available within the PGP Endpoint product. Release notes are also
available, which may have last-minute information not found in the product documentation.
Once PGP Endpoint is released, additional information regarding the product is entered into the online
Knowledge Base available on the PGP Corporation Support Portal (https://support.pgp.com).
Contacting Technical Support
> To learn about PGP support options and how to contact PGP Technical Support, please visit the PGP
Corporation Support Home Page (http://www.pgp.com/support).
> To access the PGP Support Knowledge Base or request PGP Technical Support, please visit PGP
Support Portal Web Site (https://support.pgp.com). Note that you may access portions of the PGP
Support Knowledge Base without a support agreement; however, you must have a valid support
agreement to request Technical Support.
> For any other contacts at PGP Corporation, please visit the PGP Contacts Page
(http://www.pgp.com/company/contact/index.html).
> For general information about PGP Corporation, please visit the PGP Web Site (http://www.pgp.com).
> To access the PGP Support forums, please visit PGP Support (http://forums.pgpsupport.com). These are
user community support forums hosted by PGP Corporation.
Part I: Administration
Chapter 1: Introducing PGP Endpoint Device Control
This chapter introduces PGP Endpoint Device Control and explains how it benefits your organization,
protects your data, and improves your productivity. It also contains an overview of the entire PGP Endpoint
system and an explanation of how the program works.
Welcome to PGP Endpoint Device Control
PGP Endpoint Device Control eliminates many of the dangers associated with the abuse of network
resources and mission-critical information from within your organization. PGP Endpoint Device Control
enhances security by controlling end user access to I/O devices, including:
> Floppy disk drives
> DVD/CD drives
> Serial and parallel ports
> USB devices
> Hot swappable and internal hard drives
> and other devices
This is a very effective way of preventing data leakage and theft of electronic intellectual property and
proprietary information.
PGP Endpoint Device Control also prevents the upload and installation of malicious code, unlicensed
software, and other counterproductive applications on your systems. This prevents inappropriate use of
corporate resources, which can incur unnecessary expenses.
PGP Endpoint Device Control allows you to increase employee productivity and lower corporate legal
liabilities while protecting your organization's reputation, image, and assets.
What is PGP Endpoint Device Control
PGP Endpoint Device Control controls access to I/O devices by applying an Access Control List (ACL) to
each device type. By default, access to any device is prohibited for all users. Designated administrators can
assign access and permissions to specific users or groups of users for the devices that they require in their
day-to-day tasks. These permissions can be temporary, online or offline, scheduled, subject to a copy limit,
shadowed (a copy of the transferred data is kept), read, read/write, and so on.
This approach is the opposite of traditional security solutions that maintain a list of specific devices that
cannot be used (a blacklist), which leaves administrators scrambling to update systems whenever a new
class of device appears. With PGP Endpoint Device Control, your IT infrastructure is protected from any
kind of device until you explicitly sanction its use.
What can you do with PGP Endpoint Device Control
As previously stated, using PGP Endpoint Device Control you can boost your IT security levels by:
> Controlling and managing I/O devices through any port, including USB, FireWire, WiFi, Bluetooth, etc.
> Preventing data theft and data leakage
> Preventing malware introduction via removable media usage
> Auditing I/O device usage
> Blocking USB keyloggers (hardware devices that capture and store all keystrokes)
> Encrypting removable media
> Enabling regulatory compliance
and many other features, which are enumerated in this introductory chapter.
With PGP Endpoint Device Control, you can add or change access rights quickly and without the need to
reboot the computer while controlling and monitoring all activities from a central location.
This solution is network friendly and uses a three-tiered architecture that minimizes policy-checking traffic.
Actual control is performed within the client computer itself and is transparent to the user. Because the
control is enforced locally, the protection of PGP Endpoint Device Control extends to employees using
disconnected laptops, delivering the same security regardless of their physical location.
PGP Endpoint Device Control allows you to do the following:
> Define user and group-based permissions on all or specific machines.
> Prevent unknown devices from being installed on your networks.
> Authorize particular device types within a class.
> Uniquely identify individual devices.
> Schedule I/O access for a predefined time or day of the week.
> Create a temporary device access (same day or planned for future timeframe).
> Restrict the amount of data copied to a device.
> Assign administrator roles.
> Create shadow files (i.e. copies of transferred data) of all data written or read, to or from external devices
or specific ports.
> Encrypt media with the powerful AES algorithm.
> Block some media (DVDs/CDs) while permitting other specific ones to be used.
> Require specific users and user groups to encrypt their removable devices.
You can find a full list of characteristics in the Major features section on page 15.
Benefits of using PGP Endpoint Device Control
The advantages of using PGP Endpoint Device Control include the following:
> Strict user policy enforcement: With no more data leakage, you are in control of the four Ws: who,
where, what, and when.
> Specific device permission rules: Permissions enforce a specific organization-approved model.
> Administrator action logging: A complete report of what your administrators are doing.
> Comprehensive reporting: Useful information to keep everything under the strictest control. For example
you can create a daily or weekly scheduled report of all user attempts to access an unauthorized device.
> Data scrutiny: You can optionally enable a copy (shadow) of all data written/read to/from certain devices.
> Copied data restrictions: You have the choice of establishing a daily limit on, or simply stopping, data
being written to external devices.
> Media restrictions: Define in advance which DVDs/CDs can be used in your company.
> Data encryption: Encrypt data as it is being written to a device.
Major features of PGP Endpoint
PGP Endpoint Device Control is designed for large organizations with complex needs. It offers many powerful
features such as:
Centralized device access management
PGP Endpoint Device Control's core functionality is its ability to centrally define and manage the access of
users, user groups, computers and computer groups to the devices on each computer.
Intuitive user interface
Access to devices is controlled using a native Access Control List, arranged in the same way as navigating
through files and folders in Windows Explorer. You can apply permissions at different levels: users, user
groups, all machines, machine groups, specific machines, groups of devices, or even specific devices.
Novell support
PGP Endpoint Device Control fully supports Novell's eDirectory/NDS structure. The Novell eDirectory trees
are synchronized using an external script. These objects appear in the Device Explorer structure, and
permissions and rules can be assigned to them explicitly. Administrators can schedule the synchronization
script using the Windows Task Scheduler (see the PGP Endpoint Setup Guide).
Support for a wide variety of device types and buses
You can grant or deny access permissions for a wide variety of devices using USB, FireWire, ATA/IDE, SCSI,
PCMCIA (or Cardbus), Bluetooth and IrDA buses. See Device types supported on page 17 for a list of the
supported device types.
Read-only access
PGP Endpoint Device Control lets you define a particular device as read-only. You can set read-only
permissions for all file-system based devices, for example, a floppy drive, DVD/CD writer, PCMCIA hard
drive, and so on. Other device permissions you can set restrict writing, encrypting, decrypting, exporting data
to file/media and importing data.
Copy limit
You can limit the quantity of data users can write to floppy disks and removable storage devices on a daily
basis so they cannot abuse their writing permissions.
Temporary access
PGP Endpoint Device Control lets you grant users temporary access to their devices. This means that you
can switch access on without having to remember to switch it off again later. You can also use it to grant
access in the future for a limited period.
Scheduled device access
PGP Endpoint Device Control lets you grant or deny permissions to use a device during a specific period.
This lets you develop sophisticated security policies where certain devices can only be used from, for
example, 9 A.M. to 5 P.M., Monday to Friday.
Context-sensitive permissions
Some permissions are valid regardless of the machine's connection status, while others apply only
depending on their context: you can create permissions that are relevant only when the machine either is
or is not connected to the network. For example, this allows you to disable WiFi cards when laptops are
connected to the company network and enable them when the machine has no wired connection.
File shadowing
PGP Endpoint Device Control's shadow technology enables full auditing of all data written and/or read to/from
file-system based devices such as recordable DVD/CD, removable storage devices, floppy disks, Zip and
PCMCIA drives, as well as serial and parallel ports (written data only). This feature is available on a per-user
basis. Some of these devices support only partial shadowing: the file name is recorded, not the complete
content.
User-defined devices
PGP Endpoint Device Control gives you the ability to manage other kinds of devices in addition to those
supported by default. You can add any device that is not managed by the default installation to the database
as a user-defined device and apply permissions in the usual way.
Offline updates
You can update the permissions of remote machines that cannot establish a network connection to your
corporate network. New permissions can be exported to a file that is later imported onto the client
computer.
Per-device permissions
Sometimes a device type is too general for you to control access to sensitive data effectively. Therefore, you
may want to implement greater control at a lower level: a device model, or even a specific device within
a model. For instance, rather than granting permission to use any type of removable media, you can restrict
access to a specific device of a company-approved model.
Unique, serial-identified removable devices
Administrators can control devices by defining permissions at the class level (for example, all DVD/CD
devices), by classifying devices into logical entities called device groups, or by device model. When working
with removable devices, administrators can go down to a fourth level by defining permissions for a unique
removable device identified by its serial number.
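The default-deny ACL model described under What is PGP Endpoint Device Control, together with the scheduled, context-sensitive, temporary and copy-limit permissions and the class/group/model/unique-device levels described in this section, can be illustrated with a small policy evaluator. The following Python is an added example written for this guide's discussion; it is not PGP Endpoint's own policy engine or policy format. The rule fields, the most-specific-grant-wins conflict resolution, and all user, group and device names are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, Optional, Tuple

MB = 1024 * 1024


@dataclass(frozen=True)
class Device:
    """A device as seen by the client: class, optional admin-defined group,
    model and unique serial number (the four levels discussed above)."""
    dev_class: str
    group: Optional[str] = None
    model: Optional[str] = None
    serial: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    """One grant (assumed layout). Every field left as None means "any"."""
    principals: FrozenSet[str]               # users and groups the grant applies to
    dev_class: str
    group: Optional[str] = None
    model: Optional[str] = None
    serial: Optional[str] = None
    rights: FrozenSet[str] = frozenset()     # subset of {"read", "write"}
    online: Optional[bool] = None            # context-sensitive: True / False / any
    days: Optional[FrozenSet[int]] = None    # scheduled: weekdays, 0 = Monday
    hours: Optional[Tuple[int, int]] = None  # scheduled: [start, end) hour of day
    valid_until: Optional[datetime] = None   # temporary access: expiry time
    daily_limit: Optional[int] = None        # copy limit: bytes written per day

    def matches(self, dev: Device, principals: FrozenSet[str],
                now: datetime, online: bool) -> bool:
        if not (self.principals & principals) or self.dev_class != dev.dev_class:
            return False
        for attr in ("group", "model", "serial"):   # narrower levels must agree
            want = getattr(self, attr)
            if want is not None and want != getattr(dev, attr):
                return False
        if self.online is not None and self.online != online:
            return False
        if self.days is not None and now.weekday() not in self.days:
            return False
        if self.hours is not None and not (self.hours[0] <= now.hour < self.hours[1]):
            return False
        if self.valid_until is not None and now > self.valid_until:
            return False
        return True

    def specificity(self) -> int:
        # class level = 0; group or model = 1; a unique serial device is the narrowest
        return sum(x is not None for x in (self.group, self.model, self.serial))


class DeviceACL:
    """Default-deny evaluator: a request is allowed only if some grant matches it;
    among matching grants the most specific one decides (assumed ordering)."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.written: Dict[tuple, int] = {}  # (user, date) -> bytes written that day

    def decide(self, user, groups, dev, op, now, online, nbytes=0):
        principals = frozenset({user, *groups})
        matching = [r for r in self.rules if r.matches(dev, principals, now, online)]
        if not matching:
            return False, "no matching grant: default deny"
        rule = max(matching, key=Rule.specificity)
        if op not in rule.rights:
            return False, f"{op} not granted at this level"
        if op == "write" and rule.daily_limit is not None:
            key = (user, now.date())
            used = self.written.get(key, 0)
            if used + nbytes > rule.daily_limit:
                return False, "daily copy limit exceeded"
            self.written[key] = used + nbytes
        return True, f"granted (specificity {rule.specificity()})"


def demo() -> Dict[str, bool]:
    """Constructed scenario; returns the allow/deny outcome of each request."""
    sales = frozenset({"group:sales"})
    acl = DeviceACL([
        Rule(sales, "removable", rights=frozenset({"read"}), online=True,
             days=frozenset(range(5)), hours=(9, 17)),        # class level: read-only, 9-5 Mon-Fri, on network
        Rule(sales, "removable", model="ACME SecureStick",
             rights=frozenset({"read", "write"}), daily_limit=10 * MB),  # approved model may write, 10 MB/day
        Rule(frozenset({"group:everyone"}), "wireless",
             rights=frozenset({"read", "write"}), online=False),  # WiFi only when off the wired network
        Rule(frozenset({"user:alice"}), "removable", serial="SN-000123",
             rights=frozenset({"read", "write"}), valid_until=datetime(2008, 6, 1)),  # temporary, one stick
    ])
    mon, sun = datetime(2008, 6, 2, 12, 0), datetime(2008, 6, 8, 12, 0)
    generic, approved = Device("removable", model="NoName"), Device("removable", model="ACME SecureStick")
    stick, wifi = Device("removable", serial="SN-000123"), Device("wireless")
    bob = ("user:bob", {"group:sales", "group:everyone"})
    alice = ("user:alice", {"group:everyone"})
    d = acl.decide
    return {
        "bob_read_generic": d(*bob, generic, "read", mon, True)[0],
        "bob_write_generic": d(*bob, generic, "write", mon, True)[0],
        "bob_read_generic_sunday": d(*bob, generic, "read", sun, True)[0],
        "bob_read_generic_offline": d(*bob, generic, "read", mon, False)[0],
        "bob_write_approved_8mb": d(*bob, approved, "write", mon, True, 8 * MB)[0],
        "bob_write_approved_again": d(*bob, approved, "write", mon, True, 8 * MB)[0],
        "bob_wifi_online": d(*bob, wifi, "read", mon, True)[0],
        "bob_wifi_offline": d(*bob, wifi, "read", mon, False)[0],
        "alice_stick_in_window": d(*alice, stick, "read", datetime(2008, 5, 30, 10, 0), True)[0],
        "alice_stick_expired": d(*alice, stick, "read", mon, True)[0],
        "alice_unknown_device": d(*alice, generic, "read", mon, True)[0],
    }
```

Running demo() shows the behaviour the chapter describes: an unlisted device fails closed for everyone, a class-level grant does not carry write rights into an approved model unless that narrower grant adds them, the second 8 MB write of the day is refused by the 10 MB copy limit, WiFi is usable only when the laptop is off the wired network, and a temporary grant to one serial-numbered stick stops working once it expires.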
Per-device encryption
Restricting access for a specific device to a particular user also incorporates an encryption process to ensure
that sensitive data is not inadvertently exposed to those without authorized access.
Centralized and/or decentralized encryption
Using PGP Endpoint Device Control you, as an administrator, can not only grant users or groups access to a
removable storage device (defined at the class, group, model, or uniquely identified device level) but can also
force users to encrypt their devices locally. This decentralized encryption scheme is a work-around for
organizations that do not want (or need) to manage device encryption centrally while still ensuring that the
company's data is not inadvertently exposed.
DVD/CD recorder shadowing
Shadowing (keeping a copy of the file data) can be used with the following writable media formats: CD-R,
CD-RW, DVD-R, DVD+R, DVD-RW, DVD+RW and DVD-RAM. Shadowing means that data written to or read from
these media is intercepted and made available to the administrators. By default, PGP Endpoint Device Control
disables writing to such media and, when writing must be enabled, you can optionally select to shadow the
data.
DVD/CD recorder shadowing is supported on Windows 2000 (Service Pack 4 or later) and later only.
Windows NT4 is no longer supported by PGP Endpoint Device Control.