Home Download

MagNOS - More lightweight than a "Zero Client"


Built on a very slim and extremely hardened (according to military standard for the highest security domains) custom Linux platform, incorporating a secure network boot makes this client more "thin" than a standard "zero client" since it does not have ANY permament storage except for the TPM-module and an UEFI boot firmware. This makes it impossible to tamper with any installed bootable operating system since nothing that is executed in runtime is actually installed on the physical hardware.


It is not only the most secure client solution on the market today but probably also the easiest one to manage. All configuration and profile handling for each client is performed on a central management server (SSC-server where SSC=System of Secure Clients). The client does not even need to be powered on to change its configuration since it receives it in a secure manner during the boot process.


The security relies on a two-phase "birth"-process. When the client is entered into a system, it is staged and provisioned to the management server on a separate secure network. It will then initiate its TPM-module and transfer keys to the management server to be able to use cryptographic operations to secure transfer of sensitive data during the boot process on the less secure production network. After it is moved to the production network, all management will be done from the management server, including update of UEFI firmware, so the client will never have to be removed from this network or manually configured in any way after it is set in production.


The SSC system is scalable and can operate over several geograhically separated sites as long as there is some kind of network between them. Due to proprietary solutions in the system, the boot process is very smart to avoid network congestion problems and it has near zero latency in serving boot-images from the server, which makes it efficient even in the worst case where all your clients boot at the exact same moment.


To ensure that even the hardware is secure and runs smoothly with MagNOS, Enguild and Amulet Hotkey has developed the system together so that MagNOS runs in an Amulet hotkey Generation 6 diskless client with a special UEFI and bootloader custom made for MagNOS. The hardware has several intrusion detection/prevention mechanisms to protect it from any manipulation.


The hardware can be ordered to be compliant with TEMPEST requirements.


Security Features include:

  • Secure boot via a certificate authenticated HTTPS-server for maximal integrity of boot-image
  • No access to ANY protected system resources (not even authentication channels) without the use of a smartcard or other PKCS#11 compatible token.
  • The token is used to set up encrypted TCP-tunnels, thus fulfilling strong authentication of a user
  • Single-Sign-On all the way into the protected system. Note: Not compatible with all tokens
  • Security logging and boot-image integrity in real-time provided by ODIN Security Log as part of the complete solution
  • Optional IPSec tunnel towards a gateway in the protected system
  • Optional MACSec to a MACSec compatible switch
  • Optional 802.1X authentication
  • Whitelisting of all USB-devices that are attached to the client

    • Supported display protocols

  • BLAST
  • PCoIP
  • RDP
  • VNC

    • Product info sheet available here


    MagNOS is now available for orders. Please contact you local reseller for more information or the below email if you do not have a local reseller.

    info@enguildsec.com


    Enguild CA Certificate can be found under Documents on Enguild web site