Automating Endpoint Security Policy Enforcement

Computing and Networking Services, University of Toronto

Page 2: Unmanaged ‘Endpoints’

Systems not proactively managed by University IT staff:

- 7000 student residents – Sept & Jan overload.
- 12000 active unique wireless user accounts.

Subject to:

- Missing OS updates, missing/expired AV protection, unsupported/pirated OS/SP.
- Already compromised – spyware, V / W / T (virus/worm/trojan).

Page 3: Automation Framework

(Diagram: each detection result is paired with a remediation step, and the whole cycle runs inside Network Isolation.)

Network Isolation

  Vulnerability    Detection          ↔  Remediation
                   Missing Patches    ↔  user – WindowsUpdate
                   …                  ↔  …

  Compromise       Detection          ↔  Remediation
                   V / W / T          ↔  user – SAV scan
                   …                  ↔  …

Page 4: Isolation

- IP based – DHCP using two address pools, routable and non-routable (SWU Netreg), with full DNS.
- HTTP control (Squid) – configure access for users in the restricted zone.
- Dynamic firewall port control (IPtables) – block services in the restricted zone, except for the IDS test interval.
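The three isolation mechanisms on this slide (two DHCP pools, Squid access control for the restricted zone, iptables blocking with a temporary opening for the IDS test interval) can be expressed as a small configuration generator. The following is an added example written for this page, not the University's ESP code; the pool ranges, DNS server, Squid port, interface name and remediation host are constructed placeholders, and the rule ordering (ACCEPT and REDIRECT before the final DROP) is the point being shown.

```python
"""Two-pool isolation zone: DHCP pool selection, iptables rules for the
restricted zone, and the temporary opening used during the IDS test interval.
All addresses and names below are constructed placeholders (assumptions)."""
from ipaddress import ip_address, ip_network

RESTRICTED_POOL = ip_network("10.99.0.0/16")   # constructed: non-routable pool
ROUTABLE_POOL = ip_network("192.0.2.0/24")     # constructed: routable pool
DNS_SERVER = "10.99.0.2"                       # constructed: resolver reachable from both pools
SQUID_PORT = 3128                              # assumed: Squid listen port on the gateway
REMEDIATION_HOSTS = ["10.99.0.10"]             # constructed: local update/AV mirror
LAN_IF = "eth1"                                # assumed: interface facing the residence network


def pool_for(mac, registered_macs):
    """DHCP pool selection: a registered MAC gets a routable lease, any other
    MAC lands in the non-routable (restricted) pool. MACs compare case-insensitively."""
    normalized = {m.lower() for m in registered_macs}
    return ROUTABLE_POOL if mac.lower() in normalized else RESTRICTED_POOL


def restricted_zone_rules():
    """iptables rules for the restricted zone. Allow DNS ('full DNS' on the
    slide) and the remediation hosts, force HTTP through Squid, drop everything
    else. Order matters: every ACCEPT/REDIRECT must precede the final DROP."""
    pool = str(RESTRICTED_POOL)
    rules = [
        f"iptables -A FORWARD -i {LAN_IF} -s {pool} -d {DNS_SERVER} -p udp --dport 53 -j ACCEPT",
        f"iptables -A FORWARD -i {LAN_IF} -s {pool} -d {DNS_SERVER} -p tcp --dport 53 -j ACCEPT",
    ]
    for host in REMEDIATION_HOSTS:
        rules.append(f"iptables -A FORWARD -i {LAN_IF} -s {pool} -d {host} -j ACCEPT")
    # Transparent proxying: HTTP from the restricted pool is redirected to the
    # local Squid, which then applies the destination list from squid_acl().
    # Redirected packets hit INPUT, not FORWARD, so Squid's port must be accepted there.
    rules.append(f"iptables -t nat -A PREROUTING -i {LAN_IF} -s {pool} -p tcp --dport 80 "
                 f"-j REDIRECT --to-ports {SQUID_PORT}")
    rules.append(f"iptables -A INPUT -i {LAN_IF} -s {pool} -p tcp --dport {SQUID_PORT} -j ACCEPT")
    # Everything else from the restricted zone is blocked.
    rules.append(f"iptables -A FORWARD -i {LAN_IF} -s {pool} -j DROP")
    return rules


def ids_test_window(client_ip):
    """Temporarily open isolation for one client so the IDS sample can observe
    its outbound behaviour, then close it again. Returns (open_cmd, close_cmd);
    the caller runs open_cmd, waits the test interval, then runs close_cmd.
    -I inserts the ACCEPT ahead of the DROP; -D removes exactly that rule."""
    ip = ip_address(client_ip)
    if ip not in RESTRICTED_POOL:
        raise ValueError(f"{ip} is not in the restricted pool")
    spec = f"FORWARD -i {LAN_IF} -s {ip} -j ACCEPT"
    return f"iptables -I {spec}", f"iptables -D {spec}"


def squid_acl(allowed_domains):
    """Squid configuration fragment: clients in the non-routable pool may only
    reach the listed destinations (e.g. update and AV vendor sites)."""
    return "\n".join([
        f"acl restricted src {RESTRICTED_POOL}",
        "acl remediation dstdomain " + " ".join(allowed_domains),
        "http_access allow restricted remediation",
        "http_access deny restricted",
    ])


if __name__ == "__main__":
    print("\n".join(restricted_zone_rules()))
    print(squid_acl(["update.example.edu", "av.example.edu"]))  # constructed domains
    print(*ids_test_window("10.99.1.7"), sep="\n")
```

Only the final FORWARD rule drops; a client that tripped the isolation can still resolve names and reach the remediation hosts, which is what lets the user-run remediation on later slides work from inside the restricted zone.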

Page 5: Detection Framework

- Active – scanning from an external source, e.g. Nmap, Nessus.
- Passive – monitoring network traffic, e.g. Tcpdump, Snort.
- Agent – client software, continuous or run-once.

Page 6: Detection Implementation

Vulnerability
- Missing critical patches: MBSA (cli version)
- Missing antivirus: registry check and wmic
- Weak passwords: John the Ripper
- Insecure user configuration: user privileges, AutoUpdates, root cert audit

Compromise
- Virus/worm/trojan: IDS (Snort, TCPView), Microsoft MSR*
- Spyware: Spybot cli
- Rootkit: RootkitRevealer

Page 7: Remediation

Vulnerability
- WindowsUpdate (user)
- Install SAV (user)
- Weak passwords (user)
- Insecure user configuration (user-run wizard)

Compromise
- Virus/worm/trojan: SAV scan, TrendMicro Sysclean, Microsoft MSR
- Spyware: (user-run Spybot)
- Rootkit: (assisted)

Page 8: Tools in Detail

Wizard UI
- CLI utilities wrapped using open source Windows installers: NSIS, InnoSetup.
- Provides a familiar wizard user interface for detection/remediation tools.
- Provides a ‘run-once’ function – no installation required.
- API includes registry read/write, cookie writing.
- Two formats – stand-alone and server integration.

MBSA
- Detection of all critical updates available on day of release; also detects updates to existing versions.

Page 9: Tools in Detail (continued)

Password Audit
- Checks for blank password, password=username, and dictionary lookup of words found in blended threats.
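The three checks on this slide are also what a password-change policy hook would enforce before a weak password is ever set. The following is an added example written for this page, not the University's audit tool (which used John the Ripper against captured hashes, per the Detection Implementation slide); the word list is a small constructed stand-in for the "words found in blended threats" list, and the normalisation (lower-casing, dropping trailing digits and symbols) is an assumption about how to catch the usual "Password1!" variants.

```python
"""Password policy check implementing the slide's three audit rules:
blank password, password equal to username, dictionary word.
Added example; the dictionary below is constructed, not the real list."""
import re

# Constructed stand-in for the words seen in blended-threat password lists.
BLENDED_THREAT_WORDS = {"password", "admin", "administrator", "server",
                        "secret", "login", "root", "guest", "test"}


def _normalize(value):
    """Lower-case and strip trailing digits/symbols, so 'Password1!' and
    'ADMIN2004' compare as 'password' and 'admin'."""
    return re.sub(r"[\d\W_]+$", "", value.lower())


def audit_password(username, password, dictionary=BLENDED_THREAT_WORDS):
    """Return the list of failed checks; an empty list means all three pass.
    A blank password short-circuits, since the other checks are meaningless."""
    findings = []
    if password == "":
        return ["blank"]
    user = username.lower()
    if password.lower() == user or _normalize(password) == user:
        findings.append("equals-username")
    if password.lower() in dictionary or _normalize(password) in dictionary:
        findings.append("dictionary")
    return findings


def audit_accounts(accounts, dictionary=BLENDED_THREAT_WORDS):
    """Audit many (username, password) pairs. Returns {username: findings}
    containing only the accounts that fail at least one check."""
    report = {}
    for username, password in accounts:
        findings = audit_password(username, password, dictionary)
        if findings:
            report[username] = findings
    return report


if __name__ == "__main__":
    # Constructed sample accounts.
    sample = [("alice", ""), ("bob", "Bob1"), ("carol", "Password1!"),
              ("dave", "xk9#Qv!2Lm"), ("erin", "admin")]
    for user, why in audit_accounts(sample).items():
        print(f"{user}: {', '.join(why)}")
```

The normalised comparison is deliberately one-directional: it makes the audit stricter (more variants are caught) without ever accepting a password the plain comparison would reject.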

IDS
- Snort: check for host/port scan (20 sec. sample). Note: isolation is opened up to allow client–server connections during the sample.
- TCPView: check for excessive SYN rate.
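Both IDS checks on this slide reduce to counting outbound connection attempts in one 20-second sample: distinct remote hosts (host scan), distinct ports on one remote host (port scan), and SYN_SENT entries per second (excessive SYN rate). The following is an added example written for this page, not the Snort rules or TCPView itself: it runs that logic over a constructed sample in a whitespace-separated record format modelled loosely on TCPView's columns, and the three thresholds are assumptions chosen for a residence network where clients should not be opening connections to many hosts.

```python
"""Host/port-scan and SYN-rate checks over a 20-second connection sample.
Record format (our own, constructed, one entry per line):
  <seconds> <process> <proto> <local ip:port> <remote ip:port> <state>
Thresholds are assumptions, not values from the slides."""
from collections import defaultdict

SAMPLE_SECONDS = 20        # the slide's Snort sample interval
HOST_SCAN_MIN_HOSTS = 20   # assumed: distinct remote hosts contacted in one sample
PORT_SCAN_MIN_PORTS = 15   # assumed: distinct ports tried on a single remote host
SYN_RATE_MAX = 1.0         # assumed: SYN_SENT entries per second, per local host


def parse_sample(text):
    """Parse the record format above into a list of dicts."""
    records = []
    for line in text.strip().splitlines():
        t, proc, proto, local, remote, state = line.split()
        local_ip, _ = local.rsplit(":", 1)
        remote_ip, remote_port = remote.rsplit(":", 1)
        records.append({"t": float(t), "proc": proc, "proto": proto,
                        "local_ip": local_ip, "remote_ip": remote_ip,
                        "remote_port": int(remote_port), "state": state})
    return records


def classify(records, window=SAMPLE_SECONDS):
    """Return {local_ip: [findings]} for every local host that trips a check.
    Only SYN_SENT entries count: they are outbound attempts, which is what both
    a scanning worm and a port scanner produce; established sessions are ignored."""
    syn_count = defaultdict(int)
    remote_hosts = defaultdict(set)
    ports_per_host = defaultdict(lambda: defaultdict(set))
    for r in records:
        if r["state"] != "SYN_SENT":
            continue
        ip = r["local_ip"]
        syn_count[ip] += 1
        remote_hosts[ip].add(r["remote_ip"])
        ports_per_host[ip][r["remote_ip"]].add(r["remote_port"])

    findings = {}
    for ip, count in syn_count.items():
        hits = []
        if count / window > SYN_RATE_MAX:
            hits.append("syn-rate")
        if len(remote_hosts[ip]) >= HOST_SCAN_MIN_HOSTS:
            hits.append("host-scan")
        if any(len(p) >= PORT_SCAN_MIN_PORTS for p in ports_per_host[ip].values()):
            hits.append("port-scan")
        if hits:
            findings[ip] = hits
    return findings


def constructed_sample():
    """Constructed 20-second sample with three client behaviours."""
    lines = []
    # Worm-like client: 30 attempts to 30 different hosts on port 445 within 20 s.
    for i in range(30):
        lines.append(f"{i * 20 / 30:.2f} svchost.exe TCP 10.99.1.7:{1030 + i} 10.1.2.{i + 1}:445 SYN_SENT")
    # Port-scanning client: 18 different ports on one remote host, under the SYN-rate limit.
    for i in range(18):
        lines.append(f"{i:.2f} unknown.exe TCP 10.99.1.9:{2000 + i} 10.1.5.5:{i + 1} SYN_SENT")
    # Ordinary browsing: a few established sessions, no SYN_SENT.
    lines += ["1.00 iexplore.exe TCP 10.99.1.8:1500 203.0.113.10:80 ESTABLISHED",
              "2.00 iexplore.exe TCP 10.99.1.8:1501 203.0.113.10:443 ESTABLISHED",
              "3.00 iexplore.exe TCP 10.99.1.8:1502 198.51.100.7:80 ESTABLISHED"]
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, hits in classify(parse_sample(constructed_sample())).items():
        print(f"{ip}: {', '.join(hits)}")
```

The worm-like client trips both the SYN-rate and host-scan checks, the port scanner only the port-scan check (18 attempts in 20 seconds is under the assumed 1/s rate), and the browsing client none; that separation is why the slide runs the two checks side by side rather than relying on SYN rate alone.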

Page 10: Applications - ESP

- Integration of isolation, MBSA detection, and user remediation.
- Admin functions: init registration cycle, isolation/block MAC, configure isolation access.

Page 11: Applications - HealthChk

- Integration of isolation and compromise detection for assisted detection and remediation.
- Admin functions: convenient access to external utilities.

Page 12: Applications - Future

- Create a remote HealthChk system: the user runs detection and remediation tools remotely; support for Linux?

Other Applications?
- Managed environment use – encourage users to use the automated systems, no isolation, enforcement via email reminders.

Page 13: More Information

http://www.utoronto.ca/security/UTORprotect
http://security.internet2.edu/netauth
http://www.netreg.org