Automating Endpoint Security Policy Enforcement Computing and Networking Services University of Toronto
Unmanaged ‘Endpoints’
Systems not proactively managed by University IT staff:
- 7000 student residents, with a September and January overload
- active unique wireless user accounts
Subject to:
- missing OS updates
- missing or expired AV protection
- unsupported or pirated OS / service pack
- already compromised: spyware, virus / worm / trojan (V / W / T)
Automation Framework
Network Isolation
Vulnerability: Detection ↔ Remediation
- Missing patches ↔ user: WindowsUpdate
- … ↔ …
Compromise: Detection ↔ Remediation
- V / W / T ↔ user: SAV scan
- … ↔ …
Isolation
- IP based: DHCP using two address pools, routable and non-routable (SWU Netreg), with full DNS in both.
- HTTP control (Squid): configures what users in the restricted zone can reach over the web.
- Dynamic firewall port control (iptables): blocks services in the restricted zone, except during the IDS test interval.
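The per-client firewall side of that scheme, as an added example rather than the deck's own scripts: a restricted-zone client keeps DNS, has port 80 redirected to Squid (which serves the access and remediation pages) and loses every other service in both directions, so a worm on it cannot reach its neighbours; during the IDS test interval the client/IDS pair is exempted so Snort and the scanner can see the client's services. The pool addresses, chain name, Squid port, resolver and IDS host are assumptions chosen for illustration.

```python
"""Per-client iptables rules for the two-zone (routable / non-routable) isolation.

Added example, not code from the University of Toronto deck. Pools, chain name,
Squid port, resolver and IDS host below are assumptions.
"""
import ipaddress
import shlex
import subprocess

ROUTABLE_POOL = ipaddress.ip_network("192.0.2.0/24")     # assumed: registered, clean clients
RESTRICTED_POOL = ipaddress.ip_network("10.200.0.0/16")  # assumed: non-routable DHCP pool
RESTRICTED_CHAIN = "RESTRICTED"   # assumed: FORWARD jumps here for the restricted pool
SQUID_PORT = 3128                 # assumed: Squid on the gateway, HTTP control pages
RESOLVER = "10.200.255.1"         # assumed: DNS resolver, always reachable ("full DNS")
IDS_HOST = "10.200.255.2"         # assumed: Snort / scan host inside the restricted zone


def zone_of(client_ip):
    """Map a DHCP-assigned address to its zone."""
    addr = ipaddress.ip_address(client_ip)
    if addr in RESTRICTED_POOL:
        return "restricted"
    if addr in ROUTABLE_POOL:
        return "routable"
    raise ValueError(f"{client_ip} is not in either DHCP pool")


def isolation_rules(client_ip, ids_test_window=False):
    """Build the iptables argv lists for one client.

    Order matters: the exemptions for the IDS test interval are inserted at
    position 1 so they win over the catch-all DROP rules appended at the end.
    """
    if zone_of(client_ip) == "routable":
        return []  # routable clients are not filtered by this chain
    c = RESTRICTED_CHAIN
    rules = [
        # DNS stays open so the client can resolve the remediation pages
        ["iptables", "-A", c, "-s", client_ip, "-d", RESOLVER,
         "-p", "udp", "--dport", "53", "-j", "ACCEPT"],
        # replies to what the client initiated (e.g. DNS answers) come back
        ["iptables", "-A", c, "-d", client_ip, "-m", "conntrack",
         "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"],
        # web traffic is hijacked to Squid, which serves the access page
        ["iptables", "-t", "nat", "-A", "PREROUTING", "-s", client_ip,
         "-p", "tcp", "--dport", "80", "-j", "REDIRECT", "--to-ports", str(SQUID_PORT)],
    ]
    if ids_test_window:
        rules += [
            ["iptables", "-I", c, "1", "-s", client_ip, "-d", IDS_HOST, "-j", "ACCEPT"],
            ["iptables", "-I", c, "1", "-s", IDS_HOST, "-d", client_ip, "-j", "ACCEPT"],
        ]
    rules += [
        # everything else, in both directions, is dropped: the client's
        # services are unreachable and it cannot probe other clients
        ["iptables", "-A", c, "-s", client_ip, "-j", "DROP"],
        ["iptables", "-A", c, "-d", client_ip, "-j", "DROP"],
    ]
    return rules


def apply_rules(rules, dry_run=True):
    """Return the shell form of the rules; run them only when dry_run is False (needs root)."""
    rendered = [shlex.join(r) for r in rules]
    if not dry_run:
        for r in rules:
            subprocess.run(r, check=True)
    return rendered


if __name__ == "__main__":
    for line in apply_rules(isolation_rules("10.200.3.7", ids_test_window=True)):
        print(line)
```

Run with `dry_run=True` first and read the rendered rules; the IDS exemption should be removed again (or the client re-isolated) as soon as the test interval ends, otherwise the "except for IDS test interval" becomes a permanent hole.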
Detection Framework
- Active: scanning from an external source, e.g. Nmap, Nessus.
- Passive: monitoring network traffic, e.g. tcpdump, Snort.
- Agent: client software, continuous or run-once.
Detection Implementation
Vulnerability
- Missing critical patches: MBSA (CLI version)
- Missing antivirus: registry check and wmic
- Weak passwords: John the Ripper
- Insecure user configuration: user privileges, AutoUpdates, root certificate audit
Compromise
- Virus/worm/trojan: IDS (Snort, TCPView), Microsoft MSR*
- Spyware: Spybot CLI
- Rootkit: RootkitRevealer
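The network-behaviour half of the compromise check (the Snort host/port-scan check and the TCPView excessive-SYN check over a short sample) reduces to a few counters over a connection-table sample. The following is an added example, not the deck's HealthChk code: the input is a constructed, TCPView-like snapshot (time in seconds, protocol, local endpoint, remote endpoint, state), the 20-second window is the deck's, and the three thresholds are assumed tuning values.

```python
"""Worm-behaviour check over a 20-second connection-table sample.

Added example, not code from the University of Toronto deck. Line format is a
constructed TCPView-like snapshot; thresholds are assumed tuning values.
"""
import re
from collections import Counter, defaultdict

SAMPLE_SECONDS = 20          # the deck's sample interval
SYN_RATE_THRESHOLD = 2.0     # assumed: SYN_SENT per second that marks a worm
HOST_SWEEP_THRESHOLD = 20    # assumed: distinct hosts hit on one port
PORT_SCAN_THRESHOLD = 15     # assumed: distinct ports probed on one host

# "<t> <proto> <local-ip:port> <remote-ip:port> <state>"
LINE_RE = re.compile(
    r"^(?P<t>\d+(?:\.\d+)?)\s+(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)$"
)


def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def split_endpoint(ep):
    host, _, port = ep.rpartition(":")
    return host, int(port)


def analyse(lines, sample_seconds=SAMPLE_SECONDS):
    """Return (source, reason, measure) findings for half-open connections in the window."""
    syn_count = Counter()
    hosts_by_port = defaultdict(set)   # (src, dport) -> remote hosts: host sweep
    ports_by_host = defaultdict(set)   # (src, dst)   -> remote ports: port scan
    for line in lines:
        rec = parse_line(line)
        # only TCP half-open connections inside the sample window count
        if rec is None or rec["proto"] != "TCP" or rec["state"] != "SYN_SENT":
            continue
        if float(rec["t"]) > sample_seconds:
            continue
        src, _ = split_endpoint(rec["local"])
        dst, dport = split_endpoint(rec["remote"])
        syn_count[src] += 1
        hosts_by_port[(src, dport)].add(dst)
        ports_by_host[(src, dst)].add(dport)

    findings = []
    for src, n in sorted(syn_count.items()):
        rate = n / sample_seconds
        if rate >= SYN_RATE_THRESHOLD:
            findings.append((src, "excessive SYN rate", rate))
    for (src, dport), hosts in sorted(hosts_by_port.items()):
        if len(hosts) >= HOST_SWEEP_THRESHOLD:
            findings.append((src, f"host sweep on tcp/{dport}", len(hosts)))
    for (src, dst), ports in sorted(ports_by_host.items()):
        if len(ports) >= PORT_SCAN_THRESHOLD:
            findings.append((src, f"port scan of {dst}", len(ports)))
    return findings


def worm_sample():
    """Constructed: an infected host sweeping tcp/445 across a /24 during the sample."""
    lines = ["0.00 TCP 10.200.3.7:1030 10.200.255.1:80 ESTABLISHED",
             "0.10 UDP 10.200.3.7:1031 10.200.255.1:53 LISTENING"]
    for i in range(60):                      # 60 SYNs in 20 s = 3.0/s
        lines.append(f"{i / 3:.2f} TCP 10.200.3.7:{1100 + i} 10.200.4.{i + 1}:445 SYN_SENT")
    lines.append("25.00 TCP 10.200.3.7:1200 10.200.5.1:445 SYN_SENT")  # outside the window
    return lines


def clean_sample():
    """Constructed: a healthy client with a couple of ordinary connections."""
    return ["0.00 TCP 10.200.3.8:1030 10.200.255.1:80 ESTABLISHED",
            "4.50 TCP 10.200.3.8:1031 192.0.2.20:443 SYN_SENT",
            "9.00 TCP 10.200.3.8:1032 192.0.2.21:443 SYN_SENT"]


if __name__ == "__main__":
    for finding in analyse(worm_sample()):
        print(finding)
```

The sample must be taken while the client is briefly let out of isolation, as the deck notes; with every port blocked, a worm's SYNs never leave the host and the counters stay at zero.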
Remediation
Vulnerability
- WindowsUpdate (user)
- Install SAV (user)
- Weak passwords (user)
- Insecure user configuration (user-run wizard)
Compromise
- Virus/worm/trojan: SAV scan, Trend Micro Sysclean, Microsoft MSR
- Spyware: user-run Spybot
- Rootkit: assisted
Tools in Detail: Wizard UI
- CLI utilities wrapped using open source Windows installers: NSIS, InnoSetup.
- Provides a familiar wizard user interface for the detection and remediation tools.
- Provides a ‘run-once’ function: no installation required.
- API includes registry read/write and cookie writing.
- Two formats: stand-alone and server integration.
Tools in Detail: MBSA
- Detects all critical updates on the day of release, and also detects updates to already installed versions.
Tools in Detail: Password Audit
- Checks for a blank password, password equal to the username, and a dictionary lookup of words found in blended threats.
Tools in Detail: IDS Checks
- Snort check for host/port scan (20 sec. sample). Note: isolation is opened up during the check to allow client/server connections.
- TCPView check for excessive SYN rate.
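The three password checks above, as an added example and not the deck's tool (which drives John the Ripper against the host's hashes): the candidate order is blank, then the username in a few capitalisations, then each blended-threat word with a couple of assumed mangling rules. SHA-256 stands in for the NT hash so the example runs without a SAM dump; the word list and the accounts are constructed.

```python
"""Weak-password audit: blank, password = username, blended-threat dictionary.

Added example, not code from the University of Toronto deck. SHA-256 is a
stand-in for the NT hash; the word list and accounts are constructed.
"""
import hashlib

# constructed: the kind of words worms carry to brute-force admin shares
BLENDED_THREAT_WORDS = [
    "password", "admin", "administrator", "123456", "12345", "111", "test",
    "root", "server", "secret", "owner", "login", "pass", "computer",
]


def stand_in_hash(password):
    """Stand-in for the NT hash John the Ripper would crack (assumption)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def candidates(username, wordlist):
    """Yield (candidate, reason) in the order the audit tries them, without repeats."""
    checks = [("", "blank password")]
    for variant in (username, username.lower(), username.capitalize()):
        checks.append((variant, "password equals username"))
    for word in wordlist:
        # assumed mangling rules: as-is, capitalised, trailing digit
        for variant in (word, word.capitalize(), word + "1"):
            checks.append((variant, f"dictionary word '{word}'"))
    seen = set()
    for cand, reason in checks:
        if cand not in seen:
            seen.add(cand)
            yield cand, reason


def audit(accounts, wordlist=BLENDED_THREAT_WORDS):
    """accounts: {username: hash}. Return {username: reason} for every weak account."""
    weak = {}
    for user, digest in accounts.items():
        for cand, reason in candidates(user, wordlist):
            if stand_in_hash(cand) == digest:
                weak[user] = reason   # first matching rule wins
                break
    return weak


SAMPLE_ACCOUNTS = {  # constructed local accounts and their (stand-in) hashes
    "Administrator": stand_in_hash(""),
    "student": stand_in_hash("Student"),
    "guest": stand_in_hash("password1"),
    "jdoe": stand_in_hash("c0rrect-H0rse!battery"),
}


if __name__ == "__main__":
    for user, reason in audit(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {reason}")
```

The remediation on the deck's side is a user action, so the reason string is what the wizard should show: "blank password" or "password equals username" tells the user exactly which habit to drop, whereas a bare "weak" does not.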
Applications: ESP
- Integration of isolation, MBSA detection and user remediation.
- Admin functions: initiate the registration cycle, isolate/block a MAC, configure isolation access.
Applications: HealthChk
- Integration of isolation and compromise detection, for assisted detection and remediation.
- Admin functions: convenient access to the external utilities.
Applications: Future
- Create a remote HealthChk system: the user runs the detection and remediation tools remotely. Support for Linux?
- Other applications?
- Managed-environment use: encourage users to use the automated systems; no isolation, enforcement via reminders.
More Information