
Defending Laptops with MinUWet




  1. Defending Laptops with MinUWet By Erick Engelke

  2. Laptops and our future?
     • laptops now outsell desktops
     • we expect continued growth of laptops
     • laptops present new opportunities for learning and budgets, but also new IT staff challenges
     • laptop security issues are time-consuming for staff
     • outdated antivirus definitions and OS updates need Internet connectivity to be updated

  3. Solution: We need a strategy which encourages responsible client laptop management

  4. Possible Solutions
     • Cisco NAC (Network Admission Control) - forklift upgrade
     • Microsoft… NAP (Network Access Protection) - vapourware due with Vista server
     • UToronto Endpoint Security Policy (see Managing Self-Managed Computers at this conference) (just learned about it this May)

  5. Continuum of Security
     • none - anarchy
     • available but optional
     • encouraged / accessible
     • heavily enforced

  6. Accessible Security?
     • make technology simple to conceptualize though not necessarily understand
     • it becomes part of the culture
     • examples:
       • privacy of PIN numbers on debit cards
       • security of SSL web sites
     • eventual tolerance by users

  7. How to Encourage Security
     • Educate, Reward, Remind, Nag, Embarrass or Punish

  8. Possible Education Points
     1. secure your computer
        • Antivirus, Workstation Firewall, Updates, …
     2. secure your applications
        • MyWaterloo, SSH, Secure IMAP, VPN
     3. secure yourself
        • best practices (strong secret passwords), avoid probable malware
     users can conceptualize these points, but will they act?

  9. MinUWet: Setting minimum standards
     • NAA detects OS at login screen
     • highly vulnerable OS’s must endure a scan using MinUWet (currently only MS Windows)
     • Antivirus enabled and up-to-date? Freshen!
     • OS getting patches?

  10. MinUWet: Setting minimum standards (cont.)
     • NAA detects OS at login screen
     • highly vulnerable OS’s must endure a scan using MinUWet (currently only MS Windows)
     • Antivirus enabled and up-to-date? Freshen!
     • OS getting patches?
     • HTTP always allowed, download patches
     • pass test… get additional or “premium” network access

  11. MinUWet: Setting minimum standards (cont.)
     • only test once per week, cache results
     • other OS’s are not affected
     • users who do not wish to participate or fail are granted web-only access
     • web-only access is sufficient for AV and OS updates
     • will still do existing security scans and SNORT
     • complementary solutions add more security

  12. Some MinUWet Facts
     • idea is similar to Cisco NAC and MS NAP
     • MinUWet is compatible with all existing hardware and safe with non-MS OSs (challenging, many PDAs claim to be Windows)
     • local expertise, we can adapt it
     • Cisco and MS solutions are stronger but more difficult to run and inflexible
     • MinUWet doesn’t have to be hack-proof, it just has to be better than today’s mess!
     • MinUWet - retired upon better options

  13. Statistics from Two Week Engineering Trial
     • 6486 NAA Windows sessions
     • 3161 or 49% of sessions ran MinUWet
     • 628 distinct users ran MinUWet
     • 168 or 26% of them failed the test initially
     • 75 or 45% of those who failed later passed
     • this indicates users upgraded their systems
     • zero security threats observed (snort)

  14. Campus-wide Rollout
     • March 2nd
       • “help desks” co-ordinate information sharing
     • March 3rd
       • appears in daily newsletter
       • brief message appears at each wireless user login
       • both messages point to a web site where users can learn more and test their laptops (http://minuwet.uwaterloo.ca)
     • Two Weeks Later: March 16th
       • MinUWet goes live and enforces user security

  15. Adding Memory
     • Users didn’t like testing every time
     • we subsequently added memory - computers need only validate once per week
     • 2/3rds of passes are typically pre-approved

  16. How it Works
     • Client System
       • user logs in using browser
       • browser identifies OS
       • download MinUWet
       • run MinUWet
       • collect stats
       • transmit stats
       • displays decision
     • Web server
       • logs user in
       • checks OS against list
       • looks for prior pass
       • sets routing rules
       • informs user of status
       • makes decision
       • changes router settings

  17. What we did right…
     • MinUWet is not too strict
       • not testing for absolute latest patch, look for trend
       • users can still download the patches they need
       • Web access granted until user demonstrates compromised/vulnerable system
       • one week between tests, good compromise of security versus annoyance
     • MinUWet is still strict
       • Not a one-time deal, we catch computers that fall out of scope for patches

  18. Future
     • move to a shared database to store notes of problem users
     • adopt a self-remediation system – some prefer human contact, others want automation
     • wider deployment, grad student offices, maybe residences
     • eventual retirement when vendor product is better

  19. Thank you
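
The server-side admission decision described on slides 9 to 11 and 15 to 17, as an added sketch that is not MinUWet's own code. It assumes the OS is identified from the browser's User-Agent header, that the client report has the fields shown, and that the age thresholds are illustrative; none of these details are given in the slides.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

CACHE_TTL = timedelta(days=7)       # slides 11, 15: one test per week
# Assumed thresholds: the slides say only "up-to-date" and "look for trend".
MAX_AV_AGE = timedelta(days=14)
MAX_PATCH_AGE = timedelta(days=45)

@dataclass
class ScanStats:                    # hypothetical shape of the client's report
    av_enabled: bool
    av_definitions: datetime        # date of the installed AV definitions
    last_patch: datetime            # most recent OS patch installed

def needs_scan(user_agent: str) -> bool:
    """Only desktop Windows is scanned; PDAs that claim to be Windows are not."""
    ua = user_agent.lower()
    if "windows ce" in ua:          # handheld builds also report "Windows"
        return False
    return "windows" in ua

def scan_failures(stats: ScanStats, now: datetime) -> List[str]:
    failures = []
    if not stats.av_enabled:
        failures.append("antivirus disabled")
    elif now - stats.av_definitions > MAX_AV_AGE:
        failures.append("antivirus definitions out of date")
    if now - stats.last_patch > MAX_PATCH_AGE:   # trend, not the latest patch
        failures.append("OS not receiving patches")
    return failures

def decide(user_agent: str, last_pass: Optional[datetime],
           stats: Optional[ScanStats], now: datetime) -> Tuple[str, str]:
    """Return (access level, reason); 'web-only' still allows AV/OS updates."""
    if not needs_scan(user_agent):
        return "premium", "OS not subject to scan"
    if last_pass is not None and now - last_pass < CACHE_TTL:
        return "premium", "passed within the last week"
    if stats is None:               # user declined or has not yet run the scan
        return "web-only", "scan not run"
    failures = scan_failures(stats, now)
    if failures:
        return "web-only", "; ".join(failures)
    return "premium", "scan passed"
```

The User-Agent header and the scan report are both supplied by the client, so this check raises the baseline rather than resisting a determined user, which matches the "doesn't have to be hack-proof" goal on slide 12.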
