Improving Security Through Automated Policy Compliance
Christopher Stevens, Director of Network and Technical Services, Lewis & Clark College
Educause Live! November 12, 2004
Campus Statistics
• 3260 Students: 1875 Undergraduate, 750 Law and 635 Graduate
• 2300 Active Student Computers: 80% PC, 20% Mac
Network Registration and Policy Enforcement at LC
• Fall 2002 – Web based registration (Nomadix). Wireless and public wired areas only.
• Fall 2003 – Blaster hits the residence halls. Like many campuses, we experienced hundreds of infected machines, which required hours of staff time to locate and patch. We needed a better solution.
• Fall 2004 – Perfigo gateway with “SmartEnforcer”.
Implementing Policy Enforcement
• Commercial vs. Open Source – A small staff made supporting open source products more challenging, and we needed to implement a solution in a short amount of time.
• Products
  NetReg (Southwestern) – Open source network registration.
  BlueSocket – Gateway only (although they now offer BlueSecure as an IDS add-on product).
  Nomadix – Gateway only. Geared toward the hospitality market.
  Bradford Software (Campus Manager) – Users are moved into VLANs until they have registered. Also has a plug-in to PacketShaper that gives it some passive monitoring ability.
  Perfigo – Gateway with optional agent.
Implementing Policy Enforcement (Continued)
• Policy Detection – Active, Passive or Agent
  Active – Determine policy compliance externally (scanning the host from the network).
  Passive – Determine policy compliance by monitoring network traffic.
  Agent – Client installed on the workstation.
  We originally wanted active detection, but host-based firewalls made scanners such as Nessus less reliable. We ultimately decided that a local agent would provide the greatest ability to determine compliance. We are also looking to supplement the installed agent with passive monitoring (via ISS RealSecure).
Implementing Policy Enforcement (Continued)
• Isolation/Segregation – Once a computer has been found to be out of compliance, we assign that user a Temporary Role. However, there may be better ways to contain these users (e.g. segmenting with “/30” IP subnets, moving VLAN ports, etc.).
• Detection Interval – Currently we can only verify compliance when a user logs into the network (which could be once a semester). Ideally we would like to check on a daily or weekly basis.
• Remediation – We wanted users to be as self-sufficient as possible, so we provide step-by-step instructions for each failed policy.
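The agent-based workflow on these two slides (check the host against each policy, drop non-compliant users into a Temporary Role, hand them per-policy remediation steps, and re-verify on a detection interval) modelled as an added Python example. This is not Perfigo/SmartEnforcer code; the policy set, the agent report fields and the 7-day interval are assumptions.

```python
from datetime import date, timedelta

CHECK_INTERVAL = timedelta(days=7)   # assumed: weekly re-check target

# Assumed policy set: (id, description, pass-test on the agent report, remediation steps)
POLICIES = [
    ("os_patches", "All critical Windows updates installed",
     lambda r: not r["missing_critical_updates"],
     ["Open Windows Update", "Install every critical update", "Reboot"]),
    ("av_running", "Antivirus client installed and running",
     lambda r: r["av_running"],
     ["Install the campus antivirus client", "Start the antivirus service"]),
    ("av_defs", "Virus definitions no more than 7 days old",
     lambda r: r["av_running"] and (r["checked_on"] - r["av_def_date"]).days <= 7,
     ["Run an update from the antivirus console", "Re-run the compliance check"]),
]

def evaluate(report):
    """Return (role, failed): 'Normal' when every policy passes, otherwise
    'Temporary' plus a dict of failed policy id -> remediation steps."""
    failed = {pid: steps for pid, _desc, passes, steps in POLICIES
              if not passes(report)}
    return ("Temporary" if failed else "Normal"), failed

def remediation_text(failed):
    """Step-by-step instructions shown to a user in the Temporary Role."""
    lines = []
    for pid, steps in failed.items():
        desc = next(d for p, d, _c, _s in POLICIES if p == pid)
        lines.append(f"Failed: {desc}")
        lines.extend(f"  {i}. {step}" for i, step in enumerate(steps, 1))
    return "\n".join(lines)

def recheck_due(last_check, today):
    """Detection interval: True once the last verification is CHECK_INTERVAL old."""
    return today - last_check >= CHECK_INTERVAL

# Constructed agent reports (not real data): one with 20-day-old definitions, one clean.
STALE_REPORT = {"missing_critical_updates": [], "av_running": True,
                "av_def_date": date(2004, 10, 20), "checked_on": date(2004, 11, 9)}
CLEAN_REPORT = dict(STALE_REPORT, av_def_date=date(2004, 11, 8))

if __name__ == "__main__":
    role, failed = evaluate(STALE_REPORT)
    print(role)                                   # Temporary
    print(remediation_text(failed))
    print(recheck_due(STALE_REPORT["checked_on"], date(2004, 11, 16)))  # True
```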
How is it working?
• No worms or viruses on the student network (yet) – Knock on wood: we have not had any outbreaks since we started.
• Reduced End User Support – 85% of our users were able to install the client and other software updates on their own. We also reduced our time in the residence halls from 4 weeks to 1 week. However, we ended up touching the remaining 15% (~300 computers); most were problems related to spyware interfering with Windows updates.
• Surprisingly Few Complaints – Most undergraduate students don’t mind having the software installed. We get more complaints from graduate and law students.
Future
• “RemoteEnforcer” – Instead of students coming to campus and trying to download all the Windows updates and virus definitions at once, they can check from home whether they meet all the policy requirements.
• Real Time Policy Enforcement – Currently we can only check whether a user has the necessary updates when they log in. However, there is a new PC client that will check for policies on a schedule that we can set.
• Integration with Cisco – With the purchase of Perfigo in October, Cisco will integrate the SmartEnforcer client with their “Self-Defending Network” suite.
Questions?
Please contact me at cstevens@lclark.edu
Additional information can also be found at: http://www.lclark.edu/~infotech/NETWORK/sefaq.html