Automating Endpoint Security Policy Enforcement
Computing and Networking Services, University of Toronto
Unmanaged 'Endpoints'
Systems not proactively managed by University IT staff:
- 7000 student residents (September and January overload)
- 12000 active unique wireless user accounts
Subject to:
- Missing OS updates, missing or expired AV protection, unsupported or pirated OS/SP
- Already compromised: spyware, virus / worm / trojan
Automation Framework
Isolation
- IP based: DHCP using two address pools, routable and non-routable (SWU Netreg), with full DNS.
- HTTP control (Squid): configure access for users in the restricted zone.
- Dynamic firewall port control (iptables): block services in the restricted zone, except for the IDS test interval.
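The isolation scheme above, modelled as an added example (this is not code from the University of Toronto project): a registration state decides which DHCP pool a MAC is leased from, and the restricted zone's firewall is default-deny with only DNS, the Squid HTTP proxy and the remediation hosts reachable, except while the IDS test interval is open. The address ranges, proxy port, host addresses and the MAC states ('clean', 'pending', 'blocked') are assumptions for the example; iptables commands are returned as strings rather than applied, so the block runs anywhere.

```python
from dataclasses import dataclass, field
from typing import Dict, List

RESTRICTED_POOL = "10.0.0.0/16"    # non-routable pool (assumed range)
ROUTABLE_POOL = "128.100.0.0/16"   # routable pool (assumed range)


@dataclass
class ZoneConfig:
    """Hosts the restricted zone may still reach (all addresses assumed)."""
    restricted_net: str = RESTRICTED_POOL
    squid: str = "10.0.0.1"        # HTTP control proxy
    squid_port: int = 3128
    dns_servers: List[str] = field(default_factory=lambda: ["10.0.0.2"])
    remediation_hosts: List[str] = field(default_factory=lambda: ["10.0.0.3"])


def assign_pool(mac: str, registry: Dict[str, str]) -> str:
    """Pick the DHCP pool for a MAC from its registration state.

    Only an endpoint recorded as 'clean' (registered and passed detection)
    gets a routable lease; unknown, 'pending' and 'blocked' endpoints are
    leased from the non-routable pool, i.e. the restricted zone.
    """
    return ROUTABLE_POOL if registry.get(mac.lower()) == "clean" else RESTRICTED_POOL


def restricted_zone_rules(cfg: ZoneConfig, ids_test_open: bool = False) -> List[str]:
    """Return the iptables commands for traffic leaving the restricted zone.

    Specific ACCEPT/DNAT rules come first and a catch-all DROP last. While
    the IDS test interval is open the zone is allowed out so the IDS can
    observe the client's own connection attempts.
    """
    net = cfg.restricted_net
    if ids_test_open:
        return [f"iptables -A FORWARD -s {net} -j ACCEPT"]
    rules: List[str] = []
    for dns in cfg.dns_servers:
        for proto in ("udp", "tcp"):
            rules.append(f"iptables -A FORWARD -s {net} -d {dns} -p {proto} --dport 53 -j ACCEPT")
    # Web traffic is redirected to Squid, which serves the registration and
    # remediation pages and decides which other sites a restricted user may reach.
    rules.append(
        f"iptables -t nat -A PREROUTING -s {net} -p tcp --dport 80 "
        f"-j DNAT --to-destination {cfg.squid}:{cfg.squid_port}"
    )
    # The redirected packets still traverse FORWARD, so the proxy port must be allowed.
    rules.append(f"iptables -A FORWARD -s {net} -d {cfg.squid} -p tcp --dport {cfg.squid_port} -j ACCEPT")
    for host in cfg.remediation_hosts:
        rules.append(f"iptables -A FORWARD -s {net} -d {host} -j ACCEPT")
    rules.append(f"iptables -A FORWARD -s {net} -j DROP")
    return rules


if __name__ == "__main__":
    registry = {"00:11:22:33:44:55": "clean", "66:77:88:99:aa:bb": "pending"}
    print(assign_pool("00:11:22:33:44:55", registry))   # routable
    print(assign_pool("66:77:88:99:AA:BB", registry))   # restricted
    for rule in restricted_zone_rules(ZoneConfig()):
        print(rule)
```

The ordering is the point: anything not explicitly accepted or redirected hits the final DROP, and the IDS test interval is a separate, deliberately short, rule set rather than a hole punched in the normal one.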
Detection Framework
- Active: scanning from an external source, e.g. Nmap, Nessus.
- Passive: monitoring network traffic, e.g. tcpdump, Snort.
- Agent: client software, continuous or run-once.
Detection Implementation
Vulnerability
- Missing critical patches: MBSA (CLI version)
- Missing antivirus: registry check and wmic
- Weak passwords: John the Ripper
- Insecure user configuration: user privileges, AutoUpdates, root certificate audit
Compromise
- Virus/worm/trojan: IDS (Snort, TCPView), Microsoft MSR*
- Spyware: Spybot CLI
- Rootkit: RootkitRevealer
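The weak-password check named here and detailed on the later "Password Audit" slide (blank password, password equal to the username, dictionary words from blended threats), as an added example rather than the project's own tooling. The project runs John the Ripper against the operating system's hashes; this block only shows the matching logic, so the stored-hash format is an assumption (SHA-256 of the UTF-8 password), and the word list and sample accounts are constructed.

```python
import hashlib
from typing import Dict, Iterable, List, Tuple

# Constructed stand-in for the word list drawn from blended threats.
BLENDED_THREAT_WORDS = ["admin", "password", "123456", "server", "test", "root"]


def password_hash(password: str) -> str:
    """Stand-in for the stored credential format (assumption: SHA-256 of the
    UTF-8 password). A real audit works on the OS's own hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def weak_candidates(username: str, wordlist: Iterable[str]) -> List[Tuple[str, str]]:
    """Guesses in the order the slide lists them: blank, password = username,
    then dictionary words. Each entry is (reason, candidate)."""
    cands = [("blank", ""), ("username", username)]
    cands.extend(("dictionary", word) for word in wordlist)
    return cands


def audit_accounts(accounts: Dict[str, str],
                   wordlist: Iterable[str] = BLENDED_THREAT_WORDS) -> Dict[str, str]:
    """Map each account whose stored hash matches a weak candidate to the
    reason it failed; accounts that match nothing are left out."""
    words = list(wordlist)
    findings: Dict[str, str] = {}
    for user, stored in accounts.items():
        for reason, guess in weak_candidates(user, words):
            if password_hash(guess) == stored:
                findings[user] = reason
                break   # first (most serious) reason is enough for the report
    return findings


# Constructed sample: one blank, one username-as-password, one dictionary
# word, and one account that should pass.
SAMPLE_ACCOUNTS = {
    "guest": password_hash(""),
    "jsmith": password_hash("jsmith"),
    "lab01": password_hash("server"),
    "alice": password_hash("correct horse battery staple"),
}

if __name__ == "__main__":
    for user, reason in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user}: weak password ({reason})")
```

The report carries only the reason, never the recovered password, which is all the remediation wizard needs to tell the user to change it.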
Remediation
Vulnerability
- Windows Update (user)
- Install SAV (user)
- Weak passwords (user)
- Insecure user configuration (user-run wizard)
Compromise
- Virus/worm/trojan: SAV scan, Trend Micro Sysclean, Microsoft MSR
- Spyware: user-run Spybot
- Rootkit: assisted
Tools in Detail
Wizard UI
- CLI utilities wrapped using open source Windows installers: NSIS, Inno Setup.
- Provides a familiar wizard user interface for detection/remediation tools.
- Provides a 'run-once' function: no installation required.
- API includes registry read/write and cookie writing.
- Two formats: stand-alone and server integration.
MBSA
- Detection of all critical updates available on the day of release; also detects updates to existing versions.
Tools in Detail
Password Audit
- Checks for blank password, password = username, and dictionary lookup of words found in blended threats.
IDS
- Snort: check for host/port scan (20 sec. sample). Note: isolation is opened up to allow client-server connections.
- TCPView: check for excessive SYN rate.
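The two IDS checks above, written out as an added example (not the project's Snort or TCPView configuration): over one 20-second sample window it flags an excessive outbound SYN rate, a host scan (one port, many hosts) and a port scan (one host, many ports). The input lines, the netstat-style line format, and the rate and fan-out thresholds are constructed assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

SAMPLE_SECONDS = 20       # slide: 20 second sample
SYN_RATE_LIMIT = 5.0      # outbound SYN_SENT per second before flagging (assumed)
SCAN_FANOUT = 10          # distinct hosts or ports before calling it a scan (assumed)


@dataclass(frozen=True)
class Conn:
    t: float        # seconds since the sample started
    rhost: str
    rport: int
    state: str      # e.g. "SYN_SENT", "ESTABLISHED"


def parse_connections(lines: Iterable[str]) -> List[Conn]:
    """Parse constructed netstat-style lines of the form
    '<t> TCP <laddr>:<lport> <raddr>:<rport> <STATE>'; other lines are skipped."""
    conns = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[1] != "TCP":
            continue
        t, _, _local, remote, state = parts
        rhost, rport = remote.rsplit(":", 1)
        conns.append(Conn(float(t), rhost, int(rport), state))
    return conns


def analyse_sample(conns: List[Conn], window: float = SAMPLE_SECONDS) -> Dict[str, object]:
    """Apply the slide's two checks to one sample window: excessive outbound
    SYN rate (the TCPView check) and host/port scan fan-out (the Snort check)."""
    syns = [c for c in conns if c.state == "SYN_SENT" and 0 <= c.t < window]
    hosts_per_port = defaultdict(set)   # host scan: many hosts, one port
    ports_per_host = defaultdict(set)   # port scan: one host, many ports
    for c in syns:
        hosts_per_port[c.rport].add(c.rhost)
        ports_per_host[c.rhost].add(c.rport)
    syn_rate = len(syns) / window
    return {
        "syn_rate": syn_rate,
        "excessive_syn": syn_rate > SYN_RATE_LIMIT,
        "host_scan_ports": sorted(p for p, hosts in hosts_per_port.items() if len(hosts) >= SCAN_FANOUT),
        "port_scan_hosts": sorted(h for h, ports in ports_per_host.items() if len(ports) >= SCAN_FANOUT),
    }


def sample_host_sweep() -> List[str]:
    """Constructed sample: a worm-style sweep of port 445 across 120 hosts in
    under 20 seconds, mixed with a couple of ordinary web connections."""
    lines = ["3.00 TCP 10.0.5.7:50000 128.100.1.1:80 ESTABLISHED",
             "7.50 TCP 10.0.5.7:50001 128.100.1.2:443 ESTABLISHED"]
    for i in range(120):
        lines.append(f"{i * 0.15:.2f} TCP 10.0.5.7:{40000 + i} 10.0.9.{i + 1}:445 SYN_SENT")
    return lines


if __name__ == "__main__":
    print(analyse_sample(parse_connections(sample_host_sweep())))
```

Only half-open connections count: ESTABLISHED sessions are ignored so a busy but healthy client does not trip the rate check, and the fan-out counts are over distinct hosts or ports, so repeated retries to one target do not look like a scan.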
Applications - ESP
- Integration of isolation, MBSA detection and user remediation.
- Admin functions: init registration cycle, isolate/block MAC, configure isolation access.
Applications - HealthChk
- Integration of isolation and compromise detection for assisted detection and remediation.
- Admin functions: convenient access to external utilities.
Applications - Future
- Create a remote HealthChk system: the user runs detection and remediation tools remotely; support for Linux?
- Other applications?
- Managed environment use: encourage users to use the automated systems, no isolation, enforcement via email reminders.
More Information
http://www.utoronto.ca/security/UTORprotect
http://security.internet2.edu/netauth
http://www.netreg.org