This presentation by Christopher M. King covers end-point security management: how it overlaps with vulnerability management, what an end-point compliance policy and process look like, the state of the art in preventative, detective and reactive end-point solutions, and the vendor landscape at the time of writing.
Ensuring End-Point Compliance • Christopher M. King, CISSP, CISM • Principal Security Group • V1.3
Agenda • Hypotheses • Background • Problem set • Vulnerability Management Overlap • Policy and Compliance • State of the Art • End-Point (EP) preventative, detective, and reactive solutions • EP security architecture and management • Specific vendors solutions
Speaker Background • Published over 20 industry articles and a book on security architecture • National information security practice director of 40 engineers • Over 19 years in the information security discipline • Served as a consultant in the following organizations: Comm Of Mass
Hypothesis • Enterprises have to protect themselves from exploited end-point clients as close to day zero as possible – interior security. • There should be no difference between remote access (VPN, wireless) and physically connected users – most of the industry has been focused on RAS (client and gateway). • This problem can only be solved by a combination of a standardized/integrated infrastructure component (i.e., an 802.1X-enabled switch), end-point device agent technology (client participation), and a detection/reaction capability. • The solution will be a combination of the following controls: • Prevention – compliance enforcement by the end-point client with a cooperating infrastructure point • Detection – the ability to detect compromised devices without scanning • Reaction – the ability to contain, eradicate, and recover • Don’t expect a non-point-product (integrated) solution to be in production for at least 6-12 months.
Notable Quote “We have met the enemy and he is us” – Walt Kelly, Pogo
What is an End-Point Device? • A network enabled device that can access the corporate Intranet • A PC primarily desktop/windows • XP • Win2000 • 98/95 • some Linux (e.g., Novell SUSE) • Server security comes under vulnerability management • Personal Digital Assistants • WinCE • PalmOS • Cell phones • Blackberry • Device owners • Corporate • Personal • Kiosk
Connectivity Methods • VPN • Fat IPsec client to VPN gateway • Browser to SSL termination gateway • Dial (PPP) • Dialing client to modem server • Wireless • Wireless network client to wireless access point • Physically connected to the Intranet • Most corporations use DHCP to obtain IP addresses vs. manual IP management • The termination point is most likely a switch
The Problem Set • End-point devices have the weakest security controls. • Day-zero virus and worm invasions continue to disrupt business. • Corporations are relying more and more on their networks. • Due to the large number and varying platforms, it is a very costly security problem – difficult to detect and contain outbreaks. • Many of today’s worms are coming from inside the enterprise. • What we need is a solution that keeps vulnerable or infected machines off the network, and so avoids the network downtime and the lost productivity and revenue they cause.
How does EP fit into Vulnerability Management? • Vulnerability management is a set of processes and technology that establishes and maintains the level of risk based on the following: • Resource discovery (what is on my network?) • Platform/infrastructure component discovery (what is its configuration?) • End-point security (is it susceptible to threats and what is the exposure?) • Event management (are there any network, platform or application anomalies?) • Asset management (what is the usage, value, and ownership of my resources?) • Compliance management (direction from corporate policy and regulations) • Incident management (infrastructure changes and remediation steps) • Patch management remediation (write, test, deploy, and re-test)
End-Point Security Policy • Any compromised system will be removed from the network in a timely manner • A risk assessment must be performed (criticality and value of loss) • The end-point’s location is also an attribute that must be considered in the policy • Only authorized systems are allowed to access our network • All end-point systems must be compliant with the aforementioned policy before network access is granted (i.e., in a trusted state) • The end-point will be continuously monitored for security anomalies
Compliance Process • Provide enough network access to authenticate and run the compliance test (scan-and-block or scan-and-report) • If the compliance test fails, the device is directed into a restricted/quarantined zone where it can be brought back to a trusted state • A non-supported device can be limited via network access controls • Compliance steps • Authenticate – restricted network access is granted • Interrogate – run the compliance test • If passed – access is granted based on the results • If failed – network ACLs/VLANs are used to restrict access
Compliance Checks • A compromised system • rogue processes • registry (the Windows configuration database) • existence of a file • network traffic anomalies • All AV signatures must be up-to-date and the last scan validated • All OS patches must be up-to-date • The appropriate client end-point software is running • Only corporate applications installed • Only corporate devices or operating systems allowed (optional)
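The compliance process and checks above, worked as a small policy-server decision function. This is an added example, not code from the deck or from any product it names. Everything in it is an assumption made for illustration: the supported platforms, the required agent process name, the placeholder patch identifiers, the approved-application list, the signature and scan age thresholds, and the VLAN numbers. The decision is expressed as the RADIUS tunnel attributes (RFC 3580) that an 802.1X switch uses to place the authenticated port into a VLAN, so the same function serves scan-and-block (quarantine VLAN on failure) and scan-and-report (failures logged, production VLAN still granted).

```python
"""Posture check and access decision for an end-point requesting network access (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed policy values (assumptions for this example, not from any product).
SUPPORTED_OS = {"Windows XP", "Windows 2000", "SUSE Linux"}
REQUIRED_AGENT = "corp-epc.exe"                  # hypothetical end-point client process name
REQUIRED_PATCHES = {"patch-001", "patch-002"}    # placeholder patch identifiers
APPROVED_APPS = {"corp-mail", "corp-office", "corp-av"}
KNOWN_BAD_PROCESSES = {"keylog.exe"}             # placeholder rogue-process indicator
MAX_SIGNATURE_AGE = timedelta(days=2)            # AV signatures older than this fail
MAX_SCAN_AGE = timedelta(days=7)                 # last full disk scan older than this fails

PRODUCTION_VLAN = "100"    # constructed VLAN numbers
QUARANTINE_VLAN = "900"    # only the remediation/AV/patch servers are reachable from here
RESTRICTED_VLAN = "901"    # unsupported devices: limited access, no intranet


@dataclass
class PostureReport:
    """What the end-point client (or a clientless scan) reports about the device."""
    host: str
    os: str
    processes: set
    installed_apps: set
    installed_patches: set
    av_signature_date: datetime
    av_last_scan: datetime


@dataclass
class Decision:
    action: str                 # "grant", "quarantine" or "restrict"
    vlan: str
    failures: list = field(default_factory=list)

    def radius_attributes(self):
        """RADIUS tunnel attributes (RFC 3580) telling an 802.1X switch which VLAN to apply."""
        return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                "Tunnel-Private-Group-Id": self.vlan}


def run_checks(r: PostureReport, now: datetime) -> list:
    """Interrogate step: return every failed compliance check (empty list = trusted state)."""
    failures = []
    rogue = r.processes & KNOWN_BAD_PROCESSES
    if rogue:
        failures.append(f"rogue process: {sorted(rogue)}")
    if now - r.av_signature_date > MAX_SIGNATURE_AGE:   # presence of AV alone is not enough
        failures.append("AV signatures out of date")
    if now - r.av_last_scan > MAX_SCAN_AGE:
        failures.append("AV disk scan overdue")
    missing = REQUIRED_PATCHES - r.installed_patches
    if missing:
        failures.append(f"missing patches: {sorted(missing)}")
    if REQUIRED_AGENT not in r.processes:
        failures.append("end-point client not running")
    unapproved = r.installed_apps - APPROVED_APPS
    if unapproved:
        failures.append(f"non-corporate applications: {sorted(unapproved)}")
    return failures


def decide(r: PostureReport, now: datetime, enforce: bool = True) -> Decision:
    """Access decision after authentication.

    enforce=True is scan-and-block; enforce=False is scan-and-report, where failures
    are recorded for the remediation server but production access is still granted.
    """
    if r.os not in SUPPORTED_OS:
        return Decision("restrict", RESTRICTED_VLAN, [f"unsupported platform: {r.os}"])
    failures = run_checks(r, now)
    if failures and enforce:
        return Decision("quarantine", QUARANTINE_VLAN, failures)
    return Decision("grant", PRODUCTION_VLAN, failures)


# Constructed sample reports: a compliant PC, a stale/compromised PC, and a PDA.
NOW = datetime(2005, 1, 10, 9, 0)
COMPLIANT = PostureReport("pc-01", "Windows XP", {"corp-epc.exe", "explorer.exe"},
                          {"corp-mail", "corp-office"}, {"patch-001", "patch-002"},
                          NOW - timedelta(days=1), NOW - timedelta(days=2))
STALE = PostureReport("pc-02", "Windows 2000", {"explorer.exe", "keylog.exe"},
                      {"corp-mail", "p2p-share"}, {"patch-001"},
                      NOW - timedelta(days=9), NOW - timedelta(days=30))
PDA = PostureReport("pda-01", "PalmOS", set(), set(), set(), NOW, NOW)

if __name__ == "__main__":
    for report in (COMPLIANT, STALE, PDA):
        d = decide(report, NOW)
        print(report.host, d.action, d.radius_attributes()["Tunnel-Private-Group-Id"], d.failures)
```

Two points worth noting in the design: the unsupported-platform branch runs before the checks, because a device that cannot run the agent cannot be interrogated and should not be quarantined as if it could be remediated; and the signature-age and scan-age checks are what distinguish this from the "does an AV process exist" test that the deck later criticises in VPN clients.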
The State of the Art • Most organizations have a functional AntiVirus solution • Centrally managed, reporting and auto updating (not usually forced) • Most organizations have a functional software distribution solution • Microsoft SMS • Most organizations have somewhat functional internal access management controls (zones of trust) • Most organizations have a somewhat functional internal IDS solution • Some organizations have deployed personal firewalls on internal desktops
The State of the Art (2) • Most organizations do NOT have a functional vulnerability management solution • Most organizations do NOT have the ability to detect and quarantine compromised hosts in a timely fashion • End-point security compliance checking is supported by most IPsec VPN client/server software packages • Not fully featured: they check for the existence of AV, not for updated signatures or the last time the disk was scanned • They check only that the personal firewall process is running and the name of its policy
End-point Issues • Organizations are finding they need more than anti-virus software on their PCs • A personal FW/IDS can detect and block unauthorized inbound and outbound traffic • The ability to quarantine infected files and terminate malicious processes • Must be centrally managed and deployed (i.e., administration and logging) • AV software vendors are supporting FW, compliance, and vulnerability detection in a single agent • Three flavors of end-point security clients: fat client, thin client (applet), clientless
EP Behavioral Analysis • The goal is to identify compromised/misbehaving end-points by looking for the following: • Presence of a virus or trojan horse • Key loggers • Password grabbers • Screen capturing • Illegal memory access violations • Erroneous network connections • Erroneous mail being sent • Spyware and adware • Erroneous file access or system executable changes • Running new executables in a virtual machine before allowing them to run natively • Don’t forget – no matter how much security software you put on the end-point client, never trust the end-point.
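Three of the indicators above (system executable changes, new executables, and erroneous mail being sent) worked as detection logic over constructed end-point telemetry. This is an added example, not code from the deck or from any vendor it lists. The event format, the baseline hash table, the allowed-mailer list, the SMTP peer threshold and the window length are all assumptions for illustration; a real agent would feed this from file-integrity and connection-tracking hooks, and a new executable flagged here would be the candidate for the virtual-machine pre-execution the deck mentions.

```python
"""Behavioral analysis over constructed end-point telemetry (added example)."""
import hashlib
from collections import defaultdict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed baseline: hashes of trusted system executables as recorded on a clean image.
BASELINE = {
    r"C:\WINDOWS\system32\svchost.exe": sha256_hex(b"constructed svchost image"),
    r"C:\WINDOWS\explorer.exe": sha256_hex(b"constructed explorer image"),
}
ALLOWED_MAILERS = {"outlook.exe"}   # processes permitted to open SMTP (tcp/25) connections
MAX_SMTP_PEERS = 5                  # distinct SMTP peers per window before a process is flagged
WINDOW_SECONDS = 60

# Constructed telemetry as an end-point agent might report it (ts = seconds since boot).
# "exec" events carry the image path and hash; "connect" events carry destination and port.
EVENTS = [
    {"ts": 1, "type": "exec", "proc": "explorer.exe", "path": r"C:\WINDOWS\explorer.exe",
     "sha256": sha256_hex(b"constructed explorer image")},
    {"ts": 5, "type": "exec", "proc": "update.exe", "path": r"C:\TEMP\update.exe",
     "sha256": sha256_hex(b"unknown binary")},
    {"ts": 6, "type": "exec", "proc": "svchost.exe", "path": r"C:\WINDOWS\system32\svchost.exe",
     "sha256": sha256_hex(b"tampered svchost image")},
    {"ts": 7, "type": "connect", "proc": "outlook.exe", "dst": "10.0.0.25", "dport": 25},
] + [
    # a non-mail process fanning out to eight SMTP peers in eight seconds: mass-mailer pattern
    {"ts": 10 + i, "type": "connect", "proc": "update.exe", "dst": f"192.0.2.{i}", "dport": 25}
    for i in range(8)
]


def mass_mailing(conns: list) -> bool:
    """True if any WINDOW_SECONDS slice of (ts, dst) pairs touches more than MAX_SMTP_PEERS hosts."""
    for i, (start, _) in enumerate(conns):
        peers = {dst for ts, dst in conns[i:] if ts - start <= WINDOW_SECONDS}
        if len(peers) > MAX_SMTP_PEERS:
            return True
    return False


def analyze(events: list) -> list:
    """Return (kind, process, detail) alerts for the behaviors the slide lists."""
    alerts = []
    smtp = defaultdict(list)          # process -> [(ts, dst)] for non-mailer SMTP connections
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == "exec":
            expected = BASELINE.get(e["path"])
            if expected is None:
                # never seen before: candidate for sandboxed execution before native run
                alerts.append(("new-executable", e["proc"], e["path"]))
            elif expected != e["sha256"]:
                # a trusted system binary whose hash no longer matches the baseline
                alerts.append(("system-executable-modified", e["proc"], e["path"]))
        elif e["type"] == "connect" and e["dport"] == 25 and e["proc"] not in ALLOWED_MAILERS:
            smtp[e["proc"]].append((e["ts"], e["dst"]))
    for proc, conns in smtp.items():
        if mass_mailing(conns):
            alerts.append(("mass-mailer", proc, f"{len({d for _, d in conns})} SMTP peers"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(EVENTS):
        print(*alert)
```

The hash comparison is only as trustworthy as the agent reporting it, which is the point of the slide's last bullet: a compromised kernel can lie about what is on disk, so the deck's detective solutions watch the network as well.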
Preventative EP Solutions • Most of the EP solutions require an inline gateway server (layer 2 or 3) • No end-point agent: interrogates the network ports and registry • Agent (static or dynamic): the EP is an IPsec, SSL VPN, or firewall client • Infrastructure access protection/controls • Requires network infrastructure components to become security enabled (e.g., firewall, authentication, compliance proxies) • Requires the end-point to have a client to communicate with the infrastructure access point • EPC = End-Point Client, EPD = End-Point Device (diagram omitted; labels: VPN, FW, EPC, EPD)
Technology Used • EAP/UDP • EAP/802.1X • ACLs • Inverted firewall • VLAN • ActiveX • DHCP • In-memory scanning • Heuristics • Java applet • Behavioral analysis
802.1X • IEEE 802.1X is a client/server, port-based access control and authentication protocol that prevents unauthorized devices from connecting to a local area network (LAN) through publicly accessible switch ports. • The switch (authenticator) authenticates each device (supplicant) connected to a port, via an authentication server (typically RADIUS), before making available on that port any services offered by the switch or the LAN.
EP Detective Solutions • The goal is to detect, isolate and block infected nodes in real time to prevent propagation. • Vendor claims: no signatures, no agents, no network re-architecture (?) • In most cases these devices monitor traffic and, if they detect an anomaly, signal the switch/gateway to disconnect the host from the network. • Leverage your multitude of event sources (IDS, AV, firewall, routers, etc.) with your security event management investments
EP Security Deployment • The goal of the infrastructure-enabled end-point security device is to keep it as close to the edge as possible (i.e., the ingress point) • Enterprises on the whole are very reluctant to add client-side software and in-line (two-legged) networking components • Reactive point solutions • Require an additional client (optionally) and an end device to be added to the infrastructure • There is a substantial cost associated with fielding end-point security • Reactive standard solution • Requires an additional client or dynamic client (Windows NT, 2000, and XP) • Utilize 802.1X on your switches • Detective solution • A point solution needs to mirror the IDS sensors • SEM with dynamic containment • Choose a client that supports anomaly detection rather than high-frequency scanning
EP Security Architecture (diagram; components shown: SSL VPN, IPsec VPN, personal FW, point solutions, AV server, personal FW server, AAA server, certificate server, PDC server, policy server, remediation server, EPC, routers, switches)
EP Security Management • EP policy server • A gateway or direct connection to the AV, patch level, PFW, PDC, etc. • Metrics – key performance indicators (KPIs) • Can we show improvement in our security posture over time? Has our audit rating improved? • How much damage, qualitatively and quantitatively, did our security architecture posture prevent (effectiveness)? • How many (catastrophic, severe, malicious code) attacks were stopped? • How long did it take us to update all our vulnerable systems? • How much is our security architecture costing us from an operational standpoint? • How compliant are our security architecture and LOBs with regulatory requirements, corporate security policies, and best business practices? • Need to measure productivity costs, value of the assets, and cost of repair, and compare them to the bottom line for the business.
Vendors • End-point client space: Sygate, Symantec, ZoneLabs/Check Point, Cisco Security Agent, StillSecure, InfoExpress, WholeSecurity, NetIntelligence, Endforce, Citadel • Gateway space: Sygate (optional), StillSecure, InfoExpress • Infrastructure space: Cisco, Enterasys, Extreme, Nortel • Infrastructure detection space: Mirage Networks, Protego Networks, Silicon Defense
EP Client Questionnaire 1) How is the compliance test accomplished? (e.g., agent, dynamic content, or network/registry scan) 2) Where is the compliance test enforced? (e.g., in-line gateway or by the client) 3) How granular is the compliance test? 4) Does your product support heterogeneous platforms? 5) Does your product support physically connected (LAN) end-points? 6) How does your product handle non-compliant end-points? 7) Does your product have any anomaly detection mechanisms?
Audience Response • How can you guarantee 100% enforcement with your access points? • Should EP-enforcement require an agent on the end-point? • How are the Cisco and Microsoft EP-solutions affecting your decision to deploy?