End of the Line -- Ensuring End-Point Compliance
Christopher M. King, CISSP, CISM, Principal Security Group, V1.3
Speaker notes
  • Protecting your infrastructure using end-point security. End-point devices (laptops, SOHO desktops, public terminals, etc.) are your biggest security headache. Connectivity variances: physical, remote, and wireless. The problem statement (why is this a problem?); end-point security requirements (what is a compliant PC?); the mistake of differentiating remote and physically attached users; vendor solutions (infrastructure and application), pros and cons (hold until the conference session).
  • The biggest target for most malware is the end-point. Computer Economics estimates that the Slammer worm of January 2003 cost companies $1.5 billion ($8 billion for all worms); Blaster in August 2003 cost $750 million; and Code Red and Nimda in 2001 cost $2.75 billion and $1.5 billion respectively.
  • Vulnerability management is static; end-point security is dynamic, it happens at connect/login time.
  • Senior management support is required. Traditional desktop security requirements: physically secured, screen-saver lock, only run corporate-approved software.
  • Check Point InterSpect
  • Personal firewalls were designed to protect against inbound, not outbound, traffic.
  • 802.1X was adopted in 2001 to remedy WEP's inability to provide either authentication or confidentiality: Extensible Authentication Protocol (EAP), network port authentication. All the EP vendors did was insert a compliance test into the 802.1X authentication exchange; if you fail the test, the switch puts you on a quarantine VLAN.

1. Ensuring End-Point Compliance
   Christopher M. King, CISSP, CISM, Principal Security Group, V1.3

2. Agenda
   • Hypotheses
   • Background
   • Problem set
   • Vulnerability management overlap
   • Policy and compliance
   • State of the art
   • End-point (EP) preventative, detective, and reactive solutions
   • EP security architecture and management
   • Specific vendor solutions

3. Speaker Background
   • Published over 20 industry articles and a book on security architecture
   • National information security practice director of 40 engineers
   • Over 19 years in the information security discipline
   • Served as a consultant in the following organizations (client logos on the slide; only "Comm Of Mass" survived extraction)

4. Hypothesis
   • Enterprises have to protect themselves from exploited end-point clients as close to zero day as possible: interior security.
   • There should be no difference between remote access (VPN, wireless) and physically connected users; most of the industry has been focused on RAS (client and gateway).
   • This problem can only be solved by a standardized/integrated infrastructure component (i.e., an 802.1X-enabled switch), end-point device agent (client participation) technology, and a detection/reaction capability.
   • The solution will be a combination of the following controls:
       • Prevention: compliance enforcement by the end-point client with a cooperating infrastructure point
       • Detection: the ability to detect compromised devices without scanning
       • Reaction: the ability to contain, eradicate, and recover
   • Don't expect a non-point-product (integrated) solution to be in production for at least 6-12 months.

5. Notable Quote
   "We have seen the enemy and he is us" (anonymous)

6. What is an End-Point Device?
   • A network-enabled device that can access the corporate intranet
   • A PC, primarily desktop/Windows
       • XP
       • Win2000
       • 98/95
       • some Linux (e.g., Novell SUSE)
       • Server security comes under vulnerability management
   • Personal digital assistants
       • WinCE
       • PalmOS
       • Cell phones
       • Blackberry
   • Device owners
       • Corporate
       • Personal
       • Kiosk

7. Connectivity Methods
   • VPN
       • Fat IPsec client to VPN gateway
       • Browser to SSL termination gateway
   • Dial (PPP)
       • Dialing client to modem server
   • Wireless
       • Wireless network client to wireless access point
   • Physically connected to the intranet
       • Most corporations use DHCP to obtain IP addresses vs. manual IP management
       • The termination point is most likely a switch
8. The Problem Set
   • End-point devices have the weakest security controls.
   • Day-zero virus and worm invasions continue to disrupt business.
   • Corporations are relying more and more on their networks.
   • Due to the large number of devices and varying platforms, it is a very costly security problem; outbreaks are difficult to detect and contain.
   • Many of today's worms are coming from inside the enterprise.
   • What we need is a solution that avoids network downtime and lost business productivity and revenue caused by allowing vulnerable or infected machines onto the network.

9. How does EP fit into Vulnerability Management?
   • Vulnerability management is a set of processes and technology that establishes and maintains the level of risk based on the following:
       • Resource discovery (what is on my network?)
       • Platform/infrastructure component discovery (what is its configuration?)
       • End-point security (is it susceptible to threats, and what is the exposure?)
       • Event management (are there any network, platform, or application anomalies?)
       • Asset management (what is the usage, value, and ownership of my resources?)
       • Compliance management (direction from corporate policy and regulations)
       • Incident management (infrastructure changes and remediation steps)
       • Patch management remediation (write, test, deploy, and re-test)

10. End-Point Security Policy
   • Any compromised system will be removed from the network in a timely manner
   • A risk assessment must be performed (criticality and value of loss)
   • The end-point's location is also an attribute that must be considered in the policy
   • Only authorized systems are allowed to access our network
   • All end-point systems must be compliant with the aforementioned policy before network access is granted (i.e., be in a trusted state)
   • The end-point will be continuously monitored for security anomalies

11. Compliance Process
   • Provide enough network access to authenticate and run the compliance test (scan and block, or scan and report)
   • If the compliance test fails, you are directed into a restricted/quarantined zone where you can be brought back to a trusted state
   • A non-supported device can be limited via network access controls
   • Compliance steps
       • Authenticate: restricted network access is granted
       • Interrogate: run the compliance test
           • If passed: access is granted based on the results
           • If failed: network ACLs/VLANs are used to restrict access

12. Compliance Checks
   • A compromised system
       • rogue processes
       • registry (MS configuration database)
       • existence of a file
       • network traffic anomalies
   • All AV signatures and scan validation must be up to date
   • All OS patches must be up to date
   • The appropriate client end-point software is running
   • Only corporate applications installed
   • Only corporate devices or operating systems allowed (optional)
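The compliance process and checks on slides 11 and 12, as an added example that is not code from the slides or from any of the vendors named later in the deck: a small policy evaluator that turns an end-point posture report into the grant / quarantine / restrict outcome the process describes. The signature-age threshold, the patch identifiers, the agent process name, the known-bad process name, the VLAN numbers and the sample reports are all constructed assumptions.

```python
"""Compliance test for an end-point posture report.

Added example, not code from the slides or from any vendor: it evaluates the
checks listed on the "Compliance Checks" slide (AV signatures current, OS
patches current, required agent running, no known-bad processes, approved
platform) and returns the outcome of the "Compliance Process" slide: full
access, quarantine for remediation, or restricted access for an unsupported
device. Thresholds, patch identifiers, VLAN numbers and the sample reports
are constructed placeholders.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Policy parameters (assumed; tune to your own policy)
MAX_SIGNATURE_AGE = timedelta(days=3)
REQUIRED_PATCHES = {"PATCH-A", "PATCH-B"}            # placeholder bulletin names
REQUIRED_AGENT = "epagent.exe"                       # placeholder agent process
KNOWN_BAD_PROCESSES = {"rogue.exe"}                  # placeholder indicator
APPROVED_OS = {"Windows XP", "Windows 2000", "SUSE Linux"}   # assumed approved set
PRODUCTION_VLAN, QUARANTINE_VLAN, RESTRICTED_VLAN = 10, 99, 98  # assumed VLANs


@dataclass
class PostureReport:
    host: str
    os_name: str
    av_signature_date: date
    installed_patches: frozenset
    processes: frozenset


@dataclass
class Decision:
    action: str          # "GRANT", "QUARANTINE" or "RESTRICT"
    vlan: int
    reasons: list = field(default_factory=list)


def evaluate(report: PostureReport, today: date) -> Decision:
    # Unsupported device: nothing to remediate, so limit it with network controls
    if report.os_name not in APPROVED_OS:
        return Decision("RESTRICT", RESTRICTED_VLAN,
                        [f"unsupported platform: {report.os_name}"])

    reasons = []
    # Compromise indicator: a rogue process (the slide's first check)
    rogue = report.processes & KNOWN_BAD_PROCESSES
    if rogue:
        reasons.append("rogue process running: " + ", ".join(sorted(rogue)))
    # AV signatures must be current, not merely installed
    age = today - report.av_signature_date
    if age > MAX_SIGNATURE_AGE:
        reasons.append(f"AV signatures {age.days} days old")
    # OS patches must be current
    missing = REQUIRED_PATCHES - report.installed_patches
    if missing:
        reasons.append("missing patches: " + ", ".join(sorted(missing)))
    # The required end-point client software must be running
    if REQUIRED_AGENT not in report.processes:
        reasons.append("end-point agent not running")

    if reasons:
        return Decision("QUARANTINE", QUARANTINE_VLAN, reasons)
    return Decision("GRANT", PRODUCTION_VLAN)


TODAY = date(2004, 6, 2)    # fixed so the sample output is reproducible
SAMPLE_REPORTS = {          # constructed reports, one per outcome
    "compliant": PostureReport("lap-01", "Windows XP", date(2004, 6, 1),
                               frozenset({"PATCH-A", "PATCH-B"}),
                               frozenset({"explorer.exe", "epagent.exe"})),
    "stale_av": PostureReport("lap-02", "Windows XP", date(2004, 5, 20),
                              frozenset({"PATCH-A", "PATCH-B"}),
                              frozenset({"explorer.exe", "epagent.exe"})),
    "infected": PostureReport("lap-03", "Windows 2000", date(2004, 6, 1),
                              frozenset({"PATCH-A"}),
                              frozenset({"explorer.exe", "epagent.exe", "rogue.exe"})),
    "kiosk": PostureReport("kiosk-1", "Windows 98", date(2004, 6, 1),
                           frozenset(), frozenset({"explorer.exe"})),
}


def decide_all(reports=SAMPLE_REPORTS, today=TODAY) -> dict:
    """Host -> Decision: the table a policy server hands to the enforcement point."""
    return {r.host: evaluate(r, today) for r in reports.values()}


if __name__ == "__main__":
    for host, d in decide_all().items():
        print(f"{host:8} {d.action:10} vlan {d.vlan}  {'; '.join(d.reasons)}")
```

The evaluator reports every failed check rather than stopping at the first one, so the remediation zone knows what to fix in one pass; the "restrict" outcome is separate from "quarantine" because, as slide 11 notes, an unsupported device cannot be brought to a trusted state and is handled by network controls instead.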
13. The State of the Art
   • Most organizations have a functional anti-virus solution
       • Centrally managed, reporting, and auto-updating (not usually forced)
   • Most organizations have a functional software distribution solution
       • Microsoft SMS
   • Most organizations have somewhat functional internal access management controls (zones of trust)
   • Most organizations have a somewhat functional internal IDS solution
   • Some organizations have deployed personal firewalls on internal desktops

14. The State of the Art (2)
   • Most organizations do NOT have a functional vulnerability management solution
   • Most organizations do NOT have the ability to detect and quarantine compromised hosts in a timely fashion
   • End-point security compliance checking is supported by most IPsec VPN client/server software packages
       • Not fully featured: checks that AV exists, not that signatures are current or when the disk was last scanned
       • Checks the personal firewall process and the name of its policy

15. End-point Issues
   • Organizations are finding they need more than anti-virus software on their PCs
   • Personal FW/IDS can detect and block unauthorized inbound and outbound traffic
   • The ability to quarantine infected files and terminate malicious processes
   • Must be centrally managed and deployed (i.e., administration and logging)
   • AV software vendors are supporting FW, compliance, and vulnerability detection in a single agent
   • Three flavors of end-point security clients:
       • Fat client
       • Thin client (applet)
       • Clientless

16. EP Behavioral Analysis
   • The goal is to identify a compromised/misbehaving end-point by looking for the following:
       • Presence of a virus or trojan horse
       • Key loggers
       • Password grabbers
       • Screen capturing
       • Illegal memory access violations
       • Erroneous network connections
       • Erroneous mail being sent
       • Spyware and adware
       • Erroneous file access or system executable changes
       • Running new executables in a virtual machine before allowing them to run natively
   • Don't forget: no matter how much security software you put on the end-point client, never trust the end-point.

17. Preventative EP Solutions
   • Most of the EP solutions require an inline gateway server (layer 2 or 3)
   • No end-point agent
       • Interrogates the network ports and registry
   • Agent (static or dynamic)
       • The enforcement point is an IPsec VPN, SSL VPN, or firewall
   • Infrastructure access protection/controls
       • Requires network infrastructure components to become security-enabled (e.g., firewall, authentication, compliance proxies)
       • Requires the end-point to have a client to communicate with the infrastructure access end-point
   (Diagram: end-point devices behind the VPN and firewall enforcement points; EPD = End-Point Device, EPC = End-Point Client)

18. Technology Used
   • EAP/UDP
   • EAP/802.1X
   • VLAN
   • DHCP
   • ACLs
   • Heuristics
   • In-memory scanning
   • Behavioral analysis
   • ActiveX
   • Java applet
   • Inverted firewall

19. 802.1X
   • IEEE 802.1X is a port-based network access control standard: the supplicant on the end-point, the authenticator (switch or access point), and an authentication server (typically RADIUS) run EAP to decide whether a port is opened, so unauthorized devices cannot join a local area network (LAN) through publicly accessible ports.
   • 802.1X authenticates each device connected to a switch port before any services offered by the switch or the LAN are made available; the authentication server's reply can also carry the VLAN the port is placed in, which is how a failed compliance test lands on a quarantine VLAN.
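The quarantine-VLAN mechanism behind 802.1X (slide 19 and the speaker note on 802.1X above), as an added example that is not from the slides or from any vendor's product: the RADIUS Access-Accept a policy server returns to the switch, carrying the VLAN to authorize, together with the authenticity check the switch applies before acting on it. The packet layout and Response Authenticator follow RFC 2865 and the tunnel attributes RFC 2868; the VLAN numbers, packet identifier, request authenticator and shared secret are constructed values.

```python
"""RADIUS reply that puts an 802.1X port on a production or quarantine VLAN.

Added example, not taken from the slides or from any vendor's product: the
policy server answers the switch's Access-Request with an Access-Accept whose
RFC 2868 tunnel attributes name the VLAN to authorize. Quarantine is signalled
the same way as full access; only the VLAN number differs. Packet layout and
the Response Authenticator are from RFC 2865; VLAN numbers, identifier,
request authenticator and the shared secret below are constructed values.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6
PRODUCTION_VLAN, QUARANTINE_VLAN = 10, 99          # assumed VLAN numbers


def _attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header octets (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def vlan_attributes(vlan_id: int, tag: int = 1) -> bytes:
    """The three tunnel attributes a switch needs for dynamic VLAN assignment.

    Each carries a one-octet Tag (1..0x1F) that groups them; the Tunnel-Type
    and Tunnel-Medium-Type values are three octets wide (RFC 2868).
    """
    tag_byte = struct.pack("!B", tag)
    return (_attr(TUNNEL_TYPE, tag_byte + struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])
            + _attr(TUNNEL_MEDIUM_TYPE, tag_byte + struct.pack("!I", TUNNEL_MEDIUM_IEEE802)[1:])
            + _attr(TUNNEL_PRIVATE_GROUP_ID, tag_byte + str(vlan_id).encode("ascii")))


def build_response(code: int, identifier: int, request_authenticator: bytes,
                   attributes: bytes, secret: bytes) -> bytes:
    """Assemble Code | ID | Length | ResponseAuth | Attributes.

    ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret),
    which is how the switch checks that the reply came from a server holding
    the shared secret (RFC 2865 section 3).
    """
    if len(request_authenticator) != 16:
        raise ValueError("request authenticator must be 16 octets")
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    resp_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + resp_auth + attributes


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """What the authenticator (switch) does before acting on the reply."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, resp_auth, attributes = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attributes(data: bytes) -> list:
    """Walk the TLVs; a Length under 2 would loop forever, so reject it."""
    attrs = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs


def assigned_vlan(packet: bytes):
    """VLAN the switch will put the port in, or None if the reply carries none."""
    for atype, value in parse_attributes(packet[20:]):
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            return int(value[1:].decode("ascii"))   # skip the Tag octet
    return None


def access_decision(compliant: bool, identifier: int,
                    request_authenticator: bytes, secret: bytes) -> bytes:
    """Map the compliance verdict to the VLAN carried in the Access-Accept."""
    vlan = PRODUCTION_VLAN if compliant else QUARANTINE_VLAN
    return build_response(ACCESS_ACCEPT, identifier, request_authenticator,
                          vlan_attributes(vlan), secret)


if __name__ == "__main__":
    # Constructed request authenticator and secret; a real switch sends 16 random octets.
    req_auth, secret = bytes(range(16)), b"constructed-shared-secret"
    reply = access_decision(False, 7, req_auth, secret)
    print("valid:", verify_response(reply, req_auth, secret), "vlan:", assigned_vlan(reply))
```

Two points worth noticing: the quarantine decision is an Access-Accept, not a Reject, because a rejected port carries no traffic at all and the remediation zone would be unreachable; and the only thing binding that decision to the switch's request is the MD5 Response Authenticator keyed with the shared secret, so the secret and the RADIUS path between switch and policy server deserve the same care as the compliance test itself.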
20. EP Detective Solutions
   • The goal is to detect, isolate, and block infected nodes to prevent propagation in real time.
   • Technology claims
       • No signatures, no agents, no network re-architecture (?)
   • In most cases these devices need to monitor traffic; if they detect an anomaly they communicate with the switch/gateway and disconnect you from the network.
   • Leverage your multitude of event sources (IDS, AV, firewall, routers, etc.) with your security event management investments
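The signature-less detection on slide 20, as an added example that is not from the slides or from any of the detection vendors listed later: a fan-out detector run over constructed flow records, flagging a host that reaches many distinct destinations on one port inside a short window, which is the propagation pattern of the Slammer and Blaster worms the speaker notes cite. The window, the threshold and the flow records are assumptions.

```python
"""Behaviour-based detection of a worm-infected end-point from flow records.

Added example, not code from the slides or from any listed vendor: a
simplified version of the signature-less infrastructure detection the
"EP Detective Solutions" slide describes. A host that connects to many
distinct destinations on one port inside a short window is sweeping the
network, which is how Slammer- and Blaster-class worms spread; it is flagged
for containment at the switch. The flow records, window and threshold are
constructed assumptions.
"""
from collections import defaultdict, deque


def constructed_flows() -> list:
    """(timestamp, src, dst, dport) records built for the example."""
    flows = []
    # 10.1.1.5 sweeps 40 hosts on 135/tcp in 8 seconds: worm behaviour
    for i in range(40):
        flows.append((1000 + i // 5, "10.1.1.5", f"10.1.2.{i + 1}", 135))
    # 10.1.1.6 talks to the same three file servers for a minute: normal
    for i in range(30):
        flows.append((1000 + 2 * i, "10.1.1.6", f"10.1.3.{i % 3 + 1}", 445))
    # 10.1.1.7 touches one new host every 5 seconds: slow, stays under threshold
    for i in range(40):
        flows.append((1000 + 5 * i, "10.1.1.7", f"10.1.2.{i + 1}", 135))
    return flows


def find_scanners(flows, window: int = 10, threshold: int = 15) -> dict:
    """Return {(src, dport): first_detection_time} for sources that reached
    `threshold` distinct destinations on `dport` within `window` seconds."""
    recent = defaultdict(deque)        # (src, dport) -> deque of (ts, dst)
    flagged = {}
    for ts, src, dst, dport in sorted(flows):
        key = (src, dport)
        q = recent[key]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:     # drop records outside the window
            q.popleft()
        if key not in flagged and len({d for _, d in q}) >= threshold:
            flagged[key] = ts
    return flagged


def containment_orders(flagged: dict) -> list:
    """What gets sent to the switch/gateway: one disconnect per offending host."""
    return sorted({src for src, _ in flagged})


if __name__ == "__main__":
    hits = find_scanners(constructed_flows())
    for (src, dport), ts in hits.items():
        print(f"t={ts}: {src} sweeping port {dport}")
    print("disconnect:", containment_orders(hits))
```

The detector needs no signature and no agent on the end-point, which is the claim the slide questions; the price is the threshold. Set it too low and the slow inventory scanner (10.1.1.7) or a busy file server gets cut off, too high and the worm has already hit dozens of hosts before containment fires, which is why the worm host here is caught at its 15th destination, two seconds into the sweep.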
21. Reactive Solutions

22. EP Security Deployment
   • The goal for the infrastructure-enabled end-point security device is to keep it as close to the edge as possible (i.e., the ingress point)
   • Enterprises on the whole are very reluctant to add client-side software and in-line (two-legged) networking components
   • Reactive point solutions
       • Require an additional client (optionally) and an end device to be added to the infrastructure
       • There is a substantial cost associated with fielding end-point security
   • Reactive standard solution
       • Requires an additional client or dynamic client (Windows NT, 2000, and XP)
       • Utilize 802.1X on your switches
   • Detective solution
       • A point solution needs to mirror the IDS sensors
       • SEM with dynamic containment
       • Choose a client that supports anomaly detection vs. high-frequency scanning

23. EP Security Architecture
   (Diagram components: EPC, SSL VPN, IPsec VPN, personal FW, point solutions, routers, switches, AV server, personal FW server, AAA server, certificate server, PDC server, policy server, remediation server)

24. EP Security Management
   • EP policy server
       • A gateway or direct connection to the AV, patch level, PFW, PDC, etc.
   • Metrics: key performance indicators (KPIs)
       • Can we show improvement in our security posture over time? Has our audit rating improved?
       • How much damage, qualitatively and quantitatively, did our security architecture posture prevent (effectiveness)?
       • How many (catastrophic, severe, malicious code) attacks were stopped?
       • How long did it take us to update all our vulnerable systems?
       • How much is our security architecture costing us from an operational standpoint?
       • How compliant are our security architecture and LOBs against regulatory and corporate security policies and best business practices?
       • Need to measure productivity costs, value of the assets, and cost of repair, and compare them to the bottom line for the business.
25. Vendors
   • End-point client space
       • Sygate
       • Symantec
       • ZoneLabs/Check Point
       • Cisco Security Agent
       • StillSecure
       • InfoExpress
       • WholeSecurity
       • NetIntelligence
       • Endforce
       • Citadel
   • Gateway space
       • Sygate (optional), StillSecure, and InfoExpress
   • Infrastructure space
       • Cisco
       • Enterasys
       • Extreme
       • Nortel
   • Infrastructure detection space
       • Mirage Networks
       • Protego Networks
       • Silicon Defense

26. EP Client Questionnaire
   1) How is the compliance test accomplished? (e.g., agent, dynamic content, or network/registry scan)
   2) Where is the compliance test enforced? (e.g., in-line gateway or by the client)
   3) How granular is the compliance test?
   4) Does your product support heterogeneity?
   5) Does your product support physical network connections (i.e., LANs)?
   6) How does your product handle non-compliant end-points?
   7) Does your product have any anomaly detection mechanisms?
27. Vendors Comparison
   (Table rebuilt from the flattened slide. "RAS" is how remote-access users are handled; "Same" means the same as physically connected users. "Hetero 1-5" is a heterogeneity rating. The "Physical (LAN)" and "Non-compliant handling" columns were separate text objects on the slide and are aligned to rows by position; the latter had eight entries for ten vendors, so two cells are left blank.)

   | Vendor          | Enforcement technology   | Compliance enforcement         | RAS           | Hetero 1-5 | Anomaly detection | Physical (LAN) | Non-compliant handling |
   |-----------------|--------------------------|--------------------------------|---------------|------------|-------------------|----------------|------------------------|
   | Sygate          | Agent, part of IDS/PFW   | 802.1X, IPsec VPN              | Same          | 4          | No                | Yes            | No VLAN                |
   | Symantec V2     | Agent, part of IDS/PFW   | IPsec VPN                      | Same          | 2          | Yes               | No             |                        |
   | ZoneLabs        | Agent/dynamic agent      | 802.1X, IPsec VPNs             | Same          | 4          | No                | Yes            | VLAN                   |
   | Cisco CSA       | Agent                    | Cisco NAC (router)             | Same          | 2          | Yes               | At router      | VLAN at router         |
   | StillSecure     | No agent                 | Inline gateway                 | Same          | 1          | Rescan            | At its GW      | Block at GW            |
   | InfoExpress     | Agent                    | Inline GW optional and 802.1X  | Same          | 2          | No                | Yes            | No VLAN                |
   | WholeSecurity   | Agent/dynamic agent      | SSL VPN only                   | Same          | 2          | Yes               | No             |                        |
   | NetIntelligence | Agent/dynamic agent      | Switch control, 802.1X         | In-line IPsec | 3          | No                | At its GW      | Block at switch/AP     |
   | EndForce        | Agent (MSI)              | 802.1X                         | Same          | 3          | No                | Yes            | VLAN                   |
   | Citadel         | Agent                    | On agent only                  | Same          | 2          | No                | No             | Fix                    |
28. Audience Response
   • How can you guarantee 100% enforcement with your access points?
   • Should EP enforcement require an agent on the end-point?
   • How are the Cisco and Microsoft EP solutions affecting your decision to deploy?