Automating Endpoint Security Policy Enforcement

  1. Automating Endpoint Security Policy Enforcement
     Computing and Networking Services, University of Toronto

  2. Unmanaged ‘Endpoints’
     • Systems not proactively managed by University IT staff:
       • 7000 student residents – Sept & Jan overload.
       • 12000 active unique wireless user accounts.
     • Subject to:
       • Missing OS updates, missing/expired AV protection, unsupported/pirated OS/SP.
       • Already compromised – spyware, V / W / T (virus / worm / trojan).

  3. Automation Framework (diagram)
     Network Isolation wraps two detection ↔ remediation loops:
     • Vulnerability: Detection (Missing Patches, …) ↔ Remediation (user – WindowsUpdate, …)
     • Compromise: Detection (V / W / T, …) ↔ Remediation (user – SAV scan, …)

  4. Isolation
     • IP based – DHCP using two address pools, routable and non-routable (SWU Netreg), with full DNS.
     • HTTP control (Squid) – configure access for users in the restricted zone.
     • Dynamic firewall port control (iptables) – block services in the restricted zone, except during the IDS test interval.

  5. Detection Framework
     • Active
       • Scanning from an external source, e.g. Nmap, Nessus.
     • Passive
       • Monitoring network traffic, e.g. tcpdump, Snort.
     • Agent
       • Client software, continuous or run-once.

  6. Detection Implementation
     • Vulnerability
       • Missing critical patches: MBSA (CLI version)
       • Missing antivirus: registry check and wmic
       • Weak passwords: John the Ripper
       • Insecure user configuration: user privileges, AutoUpdates, root cert audit
     • Compromise
       • Virus/worm/trojan: IDS (Snort, TCPView), Microsoft MSR*
       • Spyware: Spybot CLI
       • Rootkit: RootkitRevealer

  7. Remediation
     • Vulnerability
       • WindowsUpdate (user)
       • Install SAV (user)
       • Weak passwords (user)
       • Insecure user configuration (user-run wizard)
     • Compromise
       • Virus/worm/trojan: SAV scan, TrendMicro Sysclean, Microsoft MSR
       • Spyware: user-run Spybot
       • Rootkit: assisted

  8. Tools in Detail
     • Wizard UI
       • CLI utilities wrapped using open source Windows installers: NSIS, InnoSetup.
       • Provides a familiar wizard user interface for detection/remediation tools.
       • Provides a ‘run-once’ function – no installation required.
       • API includes registry read/write, cookie writing.
       • Two formats – stand-alone and server integration.
     • MBSA
       • Detects all critical updates available on the day of release; also detects updates to existing versions.

  9. Tools in Detail
     • Password Audit
       • Checks for blank password, password = username, and dictionary lookup of words found in blended threats.
     • IDS
       • Snort check for host/port scan (20 sec. sample). Note: isolation is opened up during the sample to allow client-server connections.
       • TCPView check for excessive SYN rate.
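As an added example (not code from the deck or the UTORprotect tools), the two compromise indicators on this slide, an excessive half-open SYN rate over the sample window and a single process fanning out to many hosts on one port, computed over a constructed TCPView-style connection snapshot; the column layout, the 20-second window and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed connection-table snapshot (netstat/TCPView style columns:
# process, protocol, local endpoint, remote endpoint, state). Not real data.
CONSTRUCTED_LINES = [
    "svchost.exe  TCP  192.168.50.12:1034  10.0.0.5:443  ESTABLISHED",
    "firefox.exe  TCP  192.168.50.12:1040  10.0.0.9:80   ESTABLISHED",
] + [
    # worm-like pattern: one process, one port, many hosts, all half-open
    f"unknown.exe  TCP  192.168.50.12:{1100 + i}  10.0.1.{i}:445  SYN_SENT"
    for i in range(1, 13)
]

LINE_RE = re.compile(r"^(\S+)\s+TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)$")

def parse_connections(lines):
    """Return (process, remote_host, remote_port, state) tuples; skip junk."""
    conns = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            proc, _lhost, _lport, rhost, rport, state = m.groups()
            conns.append((proc, rhost, int(rport), state))
    return conns

def syn_rate(conns, window_seconds):
    """Half-open (SYN_SENT) connections per second over the sample window."""
    return sum(1 for c in conns if c[3] == "SYN_SENT") / window_seconds

def scan_indicators(conns):
    """Per process: count of distinct remote hosts and ports it is talking to."""
    hosts, ports = defaultdict(set), defaultdict(set)
    for proc, rhost, rport, _state in conns:
        hosts[proc].add(rhost)
        ports[proc].add(rport)
    return {p: (len(hosts[p]), len(ports[p])) for p in hosts}

def assess(lines, window_seconds=20, max_syn_per_sec=0.25, max_hosts=8):
    """Flag an excessive SYN rate and processes fanning out to many hosts.
    The thresholds are illustrative assumptions, not values from the deck."""
    conns = parse_connections(lines)
    rate = syn_rate(conns, window_seconds)
    suspects = [p for p, (h, _) in scan_indicators(conns).items() if h > max_hosts]
    return {"syn_rate": rate, "syn_flag": rate > max_syn_per_sec,
            "scan_suspects": sorted(suspects)}

if __name__ == "__main__":
    print(assess(CONSTRUCTED_LINES))
```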
  10. Applications - ESP
     • Integration of isolation, MBSA detection, user remediation.
     • Admin functions: init registration cycle, isolation/block MAC, configure isolation access.

  11. Applications - HealthChk
     • Integration of isolation and compromise detection for assisted detection and remediation.
     • Admin functions: convenient access to external utilities.

  12. Applications - Future
     • Create a remote HealthChk system.
       • User runs detection and remediation tools remotely; support for Linux?
     • Other applications?
       • Managed environment use – encourage users to use automated systems; no isolation, enforcement via email reminders.

  13. More Information
     • http://www.utoronto.ca/security/UTORprotect
     • http://security.internet2.edu/netauth
     • http://www.netreg.org