Automating Endpoint Security Policy Enforcement

1. Automating Endpoint Security Policy Enforcement Computing and Networking Services University of Toronto

2. Unmanaged ‘Endpoints’ Systems not proactively managed by University IT staff: 7000 student residents – Sept & Jan overload. 12000 active unique wireless user accounts. Subject to: Missing OS updates, missing/expired AV protection, unsupported/pirated OS/SP. Already compromised – spyware, V / W / T. Computing and Networking Services University of Toronto

3. Automation Framework Computing and Networking Services University of Toronto

4. Isolation IP based – DHCP using two address pools, routable and non-routable (SWU Netreg) with full DNS. HTTP control (Squid) – configure access for users in restricted zone. Dynamic firewall port control (IPtables) – block services in restricted zone – except for IDS test interval Computing and Networking Services University of Toronto

5. Detection Framework Active Scanning from external source, eg. Nmap, Nessus. Passive Monitoring network traffic, eg. Tcpdump, Snort. Agent Client software, continuous or run-once. Computing and Networking Services University of Toronto

6. Detection Implementation Vulnerability Missing critical patches: MBSA (cli version) Missing antivirus: registry check and wmic Weak passwords: John the Ripper Insecure user configuration: user privileges, AutoUpdates, root cert audit Compromise Virus/worm/trojan: IDS (Snort, TCPView), Microsoft MSR* Spyware: Spybot cli Rootkit: RootkitRevealer Computing and Networking Services University of Toronto

7. Remediation Vulnerability WindowsUpdate (user) Install SAV (user) Weak passwords (user) Insecure user configuration (user-run wizard) Compromise Virus/worm/trojan: SAV scan, TrendMicro Sysclean, Microsoft MSR Spyware: (user-run Spybot) Rootkit: (assisted ) Computing and Networking Services University of Toronto

8. Tools in Detail Wizard UI CLI utilities wrapped using open source Windows installers: NSIS, InnoSetup. Provides familiar wizard user interface for detection/remediation tools. Provides ‘run-once’ function – no installation required. API includes registry read/write, cookie writing. Two formats – stand-alone and server integration. MBSA Detection of all critical updates available day of release, also detects updates to existing versions. Computing and Networking Services University of Toronto

9. Tools in Detail Password Audit Checks for blank password, password=username, dictionary lookup of words found in blended threats. IDS Snort check for host/port scan (20 sec. sample) Note: Isolation opened up to allow client server connections. TCPView check for excessive SYN rate. Computing and Networking Services University of Toronto

10. Applications - ESP integration of isolation, MBSA detection, user remediation. admin functions: init registration cycle, isolation/block MAC, configure isolation access. Computing and Networking Services University of Toronto

11. Applications - HealthChk integration of isolation, compromise detection for assisted detection and remediation. admin functions: convenient access to external utilities. Computing and Networking Services University of Toronto

12. Applications - Future Create a remote HealthChk system. User runs detection and remediation tools remotely, support for Linux? Other Applications? Managed environment use – encourage users to use automated systems, no isolation, enforcement via email reminders. Computing and Networking Services University of Toronto

13. More Information http://www.utoronto.ca/security/UTORprotect http://security.internet2.edu/netauth http://www.netreg.org Computing and Networking Services University of Toronto