Automating Endpoint Security Policy Enforcement
Computing and Networking Services University of Toronto
Unmanaged ‘Endpoints’
Systems not proactively managed by University IT staff:
7000 student residents – Sept & Jan overload.
12000 active unique wireless user accounts.
Subject to:
Missing OS updates, missing/expired AV protection, unsupported/pirated OS/SP.
Already compromised – spyware, V / W / T (virus / worm / trojan).
Automation Framework
Network Isolation sits between two detection ↔ remediation loops:
Vulnerability: Detection ↔ Remediation, e.g. Missing Patches ↔ user – WindowsUpdate; … ↔ …
Compromise: Detection ↔ Remediation, e.g. V / W / T ↔ user – SAV scan; … ↔ …
Isolation
IP based – DHCP using two address pools, routable and non-routable (SWU Netreg), with full DNS in both.
HTTP control (Squid) – configure which sites users in the restricted zone may reach.
Dynamic firewall port control (IPtables) – block services in the restricted zone, except during the IDS test interval.
Detection Framework
Active: scanning from an external source, e.g. Nmap, Nessus.
Passive: monitoring network traffic, e.g. Tcpdump, Snort.
Agent: client software, continuous or run-once.
Detection Implementation
Vulnerability
Missing critical patches: MBSA (cli version)
Missing antivirus: registry check and wmic
Weak passwords: John the Ripper
Insecure user configuration: user privileges, AutoUpdates, root cert audit
Compromise
Virus/worm/trojan: IDS (Snort, TCPView), Microsoft MSR*
Spyware: Spybot cli
Rootkit: RootkitRevealer
Remediation
Vulnerability
WindowsUpdate (user)
Install SAV (user)
Weak passwords (user)
Insecure user configuration (user-run wizard)
Compromise
Virus/worm/trojan: SAV scan, TrendMicro Sysclean, Microsoft MSR
Spyware: (user-run Spybot)
Rootkit: (assisted)
Tools in Detail
Wizard UI
CLI utilities wrapped using open source Windows installers: NSIS, InnoSetup.
Provides a familiar wizard user interface for detection/remediation tools.
Provides a ‘run-once’ function – no installation required.
API includes registry read/write, cookie writing.
Two formats – stand-alone and server integration.
MBSA
Detects all critical updates available on the day of release; also detects updates to existing versions.
Tools in Detail
Password Audit
Checks for blank password, password = username, and dictionary lookup of words found in blended threats.
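The same three checks, written out as an added example rather than the University's own tooling (the page uses John the Ripper): each account's NT hash is tested against the blank password, the user name, and a short word list of the kind carried by blended-threat worms. The NT hash is MD4 over the UTF-16LE password; MD4 is implemented inline because hashlib frequently lacks it. The account list, dave's "strong" hash and the word list are constructed for the example.

```python
"""Password audit of the kind described above: blank password,
password = user name, and a dictionary of words of the kind found in
blended threats, checked against NT hashes (MD4 of the UTF-16LE
password). Constructed sample accounts; not a real account list."""
import struct
from typing import Dict, Iterator, Tuple

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, implemented here because hashlib often lacks it."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", bytes(msg[off:off + 64]))
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1
            a = _rotl((a + F(b, c, d) + X[i]) & _MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + G(b, c, d) + X[k] + 0x5A827999) & _MASK,
                      (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = _rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & _MASK,
                      (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0 = (a0 + a) & _MASK
        b0 = (b0 + b) & _MASK
        c0 = (c0 + c) & _MASK
        d0 = (d0 + d) & _MASK
    return struct.pack("<4I", a0, b0, c0, d0)


# Constructed word list in the style of blended-threat dictionaries.
THREAT_WORDS = ("password", "admin", "administrator", "root", "guest", "test",
                "owner", "server", "login", "123", "1234", "12345", "123456")


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le")).hex()


def candidates(username: str) -> Iterator[Tuple[str, str]]:
    """Guesses in the order the page lists the checks."""
    yield "", "blank password"
    yield username, "password equals user name"
    for word in THREAT_WORDS:
        yield word, f"dictionary word '{word}'"


def audit(accounts: Dict[str, str]) -> Dict[str, str]:
    """accounts: user name -> NT hash (hex). Returns user -> finding."""
    findings = {}
    for user, stored in accounts.items():
        for guess, reason in candidates(user):
            if nt_hash(guess) == stored.lower():
                findings[user] = reason
                break
    return findings


def sample_accounts() -> Dict[str, str]:
    """Constructed sample. dave's hash is arbitrary hex, not a real hash."""
    return {
        "alice": "8846f7eaee8fb117ad06bdd830b7586c",  # "password"
        "bob": "31d6cfe0d16ae931b73c59d7e0c089c0",    # blank password
        "carol": nt_hash("carol"),
        "dave": "0f1e2d3c4b5a69788796a5b4c3d2e1f0",
    }


if __name__ == "__main__":
    for user, reason in audit(sample_accounts()).items():
        print(f"{user}: {reason}")
```

Because NT hashes are unsalted, every candidate is hashed once and compared against all accounts; for a real residence population the word list would be the one actually observed in circulating worms, and the result feeds the "Weak passwords (user)" remediation step.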
IDS
Snort check for host/port scan (20 sec. sample). Note: the isolation firewall is opened up for the sample so that client/server connections can be observed.
TCPView check for an excessive SYN rate.
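The two IDS checks above, written out as an added example (not the page's tooling) as detection logic over a constructed 20-second sample of outbound SYNs: a Snort-style host sweep / port scan test on traffic from clients in the restricted zone, and a TCPView-style test for an excessive per-process SYN rate. The thresholds, addresses and process names are assumptions.

```python
"""The two IDS checks from the page as detection logic over a 20-second
sample of outbound SYNs: a Snort-style host/port scan check and a
TCPView-style per-process SYN-rate check. Traffic is constructed inline."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

SAMPLE_SECONDS = 20         # page: Snort check uses a 20 sec. sample
HOST_SWEEP_THRESHOLD = 10   # assumption: distinct destination hosts per source
PORT_SCAN_THRESHOLD = 10    # assumption: distinct ports on one destination
SYN_RATE_THRESHOLD = 20     # assumption: outbound SYNs per second per process


@dataclass(frozen=True)
class Syn:
    t: float     # seconds since the sample started
    src: str     # client address in the restricted zone
    dst: str
    dport: int
    proc: str    # owning process, as TCPView would show it


def in_window(syns: Iterable[Syn], start: float = 0.0,
              length: float = SAMPLE_SECONDS) -> List[Syn]:
    """Keep only SYNs seen while the isolation firewall was opened."""
    return [s for s in syns if start <= s.t < start + length]


def scan_check(syns: Iterable[Syn]) -> Dict[str, List[str]]:
    """Snort-style: flag sources sweeping many hosts or many ports."""
    hosts = defaultdict(set)
    ports = defaultdict(set)
    for s in in_window(syns):
        hosts[s.src].add(s.dst)
        ports[(s.src, s.dst)].add(s.dport)
    verdict: Dict[str, List[str]] = defaultdict(list)
    for src, dsts in hosts.items():
        if len(dsts) >= HOST_SWEEP_THRESHOLD:
            verdict[src].append(f"host sweep: {len(dsts)} hosts")
    for (src, dst), ps in ports.items():
        if len(ps) >= PORT_SCAN_THRESHOLD:
            verdict[src].append(f"port scan: {len(ps)} ports on {dst}")
    return dict(verdict)


def syn_rate_check(syns: Iterable[Syn]) -> Dict[str, int]:
    """TCPView-style: peak SYNs per second per process, above threshold."""
    per_second = Counter((s.proc, int(s.t)) for s in in_window(syns))
    peak: Dict[str, int] = {}
    for (proc, _sec), n in per_second.items():
        peak[proc] = max(peak.get(proc, 0), n)
    return {p: n for p, n in peak.items() if n > SYN_RATE_THRESHOLD}


def sample_traffic() -> List[Syn]:
    """Constructed sample: a worm-like sweep, a port scan, normal browsing."""
    syns = []
    # 10.20.0.17: an unknown process hits port 445 on 100 hosts at 50 SYN/s
    for i in range(100):
        syns.append(Syn(i / 50, "10.20.0.17", f"10.20.1.{i + 1}", 445, "unknown.exe"))
    # 10.20.0.33: 30 ports on one host over two seconds (15 SYN/s)
    for j in range(30):
        syns.append(Syn(j / 15, "10.20.0.33", "10.20.0.5", 1 + j, "nmap.exe"))
    # 10.20.0.44: a browser talking to three web servers
    for k, host in enumerate(["10.30.0.1", "10.30.0.2", "10.30.0.3"]):
        syns.append(Syn(2.0 + k, "10.20.0.44", host, 80, "iexplore.exe"))
        syns.append(Syn(2.5 + k, "10.20.0.44", host, 443, "iexplore.exe"))
    return syns


if __name__ == "__main__":
    traffic = sample_traffic()
    print(scan_check(traffic))
    print(syn_rate_check(traffic))
```

The two checks are complementary: the network view catches the port scanner whose per-second rate stays under the SYN threshold, while the host view names the process behind the sweep, which is what the assisted compromise remediation needs.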
Applications - ESP
Integration of isolation, MBSA detection, and user remediation.
Admin functions: init registration cycle, isolation/block MAC, configure isolation access.
Applications - HealthChk
Integration of isolation and compromise detection for assisted detection and remediation.
Admin functions: convenient access to external utilities.
Applications - Future
Create a remote HealthChk system.
User runs detection and remediation tools remotely; support for Linux?
Other Applications?
Managed environment use – encourage users to use the automated systems, no isolation, enforcement via email reminders.
More Information
http://www.utoronto.ca/security/UTORprotect
http://security.internet2.edu/netauth
http://www.netreg.org