NAC vendors have responded to customer needs for endpoint security with a wide range of endpoint scanning functionality. Some solutions use agentless scans to check for known vulnerabilities, and other solutions include downloadable agents that take a more in-depth inventory of machine security. Before analyzing the advantages and tradeoffs between downloadable agents and agentless approaches, you first need to focus on what you can look for on these machines.
One of the most commonly used types of endpoint security policies are those that verify the presence, operation, and up-to-date nature of third-party endpoint security applications — ranging from personal firewall and antivirus applications to anti-spyware and disk encryption suites. Essentially, these types of policies ensure that endpoints connected to your network have the appropriate self-protection mechanisms in place. Not all NAC solutions are equal in their capabilities. Your NAC solution needs to do more than simply look at a registry setting or search for a file to ensure that the endpoint device has a certain antivirus package installed, for example. Your NAC solution should ensure that the endpoint device has active protection enabled.
Operating system scans allow you to verify the operating system (OS), and potentially the service pack, of the incoming endpoint device.
This information can help you to verify which type(s) of additional endpoint security mechanisms you want to put in place. You might have a different endpoint security policy for a Windows XP SP2 device than you might have for a Windows CE or Macintosh OS device. Even within something like the Windows OS, you might have some differentiation — for example, you might have a different corporate standard personal firewall on Windows XP machines versus Windows Vista machines.
Scanning for antivirus applications is one of the most common types of policy implemented for endpoint scanning in NAC environments. Organizations want to ensure that machines connecting to their networks have an appropriate level of protection, and most NAC deployments require the presence of an antivirus application when it comes to verifying endpoint integrity.
Most NAC vendors offer a solution that verifies not only that the machine has an antivirus application installed, but also that the application is running and up to date. Some of the available policies on the market include
Verifying installation of a particular version or vendor of antivirus solution(s)
Verifying that the system has real-time protection actively enabled
Verifying that virus signatures are fully up to date or that they've been updated at some point in the recent past, depending on your policy
Ensuring that the antivirus application has completed a successful full system scan in the recent past (within a number of days that you choose)
Depending on your organization's security policy, you might want to verify one or more of those attributes related to an antivirus application.
Organizations deploying NAC commonly check to ensure that a personal firewall is installed and enabled as an endpoint security measure. This scan ensures that the endpoint device has active protection enabled.
With the number of highly visible data-loss incidents in the news, disk encryption is becoming more popular by the day. These scans allow you to ensure that the sensitive data on a mobile device's hard disk is secured and encrypted.
Scanning for appropriate backup software isn't necessarily a security mechanism, but it can help you verify, for example, that there is properly stored corporate data on a laptop in case the laptop is stolen, lost, or damaged.
NAC antispyware policies ensure that the machine has an anti-spyware application running and actively protecting the system, not only installed.
Many organizations fear peer-to-peer applications because they can inadvertently download viruses or malware, and because the access could potentially allow an intruder to get into a machine. NAC products are increasingly beginning to scan for these types of applications so that you can verify their presence and, if necessary, shut them down before allowing the user to have full access to the network.
Figure 9-2 depicts a typical policy grid that you might enable on a group of devices in your network — managed devices, for example.
In today's world, new application and operating system vulnerabilities are discovered on a daily, even hourly, basis. Hackers are increasingly motivated by profit, rather than by fun and glory, so exploitation of these vulnerabilities happens alarmingly fast. As a result, you absolutely must appropriately patch operating systems, middleware, applications, and so on as often as possible.
Virtualization and data center management technologies allow the administrator to easily take machines offline, patch them, and then bring them back online with minimal user disruption.
Outside the data center, however, it's an entirely different ball game because of all the different types of devices on the average corporate network. These devices are often mobile in nature, coming into the corporate network at different times throughout the day. More frighteningly, the devices also connect to other, potentially insecure, networks. These devices might hold intellectual property, customer information, or sensitive financial data, so you need to both
Scan these machines when they come onto the network (to protect the network and network assets)
Ensure, at least on a periodic basis, that NAC can patch the device to protect against known exploits, thereby protecting the data on that machine.
To help solve this problem, many NAC solutions offer a mechanism that checks the endpoint machine for required patches prior to allowing it on the network. Because available patches change on a continual basis, NAC servers implementing this type of scan typically include some sort of update mechanism that allows them to stay up to date and dynamically enforce policies that scan for new patches.
For example, Microsoft sticks to a monthly release schedule for their new patches on what they call Patch Tuesday. After Microsoft releases these new patches, most NAC vendors publish new patch scans as soon as possible. The NAC vendor dynamically updates the NAC server, and then NAC enforces those new policies for new sessions or for policy re-evaluations.
But what to scan for? A fully loaded system might have dozens, or even hundreds, of applications available to the user. Do you need to ensure that every single application is fully patched and up to date?
Most patches are classified by severity, so you probably don't have to scan every single one.
When these patches are released, you might determine that the potential impact of some high-severity vulnerabilities is higher than others, so you want to make sure that all devices have these corresponding patches installed.
For example, in the retail marketplace, your customer relationship management (CRM) software might have a critical vulnerability that the vendor recently patched. You want to ensure that endpoint systems have this patch installed, but you don't really need to worry about whether your endpoint machines patched iTunes correctly.
Most organizations trust the machines that they own and manage more than foreign devices when it comes to accessing networks. Your organization can control the patch levels, software distribution, and (to some extent) who uses a managed device. As a result, you probably feel more comfortable providing access to sensitive corporate data from these machines.
If you find yourself in this boat, you might be looking for a programmatic way to identify your own machines versus others. You can make this identification easily enough when you can look at the PC and see your corporate asset tracking bar code or other physical identification, but your NAC solution may have problems differentiating between two seemingly identical Windows XP SP2 machines that have nearly the same installed software — only one of which is a corporate-managed laptop.
Over the years, we've seen customers use many different methods to accomplish this identification step, some of which are more secure than others. Because of the native, custom endpoint security scans that many NAC solutions provide, people have come up with these unsecured and easily bypassed tricks:
Registry setting identification: Some administrators hide information in Windows registries to identify corporate assets. This information creates a method of security by obscurity — although end users can easily spoof this secret registry setting, the administrators assume that no one will likely come across this secret and identify it.
Secret files: Similar to the registry setting, this scheme relies on security by obscurity, but instead of hiding information in the registry, the administrator hides a file somewhere in the file system where no one will likely find and delete it. The administrator then uses a custom scan to find this file and identify the machine.
MAC address: This technique involves storing the MAC address(es) of a user's machine in the corporate directory or somewhere accessible by the NAC solution. When the user logs in, the NAC solution extracts the MAC address of the endpoint machine and compares that address to the one stored in the directory. If the addresses match, NAC considers the machine managed.
To move beyond these less secure options, many companies have begun using a more secure method of device identification — machine (or computer) certificates. If you're looking for a secure way to identify corporate assets, machine certificates might be your best bet.
Machine certificates are standard X.509 digital certificates, similar to what you might find on a Web server or for user identification (such as in a smart card or USB drive). The key distinction between machine certificates and user certificates, however, is that machine certificates are stored in the computer or machine on the endpoint device, and NAC uses them to identify the machine, not the user. So, for example, a Web browser doesn't present these certificates to the user as identification. NAC must have another mechanism in place to extract and validate the certificate.
In many cases, you may not be able to have any type of software presence on a particular machine or device on the network:
Some machines, such as printers, for example, can't have software added.
Other machines might be outside of your organization's management control and completely locked down, making it impossible for you to install even simple Java or ActiveX dissolvable host-based scanning agents.
For these reasons, some NAC vendors allow remote vulnerability scanning — with no endpoint presence whatsoever. You can use two primary methods for remote vulnerability scanning:
Some methods actually look at the PC itself — for example, scanning the Windows registry to determine which patches the device has installed.
Other methods, such as Nessus and NMAP, take a more active approach by attempting various exploits against the endpoint device to determine how well it's patched.
Trusted Platform Module and the lying endpoint problem
Any security technology has strong solutions, and then even stronger solutions. Although machine certificates are much more secure than some other possibilities, some security professionals still question whether the machine certificate really is secure. The lying endpoint problem goes beyond just verifying machine certificates because a compromised machine might also, for example, state that it's healthy when it really isn't. Luckily, most modern laptop and desktop computers are equipped with a special cryptographic processor known as the Trusted Platform Module (TPM). You can use TPMs, which the Trusted Computing Group (www.trustedcomputinggroup.org) devised and made popular, for many functions — ranging from disk encryption to machine authentication to machine integrity verification. Because the TPM is hardware-based, it doesn't have the same vulnerabilities that might cause harm to an operating system or the applications running on that OS. You can find a wealth of information on the Trusted Platform Module specification, systems containing TPM chips, and implementation of TPM for a wide range of secure operations online by doing a simple search on Google (www.google.com) or Wikipedia (www.wikipedia.org).
You might find yourself wanting to scan endpoint devices for certain applications, patches, or other types of information that the predefined list of applications provided by your vendor doesn't include. For example, instead of scanning for a known personal firewall, your organization might have implemented its own endpoint security application. Or you may want to scan for some endpoint security application that's available from an outside vendor, but for which your vendor hasn't yet provided a predefined policy. You don't have to stick with predefined parameters.
Many NAC vendors offer you the ability to create your own custom endpoint integrity policies, which allow you to scan for such attributes on a system as
Presence or absence of certain files on the file system
Whether a particular process is running on the endpoint
The MD5 checksum of that process
Particular registry settings
Taken in conjunction, these scans can provide you with
A picture of whether a particular application is running on the system
Customized information that you might find applicable to access control for your organization, as set forth in the corporate security policy
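As an added example (not code from this chapter or from any NAC vendor), here is a small policy evaluator in Python that applies the antivirus checks listed earlier and this custom-scan list (file presence, running process, MD5 of the binary, registry value) to a constructed posture report such as an agent or agentless scan might return. The file path, process name, registry key, file bytes and dates are hypothetical sample values, and the fixed date stands in for "now" so the result is repeatable.

```python
import hashlib
from datetime import date, timedelta

TODAY = date(2008, 3, 12)  # fixed "now" so the example is deterministic

# Constructed posture report, as an agent or agentless scan might return it.
# The path, process name and registry key are hypothetical sample values.
KNOWN_GOOD_BINARY = b"corp firewall binary v1.2"  # stand-in for the real file bytes
POSTURE = {
    "antivirus": {"installed": True, "realtime": True,
                  "signature_date": date(2008, 3, 10), "last_full_scan": date(2008, 2, 20)},
    "files": {r"C:\Program Files\CorpFW\fw.exe": KNOWN_GOOD_BINARY},
    "processes": ["fw.exe"],
    "registry": {r"HKLM\SOFTWARE\Corp\Firewall\Enabled": 1},
}

def check_antivirus(av, max_sig_age_days=7, max_scan_age_days=30):
    """Return failed antivirus checks (empty list means the AV policy passes)."""
    if not av.get("installed"):
        return ["antivirus not installed"]  # nothing else is meaningful
    failures = []
    if not av.get("realtime"):
        failures.append("real-time protection disabled")
    if TODAY - av["signature_date"] > timedelta(days=max_sig_age_days):
        failures.append("virus signatures out of date")
    if TODAY - av["last_full_scan"] > timedelta(days=max_scan_age_days):
        failures.append("no recent full system scan")
    return failures

def check_custom(posture, path, process, expected_md5, reg_key, reg_value):
    """Custom integrity policy: file present, its MD5 matches, process running, registry set."""
    failures = []
    data = posture["files"].get(path)
    if data is None:
        failures.append("file missing: " + path)
    elif hashlib.md5(data).hexdigest() != expected_md5:
        failures.append("MD5 mismatch (tampered or wrong version): " + path)
    if process not in posture["processes"]:
        failures.append("process not running: " + process)
    if posture["registry"].get(reg_key) != reg_value:
        failures.append("registry check failed: " + reg_key)
    return failures

def evaluate(posture):
    """Combine both policies into an access decision plus a remediation list."""
    failures = check_antivirus(posture["antivirus"])
    failures += check_custom(posture, r"C:\Program Files\CorpFW\fw.exe", "fw.exe",
                             hashlib.md5(KNOWN_GOOD_BINARY).hexdigest(),  # recorded at deployment
                             r"HKLM\SOFTWARE\Corp\Firewall\Enabled", 1)
    return ("full access" if not failures else "quarantine", failures)
```

The remediation list is what a NAC server would hand to the user or to a remediation system; a single failed check is enough to move the session to quarantine.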
Some NAC systems, by using either open standards or proprietary application programming interfaces (APIs), can provide an extensible mechanism that can scan for additional types of endpoint security software that the native scans provided by the NAC vendor don't cover.
For example, your patch remediation system might have a client-side component that NAC needs to determine its operating system. Through these APIs, even if the NAC product doesn't have the ability to query the patch remediation client natively, NAC can still scan the client and use the results in the access control decision. In Chapter 13, we delve into NAC standards.