TRANSCRIPT
© 2005,2006 NeoAccel Inc.
Training
Endpoint Security
Helen of Troy
Troy had the strongest walls, and hence it was impossible to break into the city.
The Trojans were led by Hector, the best of the many sons of Priam!
The Trojans had deployed defensive perimeters to keep enemies from breaking through the gate and wall!
Troy and Trojans
The only point of access into the city was through the “Gate”.
The Greeks fought for 10 years, but could not get through Troy’s defenses!
Break into perimeter security
Trojan Horse!!! Sinon misled the Trojans by telling them that Odysseus was now his enemy.
Come to the 21st Century
Corporate Network
Access to only known services
Managed LAN hosts accessing managed servers and resources
24x7 managed control and corporate policy compliance
Perimeter Security
A Hole in Perimeter Security
Corporate Network
Remote access for authorized users
Remote Access Server, right there sitting in your LAN, providing access to your managed resources
Unmanaged or out-of-control access point
What’s the security risk?
The user may be authorized, but the medium of access, the host machine, may not be!
“We have strong authentication mechanisms. Only authorized users can access the network. What’s the security risk?”
An authentic, authorized user will run only authorized applications, but other hidden programs like viruses, trojans and spyware are free birds!
They can access what the user should not be accessing.
Example…
An authorized user, knowingly or unknowingly, may lead to a security breach.
Of course you are carrying a passport, but you still need to get through the security check.
Authentication alone is not enough for secure remote access.
Showing your passport at the airport
Then what!
We need a mechanism to deploy effective Endpoint Security Policy Management and Compliance.
NeoAccel SSL VPN-Plus has this feature, and we call it EndPoint Security (EPS).
End Point Security: Introduction
EPS is meant for the security of the user’s machine, and hence secures the corporate network.
EPS checks whether the user’s machine complies with corporate policies and can be allowed to connect to the corporate network.
e.g. it should have:
• Anti-virus software running
• Firewall running
• Latest security patches
• Etc.
Your luggage is checked at the airport for explosives and sharp objects; your health status is also checked.
End Point Security: Introduction
EPS scans the user’s machine and decides the trust (security) level (or zone) of the machine; you are granted access based on the zone your machine falls into.
EPS is authorization of your machine. The trust level set by your identity is always overridden by the trust level of your machine.
SSL VPN-Plus: Endpoint Security
The remote user logs in using the NeoAccel SSL VPN-Plus Client.
The client scans the host machine for required software and cleanliness:
• Check for Firewall
• Check for OS Patches
• Check for Anti-Spyware
• Check for Desktop Search engine
• Check for Browser Security Settings
• Check for Key loggers
• Check for IP-forwarding & network bridging
• Check for Antivirus
• Check for customized files/process/service/port
Real-time end-point security checks keep the host safe.
The security level of the host machine is calculated and sent to the NeoAccel SSL VPN Plus Gateway.
Depending upon the security level, the Gateway decides how much access is given to the remote user:
• Remote desktop
• Web-mail (http)
• File sharing
• FTP
• Private network resources
System Architecture
NeoAccel Management Server
• Endpoint Security Zone Definition File: Zone name, Zone Trust Level, Associated EPS policy list, Associated ACL list
• Endpoint Security Policy Database: Rules to scan host machine
• User information database: Group, password (if local database)
• Group Definition File: Group name, Group ID, Associated Users, Associated ACL list, Authentication server type and address
• Access Control Policy Database
Data flows: Input to Gateway; Input to Gateway; Input to Client through gateway
Endpoint security Client DAT file: EPS policy and Zone levels
Level 1: Endpoint host integrity based authorization mechanism. Highest priority.
Level 2: User identity based authorization mechanism. Lower priority.
Level 1 Authorization: Endpoint host machine integrity based
Components: User; NeoAccel Client Application (Host Scanning Engine, Host Scanning DAT file); NeoAccel Gateway Module (Endpoint Security Zone Definition File: Zone name, Zone Trust Level, Associated EPS policy list, Associated ACL list; Access Control Policy Database)
Endpoint security Client DAT file: EPS policy and Zone levels
• User: Login
• TCP & SSL Handshake
• Login challenge handshake protocol starts
• Client sends client information: Client Version, EPS DAT Version
• If an upgraded client is available, gateway sends upgrade notification
• If a new version of the DAT file is available, gateway sends the EPS DAT file; client updates its DAT file from the gateway
• Client reads the rules to execute, scans the host and calculates the security level
• Gateway queries the current security level of the host machine; client sends the security level of the machine
• Gateway queries the Access Control Policies for the current zone level
• Gateway applies access control over this connection
EPS: Features
• Two levels of authorization
– Level 1: Trust level of machine
– Level 2: Identification of user
• Endpoint Security Policy Management Capabilities
• Can create 40 security zone profiles
• Most intuitive and easiest interface to create EPS policies
• Check for system security settings and status and security software, or custom policies
• Browser cache cleanup, visited URL cleanup, cookies cleanup, downloaded program files, Java cache
• Blocks printing, copy-paste, saving files from browser to disk
• Factory default rules and policies for quick deployment
• Fine-grained custom policy creation UI
• Auto update of EPS policies
• Support on Windows and Linux
• Timely updates for EPS policy database with release of new software and service packs
EPS: Features…contd
• Option to specify information for users to troubleshoot or raise the security level of the machine
• Automatic enabling of certain mandatory services
• Sense presence/absence of specified applications/processes
– Notify user to install required applications
– Blocks black-listed applications
• Real-time scanning
• On-the-fly updating of ACLs in case a change in security zone is detected
• Provides architecture for Endpoint Vulnerability Checking for administrators
• Completely transparent to user
EPS Policy Definition Screen
Endpoint Security policies
EPS policies can be added/modified/deleted from here.
EPS Policy as set of EPS policies
Creating an EPS policy as a set of already existing EPS policies
EPS Policy as set of new rules
Add process/files/port/registry based rules
EPS Zone Creation screen
The lower the security level, the more stringent the EPS policies will be.
Associate EPS policies: a machine will fall in this zone if all the checked policies are satisfied.
Associate Access Control Policies, which will be applied to connections from host machines falling in this zone.
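The zone selection described on this screen, together with the two-level authorization from the architecture slides (machine trust overrides user identity), as an added example that is not NeoAccel’s code: constructed EPS policies are evaluated against a constructed host snapshot, the machine is placed in a zone, and the zone’s ACL caps the user’s group ACL. Policy and zone names, the rule kinds, the “higher trust level = more access” ordering and the ACL intersection are assumptions.

```python
# Added example, not NeoAccel code. Names, rule kinds and the host snapshot are
# constructed; zone ordering and ACL intersection are assumptions, not product facts.
# Constructed host snapshot, as a host scanning engine might report it.
SAMPLE_HOST = {
    "processes": {"avguard.exe", "explorer.exe"},
    "services": {"MpsSvc": "running", "wuauserv": "stopped"},
    "ip_forwarding": False,
}

# An EPS policy is a list of rules and passes only if every rule passes.
POLICIES = {
    "antivirus_running": [("process", "avguard.exe", True)],
    "firewall_running": [("service", "MpsSvc", "running")],
    "auto_update_on": [("service", "wuauserv", "running")],
    "no_ip_forwarding": [("flag", "ip_forwarding", False)],
}

# Zones: (name, trust level, required EPS policies, associated ACL).
ZONES = [
    ("trusted", 3, {"antivirus_running", "firewall_running", "auto_update_on",
                    "no_ip_forwarding"}, {"remote_desktop", "file_sharing", "webmail"}),
    ("restricted", 2, {"antivirus_running", "no_ip_forwarding"}, {"webmail"}),
    ("quarantine", 1, set(), set()),  # catch-all zone: no resources at all
]

def rule_passes(rule, host):
    kind, name, expected = rule
    if kind == "process":
        return (name in host["processes"]) == expected
    if kind == "service":
        return host["services"].get(name) == expected
    if kind == "flag":
        return host.get(name) == expected
    raise ValueError(f"unknown rule kind: {kind}")

def scan(host):
    """Level 1 scan: evaluate every EPS policy against the host snapshot."""
    return {p: all(rule_passes(r, host) for r in rules) for p, rules in POLICIES.items()}

def classify(results):
    """The machine falls in the highest-trust zone whose policies all pass."""
    for name, level, required, acl in sorted(ZONES, key=lambda z: -z[1]):
        if all(results.get(p, False) for p in required):
            return name, level, acl

def effective_access(host, group_acl):
    """Level 1 (machine trust) overrides Level 2 (user identity): intersect ACLs."""
    zone, level, zone_acl = classify(scan(host))
    return zone, level, sorted(zone_acl & group_acl)
```

With `SAMPLE_HOST`, the stopped auto-update service keeps the machine out of the trusted zone, so a user whose group allows remote desktop still reaches only web-mail.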
EPS: Custom Policies
• Can create custom policies for
  – Files
    • Modification time
    • Size
    • Version (binaries)
  – Process
    • Existence
    • Owner
    • Status
  – Registry
    • Values
    • Existence
  – Open ports
    • State: open/close/listen
  – Service
    • State
  – Digital signatures
    • Existence based on parameters: CN, private key
    • Validity
  – Loaded drivers
  – Key loggers
EPS: Factory defined policies
• Policies exist for
  – System security settings:
    • Browser type and version
    • Browser security level
    • IP forwarding
    • Bridging
  – System status:
    • OS version
    • Service packs
    • Security patches
    • Auto-update service status
  – Security software:
    • Anti-virus: TrendMicro, AVG, McAfee, Symantec, Sophos, Aladdin
    • Firewall: McAfee, TrendMicro, AVG, ZoneAlarm
    • Anti-spyware: Microsoft, McAfee, AVG, TrendMicro
    • Desktop Search Engines: Google
    • And many more…
EPS: Cache Cleanup
• Complete system monitoring to track the application cache or files saved from the private network to the local machine. Either the user is disallowed from saving the data, or it is cleaned after logout, depending upon the type of data stored.
• This feature is normally not present in full-access clients, or is implemented using third-party secure desktop products.
Scanning Status
This dialog may appear at the time of login (before authentication).
The dialog shows that the client machine does not satisfy all security policies. The user should enable the policies that have failed in order to get maximum access rights.
Enable Windows firewall for each physical adapter to pass the endpoint security check.
Virtual Keyboards
Virtual Keyboard to mitigate Key-logger threats.
Though the OS takes care of not displaying the password in plain text, it is still hackable. The SSL VPN-Plus Client never passes the password to the OS GUI, hence mitigating the threat from password crackers.