© 2005,2006 NeoAccel Inc. Training Endpoint Security

Page 1: Training - Endpoint Security

Page 2: Helen of Troy

Troy had the strongest walls, and hence it was impossible to break into the city.

The Trojans were led by Hector, best of the many sons of Priam!

The Trojans had a defensive perimeter to stop enemies from breaking through the gate and wall!

Page 3: Troy and Trojans

The only point of access into the city was through the “Gate”.

The Greeks fought for 10 years but could not get through the Trojan defense!

Page 4: Break into perimeter security

Trojan Horse!!! Sinon misled the Trojans by telling them that Odysseus was now his enemy.

Page 5: Come to the 21st Century

[Diagram: a corporate network behind perimeter security]

Corporate Network: access to only known services; managed LAN hosts accessing managed servers and resources; 24x7 managed control and corporate policy compliance.

Perimeter Security

Page 6: A Hole in Perimeter Security

[Diagram: the corporate network with a remote access server inside it]

Corporate Network: remote access to authorized users.

Remote Access Server, right there sitting in your LAN, providing access to your managed resources.

Unmanaged or out-of-control access point.

Page 7: What’s the security risk?

The user may be authorized, but the medium of access, the host machine, may not be!

“We have strong authentication mechanisms. Only authorized users can access the network. What’s the security risk?”

An authenticated, authorized user will run only authorized applications, but other hidden programs such as viruses, trojans and spyware are free birds!

They can access what the user should not be accessing.

Page 8: Example… showing your passport at the airport

An authorized user, knowingly or unknowingly, may cause a security breach.

Of course you are carrying a passport, but you still need to get through the security check.

Authentication alone is not enough for secure remote access.

Page 9: Then what!

We need a mechanism to deploy effective Endpoint Security policy management and compliance.

NeoAccel SSL VPN-Plus has this feature and we call it EndPoint Security (EPS).

Page 10: End Point Security: Introduction

EPS is meant for the security of the user’s machine, and hence secures the corporate network.

EPS checks whether the user’s machine complies with corporate policies and can be allowed to connect to the corporate network, e.g. it should have anti-virus software running, a firewall running, the latest security patches, etc.

Your luggage is checked at the airport for explosives and sharp objects; your health status is also checked.

Page 11: End Point Security: Introduction (contd.)

EPS scans the user’s machine and decides the trust (security) level, or zone, of the machine; you are given access based on the zone your machine falls into.

EPS is authorization of your machine. The trust level set by your identity is always overridden by the trust level of your machine.

Page 12: SSL VPN-Plus: Endpoint Security

[Diagram: remote user, NeoAccel SSL VPN-Plus Client, NeoAccel SSL VPN Plus Gateway, private network resources]

The user logs in using the NeoAccel SSL VPN-Plus Client.

The client scans the host machine for required software and cleanliness:

Check for Firewall

Check for OS Patches

Check for Anti-Spyware

Check for Desktop Search engine

Check for Browser Security Settings

Check for Key loggers

Check for IP-forwarding & network bridging

Check for Antivirus

Check for customized files/process/service/port

Real-time endpoint security checks keep the host safe.

The security level of the host machine is calculated and sent to the gateway.

Depending upon the security level, the Gateway decides how much access is given to the remote user: Remote desktop, Web-mail (http), File sharing, FTP, Private network resources.

Page 13: System Architecture

[Diagram: NeoAccel Management Server feeding the Gateway and, through the gateway, the Endpoint Security Client]

NeoAccel Management Server holds:

Endpoint Security Zone Definition File: zone name, zone trust level, associated EPS policy list, associated ACL list (input to Gateway)

Endpoint Security Policy Database: rules to scan the host machine (input to Client through the gateway, as the Endpoint Security Client DAT file carrying EPS policy and zone levels)

User information database: group, password (if local database)

Group Definition File: group name, group ID, associated users, associated ACL list, authentication server type and address

Access Control Policy Database (input to Gateway)

Level 1: endpoint host integrity based authorization mechanism. Highest priority.

Level 2: user identity based authorization mechanism. Lower priority.

Page 14: Level 1 Authorization (endpoint host machine integrity based)

[Sequence diagram between the User, the NeoAccel Client Application with its Host Scanning Engine and Host Scanning DAT file, and the NeoAccel Gateway Module with its Endpoint Security Zone Definition File (zone name, zone trust level, associated EPS policy list, associated ACL list) and Access Control Policy Database. The client holds the Endpoint Security Client DAT file with EPS policy and zone levels.]

Labelled steps:

TCP & SSL Handshake

Client sends client information: Client Version, EPS DAT Version

If an upgraded client is available, the gateway sends an upgrade notification

If a new version of the DAT file is available, the gateway sends the EPS DAT file; the client updates its DAT file from the gateway

Login challenge handshake protocol start; Login

Read rules to execute; scan the host and calculate the security level

Gateway queries the current security level of the host machine; client sends the security level of the machine

Query Access Control Policies for the current zone level

Apply access control over this connection
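The exchange in the diagram above, as an added example that is not part of the original deck and not NeoAccel’s software: a Python model of the labelled steps with both sides’ messages. The message names, version numbers, zone table and ACLs are constructed for illustration, since the deck describes no wire format, and the rule that the zone ACL can only narrow the user’s group ACL is an assumption made to model “trust level of the machine overrides trust level set by identity”.

```python
"""Added example, not NeoAccel's code: a plain-Python model of the client/gateway
exchange labelled in the Level 1 Authorization diagram. Message names, version
numbers, the zone table and the ACLs are constructed for illustration; the deck
does not describe the real wire format."""
from dataclasses import dataclass, field

# Constructed table shaped like the "Endpoint Security Zone Definition File":
# zone name -> trust level, associated EPS policies, associated ACL entries.
# Following the deck, the lower the level the more stringent the policies.
ZONES = {
    "trusted":    {"level": 1, "policies": {"firewall", "antivirus", "patches"},
                   "acl": {"webmail", "remote-desktop", "file-sharing", "ftp"}},
    "restricted": {"level": 2, "policies": {"firewall"}, "acl": {"webmail"}},
    "quarantine": {"level": 3, "policies": set(), "acl": {"remediation-portal"}},
}

def vtuple(version):
    """'2.10' -> (2, 10) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in version.split("."))

@dataclass
class Gateway:
    latest_client: str = "2.1"   # newest client build on offer (constructed)
    dat_version: int = 7         # newest EPS DAT file version (constructed)
    # Constructed DAT content: the policy names the scanning engine knows how
    # to evaluate. A stale DAT cannot credit a host for policies it lacks.
    dat_file: dict = field(default_factory=lambda: {
        "version": 7, "policies": ["firewall", "antivirus", "patches"]})

@dataclass
class Client:
    version: str = "2.0"
    dat: dict = field(default_factory=lambda: {
        "version": 5, "policies": ["firewall", "antivirus"]})

    def scan(self, host_facts):
        """Read rules from the DAT, scan the host and compute the zone.
        host_facts stands in for the scan: the set of policies the host meets."""
        satisfied = {p for p in self.dat["policies"] if p in host_facts}
        name, zone = min((z for z in ZONES.items() if z[1]["policies"] <= satisfied),
                         key=lambda z: z[1]["level"])
        return name, zone["level"]

def login_exchange(gateway, client, host_facts, username, group_acl):
    """Walk the diagram's labelled steps. Returns the message transcript and
    the ACL entries applied to the connection."""
    transcript = []
    # TCP & SSL handshake is assumed to have completed before this point.
    transcript.append(("client", "client-info", {
        "client_version": client.version, "dat_version": client.dat["version"]}))
    ack = {}
    if vtuple(client.version) < vtuple(gateway.latest_client):
        ack["upgrade_available"] = gateway.latest_client   # upgrade notification
    if client.dat["version"] < gateway.dat_version:
        ack["dat"] = gateway.dat_file                       # newer DAT file
        client.dat = dict(gateway.dat_file)                 # client updates its DAT
    transcript.append(("gateway", "client-info-ack", ack))
    # Login challenge: user identity, the deck's Level 2 authorization.
    transcript.append(("client", "login", {"user": username}))
    # Gateway queries the host's security level; client scans and reports it.
    transcript.append(("gateway", "query-security-level", {}))
    zone, level = client.scan(host_facts)
    transcript.append(("client", "security-level", {"zone": zone, "level": level}))
    # Gateway looks up the ACL for the reported zone and applies it. Assumption
    # modelling "machine trust overrides identity": the zone ACL can only narrow
    # what the user's group ACL allows, never widen it.
    effective = sorted(ZONES[zone]["acl"] & set(group_acl))
    transcript.append(("gateway", "apply-acl", {"allow": effective}))
    return transcript, effective

if __name__ == "__main__":
    group = {"webmail", "remote-desktop", "remediation-portal"}
    for facts in ({"firewall", "antivirus", "patches"}, {"antivirus", "patches"}):
        msgs, allow = login_exchange(Gateway(), Client(), facts, "alice", group)
        for sender, kind, body in msgs:
            print(f"{sender:>7} -> {kind}: {body}")
        print("access allowed:", allow, "\n")
```

Running it with a client whose DAT is older than the gateway’s shows why the DAT update step comes before the scan: a client left with the older DAT does not know the “patches” policy, so it can never report the host as belonging to the most trusted zone even when the host is fully patched.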

Page 15: EPS: Features

• Two levels of authorization

– Level 1: Trust level of the machine

– Level 2: Identification of the user

• Endpoint Security Policy Management capabilities

• Can create 40 security zone profiles

• Most intuitive and easiest interface to create EPS policies

• Checks for system security settings and status, security software, or custom policies

• Browser cache cleanup, visited URL cleanup, cookies cleanup, downloaded program files, Java cache

• Blocks printing, copy-paste, and saving files from the browser to disk

• Factory default rules and policies for quick deployment

• Fine-grained custom policy creation UI

• Auto update of EPS policies

• Support on Windows and Linux

• Timely updates for the EPS policy database with the release of new software and service packs

Page 16: EPS: Features (contd.)

• Option to specify information for users to troubleshoot or raise the security level of the machine

• Automatic enabling of certain mandatory services

• Senses presence/absence of specified applications/processes

– Notifies the user to install required applications

– Blocks blacklisted applications

• Real-time scanning

• On-the-fly updating of ACLs when a change in security zone is detected

• Provides an architecture for Endpoint Vulnerability Checking for administrators

• Completely transparent to the user

Page 17: EPS Policy Definition Screen

[Screenshot: Endpoint Security policies]

EPS policies can be added, modified or deleted from here.

Page 18: EPS Policy as a set of EPS policies

[Screenshot: creating an EPS policy as a set of already existing EPS policies]

Page 19: EPS Policy as a set of new rules

[Screenshot: add process/file/port/registry based rules]

Page 20: EPS Zone Creation screen

[Screenshot: zone creation screen]

The lower the security level, the more stringent the EPS policies will be.

Associate EPS policies: a machine will fall in this zone if all the checked policies are satisfied.

Associate Access Control Policies, which will be applied to connections from host machines falling in this zone.

Page 21: EPS: Custom Policies

• Can create custom policies for

– Files: modification time, size, version (binaries)

– Process: existence, owner, status

– Registry: values, existence

– Open ports: state (open/close/listen)

– Service: state

– Digital signatures: existence based on parameters (CN, private key), validity

– Loaded drivers

– Key loggers
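An added example, not code from the deck or from NeoAccel: a small rule engine for the custom policy kinds listed above (files, processes, registry, open ports, services), evaluated against a constructed host snapshot and mapped to a zone with the rule from the zone creation screen on page 20: a host falls in a zone only if every associated policy is satisfied, and the lower the level the more stringent the policies. The rule tuple syntax, policy names, zone names and every value in the snapshot are assumptions made for this example. It also returns the list of failed policies, which is the information the scanning status dialog (page 24) presents to the user.

```python
"""Added example, not NeoAccel's code: a small rule engine for the custom EPS
policy kinds the deck lists (files, processes, registry, open ports, services),
run against a constructed host snapshot and mapped to a zone: a host falls in a
zone only if every policy associated with that zone passes, and the lowest-level
zone carries the most stringent checks. Rule syntax, field names, policy names
and every value in the snapshot are assumptions made for this example."""
import copy

# Constructed host snapshot, as a scanning engine might collect it. Every entry
# is a dict of attributes so that one comparison routine serves all rule kinds.
HOST = {
    "file": {r"C:\Program Files\ExampleAV\av.exe": {"size": 1048576, "version": "5.2.0"}},
    "process": {"av.exe": {"owner": "SYSTEM", "status": "running"},
                "unwanted.exe": {"owner": "alice", "status": "running"}},
    "registry": {r"HKLM\SOFTWARE\Example\AutoUpdate\Enabled": {"value": 1}},
    "port": {3389: {"state": "listen"}, 445: {"state": "closed"}},
    "service": {"MpsSvc": {"state": "running"}, "wuauserv": {"state": "stopped"}},
}

def version_tuple(version):
    return tuple(int(p) for p in version.split("."))

def check_rule(rule, host):
    """rule = (kind, target, attribute, expected). 'exists' tests presence (so a
    blacklist rule expects False); 'min_version' compares dotted versions;
    any other attribute is an equality test on the collected value."""
    kind, target, attr, expected = rule
    entry = host.get(kind, {}).get(target)
    if attr == "exists":
        return (entry is not None) == expected
    if entry is None:
        return False          # an attribute of a missing object can never match
    if attr == "min_version":
        return version_tuple(entry["version"]) >= version_tuple(expected)
    return entry.get(attr) == expected

# Constructed policies: a named list of rules, all of which must pass.
POLICIES = {
    "antivirus": [("file", r"C:\Program Files\ExampleAV\av.exe", "min_version", "5.0.0"),
                  ("process", "av.exe", "status", "running"),
                  ("process", "av.exe", "owner", "SYSTEM")],
    "firewall": [("service", "MpsSvc", "state", "running")],
    "auto-update": [("service", "wuauserv", "state", "running"),
                    ("registry", r"HKLM\SOFTWARE\Example\AutoUpdate\Enabled", "value", 1)],
    "no-blacklisted-process": [("process", "unwanted.exe", "exists", False)],
    "smb-closed": [("port", 445, "state", "closed")],
}

# Constructed zone table (name, level, required policies, ACL), most stringent
# first: level 1 needs every policy, the quarantine zone needs none.
ZONES = [
    ("trusted", 1, list(POLICIES),
     ["webmail", "remote-desktop", "file-sharing", "ftp", "private-network"]),
    ("restricted", 2, ["antivirus", "firewall"], ["webmail"]),
    ("quarantine", 3, [], ["remediation-portal"]),
]

def evaluate_policies(host):
    """Map every policy name to whether all of its rules pass on this host."""
    return {name: all(check_rule(r, host) for r in rules)
            for name, rules in POLICIES.items()}

def assign_zone(host):
    """Return the most stringent zone whose policies all pass, plus the list
    of failed policies so the user can be told what to fix."""
    results = evaluate_policies(host)
    failed = sorted(p for p, ok in results.items() if not ok)
    for name, level, required, acl in ZONES:
        if all(results[p] for p in required):
            return {"zone": name, "level": level, "acl": acl, "failed": failed}

def remediated(host):
    """Constructed 'after the user fixed things' snapshot: auto-update service
    started and the blacklisted process gone."""
    fixed = copy.deepcopy(host)
    fixed["service"]["wuauserv"]["state"] = "running"
    del fixed["process"]["unwanted.exe"]
    return fixed

if __name__ == "__main__":
    for label, snapshot in (("before", HOST), ("after remediation", remediated(HOST))):
        print(label, assign_zone(snapshot))
```

Because the zones are walked from most to least stringent and the quarantine zone requires nothing, every host lands somewhere; the failed-policy list is computed once against all policies rather than only the chosen zone’s, so the user is told everything that stands between the machine and the most trusted zone.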

Page 22: EPS: Factory defined policies

• Policies exist for

– System security settings: browser type and version, browser security level, IP forwarding, bridging

– System status: OS version, service packs, security patches, auto-update service status

– Security software:

• Anti-virus: Trend Micro, AVG, McAfee, Symantec, Sophos, Aladdin

• Firewall: McAfee, Trend Micro, AVG, ZoneAlarm

• Anti-spyware: Microsoft, McAfee, AVG, Trend Micro

• Desktop search engines: Google

• And many more…

Page 23: EPS: Cache Cleanup

• Complete system monitoring to track application caches or files saved from the private network to the local machine. Either the user is not allowed to save the data, or it is cleaned after logout, depending on the type of data stored.

• This feature is normally not present in full-access clients, or is implemented using third-party secure desktop products.

Page 24: Scanning Status

[Screenshot: scanning status dialog]

This dialog may appear at the time of login (before authentication).

The dialog shows that the client machine does not satisfy all security policies. The user should enable the policies that have failed in order to get maximum access rights.

Enable Windows Firewall for each physical adapter to pass the endpoint security check.

Page 25: Virtual Keyboards

[Screenshot: virtual keyboard]

Virtual keyboard to mitigate key-logger threats.

Though the OS takes care not to display the password in plain text, it is still hackable. The SSL VPN-Plus Client never passes the password to the OS GUI, and hence mitigates the threat from password crackers.