
Rev. 6.41 7 – 1

Layer 4: Endpoint Integrity Module 7

Objectives

Despite strong authentication requirements and strict access control, network endpoint devices may continue to be a threat to network security. Even the most securely protected network can become threatened if a single network entry point is compromised. Likewise, a single authenticated and authorized user may unknowingly bring in a security threat once he or she begins accessing the network. To help deter threats such as these from internal sources, many software applications monitor and protect endpoint devices; this module is intended to raise your awareness of the many endpoint security applications available for this purpose.

After reading this module, you should be able to:

Describe how antivirus software on endpoint devices works to keep the network safe

Explain what a sandbox is and how it can prevent malware infections

Show how personal firewalls help protect against internal or Web-based attacks

Describe software patches and how they protect a network

Understand how network security solutions monitor and ensure endpoints’ security compliance



ProCurve Network Security Fundamentals

7 – 2 Rev. 6.41

Network Endpoints

Consider a corporation operating in a well-secured building. This corporation probably uses security guards, keys, and perhaps even biometrics to secure access to all areas of the building. Those in charge of the company do what they can to secure the building from the outside. However, this corporation, operating within a well-protected building, may still succumb to infiltration and theft if the employees are not vigilant: employees may be overly casual about following company security policies or make choices about their work environment without understanding the security implications.

For example, an employee may intentionally or inadvertently leave an office window open after hours. It may be that the employee simply wanted to keep the room from getting too warm or too stuffy and forgot to close it at the end of the day. Or perhaps someone doing maintenance in his office opened the window without the employee’s knowledge or consent. Either way, the open window presents a security vulnerability that can allow an attacker to enter the building.


In a network environment, endpoint devices such as servers, laptops, workstations, and personal digital assistants (PDAs) are employee resources that can be intentionally or inadvertently mishandled, opening security holes in the network. For example, an employee may disable the antivirus software to allow the workstation to boot up more quickly. Or the employee may install personal software that secretly includes malware, thereby unknowingly opening a window to the network.

To prevent this and other security risks, employers may require employees to abide by security standards, supervision requirements, and risk management policies. Similarly, network administrators can take steps to ensure that employee-handled and other network endpoint devices operate according to network security standards.

In this module, you will be introduced to networking technologies that help to implement and maintain network endpoint device security. These technologies include compliance monitoring, personal firewalls, sandboxes, software patches, and antivirus software.


Antivirus Software

Some of the most common and expensive network attacks are those from worms and viruses that access the network through endpoint devices. Not only can viruses and worms cause large amounts of damage and network downtime, but some well-known worms such as MyDoom and Sasser can also install malware and open back doors on infected devices, as well as use the infected devices to launch distributed-denial-of-service (DDoS) attacks.

To help prevent and mitigate the damage caused by worm and virus infections, you should install antivirus software on all endpoint devices. This is particularly true for devices that may have access to untrusted networks such as the Internet.

Antivirus programs provide two functions: they continuously scan the endpoint device for infections, and they manage infected files. Antivirus program components include:

Antivirus software—This is a software engine that scans the endpoint device and manages infected files.

Virus definition files—Antivirus software diagnoses infections based on the presence of small snippets of code that are exclusive to worms and viruses. These bits of code are called “signatures” and are used in virus definition files. Many viruses and worms share common propagation or infection code, so a particular antivirus signature may be able to detect multiple viruses or worms.


New definition files are continually created as new viruses and worms are discovered. New viruses and worms are analyzed, and an attack signature file is created and distributed by the antivirus software vendor. Keeping your definition files current gives your network endpoint devices the best chance of defending against new attacks.

Infection Detection Methods

Antivirus software detects the presence of a worm or virus by comparing endpoint system file code against known worm and virus signatures. However, while this is a reliable way to detect certain infections, it leaves the device vulnerable to polymorphic infections (in which the virus or worm produces varied copies of itself to elude detection) as well as to zero-day attacks (which spread quickly and can use a unique code that may not be detected by most antivirus software currently installed). Good antivirus software uses several methods in addition to signatures to discover and diagnose infections. These methods include:

Integrity checks—Viruses and worms often target specific OS files without which the endpoint device would not function. These files are opened and used at each device bootup, but are rarely altered or adjusted. Antivirus software can create a database of cyclic redundancy check (CRC) checksum values for these files and regularly check the file checksum against the stored checksum. If the values do not match, the antivirus software reports an infection warning.

Heuristic analysis—Infected devices almost always display certain behavior. For example, when a worm infects a workstation, it begins to generate and send emails to every address in the email address book. Using a heuristic algorithm, antivirus software can compare current endpoint behavior against typical endpoint behavior and known virus and worm infection behaviors. While this check may allow the antivirus software to detect zero-day and polymorphic infections, the method can also generate a large number of false positives.

Scans—Every file that is created, opened, saved, closed, or emailed can be scanned and compared against the virus definition files. Files on the device can also be scanned on demand. Scanning provides a reliable way to detect infections while producing a very small number of false positives. However, constantly scanning can occupy a large amount of processing power and be a drain on endpoint device resources.

For strong protection, particularly against zero-day and polymorphic infections, endpoint devices should use all three methods.
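The three detection methods above, as an added example that is not part of the ProCurve module: a Python script written for this page that baselines a constructed "system file" with a stored checksum, detects tampering (the integrity check), scans file contents for constructed sample signatures (the scan), and applies a mass-mail heuristic to constructed mail events (the heuristic analysis). The signature strings, the file name, the thresholds and the mail events are all assumptions made up for the example. The CRC-32 is the checksum the module describes; a SHA-256 is stored alongside it because a CRC can be matched deliberately by whoever controls the file contents, so a modern integrity checker relies on a cryptographic hash.

```python
import hashlib
import os
import tempfile
import zlib

# Constructed, harmless byte patterns standing in for the code snippets a
# vendor ships in its definition file. Real signatures are not this simple.
SAMPLE_SIGNATURES = {
    "Example.Worm.A": b"SEND_TO_ALL_CONTACTS",
    "Example.Dropper.B": b"OPEN_BACKDOOR_PORT",
}


def checksums(data):
    """CRC-32 as the module describes, plus SHA-256: CRC catches accidental
    corruption, but a file can be crafted to keep its CRC, so the stored
    value that actually protects against tampering is the cryptographic hash."""
    return {"crc32": zlib.crc32(data) & 0xFFFFFFFF,
            "sha256": hashlib.sha256(data).hexdigest()}


def build_baseline(paths):
    """The stored-checksum database for the protected OS files."""
    baseline = {}
    for path in paths:
        with open(path, "rb") as fh:
            baseline[path] = checksums(fh.read())
    return baseline


def verify_integrity(baseline):
    """Re-check every protected file; return those that changed or vanished."""
    changed = []
    for path, stored in baseline.items():
        if not os.path.exists(path):
            changed.append(path)
            continue
        with open(path, "rb") as fh:
            if checksums(fh.read()) != stored:
                changed.append(path)
    return changed


def scan_for_signatures(data, signatures=SAMPLE_SIGNATURES):
    """Signature scan: names of every known pattern found in the data."""
    return sorted(name for name, sig in signatures.items() if sig in data)


def mass_mail_heuristic(mail_events, address_book, window_seconds=60, threshold=20):
    """Heuristic for the behaviour the module describes: a burst of outbound
    mail that covers the whole address book. mail_events is a list of
    (timestamp_seconds, recipient); address_book is a set of addresses.
    Returns True when the endpoint looks infected (assumed thresholds)."""
    if not mail_events:
        return False
    times = sorted(t for t, _ in mail_events)
    burst = False
    for i, start in enumerate(times):
        in_window = [t for t in times[i:] if t - start <= window_seconds]
        if len(in_window) >= threshold:
            burst = True
            break
    recipients = {r for _, r in mail_events}
    return burst and address_book <= recipients


def demo():
    """Create a constructed 'system file', baseline it, tamper with it, and
    run the integrity and signature checks against it."""
    with tempfile.TemporaryDirectory() as workdir:
        sysfile = os.path.join(workdir, "boot.cfg")  # constructed file name
        with open(sysfile, "wb") as fh:
            fh.write(b"boot=normal\n")
        baseline = build_baseline([sysfile])
        clean = verify_integrity(baseline) == []
        with open(sysfile, "ab") as fh:              # simulated infection
            fh.write(b"SEND_TO_ALL_CONTACTS\n")
        tampered = verify_integrity(baseline) == [sysfile]
        with open(sysfile, "rb") as fh:
            hits = scan_for_signatures(fh.read())
    return clean, tampered, hits


if __name__ == "__main__":
    print(demo())
```

Each check has the trade-off the module names: the integrity check only fires on files that were baselined, the signature scan only knows patterns in its definition list, and the heuristic will also flag a legitimate mass mailing, which is why the thresholds are a tuning decision rather than a constant.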


Infection Management

Once a worm or virus is diagnosed, the infection must be handled to prevent further spread and damage. Antivirus software handles an infection in one of three ways:

It repairs the file—In cases where the virus that is infecting the endpoint is known and well understood, the virus code can be deleted from the file.

It deletes the file—When a worm file or virus-infected file is discovered, the quickest way to nullify the infection is to delete the file. You should delete infected non-essential files.

It quarantines the file—In some cases, the infected file is important or necessary for normal device operation. In cases such as this, the file cannot be deleted. If the file cannot be repaired or deleted, it can be quarantined. Quarantine prevents further damage to the network and endpoint device by restricting the infected file from being opened or altered by endpoint applications. However, quarantined files may be eventually repaired: virus definition files sometimes include updates that allow the antivirus software to repair previously quarantined files.

Installing antivirus software on every network endpoint will protect your network in two ways: endpoint devices with access to untrusted networks will be protected from known attacks from outside, and they will be protected from known worms and viruses that might gain access to the internal network.

Viruses and worms are not the only attacks that threaten network endpoints. While antivirus software can protect endpoints from self-replicating code-based attacks, the next endpoint security measure can protect servers and workstations from methodical attacks that use seemingly legitimate traffic.

Further Reading

Many vendors offer antivirus software. For more information on antivirus solutions, you can look up vendor Web sites or whitepapers, or go to http://en.wikipedia.org/wiki/Antivirus_software.


Personal Firewalls

Every network should have a perimeter firewall to protect all internal network devices. Perimeter firewalls can protect against attacks that use seemingly legitimate traffic: spoofing, malformed packet attacks, and some DoS attacks. However, the perimeter firewall does not protect against attacks that originate from internal sources such as infected laptops. Firewalls installed on network endpoints can add a much-needed additional layer of protection.

Personal firewalls work in a similar manner to network perimeter firewalls. Both types of firewalls check traffic at multiple layers, serve as a barrier against network attacks, and permit or deny traffic based on a security policy. This security policy defines which types of traffic will be blocked. Based on the security policy, personal firewalls can:

terminate or block a connection when an intrusion is suspected

check traffic at Layers 3 and 4 to permit or deny traffic based on source and destination IP address and TCP/UDP flag logic, and to protect the device against malformed packets

look at Layer 7 processes to decide access permission (to connect to a particular port, for example)
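The policy evaluation just listed, as an added example that is not part of the ProCurve module and not any vendor's product: a small Python rule engine written for this page that checks a packet's Layer 3 and 4 fields (addresses, protocol, port, TCP flag logic), rejects malformed TCP segments before consulting the policy, and uses the local process name as the Layer 7 criterion. The addresses, the rule set, the process names and the "ask" action (the instance control described on the next page) are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    direction: str        # "in" or "out" relative to the endpoint
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0
    flags: frozenset = field(default_factory=frozenset)  # TCP flags set
    app: str = ""         # local process involved (the Layer 7 criterion)


@dataclass
class Rule:
    action: str           # "permit", "deny" or "ask" (query the user)
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dports: tuple = ()    # empty means any port
    apps: tuple = ()      # empty means any process
    new_only: bool = False  # match only connection attempts (SYN without ACK)

    def matches(self, pkt):
        if self.direction != "any" and self.direction != pkt.direction:
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        if self.apps and pkt.app not in self.apps:
            return False
        if self.new_only and not ("SYN" in pkt.flags and "ACK" not in pkt.flags):
            return False
        return True


def is_malformed(pkt):
    """Flag-logic checks applied before the policy: SYN together with FIN or
    RST never occurs in a legitimate handshake, and a TCP segment with no
    flags at all is not valid traffic either."""
    if pkt.proto != "tcp":
        return False
    f = pkt.flags
    return ("SYN" in f and ("FIN" in f or "RST" in f)) or len(f) == 0


def evaluate(policy, pkt):
    """First matching rule wins; anything unmatched is denied by default."""
    if is_malformed(pkt):
        return "drop-malformed"
    for rule in policy:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed policy for a laptop at 10.1.20.7 on a 10.1.0.0/16 LAN:
# inbound SSH only from the assumed admin subnet, no other inbound
# connection attempts, known applications may browse, any other process
# opening a connection triggers a user query, and established traffic flows.
LAPTOP_POLICY = [
    Rule("permit", "in", "tcp", src="10.1.99.0/24", dports=(22,), new_only=True),
    Rule("deny", "in", "tcp", new_only=True),
    Rule("permit", "out", "tcp", dports=(80, 443), apps=("browser", "updater")),
    Rule("ask", "out", new_only=True),
    Rule("permit"),
]


if __name__ == "__main__":
    probe = Packet("in", "10.1.20.9", "10.1.20.7", "tcp", 22, frozenset({"SYN"}))
    print(evaluate(LAPTOP_POLICY, probe))
```

The default-deny at the end of `evaluate` is the property worth keeping when the rule list grows: a packet that no rule describes is treated as unwanted rather than silently allowed.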


Personal firewalls also have the following advantages:

Antivirus capabilities and malware removal—Personal firewall software can be a complete solution, providing attack checking, antivirus software, and malware removal tools.

Instance control—Rather than immediately drop all requests associated with suspicious behavior, personal firewalls can query the user for instructions in certain instances. For example, many of today’s firewalls include provisions for non-network applications attempting to access the Internet. When an application attempts to transmit traffic over the Internet, the firewall may query the user about whether to allow the transmission. This sort of control provides a good level of security while also allowing the user to maintain productivity.

The benefits of personal firewalls may be offset by various costs: the difficulty of widespread deployment, vulnerabilities specific to personal firewalls, and false positives.

Deployment—Personal firewalls must be installed and maintained on every network endpoint device. Teaching all users of personal firewalls to distinguish between legitimate Internet-related traffic and requests to open potentially harmful connections is a formidable task for any IT department.

Vulnerabilities—Personal firewalls can be subverted by some worms and malware programs. These programs can use, disable, or corrupt the firewall software, making the endpoint (and the network) vulnerable. For example, the Witty Worm can target a personal firewall and use it to overwhelm the device’s processing power.

False Positives—When a firewall flags traffic that is not truly a threat, it has found a false positive. While false positives do not seem to pose a threat, they can lead users to take steps that do. For example, instance control provides end users with the flexibility to securely access the Internet services they need to maintain productivity. However, instance control can also produce a great many security notices and queries with which users may tire of dealing. Unaware of the potential threat, end users may start to simply click “OK” to every query without reading the notice, allowing malware or network attacks to succeed despite the firewall.

Yet with all of the difficulties, the advantages of implementing personal firewall software on network endpoints outweigh the disadvantages. The additional layer of protection can prevent successful internal attacks as well as intrusions that seek to attack the network through its weakest links. It is also good to remember that many times “traveling” employees will use their laptops inside of unsecured networks such as at coffee shop hotspots, airports, and hotels, often over wireless connections. Attackers can easily wait for the unsuspecting employee to begin work in this “open” environment and wreak havoc on that user’s laptop, or worse, steal personal or company private information.


It’s not always easy to tell whether a particular file or email is infected with a worm or virus. Similarly, it’s not always possible to know whether a particular program includes malware. The next endpoint integrity measure can allow you to run a suspicious program or open an untrusted Web page while minimizing the chances that the virus, worm, or malware will infect the endpoint device.

Further Reading

As with antivirus software, many vendors offer personal firewall solutions. For more information, you can visit vendor Web sites or see http://en.wikipedia.org/wiki/Personal_firewall.


Sandboxes

Another way to protect network endpoints from attacks that use seemingly legitimate traffic is by using a sandbox. A sandbox is a highly restricted environment in which you can run untrusted files.

Sandboxes were originally used by software developers to test projects that were in progress without actually putting the device at risk. New code is often unstable and may have unexpected results: sandboxes allowed the software developers to see where the code was unstable or to observe the unexpected results without worrying about the potential damage.

Because sandboxes allow potentially damaging programs to be run in a restricted environment, they can also be used to run programs that may have malicious code while preventing them from attacking or harming the endpoint device.


There are two types of sandboxes:

Emulators—An emulator simulates a normal OS work environment while acting as an intermediary between the untrusted program and OS resources. Programs running in this virtual environment have very limited access to device resources and have no direct access to the OS.

Jails—A jail works by imposing device resource restrictions without completely isolating the untrusted content from the OS. A jail often consists of a file system that has severe limits on CPU time, RAM, shared memory, and bandwidth. The untrusted content is placed in this highly restricted file system before it is executed.
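The resource limits a jail imposes, as an added example that is not part of the ProCurve module and not the Norman or Virtual Sandbox products named below: a Python script written for this page that runs three constructed "untrusted" programs as child processes under a CPU-time cap and an address-space cap, using the Unix `resource` module (this does not run on Windows). The limit values and the untrusted snippets are assumptions chosen for the demonstration. Resource limits alone bound how much CPU and RAM the content can consume; the file-system restriction the module also describes needs a separate mechanism (a chroot or a namespace), which this example does not attempt.

```python
import resource
import subprocess
import sys

# Constructed "untrusted" programs: one behaves, one tries to grab 4 GiB of
# memory, one spins forever. None touches the host beyond its own process.
UNTRUSTED = {
    "benign": "print('hello from the jail')",
    "memory_hog": "x = bytearray(4 * 1024 * 1024 * 1024)",
    "cpu_hog": "while True:\n    pass",
}


def _apply_limits(cpu_seconds, max_bytes):
    """Return a function that runs in the child just before exec and caps its
    CPU time and address space. Exceeding RLIMIT_CPU delivers SIGXCPU, whose
    default action terminates the child; an allocation past RLIMIT_AS fails,
    which Python surfaces as a MemoryError and a non-zero exit."""
    def limiter():
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))
        resource.setrlimit(resource.RLIMIT_AS, (max_bytes, max_bytes))
    return limiter


def run_jailed(code, cpu_seconds=1, max_bytes=1024 * 1024 * 1024, wall_timeout=30):
    """Execute untrusted Python source in a resource-limited child and return
    its exit status: 0 means it ran to completion, a positive value means it
    failed, a negative value is the number of the signal that killed it, and
    None means the wall-clock failsafe had to step in."""
    try:
        proc = subprocess.run(
            [sys.executable, "-c", code],
            preexec_fn=_apply_limits(cpu_seconds, max_bytes),
            capture_output=True,
            timeout=wall_timeout,
        )
    except subprocess.TimeoutExpired:
        return None
    return proc.returncode


def run_all(programs=UNTRUSTED):
    """Run every constructed program under the same limits."""
    return {name: run_jailed(src) for name, src in programs.items()}


if __name__ == "__main__":
    for name, status in run_all().items():
        print(f"{name}: exit status {status}")
```

The wall-clock `timeout` is deliberate: a CPU-time limit does not stop a child that sleeps or blocks, so a jail that only sets rlimits still needs an outer deadline.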

Sandboxes can work for many types of files. For example, you probably already have sandboxes for Java and Flash installed on your home computer: many Web browsers run all Java applets in a sandbox, and Flash Player runs Flash presentations, by default, in a virtual environment. To protect network endpoints from infection from non-Flash- or Java-based files, you can use sandbox software such as Norman Sandbox or Virtual Sandbox.

Not only do sandboxes provide a protected environment in which to run suspect files and programs, but for experienced network administrators sandboxes can provide valuable information on how a network attack is perpetrated. A sandbox allows a network administrator to analyze virus code, worm code, or malware code within the virtual environment. Understanding how the code works helps the administrator to improve network security.

Sandboxes, antivirus software, and personal firewalls can all help to protect the endpoint device and the network from vulnerabilities that arise from file transfers over the Internet. The next endpoint security measure, however, helps to close vulnerabilities introduced by faulty software already operating on the endpoint devices themselves.

Further Reading

For more information on sandboxes, see http://en.wikipedia.org/wiki/Sandbox_%28computer_security%29.


Software Patches

New software is sometimes released before the implications of a feature or seemingly harmless bug are fully understood. Security vulnerabilities inherent in the software application may be discovered well after the software has been released and distributed.

After the software flaw is discovered, the software developers will usually write and distribute new code to cover the faulty code. This new code, called a “patch” or a “software update,” allows end users to plug the vulnerability hole.

In some cases, however, software patches may be very poorly written and can create more problems than they solve. For example, a software patch may plug a security hole, but cause the program to become unstable or conflict with other software. Despite this problem, it is important to download and maintain the most current patches on all endpoint devices.

When a security vulnerability is discovered by a software user, that user can report the problem to the software maker. However, the user might also publish the vulnerability on the Internet. Attackers then write and distribute programs, such as worms, that take advantage of the vulnerability. Often a vulnerability is made public within a few days of (or in some cases, prior to) the software maker becoming aware of the problem. Many worms that exploit a software vulnerability to infect endpoint devices continue to spread and successfully attack simply because the most recent patches have not been installed.


Patches are easy to download and install, but installing patches on every vulnerable endpoint device can quickly become a management nightmare. One way to ease software patch deployment and ensure endpoint security is through network management.

Further Reading

For more information on software patches and computer security, see http://en.wikipedia.org/wiki/Software_patch. Visit http://www.softwarepatch.com/ for information on available software patches and upgrades.


Web Browser Security

Web browser caches and HTTP cookies reduce the amount of information that must travel over the Internet. This, in turn, speeds up Web page displays and Internet access. However, the information stored in endpoint devices’ caches and cookies can be used by an attacker to retrieve private information.

Caching

Caching is a data management technique for storing copies of frequently accessed data in an easily accessible area and thus significantly reducing the amount of data that has to be retransmitted or re-accessed to run an operation.

For example, a person living in a gated community must know his or her personal combination to open the gate and enter the community. There are a couple of ways that the person can manage the personal access code: he can memorize the code so that he can quickly enter it when needed, or he can spend the time and effort of stopping at the guard gate and requesting the code every time he wants to enter the community. Similarly, caching allows devices to readily store frequently accessed data rather than repeatedly requesting it every time it is needed.


The Web browser cache is a file that stores information regarding recently accessed graphics, sounds, and URLs. The cache allows a browser to quickly display a recently visited Web page without having to reload it from the Web server. However, when accessed by an attacker, a cache can reveal sensitive information. For example, any personal or sensitive information that has been sent over an Internet connection may be stored in the Web cache. This data is available to an attacker with unauthorized access to the device, either through physical access or through spyware programs. Additionally, data that may have been encrypted before being forwarded through the Internet is often stored as plaintext in the Web browser cache. To protect sensitive or personal data that has been sent over the Internet from being compromised, you should routinely clear Web browser caches.

Cookies

Cookies are little bits of data that act as an identifier between a Web browser and a Web server. Cookies are created by and sent from a Web server to the Web browser. The Web browser stores the cookie and sends it back unchanged to the server the next time that Web site is visited. The cookie contains personalized information, such as Web page display and other browser preferences, the site shopping cart contents, successful login verification, and so on. Unique cookie content allows a Web server to customize the Web page for each client. However, because each Web page has a separate cookie, an attacker can see what Web sites you have visited—and over time track your browsing behavior—by looking at the cookies stored in your Web browser. Additionally, cookies may include personal information that has been given to a Web site.

To protect personal and Web browsing information, most browsers allow users to manage cookies by specifying which cookies are trusted and setting the browser to routinely delete all other cookies. However, deleting certain cookies makes some Web sites unusable.
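The cookie exchange and the trusted-site cleanup described above, as an added example that is not part of the ProCurve module and not any browser's code: a Python model written for this page of the browser side of the exchange. It accepts Set-Cookie headers from a server, stores the cookies per site, returns them unchanged in a Cookie header on the next visit, shows what an observer with access to the stored cookies learns (the list of visited sites), and deletes every cookie that does not belong to a trusted site. The host names, cookie names and values are constructed for the example.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


class CookieStore:
    """Browser-side cookie storage: receive, return unchanged, purge."""

    def __init__(self, trusted_sites=()):
        self.trusted = set(trusted_sites)
        self.jar = {}  # site -> {cookie name: value}

    def receive(self, url, set_cookie_headers):
        """Store the cookies a server sent in its Set-Cookie headers."""
        site = urlsplit(url).hostname
        parsed = SimpleCookie()
        for header in set_cookie_headers:
            parsed.load(header)
        store = self.jar.setdefault(site, {})
        for name, morsel in parsed.items():
            store[name] = morsel.value

    def cookie_header(self, url):
        """The Cookie header the browser sends back on the next visit."""
        site = urlsplit(url).hostname
        stored = self.jar.get(site, {})
        return "; ".join(f"{k}={v}" for k, v in sorted(stored.items()))

    def visited_sites(self):
        """What anyone who can read the jar learns: which sites were visited."""
        return sorted(self.jar)

    def purge_untrusted(self):
        """Routine cleanup: drop every cookie not set by a trusted site."""
        removed = sorted(s for s in self.jar if s not in self.trusted)
        for site in removed:
            del self.jar[site]
        return removed


def demo():
    """Constructed exchange: a shop the user trusts and a tracking host."""
    store = CookieStore(trusted_sites={"shop.example.test"})
    store.receive("https://shop.example.test/cart",
                  ["cart=item42; Path=/; Secure; HttpOnly",
                   "prefs=lang%3Den; Path=/"])
    store.receive("https://ads.example.test/pixel", ["uid=9f2a; Path=/"])
    before = store.visited_sites()
    removed = store.purge_untrusted()
    return (before, removed,
            store.cookie_header("https://shop.example.test/checkout"),
            store.cookie_header("https://ads.example.test/"))


if __name__ == "__main__":
    print(demo())
```

The purge only protects the cookie jar; the page cache described above is a separate store and has to be cleared separately.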

Further Reading

For specific instructions on how to clear a Web cache or manage cookies, see http://www.pcworld.com/article/106715-1/article.html, or visit vendor Web sites:

• http://www.microsoft.com/windows/ie/ie7/privacy/ieprivacy_pr7.mspx

• http://www.mozilla.org/projects/security/pki/psm/help_20/using_priv_help.html

• http://browser.netscape.com/ns8/help/options-privacy.jsp#cookie_settings


Security Compliance Monitoring

It is one thing to create a security policy that requires all network endpoints to use antivirus software, personal firewalls, and current patches, and quite another to verify that each endpoint actually complies with this policy. By monitoring and tracking endpoint software, behavior, and network usage, network security compliance solutions can pinpoint security problems and ensure that endpoints meet requirements. In some cases, these solutions can also distribute such software from a central network location, further reducing the manpower required to manage and maintain endpoint security.

A network that attempts to control endpoints’ compliance can be compared to a government attempting to inoculate its population against various diseases. Just as inoculating a single individual protects not just that individual from a disease but those who might catch the disease from him, ensuring that an endpoint has the correct patches and antivirus software protects both the endpoint and the network. Network security compliance solutions are the means by which a network ensures endpoints do not “spread disease.”

Network security compliance solutions include:

Monitoring and configuration solutions—These solutions monitor endpoints to ensure that they comply with network security policies. Some solutions simply report on endpoints’ compliance, but the best solutions now prohibit non-compliant endpoints from connecting to the network. For example, an endpoint might be scanned when it sends a Dynamic Host Configuration Protocol (DHCP) request, something almost all connected devices do immediately on booting. Or the solution might function with 802.1X authentication, controlling the access of authenticated endpoints according to their compliance with network security policies.

Some solutions continue to monitor and verify endpoint security throughout the connection, tracking information such as endpoints’ bandwidth and application usage. This information can be used to trend normal network usage or pinpoint security problems.

Antivirus update and patch management solutions—These solutions deploy patches and virus file updates from a remote, central location, helping endpoints that failed the compliance test meet the requirements.

Network security compliance solutions have three components: the management server, managed devices, and agents.

Management server—The management server is a central server that stores and analyzes information received from endpoint devices. This information is used to verify that endpoints comply with security policies, to monitor network usage, and to detect attacks. In some solutions, software patches, virus definition file updates, and configuration changes can also be quickly deployed from the management server to endpoint devices.

Managed devices—These are network endpoint devices that are managed or monitored by the management server. Even devices foreign to the network can become managed devices. In fact, some solutions are specifically geared to managing devices that are introduced by guests or are otherwise out of your control.

Agent—An agent is an application on the managed devices. The agent acts as the management server’s intermediary, reporting information on the managed device’s network usage and activity and executing configuration and software changes on behalf of the management server. Like doctors, who are specially trained to check patients’ medical records and administer inoculations, agents are specifically designed to help endpoints prove that they comply with security policies (and if necessary to help them comply).

While all compliance solutions require some sort of agent, the type and capabilities of agents vary. Some agents passively monitor the endpoint and report to the management server. Other agents are able to record and analyze endpoint behavior, discard false positives, generate alerts when warranted, and even make configuration changes.
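The connection-time compliance check and the remediation push, as an added example that is not part of the ProCurve module and not any vendor's product: a Python script written for this page in which an agent's posture report is evaluated by the management server's policy, a non-compliant endpoint is held for remediation (definitions, patches and firewall pushed from the server), and the endpoint is admitted only once it passes, while a device the server cannot bring into compliance remotely is denied. The policy fields, patch-level numbers, dates and device names are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed policy of the kind a management server stores.
POLICY = {
    "max_definition_age_days": 7,
    "required_patch_level": 12,   # assumed monotonically increasing baseline
    "firewall_required": True,
}

TODAY = date(2024, 1, 15)         # constructed evaluation date


@dataclass
class PostureReport:
    """What an agent reports for its managed device (constructed fields)."""
    device: str
    antivirus_installed: bool
    definitions_date: date
    patch_level: int
    firewall_enabled: bool


def evaluate_posture(report, policy, today):
    """Management-server side of the check run at connection time
    (on the DHCP request or during 802.1X authentication).
    Returns (decision, failures): 'allow' when compliant, else 'remediate'."""
    failures = []
    if not report.antivirus_installed:
        failures.append("antivirus missing")
    elif (today - report.definitions_date).days > policy["max_definition_age_days"]:
        failures.append("virus definitions out of date")
    if report.patch_level < policy["required_patch_level"]:
        failures.append("patch level too low")
    if policy["firewall_required"] and not report.firewall_enabled:
        failures.append("personal firewall disabled")
    return ("allow" if not failures else "remediate"), failures


def remediate(report, policy, today):
    """Simulated push from the management server through the agent; the
    agent applies each change and the report reflects the new state."""
    steps = []
    if report.antivirus_installed and \
            (today - report.definitions_date).days > policy["max_definition_age_days"]:
        report.definitions_date = today
        steps.append("pushed virus definitions")
    if report.patch_level < policy["required_patch_level"]:
        report.patch_level = policy["required_patch_level"]
        steps.append("pushed patches")
    if policy["firewall_required"] and not report.firewall_enabled:
        report.firewall_enabled = True
        steps.append("enabled personal firewall")
    return steps


def admit(report, policy, today):
    """Full connection-time flow. Returns (final decision, failures found on
    first check, remediation steps taken). A device that still fails after
    remediation (no antivirus at all, for example) is denied."""
    decision, failures = evaluate_posture(report, policy, today)
    steps = []
    if decision == "remediate":
        steps = remediate(report, policy, today)
        decision, remaining = evaluate_posture(report, policy, today)
        if remaining:
            decision = "deny"
    return decision, failures, steps


def sample_reports():
    """Constructed agent reports: compliant, stale, and an unmanaged guest."""
    return {
        "compliant": PostureReport("laptop-01", True, date(2024, 1, 14), 12, True),
        "stale": PostureReport("laptop-02", True, date(2023, 12, 20), 10, False),
        "guest": PostureReport("guest-77", False, date(2000, 1, 1), 0, False),
    }


if __name__ == "__main__":
    for name, report in sample_reports().items():
        print(name, admit(report, POLICY, TODAY))
```

The re-evaluation after remediation is the step that matters: the decision is based on what the agent reports after the push, not on the assumption that the push succeeded.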

Compliance solutions come in two flavors: agent-based and agentless. The next section of this module will discuss the benefits and drawbacks of these types of solutions.


Agent-based Solutions: Permanent

All monitoring and management solutions require agents, but they differ in the type of agent they use and the way in which that agent is installed on the endpoint.

Perhaps the most straightforward approach for deploying agents is to manually install on each managed device the software application specific to your network security compliance solution. Solutions that use this approach are considered permanent agent-based solutions.

Permanent agent-based solutions have several benefits:

Reduced network bandwidth usage—Permanent agents can generate and send alerts only when there is a problem, or they can send information to the management server when requested.

Robustness—Permanent agents run independently from the management server and can continue to monitor and manage a device even in the event of a network outage.

Control—Permanent agents can often automatically correct configuration problems.

These permanent agent-based solutions provide good management and monitoring solutions that can help establish and maintain endpoint security. However, there are some drawbacks to using software-based agents:

Cost—Many vendors require you to purchase licenses for the agents that you install on your network. This can become very costly for large networks.

Deployment—Software-based agents must be installed on each managed network device. These installations take time and IT resources.

Some vendors offer lightweight compliance solutions to overcome these problems. The next two slides discuss these types of solutions.

Agent-based Solutions: Transient

Manually installing the agent permanently on every endpoint is not always feasible, particularly for companies that must accommodate guests that bring their own devices. With a permanent agent-based solution, those endpoints unable to prove their compliance are unilaterally denied network access (or at best are given extremely limited access).

Returning to the analogy of inoculations should clarify the problem. Often a government requires citizens to prove they have received their inoculations before they can receive certain services such as admission to a public school. However, some people cannot afford to visit a private doctor (just as some endpoints do not have installed agents). Therefore, the government might offer a free clinic at which citizens can see a doctor for the specific purpose of receiving the necessary shots.

Similarly, some solutions offer a modified agent-based solution that relies on a transient agent. This agent is installed on endpoints only for the duration of the compliance scan, which usually occurs when the endpoint first connects. The endpoint downloads the transient agent, an executable program, which begins working with the management server to complete the compliance scan. When the scan is finished and the endpoint is declared compliant or non-compliant, the agent is erased from the endpoint. For this reason, transient agents are sometimes called disposable agents.

For example, your company uses Web authentication (Web-Auth) to control the complimentary network access it offers guests. Before prompting a user to enter his username and password, the system directs him to a link where he can download the agent that helps scan his device for compliance.

Transient agent-based solutions have several benefits:

Ease of deployment—Time and resources are saved because the solution itself manages the installation of the transient agent.

Control—Like a permanent agent, a transient agent is designed to work with your network compliance solution, so it may be able to help the endpoint fix problems as specified by that solution.

But transient agent-based solutions are not without drawbacks:

Time to connect—Installing permanent agents on every endpoint may be time consuming, but it is a one-time affair for each individual endpoint. With transient agents, users must always wait for the agent to download before they can connect to the network.

Imperfect deployment—Some endpoints still might fail to receive the agent either because the user refuses the download or because the endpoint’s security policies prohibit downloading executable files.

Note Some vendors call their transient agent-based solutions “agentless” solutions because you do not have to install software manually on every station. However, the solutions do require an agent, albeit one that deploys automatically.

Agentless Solutions

In an attempt to further simplify network monitoring and management implementation, vendors began to create and market truly agentless solutions.

Agentless solutions use management interfaces that are already available on the device, such as Windows Management Instrumentation (WMI) and the Simple Network Management Protocol (SNMP), to provide the agent functions.

Agentless solutions have several benefits:

Ease of deployment—Time and resources are saved because agentless solutions do not require the installation of a separate software program on each endpoint. You don’t have to train users to set up endpoints for management: in most cases, the native applications that provide agent functions are already active.

Cost—Agentless solutions are generally less expensive than agent-based solutions: agentless monitoring does not require the purchase of agent software or licenses, and the vendor's own price for the solution is usually lower.

Problems include:

Drain on network bandwidth—Communication and information gathering between the managed device and the management server occurs through device polling and SNMP traffic. Because all information from every managed device must be collected by a management server, agentless solutions can occupy a great deal of bandwidth and cause traffic choke points at the management server.

Decreased security—Many agentless solutions use SNMP as a method to report and collect information about managed devices. This leaves the managed devices vulnerable to security issues raised by SNMP and the additional open TCP/UDP ports.

Limited problem management—If a problem is discovered, agents can usually implement an automatic configuration change, or changes can be passed down from the management server. Agentless solutions, on the other hand, are unable to make automatic or remote configuration changes. However, users can still be directed toward resources that help them to solve the problem.

An agentless solution can be compared to a government that consolidates medical records with other commonly carried documents. When necessary, a citizen can prove that she has received mandatory inoculations without the hassle of visiting the doctor. However, should she find that she does not have the required inoculations, she has fewer options for receiving them.

Combined Solutions

Agentless solutions can work well on devices that do not allow the installation of software-based agents or on devices that only need to be monitored. Agent-based solutions are necessary for devices that need robust monitoring and management. For the best of both worlds, some vendors are now offering solutions that combine several types of agents. Combined solutions support the robustness of permanent agent-based monitoring with the ease of deployment and smaller expense of transient agent-based and agentless monitoring.

For example, network administrators might install software-based agents on devices that require high availability and robust management, but use an agentless approach for endpoint devices that need only monitoring or patch and update management.

Some network compliance solutions automatically determine the best type of monitoring for a particular endpoint based on configurable policies. For example, the solution might automatically apply agentless monitoring to all endpoints with the necessary native capabilities. Network administrators install permanent agent software on older devices for which this approach fails. Finally, transient agents deploy to endpoints missed by both of these methods.

Combined solutions mitigate the cost and deployment time of agent-based solutions as well as the management shortfalls of agentless solutions. They also maximize the opportunity for all endpoints to prove their compliance with security policies—or, if necessary, to improve their compliance.

Trusted Network Connect (TNC)

To this point, the discussion of network security compliance solutions has focused on testing for compliance. But tests mean little unless their results affect the level of access an endpoint is granted.

Some security solutions force endpoints to download patches and antivirus software when they connect to the network, but these solutions are implemented on the endpoint itself. Abdicating control to the endpoint clearly causes problems: an endpoint without the appropriate software connects to your network freely, and yet this is the very type of device you want to control. It is far better to integrate compliance scans into a network-based access control solution (such as those discussed in Module 4—Layer 1: Network Access Control Security), preventing unprotected endpoints from ever connecting to your network.

Trusted Network Connect (TNC) is a security standard developed by the Trusted Computing Group (TCG) to integrate compliance testing with network access control solutions. In other words, in order to receive network access rights, an endpoint must prove its integrity in addition to its identity.

Because TNC defines open standards that any vendor can implement, conforming to TNC means you need worry much less about whether your compliance solution integrates with the software on your endpoints and with your network access control solution.

TNC defines standards for:

Completing scans and checking the results against a network policy—Integrity Measurement Collectors (IMCs) reside on the endpoint and scan for particular security features: for example, the most recent OS patch, the antivirus signature file, and a working firewall. The TNC client (TNCC) distills information from the IMCs, passing it on to the TNC server. Integrity Measurement Verifiers (IMVs) reside on the server and match the information submitted by the TNCC against your network’s security policies.

Controlling network access based on the result of the scan—TNC defines several standards for integrating compliance-based access decisions with existing access control technologies.

At a high level, TNC manages this general process:

1. The endpoint connects to the network edge device, called a Policy Enforcement Point (PEP) in the TNC standard, and the PEP forces the endpoint to authenticate. The PEP might be a virtual private network (VPN) gateway, an 802.1X authenticator, or another device that enforces network access control. (See Module 4—Layer 1: Network Access Control Security.)

2. TNC inserts layers into the network access control technology for checking the endpoint’s integrity.

For example, 802.1X traditionally consists of an authentication layer under an access control layer: the state of the port (activated or deactivated) depends entirely on the endpoint’s authentication state. With TNC, the state of the port depends on both the endpoint’s authentication state and its compliance with network policies.

a. The endpoint is first authenticated with one of the many protocols supported by TNC.

b. Next, the endpoint’s compliance is checked. The server requests certain checks, and the client submits information collected by IMCs.

3. Using its IMVs, the server comes to a verdict about whether the endpoint complies and grants network rights accordingly.
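The collector/verifier exchange described above, as an added example that is not code from the ProCurve course or from the TCG's TNC specifications: three simulated IMCs measure the features the module lists (OS patch level, antivirus signature date, firewall state), a simulated TNCC bundles them, and three IMVs on the server check them against a constructed policy and reach a verdict. The message layout, the policy thresholds, the sample endpoints and the fixed assessment date are all assumptions made for this example; the real TNC interfaces define their own message formats, which are not reproduced here.

```python
"""Simulated Trusted Network Connect (TNC) integrity check.

Added example, not code from the ProCurve course or the TCG's TNC
specifications. Message layout, policy thresholds, sample endpoints and the
fixed assessment date are all constructed for illustration.
"""
from datetime import date

# Endpoint side: Integrity Measurement Collectors (IMCs) --------------------

def imc_os_patch(endpoint):
    """IMC reporting the most recent installed OS patch level."""
    return {"component": "os_patch", "level": endpoint["patch_level"]}

def imc_antivirus(endpoint):
    """IMC reporting the antivirus signature file date (ISO 8601)."""
    return {"component": "antivirus", "signature_date": endpoint["av_signature_date"]}

def imc_firewall(endpoint):
    """IMC reporting whether the host firewall is running."""
    return {"component": "firewall", "enabled": endpoint["firewall_enabled"]}

IMCS = (imc_os_patch, imc_antivirus, imc_firewall)

def tncc_collect(endpoint):
    """TNC client (TNCC): run every IMC and bundle the results for the server."""
    return {"endpoint_id": endpoint["id"],
            "measurements": [imc(endpoint) for imc in IMCS]}

# Server side: Integrity Measurement Verifiers (IMVs) and policy -------------

POLICY = {  # constructed thresholds standing in for a site security policy
    "os_patch": {"min_level": 12},
    "antivirus": {"max_signature_age_days": 7},
    "firewall": {"required": True},
}

def imv_os_patch(m, rule, today):
    ok = m["level"] >= rule["min_level"]
    return ok, f"patch level {m['level']}, minimum {rule['min_level']}"

def imv_antivirus(m, rule, today):
    age = (today - date.fromisoformat(m["signature_date"])).days
    ok = age <= rule["max_signature_age_days"]
    return ok, f"signatures {age} days old, maximum {rule['max_signature_age_days']}"

def imv_firewall(m, rule, today):
    ok = m["enabled"] or not rule["required"]
    return ok, "firewall " + ("enabled" if m["enabled"] else "disabled")

IMVS = {"os_patch": imv_os_patch, "antivirus": imv_antivirus, "firewall": imv_firewall}

def tncs_verify(report, policy=POLICY, today=date(2007, 6, 1)):
    """TNC server: dispatch each measurement to its IMV and reach a verdict.

    Fails closed: a policy component for which no measurement arrived counts
    as a failure, so an endpoint cannot pass by simply omitting a collector.
    Measurements for components outside the policy are ignored.
    """
    failures, seen = [], set()
    for m in report["measurements"]:
        comp = m["component"]
        if comp not in policy:
            continue
        seen.add(comp)
        ok, detail = IMVS[comp](m, policy[comp], today)
        if not ok:
            failures.append(f"{comp}: {detail}")
    for comp in policy:
        if comp not in seen:
            failures.append(f"{comp}: no measurement received")
    return {"endpoint_id": report["endpoint_id"],
            "compliant": not failures, "failures": failures}

def assess(endpoint):
    """Full exchange for one endpoint: TNCC collects, TNC server verifies."""
    return tncs_verify(tncc_collect(endpoint))

# Constructed sample endpoints: one compliant, one failing every check
COMPLIANT_HOST = {"id": "host-a", "patch_level": 14,
                  "av_signature_date": "2007-05-30", "firewall_enabled": True}
STALE_HOST = {"id": "host-b", "patch_level": 11,
              "av_signature_date": "2007-04-01", "firewall_enabled": False}

if __name__ == "__main__":
    for host in (COMPLIANT_HOST, STALE_HOST):
        print(assess(host))
```

The server-side verdict carries the per-check reasons rather than a bare pass/fail, which is what the remediation step later in this module needs in order to tell the user what to fix. Failing closed on a missing measurement matters in practice: an endpoint that cannot run a collector (or a user who disables one) should not be treated as compliant by default.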

The slide has described one standard for making network access hinge on compliance with security policies. Similar standards include:

Network Endpoint Assessment (NEA)—Developed by the Internet Engineering Task Force (IETF), NEA is a network access control solution that outlines a framework quite similar to TNC’s.

Network Access Protection (NAP)—Microsoft’s solution for integrating compliance checks with network access control, NAP is automatically installed with Windows Vista and the emerging Windows Server version.

The next slide will explain some of the actions both TNC and non-TNC solutions can take to deal with non-compliant endpoints.

Further Reading TCG is a group that includes over 50 of the networking industry’s leading companies. For more information on TCG and the companies involved, see http://www.trustedcomputinggroup.org. For more information specifically on TNC, see https://www.trustedcomputinggroup.org/groups/network/.

Dealing with Non-compliant Endpoints

When an endpoint fails to meet your company’s security policies, the network security compliance solution may dictate one of three possible responses:

Disconnect—Without the proper antivirus software and OS patches, the endpoint might open security holes in your network. The most secure response is to shut down the port through which the non-compliant device is trying to access the network. However, this can prevent important users from accessing network resources they might need. Rather than outright denying the endpoint access, you can specify that the network grant the non-compliant device limited access.

Quarantine—Because a non-compliant network device is a security risk, it is prudent to use virtual local area networks (VLANs) or other network segregating techniques when granting such a device limited network access. The VLAN should be highly restrictive: it should include severe rate-limiting and access control lists (ACLs) to prevent the non-compliant devices from having any contact with other devices on the network. Traditionally, while a quarantine VLAN prevented, for example, an endpoint infected with a worm from infecting fully compliant and trusted network devices, it did not prevent the infected endpoint from contaminating other devices on the quarantine VLAN. However, some solutions now place each quarantined device in its own isolated VLAN. In either case, a quarantine VLAN protects the network from a non-compliant device; it does not present such a device with the specific resources it needs to become compliant. (For more information on VLANs and ACLs, see Module 4—Layer 1: Network Access Control Security.)

Remediation—The third option is to quarantine the non-compliant device but also provide it with the resources it needs to become compliant. Ideally, the solution should inform the user how his or her device fails to comply with security policies and what he or she can do to remediate the problem—for example, users might be redirected to a network server from which their devices can download the software they need to become compliant. For the duration of this process, the endpoint is placed in a carefully controlled remediation VLAN, which typically allows access only to the Web sites or network servers with the necessary antivirus software and patches. (Depending on your solution, the remediation VLAN might also provide limited network access, such as to the Internet only.) Once the required software is installed, the endpoint can be granted greater access to the network (though access is still controlled by network policies).
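The three responses above, as an added example that is not code from the ProCurve course or from any vendor product: a configured response mode turns a compliance verdict into the action a Policy Enforcement Point applies to the endpoint's port, including the per-device VLAN isolation and the remediation-only ACL the text describes. The verdict layout, the VLAN numbers, the rate limit, the server addresses and the generic ACL notation are constructed assumptions; a real deployment would hand the decision to the switch or VPN gateway in that device's own terms (for example as RADIUS attributes returned to an 802.1X authenticator).

```python
"""Turning a compliance verdict into a Policy Enforcement Point (PEP) action.

Added example, not code from the ProCurve course or any vendor product. The
verdict layout, VLAN ids, rate limit, server addresses and the generic ACL
notation are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class EnforcementPolicy:
    response: str                      # "disconnect", "quarantine" or "remediate"
    production_vlan: int = 100         # constructed VLAN ids
    quarantine_vlan: int = 900
    remediation_vlan: int = 910
    isolate_each_device: bool = False  # one VLAN per quarantined device
    quarantine_rate_limit_kbps: int = 64
    # constructed addresses of the patch and antivirus update servers
    remediation_servers: tuple = ("10.0.50.10", "10.0.50.11")


def decide_access(verdict, policy, session_index=0):
    """Map a verdict (as produced by the compliance scan) to a PEP action.

    session_index numbers concurrent quarantined sessions so that, with
    per-device isolation, each one lands in a different VLAN.
    """
    if verdict["compliant"]:
        return {"action": "permit", "vlan": policy.production_vlan,
                "acl": ["permit ip any any"], "rate_limit_kbps": None, "message": None}

    why = "; ".join(verdict["failures"])

    if policy.response == "disconnect":
        # Most restrictive: the port stays down and the user gets nothing.
        return {"action": "deny", "vlan": None, "acl": [], "rate_limit_kbps": None,
                "message": f"Access denied, endpoint is not compliant: {why}"}

    if policy.response == "quarantine":
        # Segregate, rate-limit and block every other host. With per-device
        # isolation, infected endpoints cannot reach one another either.
        vlan = policy.quarantine_vlan
        if policy.isolate_each_device:
            vlan += session_index
        return {"action": "quarantine", "vlan": vlan, "acl": ["deny ip any any"],
                "rate_limit_kbps": policy.quarantine_rate_limit_kbps,
                "message": f"Quarantined, endpoint is not compliant: {why}"}

    if policy.response == "remediate":
        # Same segregation, but the update servers are reachable so the
        # endpoint can fetch what it needs; everything else stays blocked.
        acl = [f"permit ip any host {srv}" for srv in policy.remediation_servers]
        acl.append("deny ip any any")
        return {"action": "remediate", "vlan": policy.remediation_vlan, "acl": acl,
                "rate_limit_kbps": policy.quarantine_rate_limit_kbps,
                "message": f"Remediation required: {why}. Update servers: "
                           + ", ".join(policy.remediation_servers)}

    raise ValueError(f"unknown response mode {policy.response!r}")


# Constructed sample verdicts, in the shape a compliance scan would return
COMPLIANT = {"endpoint_id": "host-a", "compliant": True, "failures": []}
NONCOMPLIANT = {"endpoint_id": "host-b", "compliant": False,
                "failures": ["antivirus: signatures 61 days old, maximum 7"]}

if __name__ == "__main__":
    for mode in ("disconnect", "quarantine", "remediate"):
        print(mode, decide_access(NONCOMPLIANT, EnforcementPolicy(mode)))
```

The remediation ACL is deliberately a short allow-list ending in a deny: the remediation VLAN should expose only the update servers, and any wider access (such as Internet-only browsing, which the text notes some solutions allow) would be added as explicit permits, not by relaxing the final deny.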

Further Reading For more information on quarantine and remediation solutions, see vendor Web sites such as:
http://trial.patchlink.com/update.aspx
http://www.miragenetworks.com/products/quarantining.asp
http://www.stillsecure.com/safeaccess/index.php
Or you can see http://www.engr.sc.edu/its/ClientValidation/?c=4.

Summary

An understanding of endpoint vulnerabilities can help you protect your network from attacks that target endpoint devices or that use trusted endpoints to infiltrate a private network. This module introduced you to software solutions that allow you to reduce network vulnerabilities arising from endpoint devices, manage endpoint network intrusions, and monitor and implement endpoint security.

The next module will introduce you to comprehensive security solutions. These solutions can provide network security on more than one security layer.
