
Identity and Access Management Security School

Top Tactics for Endpoint Security

Ben Rothke, CISSP, CISM

searchsecurity.com/iamschool

Times have changed

Just 15 years ago, when you called and spoke to someone in area code 212, you could reasonably assume that the person was indeed in New York City. Today, when you call area code 212, the person might be in Manhattan, but could also be in Los Angeles, Moscow, Rio or anyplace in the world. Endpoints are clearly changing, both in the physical world and, as we will see, in the digital world.

Digital endpoint security

Within information security, the perimeter of old was simply a router or firewall.
Today, the endpoint is the perimeter.
In most organizations, with a laptop and DHCP, everyone gets in. At this point, there is no validation.

The old perimeter is dead

Network perimeter weakness:
Remote access, with 80% of enterprises using VPNs
Web-based extranet and partner connectivity
Your perimeter firewall simply is not enough
Some firewalls are so open that all they do is slow down traffic. In fact, in some organizations, it's hard to tell the difference between a firewall and a router.

Glass houses had no rogues

In the mainframe era of glass houses and dumb terminals, there were simply no rogue devices.
Networks were private, leased and closed.
Everything around the IBM mainframes was proprietary and closed.
Today, networks are made to be open.
Today, rogue devices are a bane.
And endpoint security is becoming a crucial aspect of an information security endeavor.

Security risks of rogue devices

The inability to control network admission exposes an organization to significant risk.
It can be accidental or malicious in nature.
It often leads to network downtime or exposure of sensitive information.
Therefore, only allow authorized devices onto the network.
With endpoint security, non-compliant endpoints attempt to connect but are first quarantined.
After inspection and remediation, only then are they admitted.
Your endpoints are now secure.

Definition

While there is no single universal definition for endpoint security, the general definition is: the use of a network access control system to restrict network access only to systems that demonstrate adherence to a pre-defined corporate security policy.

Why do we need endpoint security?

Viruses and worms continue to disrupt business
Zero-day attacks make reactive solutions less effective
Point technologies preserve host rather than network availability and enterprise resiliency
Non-compliant servers and desktops are difficult to detect and contain
Locating and isolating infected systems takes significant time and is extremely resource intensive
Users are often authenticated, but devices are not
Non-compliant/unmanaged devices pose an unacceptable risk: they are often the source of infection, and rogue assets are untracked and invisible
Device compliance is as important as user authentication

Where are the endpoint threats?

15 of innumerable threats:
Remote users
Mobile users
Regional, remote and branch offices
Non-compliant laptops
Wireless
Guests
Contractors
Interconnected networks
Distributed data
Business extranets
Remote access
Web services
Wireless
Mobile smart devices
VoIP phones
and many more

What are the endpoint threats?

Rogue wireless access
Keystroke loggers
Contractor with the latest worm or virus on their laptop
Kiosks
Backdoor listening for inbound connections
Spyware download via P2P
IM
and more

Origination points

Accessed by: employees, consultants, customers, trading partners
From: home office, hotel, branch office, client site, airport, conference, restaurant, home, trains, planes, automobiles
Using: laptops running Windows, Linux, Mac OS X; PDAs running PocketPC, Symbian or PalmOS; mobile phone; public kiosk
By: dial-up modem, hotel Ethernet, Wi-Fi, mobile carrier, cable modem, DSL
To connect with: email, Web-based intranet, terminal services, CRM, ERP, partner data

Contrast this with the old dumb terminals: one location, one hard connection.

Endpoint security benefits

Manage zero-day threats
Reduce incident response cost
Eliminate system downtime
Reduce hot fixes and patching
Lower recovery cost
Comply with regulatory requirements
Single solution, multiple security functions, low performance impact
Increased security of corporate resources
Ensures endpoints (laptops, PCs, PDAs, servers, etc.) conform to security policy
Proactively protects against worms, viruses, spyware and malware
Reduced risk of outbreak due to infected endpoints
Safe access to networks through VPN access
Controlled remediation and patching of unhealthy endpoints

Evolution of endpoint security

Today:
Static network access
Every device is permitted
Infected or unhealthy devices are frequently the root of an outbreak

Tomorrow:
Dynamic network access based on policies
Screen devices before granting access
Infected or unhealthy devices are treated separately

How do you start thinking about endpoint security?

Know what you want to inspect
Ensure you have policies in place
Risk assessment: define in detail what your risks are
Not all risks are created equal
Not all endpoints are created equal

Questions you need to ask

How do we enforce compliance with our security policies in order to provide a safe and secure network environment for everyone?
How do we identify unmanaged desktops to deliver our security message?
How do we ensure all types of users have adequate awareness and training on security issues?

Next steps

Assessment of endpoint security requirements and needs
Decision making based on policy compliance
Admission enforcement at the network infrastructure level
Quarantining/remediation of unhealthy devices

Determine the context of the endpoint device

Function
Location
Criticality
Compliance state

What are your minimums?



Define and evaluate what is necessary
What is to be allowed?
Obligatory compliance of all desktops with the minimum corporate security policy
Define minimum desktop requirements:
Current OS patches
Latest Web browser
Latest AV signatures and definitions
Up-to-date personal firewall
Latest spyware signatures and definitions
Other security configurations

Strategic endpoint security

Effective endpoint security requires a strategic approach that understands the need to optimize connectivity while also ensuring protection for all critical resources.
This is not a trivial task. Endpoint security is not plug and play.

Converged devices

Devices such as notebooks, tablet PCs, PDAs, smartphones and other types of mobile devices also need to be secured.
They have increasing storage and performance capabilities.
They travel outside the bounds of physical and logical perimeters, and they aren't connected to the network at all times.
These devices enter and leave your network many times over the course of the year. That leaves myriad opportunities to return with malware.

Converged devices
The Bad: These devices present a significant potential for financial loss, legal liability and brand damage, since they are unprotected.
The Ugly: Many organizations have no idea whether these devices are connected to their network or how many are connected.
The Good: Endpoint security can offer protection against the threats that converged devices bring.

Non-corporate owned devices

Consultants, contractors, hackers, employees and more will attempt to connect their own devices to the corporate network.
Be it a corporate-owned device or a privately-owned endpoint, they all must be controlled before being given access to the network.

Legal issues

There may be regulatory and legal issues that have a local impact.
Your organization must be aware of them and fully comply with them.
If the logs are going to be used as evidence, they must be appropriately secured.
Get legal counsel involved.

Basic endpoint security recommendations

An unsecured endpoint must not be allowed to connect to the network if doing so inappropriately increases the risk to the organization.
Management must identify the state of the endpoints before they are allowed access to internal networks.
The CISO must be able to provide a level of assurance to management that information will be protected when it reaches the endpoint.
Remediation plans must be created for remote endpoints.

Endpoint security is not a silver bullet

While endpoint security is a hot topic with myriad hardware and software solutions, the reality is that:
There are no standards
Many current solutions are proprietary
It is still somewhat of an immature solution
There are not a lot of experts in the field
Solutions are costly and complex to implement

The Big 3 Endpoint Security Solutions

Cisco Network Admission Control (NAC)
Microsoft Network Access Protection (NAP)
TCG Trusted Network Connect (TNC)

Other vendors in the space

Check Point, Endforce, StillSecure, Symantec, Juniper, Configuresoft, Lockdown Networks, eEye, Qualys, Funk, 3Com, Altiris, ISS, Citrix, ConSentry, Vernier, Senforce, McAfee, Forescout, InfoExpress, Intel and many more.

Commonalities

All of the solutions are basically attempting to perform the same task.
They all use routers, switches, wireless access points, software and security appliances to enforce endpoint security:
Security credentials are required from endpoint devices and relayed to a policy server
Policy servers evaluate the credentials and make an admission control policy decision (permit, deny, quarantine or restrict)
The network access device enforces the admission control policy decision
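A worked illustration of the policy-server decision described above, which also applies the minimum desktop requirements from the "What are your minimums?" slide. This is an added example, not code from the slides or from any of the vendor products named: the posture fields, the baseline values, the managed/zone context and the sample endpoints are all constructed for illustration.

```python
from dataclasses import dataclass

# Minimum desktop requirements (the "What are your minimums?" slide) expressed
# as a baseline. Values are constructed for illustration, not vendor defaults.
BASELINE = {
    "min_os_patch_level": 20,      # constructed integer patch level
    "max_signature_age_days": 7,   # AV/anti-spyware signatures older than this are stale
}

@dataclass
class Posture:
    """Constructed posture report, as an agent or scanner would relay it."""
    device_id: str
    authenticated: bool            # device (not just user) authentication succeeded
    managed: bool                  # corporate-managed vs guest/contractor device
    os_patch_level: int
    av_signature_age_days: int
    antispyware_signature_age_days: int
    firewall_enabled: bool
    zone: str = "normal"           # context: "normal" or "critical" network zone

def failures(p: Posture) -> list[str]:
    """Return the baseline checks this endpoint fails (empty list = compliant)."""
    bad = []
    if p.os_patch_level < BASELINE["min_os_patch_level"]:
        bad.append("os_patches")
    if p.av_signature_age_days > BASELINE["max_signature_age_days"]:
        bad.append("av_signatures")
    if p.antispyware_signature_age_days > BASELINE["max_signature_age_days"]:
        bad.append("antispyware_signatures")
    if not p.firewall_enabled:
        bad.append("personal_firewall")
    return bad

def decide(p: Posture) -> tuple[str, list[str]]:
    """Policy-server decision: permit, restrict, quarantine or deny."""
    if not p.authenticated:
        return "deny", ["device_authentication"]   # unknown/rogue device
    bad = failures(p)
    if not bad:
        return "permit", []
    if not p.managed:
        # Patches cannot be pushed to a device we do not manage: confine it to a
        # restricted guest segment, or in a critical zone keep it off entirely.
        return ("deny" if p.zone == "critical" else "restrict"), bad
    # Managed device: park it in a remediation VLAN, push fixes, then re-check.
    return "quarantine", bad
```

The network access device would then map the returned decision to a VLAN or ACL, and a quarantined device is re-evaluated after remediation.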

Commonality Policy Server

The policy server is generally a RADIUS, Kerberos or 802.1x system. It is the central point for establishing network access policies and the primary mechanism for the endpoint security workflow.
The policy server decides whether to allow an endpoint onto the network based on input from the baseline of the device.
The server interfaces with other security configuration management functions that hold information such as OS updates, AV, patches, etc.

Cisco NAC

API-level enforcement and quarantine technology being built into Cisco network infrastructure
Viable product in production
Multiple vendors in program
NAC focuses on network infrastructure, policy definition and management
Built on a foundation of installed Cisco devices

Cisco NAC

NAC works via trusted modules that are installed on Windows and Linux desktops (Cisco Trust Agent, CTA) and implemented in Cisco routers and switches.
The CTA gathers device information and passes it via 802.1x to the Cisco Secure Access Control Server (ACS).
The ACS communicates with the policy server to determine compliance and enforces network access via the Cisco switching infrastructure.

Cisco NAC

NAC requires a Cisco infrastructure running a current version of IOS, 12.3(8)T or later.
For enterprises running legacy Cisco devices, this will require an expensive hardware upgrade.
For enterprises running older versions of IOS, this will require plans to upgrade.

Cisco NAC

Benefits:
Shipping now
Somewhat mature
Many deployments
Supports Linux clients

Disadvantages:
Proprietary solution
Full solution works only with Cisco switch-based 802.1x equipment and authentication server
Significant IOS upgrade may be required
Requires software agent

Microsoft NAP

Health assessment of host device
API-level enforcement and quarantine technology via the Windows OS
Available in Vista
Multiple vendors in program and announcing support
Built on a Windows foundation and uses the Windows Quarantine Agent (QA)

Microsoft NAP

The QA gathers device information and passes it to the Microsoft Network Policy Server (NPS).
The NPS works with other devices (DHCP, IPsec, VPN, 802.1x and more) for policy compliance.
Only supported in Vista and Windows XP SP2.

Microsoft NAP
Benefits:
Single policy solution for Windows devices
Supported by many vendors

Disadvantages:
Still in beta development
Only Vista and XP support
No Linux support
No large scale deployments to date

Trusted Computing Group

Creating the TNC (Trusted Network Connect) standard
Multiple API-level interfaces
Broad approach to endpoint security
Still in early stage of development
Built on the assumption that every device has a specialized piece of hardware to verify that the endpoint has not been compromised
Uses that hardware to monitor and enforce endpoint policies

Trusted Network Connect

Trusted Network Connect is a set of open standards.
Its mission is to develop and promote an open, vendor-neutral, industry standard specification for trusted computing building blocks and software interfaces across multiple platforms.
Not all of the standards have been fully defined.
Little product support to date.
Key components of TNC are a RADIUS server and 802.1x authentication servers, in addition to a trusted hardware chip (TPM) and software on the endpoint device.

Trusted Network Connect

The TPM (Trusted Platform Module) is used to authenticate the endpoint device.
Once authenticated, the TPM passes control to a software agent, which checks the device for compliance.

Trusted Network Connect


Benefits:
Provides security at the hardware level
Broad architecture
Wide support from laptop and other hardware vendors

Disadvantages:
Requires specialized TPM hardware
Standards are incomplete
Few major rollouts

Client-based solutions
Advantages:
Local access to suspect resources
Can perform a much deeper scan of the device
Piggyback on local processing power
Generally the best solution for managed PCs on a LAN or wireless LAN, or an IPsec VPN or dial-in remote access server

Disadvantages:
Another piece of software to install and manage
Inherent trust problem with the suspect device validating itself
Can possibly be deleted or disabled by an end user or administrator

Client-free solutions
Advantages:
Policy and trust mechanisms in the network rather than on the client
Piggybacks on Windows management mechanisms for remote access to local resource information
Doesn't require more client software to install and manage

Disadvantages:
Requires some form of managed desktops
Assumes new networking intelligence installed in the infrastructure

Universal product requirements

Ability to define a granular set of security policies
Your organization may have many different policy requirements. The product must support any number and variety of policies.
Ability to detect every device connecting to the network
Ensure that it can detect any device, regardless of its hardware manufacturer or software creator.

Universal product requirements

Assess the device's level of compliance
Scan must take place before network access
Must support post-admission checks (Web browser, client software, etc.)
Complete quarantining of device
Enforce policy
Remediate non-compliant devices
Ability to push signatures, patches, etc., so the system can be brought up to date

Conclusions

Endpoint security is a powerful technology whose time has come.
Don't underestimate the time and complexity it will take to deploy.
Make sure you define your specific needs and requirements and map those to your environment.
You will have to live with and support your decision, so make sure you make the right choice.

Also in this lesson
Podcast: Endpoint enforcement: Smart policies to control the endpoint explosion
Article: Keeping pace with emerging endpoint security technologies
