info sec2007 end point final

Session G7 How to Plan for and Use Endpoint Security

Upload: ben-rothke

Post on 18-Nov-2014


DESCRIPTION

Presentation from InfoSecWorld 2007 - How to Plan for and Use Endpoint Security by Ben Rothke

TRANSCRIPT

Page 1: Info Sec2007   End Point Final

Session G7: How to Plan for and Use Endpoint Security

Page 2: How to Plan for and Use Endpoint Security

Session E3
Ben Rothke, CISSP CISM
Wednesday, March 21, 2007
11:30 AM - 1:00 PM

Page 3: About Me

Ben Rothke, CISSP CISM

Senior Security Consultant – BT INS, Inc.

Previously with AXA Equitable, ThruPoint, Baltimore Technologies, Ernst & Young, Citibank.

Have worked in the information technology sector since 1988 and information security since 1994

Frequent writer and speaker

Author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill 2006)

Page 5: Key Takeaway Points

Endpoint security is a powerful technology

Don’t underestimate the time and complexity it will take to deploy

Define your specific needs and requirements

Page 6: Times have changed

A few years ago, when you called and spoke to someone in area code 212, you could reasonably assume that the person was indeed in New York City.

Today, when you call area code 212, the person might be in Manhattan, but can also be in Los Angeles, Moscow, Rio or anyplace in the world.

Endpoints are clearly changing, both in the physical world and in the digital world.

Page 7: Digital endpoint security

Perimeter of old was simply a router or firewall

Today, the endpoint is the perimeter
– In most organizations, with a laptop and DHCP, everyone gets in with zero validation.
– Old perimeter is dead

Network perimeter weakness
– Remote access with 80% of enterprises using VPNs
– Web-based extranet and partner connectivity
– Some firewalls are so open that all they do is simply slow down traffic.
– In some organizations, it's hard to tell the difference between a firewall and a router.

Page 8: Glass houses had no rogues

In the mainframe era of glass houses and dumb terminals, there were simply no rogue devices

Networks were private, leased and closed
– Everything around the IBM mainframes was proprietary and closed.

Today networks are made to be open

Today rogue devices are a bane

And endpoint security is becoming a crucial aspect of an information security endeavor.

Page 9: Security risks of rogue devices

The inability to control network admission exposes an organization to significant risk
– Can be accidental or malicious in nature
– Often leads to network downtime or exposure of sensitive information

Therefore, only allow authorized devices onto the network

With endpoint security, non-compliant endpoints attempt connection, but are first quarantined
– After inspection and remediation, only then are they admitted
– Endpoints are now starting to be secure

Page 10: Definition

While there is no single universal definition for endpoint security, a general definition is:

– Process of securing a host through a combination of policy management, configuration management, and desktop security software, such as anti-virus and anti-spyware.

– Sum total of the measures taken to implement security concerning endpoints.

– The use of a network access control system used to restrict network access only to systems that demonstrate adherence to a pre-defined corporate security policy

Page 11: Endpoint security vs. NAC

Endpoint security
– Securing the endpoint computing device

NAC
– Prevents unauthorized access to network resources
– Eliminates intrusions onto the network via worms, spyware, viruses, malware, etc.

Significant overlap between the two
– Industry and media are using them synonymously
– For the purposes of this talk, I will also

Page 12: Why do we need endpoint security?

Viruses and worms continue to disrupt business

Zero-day attacks make reactive solutions less effective

Point technologies preserve host rather than network availability and enterprise resiliency

Non-compliant servers and desktops are difficult to detect and contain

Locating and isolating infected systems takes significant time and is extremely resource intensive

Users are often authenticated, but devices are not

Non-compliant/unmanaged devices pose an unacceptable risk
– Often source of infection
– Rogue assets untracked, invisible

Device compliance is as important as user authentication

Page 13: Worldwide NAC enforcement device revenue (chart)

Source: Infonetics Research June 2006

Page 14: Endpoint threat sources

Remote users
Mobile users
Regional, remote and branch offices
Non-compliant laptops
Interconnected networks
Distributed data
Business extranets
Guests
Contractors
Remote access
Web services
Wireless
Mobile smart devices
VoIP phones
and many more…

Page 15: Endpoint threat activities

Rogue wireless access
Keystroke loggers
Contractor with latest worm or virus on their laptop
Kiosks
Backdoor listening for inbound connections
Spyware download via P2P
IM
and more…

Page 16: Origination points

Accessed by employees, consultants, customers, trading partners

From home office, hotel, branch office, client site, airport, conference, restaurant, home, trains, planes, automobiles

Using laptops running Windows, Linux, Mac OS/X; PDA running PocketPC, Symbian or PalmOS; mobile phone, public kiosk

Dial-up modem, hotel Ethernet, Wi-Fi, mobile carrier, cable modem, DSL

To connect with email, Web-based intranet, terminal services, CRM, ERP, partner data

Contrast this with the old dumb terminals
– One location, one hard connection.

Page 17: Endpoint security benefits

Manage zero-day threats
Reduce incident response cost
Eliminate system downtime
Reduce hot fixes and patching
Lower recovery cost
Comply with regulatory requirements
Single solution, multiple security functions, low performance impact

Increased security of corporate resources

Ensures endpoints (laptops, PC, PDA, servers, etc.) conform to security policy

Proactively protects against worms, viruses, spyware and malware

Reduced risk of outbreak due to infected endpoints

Safe access to networks through VPN access

Controlled remediation and patching of unhealthy endpoints

Page 18: Evolution of endpoint security

Today
– Static network access
– Every device is permitted
– Infected or unhealthy devices are frequently the root of an outbreak

Tomorrow… but more realistically in 5+ years
– Dynamic network access based on policies
– Screen devices before granting access
– Infected or unhealthy devices treated separately

Page 19: Endpoint security deployment

Page 20: Start thinking about endpoint security

Know what you want to inspect

What policies do you want?

Risk assessment
– Define in detail what your risks are
– Not all risks are created equal
– Not all endpoints are created equal

What is your security problem and how do you expect an endpoint security solution to solve it?

Page 21: Questions you need to ask

How do we enforce compliance with our security policies in order to provide a safe and secure network environment for everyone?

How do we identify unmanaged desktops to deliver our security message?

How do we ensure all types of users have adequate awareness and training of security issues?

Page 22: Budget and Staffing

Ensure that you have adequate budget and staff to support endpoint security
– Endpoint projects take a lot of money and manpower to deploy
– Regardless of what the vendor tells you, endpoint security costs a lot of $$$$
– It is worth it, but it is in no way cheap

If you don't have the budget and staff, don't even think of deploying endpoint security.

Page 23: Next steps

Define very specific goals for endpoint security
Assessment of endpoint security requirements and needs
Decision making based on policy compliance
Admission enforcement at the network infrastructure level
Quarantining/remediation of unhealthy devices

Page 24: Context of the endpoint device

Function
Location
Criticality
Compliance state

Page 25: What are your minimums?

Define and evaluate what is necessary

What is to be allowed?

Obligatory compliance of all desktops to minimum corporate security policy
– Define minimum desktop requirements
– Current OS patches
– Latest Web browser
– Latest anti-virus/spyware signatures and definitions
– Up-to-date personal firewall
– Latest spyware signatures and definitions
– Other security configurations

Exceptions
– CEO and friends

Page 26: Strategic endpoint security

Effective endpoint security requires a strategic approach that understands the need to optimize connectivity while also ensuring protection for all critical resources
– This is not a trivial task

Endpoint security is not plug and play
– Deployments require a lot of initial TLC
– Can break many applications
– Cause others to crash

Page 27: NAC - one-size does not fit all

Biggest mistake in NAC design
– Taking a one-size-fits-all approach

NAC policies must address
– Who
– What
– Where
– When
– Why

Page 28: NAC - one-size does not fit all (continued)

Second biggest mistake in NAC design
– Inadequate piloting
– First pilot groups should be with users who are computer savvy
– NAC policies take a lot of tweaking to get them right

Start small
– Don't try a global deployment until you have a few successful localized deployments

Page 29: Converged devices

Devices such as notebooks, tablet PCs, PDAs, smartphones, iPod, Zune and other types of mobile devices also need to be secured

They have increasing storage and performance capabilities

They travel outside the bounds of physical and logical perimeters – and they aren't connected to the network at all times

These devices enter and leave your network many times over the course of the year
– That leaves myriad opportunities to return with malware

Page 30: Converged devices (continued)

These devices present a significant potential for financial loss, legal liability and brand damage since they are unprotected

Many organizations have no idea if these devices are connected to their network or how many are connected

Endpoint security can offer protection against the threats that converged devices bring

Page 31: Non-corporate owned devices

Consultants, contractors, hackers, employees and more will attempt to connect their own devices to the corporate network

Be it a corporate-owned device or privately-owned endpoint, they all must be controlled before being given access to the network

Page 32: Endpoint security recommendations

An unsecured endpoint must not be allowed to connect to the network if doing so inappropriately increases the risk to the organization

Management must identify the state of the endpoints before they are allowed access to internal networks

CISO must be able to provide a level of assurance to management that information will be protected when it reaches the endpoint

Remediation plans must be created for remote endpoints

Page 33: Endpoint security - not a silver bullet

While endpoint security is a hot topic with myriad hardware and software solutions, the reality is that:
– There are no standards
– Many current solutions are proprietary
– Still an immature solution
– Not a lot of experts in the field
– Solutions are costly and complex to implement
– Not all solutions address post-admission control
– The endpoint security market is still evolving, and its noble objectives are still progressing, many of which have yet to be achieved.

Page 34: What about post-admission control?

Blocking access is easy
– The hard part is finding a way to safely conduct business when the unmanaged endpoint of a business partner or customer is not compliant
– Asking third parties to install NAC software clients is often infeasible

NAC does not completely track and control the flow of confidential data

We must wait until the next generation of NAC/endpoint security functionality

Page 36: Other vendors in the space

Check Point, Endforce, StillSecure, Symantec, Juniper, Configuresoft, Lockdown Networks, eEye, Qualys, Funk, 3Com, Altiris, ISS, Citrix, ConSentry, Vernier, Senforce, McAfee, Forescout, InfoExpress, Intel and many more…

Page 37: Commonalities

All of the solutions are basically attempting to perform the same task

They all use routers, switches, wireless access points, software and security appliances to enforce endpoint security

Require security credentials from the endpoint device

Relay them to a policy server

Policy servers evaluate credentials and make the admission control policy decision (permit, deny, quarantine or restrict)

Network access device enforces the admission control policy decision
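As an added illustration (not from the presentation or any vendor's product), here is the policy-server step of that common workflow in Python, applied to the minimums from the "What are your minimums?" slide and the endpoint context (criticality, managed state) from the "Context of the endpoint device" slide. The report fields, thresholds and sample hosts are constructed assumptions, not any product's schema.

```python
from dataclasses import dataclass, field
from datetime import date

# Posture report as an endpoint agent (CTA/QA style) might relay it to the policy
# server. Field names are assumptions for this example, not any vendor's schema.
@dataclass
class HealthReport:
    host: str
    managed: bool          # corporate-owned device with an agent installed
    criticality: str       # "standard" or "critical": context of the endpoint
    os_patched: date       # date of the last applied OS patch cycle
    av_signatures: date    # date of the current anti-virus/spyware definitions
    firewall_enabled: bool
    browser_version: int

@dataclass
class Policy:
    max_patch_age_days: int = 30
    max_signature_age_days: int = 7
    min_browser_version: int = 7
    exceptions: set = field(default_factory=set)  # hosts admitted despite findings

def evaluate(report: HealthReport, policy: Policy, today: date):
    """Policy-server decision: (permit | deny | quarantine | restrict, findings)."""
    if not report.managed:
        # No agent, so no credentials to evaluate: restrict to a guest/partner
        # segment rather than refuse all business (the post-admission problem).
        return "restrict", ["unmanaged device: no posture credentials presented"]
    findings = []
    if (today - report.os_patched).days > policy.max_patch_age_days:
        findings.append(f"OS patches older than {policy.max_patch_age_days} days")
    if (today - report.av_signatures).days > policy.max_signature_age_days:
        findings.append("anti-virus/spyware signatures out of date")
    if not report.firewall_enabled:
        findings.append("personal firewall disabled")
    if report.browser_version < policy.min_browser_version:
        findings.append("browser below minimum version")
    if not findings:
        return "permit", []
    if report.host in policy.exceptions:
        # The "CEO and friends" exception: admit, but keep the findings for audit.
        return "permit", findings
    if report.criticality == "critical" and not report.firewall_enabled:
        # A critical endpoint with no host firewall is an outbreak risk to the
        # rest of the network; refuse rather than remediate in place.
        return "deny", findings
    # Ordinary non-compliance: quarantine, remediate, then re-evaluate.
    return "quarantine", findings

# Constructed sample reports and policy, evaluated against a fixed "today".
TODAY = date(2007, 3, 21)
POLICY = Policy(exceptions={"ceo-laptop"})
SAMPLES = [
    HealthReport("sales-laptop", True, "standard", date(2007, 3, 10), date(2007, 3, 20), True, 7),
    HealthReport("ceo-laptop", True, "standard", date(2006, 12, 1), date(2007, 3, 20), True, 6),
    HealthReport("db-server", True, "critical", date(2007, 1, 15), date(2007, 3, 21), False, 7),
    HealthReport("contractor-pc", False, "standard", date(2007, 3, 1), date(2007, 3, 1), True, 7),
    HealthReport("branch-pc", True, "standard", date(2007, 3, 15), date(2007, 3, 1), True, 7),
]

def decide_all():
    """Map each sample host to the policy server's decision."""
    return {r.host: evaluate(r, POLICY, TODAY)[0] for r in SAMPLES}
```

The findings list is what a quarantine segment's remediation step would act on, and what the audit trail should record for hosts admitted under an exception.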

Page 38: Commonality – Policy Server

The policy server is generally a RADIUS, Kerberos or 802.1x system and is the central point for establishing network access policies and is the primary mechanism for the endpoint security workflow

The policy server decides whether to allow an endpoint onto the network based on input from the baseline of the device

The server interfaces with other security configuration management functions that hold information such as OS updates, AV, patches, etc.

Page 39: 802.1x is not NAC

IEEE 802.1x
– Standard for port-based network access control.
– It is not NAC as the industry knows it
– Port-based authentication
– Provides authentication to devices connected to a LAN port

Page 40: Cisco NAC

API-level enforcement & quarantine technology being built into Cisco network infrastructure

In production

Multiple vendors in program

NAC focuses on network infrastructure, policy definition and management

Built on a foundation of installed Cisco devices

Page 41: Cisco NAC (continued)

NAC works via trusted modules that are installed on Windows and Linux desktops (Cisco Trust Agent - CTA) and implemented in Cisco routers and switches

CTA gathers device information and passes it via 802.1x to the Cisco Secure Access Control Server (ACS)

ACS communicates with the policy server to determine compliance and enforce network access via the Cisco switching infrastructure

Page 42: Cisco NAC (continued)

NAC requires a Cisco infrastructure running a current version of IOS– 12.3(8)T or later

For enterprises running legacy Cisco devices, this will require an expensive hardware upgrade

For enterprises running older versions of IOS, this will require plans to upgrade

Page 43: Cisco NAC (continued)

Benefits
– Shipping now
– Somewhat mature
– Many deployments
– Supports Linux clients

Disadvantages
– Proprietary solution
  • Full solution works only with Cisco 802.1x equipment and authentication server
– Cisco switch-based
– Significant IOS upgrade may be required
– Requires software agent

Page 44: Microsoft NAP

Health assessment of host device

API-level enforcement & quarantine technology via the Windows OS

Available in Vista

Multiple vendors in program and announcing support

Built on a Windows foundation and uses the Windows Quarantine Agent (QA)

Page 45: NAP Components

Administrators can use these technologies separately or together to limit noncompliant computers.

NAP provides limited access enforcement components for the following technologies:
– IPsec
  • Health Registration Authority (HRA) and IPsec NAP Enforcement Client (EC)
– 802.1x authenticated network connections
  • NPS server and an EAPHost NAP EC component
– VPN
  • VPN NAP Enforcement Server (ES) component/VPN NAP EC component
– DHCP
  • NAP ES component/DHCP NAP EC component

Page 46: NAP characteristics

Health Policy Validation
– When a user attempts to connect to the network, the computer's health state is validated against the health policies as defined by the administrator.

Health Policy Compliance
– Administrators can help ensure compliance with health policies by choosing to automatically update noncompliant computers with the missing requirements through management software.

Limited Access
– Administrators can protect network assets by limiting the access of computers that do not comply with health policy requirements.
– Non-compliant computers will have their access limited as defined by the administrator.

Page 47: Microsoft NAP (continued)

Microsoft states that NAP is not designed to secure a network from malicious users. It's designed to help administrators maintain the health of the computers on the network, which in turn helps maintain the network's overall integrity.

Microsoft's new platform to limit the access of connecting computers until they are compliant with system health requirements

Page 48: Microsoft NAP (continued)

QA gathers device information and passes it to the Microsoft Network Policy Server (NPS)

NPS works with other devices (DHCP, IPsec, VPN, 802.1x and more) for policy compliance

Supported in Vista and Windows XP SP2

Page 49: Microsoft NAP (continued)

Benefits
– Single policy solution for Windows devices
– Supported by many vendors

Disadvantages
– Just out of beta
– Only Vista and XP support
– No Linux support
– Proprietary

Page 50: Trusted Computing Group

Creating TNC (Trusted Network Connect) standard

Multiple API-level interfaces

Broad approach to endpoint security

Still in early stage of development

Built on the assumption that every device has a specialized piece of hardware to verify that the endpoint has not been compromised

Uses that hardware to monitor and enforce endpoint policies

Page 51: Trusted Network Connect

Trusted Network Connect is a set of open standards
– Mission is to develop and promote an open, vendor-neutral, industry standard specification for trusted computing building blocks and software interfaces across multiple platforms

Not all of the standards have been fully defined

Little product support to date

Key components of TNC are a RADIUS server and 802.1x authentication servers, in addition to a trusted hardware chip (TPM) and software on the endpoint device

Page 52: Trusted Network Connect (continued)

The TPM (Trusted Platform Module) is used to authenticate the endpoint device

Once authenticated, the TPM passes control to a software agent, which checks the device for compliance

Page 53: Trusted Network Connect (continued)

Benefits
– Provides security at the hardware level
– Broad architecture
– Wide support from laptop and other hardware vendors
– Open specification

Disadvantages
– Requires specialized TPM hardware
– Standards are incomplete
– Few major rollouts

Page 54: References/Books

NAP - www.microsoft.com/nap
NAC - www.cisco.com/en/US/netsol/ns466/networking_solutions_package.html
TNC - www.trustedcomputinggroup.org/groups/network
www.endpointsecurity.org
www.watchyourend.com
Essential Trends and Dynamics of the Endpoint Security Industry – www.zeltser.com/endpoint-security-trends

Page 55: Books

Page 56: Conclusions

Endpoint security is a powerful technology whose time has come.

Don't underestimate the time and complexity it will take to deploy.

Make sure you define your specific needs and requirements and map those to your environment.

You will have to live with and support your decision, so make sure you make the right choice.

Page 57: QA/Thanks for attending

Any questions? Comments?

Please fill out your evaluation sheets

Ben Rothke CISSP, CISM
BT
[email protected]