Endpoint Host machine integrity based


Training
Endpoint Security
© 2005,2006 NeoAccel Inc.
Helen of Troy
Troy had the strongest walls, and hence it was impossible to break into the city.
The Trojans were led by Hector, the best of the many sons of Priam!
The Trojans had built a defensive perimeter to stop enemies from breaking through the gate and the wall!
Troy and Trojans
The only point of access into the city was through the “Gate”.
The Greeks fought for 10 years, but could not get through the Trojan defense!
Break into perimeter security
Trojan Horse!!!
Sinon misled the Trojans by telling them that Odysseus was now his enemy.
Come to 21st Century
Perimeter Security
Managed LAN hosts accessing managed servers and resources
Access to only known services
Corporate Network: 24x7 managed control and corporate policy compliance
A Hole in Perimeter Security
Remote Access Server, right there sitting in your LAN, providing access to your managed resources
Unmanaged or out-of-control access point
Corporate Network
Remote access to authorized users
What’s the security risk?
“We have strong authentication mechanisms. Only authorized users can access the network. What’s the security risk?”
The user may be authorized, but the medium of access, the host machine, may not be!
An authentic, authorized user will run only authorized applications, but other hidden programs, such as viruses, trojans and spyware, are free birds!
They can access what the user should not be accessing.
Example…
Just authentication is not enough for secure remote access.
An authorized user, knowingly or unknowingly, may lead to a security breach.
Showing your passport at the airport: of course you are carrying a passport, but you still need to get through the security check.
Then what!
Need a mechanism to deploy effective Endpoint
Security Policy Management and Compliance
NeoAccel SSL VPN-Plus has this feature and we call it
EndPoint Security (EPS)
End Point Security: Introduction
EPS is meant for the security of the user’s machine, and hence secures the corporate network.
EPS checks whether the user’s machine complies with corporate policies and can be allowed to connect to the corporate network.
e.g. It should have
Anti-virus software running,
Firewall running,
Latest security patches,
Etc.
Your luggage is checked at the airport for explosives and sharp objects; your health status is also checked.
End Point Security: Introduction
EPS scans the user’s machine and decides the trust (security) level, or zone, of the machine; access is granted based on the zone the machine falls into.
EPS is authorization of your machine. The trust level set by your identity is always overridden by the trust level of your machine: the host is scanned before the user is even asked to log in, and its zone takes precedence over what the user’s identity would grant.
SSL VPN-Plus: Endpoint Security
The remote user logs in using the NeoAccel SSL VPN-Plus Client.
The client scans the host machine for required software and cleanliness:
Check for Antivirus
Check for Firewall
Check for Key loggers
Check for Browser Security Settings
Check for Anti-Spyware
Check for IP-forwarding & network bridging
Check for OS Patches
Check for customized files/process/service/port
Check for Desktop Search engine
The security level of the host machine is calculated and sent to the NeoAccel SSL VPN-Plus Gateway.
Depending upon the security level, the Gateway decides how much access to give the remote user to private network resources: Remote desktop, Web-mail (http), File sharing, FTP.
Real-time endpoint security checks keep the host safe.
System Architecture
Level 1: Endpoint host integrity based authorization mechanism. Highest priority.
Level 2: User identity based authorization mechanism. Lower priority.
Inputs to the Gateway (from the NeoAccel Management Server):
• Endpoint Security Zone Definition File: Zone name, Zone Trust Level, Associated EPS policy list, Associated ACL list
• Endpoint Security Policy Database: Rules to scan the host machine
• Access Control Policy Database
• Group Definition File: Group name, Group ID, Associated Users, Associated ACL list, Authentication server type and address
• User information database: Group, password (if local database)
Input to the Client (through the gateway):
• Endpoint security Client DAT file: EPS policy and Zone levels
Level 1 Authorization: Endpoint Host machine integrity based
Inputs to the NeoAccel Gateway Module:
• Access Control Policy Database
• Endpoint Security Zone Definition File: Zone name, Zone Trust Level, Associated EPS policy list, Associated ACL list
Input to the NeoAccel Client Application (through the gateway):
• Endpoint security Client DAT file: EPS policy and Zone levels
Sequence between client and gateway:
• TCP & SSL Handshake
• Client sends handshake; gateway protocol starts
• Gateway queries current machine information: Client Version, EPS DAT Version, Security level of host machine
• If a client upgrade is available, gateway sends an upgrade notification
• If a new version of the DAT file is available, gateway sends the EPS DAT file; client updates the DAT file from the gateway
• Host Scanning Engine reads the rules to execute from the Host Scanning DAT file, scans the host and calculates the security level
• Login challenge; user logs in
• Gateway queries Access Control Policies for the current zone level
• Gateway applies access control over this connection
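The exchange in the sequence above, together with the two-level authorization from the System Architecture slide, simulated as an added example. This is not NeoAccel’s code and the page does not show the product’s wire format: the message types and field names, the DAT layout, the process names, the user and group records, and the rule that the machine zone’s ACL caps the user group’s ACL are all assumptions made for the illustration.

```python
# Added example (not NeoAccel code): simulates the Level 1 exchange between
# the SSL VPN-Plus client and gateway as described on the slide. Message and
# field names, zone numbering and the ACL-combination rule are assumptions.

# Constructed host-scanning DAT files (EPS policies plus zone levels) of the
# kind the gateway pushes to the client. Version 2 adds an anti-spyware
# check. Process names are invented for the example.
DAT_V1 = {
    "version": 1,
    "policies": {"antivirus": "av_scanner.exe", "firewall": "host_fw.exe"},
    # zone level -> policies that must ALL pass; level 1 is the most trusted
    "zones": {1: ["antivirus", "firewall"], 2: ["antivirus"], 3: []},
}
DAT_V2 = {
    "version": 2,
    "policies": {"antivirus": "av_scanner.exe", "firewall": "host_fw.exe",
                 "antispyware": "antispy.exe"},
    "zones": {1: ["antivirus", "firewall", "antispyware"],
              2: ["antivirus", "firewall"], 3: []},
}


def scan_host(dat, running):
    """Host scanning engine: evaluate every policy rule in the DAT against
    the running process list and return the most trusted zone whose
    required policies all pass (the catch-all zone 3 always matches)."""
    passed = {name for name, proc in dat["policies"].items() if proc in running}
    for level in sorted(dat["zones"]):
        if set(dat["zones"][level]) <= passed:
            return level
    return max(dat["zones"])


class Client:
    VERSION = "2.0"

    def __init__(self, dat, running_processes):
        self.dat = dat
        self.running = set(running_processes)
        self.level = scan_host(dat, self.running)

    def hello(self):
        # Sent right after the TCP/SSL handshake, before any login challenge.
        return {"type": "hello", "client_version": self.VERSION,
                "dat_version": self.dat["version"], "level": self.level}

    def install_dat(self, dat):
        # A newer DAT pushed by the gateway means re-scanning with new rules.
        self.dat = dat
        return self.rescan()

    def rescan(self):
        # Real-time check; a changed level is reported back to the gateway.
        self.level = scan_host(self.dat, self.running)
        return self.level


class Gateway:
    # Zone definition (constructed): zone level -> ACL list.
    ZONE_ACLS = {1: {"remote-desktop", "file-sharing", "ftp", "webmail"},
                 2: {"file-sharing", "webmail"},
                 3: {"webmail"}}
    # Group definition (constructed): group -> ACL list granted by identity.
    GROUP_ACLS = {"engineering": {"remote-desktop", "file-sharing", "ftp", "webmail"},
                  "contractor": {"ftp", "webmail"}}
    # Local user database (constructed): user -> (password, group).
    USERS = {"alice": ("alice-pw", "engineering"), "bob": ("bob-pw", "contractor")}

    def __init__(self, dat):
        self.dat = dat

    def handle_hello(self, hello):
        """Level 1: if the client's DAT is stale, push the current one before
        issuing the login challenge, so the reported level uses fresh rules."""
        if hello["dat_version"] < self.dat["version"]:
            return {"type": "dat_update", "dat": self.dat}
        return {"type": "login_challenge"}

    def authorize(self, username, password, level):
        """Level 2 (identity) combined with Level 1 (machine zone).
        Assumption: the zone ACL caps the group ACL, so a weak machine never
        gets more than its zone allows, whoever logs in from it."""
        password_on_file, group = self.USERS.get(username, (None, None))
        if password_on_file is None or password_on_file != password:
            return None
        return self.ZONE_ACLS[level] & self.GROUP_ACLS[group]


def connect(client, gateway, username, password):
    """Run the exchange end to end; return the ACL applied to the connection."""
    reply = gateway.handle_hello(client.hello())
    if reply["type"] == "dat_update":
        client.install_dat(reply["dat"])
        reply = gateway.handle_hello(client.hello())
    if reply["type"] != "login_challenge":
        raise RuntimeError("unexpected gateway message: %r" % reply["type"])
    return gateway.authorize(username, password, client.level)
```

With a client shipping DAT version 1 and a gateway holding version 2, `connect()` pushes the new DAT first; the same machine that was zone 1 under the old rules drops to zone 2 once the anti-spyware check exists, and the engineering user on it gets only file sharing and web-mail. Calling `rescan()` after the firewall process disappears moves the host to zone 3, which is the point at which the gateway would re-apply a narrower ACL on the fly.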
EPS: Features
• Two levels of authorization
– Level 1: Trust level of machine
– Level 2: Identification of user
• Endpoint Security Policy Management Capabilities
• Can create 40 security zone profiles
• Most intuitive and easiest interface to create EPS policies
• Check for system security settings and status and security software, or custom policies
• Browser cache cleanup, visited URL cleanup, cookies cleanup, downloaded program files, Java cache
• Blocks printing, copy-paste, saving file from browser to disk
• Factory default rules and policies for quick deployment
• Fine grained custom policy creation UI
• Auto update of EPS policies
• Support on Windows and Linux
• Timely updates for EPS policy database with release of new software and service packs
EPS: Features…contd
• Option to specify information for users to troubleshoot or raise the security level of the machine
• Automatic enabling of certain mandatory services
• Sense presence/absence of specified applications/processes
– Notify user to install required applications
– Block black-listed applications
• Real-time scanning
• On-the-fly updating of ACLs if a change in security zone is detected
• Provides architecture for Endpoint Vulnerability Checking for administrators
• Completely transparent to user
EPS Policy Definition Screen
Endpoint Security policies
EPS policies can be
added/modified/deleted
from here
EPS Policy as set of EPS policies
Creating an EPS policy as a
set of already existing EPS
policies
EPS Policy as set of new rules
Add process/file/port/registry based rules
EPS Zone Creation screen
The lower the security level, the more stringent the EPS policies.
Associate EPS policies: a machine will fall in this zone if all the checked policies are satisfied.
Associate Access Control Policies, which will be applied to connections from host machines falling in this zone.
EPS: Custom Policies
• Can create custom policies for
– Files
• Modification time
• Size
• Version (binaries)
– Process
• Existence
• Owner
• Status
– Registry
• Values
• Existence
– Open ports
• State; open/close/listen
– Service
• State
– Digital signatures
• Existence based on parameters; CN, private key
• Validity
– Loaded drivers
– Key loggers
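An added example, not code from NeoAccel’s product, showing how the custom rule types listed above, the composition of an EPS policy from existing EPS policies, and the zone rule from the Zone Creation screen (a machine falls in a zone only if all associated policies pass) fit together. It also produces the list of failed policies that the Scanning Status dialog later on the page shows the user. The host snapshot, file paths, process, service, driver and registry names, and the policy and zone definitions are constructed for the illustration; the product’s own DAT format is not shown on the page.

```python
# Added example, not NeoAccel code: a rule/policy/zone evaluator shaped like
# the slides describe. Host snapshot, rule parameters, policy and zone names
# are constructed; the product's real DAT format is not shown on the page.
AV_PATH = "C:/Program Files/ExampleAV/av_scanner.exe"
AU_KEY = "HKLM/SOFTWARE/Policies/Microsoft/Windows/WindowsUpdate/AU/NoAutoUpdate"
# Constructed host snapshot: what the scanning engine would have collected.
HOST = {
    "files": {AV_PATH: {"size": 1204224, "mtime": "2006-03-01", "version": "7.1.0"}},
    "processes": {"av_scanner.exe": {"owner": "SYSTEM", "status": "running"},
                  "explorer.exe": {"owner": "alice", "status": "running"}},
    "registry": {AU_KEY: 0},
    "ports": {3389: "listen", 445: "closed"},
    "services": {"wuauserv": "running", "SharedAccess": "running"},
    "signatures": {AV_PATH: {"cn": "Example AV Corp", "valid": True}},
    "drivers": {"ndis.sys", "bridge.sys"},
}

def _version(v): return tuple(int(x) for x in v.split("."))

# One evaluator per custom rule type; each returns True when the rule passes.
def rule_file(host, p):
    f = host["files"].get(p["path"])
    return (f is not None
            and _version(f["version"]) >= _version(p.get("min_version", "0"))
            and f["mtime"] >= p.get("modified_after", ""))  # ISO dates sort as text

def rule_process(host, p):
    proc = host["processes"].get(p["name"])
    if not p.get("exists", True):  # black-listed process must be absent
        return proc is None
    return proc is not None and all(proc.get(k) == p[k] for k in ("owner", "status") if k in p)

def rule_registry(host, p):
    value = host["registry"].get(p["key"])
    return value == p["value"] if "value" in p else (value is not None) == p.get("exists", True)

def rule_port(host, p):
    return host["ports"].get(p["port"], "closed") == p["state"]

def rule_service(host, p):
    return host["services"].get(p["name"], "stopped") == p["state"]

def rule_signature(host, p):
    sig = host["signatures"].get(p["path"])
    return sig is not None and sig["valid"] and sig["cn"] == p["cn"]

def rule_driver(host, p):
    return (p["name"] in host["drivers"]) == p.get("loaded", True)

RULES = {"file": rule_file, "process": rule_process, "registry": rule_registry,
         "port": rule_port, "service": rule_service, "signature": rule_signature,
         "driver": rule_driver}

# A policy is a list of (rule type, parameters) pairs and/or names of other
# policies; "baseline" is a policy built from already existing policies.
POLICIES = {
    "antivirus": [("file", {"path": AV_PATH, "min_version": "7.0.0", "modified_after": "2006-01-01"}),
                  ("process", {"name": "av_scanner.exe", "owner": "SYSTEM", "status": "running"}),
                  ("signature", {"path": AV_PATH, "cn": "Example AV Corp"})],
    "firewall": [("service", {"name": "SharedAccess", "state": "running"})],
    "auto-update": [("service", {"name": "wuauserv", "state": "running"}),
                    ("registry", {"key": AU_KEY, "value": 0})],
    "no-keylogger": [("process", {"name": "keycap.exe", "exists": False})],
    "no-bridging": [("driver", {"name": "bridge.sys", "loaded": False})],
    "no-rdp-listener": [("port", {"port": 3389, "state": "closed"})],
    "baseline": ["antivirus", "firewall"],
}

# Zones from most to least trusted; a machine falls in a zone only if ALL of
# its associated policies pass. The last zone has no requirements.
ZONES = [(1, "trusted", ["baseline", "auto-update", "no-keylogger", "no-bridging", "no-rdp-listener"]),
         (2, "limited", ["baseline", "no-keylogger"]),
         (3, "untrusted", [])]

def evaluate_policy(name, host, policies=POLICIES):
    """A policy passes only if every rule, and every referenced policy, passes."""
    for item in policies[name]:
        if isinstance(item, str):
            ok = evaluate_policy(item, host, policies)
        else:
            rule_type, params = item
            ok = RULES[rule_type](host, params)
        if not ok:
            return False
    return True

def classify(host, zones=ZONES):
    """Walk zones from most to least trusted; return (level, name, report).
    The report lists, per zone tried, the policies that failed, which is
    what the client's scanning-status dialog shows the user."""
    report = {}
    for level, name, required in zones:
        failed = [p for p in required if not evaluate_policy(p, host)]
        report[name] = failed
        if not failed:
            return level, name, report
    return None, None, report
```

The constructed host has anti-virus, firewall and auto-update in order but a loaded bridging driver and a listening RDP port, so `classify(HOST)` lands it in the “limited” zone and reports `no-bridging` and `no-rdp-listener` as the policies to fix for full access. Remove the bridge driver and close the port and it reaches “trusted”; add a black-listed key-logger process and it drops to “untrusted”. Black-listed processes are expressed as a process rule with `exists: False`, so the same evaluator covers both required and forbidden software.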
EPS: Factory defined policies
• Policies exist for
– System security settings:
• Browser type and version
• Browser security level
• IP forwarding
• Bridging
– System status
• OS version
• Service packs
• Security patches
• Auto-update service status
– Security software:
• Anti virus; TrendMicro, AVG, McAfee, Symantec, Sophos, Aladdin
• Firewall; McAfee, TrendMicro, AVG, ZoneAlarm
• Anti-spyware; Microsoft, McAfee, AVG, TrendMicro
• Desktop Search Engines; Google
• And many more…
EPS: Cache Cleanup
• Complete system monitoring to track the application cache or files saved from the private network to the local machine. Either the user is disallowed from saving the data, or it is cleaned up after logout, based upon the type of data stored.
• This feature is normally not present in full-access clients, or is implemented using third-party secure desktop products.
Scanning Status
This dialog may appear at the time of login (before authentication).
The dialog shows that the client machine does not satisfy all security policies.
The user should enable the policies that have failed to get maximum access rights.
Enable the Windows firewall for each physical adapter to pass the endpoint security check.
Virtual Keyboards
Virtual Keyboard to mitigate key-logger threats.
Though the OS takes care of not displaying the password in plain text, it is still hackable. The SSL VPN-Plus Client never passes the password to the OS GUI, and hence mitigates the threat from password crackers.