
Two Approaches to Large Scale
Computer Security Validation
and Registration
VASCAN
October 2005
Dan Veloce, George Mason University [email protected]
Chris Faigle, University of Richmond [email protected]
What is the problem?
• It is difficult to secure computers that are not under direct management
• Many large organizations, especially universities, provide network connectivity for large numbers of computers which are unmanaged and, in many cases, owned by other entities
• In this kind of environment, it can be helpful to devise a system that allows such computers to connect to the network only after verifying that they conform to a pre-defined security policy
Some Possible Solutions
• Install a manageable client on each computer and continually monitor for policy compliance
• Verify policy compliance only at scheduled times (e.g. back to school, midyear) or in the event of a major security issue
• We will look at two systems which follow the second approach:
  – The MUST system from George Mason University
  – The University of Richmond's online registration system
George Mason University
MUST
MUST Components
• Network Quarantine
• Authentication
• Client Inspection & Remediation
• Registration
• Reporting
Quarantine is Essential!
• Large influx of new computer systems into Residence Hall networks at the beginning of each semester
• Very dynamic environment
• System administration deficiencies are prevalent!
  – In many cases:
    » Little or no OS patching
    » Antivirus software absent or virus definitions outdated
    » Infected computers
Network Quarantine
[Diagram: two addressing schemes behind the same router/security gateway and access switches]
• Traditional IP subnet: hosts share one /24 (e.g. 129.174.68.10 and 129.174.68.11, subnet mask 255.255.255.0, gateway 129.174.68.1), so they can reach each other without the gateway seeing a packet
• Point-to-point IP quarantine (MUST architecture): each host gets its own /30 whose only other address is its gateway (e.g. 42.93.232.46, subnet mask 255.255.255.252, gateway 42.93.232.45; 42.129.86.82, subnet mask 255.255.255.252, gateway 42.129.86.81), so every packet between hosts must cross the security gateway
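The point-to-point quarantine above, as an added example that is not code from the MUST project: a small Python model (standard library only) that carves a pool into /30s, hands one to each client MAC with the lower usable address on the gateway side (the slide's 42.93.232.45/46 pairing) and compares the result with the flat /24 case. The pool 42.93.232.0/24, the lease table and the function names are constructed for the example.

```python
"""Point-to-point (/30) quarantine versus a flat subnet.

Added example, not MUST code. Models the two addressing schemes on the
"Network Quarantine" slide: in a /30 the client shares its broadcast
domain with nothing but its gateway, so client-to-client traffic is
forced through the router/security gateway where policy is enforced.
Pool, MACs and names below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Lease:
    mac: str
    address: ipaddress.IPv4Address
    netmask: ipaddress.IPv4Address
    gateway: ipaddress.IPv4Address
    network: ipaddress.IPv4Network


class PointToPointPool:
    """Carves a pool into /30s and hands one to each client MAC.

    Lower usable address = gateway side, upper = client, matching the
    slide (client 42.93.232.46, gateway 42.93.232.45).
    """

    def __init__(self, pool):
        self._free = list(ipaddress.ip_network(pool).subnets(new_prefix=30))
        self._leases = {}                     # mac -> Lease

    def lease(self, mac):
        mac = mac.lower()
        if mac in self._leases:               # same MAC asks again: same /30
            return self._leases[mac]
        if not self._free:
            raise RuntimeError("quarantine pool exhausted")
        net = self._free.pop(0)
        gateway, host = list(net.hosts())     # a /30 has exactly two usable addresses
        lease = Lease(mac, host, net.netmask, gateway, net)
        self._leases[mac] = lease
        return lease


def flat_subnet_lease(mac, address, cidr="129.174.68.0/24", gateway="129.174.68.1"):
    """The traditional case: every host on the same /24 (slide's left-hand diagram)."""
    net = ipaddress.ip_network(cidr)
    return Lease(mac.lower(), ipaddress.ip_address(address), net.netmask,
                 ipaddress.ip_address(gateway), net)


def same_broadcast_domain(a, b):
    """True when the two hosts can exchange frames with no router in between."""
    return a.network == b.network


if __name__ == "__main__":
    pool = PointToPointPool("42.93.232.0/24")
    a = pool.lease("00:11:22:33:44:55")
    b = pool.lease("66:77:88:99:aa:bb")
    print(a.address, a.netmask, a.gateway, "direct to b:", same_broadcast_domain(a, b))
    f1 = flat_subnet_lease("x", "129.174.68.10")
    f2 = flat_subnet_lease("y", "129.174.68.11")
    print(f1.address, f1.netmask, f1.gateway, "direct to f2:", same_broadcast_domain(f1, f2))
```

The price of the scheme is address consumption (four addresses per client), which is why the deck calls the quarantine side a separate NAT space rather than carving it from the university's public range.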
Authentication
• User-based authentication
  – Verify the user's identity via GMU LDAP
• Computer identification
  – Identify a computer via records kept within an SQL database
• RADIUS allows us to accomplish both goals in one step
Authentication
[Sequence diagram: Client Computer, NAS, RADIUS, University LDAP, SQL Database]
1. Client computer -> NAS: SSL/Web authentication (username, password)
2. NAS -> RADIUS: Access-Request (Username, Password, Calling-Station-ID)
3-4. RADIUS <-> University LDAP: LDAP authentication (username, password)
5-6. RADIUS <-> SQL database: SQL select on Calling-Station-ID; return rights (rights attribute)
7. RADIUS -> NAS: Access-Accept (Rights)
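The single round trip in the diagram, as an added example that is not the MUST code: the NAS builds an Access-Request carrying User-Name, User-Password and Calling-Station-Id (the client MAC); the server checks the password, looks the MAC up in an SQL table and answers with the rights. Packet layout, User-Password hiding and the Response Authenticator follow RFC 2865. Assumptions: a dict of usernames and passwords stands in for the GMU LDAP bind, an in-memory sqlite3 table for the MUST SQL database, and the rights travel in the Filter-Id attribute (the deck names no attribute). An unknown MAC is accepted with rights "Unknown", matching the client-classification step that follows.

```python
"""RADIUS Access-Request / Access-Accept with Calling-Station-Id (RFC 2865).

Added example, not MUST code. Stand-ins: a dict for the LDAP bind, an
in-memory sqlite3 table for the SQL database, Filter-Id for the rights.
"""
import hashlib
import os
import sqlite3
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FILTER_ID, CALLING_STATION_ID = 1, 2, 11, 31


def _encode_attrs(attrs):
    """Type-Length-Value; the length byte counts its own two header bytes."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def _decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        attr_type, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def unhide_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def build_access_request(ident, secret, username, password, calling_station_id):
    """Step 2 of the slide: what the NAS sends after the SSL/web login."""
    request_auth = os.urandom(16)
    attrs = _encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
        (CALLING_STATION_ID, calling_station_id.encode()),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


class RadiusServer:
    def __init__(self, secret, directory, computers):
        self.secret = secret
        self.directory = directory      # {username: password}; stand-in for the LDAP bind
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE computers (mac TEXT PRIMARY KEY, owner TEXT, rights TEXT)")
        self.db.executemany("INSERT INTO computers VALUES (?, ?, ?)", computers)

    def handle(self, packet):
        code, ident, length = struct.unpack("!BBH", packet[:4])
        if code != ACCESS_REQUEST or length < 20 or length != len(packet):
            raise ValueError("not a well-formed Access-Request")
        request_auth = packet[4:20]
        attrs = dict(_decode_attrs(packet[20:length]))   # one value per type suffices here
        user = attrs.get(USER_NAME, b"").decode(errors="replace")
        password = unhide_password(attrs.get(USER_PASSWORD, b""), self.secret, request_auth)
        mac = attrs.get(CALLING_STATION_ID, b"").decode(errors="replace").lower()
        # Steps 3/4: verify the user. A bad password is the only outright rejection.
        if not user or self.directory.get(user) != password.decode(errors="replace"):
            return self._reply(ACCESS_REJECT, ident, request_auth, [])
        # Steps 5/6: identify the computer. Unknown MACs get in as class "Unknown" so
        # the quarantine web page can classify and remediate them.
        row = self.db.execute("SELECT rights FROM computers WHERE mac = ?", (mac,)).fetchone()
        rights = row[0] if row else "Unknown"
        return self._reply(ACCESS_ACCEPT, ident, request_auth, [(FILTER_ID, rights.encode())])

    def _reply(self, code, ident, request_auth, attrs):
        body = _encode_attrs(attrs)
        header = struct.pack("!BBH", code, ident, 20 + len(body))
        # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
        resp_auth = hashlib.md5(header + request_auth + body + self.secret).digest()
        return header + resp_auth + body


def parse_reply(packet):
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    return code, dict(_decode_attrs(packet[20:length]))


def verify_reply(packet, request_auth, secret):
    """The NAS must check this before acting on the rights it was handed."""
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + request_auth + body + secret).digest() == resp_auth
```

The MAC arrives in Calling-Station-Id exactly as the NAS saw it, which is what makes the one-step design work and also what ties it to the MAC-spoofing caveat raised later in the deck: the rights are bound to a value the client controls, so the quarantine gateway, not this lookup, is what keeps an unknown machine contained.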
Client Classification
• Unknown computers are placed into the "Unknown" class and redirected to an ASP.NET web page which redirects computers based on operating system ID
  – Windows ME and newer Windows OS
    » MUST Update site
      - General computing security information
      - Disclaimers and SAV license agreement
      - MUST Update Tool specs and download
  – All other OS
    » Alternate web page
      - General computing security information
      - AV software downloads for supported platforms
      - Registration link
Client Inspection
• MUST Update Tool
  – Scans for and removes worms and viruses
    » Mitigates 41 virus/worm families via the Microsoft Malicious Software Removal Tool and custom worm detection routines
  – Checks the system for running instances of 48 antivirus software processes from 9 vendors
    » Downloads and installs the University standard package (with locked configuration) when AV is absent
    » If AV processes are present, prompts the user to remove packages other than the University standard
  – Configures a nightly automatic Windows Update policy on supported Windows platforms
  – Reports application errors and other system issues to a centralized database
  – Registers computers that pass all checks after giving users the option of remaining in the Protected (point-to-point NAT) space or moving to an Unprotected (University public IP addressed) space
MUST Update Resources
• WMI (Windows Management Instrumentation) acts as a repository of important system configuration information and is present, by default, on all Windows ME and newer Windows systems
  – Using WMI, we can:
    » Check running processes
    » Obtain system information
    » Manage system services
    » Read/edit the registry
• Basic Windows APIs
  – WinInet for data transfers
  – Kernel32 and User32 for basic system functions
    » Sleep function
    » Folder/file creation & removal
Registration
• It is useful to associate a user identity with a registered computer
  – The check routine downloads an SSL page containing the username associated with the authenticated user on the computer in question
• Upon passing all checks, the application passes 5 variables to the registration server
  – MAC address
  – Username
  – Operating System
  – Service Pack, if applicable
  – Rights Selection
• The application then spawns an IE browser that informs the user of a successful registration and directs them to reauthenticate for full network access
Non-compliant Systems
• In about 5% of cases, Windows computers are not registered because they fail one or more security checks
  – Most likely scenario: Symantec AV fails to load properly. This can be the result of a previous malware infection or an operating system problem
    » An IE browser is automatically spawned pointing to a remediation page which explains the problem, links to a copy of the Trend Micro Damage Cleanup Engine, and gives instructions for running the DCE
  – Other scenarios include
    » Computers infected with malware which requires manual intervention for complete removal
    » Computers with damaged Windows installations which are unable to install the antivirus package, communicate via SSL, or perform other basic functions
Reporting
• Central database which catalogs information reported by the MUST Update Tool
  – File download errors
  – Infected computers, including those which require manual intervention
  – If safety checks fail, the factors that caused the failure
  – Presence & type of non-compliant antivirus software found
  – Number of times the tool has run
Scale
[Chart: Registered Computers (0 to 1200) by date, 7/15/2005 to 9/15/2005. Annotations: MUST v2 implementation 7/15; early arrivals 8/21; general arrivals 8/25]
University of Richmond
Online Registration
U of R - Overview
• On both wired and wireless networks:
  – Machines with unknown MAC addresses (i.e. not in our VMPS database) are put into a "Neverland" VLAN with access to:
    » Anti-Virus server (Symantec Corp. AV)
    » Anti-Virus install (authentication required)
    » Windows Update locations (via Squid proxy)
    » Active Directory / DNS / DHCP
  – Note that we have a separate "Blackhole" VLAN with all traffic dropped at the switch port for machines which have been identified as a security risk
U of R – Overview II
• In the Neverland VLAN, the Squid proxy redirects all port 80 HTTP to our static computer registration start page
• The user must click through from that static page: automated processes hitting port 80 were triggering the Perl registration script excessively, so the script only starts on a real click
• The user enters id and password and the process begins
• Upon successful completion, the MAC address is registered in VMPS along with the correct VLAN id for the user
• The address is then located on the switch, and the port is downed and upped, causing a VMPS lookup; the port is then put into the correct VLAN
U of R – Process Details
• So what happens in the process:
  – 1. OS determination
    » Check browser string
    » nmap -O
  – 2. If MS:
    » Turn on Automatic Updates, both the standard setting and via policy
      - 3 am – download & install – don't ask
      - User cannot turn it off via the control panel – must delete registry keys
    » Open holes in the XP SP2 firewall for SAV traffic
      - Does not turn the firewall on or off
    » Verify SAV install, virus definition dates & parent server
    » Scan for worm holes using Nessus
  – 3. If not MS:
    » Pass without doing anything for now
U of R – MS Client Side
• For MS boxes:
  – Download the UofRMachineCheck ActiveX control and instantiate it
    » Requires IE 5.5 or above
    » Requires JavaScript
    » Requires the default IE settings
  – The encryption (more obfuscation) uses the hidden field "keyring" to avoid replay
  – Calls each of the functions and finally gets the MachineStatus (see next slide) to retrieve the SAV state and the Automatic Update state:

      oMachineCheck.SetAUPolicyOn();                 // Set AU on by policy
      oMachineCheck.SetAUOn();                       // Set AU on normally
      oMachineCheck.OpenXPFirewallSAVCE();           // Open the XP SP2 firewall for SAV traffic
      var GetMachineStatusEncryptedResult =
          oMachineCheck.GetMachineStatusEncrypted(key);   // Get encrypted status, bound to the page's key
      main.urm.value = GetMachineStatusEncryptedResult;   // Put result into form field
      main.submit();                                      // Submit main form
U of R – Client Notes
• Note that the control is "Safe" in the sense that it:
  – Will only increase AU settings
  – Is hard-coded to return only certain registry settings – its methods take no caller-supplied registry paths, so script cannot use it to read or write arbitrary registry values
    » Caveat: the fixed methods (including the one that opens the XP SP2 firewall for SAV) are still callable from any page that can instantiate the control, so the IE zone settings under which it is allowed to load decide who may invoke them
• Microsoft Visual C++ .dll installed into system32 via signed .cab file + .INF
• Instantiation:

      <object classid="clsid:9AC81071-4B2C-48DF-A245-C131DD64B7D2"
              id="oMachineCheck"
              CODEBASE="UofRMachineCheck.cab#Version=1,0,6,1">
      </object>

• See sample code for exact mechanisms and for hard-learned detection of successful instantiation
• Version 1.0.7.1 detects MS Anti-Spyware beta – we do not use this check
U of R – Server Side
• Standard Perl + Linux/Windows decode executable:

      # $urmkey and $urm arrive as form fields and are placed on a command line, so
      # accept only the hex digits the control produces (check added here, not on the
      # original slide)
      die "bad registration parameters"
          unless $urmkey =~ /^[0-9a-f]+$/ && $urm =~ /^[0-9a-f]+$/;

      # Decode the message:
      $DecodedMessage = `$LIBDIR/UofRMachineCheckDecode.exe $urmkey $urm 2>&1`;

      # Check for failure (the decoder reports it with a leading "-"):
      if ($DecodedMessage =~ /^-/) {
          $PAGE{BODY} = UofRMachineCheckHandleIssue($DecodedMessage);
          &display_cpage(\%PAGE);   # assumed to render the page and end the request
      }

      # Now convert the decoded message to a hash:
      %MachineInfo = UofRMachineCheckDecode::UofRMachineCheckDecodedToHash($DecodedMessage);

      # Now check to see if the result key in the hash indicates failure:
      if (substr($MachineInfo{"Result"}, 0, 1) eq "-") {
          $PAGE{BODY} = UofRMachineCheckHandleIssue($MachineInfo{"Result"});
          &display_cpage(\%PAGE);
      }

      # Now check the machine's compliance:
      $MachineCompliance = UofRMachineCheckCompliance(\%MachineInfo);
U of R – Machine Status Output
(Server-side log of one registration: OS guess, per-session key, encrypted status as received, and the decoded name/value pairs)

      141.166.58.95 os= mswin
      141.166.58.95 urmkey= 175a2c8fbdad1adc
      urm= e1bedf695d40d014d7bbe0587d6bcb16c086806 … .6cd436b69dd15d79b801a1230dc1a82
      141.166.58.95 dcm= SAVCEHomeDirectory C:\Program Files\Symantec AntiVirus\
                         SAVCEParent MOXY
                         SAVCEProductVersionMajor 10
                         SAVCEProductVersionMinor 0
                         SAVCEProductVersionPatch 1
                         SAVCEProductVersionBuild 1000
                         SAVCEPatternFileDate 20050913
                         AUOptions 4
                         AUState 2
                         AUScheduledInstallDay 0
                         AUScheduledInstallTime 3
                         AUDisabled 0
                         AUPolicyOptions 4
                         AUPolicyState 2
                         AUPolicyScheduledInstallDay 0
                         AUPolicyScheduledInstallTime 3
                         AUPolicyDisabled 0
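The three server-side steps above (reject a decode failure, turn the decoded text into a hash, evaluate compliance) together with the replay protection the "keyring" field is there for, as an added example in Python that is not the University of Richmond code. It evaluates the policy the deck describes: Symantec AV installed with a parent server and fresh definitions; Automatic Updates enabled, set to download and install, scheduled for 3 am, both as the user setting and by policy. Assumptions: the decoded text is one "name value" pair per line, definitions older than 7 days count as stale (the deck gives no number), and the server keeps each issued urmkey so it can be redeemed once. The sample status is constructed from the values on the slide above.

```python
"""Server-side handling of a decoded UofRMachineCheck status.

Added example, not University of Richmond code. Layout of the decoded
text, the 7-day definition age and the KeyRing bookkeeping are
assumptions; SAMPLE_STATUS is constructed from the slide's values.
"""
import secrets
from datetime import date, datetime, timedelta

SAMPLE_STATUS = """\
SAVCEHomeDirectory C:\\Program Files\\Symantec AntiVirus\\
SAVCEParent MOXY
SAVCEProductVersionMajor 10
SAVCEProductVersionMinor 0
SAVCEProductVersionPatch 1
SAVCEProductVersionBuild 1000
SAVCEPatternFileDate 20050913
AUOptions 4
AUState 2
AUScheduledInstallDay 0
AUScheduledInstallTime 3
AUDisabled 0
AUPolicyOptions 4
AUPolicyState 2
AUPolicyScheduledInstallDay 0
AUPolicyScheduledInstallTime 3
AUPolicyDisabled 0
Result 0;Compliant
"""

MAX_DEFINITION_AGE = timedelta(days=7)   # assumption; the deck gives no number


def decoded_to_dict(message):
    """Counterpart of UofRMachineCheckDecodedToHash for the assumed layout."""
    if message.startswith("-"):                        # the decoder itself failed
        raise ValueError("decode failed: " + message.strip())
    info = {}
    for line in message.splitlines():
        if line.strip():
            name, _, value = line.partition(" ")       # value may contain spaces (paths)
            info[name] = value.strip()
    if info.get("Result", "-").startswith("-"):        # control reported a failure, or no Result
        raise ValueError("client reported failure: " + info.get("Result", "<missing>"))
    return info


def compliance(info, today):
    """Counterpart of UofRMachineCheckCompliance: list of problems, empty when compliant."""
    problems = []
    if not info.get("SAVCEHomeDirectory"):
        problems.append("SAVCE not installed")
    if not info.get("SAVCEParent"):
        problems.append("SAVCE has no parent server")
    try:
        defs = datetime.strptime(info.get("SAVCEPatternFileDate", ""), "%Y%m%d").date()
        if today - defs > MAX_DEFINITION_AGE:
            problems.append(f"virus definitions dated {defs} are stale")
    except ValueError:
        problems.append("virus definition date missing or unreadable")
    for prefix in ("AU", "AUPolicy"):                  # the control sets AU both ways
        if info.get(prefix + "Disabled") != "0":
            problems.append(prefix + " disabled")
        if info.get(prefix + "Options") != "4":        # 4 = auto download and schedule install
            problems.append(prefix + " not set to download and install")
        if info.get(prefix + "ScheduledInstallTime") != "3":
            problems.append(prefix + " install not scheduled for 3 am")
    return problems


class KeyRing:
    """Per-session urmkey: issued once and redeemed once, so a captured
    urm/urmkey pair from one registration cannot be resubmitted for another."""

    def __init__(self):
        self._issued, self._used = set(), set()

    def issue(self):
        key = secrets.token_hex(8)      # 16 hex digits, the shape of the slide's urmkey
        self._issued.add(key)
        return key

    def redeem(self, key):
        if key not in self._issued or key in self._used:
            return False
        self._used.add(key)
        return True
```

A fresh key per session stops a captured urm from being replayed, but the status is still produced on the student's own machine, which is why the deck pairs it with a back-end Nessus scan and weekly scheduled AV scans rather than trusting the control's answer alone.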
U of R – Machine Status Output II
(Continuation of the same log: compliance result, MAC lookup, Nessus scan, VLAN assignment, port bounce)

      141.166.58.95 0;Compliant
      141.166.58.95 (141.166.58.95) 00123fda2192
      141.166.58.95 (141.166.58.95) NBLookup time 4
      ipaddr=141.166.58.95 hipaddr=141.166.58.95 (141.166.58.95) starting nessus scans
      141.166.58.95 (141.166.58.95) Nessus time 17
      141.166.58.95 (141.166.58.95) Nessus Scan Report
      -----------------…
      -----------------------------------------------------This file was generated by the Nessus Security Scanner
      141.166.58.95 (141.166.58.95) student
      141.166.58.95 Downing gry1a1 10037 2
      141.166.58.95 Upping gry1a1 10037 1
Spare – U of R Registration Flowchart
[Flowchart: "University of Richmond Registration - Fall 2004", v0.4, 7/15/2004. Recoverable steps, decisions and components:]
• User opens the registration page and logs in
  – Student? No: Faculty/Staff registration page
  – Yes: check machine type (use nmap; if that fails, have the user claim the OS)
• Windows? No: Patched? [via Nessus]
• Windows? Yes:
  – Create MachineCheck object; Created OK? Version OK?
  – Set Automatic Updates on by policy
  – MachineCheck object is asked for the encrypted machine status
  – Status is decrypted and verified; name/value pairs put in a Perl hash
  – SAVCE installed? Definition dates, etc. OK?
• All OK: Register computer; put MAC into Student VLAN; Exit Page
• Not OK: instruct the user how to get patched, set the browser, install AV, etc., or to see the help desk; Retry? Otherwise Failure Exit Page
• MAC into Black Hole
• Components
  – Client (Windows): UofRMachineCheck DLL
  – Server (Windows/Unix): UofRMachineCheck Decode PM, UofRMachineCheck Decode EXE, UofRMachineCheckValidateMachine.pl, TestMachineCheckServer.htm
  – Shared code: Obfuscate Encrypt/Decrypt Library (Obfuscate.cpp)
Drawbacks/Issues
• 1. Relies on MAC addresses – enough said
• 2. Relies on OS determination
  – Browser string can be changed
  – Box can be completely firewalled and not respond, or the TCP stack can be modified
• 3. Does not continually monitor for issues
  – Can scan in the back-end for people who re-install OSes, etc.
  – We can dump the students out of the database and cause a re-registration at will if we add a scan or modify a requirement
    » Best done in some rotation so as not to swamp the registration page with 3000 students at one time
• 4. Does not ensure that the machines are virus-free:
  – U of R runs one full scan weekly on every system – scheduled from the parent server
  – Virus logger report that culls and e-mails logs: http://is.richmond.edu/techsupport/security/Downloads.htm
• 5. Deletion of registry keys means that you can turn off automatic updates
  – No solutions here…
Drawbacks/Issues
• 6. U of R only checks worm holes, not for other patches
  – Could easily be modified to check for some via the registry, but this is an onerous process to keep up with (particularly with a compiled ActiveX control) and I would rather make sure they are all patched automatically
• 7. Students can uninstall anti-virus
  – No solutions here… back-end checking required
• 8. Students (Business, Continuing Studies) who cannot install University AV on work machines
  – Manual registration – also Windows 98 has to be manually registered since it cannot run SAV 10
• 9. Guests / Speakers:
  – Guest VLAN for accounts to which we will only give Internet access for a very limited time
• 10. Dial-up / VPN
  – No solutions here…
Conclusions
• These systems work seamlessly in the vast majority of cases
  – Enforce security policy at specific points in time
  – Help to identify the endpoints within protected networks
  – Provide a framework to respond to a large-scale worm incident via automatic processes
  – Yield useful statistics which can aid in network, application, and resource planning
Contacts
• Dan Veloce
  George Mason University
  [email protected]
  MUST System: http://sandbox.ssgad.gmu.edu
• Chris Faigle
  University of Richmond
  [email protected]
  U of R Machine Check: http://is.richmond.edu/techsupport/security/Downloads.htm
Questions?