To cyber thieves, endpoint devices are a tempting target. Such devices can be a treasure trove of sensitive information in their own right, but they are also the gateway to bigger targets like network servers, databases and applications. In this article, security experts Faycal Daira and Bob Foley offer even more of their best practices for endpoint protection. Last week we looked at antivirus, device control, and host-IPS and behavioral protections. This week we cover location awareness, network access control and application control.
Faycal Daira, CTO of SkyRecon Systems, and Bob Foley, president of Matrix Global Partners spend their working days helping their customers tackle the tough job of keeping millions of endpoints protected. Last week, Daira and Foley gave us their best practice tips on endpoint security using antivirus, device control, host-IPS and behavioral protections. This week, we dig a little deeper and see how you can apply location awareness, network access control, and application control to keep your endpoints -- and ultimately your network -- safe.
Best practices for application control
Cyber thieves will take advantage of the areas of your operating system that change frequently to support legitimate applications. Therefore, you must secure the windows registry to prevent the auto-load of malware:
* AutoRun keys
* Internet explorer ActiveX and module
* Injection of DLL in the system (winlogon, etc.)
* Windows services
Prevent applications from copying executables or scripts to network shares. This will prevent worms from spreading inside the corporate network.
Prevent "Print Screen" and "Copy/Paste" capabilities within sensitive applications such as financial application and health record applications.
Enforce a rule that only allows specific applications to save files on a remote server.
Best practices for location awareness
The level of security must not only be based on the user that is currently logged in, but also on the location from which he is connecting and the context of his connection. This includes the type of connection, the level of security with the connection, and so on.
In the case of a laptop, the machine should possess three different policy levels depending upon its location: inside the corporate network, outside the corporate network, or connected to the Internet through a VPN. Other connection types may be blocked, such as attempting to connect to the Internet through an unsecured Wi-Fi connection that is not going through the corporate VPN.
To be able to determine the location, you need a solution that can detect the network interfaces that are activated (this is mandatory for VPN Control); can collect the IP information for the machine (IP address, DNS, etc…); and can use the local and network Active Directory information to determine the machines type, role, groups and so forth. It is dangerous to use a simple server presence to test the machine's location because if the server goes offline the location will no longer be valid and all your workstations will be operating under a false policy as if they were not connected to the corporate network.
Here is an example of how location settings will match most companies:
* Location inside: With the LAN interface only activated, check that the workstation is authenticated with LDAP
* Location VPN: With the VPN interface activated and the right IP address from the VPN subnet.
* Location Outside: neither inside nor VPN.
With these three locations identified, the following policies can be applied:
* Policy inside: White list network interface to only allow the LAN interface. This prevents any unexpected (potentially malicious or otherwise insecure) bridge across another network interface.
* Policy VPN: Limit network incoming/outgoing connections to the minimum required. This helps with security, of course, but also helps to save on VPN bandwidth.
* Policy outside: The network connection should be available for a limited time and only for purposes of establishing a VPN connection. The scenario of a user connected through a hotspot must first be tested. Then, the user should be allowed a window of opportunity (a good amount of time is three minutes) where they can open a Web connection (http/https) in order to pay for and authenticate to the hotspot portal (such as that of their hotel). Once authenticated to the hotspot, the VPN connection can be established.
Best practices for network access control
In order to put the basic NAC capabilities in place, 802.1x is the core layer that will prevent unauthorized workstations from connecting to the corporate network. The easiest way to accomplish this for a Windows-based environment is through Microsoft Active Directory and its built-in OS supplicant that is fully operational beginning with Windows XP SP2.
With 802.1x in place, the next step is to implement a network-based NAC implementation such as Cisco's NAC, Microsoft's NAP or Juniper's UAC. This will provide the necessary mechanisms to establish a workstation with in a VLAN based on its status (clean, quarantined, guest system, etc.).
Finally, an endpoint protection technology compatible with your NAC implementation rounds out the NAC capabilities as the endpoint agent will provide the in-depth health status of the workstation in addition to helping with the quarantining, cleansing/repair, and control of the workstation.
Here are the controls required to ensure a good level of NAC-based security policy:
* Check that the workstation has all of the patches for the operating system and applications that could introduce vulnerabilities into the network environment (Microsoft Office, Adobe Acrobat and Flash, etc.)
* Check that the antivirus status and signatures are up to date and that the system has performed routine scans with the latest signatures.
* Check for the deployment/management (or lack or misconfiguration) of software installed and running (Microsoft SMS, Landesk, Altiris, etc.).
If a workstation fails on any one or all of the above checks, it should be placed in quarantine. While in quarantine, it should be limited to:
* Receiving a notification explaining the status of the workstation to the user and the administrators should be notified by e-mail.
* If 802.1x is available, the workstation should be placed within a dedicated quarantine virtual LAN.
* It should be limited to "Read-only" on USB and other removable devices (that could be used to gain access via a wireless network, for example).
* Network connections must be restricted to only allow for remediation activities, updates (items such as patches and signatures updates), and notifications (such as the e-mail gateway).
* E-mail and Web browser applications should deny access to any files being downloaded, opened or uploaded in order to prevent worm spreading but allow the employee to work with his mail.
* The endpoint protection product should provide automatic remediation, repairing and cleaning of the workstation without any administrator interaction, automatically moving the workstation from the quarantine VLAN to the production VLAN once complete.
In selecting an endpoint protection solution, the NAC health check should be fast -- less than a minute. Additionally, the endpoint protection's NAC capabilities should load immediately after the system is loaded. Finally, the endpoint protection product should provide the same NAC-level of protections for the endpoint even when the endpoint is not connected to a corporate network or VLAN.
Many thanks to Faycal Daira and Bob Foley for the advice above. Hopefully they've given you some good tips on how to protect your own environment.