9.2. Which Device Gets the Trust?

NAC vendors have responded to customer needs for endpoint security with a wide range of endpoint scanning functionality. Some solutions use agentless scans to check for known vulnerabilities, and other solutions include downloadable agents that take a more in-depth inventory of machine security. Before analyzing the advantages and tradeoffs between downloadable agents and agentless approaches, first, you need to focus on what you can look for on these machines.

9.2.1. Endpoint security applications

One of the most commonly used types of endpoint security policy is the kind that verifies the presence, operation, and up-to-date status of third-party endpoint security applications — ranging from personal firewall and antivirus applications to anti-spyware and disk encryption suites. Essentially, these types of policies ensure that endpoints connected to your network have the appropriate self-protection mechanisms in place. Not all NAC solutions are equal in their capabilities. Your NAC solution needs to do more than simply look at a registry setting or search for a file to ensure that the endpoint device has a certain antivirus package installed, for example. Your NAC solution should ensure that the endpoint device has active protection enabled.

9.2.1.1. Operating system

Operating system scans allow you to verify the operating system (OS), and potentially the service pack, of the incoming endpoint device.

This information can help you to verify which type(s) of additional endpoint security mechanisms you want to put in place. You might have a different endpoint security policy for a Windows XP SP2 device than you might have for a Windows CE or Macintosh OS device. Even within something like the Windows OS, you might have some differentiation — for example, you might have a different corporate standard personal firewall on Windows XP machines versus Windows Vista machines.

OS scans also let you ensure that a machine has the appropriate service packs in place. If Microsoft introduces a new service pack for the OS that your company uses as a corporate standard, you may have reasons to not allow machines that have older service packs (or older versions of Windows) onto the network, ranging from security concerns to incompatibility with corporate applications.


9.2.1.2. Antivirus

Scanning for antivirus applications is one of the most common types of policy implemented for endpoint scanning in NAC environments. Organizations want to ensure that machines connecting to their networks have an appropriate level of protection, and most NAC deployments require the presence of an antivirus application when it comes to verifying endpoint integrity.

NAC can't simply scan the machine to ensure that it has an antivirus application installed — scanning for particular files or registry settings, for example, doesn't necessarily guarantee that the antivirus application is actively protecting the machine itself. Also, NAC may have problems looking at processes running in memory, even if you're verifying an MD5 checksum of the process, because modern antivirus applications may have several processes running at any given time. Without an in-depth knowledge of what each process does, it can be difficult to determine which processes must be running for normal antivirus operation. During normal operation, some of these processes start and stop at different times, which makes determining whether the antivirus application is running a difficult task.


Most NAC vendors offer a solution that verifies not only that the machine has an antivirus application installed, but also that the application is running and up to date. Some of the available policies on the market include

  • Verifying installation of a particular version or vendor of antivirus solution(s)

  • Verifying that the system has real-time protection actively enabled

  • Verifying that virus signatures are fully up to date or that they've been updated at some point in the recent past, depending on your policy

  • Ensuring that the antivirus application has completed a successful full system scan in the recent past (within a number of days that you choose)

Depending on your organization's security policy, you might want to verify one or more of those attributes related to an antivirus application.

Your verification might vary, based on the user and machine in question. For instance, you might want to conduct a very specific scan when an employee comes onto the network with a company-owned and -managed machine, but when a contractor wants to access the network from an unmanaged machine, you might want to simply verify that the machine has an antivirus installed and running, instead of requiring a specific version or vendor.
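The policy differentiation just described (a strict check for a company-managed machine, a looser "any antivirus, running, reasonably current" check for a contractor's unmanaged machine) is easy to get wrong if signature age and last-scan age are handled inconsistently. The following is an added example, not code from the book or from any NAC vendor: it evaluates a constructed antivirus posture report against one of two policies and returns every failure rather than stopping at the first. The posture field names, the product names (CorpAV, OtherAV), the version numbers and the day thresholds are all assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional, Set


@dataclass
class AntivirusPosture:
    """What the endpoint scan reported about the antivirus product.
    Field names are an assumption for this example, not a vendor schema."""
    vendor: Optional[str]            # None when no antivirus product was found
    version: Optional[str]
    realtime_enabled: bool           # real-time (on-access) protection switched on
    signature_date: Optional[date]   # date of the installed signature set
    last_full_scan: Optional[date]   # date the last full system scan completed


@dataclass
class AntivirusPolicy:
    name: str
    allowed_vendors: Optional[Set[str]]  # None means any vendor is acceptable
    min_version: Optional[str]           # None means no version requirement
    max_signature_age_days: int
    max_scan_age_days: Optional[int]     # None means scan history is not checked


def version_tuple(version: str) -> tuple:
    """'12.1.3' -> (12, 1, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def evaluate_antivirus(posture, policy, today):
    """Return the list of policy failures; an empty list means compliant."""
    if posture.vendor is None:
        return ["no antivirus product detected"]   # nothing else is worth checking
    failures = []
    if policy.allowed_vendors is not None and posture.vendor not in policy.allowed_vendors:
        failures.append(f"vendor {posture.vendor} is not an approved product")
    if policy.min_version is not None and (
        posture.version is None
        or version_tuple(posture.version) < version_tuple(policy.min_version)
    ):
        failures.append(f"version {posture.version} is below {policy.min_version}")
    if not posture.realtime_enabled:
        failures.append("real-time protection is disabled")
    if posture.signature_date is None or (today - posture.signature_date).days > policy.max_signature_age_days:
        failures.append(f"signatures older than {policy.max_signature_age_days} days")
    if policy.max_scan_age_days is not None and (
        posture.last_full_scan is None
        or (today - posture.last_full_scan).days > policy.max_scan_age_days
    ):
        failures.append(f"no full scan within {policy.max_scan_age_days} days")
    return failures


# Two policies for the two cases in the text. Product names and thresholds are constructed.
MANAGED_POLICY = AntivirusPolicy("managed-corporate", {"CorpAV"}, "12.0", 3, 7)
UNMANAGED_POLICY = AntivirusPolicy("contractor-unmanaged", None, None, 14, None)


def choose_policy(is_managed: bool) -> AntivirusPolicy:
    return MANAGED_POLICY if is_managed else UNMANAGED_POLICY


# Constructed sample reports and a fixed evaluation date so results are reproducible.
TODAY = date(2008, 6, 2)
SAMPLES = {
    "employee-managed": (True, AntivirusPosture("CorpAV", "12.1", True, date(2008, 6, 1), date(2008, 5, 30))),
    "employee-stale":   (True, AntivirusPosture("CorpAV", "11.5", True, date(2008, 5, 20), None)),
    "contractor-other": (False, AntivirusPosture("OtherAV", "3.0", True, date(2008, 5, 25), None)),
    "contractor-off":   (False, AntivirusPosture("OtherAV", "3.0", False, date(2008, 5, 25), None)),
}


def run_samples():
    """Evaluate every sample against the policy its machine class selects."""
    return {
        name: evaluate_antivirus(posture, choose_policy(managed), TODAY)
        for name, (managed, posture) in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, failures in run_samples().items():
        print(name, "COMPLIANT" if not failures else failures)
```

Two design points worth noting: versions are compared as tuples of integers (so 12.10 is newer than 12.9, which a string comparison gets wrong), and a missing signature date or scan date is treated as a failure rather than as "unknown, so pass", since an endpoint that cannot report the date is exactly the one you want remediated.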


9.2.1.3. Personal firewall

Organizations deploying NAC commonly check to ensure that a personal firewall is installed and enabled as an endpoint security measure. This scan ensures that the endpoint device has active protection enabled.

Make sure that you verify the personal firewall is actually running, not just that it's installed.


9.2.1.4. Disk encryption

With the number of highly visible data-loss incidents in the news, disk encryption is becoming more popular by the day. These scans allow you to ensure that the sensitive data on a mobile device's hard disk is secured and encrypted.

9.2.1.5. Backup software

Scanning for appropriate backup software isn't necessarily a security mechanism, but it can help you verify, for example, that the corporate data on a laptop is properly backed up in case the laptop is stolen, lost, or damaged.

9.2.1.6. Anti-spyware

NAC anti-spyware policies ensure that the machine has an anti-spyware application running and actively protecting the system, not merely installed.

9.2.1.7. Peer-to-peer applications

Many organizations fear peer-to-peer applications because they can inadvertently download viruses or malware, and because the access could potentially allow an intruder to get into a machine. NAC products are increasingly beginning to scan for these types of applications so that you can verify their presence and, if necessary, shut them down before allowing the user to have full access onto the network.

You can most likely find a much more comprehensive list of policies for the Windows operating systems than you can for any non-Windows OS — including Macintosh, Linux distributions, and mobile platforms. Windows is the most heavily targeted OS and has the most known vulnerabilities. So, you find the largest selection of endpoint protection suites for Windows OSs. While other platforms gain or lose market share, you'll see an expansion or contraction in terms of the number of offerings for these devices. For example, the number of antivirus and personal firewall applications for Windows Mobile and Macintosh machines has increased significantly in recent years, mostly as a result of increased popularity of these systems, which leads to an increased likelihood that hackers will target these machines.


Figure 9-2 depicts a typical policy grid that you might enable on a group of devices in your network — managed devices, for example.

Figure 9.2. A typical policy flow chart grid that you might create on a whiteboard

9.2.2. Operating system and application patches

In today's world, new application and operating system vulnerabilities are discovered on a daily, even hourly, basis. Hackers are increasingly motivated by profit, rather than by fun and glory, so exploitation of these vulnerabilities happens alarmingly fast. As a result, you absolutely must appropriately patch operating systems, middleware, applications, and so on as often as possible.

Virtualization and data center management technologies allow the administrator to easily take machines offline, patch them, and then bring them back online with minimal user disruption.

Outside the data center, however, it's an entirely different ball game because of all the different types of devices on the average corporate network. These devices are often mobile in nature, coming into the corporate network at different times throughout the day. More frighteningly, the devices also connect to other, potentially insecure, networks. These devices might hold intellectual property, customer information, or sensitive financial data, so you need to both

  • Scan these machines when they come onto the network (to protect the network and network assets)

  • Ensure, at least on a periodic basis, that NAC can patch the device to protect against known exploits, thereby protecting the data on that machine.

To help solve this problem, many NAC solutions offer a mechanism that checks the endpoint machine for required patches prior to allowing it on the network. Because available patches change on a continual basis, NAC servers implementing this type of scan typically include some sort of update mechanism that allows them to stay up to date and dynamically enforce policies that scan for new patches.

For example, Microsoft sticks to a monthly release schedule for their new patches on what they call Patch Tuesday. After Microsoft releases these new patches, most NAC vendors publish new patch scans as soon as possible. The NAC vendor dynamically updates the NAC server, and then NAC enforces those new policies for new sessions or for policy re-evaluations.

But what to scan for? A fully loaded system might have dozens, or even hundreds, of applications available to the user. Do you need to ensure that every single application is fully patched and up to date?

  • Most patches are classified by severity, so you probably don't have to scan every single one.

  • When these patches are released, you might determine that the potential impact of some high-severity vulnerabilities is higher than others, so you want to make sure that all devices have these corresponding patches installed.

    For example, in the retail marketplace, your customer relationship management (CRM) software might have a critical vulnerability that the vendor recently patched. You want to ensure that endpoint systems have this patch installed, but you don't really need to worry about whether your endpoint machines patched iTunes correctly.

If you go overboard with patch scanning, you might end up causing a bad end-user experience. Scanning for hundreds of patches on dozens of applications might take a long time to complete on an endpoint machine. During that time, the end user has to wait to get onto the network and do his or her job. Use caution — or, at the very least, assess performance implications — when you decide whether to implement scans for a large number of patches.
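To make the severity-based trimming concrete, the following is an added example (not code from the book or any NAC product) of how a NAC server might reduce a vendor patch catalog to the checks a policy actually needs, and then report what a given endpoint is missing. The catalog, the product names and the patch identifiers (EXAMPLE-...) are constructed placeholders, not real bulletins; the policy shape, with a severity floor plus a list of business-critical products and a list of ignored products, is this example's design, following the CRM-versus-iTunes reasoning in the text.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Set

# Higher number = more severe. The ratings are the common vendor vocabulary; the
# thresholds below are this example's choices, not any NAC product's defaults.
SEVERITY_RANK = {"low": 0, "moderate": 1, "important": 2, "critical": 3}


@dataclass(frozen=True)
class Patch:
    patch_id: str
    product: str
    severity: str


# Constructed patch catalog, standing in for the feed a NAC vendor publishes after a
# patch release. Identifiers are placeholders, not real bulletin numbers.
CATALOG = [
    Patch("EXAMPLE-OS-001", "Windows", "critical"),
    Patch("EXAMPLE-OS-002", "Windows", "moderate"),
    Patch("EXAMPLE-CRM-001", "CRM client", "critical"),
    Patch("EXAMPLE-CRM-002", "CRM client", "low"),
    Patch("EXAMPLE-MEDIA-001", "Media player", "critical"),
    Patch("EXAMPLE-MEDIA-002", "Media player", "important"),
]


@dataclass
class PatchPolicy:
    min_severity: str                                          # scan for every patch at or above this rating...
    critical_products: Set[str] = field(default_factory=set)   # ...plus every patch for these products
    ignored_products: Set[str] = field(default_factory=set)    # never scan for these products


@dataclass
class EndpointReport:
    installed_products: Set[str]   # software actually present on the machine
    installed_patches: Set[str]    # patch identifiers the machine reports as applied


def select_required_patches(catalog, policy):
    """Trim the full catalog down to the checks this policy actually needs."""
    threshold = SEVERITY_RANK[policy.min_severity]
    required = [
        p for p in catalog
        if p.product not in policy.ignored_products
        and (p.product in policy.critical_products or SEVERITY_RANK[p.severity] >= threshold)
    ]
    # Most severe first, so remediation and reporting lead with what matters.
    return sorted(required, key=lambda p: SEVERITY_RANK[p.severity], reverse=True)


def missing_patches(required, report):
    """Patches the endpoint lacks, skipping products it does not even have installed:
    a machine without the CRM client cannot be 'missing' a CRM patch."""
    return [
        p for p in required
        if p.product in report.installed_products and p.patch_id not in report.installed_patches
    ]


def check_count(catalog, policy):
    """How many checks the logon-time scan will run under this policy, which is the
    number that drives the end-user wait the text warns about."""
    return len(select_required_patches(catalog, policy))


if __name__ == "__main__":
    policy = PatchPolicy("critical", critical_products={"CRM client"}, ignored_products={"Media player"})
    required = select_required_patches(CATALOG, policy)
    print("checks: everything =", check_count(CATALOG, PatchPolicy("low")), "/ policy =", len(required))
    endpoint = EndpointReport({"Windows", "CRM client", "Media player"}, {"EXAMPLE-OS-001"})
    print("missing:", [p.patch_id for p in missing_patches(required, endpoint)])
```

The product-presence test in `missing_patches` is the part most often skipped in home-grown policies; without it, every machine that never had the CRM client installed fails the CRM check and gets quarantined for nothing.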


9.2.3. Machine identity: Who's on first?

Most organizations trust the machines that they own and manage more than foreign devices when it comes to accessing networks. Your organization can control the patch levels, software distribution, and (to some extent) who uses a managed device. As a result, you probably feel more comfortable providing access to sensitive corporate data from these machines.

If you find yourself in this boat, you might be looking for a programmatic way to identify your own machines versus others. You can make this identification easily enough when you can look at the PC and see your corporate asset tracking bar code or other physical identification, but your NAC solution may have problems differentiating between two seemingly identical Windows XP SP2 machines that have nearly the same installed software — only one of which is a corporate-managed laptop.

Over the years, we've seen customers use many different methods to accomplish this identification step, some of which are more secure than others. Because of the native, custom endpoint security scans that many NAC solutions provide, people have come up with these unsecured and easily bypassed tricks:

  • Registry setting identification: Some administrators hide information in the Windows registry to identify corporate assets. This information creates a method of security by obscurity — although end users can easily spoof this secret registry setting, the administrators assume that no one will likely come across this secret and identify it.

  • Secret files: Similar to the registry setting, this scheme relies on security by obscurity, but instead of hiding information in the registry, the administrator hides a file somewhere in the file system where no one will likely find and delete it. The administrator then uses a custom scan to find this file and identify the machine.

  • MAC address: This technique involves storing the MAC address(es) of a user's machine in the corporate directory or somewhere accessible by the NAC solution. When the user logs in, the NAC solution extracts the MAC address of the endpoint machine and compares that address to the one stored in the directory. If the addresses match, NAC considers the machine managed.

This approach raises two primary concerns:

  • Users can easily copy or spoof MAC addresses (ask anyone who's cloned their machine's MAC address onto their home router to fool their ISP into thinking that they have only one system on their network).

  • Most modern machines have multiple adapters, and therefore, multiple MAC addresses — so make sure that you have all these addresses categorized and available, if necessary.

    A machine that comes onto the network via a wired switch port has a different MAC address than that same machine connecting via your 802.11 wireless network.
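The multiple-adapter problem above is an operational one as much as a security one: the directory has to hold every adapter's address, and the addresses arrive in different textual forms (Windows prints dashes, Linux and most switches print colons, Cisco gear prints dotted groups). The following is an added example, not code from the book or any NAC product, of the lookup side of a MAC-based identification scheme with a constructed asset directory; it shows a registered wired adapter matching while the same laptop's unregistered wireless adapter is classified as unknown. A successful match here proves only that the address is in the directory, which is exactly the limitation the text describes.

```python
import re

# Constructed asset directory: asset tag -> every network adapter registered for it.
# The second laptop's wireless adapter was never recorded, the gap the text warns about.
ASSET_DIRECTORY = {
    "LAPTOP-0001": {"wired": "00-11-22-AA-BB-01", "wireless": "00-11-22-AA-BB-02"},
    "LAPTOP-0002": {"wired": "00-11-22-AA-BB-03"},
}


def normalize_mac(raw: str) -> str:
    """Accept 00:11:22:aa:bb:cc, 00-11-22-AA-BB-CC, 0011.22aa.bbcc or 001122aabbcc
    (Linux, Windows, Cisco and bare forms) and return the lowercase colon form."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    hexdigits = hexdigits.lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def build_mac_index(directory):
    """Invert the directory into one lookup table keyed by normalized MAC, and
    refuse to build it if one address is claimed by two assets."""
    index = {}
    for asset, adapters in directory.items():
        for kind, mac in adapters.items():
            key = normalize_mac(mac)
            if key in index:
                raise ValueError(f"{mac} registered to both {index[key][0]} and {asset}")
            index[key] = (asset, kind)
    return index


def classify_endpoint(observed_mac, index):
    """Return (asset_tag, adapter_kind) for a registered adapter, or None when the
    address is unknown or malformed and the device must be treated as unmanaged."""
    try:
        return index.get(normalize_mac(observed_mac))
    except ValueError:
        return None


if __name__ == "__main__":
    index = build_mac_index(ASSET_DIRECTORY)
    for seen in ("0011.22AA.BB01", "00:11:22:aa:bb:02", "00:11:22:aa:bb:04"):
        print(seen, "->", classify_endpoint(seen, index))
```

Normalizing before the comparison matters because an address stored as `00-11-22-AA-BB-01` and observed as `00:11:22:aa:bb:01` is the same adapter, and a scheme that compares raw strings will quietly classify every corporate laptop as foreign.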


9.2.4. Get your certificate

To move beyond these less secure options, many companies have begun using a more secure method of device identification — machine (or computer) certificates. If you're looking for a secure way to identify corporate assets, machine certificates might be your best bet.

Machine certificates are standard X.509 digital certificates, similar to what you might find on a Web server or for user identification (such as in a smart card or USB drive). The key distinction between machine certificates and user certificates, however, is that machine certificates are stored in the computer or machine on the endpoint device, and NAC uses them to identify the machine, not the user. So, for example, a Web browser doesn't present these certificates to the user as identification. NAC must have another mechanism in place to extract and validate the certificate.

Machine certificates use public key infrastructure (PKI), which is designed to protect against spoofing, man-in-the-middle attacks, and other security concerns associated with authenticating a previously unknown third party. But many IT administrators don't feel comfortable with some of the PKI concepts and think that rolling out certificates can be difficult or costly. Vendors have made huge advances in certificate management tools so organizations can easily create, distribute, and manage certificates.


9.2.5. Known vulnerabilities

In many cases, you may not be able to have any type of software presence on a particular machine or device on the network:

  • Some machines, such as printers, can't have software added.

  • Other machines might be outside of your organization's management control and completely locked down, making it impossible for you to install even simple Java or ActiveX dissolvable host-based scanning agents.

For these reasons, some NAC vendors allow remote vulnerability scanning — with no endpoint presence whatsoever. You can use two primary methods for remote vulnerability scanning:

  • Some methods actually look at the PC itself — for example, scanning the Windows registry to determine which patches the device has installed.

  • Other methods use tools such as Nessus and Nmap, which take a more active approach by attempting various exploits against the endpoint device to determine how well it's patched.

Active scanning technologies may cause issues with different types of devices on corporate networks — particularly unmanaged devices, such as badge readers and HVAC systems. Take care when you plan a deployment that involves active scanning to ensure that you aren't inadvertently crashing sensitive network resources as a result of a scan.


Trusted Platform Module and the lying endpoint problem

Any security technology has strong solutions, and then even stronger solutions. Although machine certificates are much more secure than some other possibilities, some security professionals still question whether the machine certificate really is secure. The lying endpoint problem goes beyond just verifying machine certificates because a compromised machine might also, for example, state that it's healthy when it really isn't.

Luckily, most modern laptop and desktop computers are equipped with a special cryptographic processor known as the Trusted Platform Module (TPM). You can use TPMs, which the Trusted Computing Group (www.trustedcomputinggroup.org) devised and made popular, for many functions — ranging from disk encryption to machine authentication to machine integrity verification. Because the TPM is hardware-based, it doesn't have the same vulnerabilities that might cause harm to an operating system or the applications running on that OS.

You can find a wealth of information on the Trusted Platform Module specification, systems containing TPM chips, and implementation of TPM for a wide range of secure operations online by doing a simple search on Google (www.google.com) or Wikipedia (www.wikipedia.org).


9.2.6. Custom policies

You might find yourself wanting to scan endpoint devices for certain applications, patches, or other types of information that the predefined list of applications provided by your vendor doesn't include. For example, instead of scanning for a known personal firewall, your organization might have implemented its own endpoint security application. Or you may want to scan for some endpoint security application that's available from an outside vendor, but for which your vendor hasn't yet provided a predefined policy. You don't have to stick with predefined parameters.

Many NAC vendors offer you the ability to create your own custom endpoint integrity policies, which allow you to scan for such attributes on a system as

  • Presence or absence of certain files on the file system

  • Whether a particular process is running on the endpoint

  • The MD5 checksum of that process

  • Particular registry settings

Taken in conjunction, these scans can provide you with

  • A picture of whether a particular application is running on the system

  • Customized information that you might find applicable to access control for your organization, as set forth in the corporate security policy
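The four custom-scan attributes listed above combine naturally into one rule set, and the combination is where the value lies: a process that is running but whose executable no longer matches the approved MD5 checksum is a different finding from a process that is simply absent. The following is an added example, not code from the book or from any NAC vendor's policy engine. File presence and the MD5 checksum are checked against the real file system (the example creates a temporary stand-in for an agent executable); the running-process list and the registry values are modelled as a constructed snapshot, because on a real Windows endpoint those would come from the OS. The agent name, the registry key path and the policy shape are all assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def md5_of_file(path: str) -> str:
    """MD5 of a file read in chunks, so large executables do not land in memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


@dataclass
class EndpointSnapshot:
    """What the custom scan collected. On a Windows endpoint the process list and
    registry values would come from the OS; here they are constructed (assumption)
    so the example runs anywhere."""
    running_processes: Dict[str, str]   # process name -> path of its executable image
    registry: Dict[str, object]         # "HIVE\\Key\\Value" -> data


@dataclass
class CustomPolicy:
    required_files: List[str] = field(default_factory=list)
    forbidden_files: List[str] = field(default_factory=list)
    required_process: Optional[str] = None
    expected_process_md5: Optional[str] = None   # checksum of the approved image
    required_registry: Dict[str, object] = field(default_factory=dict)


def evaluate_custom_policy(policy, snap):
    """Return the list of failures; an empty list means the endpoint passes."""
    failures = []
    for path in policy.required_files:
        if not os.path.isfile(path):
            failures.append(f"required file missing: {path}")
    for path in policy.forbidden_files:
        if os.path.exists(path):
            failures.append(f"forbidden file present: {path}")
    if policy.required_process is not None:
        image = snap.running_processes.get(policy.required_process)
        if image is None:
            failures.append(f"process not running: {policy.required_process}")
        elif policy.expected_process_md5 is not None and md5_of_file(image) != policy.expected_process_md5:
            # The process is running, but its binary is not the one the policy approved.
            failures.append(f"process image checksum mismatch for {policy.required_process}")
    for key, expected in policy.required_registry.items():
        if snap.registry.get(key) != expected:
            failures.append(f"registry value {key} is not {expected!r}")
    return failures


def demo():
    """Create a stand-in agent executable, approve its checksum, evaluate, then alter
    the file and evaluate again. Returns (failures_before, failures_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        agent = os.path.join(tmp, "corpagent.exe")   # constructed path, not a real product
        with open(agent, "wb") as handle:
            handle.write(b"constructed agent image v1")
        key = "HKLM\\SOFTWARE\\ExampleCorp\\Agent\\Enabled"   # placeholder registry value
        policy = CustomPolicy(
            required_files=[agent],
            forbidden_files=[os.path.join(tmp, "p2pclient.exe")],
            required_process="corpagent.exe",
            expected_process_md5=md5_of_file(agent),
            required_registry={key: 1},
        )
        snap = EndpointSnapshot({"corpagent.exe": agent}, {key: 1})
        before = evaluate_custom_policy(policy, snap)
        with open(agent, "ab") as handle:      # simulate a modified or replaced binary
            handle.write(b" tampered")
        after = evaluate_custom_policy(policy, snap)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("original image:", before or "compliant")
    print("altered image: ", after)
```

The checksum is taken over the executable image on disk rather than over the process in memory, which is the practical form of the "MD5 checksum of that process" attribute; as the antivirus discussion earlier in this chapter notes, the checksum only tells you the binary is the one you expect, not that the application is doing its job.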

9.2.7. Third-party verification

Some NAC systems, by using either open standards or proprietary application programming interfaces (APIs), can provide an extensible mechanism that can scan for additional types of endpoint security software that the native scans provided by the NAC vendor don't cover.

For example, your patch remediation system might have a client-side component that NAC needs to determine its operating system. Through these APIs, even if the NAC product doesn't have the ability to query the patch remediation client natively, NAC can still scan the client and use the results in the access control decision. In Chapter 13, we delve into NAC standards.
