Improving Security Through Automated Policy Compliance

Christopher Stevens
Director of Network and Technical Services
Lewis & Clark College

Educause Live! November 12, 2004

Campus Statistics

• 3260 Students
  1875 Undergraduate, 750 Law and 635 Graduate

• 2300 Active Student Computers
  80% PC, 20% Mac

Network Registration and Policy Enforcement at LC

• Fall 2002 – Web-based registration (Nomadix).
  Wireless and Public Wired areas only.

• Fall 2003 – Blaster hits the residence halls
  Like many campuses, we had hundreds of infected machines, and locating and patching them took hours of staff time. We needed a better solution.

• Fall 2004 – Perfigo gateway with “SmartEnforcer”.

Implementing Policy Enforcement

• Commercial vs. Open Source
  Small staff made supporting open source products more challenging. We also needed to implement a solution in a short amount of time.

• Products
  NetReg (Southwestern) – Open source network registration.
  BlueSocket – Gateway only (although they now offer BlueSecure as an IDS add-on product).
  Nomadix – Gateway only. Geared toward the hospitality market.
  Bradford Software (Campus Manager) – Users are moved into VLANs until they have registered. Also has a plug-in to Packetshaper that gives it some passive monitoring ability.
  Perfigo – Gateway with optional agent.

Implementing Policy Enforcement (Continued)

• Policy Detection – Active, Passive or Agent
  Active – Determine policy compliance externally.
  Passive – Determine policy compliance by monitoring network traffic.
  Agent – Client installed on workstation.

We originally wanted active detection, but host-based firewalls made products such as Nessus less reliable. We ultimately decided that a local agent would provide the greatest ability to determine compliance. We are also looking to supplement the installed agent with passive monitoring (via ISS RealSecure).

Implementing Policy Enforcement (Continued)

• Isolation/Segregation
  Once a computer has been found to be out of compliance, we assign that user a Temporary Role. However, there may be better ways to contain these users (e.g. segmenting with “/30” IP subnets, moving VLAN ports, etc.).

• Detection Interval
  Currently we can only verify compliance when a user logs into the network (which could be once a semester). Ideally we would like to check on a daily or weekly basis.

• Remediation
  We wanted users to be as self-sufficient as possible, so we provide step-by-step instructions for each failed policy.
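The “/30” containment idea under Isolation/Segregation above, sketched as an added example (not code from the presentation or from any product it names): each non-compliant host gets its own /30, whose two usable addresses are the gateway and the host itself. The class name, the 10.99.0.0/28 pool and the MAC addresses are constructed for illustration.

```python
import ipaddress

class QuarantinePool:
    """Hands each non-compliant host its own /30 from a quarantine block."""

    def __init__(self, block):
        self.block = ipaddress.ip_network(block)
        if self.block.version != 4 or self.block.prefixlen > 30:
            raise ValueError("need an IPv4 block of /30 or larger")
        self._free = list(self.block.subnets(new_prefix=30))
        self._leases = {}  # MAC address -> assigned /30 network

    def isolate(self, mac):
        """Return (gateway_ip, host_ip, netmask) for a non-compliant host."""
        mac = mac.lower()
        if mac not in self._leases:
            if not self._free:
                raise RuntimeError("quarantine pool exhausted")
            self._leases[mac] = self._free.pop(0)
        net = self._leases[mac]
        gateway, host = net.hosts()  # a /30 has exactly two usable addresses
        return str(gateway), str(host), str(net.netmask)

    def release(self, mac):
        """Host passed its policy checks: return its /30 to the pool."""
        net = self._leases.pop(mac.lower(), None)
        if net is not None:
            self._free.append(net)
        return net is not None

    def same_subnet(self, mac_a, mac_b):
        """True only if two quarantined hosts share a subnet."""
        return self._leases[mac_a.lower()] == self._leases[mac_b.lower()]

if __name__ == "__main__":
    pool = QuarantinePool("10.99.0.0/28")        # constructed pool: four /30s
    print(pool.isolate("AA:BB:CC:00:00:01"))     # constructed MAC addresses
    print(pool.isolate("AA:BB:CC:00:00:02"))
    print(pool.same_subnet("AA:BB:CC:00:00:01", "AA:BB:CC:00:00:02"))
```

Addressing alone does not stop layer-2 traffic between hosts on a shared VLAN, so the gateway or switch still has to enforce the separation.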

Sample PC Walkthrough

Screenshots from slides 8 to 18 (images not reproduced):

• Web Registration Login Page
• SmartEnforcer Web Download Page
• SmartEnforcer Client Login
• SmartEnforcer Policy Evaluation
• SmartEnforcer Failed Policy
• SmartEnforcer Windows Update Policy
• SmartEnforcer Windows Update Webpage
• SmartEnforcer Antivirus Policy
• SmartEnforcer Antivirus Webpage
• SmartEnforcer Antivirus Updates Webpage
• SmartEnforcer Success

How is it working?

• No worms or viruses on the student network (yet)
  Knock on wood – we have not had any outbreaks since we started.

• Reduced End User Support
  85% of our users were able to install the client and other software updates on their own. We also reduced our time in the residence halls from 4 weeks to 1 week.
  However, we ended up touching the remaining 15% (~300 computers). Most were problems related to spyware interfering with Windows updates.

• Surprisingly Few Complaints
  Most undergraduate students don’t mind having the software installed. We get more complaints from graduate and law students.

Future

• “RemoteEnforcer”
  Instead of students coming to campus and trying to download all the Windows updates and virus definitions at once, they can check from home whether they meet all the policy requirements.

• Real Time Policy Enforcement
  Currently, we can only check whether a user has the necessary updates when they log in. However, there is a new PC client that will check policies on a schedule that we can set.

• Integration with Cisco
  With the purchase of Perfigo in October, Cisco will integrate the SmartEnforcer client with their “Self-Defending Network” suite.

Questions?

Please contact me at [email protected]

Additional information can also be found at: http://www.lclark.edu/~infotech/NETWORK/sefaq.html