Mitigation for Common Threats in Higher Education Network Environment using Microsoft NAP
Windows Vista Security
End-of-Class Problem: Executive Presentation
Business issues
Security Assessment
Engineering Assessment
Operations Assessment
Conclusion
Team members
Barry Randall – U. Iowa
Tom Neese – U. Iowa
Aaron Howard – U. Iowa
Addam Schroll – Purdue
MSFT: Barbara Chung
Thousands of unmanaged machines
High infection rate
Continuing threat to resources and services
Lost time, services, reputation, resources
Distributed organization
Transient customers make security a challenge
Isolate and remediate hosts at connection time to address these threats
Need to define the “Network Edge” with Policy, not Topology
Connection-time flow (diagram):
Typical Student PC (unmanaged) → Examine Host → Healthy?
YES → University Network → Ongoing Compliance
NO → Network Restriction (Isolate) → Remediate
Policy Validation (update continually)
Team members
Aaron Howard
Addam Schroll
Worms, Bots, DoS, Zero-Day, Remote Access Users, Guests
These threats occur continually, with varying severity
Increased support, ID theft, confidential data
Serious ongoing threats that continue to consume time and jeopardize network reliability and security
Not all threats can be measured with $$
Worms, Bots, Remote Access Users, Guests
NAP offers network access as an incentive to voluntarily comply with University Policy
Remediation servers allow clients to help themselves to required software or patches
Client must meet current Policy requirements before joining the network
Resulting in lower risk of widespread infection
Zero Day Virus
By updating the System Health Policy, only servers with the latest definitions are allowed network access.
NAP does not protect against malicious users or compromised machines
Can a compromised machine trick the NAP agent by posing as healthy?
NAP will protect Vista and XP SP2; other devices will be allowed as exceptions
Exception management is a potential loophole for infected machines
Develop risk management strategy: Avoid, Transfer, Mitigate, Accept
Improve host management with user education
Improved threat and vulnerability monitoring
Identify & communicate threats to campus
NAP is a compliance tool, not a security tool
Improve Network Security
Firewalls, IDS, IPS, Application inspection, deviation analysis
Team Members
Barry Randall
Tom Neese
Network Access dependent on AD and NAP
Create policy to define network edge
Change of Mindset – expect resistance
Evaluate enforcement methods & exemption methods
Enforcement methods: DHCP, DNS, 802.1x, IPSEC, Radius
Exemptions: UNIX, PDA, Game Box, Mac OSX, lab equipment
Create procedure to manage exceptions
Create System Health Policy
May involve using the SHV API
Can SHA perform all required checks?
Infrastructure Requirements
AD, DHCP, IPSEC and 802.1X
Client OS level – Vista or XP with SP2
Agent (SHA) running on client
Unmanaged student PCs: Windows Vista or XP SP2
Vendor or Guests
User Education
Help Desk Needs
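The connection-time flow from the diagram (examine host, admit or isolate and remediate) together with the exception handling for non-NAP-capable devices, modelled as an added example; this is illustration code written for this page, not Microsoft's NAP implementation. The policy fields, the "exceptions" register keyed by device id with an expiry date, and all sample values are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date

# Client platforms the slides name as NAP-capable (an SHA is available).
NAP_CAPABLE = {"Windows Vista", "Windows XP SP2"}

@dataclass(frozen=True)
class HealthPolicy:          # the System Health Policy (fields are assumed)
    firewall_required: bool
    max_av_signature_age_days: int
    required_patches: frozenset

@dataclass(frozen=True)
class StatementOfHealth:     # what the client-side SHA reports (assumed fields)
    firewall_on: bool
    av_signature_date: date
    installed_patches: frozenset

def validate(soh, policy, today):
    """SHV step: list every policy failure; an empty list means 'healthy'."""
    failures = []
    if policy.firewall_required and not soh.firewall_on:
        failures.append("firewall disabled")
    if (today - soh.av_signature_date).days > policy.max_av_signature_age_days:
        failures.append("antivirus definitions out of date")
    for patch in sorted(policy.required_patches - soh.installed_patches):
        failures.append(f"missing patch {patch}")
    return failures

def decide_access(device_id, device_os, soh, policy, exceptions, today):
    """Enforcement step from the slides' flow: examine the host, then admit,
    isolate for remediation, or fall back to the exception register.
    Returns (decision, reasons) where decision is one of
    'full', 'restricted', 'exception', 'denied'."""
    if device_os not in NAP_CAPABLE or soh is None:
        # No SHA on this device: only a registered, unexpired exception admits
        # it, which is why the slides call exception management a loophole.
        expires = exceptions.get(device_id)
        if expires is not None and expires >= today:
            return "exception", [f"{device_os} exempt until {expires}"]
        return "denied", ["no statement of health and no valid exception"]
    failures = validate(soh, policy, today)
    if failures:
        # Isolate: restricted network where only remediation servers are reachable.
        return "restricted", failures
    return "full", []
```

The reasons list returned for a restricted host is what the remediation step and the help desk would show the user.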
Build Network Infrastructure for NAP – 1 to 2 years
Implement 802.1X
Restricted Network
Create Network Edge Policy – 6 months
Build NAP Infrastructure – 3 to 6 months
Network Policy Server
Health Certificate Server
DHCP Server
Create Initial System Health Policy – 3 months
Evaluate Exceptions – 3 to 6 months
Train Help Desk – 1 month
Shift to define network edge with policy
Exceptions
Will others adopt the SHA API?
Require custom code to manage
How to install SHA on Windows XP SP2
Third party tool support
Resources required to implement NAP
Team Members
Tom Neese
Barry Randall
Staff to Develop and Maintain System Health Policy
Help Desk staff time to help users navigate remediation process
User education on System Health Check
Support for 24/7 network access needs
How to manage exceptions
Justify resources for a partial solution
Continual maintenance of policies
Additional layer to troubleshoot
Buy-in from others on redefinition of Network Edge
Enforcement Strategy
Network Edge is continually changing
Need Policy (NAP) to protect University Network
NAP is built-in to Vista & Longhorn (low $$)
Infrastructure costs could be high
Lowers risk of wide-spread network infection
Not a silver bullet, but another layer of security
Evaluate risk from unmanaged PCs
Separate by exceptions
Cost to manage exceptions
Recommendations
Assess and upgrade network infrastructure
Analyze Risks vs. Cost to deploy NAP
Watch for NAP support in other Operating Systems