Two Approaches to Large Scale Computer Security Validation and Registration
VASCAN
October 2005
Dan Veloce, George Mason University, [email protected]
Chris Faigle, University of Richmond, [email protected]
What is the problem?
• It is difficult to secure computers that are not under direct management
• Many large organizations, especially Universities, provide network connectivity for large numbers of computers which are unmanaged and, in many cases, owned by other entities
• In this kind of environment, it can be helpful to devise a system that allows such computers to connect to the network after verifying that they conform to a pre-defined security policy
Some Possible Solutions
• Install a manageable client on each computer and continually monitor for policy compliance
• Verify policy compliance only at scheduled times (e.g. back to school, midyear) or in the event of a major security issue
• We will look at two systems which follow the second approach:
– The MUST system from George Mason University
– The University of Richmond's online registration system
George Mason University
MUST
MUST Components
• Network Quarantine
• Authentication
• Client Inspection & Remediation
• Registration
• Reporting
Quarantine is Essential!
• Large influx of new computer systems into Residence Hall networks at beginning of each semester
• Very dynamic environment
• System administration deficiencies are prevalent!
– In many cases:
» Little or no OS patching
» Antivirus software absent or virus definitions outdated
» Infected computers
Network Quarantine
[Diagram: Traditional IP Subnet vs. Point-to-point IP Quarantine (MUST Architecture). Clients connect through an Access Switch to a Router/Security Gateway.]
– Traditional IP subnet: clients share one network, e.g. IP Address 129.174.68.10 and 129.174.68.11, Subnet Mask 255.255.255.0, Gateway 129.174.68.1
– Point-to-point IP quarantine: each client sits on its own /30, e.g. IP Address 42.93.232.46, Subnet Mask 255.255.255.252, Gateway 42.93.232.45; IP Address 42.129.86.82, Subnet Mask 255.255.255.252, Gateway 42.129.86.81
Authentication
• User based authentication
– Verify the user's identity via GMU LDAP
• Computer identification
– Identify a computer via records kept within an SQL database
• RADIUS allows us to accomplish both goals in one step
Authentication
[Diagram: Client Computer ↔ NAS ↔ RADIUS ↔ University LDAP and SQL Database. Numbered messages shown: SSL/Web Authentication (Username, Password) from the Client Computer; Access-Request (Username, Password, Calling-Station-ID) from the NAS to RADIUS; LDAP Authentication (Username, Password) against the University LDAP; SQL Select (Calling-Station-ID) against the SQL Database, which returns the Rights Attribute; Access-Accept (Rights) back to the NAS.]
Client Classification
• Unknown computers are placed into the "Unknown" class and redirected to an ASP.NET web page which redirects computers based on operating system ID
– Windows ME and newer Windows OS
» MUST Update site
  - General computing security information
  - Disclaimers and SAV license agreement
  - MUST Update Tool specs and download
– All other OS
» Alternate web page
  - General computing security information
  - AV software downloads for supported platforms
  - Registration link
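The two slides above describe one RADIUS decision that combines a user check (LDAP) with a computer check (SQL select on the Calling-Station-ID) and drops anything unregistered into the "Unknown" class. The Python below is an added example, not MUST's own code: a dictionary stands in for the University LDAP bind, an in-memory sqlite table stands in for the SQL registration database, the MAC addresses, usernames and passwords are constructed, the Windows version list and the redirect paths are assumptions. It also normalizes the several spellings a NAS may use for Calling-Station-Id, which the slides do not discuss but which decides whether a registered computer is recognised at all.

```python
import re
import sqlite3
from dataclasses import dataclass

# Constructed stand-in for the University LDAP directory (username -> password).
# A real deployment performs an LDAP bind; the dict only lets the example run offline.
DIRECTORY = {"jdoe": "correct horse", "asmith": "battery staple"}


def normalize_mac(calling_station_id: str) -> str:
    """Reduce the Calling-Station-Id spellings seen from different NAS vendors
    ('00-12-3F-DA-21-92', '0012.3fda.2192', '00:12:3f:da:21:92') to 12 lowercase
    hex digits so the SQL lookup matches regardless of which switch sent them."""
    digits = re.sub(r"[^0-9a-fA-F]", "", calling_station_id).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {calling_station_id!r}")
    return digits


def build_registration_db() -> sqlite3.Connection:
    """In-memory stand-in for the SQL registration database. Rows are constructed."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE registrations (mac TEXT PRIMARY KEY, username TEXT, rights TEXT)")
    db.executemany("INSERT INTO registrations VALUES (?, ?, ?)", [
        ("00123fda2192", "jdoe", "Unprotected"),   # public University IP space
        ("0050561a2b3c", "asmith", "Protected"),   # point-to-point NAT space
    ])
    return db


@dataclass
class AccessDecision:
    accept: bool
    rights: str    # "Unknown" is the quarantine class; "" when access is refused
    reason: str


def radius_authorize(db: sqlite3.Connection, username: str, password: str,
                     calling_station_id: str) -> AccessDecision:
    """One Access-Request -> Access-Accept/Reject decision, in the order the diagram shows."""
    # Step 1: user identity (the LDAP Authentication leg of the diagram).
    if DIRECTORY.get(username) != password:
        return AccessDecision(False, "", "LDAP authentication failed")
    # Step 2: computer identity (SQL Select on Calling-Station-ID).
    try:
        mac = normalize_mac(calling_station_id)
    except ValueError as exc:
        return AccessDecision(False, "", str(exc))
    row = db.execute("SELECT rights FROM registrations WHERE mac = ?", (mac,)).fetchone()
    if row is None:
        # Accepted, but with the "Unknown" rights attribute: the NAS keeps the client
        # in quarantine, where the captive page sorts it by operating system.
        return AccessDecision(True, "Unknown", "computer not registered; quarantine class")
    return AccessDecision(True, row[0], "registered computer")


def redirect_for_unknown(os_id: str) -> str:
    """Where the captive ASP.NET page sends an 'Unknown' client, per the slide:
    Windows ME and newer go to the MUST Update site, everything else to the
    alternate page. The version set and both paths are this example's assumptions."""
    windows_me_and_newer = {"Windows ME", "Windows 2000", "Windows XP", "Windows 2003"}
    return "/mustupdate" if os_id in windows_me_and_newer else "/alternate"


if __name__ == "__main__":
    db = build_registration_db()
    for args in [("jdoe", "correct horse", "00-12-3F-DA-21-92"),
                 ("jdoe", "wrong", "00-12-3F-DA-21-92"),
                 ("asmith", "battery staple", "00:11:22:33:44:55")]:
        print(args, radius_authorize(db, *args))
```

The rights attribute returned to the NAS is what places the client: a registered computer gets the rights it chose at registration, and an unregistered one is accepted only into the quarantine class rather than refused, because the quarantine is where remediation happens.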
Client Inspection
• MUST Update Tool
– Scans for and removes worms and viruses
» Mitigates 41 virus/worm families via the Microsoft Malicious Software Removal Tool and custom worm detection routines
– Checks the system for running instances of 48 antivirus software processes from 9 vendors
» Downloads and installs the University standard package (with locked configuration) when AV is absent
» If AV processes are present, prompts the user to remove packages other than the University standard
– Configures nightly automatic Windows Update policy on supported Windows platforms
– Reports application errors and other system issues to a centralized database
– Registers computers that pass all checks after giving users the option of remaining in the Protected (point-to-point NAT) space or moving to an Unprotected (University public IP addressed) space
MUST Update Resources
• WMI (Windows Management Instrumentation) acts as a repository of important system configuration information and is present, by default, on all Windows ME and newer Windows systems
– Using WMI, we can:
» Check running processes
» Obtain system information
» Manage system services
» Read/Edit registry
• Basic Windows APIs
– WinInet for data transfers
– Kernel32 and User32 for basic system functions
» Sleep function
» Folder/File creation & removal
Registration
• It is useful to associate a user identity with a registered computer
– Check routine downloads an SSL page containing the username associated with the authenticated user on the computer in question
• Upon passing all checks, the application passes 5 variables to the registration server
– MAC address
– Username
– Operating System
– Service Pack, if applicable
– Rights Selection
• Application then spawns an IE browser that informs the user of a successful registration and directs them to re-authenticate for full network access
Non-compliant Systems
• In about 5% of cases, Windows computers are not registered because they fail one or more security checks
– Most likely scenario: Symantec AV fails to load properly. This can be the result of previous malware infection or an operating system problem
» An IE browser is automatically spawned pointing to a remediation page which explains the problem, links to a copy of the Trend Micro Damage Cleanup Engine, and gives instructions for running the DCE
– Other scenarios include
» Computers infected with malware which requires manual intervention for complete removal
» Computers with damaged Windows installations which are unable to install the antivirus package, communicate via SSL, or perform other basic functions
Reporting
• Central database which catalogs information reported by the MUST Update Tool
– File download errors
– Infected computers, including those which require manual intervention
– If safety checks fail, factors that caused failure
– Presence & type of non-compliant antivirus software found
– Number of times the tool has run
Scale
[Chart: Registered Computers (0 to 1200) by Date, 7/15/2005 to 9/15/2005. Annotated milestones: MUST v2 Implementation 7/15, Early Arrivals 8/21, General Arrivals 8/25.]
University of Richmond
Online Registration
U of R - Overview
• On both wired and wireless networks:
– Machines with unknown MAC addresses (i.e. not in our VMPS database) are put into a "Neverland" vlan with access to:
» Anti-Virus server (Symantec Corp. AV)
» Anti-Virus install (Authentication required)
» Windows Update locations (via SQUID Proxy)
» Active-Directory / DNS / DHCP
– Note that we have a separate "Blackhole" vlan with all traffic dropped at the switch port for machines which have been identified as a security risk
U of R – Overview II
• In the Neverland VLAN, the squid proxy redirects all port 80 http to our static computer registration start page
• User must click through, as automated processes hitting port 80 were running excessive PERL
• User enters id and password and the process begins
• Upon successful completion, the MAC address is registered in VMPS along with the correct VLAN id for the user
• The address is then located on the equipment and the port is downed and upped, causing a VMPS lookup and voilà, the port is put into the correct VLAN
U of R – Process Details
• So what happens in the process:
– 1. OS Determination
» Check browser string
» nmap -O
– 2. If MS:
» Turn on Automatic Updates standard and via policy
  - 3 am – download & install – don't ask
  - User cannot turn off via control panel – must delete registry keys
» Open holes in the XP SP2 firewall for SAV traffic
  - Does not turn the firewall on or off
» Verify SAV install, Virus def dates & Parent server
» Scan for worm holes using Nessus
– 3. If not MS:
» Pass without doing anything for now
U of R – MS Client Side
• For MS Boxes:
– Download UofRMachineCheck Active X control and instantiate it
» Requires IE 5.5 or above
» Requires JavaScript
» Requires the default IE settings
– The encryption (more obfuscation) uses the hidden field "keyring" to avoid replay
– Calls each of the functions and finally gets the MachineStatus (see next slide) to retrieve the SAV state and the Automatic Update state:
    oMachineCheck.SetAUPolicyOn;          // Set AU on by policy
    oMachineCheck.SetAUOn;                // Set AU on normally
    oMachineCheck.OpenXPFirewallSAVCE;    // Open the XP SP2 Firewall
    var GetMachineStatusEncryptedResult =
        oMachineCheck.GetMachineStatusEncrypted(key);   // Get encrypted status
    main.urm.value = GetMachineStatusEncryptedResult;   // Put result into form field
    main.submit();                                      // Submit main form
U of R – Client Notes
• Note that the control is "Safe" in the sense that it:
– Will only increase AU settings
– Is hard-coded to return only certain registry settings – not scriptable and thus not a security hole
• Microsoft Visual C++ .dll in system32 via signed .cab file + .INF
• Instantiation:
    <object classid="clsid:9AC81071-4B2C-48DF-A245-C131DD64B7D2" id="oMachineCheck"
            CODEBASE="UofRMachineCheck.cab#Version=1,0,6,1"></object>
• See sample code for exact mechanisms and for hard-learned detection of successful instantiation
• 1.0.7.1 version detects MS Anti-Spyware beta – we do not use this check
U of R – Server Side
• Standard PERL + Linux/Windows Decode executable:
    # Decode the message:
    $DecodedMessage = `$LIBDIR/UofRMachineCheckDecode.exe $urmkey $urm 2>&1`;

    # Check for failure (the decoder reports an error with a leading '-'):
    if ($DecodedMessage =~ /^-/) {
        $PAGE{BODY} = UofRMachineCheckHandleIssue($DecodedMessage);
        &display_cpage(\%PAGE);
    }

    # Now convert the decoded message to a hash:
    %MachineInfo = UofRMachineCheckDecode::UofRMachineCheckDecodedToHash($DecodedMessage);

    # Now check to see if the result key in the hash indicates failure:
    if (substr($MachineInfo{"Result"}, 0, 1) eq "-") {
        $PAGE{BODY} = UofRMachineCheckHandleIssue($MachineInfo{"Result"});
        &display_cpage(\%PAGE);
    }

    # Now check the machine's compliance:
    $MachineCompliance = UofRMachineCheckCompliance(\%MachineInfo);
U of R – Machine Status Output
    141.166.58.95 os= mswin
    141.166.58.95 urmkey= 175a2c8fbdad1adc
    urm= e1bedf695d40d014d7bbe0587d6bcb16c086806 … .6cd436b69dd15d79b801a1230dc1a82
    141.166.58.95 dcm= SAVCEHomeDirectory C:\Program Files\Symantec AntiVirus\
    SAVCEParent MOXY
    SAVCEProductVersionMajor 10
    SAVCEProductVersionMinor 0
    SAVCEProductVersionPatch 1
    SAVCEProductVersionBuild 1000
    SAVCEPatternFileDate 20050913
    AUOptions 4
    AUState 2
    AUScheduledInstallDay 0
    AUScheduledInstallTime 3
    AUDisabled 0
    AUPolicyOptions 4
    AUPolicyState 2
    AUPolicyScheduledInstallDay 0
    AUPolicyScheduledInstallTime 3
    AUPolicyDisabled 0
U of R – Machine Status Output II
    141.166.58.95 0;Compliant
    141.166.58.95 (141.166.58.95) 00123fda2192
    141.166.58.95 (141.166.58.95) NBLookup time 4
    ipaddr=141.166.58.95 hipaddr=141.166.58.95 (141.166.58.95) starting nessus scans
    141.166.58.95 (141.166.58.95) Nessus time 17
    141.166.58.95 (141.166.58.95) Nessus Scan Report
    ------------------------------------
    …
    ------------------------------------
    This file was generated by the Nessus Security Scanner
    141.166.58.95 (141.166.58.95) student
    141.166.58.95 Downing gry1a1 10037 2
    141.166.58.95 Upping gry1a1 10037 1
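The server-side slides show the decoded status being turned into a hash and then handed to UofRMachineCheckCompliance, whose verdict ("0;Compliant", or a string starting with "-") appears in the output above. The Python below is an added example of that step, written here rather than taken from the University of Richmond's Perl: it parses name/value lines laid out like the dcm= block on the Machine Status Output slide (the sample is constructed from those values) and applies the checks the Process Details slide lists (SAV installed, version, parent server, definition date, Automatic Updates on both normally and by policy with a 3 am install). The failure codes, the seven-day definition-age limit and the version-10 minimum are this example's assumptions.

```python
from datetime import date, datetime, timedelta

# Constructed sample: same Name Value layout as the decoded 'dcm=' block in the deck's
# Machine Status Output slide; a real run gets this text from UofRMachineCheckDecode.exe.
SAMPLE_STATUS = """SAVCEHomeDirectory C:\\Program Files\\Symantec AntiVirus\\
SAVCEParent MOXY
SAVCEProductVersionMajor 10
SAVCEProductVersionMinor 0
SAVCEProductVersionPatch 1
SAVCEProductVersionBuild 1000
SAVCEPatternFileDate 20050913
AUOptions 4
AUState 2
AUScheduledInstallDay 0
AUScheduledInstallTime 3
AUDisabled 0
AUPolicyOptions 4
AUPolicyState 2
AUPolicyScheduledInstallDay 0
AUPolicyScheduledInstallTime 3
AUPolicyDisabled 0
"""


def decoded_to_dict(text: str) -> dict:
    """Counterpart of the Perl UofRMachineCheckDecodedToHash: one 'Name Value' pair per
    line. Split only on the first space, because values such as the SAV home directory
    contain spaces themselves."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, _, value = line.partition(" ")
        info[name] = value.strip()
    return info


def check_compliance(info: dict, today: date, max_def_age_days: int = 7) -> str:
    """Return '0;Compliant' or '-<code>;<reason>'. A leading '-' means failure, the
    convention the deck's Perl tests with substr(..., 0, 1) eq '-'. Codes, the
    definition-age window and the version minimum are assumptions of this example."""
    # SAV install: the decoder only reports a home directory when the product is present.
    if not info.get("SAVCEHomeDirectory"):
        return "-1;Symantec AntiVirus not installed"
    try:
        major = int(info.get("SAVCEProductVersionMajor", "0"))
    except ValueError:
        return "-2;SAV version unreadable"
    if major < 10:
        return "-2;SAV version too old"
    # Parent server: the client must report to the University's management server
    # ("MOXY" is the name shown on the status slide) or it will never receive updates.
    if info.get("SAVCEParent") != "MOXY":
        return "-3;SAV not managed by the University parent server"
    # Virus definition date (YYYYMMDD) must be recent.
    try:
        defs = datetime.strptime(info.get("SAVCEPatternFileDate", ""), "%Y%m%d").date()
    except ValueError:
        return "-4;virus definition date unreadable"
    if today - defs > timedelta(days=max_def_age_days):
        return "-4;virus definitions outdated"
    # Automatic Updates, both the normal setting (AU*) and the policy setting (AUPolicy*):
    # option 4 is "download and install on a schedule", install hour 3 is the 3 am the
    # slides describe, and the Disabled flag must be clear.
    for prefix in ("AU", "AUPolicy"):
        if (info.get(prefix + "Options") != "4"
                or info.get(prefix + "Disabled") != "0"
                or info.get(prefix + "ScheduledInstallTime") != "3"):
            return "-5;Automatic Updates not set to install nightly (%s)" % prefix
    return "0;Compliant"


if __name__ == "__main__":
    machine = decoded_to_dict(SAMPLE_STATUS)
    print(check_compliance(machine, date(2005, 9, 15)))   # the run on the slide
    print(check_compliance(machine, date(2005, 10, 15)))  # same client a month later
```

Checking both the AU* and the AUPolicy* families matters for the drawback the deck raises later: the control only ever raises the settings, so a client that shows the policy values but a disabled normal setting has had its registry edited after registration, and the verdict string, not the raw hash, is what the registration page and the VMPS update act on.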
Spare – U of R Registration Flowchart
[Flowchart: "University of Richmond Registration - Fall 2004, v0.4 7/15/2004", with swimlanes Client (Windows), Server (Windows/Unix) and Shared Code.
Steps: User opens registration page and logs in → Check machine type using nmap (if fail, have user claim) → Windows? If No: Register Computer, put MAC into Student VLAN, Exit Page. If Yes: Create MachineCheck object → Created OK? Version OK? (if not: Retry?, else instruct user how to get patched, set browser, install AV, etc. or instruct to see help desk) → Set Automatic Updates on by Policy → MachineCheck object is asked for the encrypted machine status → Status is decrypted, verified; Name/Value pairs put in Perl hash → SAVCE installed? Definition dates, etc. OK? → Patched? [via Nessus] → All OK: Register Computer, put MAC into Student VLAN, Exit Page; Not OK: MAC into Black Hole, Failure Exit Page. Student? If not, Faculty/Staff registration page.
Shared code shown: Obfuscate Encrypt/Decrypt Library (Obfuscate.cpp), UofRMachineCheck DLL, UofRMachineCheckDecode PM, UofRMachineCheckDecode EXE, TestMachineCheckServer.htm, UofRMachineCheckValidateMachine.pl.]
Drawbacks/Issues
1. Relies on MAC addresses - enough said
2. Relies on OS Determination
– Browser string can be changed
– Box can be completely firewalled and not respond, or TCP stack can be modified
3. Does not continually monitor for issues
– Can scan in the back-end for people who re-install OS-es, etc.
– We can dump the students out of the database and cause a re-registration at will if we add a scan or modify a requirement
» Best done in some rotation so as not to swamp registration page with 3000 students at one time
4. Does not ensure that the machines are virus-free:
– U of R runs one full scan weekly on every system – scheduled from parent server
– Virus logger report that culls and e-mails logs: http://is.richmond.edu/techsupport/security/Downloads.htm
5. Deletion of registry keys means that you can turn off automatic updates
– No solutions here…
Drawbacks/Issues
6. U of R only checks worm holes, not for other patches
– Could easily be modified to check for some via registry, but this is an onerous process to keep up with (particularly with a compiled Active X control) and I would rather make sure they are all patched automatically
7. Students can uninstall anti-virus
– No solutions here… Back-end checking required
8. Students (Business, Continuing Studies) who cannot install University AV on work machines
– Manual registration – Also Windows 98 has to be manually registered since it cannot run SAV 10
9. Guests / Speakers:
– Guest VLAN for accounts to which we will only give Internet access for a very limited time.
10. Dial-up / VPN
– No solutions here…
Conclusions
• These systems work seamlessly in the vast majority of cases
– Enforce security policy at specific points in time
– Help to identify the endpoints within protected networks
– Provide a framework to respond to a large scale worm incident via automatic processes
– Yield useful statistics which can aid in network, application, and resource planning
Contacts
Dan Veloce
George Mason University
[email protected]
MUST System: http://sandbox.ssgad.gmu.edu

Chris Faigle
University of Richmond
[email protected]
U of R Machine Check: http://is.richmond.edu/techsupport/security/Downloads.htm

Questions?