
Page 1: Two Approaches to Large Scale Computer Security Validation and Registration

VASCAN, October 2005

Dan Veloce, George Mason University, dveloce@gmu.edu
Chris Faigle, University of Richmond, [email protected]

Page 2: What is the problem?

It is difficult to secure computers that are not under direct management.

Many large organizations, especially universities, provide network connectivity for large numbers of computers which are unmanaged and, in many cases, owned by other entities.

In this kind of environment, it can be helpful to devise a system that allows such computers to connect to the network only after verifying that they conform to a pre-defined security policy.

Page 3: Some Possible Solutions

Install a manageable client on each computer and continually monitor for policy compliance.

Verify policy compliance only at scheduled times (e.g. back to school, midyear) or in the event of a major security issue.

We will look at two systems which follow the second approach:
– The MUST system from George Mason University
– The University of Richmond's online registration system

Page 4: George Mason University: MUST

Page 5: MUST Components

Network Quarantine
Authentication
Client Inspection & Remediation
Registration
Reporting

Page 6: Quarantine is Essential!

Large influx of new computer systems into Residence Hall networks at the beginning of each semester.

Very dynamic environment.

System administration deficiencies are prevalent! In many cases:
» Little or no OS patching
» Antivirus software absent or virus definitions outdated
» Infected computers

Page 7: Network Quarantine

Diagram: two addressing models for hosts behind the same access switch and router/security gateway.

Traditional IP subnet (all hosts share one subnet and one broadcast domain):
  Host A: IP 129.174.68.10, subnet mask 255.255.255.0, gateway 129.174.68.1
  Host B: IP 129.174.68.11, subnet mask 255.255.255.0, gateway 129.174.68.1

Point-to-point IP quarantine (MUST architecture; each host gets its own /30 in which the gateway is the only other usable address):
  Host A: IP 42.93.232.46, subnet mask 255.255.255.252, gateway 42.93.232.45
  Host B: IP 42.129.86.82, subnet mask 255.255.255.252, gateway 42.129.86.81

The point of the /30 per host is isolation: in the traditional subnet, hosts A and B can ARP for and talk to each other directly, so an infected machine can attack its neighbours without the gateway ever seeing the traffic. In the point-to-point model no two quarantined hosts share a subnet, so every packet between them must cross the router/security gateway, where policy can be enforced.
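The isolation property of the point-to-point model, as an added example that is not MUST code: a small allocator that hands each quarantined host its own /30 from a pool and a check showing that two such hosts are never in one subnet, whereas two hosts on the traditional /24 are. The pool 42.93.232.0/24 and the MAC addresses are constructed for the example (the slide's two hosts sit in different /24s, so the real pool is larger than this).

```python
"""Added example (not from the MUST project): hand out one /30 per quarantined host
and show why, unlike a shared /24, two such hosts cannot reach each other without
crossing the gateway. The pool and MAC addresses below are constructed."""
import ipaddress

QUARANTINE_POOL = ipaddress.ip_network("42.93.232.0/24")      # constructed pool
TRADITIONAL_SUBNET = ipaddress.ip_network("129.174.68.0/24")  # from the slide


class PointToPointQuarantine:
    """Allocates /30 subnets: .0 network, .1 gateway, .2 host, .3 broadcast."""

    def __init__(self, pool):
        self._subnets = pool.subnets(new_prefix=30)   # generator of /30s
        self.leases = {}                              # canonical MAC -> lease

    def lease(self, mac):
        """Return the existing lease for this MAC, or carve out a new /30."""
        mac = mac.lower()
        if mac in self.leases:
            return self.leases[mac]
        try:
            net = next(self._subnets)
        except StopIteration:
            raise RuntimeError("quarantine pool exhausted")
        gateway, host = list(net.hosts())   # a /30 has exactly two usable addresses
        self.leases[mac] = {
            "ip": str(host),
            "mask": str(net.netmask),        # 255.255.255.252
            "gateway": str(gateway),
        }
        return self.leases[mac]


def traditional_lease(ip, subnet=TRADITIONAL_SUBNET):
    """The traditional model on the slide: every host shares the same /24."""
    return {"ip": ip, "mask": str(subnet.netmask), "gateway": str(next(subnet.hosts()))}


def same_subnet(lease_a, lease_b):
    """True if host A can reach host B directly, without going through a gateway."""
    net_a = ipaddress.ip_network(f"{lease_a['ip']}/{lease_a['mask']}", strict=False)
    return ipaddress.ip_address(lease_b["ip"]) in net_a


if __name__ == "__main__":
    q = PointToPointQuarantine(QUARANTINE_POOL)
    a = q.lease("00:12:3f:da:21:92")
    b = q.lease("00:0c:29:aa:bb:cc")
    print("point-to-point:", a, b, "peer reachable:", same_subnet(a, b))
    t1, t2 = traditional_lease("129.174.68.10"), traditional_lease("129.174.68.11")
    print("traditional:", t1, t2, "peer reachable:", same_subnet(t1, t2))
```

Each /30 costs four addresses for one host, which is why the slide's quarantine space uses NAT'd private-style addressing rather than University public IPs (page 11 calls the quarantine "point-to-point NAT" space).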

Page 8: Authentication

User based authentication
– Verify the user's identity via GMU LDAP

Computer identification
– Identify a computer via records kept within an SQL database

RADIUS allows us to accomplish both goals in one step.

Page 9: Authentication (sequence diagram)

Participants: Client Computer, NAS, RADIUS server, University LDAP, SQL Database. The labelled exchanges on the slide, in order:

1. Client Computer -> NAS: SSL/web authentication (Username, Password)
2. NAS -> RADIUS: Access-Request (Username, Password, Calling-Station-ID)
3. RADIUS -> University LDAP: LDAP authentication (Username, Password)
4. RADIUS -> SQL Database: SQL SELECT on Calling-Station-ID (the client's MAC address, which is what registration stores; see page 13)
5. SQL Database -> RADIUS: Return (Rights attribute)
6. RADIUS -> NAS: Access-Accept (Rights)

The user check and the computer check are thus both answered by the single RADIUS reply: the Rights attribute tells the NAS which network class to place the client in.
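How the RADIUS server combines the two lookups into one answer, as an added example that is not the MUST system's code: a hypothetical handler for one Access-Request that verifies the user against a constructed stand-in for GMU LDAP, normalizes the Calling-Station-Id (NAS equipment writes the MAC in several spellings, so the SQL key must be canonical or known computers look unknown), looks it up in a constructed stand-in for the registration table, and returns the rights class. The class names Protected and Unprotected are taken from page 11 and "Unknown" for unregistered MACs from page 10; the users, passwords and MACs are made up.

```python
"""Added example (not the MUST project's code): the decision a RADIUS server makes
for one Access-Request in the flow above. LDAP_USERS and REGISTERED are constructed
stand-ins for GMU LDAP and the MUST SQL database."""
import hashlib
import hmac
import re


def _pw(password, salt="demo-salt"):
    """Constructed credential store format: salted SHA-256 hex digest."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Stand-in for the university LDAP directory (constructed).
LDAP_USERS = {"jdoe": _pw("correct horse"), "asmith": _pw("hunter2")}

# Stand-in for the SQL registration table, keyed by canonical MAC (constructed).
REGISTERED = {
    "00123fda2192": {"username": "jdoe", "rights": "Protected"},
    "000c29aabbcc": {"username": "asmith", "rights": "Unprotected"},
}


def normalize_calling_station_id(csid):
    """Accept 00-12-3F-DA-21-92, 00:12:3f:da:21:92 or 0012.3fda.2192 and return
    the 12 lowercase hex digits used as the database key."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", csid).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {csid!r}")
    return hexdigits


def ldap_bind(username, password):
    """Step 3 on the slide: verify the user's credentials."""
    stored = LDAP_USERS.get(username)
    return stored is not None and hmac.compare_digest(stored, _pw(password))


def lookup_rights(calling_station_id):
    """Steps 4 and 5: SELECT the rights for this MAC; unknown MACs get 'Unknown'."""
    row = REGISTERED.get(normalize_calling_station_id(calling_station_id))
    return row["rights"] if row else "Unknown"


def handle_access_request(username, password, calling_station_id):
    """Return the RADIUS reply as (code, attributes). A bad password is a reject;
    an unregistered computer is still accepted, but only into the Unknown class."""
    if not ldap_bind(username, password):
        return ("Access-Reject", {})
    try:
        rights = lookup_rights(calling_station_id)
    except ValueError:
        return ("Access-Reject", {"Reply-Message": "malformed Calling-Station-Id"})
    return ("Access-Accept", {"Rights": rights})


if __name__ == "__main__":
    print(handle_access_request("jdoe", "correct horse", "00-12-3F-DA-21-92"))
    print(handle_access_request("jdoe", "correct horse", "aa:bb:cc:dd:ee:ff"))
    print(handle_access_request("jdoe", "wrong", "00-12-3F-DA-21-92"))
```

The order matters: the LDAP bind runs before the MAC lookup, so an attacker cannot probe which MACs are registered without a valid account. Accepting unknown MACs into a restricted class, rather than rejecting them, is what lets the quarantine web page on the next slide reach the client at all.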

Page 10: Client Classification

Unknown computers are placed into the "Unknown" class and redirected to an ASP.NET web page which redirects computers based on operating system ID:
– Windows ME and newer Windows OS
  » MUST Update site: general computing security information; disclaimers and SAV license agreement; MUST Update Tool specs and download
– All other OS
  » Alternate web page: general computing security information; AV software downloads for supported platforms; registration link

Page 11: Client Inspection

MUST Update Tool
– Scans for and removes worms and viruses
  » Mitigates 41 virus/worm families via the Microsoft Malicious Software Removal Tool and custom worm detection routines
– Checks the system for running instances of 48 antivirus software processes from 9 vendors
  » Downloads and installs the University standard package (with locked configuration) when AV is absent
  » If AV processes are present, prompts the user to remove packages other than the University standard
– Configures a nightly automatic Windows Update policy on supported Windows platforms
– Reports application errors and other system issues to a centralized database
– Registers computers that pass all checks after giving users the option of remaining in the Protected (point-to-point NAT) space or moving to an Unprotected (University public IP addressed) space

Page 12: MUST Update Resources

WMI (Windows Management Instrumentation) acts as a repository of important system configuration information and is present, by default, on all Windows ME and newer Windows systems. Using WMI, we can:
» Check running processes
» Obtain system information
» Manage system services
» Read/edit the registry

Basic Windows APIs
– WinInet for data transfers
– Kernel32 and User32 for basic system functions
  » Sleep function
  » Folder/file creation & removal

Page 13: Registration

It is useful to associate a user identity with a registered computer.
– The check routine downloads an SSL page containing the username associated with the authenticated user on the computer in question

Upon passing all checks, the application passes 5 variables to the registration server:
– MAC address
– Username
– Operating system
– Service pack, if applicable
– Rights selection

The application then spawns an IE browser that informs the user of a successful registration and directs them to re-authenticate for full network access.

Page 14: Non-compliant Systems

In about 5% of cases, Windows computers are not registered because they fail one or more security checks.
– Most likely scenario: Symantec AV fails to load properly. This can be the result of a previous malware infection or an operating system problem.
  » An IE browser is automatically spawned pointing to a remediation page which explains the problem, links to a copy of the Trend Micro Damage Cleanup Engine, and gives instructions for running the DCE
– Other scenarios include:
  » Computers infected with malware which requires manual intervention for complete removal
  » Computers with damaged Windows installations which are unable to install the antivirus package, communicate via SSL, or perform other basic functions

Page 15: Reporting

Central database which catalogs information reported by the MUST Update Tool:
– File download errors
– Infected computers, including those which require manual intervention
– If safety checks fail, the factors that caused the failure
– Presence & type of non-compliant antivirus software found
– Number of times the tool has run

Page 16: Scale

Chart: registered computers (y axis, 0 to 1200) by date (x axis, 7/15/2005 to 9/15/2005), with three annotated milestones: MUST v2 implementation (7/15), early arrivals (8/21), general arrivals (8/25).

Page 17: University of Richmond: Online Registration

Page 18: U of R - Overview

On both wired and wireless networks:
– Machines with unknown MAC addresses (i.e. not in our VMPS database) are put into a "Neverland" VLAN with access to:
  » Anti-virus server (Symantec Corp. AV)
  » Anti-virus install (authentication required)
  » Windows Update locations (via Squid proxy)
  » Active Directory / DNS / DHCP
– Note that we have a separate "Blackhole" VLAN with all traffic dropped at the switch port for machines which have been identified as a security risk

Page 19: U of R – Overview II

In the Neverland VLAN, the Squid proxy redirects all port 80 HTTP to our static computer registration start page.

The user must click through, because automated processes hitting port 80 were running excessive Perl.

The user enters id and password and the process begins.

Upon successful completion, the MAC address is registered in VMPS along with the correct VLAN id for the user.

The address is then located on the equipment and the port is downed and upped, causing a VMPS lookup, and voila, the port is put into the correct VLAN.
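The VMPS side of the steps above, as an added example and not the University of Richmond's code: a small model of the VMPS text database that registration writes, using the Cisco VMPS configuration file layout (a `vmps-mac-addrs` section of `address <mac> vlan-name <vlan>` lines), with the three outcomes the slides describe: a registered MAC mapped to its VLAN, a risky MAC sent to Blackhole, and a deregistered MAC falling back to Neverland (page 27 mentions dumping students from the database to force re-registration). The domain name "UR", the choice of expressing Neverland as the VMPS fallback VLAN, and the MAC addresses are assumptions.

```python
"""Added example (not the University of Richmond's code): a model of the VMPS
database file that the registration process updates. Domain name, VLAN names,
the fallback-VLAN convention for Neverland, and all MACs are constructed."""
import re

NEVERLAND = "Neverland"   # unknown hosts: registration-only access
BLACKHOLE = "Blackhole"   # identified risks: all traffic dropped at the port


def cisco_mac(mac):
    """Normalize any common MAC spelling to VMPS's dotted form, e.g. 0012.3fda.2192."""
    h = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(h) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


class VmpsDatabase:
    def __init__(self, domain, fallback=NEVERLAND):
        self.domain = domain
        self.fallback = fallback          # VLAN for MACs with no entry
        self.entries = {}                 # dotted MAC -> vlan-name

    def register(self, mac, vlan):
        """Successful registration: the slide's log shows VLAN 'student'."""
        self.entries[cisco_mac(mac)] = vlan

    def blackhole(self, mac):
        """Machine identified as a security risk."""
        self.entries[cisco_mac(mac)] = BLACKHOLE

    def deregister(self, mac):
        """Remove the MAC so its next VMPS lookup falls back to Neverland,
        which forces the user through registration again."""
        self.entries.pop(cisco_mac(mac), None)

    def vlan_for(self, mac):
        """What the switch will be told after the port is bounced."""
        return self.entries.get(cisco_mac(mac), self.fallback)

    def render(self):
        lines = [
            f"vmps domain {self.domain}",
            "vmps mode open",
            f"vmps fallback {self.fallback}",
            "vmps no-domain-req deny",
            "!",
            "vmps-mac-addrs",
        ]
        lines += [f"address {m} vlan-name {v}" for m, v in sorted(self.entries.items())]
        return "\n".join(lines) + "\n"

    @classmethod
    def parse(cls, text):
        """Read a file produced by render(); only those directives are handled."""
        domain, fallback, entries = None, None, {}
        for line in text.splitlines():
            m = re.match(r"vmps domain (\S+)$", line)
            if m:
                domain = m.group(1)
                continue
            m = re.match(r"vmps fallback (\S+)$", line)
            if m:
                fallback = m.group(1)
                continue
            m = re.match(r"address (\S+) vlan-name (\S+)$", line)
            if m:
                entries[m.group(1)] = m.group(2)
        db = cls(domain, fallback)
        db.entries = entries
        return db


if __name__ == "__main__":
    db = VmpsDatabase("UR")
    db.register("00123fda2192", "student")
    db.blackhole("00-0C-29-AA-BB-CC")
    print(db.render())
```

Writing the file is only half of the step on the slide: the VMPS server has to reload it, and the port must then be downed and upped so the switch issues a fresh VMPS lookup for the MAC.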

Page 20: U of R – Process Details

So what happens in the process:
– 1. OS determination
  » Check browser string
  » nmap -O
– 2. If MS:
  » Turn on Automatic Updates, both the standard setting and via policy
    3 am – download & install – don't ask
    User cannot turn it off via the control panel – must delete registry keys
  » Open holes in the XP SP2 firewall for SAV traffic
    Does not turn the firewall on or off
  » Verify SAV install, virus definition dates & parent server
  » Scan for worm holes using Nessus
– 3. If not MS:
  » Pass without doing anything for now

Page 21: U of R – MS Client Side

For MS boxes:
– Download the UofRMachineCheck ActiveX control and instantiate it
  » Requires IE 5.5 or above
  » Requires JavaScript
  » Requires the default IE settings
– The encryption (more obfuscation) uses the hidden field "keyring" to avoid replay
– Calls each of the functions and finally gets the MachineStatus (see next slide) to retrieve the SAV state and the Automatic Update state:

```javascript
// key holds the value of the hidden "keyring" form field described above
oMachineCheck.SetAUPolicyOn();            // Set AU on by policy
oMachineCheck.SetAUOn();                  // Set AU on normally
oMachineCheck.OpenXPFirewallSAVCE();      // Open the XP SP2 firewall for SAV traffic
var GetMachineStatusEncryptedResult =
    oMachineCheck.GetMachineStatusEncrypted(key);  // Get encrypted status
main.urm.value = GetMachineStatusEncryptedResult;  // Put result into form field
main.submit();                                     // Submit main form
```

Page 22: U of R – Client Notes

Note that the control is "safe" in the sense that it:
– Will only increase AU settings
– Is hard-coded to return only certain registry settings – not scriptable and thus not a security hole

Microsoft Visual C++ .dll placed in system32 via a signed .cab file + .INF

Instantiation:

```html
<object classid="clsid:9AC81071-4B2C-48DF-A245-C131DD64B7D2"
        id="oMachineCheck"
        CODEBASE="UofRMachineCheck.cab#Version=1,0,6,1">
</object>
```

See the sample code for exact mechanisms and for hard-learned detection of successful instantiation.

Version 1.0.7.1 detects the MS Anti-Spyware beta – we do not use this check.

Page 23: U of R – Server Side

Standard Perl + Linux/Windows decode executable:

```perl
# $urmkey and $urm arrive from the client's form submission (the keyring value
# and main.urm on the previous slide) and are interpolated into a shell command
# below, so accept only hex strings (the shape shown on the next slide) first.
die "bad keyring or status value\n"
    unless $urmkey =~ /^[0-9a-fA-F]+$/ && $urm =~ /^[0-9a-fA-F]+$/;

# Decode the message:
$DecodedMessage = `$LIBDIR/UofRMachineCheckDecode.exe $urmkey $urm 2>&1`;

# Check for failure:
if ($DecodedMessage =~ /^-/) {
    $PAGE{BODY} = UofRMachineCheckHandleIssue($DecodedMessage);
    &display_cpage(\%PAGE);
}

# Now convert the decoded message to a hash:
%MachineInfo = UofRMachineCheckDecode::UofRMachineCheckDecodedToHash($DecodedMessage);

# Now check to see if the result key in the hash indicates failure:
if (substr($MachineInfo{"Result"}, 0, 1) eq "-") {
    $PAGE{BODY} = UofRMachineCheckHandleIssue($MachineInfo{"Result"});
    &display_cpage(\%PAGE);
}

# Now check the machine's compliance:
$MachineCompliance = UofRMachineCheckCompliance(\%MachineInfo);
```

Page 24: U of R – Machine Status Output

Server-side log of one registration (client 141.166.58.95); the dcm block is the decoded machine status, one name/value pair per line:

141.166.58.95 os= mswin
141.166.58.95 urmkey= 175a2c8fbdad1adc
141.166.58.95 urm= e1bedf695d40d014d7bbe0587d6bcb16c086806 … 6cd436b69dd15d79b801a1230dc1a82
141.166.58.95 dcm=
  SAVCEHomeDirectory C:\Program Files\Symantec AntiVirus\
  SAVCEParent MOXY
  SAVCEProductVersionMajor 10
  SAVCEProductVersionMinor 0
  SAVCEProductVersionPatch 1
  SAVCEProductVersionBuild 1000
  SAVCEPatternFileDate 20050913
  AUOptions 4
  AUState 2
  AUScheduledInstallDay 0
  AUScheduledInstallTime 3
  AUDisabled 0
  AUPolicyOptions 4
  AUPolicyState 2
  AUPolicyScheduledInstallDay 0
  AUPolicyScheduledInstallTime 3
  AUPolicyDisabled 0
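What the UofRMachineCheckCompliance step on the previous page has to decide from this output, as an added example written in Python rather than the project's Perl: a parser for the dcm name/value lines (the SAVCEHomeDirectory value contains spaces, so the split must happen at the first space only) and a compliance check applying the rules from the process slide: SAV installed, version and parent server, definition dates, and Automatic Updates enforced both normally and by policy. The "0;Compliant" result and the leading-minus failure convention come from the slides; the expected parent name MOXY, the minimum SAV major version 10, the 14-day definition-age limit and the specific "-n;reason" codes are my assumptions.

```python
"""Added example (not the U of R code): parse the 'dcm=' block and evaluate
compliance. Thresholds, the expected parent server and the failure codes are
assumptions; the sample block is transcribed from the slide."""
from datetime import date, timedelta

# Constructed from the slide's output (backslashes doubled for the Python literal).
SAMPLE_DCM = """\
SAVCEHomeDirectory C:\\Program Files\\Symantec AntiVirus\\
SAVCEParent MOXY
SAVCEProductVersionMajor 10
SAVCEProductVersionMinor 0
SAVCEProductVersionPatch 1
SAVCEProductVersionBuild 1000
SAVCEPatternFileDate 20050913
AUOptions 4
AUState 2
AUScheduledInstallDay 0
AUScheduledInstallTime 3
AUDisabled 0
AUPolicyOptions 4
AUPolicyState 2
AUPolicyScheduledInstallDay 0
AUPolicyScheduledInstallTime 3
AUPolicyDisabled 0
"""

EXPECTED_PARENT = "MOXY"            # assumed: the parent server seen in the output
MIN_SAV_MAJOR = 10                  # assumed: SAV 10 is the University standard
MAX_DEF_AGE = timedelta(days=14)    # assumed definition-age limit
AU_AUTO_INSTALL = 4                 # AUOptions 4 = auto download and schedule install


def decoded_to_dict(text):
    """Split each line at the first space; values (paths) may contain spaces."""
    info = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, value = line.partition(" ")
        info[name] = value.strip()
    return info


def _int(info, key, default=-1):
    try:
        return int(info.get(key, default))
    except ValueError:
        return default


def check_compliance(info, today):
    """Return '0;Compliant' or '-<n>;<reason>' for the first failed check."""
    if "SAVCEHomeDirectory" not in info:
        return "-1;Symantec AntiVirus not installed"
    if _int(info, "SAVCEProductVersionMajor") < MIN_SAV_MAJOR:
        return "-2;Symantec AntiVirus version too old"
    if info.get("SAVCEParent") != EXPECTED_PARENT:
        return "-3;Not managed by the University parent server"
    raw = info.get("SAVCEPatternFileDate", "")
    try:
        defs = date(int(raw[:4]), int(raw[4:6]), int(raw[6:8]))
    except ValueError:
        return "-4;Virus definition date unreadable"
    if today - defs > MAX_DEF_AGE:
        return "-4;Virus definitions out of date"
    # Both the user-level and the policy copy of the AU settings must be enforced:
    # the policy copy is what stops the control panel from turning AU back off.
    for prefix in ("AU", "AUPolicy"):
        if _int(info, prefix + "Disabled") != 0 or _int(info, prefix + "Options") != AU_AUTO_INSTALL:
            return f"-5;Automatic Updates not enforced ({prefix})"
    return "0;Compliant"


if __name__ == "__main__":
    print(check_compliance(decoded_to_dict(SAMPLE_DCM), date(2005, 9, 20)))
```

Note that every value here is reported by the client-side control; this check can only be as trustworthy as the control and the obfuscation around its report, which is the limitation the drawbacks slides go on to list.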

Page 25: U of R – Machine Status Output II

Continuation of the same log: compliance result, MAC found by NetBIOS lookup of the client IP, the Nessus scan, the VLAN assignment, and the port bounce (the trailing 2 and 1 on the Downing/Upping lines are consistent with SNMP ifAdminStatus down(2) and up(1) on switch gry1a1):

141.166.58.95 0;Compliant
141.166.58.95 (141.166.58.95) 00123fda2192
141.166.58.95 (141.166.58.95) NBLookup time 4
ipaddr=141.166.58.95 hipaddr=141.166.58.95 (141.166.58.95) starting nessus scans
141.166.58.95 (141.166.58.95) Nessus time 17
141.166.58.95 (141.166.58.95) Nessus Scan Report
------------------------------------
…
This file was generated by the Nessus Security Scanner
141.166.58.95 (141.166.58.95) student
141.166.58.95 Downing gry1a1 10037 2
141.166.58.95 Upping gry1a1 10037 1

Page 26: Spare – U of R Registration Flowchart

Flowchart: University of Richmond Registration - Fall 2004, v0.4, 7/15/2004. The diagram has three lanes, Server (Windows/Unix), Client (Windows) and Shared Code. Its nodes, listed in the order the process on page 20 implies:

– User opens registration page and logs in
– Check machine type using nmap; if that fails, have the user claim an OS
– Windows? No: Register Computer (put MAC into Student VLAN), Exit Page
– Windows? Yes: Create MachineCheck Object; Created OK? Version OK?
– Set Automatic Updates on by policy
– MachineCheck Object is asked for the encrypted machine status
– Status is decrypted and verified; name/value pairs put in a Perl hash
– SAVCE installed? Definition dates, etc. OK? Patched? [via Nessus]
– All OK: Register Computer (put MAC into Student VLAN), Exit Page
– Not OK: instruct the user how to get patched, set the browser, install AV, etc., or instruct them to see the help desk; Retry? No: MAC into Black Hole, Failure Exit Page
– Student? No: Faculty/Staff registration page

Files named on the diagram: Obfuscate Encrypt/Decrypt Library (Obfuscate.cpp), UofRMachineCheck DLL, UofRMachineCheckDecode PM, UofRMachineCheckDecode EXE, TestMachineCheckServer.htm, UofRMachineCheckValidateMachine.pl

Page 27: Drawbacks/Issues

1. Relies on MAC addresses – enough said (a MAC is trivially changed, so a registered address can be cloned by a machine that never passed the checks)
2. Relies on OS determination
– Browser string can be changed
– Box can be completely firewalled and not respond, or the TCP stack can be modified
3. Does not continually monitor for issues
– Can scan in the back end for people who re-install OSes, etc.
– We can dump the students out of the database and cause a re-registration at will if we add a scan or modify a requirement
  » Best done in some rotation so as not to swamp the registration page with 3000 students at one time
4. Does not ensure that the machines are virus-free:
– U of R runs one full scan weekly on every system – scheduled from the parent server
– Virus logger report that culls and e-mails logs: http://is.richmond.edu/techsupport/security/Downloads.htm
5. Deletion of registry keys means that you can turn off automatic updates
– No solutions here…

Page 28: Drawbacks/Issues (continued)

6. U of R only checks worm holes, not for other patches
– Could easily be modified to check for some via the registry, but this is an onerous process to keep up with (particularly with a compiled ActiveX control) and I would rather make sure they are all patched automatically
7. Students can uninstall anti-virus
– No solutions here… back-end checking required
8. Students (Business, Continuing Studies) who cannot install University AV on work machines
– Manual registration – also Windows 98 has to be manually registered since it cannot run SAV 10
9. Guests / Speakers:
– Guest VLAN for accounts to which we will only give Internet access for a very limited time
10. Dial-up / VPN
– No solutions here…

Page 29: Conclusions

These systems work seamlessly in the vast majority of cases.
– Enforce security policy at specific points in time
– Help to identify the endpoints within protected networks
– Provide a framework to respond to a large scale worm incident via automatic processes
– Yield useful statistics which can aid in network, application, and resource planning

Page 30: Contacts

Dan Veloce, George Mason University, dveloce@gmu.edu
MUST System: http://sandbox.ssgad.gmu.edu

Chris Faigle, University of Richmond, [email protected]
U of R Machine Check: http://is.richmond.edu/techsupport/security/Downloads.htm

Page 31: Questions?