RE: CRIME Remote User System Validation

From: Buelna, Derek (derek.buelna@private)
Date: Fri Mar 05 2004 - 10:24:16 PST


    Thank you for your input. Yes, I agree there are a number of tools that provide some of this functionality, but what I need is enforcement at the perimeter. Many of the ISS features are nice, and the SUS server and HFNetChk are also great tools. However, I believe that we all need the ability to make decisions at the perimeter. Before you allow in client x, the device should meet certain criteria including security patch levels, DAT files, no sniffer or Quake installed perhaps, etc. This is the technology that I'm referring to as being in its infancy. The Microsoft solution appears to do exactly what I want - if a device doesn't meet certain requirements, then it isn't allowed in, but quarantined into a network where the user has the ability to get the software they need to get compliant. Implementing a Microsoft VPN solution scares the heck out of me, though. I hear Cisco is working with McAfee and Symantec on an API related to admission control, so hopefully we'll see more products.
    
    -Derek
    
    
    -----Original Message-----
    From: owner-crime@private [mailto:owner-crime@private]On Behalf Of
    Andrew Plato
    Sent: Thursday, March 04, 2004 6:23 PM
    To: Buelna, Derek; crime@private
    Subject: RE: CRIME Remote User System Validation
    
    
    I wouldn't say this type of thing is in its infancy. There are quite a
    few tools that can provide the types of things you want to accomplish.
    What doesn't exist, yet, is a single tool that can do all of those
    things. 
    
    Some of those features are included in RealSecure Desktop Protector.
    Anti-virus DAT files can be checked. If they are older than a specific
    date, the user is prompted to update them and/or the firewall can block
    access to the corporate network. A little tricky to implement, however. You
    can also do application-level controls as well. All apps on the machine
    are hashed and any changes prompt the user. You can control all this
    centrally through SiteProtector. 
    
    
    Patch levels can be easily assessed via MS tools. MS patches can be
    deployed via their SUS server. However, its functionality is somewhat
    limited. Might want to look at HFNetChk or Patchlink for larger, more
    robust patch deployment. You can easily audit patch levels with their
    Baseline Security Analyzer. There are other assessment tools that can accomplish
    the same thing. eEye's Retina scanner can do some of that, and it's fast
    as hell. 
    
    You might also want to look into Sygate's desktop solution. They have
    some unique features to their desktop firewall that can do some in-line
    filtering. Their product is a little cumbersome, however. But, I have a
    few clients who like it. 
    
    SSL VPNs are generally not going to reach too far into the OS. The whole
    idea behind an SSL VPN is that it has a very lightweight front end. What
    the SSL VPNs are doing is controlling access to specific applications
    via protocols. 
    
    There are quite a few options in this space. Ideally, you might want to
    put together a comprehensive desktop control / security program. 
    
    
    ___________________________________
    Andrew Plato, CISSP
    President/Principal Consultant
    Anitian Enterprise Security
    
    
    
    -----Original Message-----
    From: owner-crime@private [mailto:owner-crime@private] On Behalf
    Of Buelna, Derek
    Sent: March 04, 2004 5:21 PM
    To: crime@private
    Subject: CRIME Remote User System Validation
    
    I would like to start a discussion in reference to the validation of remote
    users' anti-virus DAT files, patch levels, installed software and so on.
    My understanding is that the technology associated with doing this type
    of thing is in its infancy. Cisco is working on their admission
    control, Microsoft has their Quarantine server along with 2003 IAS, Zone
    Labs has a product and I've heard some talk of SSL based VPNs
    implementing some of this functionality but none of these really meet my
    needs. I suppose the Zone Labs product would work if it didn't
    constantly crash machines!
    
    The Quarantine thing looks pretty good, except many of us are concerned
    with the security of an MS VPN solution and we've got non-Windows
    machines that need to connect. I assume that a bolt-on solution would be
    much more attractive for most of us.
    
    Your opinions, thoughts, advice, etc. would be very much appreciated!
    
    
    Derek A. Buelna, CISSP, CCIE
    Information Security
    XEROX Office Group
    
    Any ideas or opinions expressed above do not necessarily reflect those
    of my employer.
    
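The perimeter decision Derek describes (check patch levels, DAT file age and prohibited software before a client is admitted, otherwise drop it into a remediation network) and the DAT-age check Andrew describes in RealSecure, written out as an added example. This is not code from the thread or from any product named in it (RealSecure, SUS, HFNetChk, the Cisco or Microsoft admission-control work); it is a small policy engine that takes a client's posture report and answers ALLOW or QUARANTINE with the reasons. Every patch identifier, hostname, date and policy value is a made-up assumption for illustration, and the per-OS policy table is how it copes with the non-Windows machines Derek mentions: an OS family with no policy is quarantined rather than waved through.

```python
"""Perimeter admission decision from an endpoint posture report.

Added example, not code from the mailing-list thread or from any product
mentioned in it.  A gateway receives a posture report from a client,
evaluates it against a per-OS policy, and answers ALLOW (production
network) or QUARANTINE (remediation network that can reach only the update
sources).  All patch IDs, hosts, dates and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Policy:
    # Patch identifiers each OS family must have.  An OS family with no entry
    # is quarantined (fail closed) rather than admitted as "unknown".
    required_patches: dict
    max_dat_age: timedelta       # how stale the AV signature (DAT) file may be
    banned_apps: frozenset       # software whose presence disqualifies a host
    remediation_hosts: tuple     # what a quarantined client may still reach


@dataclass(frozen=True)
class PostureReport:
    hostname: str
    os_family: str
    installed_patches: frozenset
    dat_date: date
    installed_apps: frozenset


@dataclass(frozen=True)
class Decision:
    verdict: str           # "ALLOW" or "QUARANTINE"
    reasons: tuple         # empty for ALLOW
    allowed_hosts: tuple   # remediation targets for QUARANTINE, () for ALLOW


def evaluate(report, policy, today):
    """Return a Decision for one posture report against one policy."""
    reasons = []

    required = policy.required_patches.get(report.os_family)
    if required is None:
        reasons.append(f"no admission policy for OS family {report.os_family!r}")
    else:
        missing = sorted(required - report.installed_patches)
        if missing:
            reasons.append("missing patches: " + ", ".join(missing))

    dat_age = today - report.dat_date
    if dat_age > policy.max_dat_age:
        reasons.append(f"AV DAT file is {dat_age.days} days old "
                       f"(limit {policy.max_dat_age.days})")

    banned = sorted(policy.banned_apps & {a.lower() for a in report.installed_apps})
    if banned:
        reasons.append("prohibited software: " + ", ".join(banned))

    if reasons:
        return Decision("QUARANTINE", tuple(reasons), policy.remediation_hosts)
    return Decision("ALLOW", (), ())


# Constructed sample policy and reports; none of these IDs or hosts are real.
POLICY = Policy(
    required_patches={
        "windows": frozenset({"KB-A", "KB-B"}),
        "linux": frozenset({"PATCH-X"}),
    },
    max_dat_age=timedelta(days=7),
    banned_apps=frozenset({"sniffer", "quake"}),
    remediation_hosts=("sus.example.internal", "av-updates.example.internal"),
)

TODAY = date(2004, 3, 5)

REPORTS = [
    PostureReport("laptop01", "windows", frozenset({"KB-A", "KB-B"}),
                  date(2004, 3, 3), frozenset({"Outlook"})),
    PostureReport("laptop02", "windows", frozenset({"KB-A"}),
                  date(2004, 2, 1), frozenset({"Outlook", "Quake"})),
    PostureReport("box03", "linux", frozenset({"PATCH-X"}),
                  date(2004, 3, 4), frozenset()),
    PostureReport("mystery04", "beos", frozenset(), date(2004, 3, 4), frozenset()),
]


def decide_all(reports=REPORTS, policy=POLICY, today=TODAY):
    """Map hostname -> Decision for every report."""
    return {r.hostname: evaluate(r, policy, today) for r in reports}


if __name__ == "__main__":
    for host, d in decide_all().items():
        print(host, d.verdict, *d.reasons, sep="\n  ")
```

The one caveat a practitioner would want stated: the report is asserted by the client, so a compromised or hostile endpoint can simply lie about its patches and DAT date. A check like this raises the hygiene floor for cooperative clients; it does not authenticate the machine's state, which is why the agent-side hashing and central control Andrew describes, and the enforcement point at the perimeter Derek wants, both matter.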



    This archive was generated by hypermail 2b30 : Fri Mar 05 2004 - 11:13:17 PST