Tech Talk
Network Jail Technologies Dissected
The increase in computer worms and malware infections has driven companies to seek out the ability to quarantine "un-trusted" systems. The definition of an un-trusted machine varies, but for the most part companies are concerned with systems that are not up-to-date on patches and anti-virus signatures. These are the systems that companies wish to detect when they connect to the corporate network, and once detected they would be placed into a "network jail". There are several products on the market today that provide such functionality. On the surface these technologies can help protect networks, but in many cases these technologies are being asked to do more than what they were initially designed for. Also, while comparing marketing material and case studies for the top vendors of jailing technologies against the technical functionality of the systems, a few important benefits and misconceptions arose.
Network Jailing Technology Defined
The general idea of "network jailing" is that if a machine does not strictly adhere to a corporate-defined security policy, it will be declined full network access until it meets that specific policy. The policy could include virus scan definitions, patch levels, or general corporate requirements. These policies are typically enforced by a security agent running on the host, but may also be verified with a remote scan. A scanner is the most important part of the jailing process, as it separates compliant hosts from non-compliant ones.
A scan is performed against a machine resulting in a "vulnerable" or "not vulnerable" report being sent to a network access system. Based upon the policy that has been created for the organization, the jailing management engine can then make the decision whether the vulnerability level is high enough to cease network connectivity with this particular host. It should be noted that the policy can be based upon multiple factors: severity of the vulnerabilities detected, which mitigating factors are present, the authenticated user's privileges, and the present network threat level. The classifications from the security agent are usually broken down as follows:
1. Compliant System: These are fully compliant machines from the perspective of the scanner. A compliant system has been scanned and has been found with no security policy violations. The host is authorized for full network access.
2. Non-Compliant System: These are hosts that have been scanned but may be missing one or more updates or required configurations. A non-compliant system has been scanned and has been found with one or more significant policy violations. Depending on the jailing manager, the host may be jailed in a virtual LAN until all vulnerabilities have been remedied.
3. No Report: The vulnerability scan failed or there was no security agent installed. These may also include OS platforms on which a security agent cannot be installed. A "no report" host is denied full network access and will be jailed until a "compliant" report is produced.
Benefits of Jailing Technology
The best application for jailing technology is perimeter protection. This is performed successfully by using lightweight clients to enforce compliance on mobile devices during the time that they are disconnected from the internal enterprise network. If the machine has not been connected to the Internet following a patch release, then once it connects to the corporate network -- or via a remote connection such as VPN -- the machine will receive the patch prior to receiving normal access. This is especially beneficial if an exploit for a vulnerability, such as a worm, has been released and has infected the host. The machine is quarantined from network connectivity until deemed "compliant".
A good jailing system has a decision engine that allows for multiple variables. Jailing decisions typically take into consideration user type, device type, network security ratings, as well as other important variables for determining security and access. This allows for administrators to create finely tuned policies to maximize availability while minimizing vulnerability. For instance, a policy may allow for machines to be without a certain patch within two days of the rollout of that patch, because this period has the least amount of risk for a working exploit that takes advantage of the vulnerability being patched.
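The classifications and the multi-variable decision engine described above, as an added illustration (not any vendor's code): the classification names, report fields, patch identifiers and the "restricted" access tier are constructed assumptions, and the two-day grace window and the mitigating-factor exceptions follow the policy sketched in the text.

```python
from datetime import date, timedelta

GRACE_DAYS = 2  # a required patch may be missing for two days after release

def unexcused_missing(report, policy, today, threat_level):
    """Required patches the host lacks, minus those still inside the grace window."""
    missing = []
    for pid, (released, service) in policy["patches"].items():
        if pid in report["patches"]:
            continue
        recent = (today - released) <= timedelta(days=GRACE_DAYS)
        if recent and threat_level == "normal":
            continue  # exploit risk judged lowest right after release
        missing.append((pid, service))
    return missing

def classify(report, policy, today, threat_level="normal"):
    """Return (COMPLIANT|NON_COMPLIANT|NO_REPORT, full|restricted|jail)."""
    if report is None:  # scan failed or no agent answered
        return "NO_REPORT", "jail"
    missing = unexcused_missing(report, policy, today, threat_level)
    av_stale = report["av_signature"] < policy["required_av_sig"]
    if not missing and not av_stale:
        return "COMPLIANT", "full"
    # Mitigating factors: a host IPS, or the vulnerable service being disabled,
    # can cover a missing patch; a stale AV signature is never excused.
    disabled = set(report.get("disabled_services", ()))
    has_ips = "host_ips" in report.get("mitigations", ())
    covered = all(has_ips or svc in disabled for _, svc in missing)
    if covered and not av_stale and report.get("user_role") != "guest":
        return "NON_COMPLIANT", "restricted"  # on the LAN, queued for updates
    return "NON_COMPLIANT", "jail"

# Constructed sample policy and host reports (patch names are placeholders).
TODAY = date(2005, 10, 17)
POLICY = {"required_av_sig": 4200,
          "patches": {"PATCH-A": (date(2005, 8, 9), "appsvc"),
                      "PATCH-B": (date(2005, 10, 16), "msdtc")}}  # out 1 day
HOSTS = {
    "laptop1": {"patches": {"PATCH-A"}, "av_signature": 4210, "user_role": "staff"},
    "laptop2": {"patches": {"PATCH-B"}, "av_signature": 4210, "user_role": "staff",
                "disabled_services": {"appsvc"}},
    "laptop3": {"patches": set(), "av_signature": 4100, "user_role": "staff"},
    "printer1": None,  # no agent, remote scan failed
}

def decide_all(hosts=HOSTS, today=TODAY, threat_level="normal"):
    """Run the engine over every host report."""
    return {n: classify(r, POLICY, today, threat_level) for n, r in hosts.items()}
```

Raising the threat level to anything other than "normal" closes the grace window, so laptop1 (missing only yesterday's patch) drops from full access to jail.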
If a well-tuned corporate jailing policy has been established, a jailing system will offer a persistent addition to LAN perimeter security. However, a few misconceptions on this technology still remain.
Jailing Technology Misconceptions
Misconception 1: Compliance != Good Intentions
Jailing systems are not positioned to stop a determined attacker. A typical misconception is that a machine must be vulnerable to an attack in order to launch it. In fact, an attacking computer will typically have vendor-supplied patches applied to it. Any machine can send the necessary packets to another machine in order to exploit it regardless of patch level or platform. Although this machine may be "compliant", the user that has now been authorized full access has just passed through the jail decision engine with no alterations.
An excellent example of the risk of allowing compliant machines full run of the network is last year's Sasser worm. A machine that became infected with Sasser and was later patched would remain infected until it had been disinfected. Thus, the patched machine would satisfy the jailing policy, but would attempt to infect other machines once allowed into the network.
Misconception 2: Jailing Replaces Other Security Technologies
Although beneficial, jailing systems have a niche and do not overlap other network security technologies enough to be able to replace them. As mentioned above, this technology is not intended to stop attackers. This technology is also not intended as a patch management system. The intention is to provide a lightweight network admission system based on the present state of machines. Although some lightweight jailing clients may offer some inherent protection, all other best-practice security infrastructure should remain intact while the jailing system offers a new layer of protection for the perimeter.
Misconception 3: Jailing Systems Offer Simple Deployment and Maintenance
The three most important parts of an enterprise network are confidentiality, availability, and integrity. Jailing inherently detracts from availability. There is a conscious effort being made to deny network access until a scan is performed, results are computed, a jailing decision is determined, and the host is potentially updated. For dialup and VPN users, which represent a large share of perimeter users, this can be a very time-consuming process that is initiated upon every logon. This is somewhat alleviated by the use of a lightweight host-based client that can perform persistent scans and report to the network immediately upon connection instead of waiting for a remote scan to be performed. However, the fact remains that availability will be negatively affected for every perimeter user. This impact is directly affected by the size of the perimeter network, and a large jailing system deployment can interfere with other network traffic (especially if using remote scanning) and frustrate users that are being denied access until their computer is deemed "compliant". This can be somewhat alleviated using a well-tuned jailing security policy.
Misconception 4: All Non-Compliant Machines Should Be Denied Access
A machine that has been deemed non-compliant may not be vulnerable to most attacks. This can be due to mitigating factors such as a host-based intrusion prevention system or disabled services. Such machines should be allowed network access to improve business continuity, and should be placed in order of patch precedence to receive their compliance-issue updates while idle (see last month's VERSA article on prioritizing patches). Also, certain settings found on a host that violate the compliance policy may be necessary for certain custom applications or services to run. Ultimately such exceptions should all be built into the compliance policy, but the policy can become increasingly complicated as more users are required to comply with the jailing system.
Misconception 5: Any Machine Granted Access is Impenetrable
Machines that have passed the jailing system and have been given network access should not be considered any less vulnerable than they had been prior to the deployment of the jailing technology. As an example, certain worms have been shown to create registry keys that would fool most remote vulnerability scanning engines into believing they have been patched. This scenario may allow for a jailing system bypass, and is an example of how a lightweight host-based scanning agent with perpetual and correlated scans would prove to be more effective.
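The correlated-scan idea from Misconception 5, as an added illustration that is not part of the original article: a remote check that trusts only a registry "patch installed" marker is reconciled against the host agent's report of the patched binary's file version. The report format, the version value and the host names are constructed assumptions.

```python
# Correlating a remote scan result with host-agent evidence (hypothetical formats).
PATCHED_FILE_VERSION = (5, 2, 3790, 1830)  # constructed: version the fix ships

def parse_version(text):
    """'5.2.3790.1830' -> (5, 2, 3790, 1830); tuples compare element-wise."""
    return tuple(int(part) for part in text.split("."))

def correlate(remote, agent):
    """remote: {'patch_key_present': bool} from the network scanner.
    agent:  {'file_version': str} from the host agent, or None if no agent.
    Returns (classification, reason)."""
    key_says_patched = remote["patch_key_present"]
    if agent is None:
        # A remote "patched" verdict alone is not trusted: the marker can be forged.
        reason = "remote marker only, unverified" if key_says_patched else "patch missing"
        return "NON_COMPLIANT", reason
    binary_patched = parse_version(agent["file_version"]) >= PATCHED_FILE_VERSION
    if key_says_patched and not binary_patched:
        # Registry claims the patch but the binary predates it: the pattern left
        # when malware plants the key to fool a remote scanner. Jail and investigate.
        return "NON_COMPLIANT", "marker present but binary unpatched: investigate"
    if binary_patched:
        return "COMPLIANT", "agent confirms patched binary"
    return "NON_COMPLIANT", "patch missing"

# Constructed evidence for three hosts: (remote result, agent result).
EVIDENCE = {
    "hostA": ({"patch_key_present": True}, {"file_version": "5.2.3790.1830"}),
    "hostB": ({"patch_key_present": True}, {"file_version": "5.2.3790.1700"}),
    "hostC": ({"patch_key_present": True}, None),
}

def correlate_all(evidence=EVIDENCE):
    """Reconcile both evidence sources for every host."""
    return {host: correlate(r, a) for host, (r, a) in evidence.items()}
```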
Conclusions
When looking at jailing systems, identify those vendors with a solid vulnerability scanner, as compliance reporting is the most important piece of the jailing system. Also, lightweight agent-based scanners have proven to be the most efficient at maintaining network availability while increasing thoroughness of the scan itself.
Network jailing technology can offer a significant benefit to large enterprises, especially those with mobile users. A jailing system will help enhance perimeter security by enforcing defined policies, but like most security technologies, it is not the "silver bullet" for perimeter security. This new technology will help to stop automated attacks such as worms, and will help to enforce a company policy for the mobile infrastructure; however, it is still unable to protect from a moderately crafty attacker.
Source: Andre Derek Protas, Research Engineer, eEye Digital Security
News & Articles
The following articles represent the opinions of their respective authors. They do not necessarily represent the opinions of eEye Digital Security.
News.com: Critical Windows Patch May Wreak PC Havoc
"The flaw, tagged 'critical' by Microsoft, lies in a Windows component for transaction processing called the Microsoft Distributed Transaction Coordinator, or MSDTC. Installing the patch can cause serious problems, Microsoft said in an advisory posted to its Web site Friday. The patch could lock users out of their PC, prevent the Windows Firewall from starting, block certain applications from running or installing, and empty the network connections folder, among other things, the software maker said." Full Article
The Age: Security is Not a PR Problem
"In January 2002, Microsoft announced what it called a Trustworthy Computing Initiative. The term was trademarked, a paper published and everyone was made to feel that the company would be taking steps to improve the abysmal security of its products. Three years on, it doesn't look like too much has changed." Full Article
News.com: Nessus Security Tool Closes Its Source
"The source code of one of the world's most popular free security tools will no longer be available to all, its creator has announced, saying the software's open-source license was fueling competition." Full Article
NewsFactor: Spyware Spreads Despite Security Efforts
"'Spyware writers understand that their model is under siege, and to survive they're employing every tactic that they can,' said Michael Scott, community education specialist for the Utah Attorney General's Office. 'They know there's legislation out there. They know the federal government is looking at this.'" Full Article
Reader Q&A
Q: I see that Retina allows me to scan using multiple credentials. If I scan a range that contains both Windows and Linux machines, and multi-select credentials for Windows and Linux, will it scan each OS with the appropriate credentials?
A: If possible, you should create an address group for the Windows systems and another for the Linux systems. Then, associate Windows credentials with the Windows address group and Linux credentials with the Linux group.
If this is difficult to accomplish in your environment, it would be best to provide one or more administrator-level credentials for Windows and root credentials for Linux. Retina will try the first set of credentials, and if those are not admin-level for the machine being scanned, it will try the next set. If those credentials suffice it will use them for scanning that machine. On the next machine it will start the process of selecting the best credentials again. If none of the credentials allow for administrator access, Retina will perform a null session scan.
Have a question you would like answered? Send it to versa@eEye.com, and win an eEye t-shirt if we select your question for an upcoming newsletter.
Announcements
eEye Makes Available Free MSDTC Scanner
eEye Digital Security has discovered a critical vulnerability in the Microsoft Distributed Transaction Coordinator (MSDTC) service that would allow an anonymous attacker to take complete control over an affected system. The Retina MSDTC Scanner is available free of charge to help organizations (that depend on DTC stuff) identify vulnerable assets. Full Article
eEye Releases Retina® Version 5.4
Enhancements to Retina Network Security Scanner include: increased alerting capabilities, additional scan configuration capabilities, and extended enterprise reporting features. To learn more about Retina and download a trial, visit: Full Article
eEye Products Nominated for 2006 SC Magazine Awards
eEye's Retina (Best Security Solution, Best Vulnerability Assessment), Blink® (Best New Security Solution, Best Endpoint Security Solution, Best Intrusion Prevention, Best Anti-Worm), and Iris® (Best Computer Forensics) are among the nominees this year. The awards were developed to reflect professional achievement, as well as technical excellence around the world. We encourage you to help our products receive the recognition they deserve by casting your vote today! Full Article
Etcetera
Microsoft Consults Ethical Hackers at Blue Hat
For the second year in a row, Microsoft Corp. invited a small number of hackers onto its campus to crack the company's products for all to see. Blue Hat V2 was held on Thursday and Friday and teamed noted 'white hat' hackers with Microsoft employees to break into and expose security weaknesses in the company's products. More
HOW TO SUBSCRIBE
To subscribe to this and other eEye newsletters, please visit: http://www.eeye.com/html/resources/newsletters/subscribe.html
FEEDBACK
The eEye newsletter staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to versa@eeye.com.
DISCLAIMER
The information within this newsletter may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
NOTICE
Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of eEye. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email versa@eeye.com for permission.