Educause Security Discussion mailing list archives
Re: Checking for AV software on students' machines
From: "Jason S. Cash" <cash () UDEL EDU>
Date: Thu, 10 Jun 2004 10:03:33 -0400
On Thu, 10 Jun 2004, Nathan Hall wrote:
Date: Thu, 10 Jun 2004 08:57:21 -0400
From: Nathan Hall <hallnk () ONEONTA EDU>
Reply-To: The EDUCAUSE Security Discussion Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Checking for AV software on students' machines

Stephen Bernard wrote:

It sounds like what is being said is, "as long as the external symptoms of a problem are hidden it isn't a problem". This is exactly why some network security practitioners take the tack that firewalls are a bad thing because they make system administrators complacent and leave end users naively vulnerable.

I think that before we can judge how successful a solution is we must define the problem we are attempting to solve. Here at Oneonta our initial intent was to prevent rapidly spreading network worms (think Blaster, Nachi, Sasser). These worms generally spread by remote buffer overflows. If a host has a firewall configured in a way that prevents Nessus from detecting the vulnerability, the host will also be invulnerable to a worm exploiting that vulnerability. As our goal was to prevent the spread of worms, machines with an appropriately configured firewall do meet this goal. The potential for changes in firewall rules is one of the reasons we continue to scan the network for newly vulnerable hosts.

We are now working on expanding our system to deal with other infection vectors, such as those you mention. There are a number of ways we are looking to deal with this:

IDS/Honeypot - We have currently integrated Snort into our system. Machines with traffic matching a small set of signatures are automatically removed from the network. In the future we may also add one or more honeypots to detect hosts attempting to attack our network.

Banner Scanning - We have created a small utility to scan for known banners on specific ports. Many recent viruses open listening ports and will respond with a known response upon connection or execution of a specific command. Integration of this tool with our system will allow us to identify some infected hosts and remove them from the network.

Anti-Virus - This is why I originally posted to the list. We would like to be able to verify that all students are running an updated anti-virus solution. If everyone was running updated AV many potential infections would be prevented. This is the most appealing as it actually prevents the infection, as opposed to the two above, which are both reactive.

While none of these solutions are perfect, they are all better than nothing. We expect that when combined they will provide us with a powerful tool to improve the security of our network.
I believe the Cisco Security Agent (formerly Okena?) can check the status of a PC's anti-virus software, as well as perform fancy worm intervention tricks. There is significant cost associated with this system, as well as becoming a Windows admin for however many thousands of dorm machines you support. If anyone is using this in a dorm environment I would love to hear about it, especially if it generates thousands of "unreal tournament runs slow because of your control software" trouble tickets.

We have been using a homegrown system that keeps machines in a net 10 jail until registered, and registration involves automated lsass and dcom scans. For Blaster, we used hundreds of /29 subnets to limit the spread of machines brought to campus already infected.

Our best luck so far at keeping the network clean has been reactive netflow analysis. We collect netflow from core and border routers and grind it up in near real-time to find anomalies. This has worked very well for worms, scanners and spammers, but only after they start misbehaving. This also works for the smartbots that use port knocking and defeat traditional Nessus scanning.

Jason
Nathan

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Stephen Bernard
Sent: Wednesday, June 09, 2004 4:56 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Checking for AV software on students' machines

Brian Eckman wrote:

<snip>

Yes, the Windows firewall (ICF) will block these types of scans. But that is a good thing. We are implementing a NetReg-based solution, and would be ecstatic if all of the dorm computers would pass the scan because they have their firewall on. I would call that "mission accomplished".

Brian
--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.

It sounds like what is being said is, "as long as the external symptoms of a problem are hidden it isn't a problem". This is exactly why some network security practitioners take the tack that firewalls are a bad thing because they make system administrators complacent and leave end users naively vulnerable.

The MS firewall surely won't prevent an end user from downloading a trojaned music file which then posts their keystrokes, personal information, or business files to an IRC channel. It doesn't provide application protections. There isn't any mechanism for disallowing the disabling of the firewall, especially when the average user logs in with Administrator privileges.

It's very probable that malware exists or will come out that actually utilizes the personal firewall. The malware could re-configure the firewall so that it continues to block internal addresses from scanning it but allowing specific, encrypted (IPSEC) connections.

Steve
/*
Jason S. Cash
IT/Network and Systems Services
University of Delaware, Newark Delaware
e: cash () udel edu
v: 302-831-0461
*/
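The reactive netflow analysis Jason describes (grinding flow records from core and border routers to find worms and scanners after they start misbehaving) comes down to a fan-out check: one source touching many distinct destinations on the same port with tiny, short-lived flows. The following is an added example written for this archive page, not code from Delaware's homegrown system or from anyone in the thread. The flow records are constructed inline in a simplified five-field layout (src, dst, dport, proto, pkts), and the thresholds (min_targets, max_pkts) are assumptions to be tuned to a real network.

```python
from collections import defaultdict

# Constructed sample flow records (not real campus data), one flow per line:
# src_ip dst_ip dst_port proto packets
# 10.1.2.3 sweeps port 135 with 1-2 packet flows (Blaster-style fan-out),
# 10.1.9.9 is ordinary web browsing, 10.1.7.7 touches only two hosts.
SAMPLE_FLOWS = """\
10.1.2.3 10.1.5.10 135 tcp 2
10.1.2.3 10.1.5.11 135 tcp 2
10.1.2.3 10.1.5.12 135 tcp 1
10.1.2.3 10.1.5.13 135 tcp 1
10.1.2.3 10.1.5.14 135 tcp 2
10.1.2.3 10.1.5.15 135 tcp 1
10.1.9.9 192.0.2.10 80 tcp 340
10.1.9.9 192.0.2.11 443 tcp 512
10.1.9.9 192.0.2.12 80 tcp 89
10.1.7.7 10.1.5.10 445 tcp 2
10.1.7.7 10.1.5.11 445 tcp 1
"""


def parse_flows(text):
    """Parse the simplified flow layout into dicts; skip malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        src, dst, dport, proto, pkts = parts
        flows.append({"src": src, "dst": dst, "dport": int(dport),
                      "proto": proto, "pkts": int(pkts)})
    return flows


def fan_out_suspects(flows, min_targets=5, max_pkts=3):
    """Return {(src, dport): distinct_destinations} for sources whose
    small flows (<= max_pkts packets, i.e. probes or failed connects)
    reached at least min_targets distinct destinations on one port.
    Large flows are ignored so normal browsing does not count."""
    targets = defaultdict(set)
    for f in flows:
        if f["pkts"] <= max_pkts:
            targets[(f["src"], f["dport"])].add(f["dst"])
    return {key: len(dsts) for key, dsts in targets.items()
            if len(dsts) >= min_targets}


def ranked_report(flows, **thresholds):
    """Suspects ordered by fan-out, largest first, as (src, dport, count)."""
    suspects = fan_out_suspects(flows, **thresholds)
    return sorted(((src, dport, n) for (src, dport), n in suspects.items()),
                  key=lambda row: -row[2])


if __name__ == "__main__":
    for src, dport, n in ranked_report(parse_flows(SAMPLE_FLOWS)):
        print(f"{src} -> {n} distinct hosts on port {dport}: candidate for quarantine")
```

Because the check keys on flow size and distinct-destination count rather than on payload, it still fires for hosts whose firewall hides them from a Nessus scan; the trade-off, as Jason notes, is that it only catches a machine once it begins misbehaving. In practice the analysis would run over a sliding time window and exclude known scanners such as the campus vulnerability scanner itself.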