Defending Laptops with MinUWet
By Erick Engelke
Dec 18, 2015
Laptops and our future?
  laptops now outsell desktops
  we expect continued growth of laptops
  laptops present new opportunities for learning and budgets, but also new IT staff challenges
  laptop security issues are time-consuming for staff
  outdated antivirus definitions and OS updates need Internet connectivity to be updated
  Solution:
    We need a strategy which encourages responsible client laptop management
Possible Solutions
  Cisco NAC (Network Admission Control) - forklift upgrade
  Microsoft… NAP (Network Access Protection) vapourware due with Vista server
  UToronto Endpoint Security Policy (see Managing Self-Managed Computers at this conference) (just learned about it this May)
Continuum of Security
  none - anarchy
  available but optional
  encouraged / accessible
  heavily enforced
Accessible Security?
  make technology simple to conceptualize though not necessarily understand
  it becomes part of the culture
  examples:
    privacy of PIN numbers on debit cards
    security of SSL web sites
  eventual tolerance by users
How to Encourage Security
  Educate
  Reward
  Remind
  Nag
  Embarrass
  Punish
or
Possible Education Points
  1. secure your computer
     Antivirus, Workstation Firewall, Updates, …
  2. secure your applications
     MyWaterloo, SSH, Secure IMAP, VPN
  3. secure yourself
     best practices, (strong secret passwords), avoid probable malware
  users can conceptualize these points, but will they act?
MinUWet: Setting minimum standards
  NAA detects OS at login screen
  highly vulnerable OS's must endure a scan using MinUWet (currently only MS Windows)
    Antivirus enabled and up-to-date? Freshen!
    OS getting patches?
MinUWet: Setting minimum standards (cont.)
  HTTP always allowed, download patches
  pass test… get additional or "premium" network access
MinUWet: Setting minimum standards (cont.)
  only test once per week, cache results
  other OS's are not affected
  users who do not wish to participate or fail are granted web-only access
  web-only access is sufficient for AV and OS updates
  will still do existing security scans and SNORT
  complementary solutions add more security
Some MinUWet Facts
  idea is similar to Cisco NAC and MS NAP
  MinUWet is compatible with all existing hardware and safe with non-MS OSs (challenging, many PDAs claim to be Windows).
  local expertise, we can adapt it
  Cisco and MS solutions are stronger but more difficult to run and inflexible
  MinUWet doesn't have to be hack-proof, it just has to be better than today's mess!
  MinUWet - retired upon better options
Statistics from Two Week Engineering Trial
  6486 NAA Windows sessions
    3161 or 49% of sessions ran MinUWet
  628 distinct users ran MinUWet
    168 or 26% of them failed the test initially
    75 or 45% of those who failed later passed.
    this indicates users upgraded their systems
  zero security threats observed (snort)
Campus-wide Rollout
  March 2nd
    "help desks" co-ordinate information sharing
  March 3rd
    appears in daily newsletter
    brief message appears at each wireless user login
    both messages point to a web site where users can learn more and test their laptops (http://minuwet.uwaterloo.ca)
  Two Weeks Later: March 16th
    MinUWet goes live and enforces user security
Adding Memory
  Users didn't like testing every time
  we subsequently added memory - computers need only validate once per week
  2/3rds of passes are typically pre-approved
How it Works
  Client System
    user logs in using browser
    browser identifies OS
    download MinUWet
    run MinUWet
    collect stats
    transmit stats
    displays decision
  Web server
    logs user in
    checks OS against list
    looks for prior pass
    sets routing rules
    informs user of status
    makes decision
    changes router settings
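The web server's side of this flow (check the OS against the scanned list, look for a prior pass, then decide on access), as an added Python example that is not MinUWet's own code. The field names, the client identifier used as the cache key and the two age thresholds are assumptions; the slides state only the Windows-only scan, the once-per-week retest and the web-only fallback.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

RETEST_INTERVAL = timedelta(days=7)   # from the slides: validate once per week
MAX_AV_AGE = timedelta(days=14)       # assumed threshold, not from the slides
MAX_PATCH_AGE = timedelta(days=60)    # assumed: checks the trend, not the latest patch
SCANNED_OS = {"windows"}              # from the slides: currently only MS Windows


@dataclass
class Posture:
    """Stats the client tool transmits (hypothetical field names)."""
    av_enabled: bool
    av_definitions: datetime
    last_os_patch: datetime


def posture_ok(p: Posture, now: datetime) -> bool:
    """Antivirus enabled and reasonably fresh, and the OS is still getting patches."""
    return (p.av_enabled
            and now - p.av_definitions <= MAX_AV_AGE
            and now - p.last_os_patch <= MAX_PATCH_AGE)


def handle_login(cache: Dict[str, datetime], client_id: str, os_name: str,
                 now: datetime, posture: Optional[Posture] = None) -> Tuple[str, str]:
    """Return (access, reason). 'web-only' still allows HTTP for AV and OS updates."""
    if os_name.lower() not in SCANNED_OS:
        return "full", "os-not-scanned"      # other OSs are not affected
    last_pass = cache.get(client_id)
    if last_pass is not None and now - last_pass < RETEST_INTERVAL:
        return "full", "prior-pass"          # pre-approved, no rescan this week
    if posture is None:
        return "web-only", "no-scan"         # user declined or has not run the scan
    if not posture_ok(posture, now):
        return "web-only", "failed"
    cache[client_id] = now                   # remember the pass for one week
    return "full", "passed"
```

The returned access level is what the server would translate into routing rules; a cached pass expires after seven days, so a machine that stops updating drops back to web-only at its next scan.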
What we did right…
  MinUWet is not too strict
    not testing for absolute latest patch, look for trend
    users can still download the patches they need
    Web access granted until user demonstrates compromised/vulnerable system
    one week between tests, good compromise of security versus annoyance
  MinUWet is still strict
    Not a one-time deal, we catch computers that fall out of scope for patches
Future
  move to a shared database to store notes of problem users
  adopt a self-remediation system – some prefer human contact, others want automation.
  wider deployment, grad student offices, maybe residences
  eventual retirement when vendor product is better
Thank you