Educause Security Discussion mailing list archives

Re: Endpoint Security/Policy Enforcement Products


From: Jon Moore <jonm () ISC UPENN EDU>
Date: Thu, 10 Mar 2005 14:41:47 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Mar 10, 2005, at 2:21 PM, George Russ wrote:
> The agents I have worked with only have one purpose, and that is to
> allow the master server access to the PC. They do not report or send
> back any information, so for this product and most others the agent
> could not be compromised to send improper results. The master server
> looks in the registry for exact keys identifying products which it has
> listed as allowed or not-allowed. It also looks at running services to
> detect that proper software is running; some can even look for file
> names and folders.

But this requires code *somewhere* on the PC to run on behalf of the
master. *Something* is providing external access to the registry and/or
process table, and that something can be compromised and thus forged.

> There is no magic application for ensuring a device is 100% safe to
> allow on the network. But at this point I would settle for having 50%
> of them "safe" with current patches. Applications to ensure all
> computers are authorized and to a certain extent "clean" before they
> are connected to the network will become commonplace in the near
> future. I know most colleges are headed this way in some form or
> another.

I agree here, and in fact, as you noted, you are probably going to do
much better than 50% in practice, given that no one has observed "in
the wild" a trojan for current products like the ones I describe. My
point is just that administrators should keep the possibility of
trojans like these in the backs of their heads. If most colleges are
headed this way, then crackers will have more motivation to write such
malware (and malware that disables anti-virus programs already
exists...).

Don't get me wrong; I think these products are very helpful and useful.
I just think it's important that people know exactly what they provide
and what the risks are.

Jon
- --
Jon Moore
ISC Networking & Telecommunications
University of Pennsylvania

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFCMKMFx8TaElR3qMMRAqp/AJ9J6cUSjx/hmWxfZ3D8WICjNfLaDACeJQp1
oojFzMozVCXM7rPyBCP1PzU=
=pxTO
-----END PGP SIGNATURE-----
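The exchange above turns on one point: the master server can only judge what the code running on the endpoint tells it. The following is an added illustration, not code from either poster or from any product mentioned in the thread. It models a toy posture check of the kind George Russ describes (required and forbidden registry keys, required services) and then runs it against an honest agent and against a "trojaned" agent on the same dirty machine. Every policy value, registry path, service name and machine state is constructed for the example.

```python
"""Added example: a toy endpoint posture check, with an honest agent and a
trojaned agent that forges its report. Not part of the original message."""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed policy (hypothetical product names and registry paths).
POLICY = {
    "required_registry_keys": {
        r"HKLM\SOFTWARE\ExampleAV\Version",     # hypothetical AV product key
        r"HKLM\SOFTWARE\ExampleAV\LastUpdate",
    },
    "forbidden_registry_keys": {
        r"HKLM\SOFTWARE\ExampleP2P",            # hypothetical disallowed product
    },
    "required_services": {"ExampleAVService", "wuauserv"},
}


@dataclass
class Report:
    """What an agent hands back: registry keys present and services running."""
    registry_keys: set = field(default_factory=set)
    services: set = field(default_factory=set)


def evaluate(report: Report, policy=POLICY) -> tuple[bool, list[str]]:
    """Master-side check. Returns (compliant, findings).

    The server has nothing to go on except the report it was handed.
    """
    findings = []
    for key in sorted(policy["required_registry_keys"] - report.registry_keys):
        findings.append(f"missing required key {key}")
    for key in sorted(policy["forbidden_registry_keys"] & report.registry_keys):
        findings.append(f"forbidden key present {key}")
    for svc in sorted(policy["required_services"] - report.services):
        findings.append(f"required service not running {svc}")
    return (not findings, findings)


class HonestAgent:
    """Reads the (simulated) machine state and reports it faithfully."""

    def __init__(self, machine: dict):
        self.machine = machine

    def report(self) -> Report:
        return Report(set(self.machine["registry"]), set(self.machine["services"]))


class TrojanedAgent:
    """Same interface, but answers with a canned 'compliant' picture built
    from the policy it has observed, whatever the real machine state is."""

    def __init__(self, machine: dict, observed_policy=POLICY):
        self.machine = machine
        self.observed_policy = observed_policy

    def report(self) -> Report:
        return Report(set(self.observed_policy["required_registry_keys"]),
                      set(self.observed_policy["required_services"]))


# Constructed machine: AV absent, disallowed P2P installed, only wuauserv up.
DIRTY_MACHINE = {
    "registry": {r"HKLM\SOFTWARE\ExampleP2P"},
    "services": {"wuauserv"},
}


def run_demo() -> tuple[tuple[bool, list[str]], tuple[bool, list[str]]]:
    """Evaluate the same dirty machine through both agents."""
    honest = evaluate(HonestAgent(DIRTY_MACHINE).report())
    forged = evaluate(TrojanedAgent(DIRTY_MACHINE).report())
    return honest, forged


if __name__ == "__main__":
    honest, forged = run_demo()
    print("honest agent :", honest)   # (False, four findings)
    print("trojaned agent:", forged)  # (True, [])
```

The server-side logic is identical in both runs; only the report differs. Because `evaluate` never sees the machine, a compromised agent that learns what the server wants can pass a non-compliant host with no observable difference at the master, which is exactly the risk Jon asks administrators to keep in mind.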

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.
