Educause Security Discussion mailing list archives

Re: Endpoint Security/Policy Enforcement Products


From: Gary Flynn <flynngn () JMU EDU>
Date: Thu, 10 Mar 2005 14:57:38 -0500

We're using Perfigo here but, thus far, only for
a registration system. We have not yet implemented
the configuration management/network access control
piece although several universities have.

You might find the archives of the Perfigo list
useful:
http://listserv.muohio.edu/archives/perfigo.html

Perfigo has two sets of capabilities in the area under
discussion:

1) Nessus network scans. While nice when a client can't
   be tolerated, network scanners are getting less and
   less useful without custom desktop firewall rules. And
   they can't touch a client for depth of inspection,
   accuracy, and automation capabilities.

2) A client Perfigo called CleanMachines or SmartEnforcer.

   The client can do some simple checks such as registry
   values. My personal opinion on the way to use this is
   to write WMI scripts that allow full functionality
   including configuration management and post-infection
   cleaning when necessary. The client would just call
   the script and ensure it runs successfully.

   Consider the cleanup scripts many wrote after blaster.
   Modify the admission script to include Blaster removal,
   force everyone to re-register, and all your machines
   are automatically cleaned! Same potential for emergency
   virus signature updates, spyware removal, firewall
   configuration, etc. Taken a little further, you could
   have it do firewall log inspection and intrusion
   detection such as checking what programs are opening
   ports and what programs are listed in the registry Run
   entries.

   Basically you can create/recreate what you may already
   be using for desktop configuration management (netware/
   domain login scripts, group policies, etc.) with added
   network access control motivation. What you do or don't
   do on student machines to manage your network is up to
   you. :)

The functionality in these devices can be bypassed
and corrupted as someone else mentioned. But so can
almost anything else. What you have to ask yourself
is whether they provide a useful (not infallible)
solution to a problem. Are you better off with or
without it?

--
Gary Flynn
Security Engineer
James Madison University
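An added illustration of the admission-script idea in the post above (not code from the original message, from Perfigo, or from JMU): a PowerShell script that a NAC client could invoke, inventorying the registry Run entries and the programs listening on TCP ports and failing the check when something outside an operator-maintained allowlist appears. The allowlist contents and the exit-code convention are assumptions for the example; PowerShell is used here in place of the WMI scripting of the period.

```powershell
# Added example: client-side admission check in the spirit of the WMI-script
# approach. Exits 0 when nothing unexpected is found, 1 otherwise, so the NAC
# client can treat a non-zero exit as a failed check (assumed convention).

$AllowedRunEntries = @('SecurityHealth', 'OneDrive')         # assumed allowlist
$AllowedListeners  = @('svchost.exe', 'lsass.exe', 'System')  # assumed allowlist
$Findings = @()

# 1) Registry Run entries, machine-wide and for the current user
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Props = Get-ItemProperty -Path $Key
    # Skip the PS* metadata properties the registry provider adds
    $Names = $Props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        Select-Object -ExpandProperty Name
    foreach ($Name in $Names) {
        if ($AllowedRunEntries -notcontains $Name) {
            $Findings += "Unexpected Run entry '$Name' in $Key -> $($Props.$Name)"
        }
    }
}

# 2) Which programs are listening on TCP ports (process names via WMI/CIM)
$Procs = @{}
Get-CimInstance Win32_Process | ForEach-Object { $Procs[[int]$_.ProcessId] = $_.Name }
Get-NetTCPConnection -State Listen | ForEach-Object {
    $Owner = $Procs[[int]$_.OwningProcess]
    if ($AllowedListeners -notcontains $Owner) {
        $Findings += "Unexpected listener: $Owner (PID $($_.OwningProcess)) on port $($_.LocalPort)"
    }
}

# 3) Report findings; the exit code is what the admission client acts on
if ($Findings.Count -gt 0) {
    $Findings | ForEach-Object { Write-Output $_ }
    exit 1
}
Write-Output 'Admission check passed'
exit 0
```

Run it under an account with rights to enumerate all processes, since Get-NetTCPConnection and Win32_Process only show other users' processes to an administrator.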

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.
