Archive for January, 2007

The Vulnerability Market Place

Wednesday, January 31st, 2007

It was only a matter of time until a major newspaper (Brad Stone for the New York Times) picked up on the subject of trading vulnerabilities (article), specifically selling vulnerabilities to companies that provide some kind of service around them.

In a recent blog post at Matasano (iDefense Underbids on Vista Vulnerabilities) I commented: “No one guarantees the so-called 0-day really is a 0-day. The seller could have used it before, or sold it before, and still the knowledge of the existence of this vulnerability/exploit is not widely known”.

Theoretically speaking, one can sell a vulnerability to multiple parties, and/or abuse it for other purposes, without the buyer knowing.

The marketplace for vulnerabilities raises interesting legal and ethical questions regarding the actions of the companies buying these vulnerabilities and the source(s) they buy them from.

The Miracle of Life

Wednesday, January 24th, 2007

Last Wednesday my wife gave birth to our first child, a baby girl we named Or (Hebrew for “sunlight”).

There is nothing one can compare to the miracle of life. Being alongside my wife throughout the pregnancy, from the time we found out she was pregnant to the birth of our child, was certainly one of the most powerful experiences of my life.

Things to add to a NAC RFI/RFP

Monday, January 15th, 2007

Recently I have been answering several NAC RFIs/RFPs. To my surprise, I found that some important questions were missing from many of them.

I will highlight the questions I feel must be included in any RFI/RFP.

Question N.0: Definition
The first question is how the vendor defines NAC. A related question is which threats the NAC product is designed to mitigate.

Because NAC is such a hot concept, all kinds of products use the term to gain visibility. The answers to these questions will help you decide whether the vendor’s products focus on the issues you are trying to resolve.

Question N.1: Pre-Requisites
The second question I find missing is: list your NAC solution’s prerequisites. The prerequisites are the tasks that must be performed and the expenses that must be incurred for the solution to operate as advertised. A solution’s prerequisites expose implementation issues, hidden costs (setup, operational, etc.) and the complexity of implementing the solution.

Here are specific detailed questions:

  • Does the solution require network architecture changes?
  • Does the solution rely on specialized networking gear? – i.e. networking equipment from the vendor itself or from a third-party vendor.
  • Does the solution require the networking equipment to be upgraded or replaced?
  • Does the solution require the installation of software agents?
  • How are admission checks performed?

The answers to these questions will enable you to calculate the total cost of ownership of the NAC deployment, including labor, hardware (upgrades, replacements, number of appliances or servers needed, etc.) and complexity.

Question: Solution Architecture
Ask the vendor to describe the architecture of its NAC solution. Requesting a general description of the NAC architecture and then asking specific questions about the various techniques, methods and technologies will help you determine the strengths and weaknesses of the solution.

Question N.2: Element Detection
Another question I find missing is: Describe how your NAC solution performs element detection.

Element detection is a core feature that any NAC solution must support. It is the ability to detect, in real time, a new element attempting to attach to the network. If a NAC solution cannot perform element detection in real time, it can easily be defeated (i.e. you cannot defend against something whose existence you are not aware of).

Questions that can be listed under this part of the RFP:

  • How does the solution detect the presence of a new element?
  • Does the solution use agents for element detection? – If the answer is yes, then not everything can be detected. Elements on which you cannot install an agent will have to have their MAC addresses white-listed. This leaves you open to MAC spoofing-based attacks, where, for example, a white-listed printer is detached and a laptop spoofing the printer’s MAC address is attached, all without the NAC system’s knowledge, or yours.
  • Does the solution use the switch for element detection? – Not all switches support this feature. Relying solely on the switch’s capabilities to provide information about new elements connecting to it is generally not a good idea.
  • Is element detection performed in real time? – If not, there will be a time interval during which a malicious insider could operate freely on the network without being detected.
  • Does element detection include hosts other than Microsoft Windows-based elements? – If not, a malicious insider using a non-Windows OS might be able to operate freely on the network without being blocked.
  • How does the information about the elements residing on the network stay current?
  • Does the solution utilize DHCP for element detection? – If yes, there may be other elements operating on the network that do not use DHCP. Any element configured with a static IP address may not be detected by the NAC solution.
  • Does the solution utilize 802.1x for element detection? – If so, the networking equipment must support 802.1x, and there may be other prerequisites such as agent software installed on elements. Again, you may need to white-list devices that are not 802.1x compatible and expose your network to the risk of MAC spoofing-based attacks (see above for an explanation of MAC spoofing).
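The three weaknesses listed above (a MAC whitelist for agentless devices, DHCP-only visibility, and detection that is not real time) can be made concrete with a small passive detector. The following is an added example written for this post, not code from the original article or from any NAC vendor. All of its input is constructed: ARP sightings from a sensor on a span port, the DHCP server’s lease log, and a whitelist that pins each agentless device to the switch port it is expected on (that port-pinning heuristic is an assumption of the example, not something the post prescribes).

```python
"""Passive element detection, as a model for evaluating the NAC questions above.

Added example, not code from the original post or any NAC vendor. All data
below is constructed for illustration.
"""

# Constructed ARP observations: (seconds since start, MAC, IP, switch port).
ARP_OBSERVATIONS = [
    (0,   "00:11:22:aa:bb:01", "10.0.1.10",  "Gi0/1"),  # workstation, gets its IP via DHCP
    (5,   "00:11:22:aa:bb:02", "10.0.1.20",  "Gi0/2"),  # agentless printer, static IP
    (60,  "00:11:22:aa:bb:03", "10.0.1.250", "Gi0/3"),  # unknown device, static IP, never uses DHCP
    (400, "00:11:22:aa:bb:02", "10.0.1.20",  "Gi0/4"),  # the printer's MAC now seen on another port
]

# Constructed DHCP lease log: (seconds since start, MAC, IP). This is everything
# a DHCP-based NAC would ever learn about the network.
DHCP_LEASES = [
    (0, "00:11:22:aa:bb:01", "10.0.1.10"),
]

# Whitelist for devices that cannot run an agent: MAC -> expected switch port
# (port pinning is this example's assumption, not a requirement of the post).
WHITELIST = {"00:11:22:aa:bb:02": "Gi0/2"}


def detect_elements(observations, whitelist):
    """Walk the observations in order and emit detection events.

    Each event is (ts, kind, mac, ip, port). A never-seen MAC is a
    'new_element'; a known MAC on a different port is 'port_changed'; a
    whitelisted MAC on a port other than its pinned one is additionally
    flagged, because a whitelist keyed on MAC alone cannot tell the printer
    from a device borrowing its address (the MAC spoofing risk in the post).
    """
    known = {}   # mac -> (ip, port) of the most recent sighting
    events = []
    for ts, mac, ip, port in observations:
        if mac not in known:
            events.append((ts, "new_element", mac, ip, port))
        elif known[mac][1] != port:
            events.append((ts, "port_changed", mac, ip, port))
        if mac in whitelist and whitelist[mac] != port:
            events.append((ts, "whitelisted_mac_on_unexpected_port", mac, ip, port))
        known[mac] = (ip, port)
    return events


def dhcp_blind_spots(observations, leases):
    """MACs seen on the wire that never requested a DHCP lease.

    These are the static-IP elements a DHCP-only NAC would never detect.
    """
    leased = {mac for _, mac, _ in leases}
    seen = {mac for _, mac, _, _ in observations}
    return sorted(seen - leased)


def polling_detection_delay(first_seen_ts, poll_interval):
    """Seconds an element stays unnoticed when the NAC only polls the switch
    every poll_interval seconds instead of detecting in real time.

    The first poll strictly after first_seen_ts is assumed to notice it.
    """
    next_poll = (first_seen_ts // poll_interval + 1) * poll_interval
    return next_poll - first_seen_ts


if __name__ == "__main__":
    for event in detect_elements(ARP_OBSERVATIONS, WHITELIST):
        print(event)
    print("invisible to DHCP-only detection:", dhcp_blind_spots(ARP_OBSERVATIONS, DHCP_LEASES))
    print("delay for a host attached at t=60s with 5-minute polling:",
          polling_detection_delay(60, 300), "seconds")
```

Running it shows the printer and the static-IP device both missing from the DHCP view, a 240-second window during which a polling-based detector would not have noticed the device attached at t=60s, and the whitelisted MAC flagged once it appears on an unexpected port. The last point also shows the limit of the heuristic: if the spoofing device is plugged into the printer’s own port, there is no port change to catch, so a whitelist needs signals beyond the MAC address to be trustworthy.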

Question N.3: Compliance & Compliance Checks
Questions that can be listed under this part of the RFP:

  • What are the parameters that can be checked when an element is being admitted to the network?
  • Is a software agent required when performing compliance checks? If yes, this complicates the deployment of the NAC solution: as the number of systems on which an agent must be installed increases, so does the complexity of the deployment.
  • What operating systems are supported with compliance checks?
  • To what degree can the NAC solution assist the organization in meeting the requirements of compliance regimes like Sarbanes-Oxley, GLBA, PCI and HIPAA?
  • Can custom compliance checks be defined?

Question N.4: Quarantine
Describe the quarantine mechanism the solution uses.

There are a variety of quarantine methods in use, with varying strengths and weaknesses. You need to understand whether the quarantine method can be bypassed and whether a quarantined element can infect other quarantined elements.

Questions that can be listed under this part of the RFP:

  • Does the quarantine method rely on specialized hardware or software?
  • When an element is quarantined, is it possible for it to become infected by other quarantined elements? You need to evaluate whether the quarantine area is shared between the quarantined elements. If so, they are able to infect and penetrate each other.
  • When an element is quarantined, is it possible for other quarantined elements to try to penetrate it? An attacker might use a shared quarantine area as an entry point to the organization, infecting quarantined elements with 0-day malware. Once re-admitted to the network, these elements may give the attacker access to other parts of the network and to information it should not access.
  • Is the quarantine performed at Layer-2 or Layer-3? Layer-3 is problematic because elements would still be able to interact with other devices on the local subnet. It would allow the local infection of quarantined elements by another quarantined element, and let a quarantined element directly attack another quarantined element, abusing a vulnerability to gain unauthorized access.
  • Can the quarantine mechanism isolate virtual machines? – As virtualization becomes an integral part of the data center as well as R&D and QA environments, this is an important feature to note.
  • Can elements connected to a non-managed switch or to a hub be put into quarantine?
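The Layer-2 versus Layer-3 point above is easy to state and easy to get wrong in an evaluation, so here is a small reachability model that makes it explicit. It is an added example written for this post, not code from the original article or from any NAC product, and its network is constructed: two quarantined hosts on one access subnet, a remediation server and a production server on a second subnet behind the gateway. The two modes are deliberately simplified: “l3_acl” stands for an ACL applied at the gateway router, “l2_isolation” for per-port isolation in the access switch that lets a quarantined host reach only the remediation server.

```python
"""Model of what a Layer-3 versus a Layer-2 quarantine actually blocks.

Added example, not code from the original post or any NAC product. The
network, hosts and quarantine modes below are constructed for illustration.
"""
import ipaddress

ACCESS_SUBNET = ipaddress.ip_network("10.0.1.0/24")   # where quarantined hosts sit
SERVER_SUBNET = ipaddress.ip_network("10.0.50.0/24")  # behind the gateway router
SUBNETS = (ACCESS_SUBNET, SERVER_SUBNET)

QUARANTINED = {"10.0.1.10", "10.0.1.20"}   # two hosts that failed admission checks
REMEDIATION = "10.0.50.9"                   # patch/AV server quarantined hosts may reach
PRODUCTION = "10.0.50.5"                    # what the quarantine is meant to protect


def same_subnet(src, dst, subnets=SUBNETS):
    """True if src and dst share one of the known subnets (switched, not routed)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in net and d in net for net in subnets)


def can_reach(src, dst, mode, quarantined=QUARANTINED):
    """True if the model lets traffic from src reach dst under the given mode."""
    if src == dst:
        return True
    if src not in quarantined:
        return True            # non-quarantined hosts are unaffected in this model
    if dst == REMEDIATION:
        return True            # both modes permit the remediation server
    if mode == "l3_acl":
        # Traffic between hosts in one subnet is switched, never routed, so it does
        # not pass the gateway where the ACL lives: same-subnet hosts stay reachable.
        return same_subnet(src, dst)
    if mode == "l2_isolation":
        # An isolated port exchanges frames only with the permitted uplink, so
        # neither neighbours on the subnet nor routed destinations are reachable.
        return False
    raise ValueError(f"unknown quarantine mode: {mode}")


def lateral_pairs(mode, quarantined=QUARANTINED):
    """Ordered pairs of quarantined hosts that can still reach each other."""
    hosts = sorted(quarantined)
    return [(a, b) for a in hosts for b in hosts
            if a != b and can_reach(a, b, mode, quarantined)]


if __name__ == "__main__":
    for mode in ("l3_acl", "l2_isolation"):
        print(mode, "lateral pairs:", lateral_pairs(mode))
        print(mode, "quarantined host -> production:",
              can_reach("10.0.1.10", PRODUCTION, mode))
```

Under “l3_acl” the production server is blocked as intended, yet both quarantined hosts can still reach each other, which is exactly the shared-quarantine-area exposure described in the bullets above; under “l2_isolation” the lateral pairs list is empty. When a vendor answers the Layer-2/Layer-3 question, this is the property to check in the lab rather than take on trust.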

Question N.5: Enforcement
How does the NAC solution provide enforcement?

  • How is enforcement performed?
  • Is enforcement done at Layer-2 or Layer-3? Layer-3 is problematic because elements would still be able to interact with other devices on the local subnet.
  • Does enforcement involve the networking gear? If so, how? – The answer to this question may unveil hidden costs, ways to circumvent the solution, etc.
  • Does enforcement depend on specialized hardware? If yes, it may unveil hidden costs.
  • Does the enforcement depend on specialized software?
  • Can you enforce your NAC policy on individual virtual machines (specifically against virtual guests)?

Analyzing the vendor’s responses
The answers to the RFI/RFP questions allow you to analyze the technology of the NAC solution, its time-to-value and its total cost of ownership, all of which you must take into consideration when making a buying decision.

Analyze N.1: Technology
Evaluate the Security Strengths and Weaknesses of the Offered Solution
Learn whether the offered NAC solution meets your security requirements. Evaluate the weaknesses of the offered solution and determine whether the NAC solution can easily be bypassed.

Analyze N.2: Time to Value
One of the important aspects of deploying a NAC solution, and an important consideration when choosing one, is how long it will take to deploy the solution throughout the enterprise.

Analyze N.3: Cost
Calculate the Total Cost of Ownership
You should calculate the total cost of the implementation. For each NAC solution you evaluate, take into consideration the costs associated with deployment, as these may be much higher than the cost of the product. The overall cost should include the product, any networking gear upgrade and/or replacement, the servers needed for the solution, and the cost of the labor required to implement and manage the solution.

Conclusion: the NAC solution you should choose is one that provides strong technology, a short time-to-value period and a reasonable total cost of ownership.

SANS to certify Malware Removal Experts?

Saturday, January 13th, 2007

In their latest newsletter, the SANS organization states they are developing a new certification for Certified Malware Removal Experts.

I strongly suggest SANS read Jesper M. Johansson’s short article on Microsoft TechNet titled “Help: I Got Hacked. Now What Do I Do?”.

At the end of the day I am sure SANS will reach the obvious conclusion that the right course of action is to start from scratch.

3rd party applications and the iPhone

Friday, January 12th, 2007

In my opinion, a major mistake Apple is making with the iPhone is not allowing 3rd parties to install their software on it.

Jobs was interviewed by the New York Times and said:

“We define everything that is on the phone…You don’t want your phone to be like a PC. The last thing you want is to have loaded three apps on your phone and then you go to make a call and it doesn’t work anymore. These are more like iPods than they are like computers.”

“These are devices that need to work, and you can’t do that if you load any software on them…That doesn’t mean there’s not going to be software to buy that you can load on them coming from us. It doesn’t mean we have to write it all, but it means it has to be more of a controlled environment.”

It seems Apple will either certify applications or go its own way regarding applications on the iPhone.

In my opinion it will be a mistake. I understand their motive of making sure everything works as advertised, but isn’t that the job of the underlying operating system and the mechanisms they introduce with the phone? I believe it should be, rather than restricting their buyers.

Only time will tell, but it seems Apple has made a cool phone, and nothing more than a cool phone.