The machine in the previous example was open to exploitation because it was vulnerable, and it was vulnerable for the following reasons:
It did not receive and have installed the MS06-055 patch.
Though vulnerable, the system wasn’t restricted and was able to get itself into trouble.
There weren’t sufficient security technologies in place on the device to protect it while the system waited to receive the patch.
The absolute best way to protect against exploits is to entirely remove the vulnerability. This is different from relying on security software (such as antivirus software) to stop each individual exploit as it becomes available. This is one of the critical reasons why patching is so important. By installing a patch, the entire vulnerability is removed.
Not having received the MS06-055 patch is the reason the machine was compromised. If the system had had this patch, it wouldn’t have mattered how many different exploits tried to take advantage of that vulnerability; they all would have failed. The inability to patch devices while they are mobile is one of the biggest security deficiencies that companies have. I see this every single day. LAN-based NAC and LAN-based patching systems do nothing to address this problem.
144 Chapter 5 ■ Understanding the Need for Mobile NAC
Think back to the example mentioned in Chapter 2, the one related to the Fortune 500 company I worked with late last year. They had a LAN-based patching solution in place, such as WSUS, SMS, or Altiris. They stated that it didn’t matter if they could patch while devices were mobile; their users would either physically come back to the LAN on a routine basis, or certainly VPN back into the corporate network to receive the patches. As you’ll recall, that company was mistaken, as their systems had the following deficiencies:
Six Critical Microsoft patches were missing.
One Important Microsoft patch was missing.
Some missing Critical patches were new, and some were a few years old.
The antivirus definition files were out of date.
The systems had four SANS Top Ten Security Vulnerabilities, which are more than just missing patches.
NOTE LAN-based systems are not effective at patching mobile devices, period! I see this every single time I run a vulnerability assessment for companies that only have these types of solutions.
While the patching part is important, so is the quarantining. With LAN-based NAC, the concept of quarantining exists so that devices with insufficient security postures are unable to access data, infect other resources, and get themselves into more trouble. The need for this important concept doesn’t change simply because a laptop isn’t on the LAN.
If the victim in the previous example were restricted, then he or she wouldn’t have been exploited. Because the security posture was deficient, the victim shouldn’t have been able to surf the Internet freely; the victim should have been restricted. This restriction could have taken place at two different layers:
Layer 7 (Application Layer)— Since there was a huge security deficiency in Internet Explorer, the user should have been restricted from using Internet Explorer until the patch was installed.
Layer 3 (Network Layer)— Because of the critical deficiency, the system should have only been able to go to networks and subnets that the company felt appropriate while in a deficient state.
This restriction and quarantining would have stopped the victim from being exploited. The laptop would only have been able to use Internet Explorer and get to the malicious web page if it had received the missing patch. Once patched, it wouldn’t have mattered if the user viewed the page because the user was no longer vulnerable to any exploits relating to this vulnerability. Figure 5-12 illustrates the Layer 3 and Layer 7 restriction.
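The two-layer restriction just described can be expressed as a small policy engine on the endpoint: the agent compares the laptop's posture against the required patches and definition age, blocks the affected application at Layer 7, and confines the laptop to the remediation network at Layer 3 until the deficiency is gone. The following is an added example written for this page, not code from the book or from any NAC product; the remediation subnet, the patch-to-application mapping, the definition-age threshold and the sample dates are all constructed assumptions.

```python
# Added example (not from the book): posture-to-restriction policy engine
# for a mobile laptop. Everything below except the MS06-055 identifier is a
# constructed assumption used to illustrate Layer 7 and Layer 3 quarantine.
import ipaddress
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Set

# Constructed remediation network: the only destination a deficient laptop may reach.
REMEDIATION_NETWORKS = ("10.10.50.0/24",)
UNRESTRICTED = ("0.0.0.0/0",)


@dataclass
class Posture:
    """What the endpoint agent observed on the laptop."""
    installed_patches: Set[str]
    av_definitions_date: date
    observed_on: date


@dataclass
class Policy:
    """Required patches, each mapped to the application it fixes."""
    required_patches: Dict[str, str]
    max_av_definition_age_days: int


@dataclass
class Restriction:
    """Layer 7 blocks and Layer 3 reachability the agent should enforce."""
    blocked_apps: Set[str] = field(default_factory=set)
    allowed_networks: List[ipaddress.IPv4Network] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)

    @property
    def quarantined(self) -> bool:
        return bool(self.reasons)


def evaluate(posture: Posture, policy: Policy) -> Restriction:
    """Derive the restriction from the posture; a clean posture is unrestricted."""
    r = Restriction()
    # Layer 7: block every application whose required patch is missing.
    for patch_id, app in sorted(policy.required_patches.items()):
        if patch_id not in posture.installed_patches:
            r.blocked_apps.add(app)
            r.reasons.append(f"missing {patch_id} ({app})")
    # Stale definitions don't map to one application but still justify quarantine.
    age = (posture.observed_on - posture.av_definitions_date).days
    if age > policy.max_av_definition_age_days:
        r.reasons.append(f"antivirus definitions {age} days old")
    # Layer 3: a deficient laptop may reach the remediation servers only.
    nets = REMEDIATION_NETWORKS if r.quarantined else UNRESTRICTED
    r.allowed_networks = [ipaddress.ip_network(n) for n in nets]
    return r


def destination_allowed(r: Restriction, ip: str) -> bool:
    """Layer 3 check the agent runs on each outbound connection."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in r.allowed_networks)


def app_allowed(r: Restriction, app: str) -> bool:
    """Layer 7 check the agent runs on each process launch."""
    return app not in r.blocked_apps


# Constructed sample policy: the Internet Explorer patch from the example.
SAMPLE_POLICY = Policy(required_patches={"MS06-055": "iexplore.exe"},
                       max_av_definition_age_days=7)


def sample_posture(patched: bool) -> Posture:
    """Constructed laptop postures: one deficient, one fully remediated."""
    if patched:
        return Posture({"MS06-055"}, date(2006, 9, 19), date(2006, 9, 20))
    return Posture(set(), date(2006, 9, 1), date(2006, 9, 20))


if __name__ == "__main__":
    for patched in (False, True):
        r = evaluate(sample_posture(patched), SAMPLE_POLICY)
        print("patched" if patched else "deficient", "->", r.reasons or "no deficiencies")
        print("  IE allowed:", app_allowed(r, "iexplore.exe"))
        print("  remediation server reachable:", destination_allowed(r, "10.10.50.7"))
        print("  arbitrary web server reachable:", destination_allowed(r, "203.0.113.10"))
```

The deficient laptop ends up with Internet Explorer blocked and only the remediation subnet reachable, so the malicious page from the example could not have been loaded; once the patch is installed and definitions are current, `evaluate` returns an unrestricted result and both checks pass again.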
Mobile NAC and Direct Attacks 145
Figure 5-12 Layer 3 and 7 restriction (diagram labels: Vulnerable Laptop, Missing Critical Internet Explorer Patch; Layer 7: "I will prevent you from using Internet Explorer until you receive the critical security patch."; Layer 3: "I will control where you can go. Because you are deficient, you can only access specific servers to receive the IE patch."; Remediation Servers; Internet)
In addition to patching and restricting, it is still important to use layered security. Having an enterprise-grade personal firewall with intrusion prevention capabilities and zero day protection also would have helped prevent this attack. As discussed earlier, zero day protection protects against attacks that aren’t yet known. So, if a Microsoft patch wasn’t available yet or if a vulnerability wasn’t yet known, zero day protection could help.
There are a couple of very good enterprise-grade personal firewalls on the market today. These differ vastly from the firewall that comes with Windows XP SP2. In fact, if the Windows XP SP2 firewall were running in the previous example, the victim still would have been hacked. That firewall is very simple and has basic functionality.
On the other hand, if IBM’s Proventia client was running, the attack would have been stopped. That is because this firewall has advanced functionality and is more suitable for enterprises. (Proventia is the latest version of BlackICE and Real Secure Desktop Protector.) Figure 5-13 shows the Proventia client stopping the attack from taking place.
So, of these three ways to stop the attack from happening, which one is the best? The answer truly is that you must have all three. Nothing will catch everything, and layered security is important.
The big point to understand about this attack is that LAN-based NAC would have never been in the picture. Ask yourself these questions as they pertain to your own environment:
Do my laptops leave the corporate LAN?
Do my laptops work with data when they are outside of the LAN?
Do my mobile laptops surf the Internet?
Can I patch mobile laptops while they are mobile?
Can I restrict mobile laptops while they are mobile?
Figure 5-13 Proventia client stopping the attack from taking place
As you answer these questions, relate your answers to what you now know about Mobile NAC and LAN-based NAC. It should be clear to you how important Mobile NAC is in the overall security strategy.
NOTE Enabling mobility can put the LAN at risk and, at the same time, LAN-based NAC solutions alone cannot sufficiently secure the LAN from mobile devices.