Monday, October 16, 2006

The host remediation myth

We want to keep malware off our network. I've been working on a solution to make sure that hosts connecting to our network meet the following conditions:
1. Current on operating system updates
2. Running antivirus with current virus definitions
3. Aren't running "bad" software

Most solutions I've found work something like this:
1. After authenticating the user (that's an entirely different subject), prompt to install a remediation agent
2.a. If the agent is installed, run a scan for the good/bad stuff
2.b. If the agent isn't installed, run a custom security scan (usually Nessus) to look for bad stuff
3.a. If the host passes the security check, let it on the network
3.b. If the host fails the check, give the user a chance to fix the problem (download the update, virus definitions, etc.) and re-run the check
4. Schedule a scan for some time in the future

Is it just me, or does this not really solve the problem? It checks at a single moment in time whether the host is clean. What if the user gets a worm via email while on the network? Waiting for the next remediation scan may take an hour, or at best several minutes. That is plenty of time for the worm to propagate to other hosts on the network and cause problems.

I'd love a real-time remediation system. It may or may not require scans of the hosts connecting, but it would definitely keep an eye on the hosts' behavior while they are connected to the network. If any one misbehaved, the system would immediately take action, e.g. put an ACL in place to stop the behavior or quarantine the host on an isolated network. Most vendors I talked to said this was too automated and would be a headache to manage. I think it's because they didn't have a product to sell me that could do this.

Some argue that a network IDS/IPS is basically the same thing. Not exactly: it focuses on network borders more than on individual hosts. True, the signatures would probably be identical. I hope that switch vendors start using modern technology (ASICs and fast CPUs) to implement this at the access port. After a short period of fine-tuning the enforcement configuration, I think this would be one sweet network janitor.
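As an added illustration of the behavior-based enforcement described above (example code written for this post, not the author's or any vendor's product), here is a small detector that watches each host's connection fan-out on a single port and emits a quarantine action the moment a threshold is crossed. The flow records, the port, the threshold and the ACL syntax are all constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed flow records for the demo, not captured data:
# (timestamp_seconds, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = [(t, "10.0.0.9", "10.0.0.100", 80) for t in range(0, 120, 10)]  # normal web traffic
SAMPLE_FLOWS += [(30 + i, "10.0.0.7", f"10.0.0.{100 + i}", 445) for i in range(12)]  # rapid fan-out on 445


def detect_scanners(flows, port=445, window=60, threshold=10):
    """Flag any source that contacts more than `threshold` distinct hosts on
    `port` within a sliding `window` of seconds. Returns {src: first_flag_ts}.
    Port, window and threshold are assumed tuning values, not from the post."""
    recent = defaultdict(deque)   # src -> deque of (ts, dst) still inside the window
    flagged = {}
    for ts, src, dst, dport in sorted(flows):
        if dport != port or src in flagged:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # drop flows that aged out of the window
            q.popleft()
        if len({d for _, d in q}) > threshold:
            flagged[src] = ts                # act on the first crossing, no scheduled rescan
    return flagged


def quarantine_actions(flagged, quarantine_vlan=999):
    """Turn detections into enforcement steps: a per-host deny entry plus a
    move to an isolated VLAN. The ACL line is Cisco-IOS-style and only illustrative."""
    actions = []
    for src, ts in sorted(flagged.items()):
        actions.append(f"deny ip host {src} any")
        actions.append(f"! host {src} moved to quarantine vlan {quarantine_vlan} at t={ts}")
    return actions


if __name__ == "__main__":
    for line in quarantine_actions(detect_scanners(SAMPLE_FLOWS)):
        print(line)
```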

I've found one company that does something similar, but haven't done a demo.
