Policy Enforcement over Web?

  1. #1
    Junior Member
    Join Date
    Apr 2005
    Posts
    5

    Policy Enforcement over Web?

    I'm looking for some suggestions on how to handle a certain security problem.

    Let's say that I have an SSL website that will allow a user to first authenticate with two-factor authentication before proceeding to use an ActiveX control to securely connect to Terminal Services from across the web.

    The problem is, I have no way of verifying that a user's computer has any antivirus or antispyware software on it, nor a way to verify that they do not have a keylogger or anything else on there.

    Can any of you guys think of a good way to enforce a policy, such as to require up-to-date antivirus, or perhaps just a mechanism to do a simple trojan scan before allowing them to proceed to the point where they can authenticate and connect?

    I've seen agents out there, but I hate to get in the business of installing and managing software on someone's home computer.

    Thanks,
    Mike

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    This is the "new wave" in networking, (or at least, one of them).... Making a central system verify that certain tasks have been completed prior to allowing access. Cisco does one and there are a couple of others. The problem is that it is new and new = $$$$....

    Unless you have money coming out of your "thingumy" it probably won't happen easily.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    Junior Member
    Join Date
    Apr 2005
    Posts
    5
    Well, I was at the RSA con in San Fran, and saw a lot of those technologies down there. I am just trying to figure out how to do it without really having them install something, per se. Of course, even an ActiveX control is installed, but it's a little more behind the scenes. Ideally, I want something that upon opening a webpage, will scan (or verify policy), then proceed to allow them to connect to my poor man's SSL VPN.

  4. #4
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Off topic

    Unless you have money coming out of your "thingumy" it probably won't happen easily.
    Too funny...I actually laughed out loud.

    Thanks...I needed that

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  5. #5
    Senior Member
    Join Date
    Feb 2005
    Posts
    153
    Of course, even an ActiveX control is installed, but it's a little more behind the scenes.
    So you want to limit this to Internet Explorer only?

    I say only allow access in the first place to people you already trust to keep their computer clean.
    "It is not the strongest of the species that survive, nor the most intelligent, but the one most responsive to change."
    - Charles Darwin

  6. #6
    Senior Member
    Join Date
    Jan 2005
    Posts
    128
    Well, you could implement this yourself; it would be slightly easier on XP.

    But this is like implementing Win32 apps when 3.11 still had the market share.

    Something along the lines of making a proggy to check the Security Centre; if all is good, then unban that URL from being accessed.
    If You've Done Something Right, People Won't Know You've Done Anything At All - God (Futurama)

  7. #7
    Master-Jedi-Pimps0r & Moderator: thehorse13
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    As Tiger mentioned, this isn't going to happen for free. I have one of these solutions in place right now. See www.juniper.net and look at their SSL VPN product. It does host checking based on a policy you write. Mine checks for up-to-date patches and a virus sig no older than 7 days. Once they pass, the VPN tunnel is established.

    Once they are on, I can even enforce the apps they run based on MD5 hashes of the exe. This way, I know they are running version 5.0 of UberLeetSoft as opposed to maybe version 6 they obtained on their own, or a version of 5.0 that has been fux0red with. There are many, many policy options, but these are the ones that I use with great success.

    Again, have your checkbook ready.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
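    The Security Centre check in post #6 and the host-check policy in post #7 (patches current, AV signatures no older than 7 days, approved application build identified by hash) are the same idea: the gateway receives a posture report from the endpoint and only then unblocks the login URL or builds the tunnel. The following is an added example of the gateway-side evaluation, not code from the thread or from Juniper or Check Point. The report format, field names, the hypothetical product "UberLeetSoft", the 7-day limit and all sample data are constructed; SHA-256 is used in place of the MD5 mentioned above because MD5 collisions can be manufactured. The important caveat is the one Mike raises in the opening post: everything in the report is self-reported by the client, so the evaluator treats it as untrusted input and fails closed on anything missing or malformed, and it still cannot detect a client that simply lies.

    ```python
    """Gateway-side endpoint posture evaluator (added example, constructed data)."""
    import hashlib
    from datetime import date
    from typing import Dict, List, Tuple

    MAX_SIG_AGE_DAYS = 7  # assumed policy value, mirroring the thread

    # Constructed stand-in for the approved build of a hypothetical application.
    # In a real deployment the allowlist holds pinned hashes of the actual .exe.
    APPROVED_BINARY = b"UberLeetSoft 5.0 (constructed stand-in for the .exe)"


    def file_hash(data: bytes) -> str:
        """SHA-256 of a file's bytes (the thread used MD5; MD5 is collision-prone)."""
        return hashlib.sha256(data).hexdigest()


    APPROVED_APP_HASHES: Dict[str, set] = {
        "UberLeetSoft": {file_hash(APPROVED_BINARY)},
    }


    def evaluate_posture(report: dict, today: date) -> Tuple[bool, List[str]]:
        """Return (allowed, reasons).

        The report comes from the client, so it is untrusted: any missing or
        malformed field counts as a failure rather than a pass (fail closed).
        """
        failures: List[str] = []

        # 1. Patch level, as flagged by the endpoint agent / Security Centre.
        if report.get("patches_current") is not True:
            failures.append("patches not current")

        # 2. Antivirus present, on-access scanning on, signatures fresh.
        av = report.get("antivirus") or {}
        if not av.get("installed"):
            failures.append("no antivirus reported")
        else:
            if not av.get("on_access_enabled"):
                failures.append("antivirus on-access scanning disabled")
            sig = av.get("signature_date")
            try:
                sig_date = date.fromisoformat(sig) if sig else None
            except (TypeError, ValueError):
                sig_date = None
            if sig_date is None:
                failures.append("antivirus signature date missing or malformed")
            elif sig_date > today:
                failures.append("antivirus signature date is in the future")
            elif (today - sig_date).days > MAX_SIG_AGE_DAYS:
                failures.append(
                    f"antivirus signatures older than {MAX_SIG_AGE_DAYS} days")

        # 3. Approved application build: reported hash must match a pinned one.
        for app in report.get("applications", []):
            name = app.get("name")
            digest = str(app.get("sha256", "")).lower()
            if digest not in APPROVED_APP_HASHES.get(name, set()):
                failures.append(f"{name}: unapproved build (hash {digest[:12]}...)")

        return (not failures, failures)


    # Constructed sample reports.
    GOOD_REPORT = {
        "patches_current": True,
        "antivirus": {"installed": True, "on_access_enabled": True,
                      "signature_date": "2005-04-10"},
        "applications": [{"name": "UberLeetSoft",
                          "sha256": file_hash(APPROVED_BINARY)}],
    }

    # Stale signatures and a modified/unapproved build of the application.
    TAMPERED_REPORT = {
        "patches_current": True,
        "antivirus": {"installed": True, "on_access_enabled": True,
                      "signature_date": "2005-03-01"},
        "applications": [{"name": "UberLeetSoft",
                          "sha256": file_hash(b"UberLeetSoft 5.0 (modified)")}],
    }


    if __name__ == "__main__":
        today = date(2005, 4, 12)
        for label, rep in (("good", GOOD_REPORT), ("tampered", TAMPERED_REPORT)):
            allowed, reasons = evaluate_posture(rep, today)
            print(label, "ALLOW" if allowed else "DENY", reasons)
    ```

    A gateway would run this before releasing the login page (post #6's "unban that URL") or before establishing the tunnel (post #7), and log the reasons rather than showing them to the client, so a failing host learns only that it was denied.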

  8. #8
    Junior Member
    Join Date
    Apr 2005
    Posts
    5
    Yeah, I was afraid of that. I was hoping someone might make a little app to do something like this without getting into the really expensive devices, like Juniper offers. Of course, the alternatives to having an SSL VPN for us are going to be expensive, so perhaps there is a way for me to get some $$$$ for this.

  9. #9
    AO Senior Cow-beller
    Moderator
    zencoder
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Check Point came and pitched their SNX product to us recently that does something akin to this discussion... Secure Network eXtension, I guess. It's an ActiveX control... you browse to the address, it opens up an SSL session and fires up the ActiveX to secure your system. Not sure it has any policy enforcement, but if it doesn't, I guarantee they'll sell you the piece that does, or it's in development and will be available (read: for sale) soon.

    Tiger is right...this stuff is the bleeding edge, which is invariably expensive.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  10. #10
    Junior Member
    Join Date
    Apr 2005
    Posts
    5
    I'll check it out. It'd be nice if it didn't have to be ActiveX, but I don't think anything in the Java world would do it.
