The recent outbreak of the Conficker worm has certainly kept our support department busy. Although the vulnerability was patched (MS08-067) by Microsoft on 23 October 2008, reports seem to suggest that in late January 2009 around 30% of systems remained unpatched.
Given that it has already claimed a number of high-profile victims such as the UK Ministry of Defence and hospitals in Sheffield (http://www.theregister.co.uk/2009/01/20/sheffield_conficker), it seems clear that, as things stand, virus writers will continue to exploit one of the biggest problems faced by those responsible for security: patching.
Patch management systems, be it WSUS or another commercially available solution, are only effective when they’re working. If a patch hasn’t been approved and deployed, or fails to deploy on even a small number of systems, an entire network can become vulnerable.
Experience from the field shows us that even when a company invests significant funds in patching, there’s no guarantee that it will be effective. There are so many potential points of failure, ranging from failed client installs and inaccurate reporting to GPOs not being applied.
Installing a solution to proactively and independently assess for patches is a good way of keeping on top of this problem. It ensures that required patches are installed successfully, and prevents a system from accessing the network if not. Such products also help to ensure maximum ROI on patch management systems, and the resources used to manage and maintain them.
Network Access Control (NAC) solutions are typically thought of as being purely concerned with preventing unknown systems from accessing your network, and that’s to be expected given the name used. Increasingly though, NAC products not only control who can access the network, but perhaps more importantly ensure that the systems you already know about and manage remain secure.
Conficker also emphasises the need to use strong passwords, as it spreads itself via network shares protected with weak passwords. Sophos recently posted a list of the passwords used by Conficker when trying to infect these shares (http://www.sophos.com/blogs/gc/g/2009/01/16/passwords-conficker-worm), and they’re all pretty appalling – but clearly commonly used. This highlights the fact that even having one vulnerable system on the network is going to cause your administrators a headache.
So, to effectively protect your environment from threats such as Conficker, there are several important aspects to consider. All systems must receive critical patches, Anti-Virus must always be enabled and current, and any system that does not meet these requirements must be prevented from accessing the network until compliant. Combine this with regular vulnerability assessments of your infrastructure, and you stand a fighting chance.
The videos below show how we’ve been using Sophos NAC Advanced to help with this. The first video shows an administrator creating a NAC policy that requires the relevant patch (MS08-067) to be installed on a system. The second shows what happens if the patch is missing, and how the system is prevented from accessing the network until it complies.
http://www.youtube.com/watch?v=B7qE_7xaI58
http://www.youtube.com/watch?v=tf3xzNX1nSw
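To illustrate the compliance decision the NAC policy in the videos makes (required patch present, Anti-Virus enabled and current, otherwise quarantine), here is an added, hypothetical policy evaluator written for this post; it is not Sophos NAC code. It assumes KB958644 is the hotfix id for MS08-067, and the host inventory it evaluates is constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

# Assumption: KB958644 is the hotfix that delivers MS08-067 (verify against your estate).
REQUIRED_HOTFIXES = {"KB958644"}
MAX_AV_DEFINITION_AGE_DAYS = 3  # policy choice: definitions older than this are "not current"


@dataclass
class HostState:
    """What an endpoint agent would report back to the NAC server."""
    hostname: str
    installed_hotfixes: set
    av_enabled: bool
    av_definitions_date: date


def evaluate(host, today):
    """Return ('allow' | 'quarantine', [reasons]) for one host.

    Every failed requirement is recorded so an administrator can see
    exactly why a system was kept off the network, not just that it was.
    """
    reasons = []
    missing = REQUIRED_HOTFIXES - host.installed_hotfixes
    if missing:
        reasons.append("missing patches: " + ", ".join(sorted(missing)))
    if not host.av_enabled:
        reasons.append("anti-virus disabled")
    else:
        age = (today - host.av_definitions_date).days
        if age > MAX_AV_DEFINITION_AGE_DAYS:
            reasons.append(f"anti-virus definitions {age} days old")
    return ("quarantine" if reasons else "allow", reasons)


# Constructed sample inventory: one compliant host, one unpatched, one with AV off.
SAMPLE_HOSTS = [
    HostState("ws-01", {"KB958644"}, True, date(2009, 2, 5)),
    HostState("ws-02", set(), True, date(2009, 2, 5)),
    HostState("ws-03", {"KB958644"}, False, date(2009, 1, 10)),
]


def assess(hosts, today=date(2009, 2, 6)):
    """Evaluate every host; returns {hostname: (decision, reasons)}."""
    return {h.hostname: evaluate(h, today) for h in hosts}


if __name__ == "__main__":
    for name, (decision, reasons) in assess(SAMPLE_HOSTS).items():
        print(f"{name}: {decision} {'; '.join(reasons)}")
```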
Foursys Network Security Blog
06 February 2009