An option we have used

jimsiff · ‎03-28-2010

Hi,

I'm attempting to write a LUA script to help fill in the blanks when Host Scan can't properly detect an AV or FW package. This seems to happen with newer packages because of the delay getting the updated OPSWAT DLLs integrated with CSD.

Below is a FW check I put together (based on the DAP Advanced Functions Deployment Guide). The idea is to first do all OPSWAT-based FW checks, then if they all fail, check the results of Host Check processes checks. The Host Check process checks would be named "fw_$fw_name" as in "fw_Symantec" or "fw_McAfee". These process checks would be added after an administrator verifies a user complaint that their new FW version is not being detected.

DAP record [ Windows_FW_Check ]:

((EVAL(endpoint.os.version,"EQ","Windows 7","string"))

or (EVAL(endpoint.os.version,"EQ","Windows Vista","string"))

or (EVAL(endpoint.os.version,"EQ","Windows XP","string")))

and (assert(function()

local no_fw = true

for k,v in pairs(endpoint.fw) do -- OPSWAT fw checks

if (EVAL(v.exists, "EQ", "true", "string")) then

no_fw = false

end

if no_fw = true then –- custom fw process checks if required

> for k,v in pairs(endpoint.process.fw_.*$) do -- This doesn't appear to work. Can't I do regex based string expansion on table keys?

> for k,v in pairs(endpoint.process) do -- This doesn't work either. Isn't there a Lua table for Host Scan processes?

if (EVAL(v.exists, “EQ”, “true”, “string”)) then

no_fw = false

end

return no_fw

end)())

The problem I'm having is that while I can iterate on the Cisco predefined Lua tables such as endpoint.fw, endpoint.av, and endpoint.as, I can't seem to iterate on an endpoint.process Lua table. Maybe I'm doing something wrong or have some incorrect syntax. Does Host Scan create an endpoint.process Lua table? When a client connects, Host Scan checks for known processes and the status shows up in "debug dap trace". These processes can be checked using simple

(EVAL(endpoint.process.processname.exists,"EQ","true","string"))

That simple syntax doesn't help me. I'm trying to create a DAP framework that can remain static, while giving the administrators the flexibility to add or remove custom fw_$FWNAME and av_$AVNAME Host Scan process checks to fill the gap between when a package is updated and CSD is updated.

Thanks for any help,

Jim

jimsiff · ‎03-28-2010

So I had some syntax and logic errors to work through. I have two different methods that appear to work.

To make this work, when a client fw is not detected properly by OPSWAT, an admin verifies the problem, then adds an appropriate Host Scan process check called "fw_$FW_VENDOR" or similar. For instance, the latest version of Norton 360 isn't being detected properly by CSD 3.5. The admin would add a process check called "fw_Symantec" with a process value of "ccSvcHost.exe". When the client PC connects, if OPSWAT checks fail, a basic process check would succeed and allow the connection. This isn't ideal for a few reasons:

1) I don't believe there's a way to do SHA1 hash verification on Host Scan process checks. This allows a user to rename "calc.exe" to a valid process name, run it and get logged on without the real process running.

2) The checks aren't as solid as the real OPSWAT checks. A fw service process may be running even when the firewall itself is disabled.

3) Endpoint Assessment is only as strong as your weakest link.

The first method checks all "endpoint.fw.*.exists" keys for a "true" value. If yes, the no_fw variable is set to "false". If all checks fail, all existing "endpoint.process.fw_*.exists" keys are checked for a "true" value. If yes, the no_fw variable is set to "false". Then the return value is set to "no_fw". If return is "true" the DAP is selected, a user message is sent to the user that their firewall was not detected, and they are disconnected.

((EVAL(endpoint.os.version,"EQ","Windows 7","string"))
or (EVAL(endpoint.os.version,"EQ","Windows Vista","string"))
or (EVAL(endpoint.os.version,"EQ","Windows XP","string")))
and (assert(function()
local no_fw = true
for k,v in pairs(endpoint.fw) do --> OPSWAT fw checks
    if (EVAL(v.exists,"EQ","true","string")) then
      no_fw = false
    end
end
if no_fw == true then --> fw process checks if OPSWAT checks fail
    local fw_pattern = "fw_"
    for k,v in pairs(endpoint.process) do
      print(k)
      match = string.find(k,fw_pattern)
      if (match) then
        if (EVAL(v.exists,"EQ","true","string")) then
          no_fw = false
        end
      end
    end
end
return no_fw
end)())

The second method checks a subset of preferred "endpoint.fw.*.exists" keys for a "true" value. (eg - MS, McAfee, Norton/Symantec, AVG/Grisoft, TrendMicro, Kaspersky, etc). If yes, the no_fw variable is set to "false". If all checks fail, all existing "endpoint.process.fw_*.exists keys are checked for a "true" value. If yes, the no_fw variable is set to "false". Then the return value is set to "no_fw". If return is "true" the DAP is selected, a user message is sent to the user that their firewall was not detected, and they are disconnected. This may or may not be more CPU efficient due to less total fw checks.

((EVAL(endpoint.os.version,"EQ","Windows 7","string"))
or (EVAL(endpoint.os.version,"EQ","Windows Vista","string"))
or (EVAL(endpoint.os.version,"EQ","Windows XP","string")))
and (assert(function()
local no_fw = true
if ((EVAL(endpoint.fw.MSWindowsFW.exists,"EQ","true","string"))
   or (EVAL(endpoint.fw.NortonFW.exists,"EQ","true","string"))
   or (EVAL(endpoint.fw.GrisoftFW.exists,"EQ","true","string"))
   or (EVAL(endpoint.fw.TrendMicroFW.exists,"EQ","true","string"))
   or (EVAL(endpoint.fw.KasperskyFW.exists,"EQ","true", "string"))
   or (EVAL(endpoint.fw.McAfeeFW.exists,"EQ","true","string"))) then
   no_fw = false
end
if no_fw == true then --> fw process checks if OPSWAT fails
    local fw_pattern = "fw_"
    for k,v in pairs(endpoint.process) do
      print(k)
      match = string.find(k,fw_pattern)
      if (match) then
        if (EVAL(v.exists,"EQ","true","string")) then
          no_fw = false
        end
      end
    end
end
return no_fw
end)())

In any case, this Lua code can be applied to fw, av, and as checks relatively easily. The way I plan to implement this is to place the fw and av checks just above the Default Terminate rule. This improves troubleshooting by still allowing a valid DAP trace for higher priority DAPs when a client fails detection. Clients should still match their intended DAPs in addition to the fw check that terminates the connection. Also, it will no longer be necessary to include Endpoint Assessment variables in user DAPs. All user DAPs will only include AAA variables and any required client access modifications.

I can't say this stuff is original, since I just cobbled it together using code snippets from various sources. Maybe somebody else will find this useful. As flexible as Lua is, harnessing the true power in a GUI would put Cisco in the same league as Juniper, IMO. Last time I checked, Juniper was miles ahead of Cisco when it comes to endpoint assessment rule flexibility and dynamic access permissions.

akearns02 · ‎04-05-2014

An option we have used internally is to supplement with the OPSWAT GEARS platform to quickly expand the endpoint posture assessment capabilities, as well as provide an easier to use UI for the precise policy configuration.

GEARS is cloud-based, which means that the supported software is always up-to-date; and can be added to the DAP with a simple registry check (or file check for Mac devices).

Lee Friend · ‎11-05-2014

I have read the OPWATS Gears integration steps with Cisco and other VPN firewalls, whilst I appreciate the checks OPSWAT (either via hostscan, or gears) are fairly robust - making this weaker by having the VPN concentrators allow a user based on a simple process & registry check (those show in the guide - https://supportforums.cisco.com/sites/default/files/integrate_cisco_asa_opswat_gears_0.pdf) do not provide the levels of assurance most would be striving for.

Configuring DAPs using LUA