SmartEnforcer Network Validation Process - FAQ

What is CleanMachines?
CleanMachines is a solution provided by Perfigo, Inc. that performs network validation. The software performs the following functions:
• Requires authentication to the network.
• Validates whether the system connecting to the network meets the minimum security standards.
• Quarantines the system until it meets the minimum security standards.
• Provides access to the remediation sites.
• Once the system is validated as “clean,” allows access to the network.

What Networks Require Validation?
We are deploying the validation solution to the student residential network and for the open and wireless networks on campus.

Why Are We Introducing this Solution Now?
Over 70% of all systems were infected at the start of the Fall 2003 semester. Just prior to move-in weekend, the Blaster worm was introduced. We did not have a solution that could effectively quarantine systems until proven “clean”; thus, many unprotected systems became infected as soon as they were physically plugged into the network. From investigations into the causes of the problems experienced, it has been determined that the best way to prevent this from happening again is to ensure that anti-virus software and critical OS updates/patches are current and maintained.
Users who did connect systems that were current with both OS patches and anti-virus software also suffered delays in Internet and other network access due to the excessive traffic caused by the infected machines.

Am I required to install any software on my computer?
All Microsoft Windows computers are required to install the SmartEnforcer client software to connect to the university network. You will also be required to use the university’s version of McAfee Anti-virus software and install critical Microsoft OS patches and updates.

How Does Validation Work?
The validation solution will “trap” any Internet browser access and redirect the user to a web page that instructs the user to download and install the validation client known as “SmartEnforcer.”
Once launched, the client downloads the validation rules and processes these. If the workstation fails the test, it is allowed Internet access only to the remediation sites for a period of about 45 minutes. Once corrected, full network access is provided and a timer is set for the connection. The connection remains intact until the timer expires; at that time, the connection is reset and the user must re-validate by launching the client.

Where Do the Perfigo Servers Fit in the Network?
There is a management server, known as “SmartManager” which provides the administration of the Perfigo-protected network. The enforcement servers are known as “SmartServers.” We are configuring a pair of redundant SmartServers for the residence halls and a pair for the open and wireless networks. The SmartManager is also configured as a pair of redundant servers.
The SmartServers receive the validation instructions from the SmartManager and download these to each client installed on workstations which connect to the network.

What is SmartEnforcer?
SmartEnforcer is the client application that can check certain security settings on any Microsoft Windows PC to make sure that the system is up-to-date with required security patches and report this status to the SecureSmart Server. No information about the user or the content of user files is sent to the server. Each user must use SmartEnforcer for his/her Microsoft Windows PC in order to authenticate and use the university network.

What Validation Checks are Being Performed?
For Summer Session and the Fall semester, we are configuring Perfigo to validate the following:
• Run Nessus scans for known vulnerabilities.
• Check for the current release of McAfee anti-virus software and current virus definitions. The software is available for free download from the quarantine site.
• Check for current Windows OS Patches for Windows 2000 and Windows XP machines.

How Long Do the Validation Checks Take?
In our pilots to date, the checks take between 15 and 30 seconds.

What is the Process for Changing the Minimum Security Requirements?
As new critical Microsoft updates become available, the security requirements will be updated to reflect the new patches. Typically, we will not immediately set the validation check for the new patches, but allow some time (typically a week) for people to update their systems in due course. If a vulnerability is reported or the threat of a virus storm or worm attack emerges, we will update the validation check immediately in reaction to the threat. We will send email to Students@Rockhurst.edu to communicate the newly required updates.

How Long is the Timer?
There are actually two timers: the network connection timer that controls how long the network connection is valid, and the validation timer that controls how frequently re-validation must occur.

For example, the solution can be configured to require re-authentication to the network or re-connection once a week but only require the re-validation (the system checks) once a month.
We plan to configure the validation timer for 3 days and the network connection at 7 days. Thus, at a minimum, each user will have to re-connect and re-validate every 7 days. If the user chooses to shut his/her machine down for more than 10 minutes, the user will have to re-authenticate each day and be required to re-validate every 3 days.

Modifications to the software are in process to make the timeout and re-validation process much more intuitive. To limit help desk calls and confusion for the summer session pilot, we plan to set both timers at 45 days, thus avoiding the re-validation scenario entirely for the summer session. For the Fall semester, we plan to set the timers at 7 days for connection and 3 days for validation.

How Does a User Re-Validate Before the Timer Expires?
Windows users do not have to wait to lose their network connections to re-validate. The user can log out from the network and then log back in by right-clicking the SmartEnforcer icon in the system tray. If the validation timer has expired when the user logs back into the network, the SmartEnforcer client will re-validate both the internal checks and perform a scan. Once the validation is complete, the login process will reconnect the system to the network, and the connection timer will be reset. If the validation timer has not expired, the SmartEnforcer client will validate only the internal checks (critical OS patches and anti-virus software).

For example, if the network connection timer is set to 7 days and the validation timer set to 3 days, we recommend that the user logout and then login again to reset the timer every 5 days.
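As an added illustration (not Perfigo's software or the university's own code), the following Python model walks through the Fall settings described above: a 7-day connection timer, a 3-day validation timer, and the 10-minute sleep rule. It assumes that a full re-validation restarts the validation timer and that a long sleep drops only the connection; the dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class SmartEnforcerSession:
    """Hypothetical model of the two timers in the FAQ; not Perfigo's code."""
    connection_ttl: timedelta = timedelta(days=7)   # network connection timer
    validation_ttl: timedelta = timedelta(days=3)   # validation (system checks) timer
    sleep_limit: timedelta = timedelta(minutes=10)  # sleeping longer than this logs the user off
    connected_until: Optional[datetime] = None
    validated_until: Optional[datetime] = None

    def login(self, now: datetime) -> str:
        """Authenticate via the tray icon; returns which checks the client must run."""
        if self.validated_until is None or now >= self.validated_until:
            checks = "full"  # internal checks plus Nessus scan
            self.validated_until = now + self.validation_ttl  # assumed: full check restarts validation timer
        else:
            checks = "internal"  # only OS patch and anti-virus checks
        self.connected_until = now + self.connection_ttl  # connection timer is reset on every login
        return checks

    def sleep(self, start: datetime, end: datetime) -> bool:
        """Machine sleeps from start to end; returns True if that logged the user off."""
        if end - start > self.sleep_limit:
            self.connected_until = None  # assumed: only the connection is dropped
            return True
        return False

    def needs(self, now: datetime) -> str:
        """What the user has to do at `now` to be on the network."""
        if self.connected_until is not None and now < self.connected_until:
            return "nothing"
        if self.validated_until is None or now >= self.validated_until:
            return "re-authenticate and re-validate"
        return "re-authenticate"


def fall_walkthrough() -> dict:
    """Fall settings (7-day connection, 3-day validation) against two weeks of use."""
    t0 = datetime(2004, 8, 23, 9, 0)  # constructed move-in date
    def day(n): return t0 + timedelta(days=n)
    s = SmartEnforcerSession()
    r = {"first_login": s.login(t0)}  # nothing validated yet -> "full"
    r["day5_login"] = s.login(day(5))  # recommended 5-day logout/login; validation expired -> "full"
    r["day6_sleep"] = s.sleep(day(6), day(6) + timedelta(minutes=30))  # >10 min: logged off
    r["day6_needs"] = s.needs(day(6))  # validation still good until day 8 -> re-authenticate only
    r["day6_login"] = s.login(day(6))  # -> "internal" checks only; connection now good until day 13
    r["day13_needs"] = s.needs(day(13))  # connection and validation both expired
    return r
```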

How Does Validation Work for Macintosh Users?
Macintosh users must authenticate by logging in via a web page. The only validation check for Macintosh systems is the Nessus scan. There is no client which is downloaded to Macintosh systems. The network connection timer is set for Macintosh systems; however, there is no icon that can be right-clicked to logout and subsequently login again.

How Does Validation Work for Linux Users?
Linux users must authenticate by logging in via a web page. The only validation check for Linux systems is the Nessus scan. There is no client which is downloaded to Linux systems. The network connection timer is set for Linux systems; however, there is no icon that can be right-clicked to logout and subsequently login again.

What About Xboxes, PlayStations, etc.?
These devices must be configured and registered in the SmartManager. Students should call the help desk at x4357. The help desk agents will notify the security staff to register the device.

What Remediation is Available?
Authentication Failure. If a user’s system fails authentication, the user is instructed to provide the correct university network username and password. If a user does not have a valid account, they must come to the help desk on the 4th Floor of Conway to receive one. Please be sure to bring your student ID with you.

Anti-Virus Failure. If the user’s system fails the check for current anti-virus software, the user is provided a download either for the software itself or for the current engine and virus definition files.

Microsoft Windows Patch Failure. If the user’s system fails the check for current critical OS patches, the user is instructed to click on the URL for the Microsoft Windows update site and follow the instructions.

What Happens If an “Infected” System Behaves Badly on the Network?
The validation solution cannot prevent all infections. Also, we have experienced denial of service attacks originating from within the university network. For those subnets controlled by SmartServers, the process will be to disconnect the offending system using the SmartManager management console. Unless the system is demonstrating a vulnerability for which there is no patch, there should be no need to block the physical switch port, as the user will not be able to reconnect until the problem is corrected.

Each time I try to use my computer to access the internet, my browser tells me that I need to login. I have to login frequently.
Many computers are configured to “sleep” when not in use. If your computer is set this way, you will be logged off the network and must authenticate to regain access each time your computer “sleeps” for more than 10 minutes.

How do I tell if I am already logged in?
The best way is to try to go to an internet site. In most cases, if you are ABLE to access a site such as http://www.google.com, you are online and logged in.

How do I tell if I am Quarantined/Unauthenticated?
The best way is to try to go to an internet site. In most cases, if you are UNABLE to access an external site, such as www.google.com, you are UNauthenticated or might be Quarantined (the SmartEnforcer should indicate this status).

I use a personal firewall; will this cause a problem?
Usually no. In most cases, a personal firewall will work fine. Depending upon the firewall product you will receive several pop-up windows requesting “ok to proceed”. Some of the personal firewalls are:
• Windows XP
• BlackIce
• Zone Alarm
• Sygate

What IP address should I expect?
We are using the range 172.17.0.0/16. Each student PC should get an IP address similar to the following:
IP Address: 172.17.100.1
Subnet Mask: 255.255.0.0
Default Gateway: 172.17.1.1

Troubleshooting

I cannot access the login page. I get the redirection page but then my browser gives an error and stops.
Generally, this is caused by an encryption (SSL) problem with your browser. Encryption is required for authentication to complete. Try another browser if you are unable to correct the problem with the first browser (IE -> Netscape; Netscape -> IE). Usually, Netscape has fewer encryption problems (www.netscape.com).

I am unable to ping the default gateway address; shouldn’t I be able to do this?
No, you will not be able to ping the default gateway. This is normal. Until you are completely logged in you will not be able to ping any address.

What am I allowed to access when Unauthenticated or Quarantined?
For the most part, remediation and help sites such as http://WindowsUpdate.Microsoft.com, http://www.nai.com (the McAfee .dat update site), https://www.rockhurst.edu/nai, http://www.rockhurst.edu/perfigo and a few more.

I’m on a Macintosh or Linux machine. I’ve opened my browser but I am not redirected to a login page. What do I do?
You must try to go to a non-local site such as www.google.com.

I am able to access the internet but the SmartEnforcer still allows me to “login”. Am I logged in?
Yes, the SmartEnforcer may not always detect your network status. If you can access normal internet sites such as www.google.com, then you are authenticated.

I am NOT able to access the internet but the SmartEnforcer only allows me to “logout”. What’s going on?
The SmartEnforcer may not always detect your network status. Please choose “logout” and then choose “login”.

How do I logout?
Currently, the only way to manually logout is to use the SmartEnforcer “logout” feature. Right-click the SmartEnforcer icon in the system tray and choose logout. The SmartEnforcer icon appears as follows in the system tray:


I do not have a “logout” option in SmartEnforcer.
The SmartEnforcer does not always detect your network status. Once you login through the SmartEnforcer, you will have the “logout” feature.

Can I update Windows before I login?
Yes. You should be able to go to http://windowsupdate.microsoft.com. You may not be able to use the direct link in your browser or on your desktop. This is normal.

When I run Windows Update, I get a message stating that the product key used to install Windows is invalid. What does this mean?
Windows Update will fail if your Windows OS is not properly licensed. You must have a legal copy of the operating system to connect to the university network.

Can I update McAfee before I have logged in?
Yes. The best way is to “tell” McAfee to update/upgrade now.

Do I have to use the SmartEnforcer client?
Yes. All Windows PCs are required to use SmartEnforcer for network access.

What happens if I uninstall the SmartEnforcer client?
You will be required to reinstall the client to reauthenticate when your login expires.

The SmartEnforcer client does not offer a “login,” just a “logout,” and the web page tells me that I must now use SmartEnforcer to login; what do I do?
The SmartEnforcer does not always detect your network status. Please choose “logout”; you will then have the “login” feature.

I keep trying to install the SmartEnforcer but it tells me that I can either Modify/Repair or Remove the program.
SmartEnforcer is currently installed on your machine. You do not need to install it again.

How do I know SmartEnforcer is running?
Look in the “System Tray” in the lower right corner near the time display. You may need to select the “<<“ to expand the list and show SmartEnforcer.

I do not see the SmartEnforcer icon in my system tray; what do I do?
There are a few possibilities:
1. SmartEnforcer has not been installed.
-> Please install SmartEnforcer to continue.
2. SmartEnforcer has been installed but you did not select “Launch” at the end of the installation.
-> From the “Start” menu, then “Programs”, then “Perfigo”, then “SmartEnforcer”, then “SmartEnforcer” to launch the program.
3. SmartEnforcer is “hidden” in the Systray.
-> Please click on “<<“ to expand the system tray list and show SmartEnforcer, then login.
4. Your computer has a problem showing Systray icons.
-> You may be able to use “taskmanager” to halt SmartEnforcer and then launch it again.
5. SmartEnforcer is installed but not running.
-> From the “Start” menu, then “Programs”, then “Perfigo”, then “SmartEnforcer”, then “SmartEnforcer” to launch the program.

My network games don’t work any more. Why?
The recent network upgrade now performs address translation; this may be interfering with network games. Please call the help desk at x7-9000 and provide them with the name of the game. We’ll do our best to accommodate network games on a case-by-case basis.