Create and Manage Posture Checks

Overview

This guide introduces the concept of Security Posture Checks for ensuring client devices are operating within the proper system requirements defined by the Network Administrator before accessing services provided by the NetFoundry Network.   

The Posture checks provided for selection are the following:

  • defined operating system and min/max version
  • required processes (such as anti-virus programs) are running and have validated program signatures
  • device MAC addresses are checked against a list of valid/known MACs
  • domains that the device is logged into are valid/approved

Using Posture Checks

Any or all of the Posture Checks can be defined and added to an AppWAN via the use of Attributes.  A Posture Check may be assigned a group attribute, which the Console Administrator can add during provisioning.  A group attribute is preceded by a "#" symbol.  The same group attribute can be added to multiple Posture Checks so that they can be assigned to an AppWAN as a whole.

A single Posture Check can be referred to by its individual component attribute, which is provided automatically and is preceded by an "@" symbol.  These can also be assigned to an AppWAN.

For more information about AppWANs and their provisioning, see the following: Create and Manage AppWANs

 

An example AppWAN edit Screen is shown below.  Multiple Services, Endpoints, and Posture Checks can be added with attributes as shown.

 

Screen_Shot_2020-11-23_at_12.56.56_PM.png

 

 

When a Posture Check attribute is added to an AppWAN, any endpoints (which represent a Client device) in that AppWAN must pass all the applicable Posture Checks related to that attribute.  Multiple Posture Checks (singular or via group attributes) can be added to an AppWAN.

The same Posture Check can be added to multiple AppWANs.  A Posture Check only controls access to the services of the AppWAN to which it is added, for each endpoint assigned to that AppWAN.  Thus AppWANs can be provisioned such that an endpoint has access to some services and not others, based on different Posture Check requirements.

"Applicable" means that, for example, the Operating System (OS) Posture Check for macOS does not apply to Windows devices, but the Windows OS Posture Check does apply to Windows devices, and so on.

 

Posture Check Enforcement

Any Posture Checks that are assigned to an AppWAN will be relayed to the Endpoints that are also assigned to that AppWAN.  The Client device, via the NetFoundry application, will check each of the conditions in the applicable Posture Checks assigned and report the status of each check.  The Network Controller will validate that all Posture Checks pass before allowing the Client Device to access that service.  In this way, Posture Checks are incorporated into the Zero Trust model.

If a client device is in multiple AppWANs, the device must comply only with the Posture Checks defined in a given AppWAN to access the corresponding services in that AppWAN.

Note: The local device User Interface will still show all services for its endpoint identity, regardless of whether it is in compliance with the Posture Checks.  Additional statuses will be added to the Console for Endpoint Posture Check data to aid the Network Administrator in identifying the Posture Check conditions for each endpoint (identity).

Each Posture Check currently available is described in more detail below.

In addition, the Posture Check status information provided is detailed below.

 

 

Creating Posture Checks

After logging in to the NetFoundry console with the credentials for your organization, select your network from the main Network menu pulldown. The main menu is exposed by selecting the Green Globe at the upper left.

Then select the Posture Checks button/menu option.

 

Screen_Shot_2020-11-20_at_9.24.33_AM.png

 

The "Manage Posture Checks" page with a summary/list of existing Posture Checks will be shown.

Initially this page will be empty. Select the blue "+" button to add a new Posture Check.

 

 

Screen_Shot_2020-11-20_at_9.25.14_AM.png

 

 

 

 

 

MAC Address Posture Check

One or more MAC addresses can be specified in a MAC Address Posture Check.  The client device must have one of the listed MAC addresses as its own to be able to utilize the services of the AppWAN for which the Posture Check is selected.  Only one match is required, even though the client could have several MAC addresses, or several of the listed addresses could match the client.

Screen_Shot_2020-11-23_at_1.05.36_PM.png

 

 

 

 

 

Operating System (OS) Posture Checks

 

Operating System (OS) Posture Checks can be created for one or more Operating Systems in the same Posture Check definition.  The Posture Check only applies to the OS type of the client device.  Entries for other OS types are not checked if the device's Operating System type does not match.

OS Version Specification

MIN VERSION

The minimum OS version for a client endpoint can be entered in the "MIN VERSION" field.  If the Client Endpoint OS is of the type selected and has a version equal to or higher than this value, the Posture Check will pass.  The MIN VERSION is required.  A default value is already filled in as a hint.

 

MAX VERSION

 

The "MAX VERSION" field is optional.  If the MAX VERSION is specified, both the MIN VERSION and the MAX VERSION are checked for the Posture Check to pass for the specified OS type.  With MAX VERSION set, the Posture Check also requires the version of the client endpoint to be less than or equal to the specified MAX VERSION.

 

Example: OS Posture checks with Minimum OS Version for Multiple OS types

 

Screen_Shot_2020-11-20_at_9.39.47_AM.png

 

 

Example: OS Posture checks with Minimum and Maximum OS Version for Multiple OS types

 

Screen_Shot_2020-11-20_at_9.40.45_AM.png

 

 

 

Process Posture checks

The Posture Check for Client Endpoint Processes enables the Administrator to ensure that specific processes, such as antivirus processes or others, are running and are valid executables.   The binary verification of the process is optional and can be done by providing the hash and thumbprint. 

If all specified fields match the client endpoint process characteristics, the process check passes.

 

 

Screen_Shot_2020-11-23_at_1.06.31_PM.png

 

Example Process Hash calculation for Windows

How to get the SHA-512 hash:

    (Get-FileHash -Algorithm SHA512 path/to/file).Hash.ToLower()

Or:

    $filename = "C:\Program Files\Common Files\McAfee\Platform\McUICnt.exe"
    (Get-FileHash -Algorithm SHA512 $filename).Hash.ToLower()

Sample:

    PS C:\> (Get-FileHash -Algorithm SHA512 F:\Software\McAfee.com\Agent\mcagent.exe).Hash.ToLower()
    a304386591c69ec1f3f0d441b059609675069c43cee2f843dda329175b86ec3ee277b7250d03378d949d4adc4bf4289c216f5cf72fca67c2a9139167c82a6c36

Note - The hash is case sensitive and must be lowercase.

Example Process Signer Certificate Thumbprint Generation for Windows

How to get the signer certificate thumbprint

You can find it via the GUI by following these directions:

1. Find the executable in Windows Explorer.
2. Right click the file and click “Properties.”
3. From the “Digital Signatures” tab, click on the listed signature, then click “Details.” A new window will appear.
4. Click on “View Certificate”; another new window will appear.
5. Click the “Details” tab, scroll down, and click on “Thumbprint.”

Finally, you will be presented with the thumbprint.
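
The two values used for binary verification can also be collected from PowerShell in one step. The following is an added example, not part of the original article: the function name Get-ProcessPostureValues and the notepad.exe path are placeholders, and lowercasing the thumbprint is an assumption based on the lowercase signerFingerprints in the debug data shown later in this article.

```powershell
# Added example: collect the hash and signer thumbprint for a Process posture check.
# Get-ProcessPostureValues is a hypothetical helper name, not a NetFoundry cmdlet.
function Get-ProcessPostureValues {
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName

    # Report a thumbprint only when Windows considers the signature valid;
    # an unsigned or modified binary has no trustworthy signer to record.
    $thumbprint = $null
    if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) {
        # Lowercased to match the form seen in the posture data (assumption).
        $thumbprint = $sig.SignerCertificate.Thumbprint.ToLower()
    }

    [pscustomobject]@{
        Path             = $file.FullName
        # The article requires the SHA-512 hash in lowercase.
        Sha512           = (Get-FileHash -Algorithm SHA512 -LiteralPath $file.FullName).Hash.ToLower()
        SignatureStatus  = $sig.Status
        SignerSubject    = $sig.SignerCertificate.Subject
        SignerThumbprint = $thumbprint
    }
}

# Placeholder path; replace it with the executable the posture check should require.
Get-ProcessPostureValues -Path "$env:SystemRoot\System32\notepad.exe" | Format-List
```

Record the values from the exact build deployed on the endpoints, since the hash changes with every update of the executable.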

 

 

 

 

 

 

Domain Posture Check

Membership of the client endpoint in one of the listed domains can be required using this Posture Check. The domain check is available for Windows, and the Windows client domain must match one of the domains listed to pass the Posture Check.  Multiple domains can be entered, separated by semicolons.

Screen_Shot_2020-11-23_at_1.08.04_PM.png

 

 

 

Managing / Editing Posture Checks

Select the "Posture Checks" button/menu option from main menu and the Posture Checks list screen will appear.

Export list of posture checks

A list of Posture Checks can be exported to a CSV file by selecting one or more of them (or all, by selecting the bubble at the top of the "Name" column) and then selecting the ellipsis to download the list.

Screen_Shot_2020-11-23_at_1.10.37_PM.png

Edit Posture check

Edit a Posture Check and its settings by selecting the Posture Check name or "Edit" on the ellipsis menu on the far right of the specific Posture Check.

Delete Posture check

Delete a Posture Check by selecting the "Delete" option on the ellipsis menu on the far right of the specific Posture Check.  The user will be prompted to verify the deletion by typing in the name of the Posture Check.

 

Screen_Shot_2020-11-23_at_1.17.51_PM.png

 

 

 

Endpoint Posture Check Status 

To view the Posture Checks provisioned and active for a specific client endpoint, navigate to the Endpoint list screen and select an endpoint.  On the Endpoint details screen, select the Posture Data button in the upper left hand corner.

Screen_Shot_2020-11-23_at_3.08.48_PM.png

 

Posture Check Status ...Coming soon

The Posture Check Data will be shown as in the example below.  This will show the active Posture checks for the client endpoint. 

Screen_Shot_2020-11-23_at_3.03.46_PM.png

 

Posture Check Debug Data Current view

Currently the data is shown in the format below.

This raw data identifies the endpoint by its "name".

The "postureData" section contains the posture checks, such as "mac" for the MAC address check.  The "timedOut" field shows the run status of the check.  In the example below the MAC address check has "timedOut" = true, which means it failed to run.

For the process check, "isRunning" = true means the check passed.

For each check, "timedOut" should be false.

 

{
  "endpoint": {
    "id": "760776b3-0cc5-4c87-a5b3-87f829aa498f",
    "ownerIdentityId": "d6cdce3f-96dc-4862-8dd8-6c478456517f",
    "createdBy": "d6cdce3f-96dc-4862-8dd8-6c478456517f",
    "createdAt": "2020-11-10T18:26:42.939011Z",
    "updatedAt": "2020-11-21T15:52:55.213863Z",
    "networkId": "07904894-e4ec-4ee6-a782-e69d780ebd7c",
    "zitiId": "pPIlh92Gg",
    "name": "dwwin10",
    "branch": "HEAD",
    "revision": "b9e3ed2",
    "type": "ziti-sdk-c",
    "version": "0.17.13-local",
    "arch": "x86_64",
    "os": "MINGW32_NT-10.0",
    "osRelease": "10.0.17134",
    "osVersion": "Windows 10 Pro"
  },
  "postureData": {
    "mac": {
      "postureCheckId": "XKyn1JhGg",
      "timedOut": true,
      "lastUpdatedAt": "2020-11-22T19:54:18.769857664Z",
      "addresses": [
        "02f07cb89f01",
        "b6ae2bd715fb",
        "b6ae2bd710fb",
        "005056c00001",
        "005056c00008",
        "b4ae2bd714fa",
        "00ff94c65f57",
        "b4ae2bd714fb"
      ]
    },
    "domain": {
      "postureCheckId": "",
      "timedOut": true,
      "lastUpdatedAt": "0001-01-01T00:00:00Z",
      "name": ""
    },
    "os": {
      "postureCheckId": "xnTCb1hMR",
      "timedOut": true,
      "lastUpdatedAt": "2020-11-22T19:54:18.971534119Z",
      "type": "windows",
      "version": "10.0.17134",
      "build": "unused"
    },
    "process": [
      {
        "postureCheckId": "OoJuNaoMR",
        "timedOut": true,
        "lastUpdatedAt": "2020-11-22T19:54:19.188277666Z",
        "isRunning": true,
        "binaryHash": "fbd1b72fc347762b151c73ec6fae58a2b4ddb49e2df75f88b006f35ea83d7edfda070a306799f3d128d3ae2d2169adbb54d18069da124a68a51959cf52cdcf4d",
        "signerFingerprints": [
          "02faf3e291435468607857694df5e45b68851868",
          "d09e349fd5615f147cf855accd3c03b0833a2bc4",
          "4022bb3c0398d595623a5380d5eeb520fc6150aa",
          "03a5b14663eb12023091b84a6d6a68bc871de66b"
        ]
      },
      {
        "postureCheckId": "3xzTvaoGg",
        "timedOut": true,
        "lastUpdatedAt": "2020-11-22T19:54:19.393232157Z",
        "isRunning": false,
        "binaryHash": "",
        "signerFingerprints": []
      }
    ]
  },
  "_links": {
    "self": {
      "href": "https://gateway.production.netfoundry.io/core/v2/endpoints/760776b3-0cc5-4c87-a5b3-87f829aa498f/posture-data"
    },
    "endpoint": {
      "href": "https://gateway.production.netfoundry.io/core/v2/endpoints/760776b3-0cc5-4c87-a5b3-87f829aa498f"
    }
  }
}
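
The reading of this data described above (timedOut should be false for every check, and isRunning shows the state of a process check) can be applied with a short PowerShell function. This is an added example, not part of the original article: the function name Get-PostureSummary is hypothetical, and the embedded sample is constructed with placeholder IDs and values in the same shape as the data above.

```powershell
# Added example (not NetFoundry code): summarize posture-data JSON per check.
# The sample below is constructed; IDs and values are placeholders.
$sample = @'
{
  "endpoint": { "name": "example-endpoint" },
  "postureData": {
    "mac":    { "postureCheckId": "EXAMPLE-MAC", "timedOut": true,
                "lastUpdatedAt": "2020-11-22T19:54:18Z", "addresses": ["0123456789ab"] },
    "domain": { "postureCheckId": "", "timedOut": true,
                "lastUpdatedAt": "0001-01-01T00:00:00Z", "name": "" },
    "os":     { "postureCheckId": "EXAMPLE-OS", "timedOut": false,
                "lastUpdatedAt": "2020-11-22T19:54:18Z", "type": "windows", "version": "10.0.17134" },
    "process": [
      { "postureCheckId": "EXAMPLE-PROC-1", "timedOut": false, "isRunning": true,
        "lastUpdatedAt": "2020-11-22T19:54:19Z" },
      { "postureCheckId": "EXAMPLE-PROC-2", "timedOut": false, "isRunning": false,
        "lastUpdatedAt": "2020-11-22T19:54:19Z" }
    ]
  }
}
'@

function Get-PostureSummary {
    param([Parameter(Mandatory)][string]$Json)
    $doc = $Json | ConvertFrom-Json
    foreach ($section in $doc.postureData.PSObject.Properties) {
        # "process" is an array; wrap the single-object sections so one loop handles both.
        foreach ($entry in @($section.Value)) {
            $finding = 'ok'
            if ($entry.timedOut) {
                $finding = 'timedOut=true: the check failed to run'
            } elseif ($section.Name -eq 'process' -and -not $entry.isRunning) {
                $finding = 'isRunning=false: process not reported as running'
            }
            [pscustomobject]@{
                Endpoint    = $doc.endpoint.name
                Check       = $section.Name
                CheckId     = $entry.postureCheckId
                LastUpdated = $entry.lastUpdatedAt
                Finding     = $finding
            }
        }
    }
}

Get-PostureSummary -Json $sample | Format-Table -AutoSize
```

With the constructed sample, the mac and domain rows are flagged as timed out, the os row and the first process row report ok, and the second process row is flagged as not running.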

 

Windows Edge Client Debug for Endpoint Posture Checks

For more information on collecting detailed debug information on Posture Checks, refer to Troubleshooting Windows Desktop Edge.

That article details how to collect detailed logs for the Windows Client.  This information can be used to ascertain the state of Posture Checks and determine if and why they are passing or failing on the specific Windows client.

 
