This guide introduces the concept of security posture checks for ensuring client devices are operating within the proper system requirements defined by the NetFoundry Network administrator before accessing NetFoundry Services.
There are several types of Posture Check:
- device is running an expected operating system, optionally limited to a minimum OS version, a maximum OS version, or both, e.g. macOS >= 11.2
- required processes, e.g. navapsvc.exe (Norton AntiVirus), are running and optionally match an expected binary hash and/or signer certificate thumbprint
- device has an expected MAC address
- device is a member of an expected Active Directory domain
Using Posture Checks
Any or all of the Posture Checks can be defined and added to an AppWAN with a Posture Check role attribute. Posture Check role attributes look like a #hashtag and are used to group Posture Checks. A Posture Check becomes enforced when it carries the same role attribute as the AppWAN. A single Posture Check may also be included in an AppWAN by name with an @mention. For more information about AppWANs see Create and Manage AppWANs.
An example AppWAN edit screen is shown below. Multiple Services, Endpoints, and Posture Checks can be added with attributes as shown.
When a Posture Check attribute is added to an AppWAN, every client Endpoint in that AppWAN must satisfy all Posture Checks that possess the same #hashtag role attribute. Any number of Posture Checks may be added to, and therefore enforced by, an AppWAN.
The same Posture Check can be added to any number of AppWANs. A Posture Check only controls access to the services of the AppWANs it is added to, for the endpoints assigned to those AppWANs. AppWANs can therefore be provisioned so that an endpoint has access to some services and not others, depending on which posture requirements it meets.
Only the applicable Posture Checks are evaluated for a device: for example, the Operating System (OS) posture check for macOS does not apply to Windows devices, while the Windows OS posture check does, and so on.
Posture Check Enforcement
Any Posture Checks assigned to an AppWAN are relayed to the Endpoints that are also assigned to that AppWAN. The client device, via the NetFoundry application, evaluates each condition in the applicable Posture Checks and reports the result. The Network Controller validates that all posture checks pass before allowing the client device to access the service. Posture is therefore part of every access decision, consistent with the Zero Trust model.
If a client device is in multiple AppWANs, access to the services of each AppWAN depends only on the Posture Checks assigned to that AppWAN; the checks of one AppWAN do not affect access through another.
Note: The local device user interface still shows all services for its endpoint identity, regardless of whether the device complies with the Posture Checks. Additional statuses will be added to the Console for Endpoint Posture Check data to help the Network Administrator identify the Posture Check conditions for each endpoint (identity).
Each Posture Check type currently available, and the Posture Check status data the Console provides, are described in more detail below.
Creating Posture Checks
After logging in to the NetFoundry console with the credentials for your NF Organization, Select your NF Network in the pulldown. The pulldown is exposed when you expand the navigation sidebar by clicking the green globe at upper left. Then select "Posture Checks" in the sidebar.
The "Manage Posture Checks" page with a list of existing Posture Checks will be shown.
Initially this page will be empty. Select the blue "+" button to add your first Posture Check.
Multifactor Authentication Posture Checks:
Details about multifactor authentication posture checks are described on their own page.
MAC Address Posture Check
This requires the Endpoint software or tunneler to be running on a device with an expected MAC address. Any one of the device's MAC addresses must match any one of the expected MAC addresses. MAC addresses are reported by the client and can be changed by a local administrator on most operating systems, so treat this check as a device-inventory constraint rather than as strong proof of device identity.
Operating System (OS) Posture Checks
Operating System (OS) Posture Checks can be created for one or more OS in the same Posture Check.
OS Version Specification
The optional minimum value means that if the client Endpoint's OS is of the selected type and its version is equal to or higher than the minimum, the Posture Check succeeds. The field shows a default value as a hint.
The optional maximum value means that if the client Endpoint's OS is of the expected type and its version is less than or equal to the maximum, the Posture Check succeeds. Both bounds are inclusive.
Example: OS Posture Checks with minimum OS version for multiple OS types
Example: OS Posture Checks with minimum and maximum OS version for multiple OS types
Process Posture Checks
The Posture Check for client Endpoint processes enables the administrator to ensure that specific processes, such as antivirus processes or others, are running and are valid executables. The binary verification of the process is optional and can be done by providing the hash or signer thumbprint or both. If all specified fields match the client Endpoint process's characteristics then the Process Check succeeds.
Example Process Hash Generation for Windows
The hash the Process Posture Check compares is a lowercase SHA512 hex digest of the executable on disk. Generate it in PowerShell with Get-FileHash:
(Get-FileHash -Algorithm SHA512 path/to/file).Hash.ToLower()
Using a variable for a path that contains spaces:
$filename = "C:\Program Files\Common Files\McAfee\Platform\McUICnt.exe"
(Get-FileHash -Algorithm SHA512 $filename).Hash.ToLower()
Or directly at the prompt:
PS C:\> (Get-FileHash -Algorithm SHA512 F:\Software\McAfee.com\Agent\mcagent.exe).Hash.ToLower()
Example Process Signer Certificate Thumbprint Generation for Windows
You can find it via the GUI by following these directions:
- Find the executable in Windows Explorer.
- Right click the file and click “Properties.”
- From the “Digital Signatures” tab, click on the listed signature, then click “Details.” A new window will appear.
- Click on “View Certificate;” another new window will appear.
- Click the "Details" tab, scroll down, and click on "Thumbprint".
- The thumbprint is then displayed in the lower pane.
You can add multiple processes per Process Check. Note that the Process Check passes if at least one of the listed processes is running (and matches its hash and/or signer thumbprint, where those were provided).
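The following PowerShell script is an added example, not NetFoundry's code, that reproduces the Process Posture Check locally for both the hash and the signer-thumbprint methods described above: for each expected process it reports whether a process with that executable path is running, the lowercase SHA512 of the file on disk, and the Authenticode signer thumbprint, then applies the rule that the check passes when at least one listed process is running and matches every value provided. The paths, hashes and thumbprints in $expectedProcesses are hypothetical placeholders.

```powershell
# Added example, not NetFoundry's code: reproduce the Process Posture Check locally.
# Expected values are hypothetical placeholders; copy the real ones from your
# Posture Check definition, or leave Sha512/Thumbprint empty to skip that comparison.
$expectedProcesses = @(
  @{ Path = 'C:\Program Files\PuTTY\putty.exe'; Sha512 = ''; Thumbprint = '' },
  @{ Path = 'C:\bin\ssh.exe';                   Sha512 = ''; Thumbprint = '' }
)

function Get-ProcessPostureFacts {
  # Returns what the client would report for one process path: whether a process
  # with exactly that executable path is running, the SHA512 of the file on disk,
  # and the thumbprint of the Authenticode signer certificate (if the file is signed).
  param([Parameter(Mandatory)][string]$Path)
  $running = [bool](Get-Process -ErrorAction SilentlyContinue |
               Where-Object { $_.Path -and ($_.Path -ieq $Path) } |
               Select-Object -First 1)
  $hash = $null; $thumb = $null
  if (Test-Path -LiteralPath $Path -PathType Leaf) {
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA512).Hash.ToLower()
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.SignerCertificate) { $thumb = $sig.SignerCertificate.Thumbprint.ToLower() }
  }
  [pscustomobject]@{ Path = $Path; IsRunning = $running; Sha512 = $hash; SignerThumbprint = $thumb }
}

function Test-ProcessPosture {
  # Evaluates each expected process; the check passes when at least one listed
  # process is running and matches every value (hash, thumbprint) that was provided.
  param([Parameter(Mandatory)][hashtable[]]$Expected)
  $results = foreach ($e in $Expected) {
    $f = Get-ProcessPostureFacts -Path $e.Path
    $hashOk  = [string]::IsNullOrEmpty($e.Sha512) -or ($f.Sha512 -eq $e.Sha512.ToLower())
    # GUI thumbprints are sometimes shown with spaces; strip them before comparing.
    $thumbOk = [string]::IsNullOrEmpty($e.Thumbprint) -or
               ($f.SignerThumbprint -eq ($e.Thumbprint -replace '\s', '').ToLower())
    $f | Add-Member -NotePropertyName Pass -NotePropertyValue ($f.IsRunning -and $hashOk -and $thumbOk) -PassThru
  }
  [pscustomobject]@{ Processes = $results; CheckPasses = ($results.Pass -contains $true) }
}

$outcome = Test-ProcessPosture -Expected $expectedProcesses
$outcome.Processes | Format-Table Path, IsRunning, Pass, SignerThumbprint -AutoSize
"Process Posture Check: " + $(if ($outcome.CheckPasses) { 'PASS' } else { 'FAIL' })
```

Get-AuthenticodeSignature returns the signer certificate's thumbprint as hexadecimal without spaces, which is the same value the "Digital Signatures" GUI path above shows, so it can replace the manual steps. A process that is running from a different path than the one configured is reported as not running, matching a failed check in the Console.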
Domain Posture Check
Membership of the client Endpoint in one of the expected Active Directory domains can be required using this Posture Check. The Domain Check is available for Windows only. Multiple domains may be entered separated by semicolons.
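The following PowerShell script is an added example, not NetFoundry's code, that serves the MAC Address, Operating System and Domain Posture Check sections above: it collects the device-side facts those checks evaluate (adapter MAC addresses, OS version, computer domain) and compares them locally against a check definition with the same semantics as the Console (any one MAC matches, inclusive OS version bounds, any one allowed domain matches). All values in $check are hypothetical placeholders.

```powershell
# Added example, not NetFoundry's code: gather the facts the MAC Address, OS and
# Domain Posture Checks evaluate and compare them locally against a check
# definition. All values in $check are hypothetical placeholders; copy the real
# ones from your Posture Check definitions.
$check = @{
  AllowedMacs    = @('00-11-22-33-44-55', '66:77:88:99:AA:BB')   # any one must match
  OsMinVersion   = [version]'10.0.19041'   # inclusive minimum, $null for none
  OsMaxVersion   = $null                   # inclusive maximum, $null for none
  AllowedDomains = @('corp.example.com')   # semicolon-separated in the Console
}

function Get-LocalPostureData {
  # Collects the device-side data as the client would report it.
  $cs = Get-CimInstance -ClassName Win32_ComputerSystem
  $os = Get-CimInstance -ClassName Win32_OperatingSystem
  [pscustomobject]@{
    MacAddresses = @(Get-NetAdapter -ErrorAction SilentlyContinue |
                     Where-Object MacAddress | ForEach-Object MacAddress)
    OsName       = $os.Caption            # e.g. "Microsoft Windows 10 Pro"
    OsVersion    = [version]$os.Version   # e.g. 10.0.19045
    Domain       = $cs.Domain             # workgroup name (usually WORKGROUP) when not domain-joined
    PartOfDomain = $cs.PartOfDomain
  }
}

function ConvertTo-MacKey([string]$Mac) {
  # Normalise "00-11-22-33-44-55", "00:11:22:33:44:55" and "001122334455" to one form.
  ($Mac -replace '[^0-9A-Fa-f]', '').ToUpper()
}

function Test-LocalPosture {
  param([Parameter(Mandatory)]$Data, [Parameter(Mandatory)][hashtable]$Check)
  $allowedMacs = @($Check.AllowedMacs | ForEach-Object { ConvertTo-MacKey $_ })
  $foundMacs   = @($Data.MacAddresses | ForEach-Object { ConvertTo-MacKey $_ })
  # MAC check: any one device address matching any one allowed address passes.
  $macPass = @($foundMacs | Where-Object { $allowedMacs -contains $_ }).Count -gt 0
  # OS check: both bounds are inclusive and each is optional.
  $osPass  = ($null -eq $Check.OsMinVersion -or $Data.OsVersion -ge $Check.OsMinVersion) -and
             ($null -eq $Check.OsMaxVersion -or $Data.OsVersion -le $Check.OsMaxVersion)
  # Domain check: the reported domain must equal one of the allowed domains.
  $domainPass = [bool]($Check.AllowedDomains | Where-Object { $_ -ieq $Data.Domain })
  [pscustomobject]@{
    MacAddressCheck = $macPass
    OsCheck         = $osPass
    DomainCheck     = $domainPass
    AllPass         = ($macPass -and $osPass -and $domainPass)
  }
}

$data = Get-LocalPostureData
$data | Format-List
Test-LocalPosture -Data $data -Check $check | Format-List
```

Run it on the device whose Posture Data in the Console looks wrong and compare the two: a PartOfDomain of False with Domain set to WORKGROUP means the machine is not joined to any domain, and a missing adapter address usually means the adapter was disabled or is virtual and was not enumerated.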
Managing / Editing Posture Checks
Select the "Posture Checks" button/menu option from main menu and the Posture Checks list screen will appear.
Export list of Posture Checks
Exporting a list of Posture Checks to a CSV file can be done by selecting one or more (or all, via the checkbox at the top of the "Name" column) and choosing the download option from the ellipsis menu.
Edit Posture Check
Edit a Posture Check and its settings by selecting the Posture Check name, or "Edit" on the ellipsis menu at the far right of the specific Posture Check.
Delete Posture check
Delete a Posture Check by selecting "Delete" on the ellipsis menu at the far right of the specific Posture Check. You will be prompted to confirm the deletion by typing in the name of the Posture Check.
Endpoint Posture Check Status / Debugging
To view the Posture Checks provisioned and active for a specific client endpoint, navigate to the Endpoint list screen and select an Endpoint. On the Endpoint details screen, select the Posture Data button in the upper left hand corner.
The Posture Check Data is shown as in the example below. It lists the active Posture Checks for the client endpoint, i.e. the Posture Checks applied to one or more AppWANs that the endpoint is a member of.
Note: if different AppWANs have different Posture Checks assigned, this window shows the union of all Posture Checks for the endpoint. To determine which apply to each AppWAN (and the services assigned to that AppWAN), refer to the specific AppWAN details page.
Checking Posture Check Status
If an endpoint cannot access a service, and the endpoint and service are both part of an AppWAN, open the details page for that AppWAN and note the Posture Checks assigned to it. The endpoint device must comply with all Posture Checks assigned to that AppWAN.
Then refer to the Posture Data for the Endpoint as shown below.
Example: AppWAN with the following Posture Checks assigned:
Domain Check: this box shows the configured Domain Check named domainCheck. It has two allowed values, listed under "Customer Configured Domains:".
The "Returned Domain(s)" shows the actual domain observed on the Endpoint device. The value "WORKGROUP" matches one of the allowed values, so this check passes. Note that WORKGROUP is the default workgroup name reported by a Windows machine that is not joined to any domain, so allowing it lets non-domain-joined devices pass the Domain Check.
Process Check: This box shows the configured Process Check named puttyprocesscheck.
This shows the process is running, so this check passes. The binary hash is also shown and must match the one provisioned in the Posture Check definition (if one was provided).
Example of a Process Check with the process not running (sshproccheck, defined as c:\bin\ssh.exe), which therefore fails the Process Check:
MAC Address Check: this box shows all MAC addresses found on the endpoint device. One of them must match one of the values provisioned in the MAC Address Posture Check (in this case named "macaddrcheck").
Note: refer to the Posture Check details page for the list of required/allowed MAC addresses.
That list is most likely too long to display here if a single Posture Check holds the MAC addresses of many users.
OS Check: this box shows the observed OS and OS version of the endpoint device. Refer to the provisioned OS Posture Check (in the above example "win10osvercheck") to determine the requirements of the OS Check and whether it passes.
If you have checked all the Posture checks and the proper ones pass, the service should be accessible from the Endpoint device.
If the service is not accessible, debug logs may need to be collected on the Endpoint device.
Posture Check Debug Data (Current View)
Currently the data is shown in the format below.
The raw data identifies the endpoint by "name".
The "postureData" section contains the individual checks, such as "mac" for the MAC address check. The "timedOut" field shows whether the check ran: the example below shows the MAC address check with timedOut = true, meaning the check did not complete and so cannot pass.
For the process check, "isRunning" = true means the process was found running.
For each check, timedOut should be false.
"osVersion": "Windows 10 Pro"