This guide introduces the concept of Security Posture Checks for ensuring client devices are operating within the proper system requirements defined by the Network Administrator before accessing services provided by the NetFoundry Network.
The Posture checks provided for selection are the following:
- defined operating system and min/max version
- required processes (such as anti-virus programs) are running and have validated program signatures
- device MAC addresses are checked against a list of valid/known MACs
- domains the device is logged into are valid/approved
Using Posture Checks
Any or all of the Posture Checks can be defined and added to an AppWAN via the use of Attributes. A Posture Check may be assigned a group attribute, which the Console Administrator can add during provisioning. A group attribute is preceded with a "#" symbol. The same group attribute can be added to multiple posture checks so that they are assigned as a whole to an AppWAN.
A single Posture Check can be referred to by its own component attribute, which is provided automatically and preceded with a "@" symbol. These can also be assigned to an AppWAN.
For more information about AppWANs and their provisioning, see the following: Create and Manage AppWANs
An example AppWAN edit Screen is shown below. Multiple Services, Endpoints, and Posture Checks can be added with attributes as shown.
When a Posture check attribute is added to an AppWAN, any endpoints (which represent a Client device) in that AppWAN must conform/pass all the applicable Posture Checks related to that attribute. Multiple Posture Checks (singular or via group attributes) can be added to an AppWAN.
The same Posture Check can be added to multiple AppWANs. A Posture Check controls access only to the services of the AppWAN to which it is added, for each endpoint assigned to that AppWAN. AppWANs can therefore be provisioned so that an endpoint has access to some services and not others, based on differing posture check requirements.
A Posture Check is applicable only when it matches the device. For example, the Operating System (OS) posture check for macOS does not apply to Windows devices, while the Windows OS posture check applies to Windows devices, and so on.
Posture Check Enforcement
Any Posture Checks that are assigned to an AppWAN are relayed to the Endpoints that are also assigned to that AppWAN. The client device, via the NetFoundry application, checks each of the conditions in the applicable Posture Checks and reports the status of each check. The Network Controller validates that all posture checks pass before allowing the client device to access that service. This enforcement is part of the Zero Trust model.
If a client device is in multiple AppWANs, the device must comply with only the Posture Checks defined in a given AppWAN to access the corresponding services in that AppWAN.
Note: The local device User Interface will still show all services for its endpoint identity, regardless of whether it is in compliance with the Posture Checks. Additional statuses will be added to the Console for Endpoint Posture Check data to aid the Network Administrator with identifying the Posture Check conditions for each endpoint (identity).
Each Posture Check currently available is described in more detail below.
In addition, the Posture Check status that is provided is detailed below.
Creating Posture Checks
After logging in to the NetFoundry console with the credentials for your organization, select your network from the main Network menu pulldown. The main menu is exposed by selecting the green globe at the upper left.
Then select the Posture Checks button/menu option.
The "Manage Posture Checks" page with a summary/list of existing Posture Checks will be shown.
Initially this page will be empty; select the blue "+" button to add a new Posture Check.
MAC Address Posture Check
A MAC Address Posture Check lists one or more MAC addresses. The client device must have one of the listed MAC addresses as its own to use the services of the AppWAN for which the posture check is selected. Only one of the listed MAC addresses needs to match: the client may have several addresses, and several entries in the list may match the client.
Operating System (OS) Posture Checks
Operating System (OS) Posture Checks can be created for one or more Operating Systems in the same Posture Check definition. The Posture Check only applies to the OS type of the client device; entries for other OS types are not checked against a device whose operating system type does not match them.
OS Version Specification
The minimum OS version for a client endpoint can be entered in the "MIN VERSION" field. If the Client Endpoint OS is of the selected type and has a version equal to or higher than this value, the posture check passes. MIN VERSION is required; a default value is already shown as a hint.
The "MAX VERSION" field is optional. If MAX VERSION is specified, both MIN VERSION and MAX VERSION are checked for the posture check to pass for the specified OS type. With MAX VERSION set, the posture check also requires the version of the client endpoint to be less than or equal to the specified MAX VERSION.
Example: OS Posture checks with Minimum OS Version for Multiple OS types
Example: OS Posture checks with Minimum and Maximum OS Version for Multiple OS types
Process Posture checks
The Posture Check for Client Endpoint Processes enables the Administrator to ensure that specific processes, such as antivirus processes or others, are running and are valid executables. The binary verification of the process is optional and can be done by providing the hash and thumbprint.
If all specified fields match the client endpoint process characteristics, the process check passes.
Example Process Hash calculation for Windows
Example Process Signer Certificate Thumbprint Generation for Windows
Domain Posture Check
Membership of the client endpoint in one of the listed domains can be required using this posture check. The domain check is available for Windows, and the Windows client's domain must match one of the listed domains to pass the posture check. Domains can be entered separated by semicolons.
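As an added example (not NetFoundry's code), the following Python evaluator implements the pass/fail semantics described above for the MAC, OS version, process and domain checks: MIN inclusive and MAX optional and inclusive, any one MAC matching, a running process with optional hash and signer thumbprint, and a semicolon-separated domain list. The check and endpoint field names, the Windows-only domain rule yielding "not applicable" elsewhere, and the placeholder hash value are assumptions constructed for illustration.

```python
# Check/endpoint field names and sample values below are assumptions for illustration.
def parse_version(v, width=4):
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (width - len(parts)))  # '10.0' compares equal to '10.0.0.0'

def os_check(check, ep):
    spec = check["os"].get(ep["os"])
    if spec is None:
        return None  # OS type not listed in the check: it does not apply to this device
    v = parse_version(ep["osVersion"])
    if v < parse_version(spec["min"]):  # MIN VERSION is required and inclusive
        return False
    return "max" not in spec or v <= parse_version(spec["max"])  # MAX optional, inclusive

def mac_check(check, ep):  # passes if any one of the device's MACs is on the list
    allowed = {m.lower() for m in check["macs"]}
    return any(m.lower() in allowed for m in ep["macs"])

def process_check(check, ep):  # must be running; hash/thumbprint only compared when set
    proc = ep["processes"].get(check["path"])
    if not proc or not proc["running"]:
        return False
    return all(not check.get(k) or check[k].lower() == (proc.get(k) or "").lower()
               for k in ("hash", "thumbprint"))

def domain_check(check, ep):  # Windows-only; assumed not applicable on other OS types
    if ep["os"] != "Windows":
        return None
    allowed = {d.strip().lower() for d in check["domains"].split(";") if d.strip()}
    return ep.get("domain", "").lower() in allowed

HANDLERS = {"os": os_check, "mac": mac_check, "process": process_check, "domain": domain_check}

def evaluate(checks, ep):  # True = pass, False = fail, None = not applicable to this device
    return {c["name"]: HANDLERS[c["type"]](c, ep) for c in checks}

def access_allowed(results):  # services are reachable only when no applicable check failed
    return all(r is not False for r in results.values())

# Constructed sample: one group of checks attached to an AppWAN, and one Windows endpoint.
CHECKS = [
    {"name": "@os-baseline", "type": "os",
     "os": {"Windows": {"min": "10.0"}, "macOS": {"min": "12.0", "max": "14.9"}}},
    {"name": "@corp-macs", "type": "mac", "macs": ["00:11:22:33:44:55", "AA:BB:CC:DD:EE:FF"]},
    {"name": "@av-running", "type": "process", "path": r"C:\Program Files\AV\av.exe",
     "hash": "0123abcd", "thumbprint": None},  # placeholder hash, not a real value
    {"name": "@corp-domains", "type": "domain", "domains": "corp.example; lab.example"},
]
ENDPOINT = {"os": "Windows", "osVersion": "10.0.19044", "domain": "CORP.EXAMPLE",
            "macs": ["aa:bb:cc:dd:ee:ff", "02:00:00:00:00:01"],
            "processes": {r"C:\Program Files\AV\av.exe": {"running": True, "hash": "0123ABCD"}}}
```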
Managing / Editing Posture Checks
Select the "Posture Checks" button/menu option from main menu and the Posture Checks list screen will appear.
Export list of posture checks
Exporting a list of posture checks to a CSV file can be done by selecting one or more (or all, by selecting the top bubble at the top of the "Name" column) and then selecting the ellipsis menu to download the list.
Edit Posture check
Edit a Posture Check and its settings by selecting the posture check name or "Edit" on the ellipsis menu on the far right of the specific Posture Check.
Delete Posture check
Delete a Posture Check by selecting the "Delete" option on the ellipsis menu on the far right of the specific Posture Check. The user will be prompted to confirm the deletion by typing in the name of the posture check.
Endpoint Posture Check Status
To view the Posture Checks provisioned and active for a specific client endpoint, navigate to the Endpoint list screen and select an endpoint. On the Endpoint details screen, select the Posture Data button in the upper left hand corner.
Posture Check Status ...Coming soon
The Posture Check Data will be shown as in the example below. This will show the active Posture checks for the client endpoint.
Posture Check Debug Data Current view
Currently the data is shown in the format below.
This raw data identifies the endpoint "name".
The "postureData" section contains posture checks such as "mac" for the MAC address check. The "timedOut" field shows the check run status. The example below shows the MAC address check with timedOut = true, which means it failed to run.
For the process check, "is Running" = true means the check passed.
For each check, the timedOut should be false.
"osVersion": "Windows 10 Pro"
Windows Edge Client Debug for Endpoint Posture Checks
For more information on collecting detailed debug information on Posture Checks, refer to Troubleshooting Windows Desktop Edge.
That page details how to collect detailed logs for the Windows client. This information can be used to ascertain the state of posture checks and determine if and why they are passing or failing on the specific Windows client.