Do you REALLY need hostchecker? Check out this idea and philosophy..



  • 😄

    Yo, in this brave new NAC world (Network Admission Control), the marketing talkers tell you that the devil is outside on users' end devices and will spit into your network when connecting via VPN.

    Yeah, this could really happen.
    But how many users reside INSIDE your network day by day, several thousand?
    And how many come from remote? A dozen perhaps? So the chance of getting an “infection” is much higher from the inside.

    But now to the point…

    Most companies have a centralized antivirus domain inside the network; antivirus software is controlled.
    So, what about the idea of not checking remote clients for antivirus, updates etc. and giving them a chance for remediation (which costs much time, and you cannot tell me that this ALWAYS runs smoothly!!!), but only checking IF THIS IS ONE OF YOUR CORPORATE CLIENTS before you give the end device login to your network.

    You can do this simply with client certificates.
    So - IF the client certificate is presented to the IVE, the client can get access. Why?
    Well - as it's a company end device, you can be sure there is antivirus software on it - IT'S UNDER YOUR CONTROL.
    So WHY check additionally for antivirus, when it's ENOUGH and MUCH MORE STABLE to live without host check?

    Marketing makes people scared - but very often people close their eyes to the things which are really scary…



  • Certificates, two-factor auth and an inline IDP are my preferred method. Host checker software just increases the attack surface on the endpoint client.



  • ping-pong-ping-pong-ping…



  • Software working as intended isn’t “lucky”.  It isn’t even “abnormal”  😉



  • Oh, this thread gets to some kind of weird “ping-pong-ping-pong” game. 🙂
    If you are lucky with hostchecker, then use it!
    I am lucky without it.



  • You really aren’t very good at reading. Yes, we have more than 99% success rate with host checker. We get no more than 1-2 calls per day on it unless someone is testing things in lab and there is a misconfiguration. Out of 4000-6000 users depending on the day, that isn’t bad.

    If our CEO had an urgent meeting he wouldn’t be at home, and if he was at home he’d then just click on his file share link that we also publish.

    The fact that you can’t seem to manage/configure your user devices to work with your third party apps is not necessarily the fault of the third party. Don’t tell others not to do something just because your uptimes are awful.



  • 99.99%? Are you sure?
    So if the CEO of your company has a meeting and urgently needs some documents from the home network, he will be happy to wait for some minutes till the remediation phase is done (hoping that everything will work fine…). I would like to have your CEO! Muahahaha.

    Anyway - everyone has his own opinion and experience.



  • While your users send out their viruses, mine have automatically been updated before logging in. There is no need for IT to step in; they go onto a network with just updates available, and get their updates.

    But we also have over 99.99% success with host checker, and you can’t seem to hit 80%.



  • Well, everyone has his personal experience and opinion.
    To me it's safe enough to check if it's a corporate client device - for you this is not enough.
    So what - check your hosts and send them to remediation if the check fails; if your IT management wants it that way, then enjoy it. While your clients wait till remediation/update is ready, my users are working.
    🙂



  • And what most of us are saying is that you’re doing something wrong if you’re completely throwing out your security because you can’t configure it well enough to have more than 80% uptime.

    You can throw out security all you want, but I often see 4000+ user connections throughout the week and < 40 calls about hostchecker.

    We don’t wear helmets but we certainly wear seat belts, use car seats, and like to have the police watching for speeders.



  • Yes, I understand all these arguments, and some years ago I also believed in things like “policy enforcement” etc.
    It depends on the company and philosophy - there is no “right” or “wrong”.

    In most companies, AVAILABILITY has higher priority than ABSOLUTE SECURITY.
    That a client does not have current AV signatures must NOT mean that it is infected.
    Even if a client is infected, that does not automatically mean that it will do much harm and require expensive, time-intensive “cleaning” actions.
    In 5 years you may have 1 or 2 situations where “current” worms “could” do real harm and infect many, many clients on company networks. But should I use complicated, admin-intensive applications DAY BY DAY only because this COULD happen?

    It's a question of INVESTMENT and RETURN ON INVESTMENT.

    Do you wear a helmet when driving in your car? No? WHY NOT?



  • @spacyfreak:

    Yes, on maybe 80% of the users hostchecker worked, but on too many clients it simply hangs; they cannot log in and call support.

    Sounds like your client devices have some larger issues than netconnect if you’re down as far as 80% connection success rate.

    @spacyfreak:

    Or even IF the client is infected, that must not be a work. When a client comes to the company with a notebook which has no current antivirus signatures, he can also connect to the LAN; you can't prevent this.

    You should probably consider checking for this and creating a quarantine VLAN that allows your clients to clean/update their devices.

    @spacyfreak:

    Do you drive a car with a helmet? To me, the seat belt and airbags are enough.
    Sure, it would be MORE secure to have a helmet - but why does nobody use it?

    Hostchecker can act as your safety belt just fine. A certificate on your client device only tells me the person who just drove a car through the building was driving a company car; it doesn’t stop them from damaging the building though.



  • Hi,
    you don't need Hostchecker to check for a client cert - you can do this in role mapping rules and map only users who have a valid cert to your access role.
    But then the client cert has to be installed for the current user and not for the “local computer”, as it has to be transmitted when logging in via web browser.

    Then you would not need hostchecker, as it brings additional complexity into the game; I do role mapping with client certificates and it works like a champ.



  • Hey Spacey

    I do what you suggest, but I check for a computer certificate using HostChecker. I think it makes sense to use client certs, but we don’t currently auto-enroll these. The great thing about a computer cert is you get it when your computer joins the domain and it is updated transparently. A user can use a loaner laptop and still log in since a user cert is not needed.

    I agree with your logic. What’s the difference between a company computer connecting remotely or locally? I don’t scan them locally before they plug into the network. I disabled virus scan checking when they switched from date range to versions. This was too painful, and we abandoned it.

    The hot setup would be to support computer certs without needing host check. That would be AWESOME.

    -=Dan=-



  • You are right in some way, but it's also about risk management. If someone breaks down your net or steals important data, the cost will be a lot higher than the expenses you put into your IT security.

    When a client comes to the company with a notebook which has no current antivirus signatures, he can also connect to the LAN; you can't prevent this

    Some NAC solutions are able to check your antivirus as well.

    We use NAC and so far we did not experience huge problems where people are not able to work. Let me explain with the example of a new notebook. The notebook admins configure new notebooks only at some specially configured ports, so-called “learning ports”. These automatically check the MAC address and add it to a huge database. The notebook gets configured and sent to the user. The user can work anywhere; his MAC is allowed.

    The other advantage is your inventory! There's another branch with a huge amount of inventory maintenance. If a user changes his workplace and takes his machine with him, you get informed about it (only informed; it won't block that PC at another place), so you always know where your hardware is. Now you'll say “we have that without NAC”, but we didn't. It was just not working, because people are moving without any information and you don't know where your hardware is located. That surely only counts for PCs, notebooks and printers.

    Also, if hostchecker checks for the age of antivirus - why should I force a user to do remediation to update antivirus before login, though the client is not infected?

    Because if your antivirus is not up to date, the machine could be infected with a virus the old definition does not know, so the scan is negative. With the latest definition it could be positive, so you force the user to update. But I mean, what is “force” in this case? Force can be an automatic process that starts and updates the machine when it is online, without user interaction.



  • So in my eyes, it could be great to find out how much TIME and MONEY is invested in NAC from the admin and user side, and how much MONEY and TIME is safely cut down by using it.
    I think the balance is not right, in my experience. It also depends on the business.
    In a bank, you need different security than in other companies.



  • Yes, on maybe 80% of the users hostchecker worked, but on too many clients it simply hangs; they cannot log in and call support. Also, if hostchecker checks for the age of antivirus - why should I force a user to do remediation to update antivirus before login, though the client is not infected?
    Or even IF the client is infected, that must not be a work. When a client comes to the company with a notebook which has no current antivirus signatures, he can also connect to the LAN; you can't prevent this.

    Yes, the theory is great, but people have to WORK.
    Security is not the only thing in the world (though it's important).

    Do you drive a car with a helmet? To me, the seat belt and airbags are enough.
    Sure, it would be MORE secure to have a helmet - but why does nobody use it?



  • Hey spacefreak,

    Hmm, actually NAC is not that complicated. You know what happens in your physical network, and if someone is blocked, then for a good reason (correct configuration required, for sure).

    You are right about the balance; it's just about the rules you have at your company. But when you say it “can be insecure”, that means to me that there is the possibility that something bad could happen, and why let this possibility persist if there's a way of avoiding it? Okay, the argument with 2000 users calling is fine, but at our SA4000 users are only calling when upgrading the IVE OS, because only this causes problems for us. The hostchecker itself is working for our users.

    If someone is calling because his machine does not fit the requirements, well, then it's the job of the notebook/client branch to configure the machines consistently, so that they are fine with the HC conditions.

    If hostchecker blocks, then again, for a good reason; that's what I want it to do and that's what I'm using it for 😉

    What kind of problems are you experiencing with the hostchecker? Why are people calling that often because of it? Is it really because of the application itself, that it causes errors or breaks something down?



  • Hi rdit,
    yes, I know all these arguments. Sure - it “can” happen that an external company end device which has not been inside to upgrade patterns can be “insecure”.
    But as “usually” users on company devices have restricted rights, and antivirus is installed, the risk is not sooooo high in my eyes that I would burden the users and myself with the hostchecker.

    OK, if hostchecker worked STABLY in any case, and if it worked FAST, we could talk about it.
    But I cannot handle 2000 users who call support every 4 minutes because hostchecker does not work as expected!

    It's always about finding the right balance between “real” (!!) risk and administrative overhead.
    And the decision which “balance” is the right one always depends on the local IT politics.

    I would prefer 802.1X authentication in the LAN, but NO NAC checking, as this is way too complicated, and users can get really angry if “security mechanics” lock them out though they have not done anything wrong.



  • We are using NAC because of the danger of internal attacks and unknown hardware, as you mentioned in your post. That's for the internal part of security. Unknown hardware is no longer able to connect to our LAN. But don't forget: lots of NAC solutions provide the possibility to perform host checks as well! Why? Because only accepting hardware because of its origin (the company's own hardware) isn't safe either. It doesn't tell you if an antivirus is up to date. It doesn't tell you when the last full check has been performed. Same thing for the IVE host check solution. It just gives you lots more opportunities.

    By only checking for a certificate, you can just say: he is allowed to connect to the network or he is not. Using the hostchecker permits you to do more selective rulesets: if a user doesn't have the up-to-date virus definitions, he's still able to read the intranet news. Or something like that.
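
The two policies argued over in this thread, cert-only role mapping (map to an access role only when the presented client certificate chains to the corporate CA) and the graduated host-check ruleset from the post above (stale AV signatures narrow the role instead of blocking login), as an added example in Go; this is not code from the IVE or from any poster. The corporate CA, the device names, the role names and the 7-day signature-age threshold are assumptions, and the PKI is constructed in memory for the demo.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// Posture is an optional host-check result; nil means no host check ran.
type Posture struct{ AVSignatureAge time.Duration }
// MapRole: the cert must chain to the corporate CA with the client-auth EKU; a posture result, if any, narrows the role.
func MapRole(leaf, corpCA *x509.Certificate, p *Posture, now time.Time) string {
	roots := x509.NewCertPool()
	roots.AddCert(corpCA)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return "denied" // not a corporate device, expired, or wrong EKU
	}
	if p != nil && p.AVSignatureAge > 7*24*time.Hour {
		return "intranet-only" // corporate device, but stale AV signatures (assumed threshold)
	}
	return "full-access"
}
// issue signs tmpl with parentKey, or self-signs it when parent is nil.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// DemoPKI builds a constructed corporate CA, a device cert it issued, and a self-signed cert from a non-corporate device (placeholder names, not a real PKI).
func DemoPKI(now time.Time) (corpCA, corpDev, foreignDev *x509.Certificate) {
	tmpl := func(cn string, ca bool) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: ca,
			BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	}
	corpCA, corpKey := issue(tmpl("Example Corp Device CA", true), nil, nil)
	corpDev, _ = issue(tmpl("laptop-0001", false), corpCA, corpKey)
	foreignDev, _ = issue(tmpl("laptop-0001", false), nil, nil)
	return corpCA, corpDev, foreignDev
}
```

A device presenting a certificate from any other issuer, or an expired corporate certificate, is denied before any posture logic runs; only a device that already proved corporate ownership can be narrowed to the intranet-only role.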

