Impulse SafeConnect endpoint security policy management system

This system does NOT do digital rights management (DRM) in any way. It does not scan all the files on a computer. It does not report any user activity back to the server or to the manufacturer. What it does do is check to see if the installed programs and configuration meet the requirements of our network use policy. It then tells the server either “yes” this computer is in compliance, or “no” it is not.

The goal of this project is to enforce policies that have long been in place: computers attached to the EPHnet must have anti-virus software installed and must be up to date with security patches. Virus outbreaks over the last few years have made it plain that many people don’t see this as important, and the result has been a dramatically negative impact on everyone else using the network. The Impulse appliance is designed to be a policy enforcement system. The goal of the policies is to make the network safer and more reliable for all of us.

The way it works is this: information is passed from the central routers in our network to the Impulse appliance, which is located in an isolated subnet. The information tracked is the “from” and “to” address pair of each connection established across the network. Nothing more than that: just the addresses. If a “from” address appears that the Impulse does not recognize, it instructs the routers to redirect all traffic from the unknown computer to itself. When the user of that computer brings up a web browser, the Impulse responds to the initial attempt to contact the default home page. The user is presented with a web page that informs them about the policy and allows them to download the policy key. Because the Impulse appliance is “out of line” (that is, traffic does not flow through it), the worst result of a system failure is that users who fall out of compliance will not be quarantined; the system fails open rather than taking the network down.

The policy key is a small piece of software that runs in the background once installed. The policy key inserts no registry keys; a shortcut is put in the startup folder, easily accessible to the user, which launches the key on boot. (If you search the registry you will find a couple of references; those are put there by the Microsoft operating system to track what is running on the system.) When the key starts up it contacts the Impulse appliance on our network and downloads the parameters of the policies that we have defined. It looks to see whether specific registry keys exist, whether specific program files exist, and whether specific applications are running. Those specifics pertain to anti-virus software, Microsoft automatic update, and anti-spyware applications. The policy key uses practically no system resources; it does not automatically update itself every four hours the way antivirus software does. If the computer is taken off the Williams network the key goes dormant and has no impact on use of the computer.

The Impulse system has the ability to enforce policies forbidding the use of peer-to-peer file-sharing applications. It also has the ability to require a user to log in every time they attach to the network. Those features will not be turned on. Williams’ policy does not currently forbid the use of any specific software. We require people to log in when they register their computer on the network for the first time and feel that is enough.

Enforced Policies

Anti-virus software with up-to-date virus definition files must be installed and running on every computer on the network. Given the lack of major virus threats to Macintosh and Linux systems, we will only be enforcing that policy for computers running Microsoft operating systems. It is still the policy to have anti-virus software installed, and we still expect all Macintosh and Linux users to follow that policy. It’s only a matter of time before a damaging Mac or Linux virus is released. Anti-virus packages recognized by the Impulse system are:

  • Sophos
  • McAfee – various flavors
  • TrendMicro – various flavors
  • EZ Antivirus
  • Symantec – various flavors
  • AVG
  • Panda
  • AVGuard

All computers should have automatic update turned on for critical security patches. Nearly all Microsoft operating systems, Macintosh operating systems, and Linux systems have that ability and it should be turned on. Enforcement is as described for anti-virus.

We strongly recommend, but do not require, that people install anti-spyware software on their computers. There are a number of good programs out there for no cost: Microsoft’s Windows Defender beta, AdAware SE, and Spybot Search and Destroy are the ones we recommend.

Policy Enforcement

Antivirus: if antivirus software is not installed, the computer is blocked from network access. Access will be provided to a web page from which to download and install Sophos antivirus software, which we have site-licensed so that it is available to everyone at Williams for no charge (that’s no charge to you; Williams pays annually to license this software). If antivirus software is installed but the virus definition files are out of date, the user will be warned that they are out of compliance but not blocked from network access. If the virus definitions are not updated within a week of the first warning, the computer will be blocked. Impulse recognizes the antivirus packages listed under Enforced Policies above.

Automatic Update for security patches: if automatic update is not turned on, the user will be warned that they are out of compliance. If the condition is not rectified within 2 weeks of the first warning, the computer will be blocked from the network. Instructions will be provided for how to turn on automatic updates.

Anti-spyware: this is not a policy requirement. Users will be warned monthly if they are not running anti-spyware software; if that proves too intrusive, we will turn that feature off.
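To make the two halves of this page concrete, here is an added example (not Impulse’s own policy key and not OIT code) of a minimal policy key written in PowerShell. It performs the three kinds of check described earlier (does a registry key exist, does a program file exist, is a process running) and then applies the grace periods stated in this section: missing or stopped antivirus blocks at once, stale definitions warn and then block after 7 days, automatic update off warns and then blocks after 14 days, and missing anti-spyware only warns, at most monthly. The vendor registry path, file names, process names, the 3-day definition-age threshold and the state-file location are all placeholders (assumptions); a real key would use the parameters it downloads from the appliance. The AUOptions value it reads is Microsoft’s documented Automatic Updates setting.

```powershell
# Added example, not Impulse's or Williams OIT's code: a minimal "policy key".
# Checks: registry key exists, program file exists, process running.
# Enforcement (from this page): AV missing/stopped -> Block now;
#   AV definitions stale -> Warn, Block 7 days after first warning;
#   Automatic Updates off -> Warn, Block 14 days after first warning;
#   no anti-spyware -> Warn only, at most once a month.
# ASSUMPTIONS: 'ExampleAV', 'ExampleAntiSpyware', the file names, the 3-day
# definition-age threshold and $StateFile are placeholders.  Like the real
# key, nothing below writes to the registry; first-warning dates go to a file.

$StateFile = Join-Path $env:LOCALAPPDATA 'policykey-state.xml'

# AUOptions under this key is Microsoft's documented Automatic Updates setting:
# 1 = disabled, 2 = notify before download, 3 = download then notify, 4 = install automatically.
$AuKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

$Policies = @(
    @{ Name = 'AntiVirusInstalled'; Required = $true; GraceDays = 0
       Test = { (Test-Path 'HKLM:\SOFTWARE\ExampleAV') -and
                (Test-Path (Join-Path $env:ProgramFiles 'ExampleAV\avscan.exe')) } }
    @{ Name = 'AntiVirusRunning'; Required = $true; GraceDays = 0
       Test = { [bool](Get-Process -Name 'ExampleAVService' -ErrorAction SilentlyContinue) } }
    @{ Name = 'AntiVirusDefsCurrent'; Required = $true; GraceDays = 7
       Test = { $defs = Get-Item (Join-Path $env:ProgramFiles 'ExampleAV\defs.dat') -ErrorAction SilentlyContinue
                [bool]$defs -and ((Get-Date) - $defs.LastWriteTime).TotalDays -le 3 } }
    @{ Name = 'AutomaticUpdates'; Required = $true; GraceDays = 14
       Test = { $au = Get-ItemProperty -Path $AuKey -ErrorAction SilentlyContinue
                [bool]$au -and $au.AUOptions -ge 2 } }
    @{ Name = 'AntiSpyware'; Required = $false; GraceDays = 0
       Test = { [bool](Get-Process -Name 'ExampleAntiSpyware' -ErrorAction SilentlyContinue) } }
)

function Get-PolicyState {
    # rule name -> date of the first warning (or last monthly nag)
    if (Test-Path $StateFile) { Import-Clixml -Path $StateFile } else { @{} }
}

function Invoke-PolicyCheck {
    param([datetime]$Now = (Get-Date))
    $state = Get-PolicyState
    $rules = foreach ($p in $Policies) {
        if (& $p.Test) {
            $state.Remove($p.Name)                  # back in compliance: the clock resets
            $status = 'Compliant'; $days = 0
        } else {
            $first = -not $state.ContainsKey($p.Name)
            if ($first) { $state[$p.Name] = $Now }  # first warning is issued now
            $days = [int][math]::Floor(($Now - $state[$p.Name]).TotalDays)
            if ($p.Required) {
                $status = if ($days -ge $p.GraceDays) { 'Block' } else { 'Warn' }
            } elseif ($first -or $days -ge 30) {
                $status = 'Warn'; $state[$p.Name] = $Now   # monthly nag, then quiet
            } else {
                $status = 'Quiet'
            }
        }
        New-Object PSObject -Property @{ Rule = $p.Name; Status = $status; DaysOut = $days }
    }
    $state | Export-Clixml -Path $StateFile
    $overall = if ($rules | Where-Object { $_.Status -eq 'Block' }) { 'Block' }
               elseif ($rules | Where-Object { $_.Status -eq 'Warn' }) { 'Warn' }
               else { 'Compliant' }
    New-Object PSObject -Property @{ Overall = $overall; Rules = $rules }
}

# What the key would report to the appliance: the page's "yes" / "no",
# plus whether the grace period has run out.
$report = Invoke-PolicyCheck
$report.Rules | Format-Table Rule, Status, DaysOut -AutoSize
"Compliant: $($report.Overall -eq 'Compliant')   Blocked: $($report.Overall -eq 'Block')"
```

Run it as the logged-in user; every check is a read (registry reads under HKLM, file timestamps, the process list), so it needs no elevation, and the only thing it writes is the small state file that remembers when the first warning was issued. Passing a different `-Now` to `Invoke-PolicyCheck` lets you walk the timeline forward and confirm that a stale-definitions warning turns into a block on day 7 and an automatic-updates warning on day 14, without waiting for the calendar.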

If any computer falls out of compliance, OIT staff will contact the owner and offer to help them correct the situation.