on 03-29-2023 06:26 AM - edited on 03-29-2023 06:31 AM by jforsythe
Hello everyone and welcome to another episode of PANCast. Today we will discuss Host Information Profile or HIP for short. This feature is all about checking the security posture of an endpoint and is used with remote access VPN, so GlobalProtect with either on-premise firewalls or with Prisma Access. One thing to be aware of though is it requires an additional license for on-premise setup. As this is a feature that is often overlooked let me start with an example.
Most of your staff are working in a hybrid way, so sometimes in the office and sometimes at home using GlobalProtect to connect back into the office. Unfortunately, you have just had a security incident. Now the fun starts with doing the analysis to work out where it came from and how it got in. After a significant amount of time and effort you find where it started and you’re quite shocked to find it was from a user's laptop that was still running Windows 7. Not only that, but some of the other software on the laptop was also very out of date and therefore would have had a number of well-known vulnerabilities.
What if you could capture all of this endpoint information and decide what is compliant and what is not? And then based on this information, determine what that endpoint has access to? Well that’s where HIP comes in and it is exactly what it can do.
HIP data is collected by the GlobalProtect client and it actually collects a large amount of host information. It is done periodically and the client can then send the reports to the gateways. What is collected can be configured as well and it includes things like the hostname, the OS version and the domain. We then have individual categories for collecting specific data on things like patch management, firewall, anti-malware and disk encryption plus a few others. All of this gets collected and sent as a HIP report.
Once we have this HIP report, what can we do with it? The first thing is we can start getting logs to show the details of specific workstations. This is where HIP objects and HIP profiles come into play. A HIP object is simply a check against one of those pieces of information we collect in the HIP report. As an example, we have a HIP object to match on any workstation that is running Windows 7. We have another HIP object to match when a workstation is running Anti-malware and the latest definition file is less than a day old. We can have a lot of these HIP objects. A HIP profile is simply a collection of these HIP objects. So I create a HIP profile called “Windows non compliant” and on that profile I specify to match the following. If it is a Windows 7 workstation, or if it does not have the latest Windows patches, or if it does not have anti-malware software enabled, or disk-encryption is not enabled. So if any one of these things are true for the workstation, it will match my HIP profile called “Windows non compliant”. I can now check my HIP match logs to see if there are any non compliant machines connecting based on my HIP configuration.
So this is great as I have visibility, but let’s go a step further. If I think these non compliant systems are a danger, I can add security policies to limit what those workstations can access. That could mean not allowing the workstation to access anything at all, or perhaps letting it access just the update servers so it can at least get the newer patches, and so on. So you can see we can now have very specific HIP match profiles and then also very specific access policies for the workstations that match those HIP profiles. You can also use HIP to quarantine a device. This can be used to actually block a specific device from being able to log in, and it can be set up to automatically quarantine the device based on a HIP match. There are other ways you can add a device to the quarantine list other than HIP, but I won’t go into that here as you can read more about it in our admin guides.
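To make the object, profile, log and policy chain from the last two sections concrete, here is a small added model of it in Python. This is illustrative code written for this transcript, not the firewall's or GlobalProtect's own implementation; the report fields, object names and the "update-servers-only" outcome are assumptions, and the sample reports are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed HIP report: a small subset of the host information the
# GlobalProtect client collects (hypothetical field names, not the real schema).
@dataclass
class HipReport:
    hostname: str
    os_version: str                   # e.g. "Windows 7", "Windows 10"
    patches_current: bool             # latest Windows patches installed
    antimalware_enabled: bool
    definitions_date: Optional[date]  # date of the newest anti-malware definition file
    disk_encrypted: bool

# HIP objects: each one is a single check against a field in the report.
def definitions_stale(r: HipReport, today: date, max_age: timedelta = timedelta(days=1)) -> bool:
    """Stale unless the newest definition file is less than a day old (or missing)."""
    return r.definitions_date is None or today - r.definitions_date >= max_age

HIP_OBJECTS = {
    "windows-7": lambda r, today: r.os_version == "Windows 7",
    "missing-patches": lambda r, today: not r.patches_current,
    "antimalware-disabled": lambda r, today: not r.antimalware_enabled,
    "stale-definitions": definitions_stale,
    "disk-not-encrypted": lambda r, today: not r.disk_encrypted,
}

# HIP profile "Windows non compliant": matches if ANY of its objects match (OR).
NON_COMPLIANT_PROFILE = ["windows-7", "missing-patches", "antimalware-disabled",
                         "stale-definitions", "disk-not-encrypted"]

def evaluate_profile(report: HipReport, today: date, profile=NON_COMPLIANT_PROFILE) -> list:
    """Return the names of the profile's HIP objects that this report matches."""
    return [name for name in profile if HIP_OBJECTS[name](report, today)]

def access_decision(report: HipReport, today: date) -> dict:
    """Produce a HIP-match style log record plus the access outcome: a matching
    (non compliant) host only reaches update servers; a clean host gets normal access."""
    matched = evaluate_profile(report, today)
    return {"hostname": report.hostname,
            "profile": "Windows non compliant" if matched else None,
            "matched_objects": matched,
            "allowed": "update-servers-only" if matched else "corporate-network"}

TODAY = date(2023, 3, 29)  # constructed evaluation date
SAMPLE_REPORTS = {  # constructed endpoints
    "old": HipReport("LAPTOP-OLD", "Windows 7", False, True, date(2023, 3, 20), False),
    "good": HipReport("LAPTOP-NEW", "Windows 10", True, True, TODAY, True),
}
```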
OK, so that is an overview of HIP and what it can do. It is very powerful and very flexible and really depends on what you want to achieve. There are a couple of things I want to briefly go through though as these are important to note.
Firstly, as I mentioned, this is for use with GlobalProtect as it is the GlobalProtect client that collects and provides the HIP information. In most cases this means it is for remote access VPN. There are ways you can use this even when users are on the corporate network but it is a bit more involved, for example you will need internal gateways.
Secondly, which endpoints can you collect HIP information from? The biggest use case is Windows and Mac, and these have the most options for the information you can collect. Linux is supported as well, but with minimal host information collected. When it comes to mobile devices we can collect HIP information, but there is a requirement that the devices are managed by an MDM system. This is what allows us to collect the detailed information. We can still collect some limited host information from an unmanaged device, but most of the detailed HIP information needs an MDM.
Right, that covers HIP and what we can use it for. As I mentioned at the start, it is a feature that is often overlooked but if you are running GlobalProtect go and have a look. Even if you don’t start with controlling access but just configuring some HIP objects and profiles, it will give you some valuable information on the status of your endpoints.
So the key takeaway for this episode is really understanding that HIP is available. It gives you endpoint information and posture checks when you are running GlobalProtect. And of course there are considerations before you jump in and configure it.
I hope you have learnt something new and I hope you are enjoying the series. Remember the transcript and additional links can be found at live.paloaltonetworks.com and importantly for those of you that like listening on the go, we are now on a number of popular podcasting platforms including Spotify, Apple, Google and Amazon. So remember to follow PANCast however you choose to listen. Bye for now.
Check out the full PANCast YouTube playlist: PANCast: Insights for Your Cybersecurity Journey.