
Overview

Current Roaming Version

v1.1.0.8

The ThreatSTOP Roaming solution provides DNS firewall protection to endpoint users, even when they are not connected to their corporate network.

ThreatSTOP's DNS and IP firewall services secure the boundary of a network and all devices on that network. ThreatSTOP Roaming protection secures individual Windows or OS X endpoints, allowing ThreatSTOP to protect these devices when they are roaming outside of your corporate network.

This document explains how to set up ThreatSTOP Roaming Devices in the portal and the Roaming client on your users' Windows and OS X based devices. It also explains how to integrate ThreatSTOP Roaming Devices into your network security profile. Finally, it covers system requirements (OS and hardware) and which DNS services are compatible with the system.

Portal Setup

Roaming setup is handled primarily through the ThreatSTOP Portal. Setting up a roaming device in the portal generates a license key file that is used to activate a group of endpoint devices sharing the same security policy. The key authorizes protection for the licensed number of devices. To purchase licenses for additional endpoints, please contact our Sales team (sales@threatstop.com). ThreatSTOP Roaming and ThreatSTOP's DNS Firewall can share the same custom policies and lists*. The portal also allows rapid remediation of an endpoint by identifying the device by its hostname or serial number in the Roaming Report system.

Note:

* Please be advised that on average 100,000 addresses in a policy consume approximately 50 MB of RAM; take this into consideration when configuring a custom policy.

Setup requires the following information about the endpoint client be provided to ThreatSTOP:

Important

Roaming Device setup requires a Policy to exist before the device is set up. Please review DNS Firewall Policy Creation for more information.

  • Nickname: An easily recognizable name for the device being added.
  • Hardware Identifier: Choose the hardware identification method your clients will use. The available methods are:
    • Hostname: The hostname of the roaming device, which is unique within each network. In *nix environments (and OS X) this name is displayed after the user name and before the command prompt on the CLI; in the prompt documentation@threatstop:~$ the username is documentation and the hostname is threatstop. Under Windows it can be found by right-clicking the Start button, selecting System and looking for the Computer Name.
    • Serial #: The serial number of the computer.
    • Hardware UUID: The Universally Unique Identifier for the computer's hardware.

  • Trusted DNS Servers: Populate this field with DNS servers you know to be trustworthy, generally resolvers inside your established network. If the Roaming client detects these addresses as the active DNS servers it considers itself to be "home" rather than "roaming" and leaves the client's DNS settings pointed at the trusted server. If the device leaves the trusted environment, or is otherwise unable to reach these IP addresses, ThreatSTOP Roaming enables itself according to its security profile. Multiple addresses can be entered with a comma between each entry.
  • Require Admin: Set this to match your security policy. If your users are able to install, adjust and maintain their own programs and have administrative rights to their machines, it is safe to set this to No. If your users are locked down and prevented from installing their own software, set this to Yes, which requires a user with Administrative privileges to make changes to the endpoint client. If this is set to No your users will not be able to enable or disable filtering, nor will they be able to add local whitelist entries.

    Note:

    This setting only affects what the endpoint client displays; it does not affect the data relayed to ThreatSTOP for reporting.

  • Location: Select the country your business is based in.
  • Postal Code: Add the postal code (if available) of your business.
  • Policy: Select the DNS Firewall policy you want to be applied to your Roaming clients. Predefined policies will populate the list by default, and custom lists can also be created for use with Roaming devices.
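The home-versus-roaming decision driven by the Trusted DNS Servers field can be reproduced with a small script, so you can predict what a client will do on a given network before deploying a key. This is an added example, not ThreatSTOP's own code. It assumes that a single match between the active resolvers and the trusted list is enough to count as "home" (the text above does not say whether one or all active resolvers must match), and the addresses in TRUSTED_DNS are constructed placeholders in the same comma-separated format as the portal field.

```shell
#!/usr/bin/env bash
# Added example, not part of ThreatSTOP Roaming: reproduce the "home" vs
# "roaming" decision made from the Trusted DNS Servers setting.
# Assumption: one active resolver matching the trusted list is enough for "home".
# TRUSTED_DNS is a constructed placeholder; replace it with your own resolvers.

TRUSTED_DNS="10.0.0.53, 10.0.1.53"

# Turn "a, b ,c" into one trimmed entry per line, dropping empty entries
# (the portal field is comma-separated and users tend to add spaces).
split_list() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | sed '/^$/d'
}

# The resolvers the OS is currently using, one per line.
# macOS: `scutil --dns` prints "nameserver[N] : <ip>" for each resolver config.
# Other *nix: /etc/resolv.conf. (Windows: Get-DnsClientServerAddress in PowerShell.)
active_resolvers() {
    if command -v scutil >/dev/null 2>&1; then
        scutil --dns | awk '/nameserver\[[0-9]+\]/ {print $3}' | sort -u
    elif [ -r /etc/resolv.conf ]; then
        awk '/^nameserver/ {print $2}' /etc/resolv.conf | sort -u
    fi
}

# Usage: roaming_state "<active resolvers, whitespace-separated>" "<trusted list>"
# Prints "home" (status 0) if any active resolver is in the trusted list,
# otherwise "roaming" (status 1). No active resolvers at all is also "roaming".
roaming_state() {
    local active="$1" trusted="$2" r t
    for r in $active; do
        for t in $(split_list "$trusted"); do
            if [ "$r" = "$t" ]; then
                echo home
                return 0
            fi
        done
    done
    echo roaming
    return 1
}

# Stand-alone use: report what the client should decide on this machine.
if [ "${1:-}" = "--run" ]; then
    roaming_state "$(active_resolvers)" "$TRUSTED_DNS"
fi
```

Run it on a laptop with `bash roaming-check.sh --run` from inside and outside the office to confirm the two states. Because the decision is keyed on resolver IP addresses alone, list only resolver addresses that your own network (or your VPN) hands out; a resolver address that another network could plausibly assign would make the client treat that network as "home".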

Roaming Devices

  1. Log in to the ThreatSTOP Portal.

  2. Click on Roaming Devices.
  3. If you are adding a new device click on + Add Device.
    The Add Device window will appear, you will need to provide the following information:
    1. Nickname: An easily recognizable name for the device being added.
    2. Hardware Identifier: Choose the hardware identification for your clients.
    3. Trusted DNS Servers: Enter one or more IP addresses to DNS servers that you know to be trustworthy. Multiple addresses can be entered with a comma between each entry. 
    4. Require Admin: Set this to match your security policy. If your users have administrative rights to their machine it is safe to set this to No.
    5. Location: Select the country your business is based in. (Optional)
    6. Postal Code: Add the postal code (if available) of your business. (Optional)
    7. Policy: Select the threat policy you want applied to your roaming client group.
  4. Click on Next.
  5. Click on Finish.
    This will add the device to your account, and generate a key which will be used during Roaming Client Setup.
  6. Download the key by clicking on the key icon, and save it to a memorable spot on your hard drive.

    Note:

    ThreatSTOP for Roaming Devices uses DNS Firewall policies which can also be used with the DNS Firewall product. Creation of Custom Policies is covered in DNS Firewall Policy Creation.

Roaming Client Setup

There are two paths to installing Roaming (one for Windows, the other for OS X) and we'll cover them both. The general process is to log in to an account with administrator privileges, download the installer to the system disk, run the installer, apply the license key, and enable Roaming Protection. Let's get started:

Warning:

Version 1.1.0.4 must be manually uninstalled to install 1.1.0.8 or later.


Roaming Protection Install Process - Windows

  1. Login to Windows.
  2. Download the Roaming client from:

  3. Verify the installer's digital signature. To do this:
    1. Right-click the .msi file.
    2. Click Properties.
    3. Click the Digital Signatures tab.
    4. Verify that the following values are met:
      • Name of signer: ThreatSTOP, Inc.
      • Digest algorithm: sha1
      • Timestamp: Will match the Modified date from the General tab.
    5. Select the signature and click Details; the dialog should state that the digital signature is OK. If these values match, click OK. If they do not, or if the Digital Signatures tab is missing altogether (the file is unsigned), do not run the installer; contact ThreatSTOP support for assistance.
  4. Double-click the installer icon.
    The installer will load and escalate to Administrator privileges if needed.
  5. Click Next.
  6. If a User Account Control prompt appears, click Yes to allow the files to be copied into place.
  7. Click Finish.
    Once this is complete you'll be ready to run the Roaming client.
  8. If this is your first time installing ThreatSTOP Roaming right-click the ThreatSTOP Roaming icon and click Run As Administrator.
  9. Click on the Settings tab.
  10. Click on Choose new key file...
  11. Browse to where the license key file was downloaded or saved.
  12. Select the file and click Open.
  13. Click on the switch icon to turn Roaming Protection On.

 

Roaming Protection Install Process - OS X

  1. Log in to OS X.
  2. Download the Roaming client from:

  3. Verify the package matches its digital signature:
    1. Open a Terminal window
    2. Change to the directory to which the package was downloaded.
    3. Run the following command:

      pkgutil --check-signature <pkg file>

    4. This will produce output similar to the following (fingerprint values are omitted here):

      documentation:documentation$ pkgutil --check-signature ThreatSTOP\ Roaming\ Installer\ v1.0.1.8.pkg
      Package "ThreatSTOP Roaming Installer v1.0.1.8.pkg":
         Status: signed by a certificate trusted by Mac OS X
         Certificate Chain:
          1. Developer ID Installer: ThreatSTOP, Inc. (FMB95MXVCJ)
             SHA1 fingerprint:
             -----------------------------------------------------------------------------
          2. Developer ID Certification Authority
             SHA1 fingerprint:
             -----------------------------------------------------------------------------
          3. Apple Root CA
             SHA1 fingerprint:

      The Status line indicates whether OS X trusts the package's signature, and the first Certificate Chain entry, Developer ID Installer: ThreatSTOP, Inc. (FMB95MXVCJ), shows that the package was signed by ThreatSTOP. Check both: a package signed by any other Developer ID would also report a trusted status, so the signer name and the ten-character Team ID in parentheses are what identify the publisher.

  4. Double click the package icon.
  5. Click Continue.
  6. Continue past the software license agreement.
  7. Agree to the software license agreement. 
  8. ThreatSTOP Roaming needs to be installed to the system disk, click Continue.
  9. Click Install.
  10. You will be prompted for Administrator credentials to perform the install, provide the username and password, then click Install.  
    This will begin copying the files to their installation location on your hard drive. Once this is complete you'll be ready to run the Roaming client.
  11. Under Applications in the Finder locate and start the TSRoaming application to begin using ThreatSTOP Roaming on your device.
  12. Click on the Settings tab.
  13. Click on Choose new key file...
  14. Browse to where the license key file was downloaded or saved.
  15. Select the file and click Open.
  16. Click on the switch icon to turn Roaming Protection On.
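Steps 3 through 10 above can be driven from a Terminal, which is useful when you want the signature check to gate the install rather than rely on someone reading the output. The script below is an added example, not ThreatSTOP's tooling: it parses the pkgutil output, accepts the package only if the Status line reports a trusted signature and the leaf certificate is exactly the Developer ID Installer identity shown in step 3, and then runs Apple's installer command. The sample output embedded for testing is constructed from the step 3 listing with fingerprints omitted; newer macOS versions word the Status line differently, and both wordings are accepted. Applying the key file (steps 11 to 16) still happens in the client's Settings tab.

```shell
#!/usr/bin/env bash
# Added example, not part of ThreatSTOP Roaming: gate the package install on
# the signature check from step 3. Assumes the Developer ID string shown there.
set -u

EXPECTED_SIGNER='Developer ID Installer: ThreatSTOP, Inc. (FMB95MXVCJ)'

# Read `pkgutil --check-signature` output on stdin. Succeed only if the Status
# line reports a trusted signature AND chain entry 1 (the leaf) is the expected
# Developer ID identity; the Team ID in parentheses must match exactly.
check_signature_output() {
    local status_ok=0 signer_ok=0 line
    while IFS= read -r line; do
        case "$line" in
            *"Status: signed by a certificate trusted by"*)                status_ok=1 ;;  # older macOS wording
            *"Status: signed by a developer certificate issued by Apple"*) status_ok=1 ;;  # newer wording
            *"Status: "*)                                                  status_ok=0 ;;  # unsigned / untrusted
        esac
        case "$line" in
            *"1. $EXPECTED_SIGNER"*) signer_ok=1 ;;
        esac
    done
    [ "$status_ok" -eq 1 ] && [ "$signer_ok" -eq 1 ]
}

# Constructed sample for offline testing: step 3's listing, fingerprints omitted.
sample_pkgutil_output() {
    cat <<'EOF'
Package "ThreatSTOP Roaming Installer v1.0.1.8.pkg":
   Status: signed by a certificate trusted by Mac OS X
   Certificate Chain:
    1. Developer ID Installer: ThreatSTOP, Inc. (FMB95MXVCJ)
       SHA1 fingerprint: (omitted)
       -----------------------------------------------------------------------------
    2. Developer ID Certification Authority
       SHA1 fingerprint: (omitted)
       -----------------------------------------------------------------------------
    3. Apple Root CA
       SHA1 fingerprint: (omitted)
EOF
}

# Verify a real package, get Gatekeeper's verdict too, then install (same
# outcome as GUI steps 4-10). Usage: verify_and_install "/path/to/installer.pkg"
verify_and_install() {
    local pkg="$1"
    if ! pkgutil --check-signature "$pkg" | check_signature_output; then
        echo "REFUSING to install: $pkg is not signed by $EXPECTED_SIGNER" >&2
        return 1
    fi
    spctl --assess --type install -v "$pkg" || return 1   # Gatekeeper assessment
    sudo installer -pkg "$pkg" -target /
}

if [ "${1:-}" = "--install" ]; then
    verify_and_install "$2"
fi
```

Invoke it as `bash install-roaming.sh --install "ThreatSTOP Roaming Installer v1.0.1.8.pkg"`; the script refuses to call installer unless both the trust status and the exact signer identity check out, and the spctl assessment adds Gatekeeper's own verdict as a second opinion.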

Using the Client

The client maintains a mostly uniform interface between Windows and OS X, the one difference is the location of the menu bar. To keep things concise we'll use screen shots from Windows, but the same options are available to OS X users.

The client will appear in one of two modes:

(Screenshots: Non-privileged client window; Privileged client window)

As can be seen in the screenshots above non-privileged users have the ability to view their License, Device ID, the time their policy was last updated, and view events and actions taken by the client. They also have access to the entries in the menu bar which we'll cover shortly.

Privileged users have full access to the client, can set allow lists, view events, turn the protection on or off, and also have access to the menu.

Menu

The menu contains three entries:

  • TSRoaming: Provides access to the following sub-panels:
    • About TSRoaming: Includes the program copyright notice, website, and support and sales contact information. Additionally, you can click Check for Updates to download and install the latest version of ThreatSTOP Roaming.
    • System Info: Gathers system information relevant to ThreatSTOP support for the diagnoses of issues with the Roaming client. This is then broken down into four sub-windows:
      • Diagnostics: Displays information related to your system properties, operating system, and other relevant diagnostic information for your system.
      • Health Check: Runs checks on device connectivity, activity, and licensing to validate that the Roaming endpoint is able to talk to ThreatSTOP and receive configuration and threat intelligence data.
      • Management Log: Displays a record of the log kept by the ThreatSTOP management service. This service monitors and controls the ThreatSTOP Roaming service daemon and ensures that the daemon is not interrupted in performing its duties.
      • DNSD Log: Displays the logs kept by the ThreatSTOP Roaming service daemon in the course of its duties. Including any connection difficulties and zone propagation issues.
    • Quit: Exits the program.
  • Edit: Provides the basic editing functions found in all office programs.
  • Help: Links back to this help documentation.

Report

The Report tab displays a breakdown of blocked communications over the last seven days as a pie chart.

Each slice of the pie represents the threat level assigned to the blocked destination. In the example, three threat levels (5, 4, 3) were blocked, and the number of attempts at each level is displayed in the middle of the slice.

Events

Events shows the date and time at which a communication attempt to a site was made by the computer. It also denotes the action taken on that attempt based on both the global and local policy settings.

Clicking on the address of individual entries will open a modal containing more information about the threat that was stopped. While not as detailed as the information provided by Check IOC in the web portal, the information here will give you enough of an idea to determine why we blocked a given threat.

Allow List

The Allow List provides the ability for an administrator to provide a local override for records found in the Threat Policy. Domain exceptions require at least a second-level domain. Entries that contain only a top-level domain (TLD) will be rejected.

It should be noted that it is easy to unblock potentially harmful communications with this method.

Note:

Whitelisted domains are simply allowed to pass through; this matches the Pass-Through action shown in Events and in the Portal. At this time the local allow list offers no other filtering actions.
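Because a local exception silently bypasses the Threat Policy, it is worth validating candidate entries before an administrator types them in. The script below is an added example, not ThreatSTOP code: it applies the rule stated above (at least a second-level domain; a bare TLD is rejected) plus ordinary hostname syntax checks, and can vet a whole list at once. The entries in the example run are constructed. Note that the rule as stated counts labels only, so an entry such as co.uk passes (two labels) even though it would exempt an entire registry; whether the client itself rejects public suffixes is not documented here, so vet entries that broad by hand.

```shell
#!/usr/bin/env bash
# Added example, not ThreatSTOP code: pre-validate local Allow List entries
# against the rule above (at least a second-level domain; bare TLD rejected).

# Return 0 if the entry is an acceptable domain exception, 1 otherwise.
# Accepts a trailing dot and mixed case; rejects empty labels, labels that start
# or end with '-', non-hostname characters, and anything with a single label.
valid_allow_entry() {
    local d="$1"
    d=${d%.}                                   # tolerate FQDN form "example.com."
    d=$(printf '%s' "$d" | tr 'A-Z' 'a-z')     # DNS names are case-insensitive
    case "$d" in
        ''|*..*|.*)  return 1 ;;               # empty, empty label, leading dot
        *.*)         ;;                        # two or more labels: keep checking
        *)           return 1 ;;               # single label = TLD only, rejected
    esac
    # Each label: alnum, may contain '-' inside; final label alphabetic, 2+ chars.
    printf '%s\n' "$d" | grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$'
}

# Validate a whole list read from stdin (one entry per line, '#' comments).
# Prints a summary on stdout and each rejected entry on stderr;
# exit status 0 only if nothing was rejected.
check_allow_list() {
    local n=0 bad=0 entry
    while IFS= read -r entry || [ -n "$entry" ]; do
        entry=${entry%%#*}
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')
        [ -z "$entry" ] && continue
        n=$((n + 1))
        valid_allow_entry "$entry" || { echo "rejected: $entry" >&2; bad=$((bad + 1)); }
    done
    echo "$n entries, $bad rejected"
    [ "$bad" -eq 0 ]
}

# Stand-alone use with a constructed list:
#   printf 'example.com\nCOM\n.org\nintranet.corp.example.com\n' | bash allow-check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_allow_list
fi
```

The constructed run above reports "4 entries, 2 rejected", with COM and .org listed on stderr; the two real domains pass.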

Settings

The final pane, available to both privileged and unprivileged users, is the Settings panel. The example shows the full display; fields not available to unprivileged users are marked:

  • Licensed/Device ID: This field provides the ThreatSTOP account number associated with the license, as well as a Device ID.
  • Choose new key file...: Clicking this allows for a new license to be associated with the Roaming client. (Privileged users only)
  • Roaming Protection On/Off: This switch enables or disables ThreatSTOP Roaming protection on the device. When the switch is slid to the right the line next to it will turn green to indicate that protection is active. (Privileged users only)
  • Configuration/Policy Updated: This box displays the last time a change was made to the configuration of the Threat Policy associated with the device, as well as the last time the Threat Policy was updated.

System Tray

(System tray icons: Disabled; Active)

After configuration it is safe to close the ThreatSTOP Roaming window. The program continues to run in the background and protect your system. A system tray icon also appears, showing the blocking status of ThreatSTOP Roaming as illustrated above.

Clicking the icon will re-open the main control window, where right-clicking (or Control-clicking on OS X) will allow the program to be activated/deactivated and other functionality to be used.

Administration

License Keys

After a device is successfully setup a unique license key will be created for a group of endpoints. The key represents the licensed number of endpoint devices. Once the maximum number of endpoint devices is reached, or if multiple policy groups are needed, you will need to purchase one or more additional keys.

After the key is associated it will take up to 30 minutes for the Threat Policy to populate to the Roaming client, after which your device will be protected by your chosen policy.

Automated Installation

For assistance with automated installations please contact ThreatSTOP Support (https://support.threatstop.com/).

Uninstall

Uninstalling the Roaming client is OS dependent. OS X uses a dedicated uninstaller, while Windows relies on the operating system's uninstall routines.

On OS X, use the uninstall program to remove the program as well as the setup and config files. We do not recommend dragging the icon to the trash.

On Windows, uninstall the program through Programs and Features in the Control Panel (or Apps & features in Settings).

Upgrading

Upgrades can normally be run with the current version in place: download the newer version and run the installer again. The exception is version 1.1.0.4, which must be uninstalled manually before installing 1.1.0.8 or later (see the warning under Roaming Client Setup).

User Defined Lists

User defined lists for ThreatSTOP Roaming Devices can be administered through two points:

  • Globally (through the portal)
  • Locally (on the device itself)

End-users will not be able to adjust assigned policies either locally or globally without Administrator rights.

Global (Portal)

Global policy administration is handled through the Roaming Devices section of the ThreatSTOP portal. Established devices are listed here, each with a drop-down menu for selecting the policy that best fits the endpoints using that device's key. Each device may have its own policy. Changing the drop-down to a new policy updates the policy used on all endpoints activated with that device's key.

Local (Roaming Device)

On the endpoint itself the policy may be modified to include a whitelist. This change is not reflected upstream in the portal, and the only way to effect it is for a user with local admin privileges to change the policy when the device is set to Require Admin: Yes in the portal.

Important:

Local whitelists take precedence over block and allow lists downloaded from the Threat Policy.

Reporting

Reports for ThreatSTOP Roaming are covered in Roaming Reporting.

Requirements

Operating System

ThreatSTOP Roaming is compatible with the following Operating Systems:

Hardware

Your device will need to meet or exceed the following hardware requirements:

CPU

  • No requirement beyond the ability to run the parent OS.

Memory

  • Dependent on policy size (estimated at 50 MB per 100,000 entries in the policy)

Disk

  • 300 MB disk space for installation

Connection

  • Openings for the following ports:
    • 53 (TCP/UDP) for DNS data and log transfers
    • 443 (HTTPS) for log upload

Important:

Clients must keep the correct time to within roughly 300 seconds. If the system clock falls outside this window, updates will fail. The simplest way to keep the clock correct, available on all modern operating systems, is to enable Network Time Protocol (NTP) synchronization.
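A quick pre-flight script can confirm the two Connection requirements above (ports reachable, clock within 300 seconds) before you roll the client out to a site. This is an added example, not ThreatSTOP code; the DNS and HTTPS hosts are arguments you supply, since the example does not know ThreatSTOP's actual service endpoints. It probes TCP only (there is no handshake to test on UDP/53, so confirm that separately if a firewall filters by protocol) and, when NTP is unavailable, uses the Date header of an HTTPS response as a reference clock.

```shell
#!/usr/bin/env bash
# Added example, not ThreatSTOP code: pre-flight check for the Connection
# requirements (TCP 53 and 443 reachable, clock within 300 s). Hosts are
# placeholders passed by the caller. UDP/53 is not probed.

MAX_SKEW=300   # seconds, per the requirement above

# Return 0 if two Unix-epoch timestamps differ by at most MAX_SKEW seconds.
skew_ok() {
    local ref="$1" now="$2" diff
    diff=$(( ref - now ))
    [ "$diff" -lt 0 ] && diff=$(( -diff ))
    [ "$diff" -le "$MAX_SKEW" ]
}

# Extract the HTTP Date header from `curl -sI` output (passed as one string)
# and convert it to epoch seconds. Uses GNU date syntax (Linux); on macOS
# replace the last line with: date -j -f '%a, %d %b %Y %T %Z' "$hdr" +%s
date_header_epoch() {
    local hdr
    hdr=$(printf '%s\n' "$1" \
        | awk -F': ' 'tolower($1)=="date" {sub(/\r$/,"",$2); print $2; exit}')
    [ -n "$hdr" ] || return 1
    date -u -d "$hdr" +%s
}

# TCP connect test with a 5 s timeout; nc ships with macOS and most Linux.
tcp_open() {
    nc -z -w 5 "$1" "$2" >/dev/null 2>&1
}

# Usage: preflight <dns-host> <https-host>
preflight() {
    local dns_host="$1" web_host="$2" rc=0 ref
    if tcp_open "$dns_host" 53;  then echo "ok   tcp/53  $dns_host";  else echo "FAIL tcp/53  $dns_host";  rc=1; fi
    if tcp_open "$web_host" 443; then echo "ok   tcp/443 $web_host";  else echo "FAIL tcp/443 $web_host"; rc=1; fi
    ref=$(date_header_epoch "$(curl -sI --max-time 5 "https://$web_host/")" 2>/dev/null) || ref=""
    if [ -n "$ref" ] && skew_ok "$ref" "$(date +%s)"; then
        echo "ok   clock within ${MAX_SKEW}s of $web_host"
    else
        echo "FAIL clock skew over ${MAX_SKEW}s or no reference; enable NTP and retry"; rc=1
    fi
    return $rc
}

if [ "${1:-}" = "--run" ]; then
    preflight "$2" "$3"
fi
```

Run `bash preflight.sh --run <dns-host> <https-host>` from the network in question; a non-zero exit means at least one requirement is not met, and the FAIL lines say which.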

Compatibility Issues

Some minor compatibility issues have been discovered between ThreatSTOP Roaming and the following software:

  • DNSCrypt - DNSCrypt takes control of the operating system's DNS settings and provides its own encrypted resolver interface. This prevents ThreatSTOP Roaming from communicating with ThreatSTOP's servers.
  • OpenVPN Connect (earlier than 2.0) - OpenVPN Connect takes control of the operating system's network stack and points DHCP and DNS resolvers at trusted hosts inside a different network. This overrides ThreatSTOP Roaming's behavior and can create a conflict. To work around this, ThreatSTOP Roaming uses the Trusted DNS Servers setting to decide when to disable itself: add the address of the DNS server that OpenVPN Connect uses, and ThreatSTOP Roaming will turn itself off while the VPN is up, relying instead on the parent network's security services.
  • Hyper-V - Because of the way Hyper-V's Virtual Network Switch interfaces with the parent OS, on systems where Hyper-V is installed ThreatSTOP Roaming can only be used if the Virtual Network Switch is set up in Private or Internal mode.

Important:

If you are running Virtual Machines (VM) on the same box as ThreatSTOP Roaming, you may or may not receive ThreatSTOP protection depending on your VM configuration. VMs using bridged mode networking create their own virtual networking device and will not receive protection from Roaming, VMs with mapped network devices (that is, network devices that communicate through the host system's network stack) will have ThreatSTOP protection.

Security Warning

If you are running hypervisors other than Microsoft's Hyper-V, be advised that your networking configuration could potentially bypass ThreatSTOP roaming. If your VMs are setup in Bridged networking mode they will not receive protection from the roaming client. Setting the network to behave in a NAT mode (passing all communications through the OS network stack rather than the hypervisor network stack) will allow the VM to maintain roaming protection through the parent system.

Troubleshooting

The following section will cover potential issues that may be encountered with ThreatSTOP Roaming, and the possible solutions:

  • No connection to the Internet
    • Verify that your system is connected to the local network. If it is, verify that you can reach an external IP address. To do this:
      1. Load a command line interface
      2. Enter the command ping 8.8.8.8
        This will send data packets to Google's DNS Servers
      3. You should see results similar to the following, if you do not your system is not able to reach the Internet.

        Pinging 8.8.8.8 with 32 bytes of data:
        Reply from 8.8.8.8: bytes=32 time=9ms TTL=58
        Reply from 8.8.8.8: bytes=32 time=9ms TTL=58
        Reply from 8.8.8.8: bytes=32 time=9ms TTL=58
        Reply from 8.8.8.8: bytes=32 time=9ms TTL=58

        Ping statistics for 8.8.8.8:
            Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
        Approximate round trip times in milli-seconds:
            Minimum = 9ms, Maximum = 9ms, Average = 9ms

  • A given web page will not come up:
    • This is likely due to ThreatSTOP Roaming working as intended. If other web pages appear as normal then this is intended behavior. If you believe a web page is being incorrectly blocked, check the results with our Check IOC tool:
      1. Open https://www.threatstop.com and log in
      2. Enter the blocked address in the Check IOC search box
      3. Review the Indicator Of Compromise (IOC) data.
    • If you are positive the site is safe, you can enter the Domain information into the Allow List, this will allow the client to access the site.
  • SmartScreen Warning
    In rare instances some Windows 10 systems have displayed a SmartScreen Warning on app installation. Provided that the digital signature checks out, it is perfectly safe to allow the installation program to run. If you see this screen please contact ThreatSTOP Support (support@threatstop.com). To continue installation:
    1. Click More Info.
      This will present application and publisher info.
    2. Click Run anyway.
      Installation will start as described in Windows Install.
  • Anti-Virus Warnings
    Some anti-virus tools will raise warnings depending on their internal settings. To date the following have been noted during our testing:
    • Norton Anti-Virus: May throw warnings that program is in limited use by Norton's user base.
    • ESET: When set to Paranoid mode, ESET will ask if ThreatSTOP Roaming should be allowed to connect to the Internet.
    It is safe to set exceptions for these warnings, not doing so will prevent ThreatSTOP Roaming from operating as intended.
  • Roaming is enabled but still displays negative test results. That is, bad.threatstop.com still displays when visited.
    • The test page (bad.threatstop.com) was previously visited before Roaming was enabled and your browser has cached the contents. To resolve this:
      1. Make certain Roaming is enabled.
      2. Visit bad.threatstop.com
      3. Force the browser to reload the page from the server (Ctrl+R on Windows, or Cmd+R on macOS).