How To

Prevent unsecure devices from joining your network

Use Steampipe to join data from Vanta and Tailscale, enforce your workstation security requirements, and keep insecure devices off your network.

Bob Tordella
7 min. read - Apr 21, 2023

Securing your network in today's dynamic threat landscape is no easy task, especially for small to mid-sized businesses navigating the complexities of remote work. Organizations often deploy workstation monitoring to assess device configurations and rely on a VPN service for safe network access, but there is typically no direct integration between the two that automatically removes insecure devices from the network. With Steampipe, a single query determines which workstations should be removed from the network, improving your security without added complexity.

Auditing your endpoints

In our prior post, Enterprise Concerns with Tailscale, we highlighted that many companies now require endpoints to pass a health check before being able to join the network. Unfortunately, these enterprise-level tools are incredibly expensive and outside the budget range of small to medium-sized businesses.

Enter Steampipe. Using two plugins from the Steampipe Hub, we can show how to report on non-compliant devices and then take action.

With Vanta, we can report on the compliance status of workstations in the organization.

With Tailscale, we can report on the machines that are part of the corporate tailnet.

With Steampipe, we can cross-reference the compliance status of staff workstations in Vanta with the machines that are part of the company's tailnet, and report on systems that do not meet endpoint security requirements.

select
t.hostname,
v.owner_name,
v.os_version,
v.installed_av_programs,
v.has_screen_lock,
v.is_encrypted,
t.last_seen as last_seen_on_tailnet
from
tailscale_device as t
left join
vanta_computer as v
on
v.hostname = t.hostname
order by last_seen_on_tailnet
+-----------------+--------------+-----------------+-----------------------+-----------------+--------------+---------------------------+
| hostname | owner_name | os_version | installed_av_programs | has_screen_lock | is_encrypted | last_seen_on_tailnet |
+-----------------+--------------+-----------------+-----------------------+-----------------+--------------+---------------------------+
| MacBook-Air | Bob Smith | macOS 13.3 | ["Vanta","XProtect"] | true | true | 2022-12-24T07:02:08-05:00 |
| LinuxPop | Terry Jones | Ubuntu 22.04 | <null> | true | false | 2022-12-29T10:08:46-05:00 |
| Macbook-Pro | Chris Farris | macOS 12.6.3 | ["Vanta","XProtect"] | true | true | 2023-02-05T06:12:17-05:00 |
| Jon-Win11 | Jon Udell | Windows 11 Pro | ["MSFT Defender AV"] | true | true | 2023-02-27T10:16:15-05:00 |
| GL-Macmini | George Lee | macOS 12.6.3 | <null> | true | false | 2023-02-27T10:16:15-05:00 |
+-----------------+--------------+-----------------+-----------------------+-----------------+--------------+---------------------------+

Knowing which systems on your tailnet do not comply with company security standards is useful on its own: share the report with your team, assess the results, and then take action. Note that because this is a left join, a device on the tailnet that Vanta does not know about at all still appears in the report, with <null> in every Vanta column; an unmanaged device on the network is itself a finding. If your security posture is to ensure compliance at all times, you can also act on the results automatically. By design, Steampipe does not change your environment. But if you have a RESTful API that can disassociate a node from a tailnet, you can feed Steampipe's results into that API call to remove devices from the tailnet.

The Tailscale API call for that is below. The number in the URL is the device's numeric id (the `id` column of `tailscale_device`), and the API key is passed as the HTTP basic-auth username with an empty password, hence the trailing colon:

curl -X DELETE 'https://api.tailscale.com/api/v2/device/12345' \
-u "tskey-api-xxxxx:"

To automate the removal of non-compliant nodes from your environment, run a simple script that iterates through the results from Steampipe.

First, the ts-query.sql file. The where clause matches devices that report no antivirus program and, because of the left join, devices that have no Vanta record at all:

-- Machine ids of tailnet devices that fail the AV check.
-- installed_av_programs is also null for devices Vanta does not know about,
-- so unmanaged devices on the tailnet are selected too.
select
  t.id as machine_id
from
  tailscale_device as t
  left join vanta_computer as v on v.hostname = t.hostname
where
  v.installed_av_programs is null

And the script to run Steampipe and call the Tailscale API:

#!/bin/bash
# Dry run: the leading `echo` prints each DELETE instead of sending it.
# Remove that `echo` (and supply a real API key) to actually remove nodes.
# `tail -n +2` skips the CSV header row.
for machine_id in $(steampipe query ts-query.sql --output csv | tail -n +2) ; do
  echo "Removing Node $machine_id"
  echo curl -X DELETE "https://api.tailscale.com/api/v2/device/$machine_id" -u "tskey-api-xxxxx:"
done
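A hardened version of the same automation, written for this page as an added example; it is not the original post's script and not Steampipe's, Vanta's or Tailscale's own code. It bundles a stricter compliance query (flagging missing antivirus, missing disk encryption, missing screen lock, and tailnet devices with no Vanta record at all) with a removal loop that validates each machine id before it is placed in a URL, reads the API key from an assumed TAILSCALE_API_KEY environment variable instead of hard-coding it, and runs in dry-run mode unless DRY_RUN=0. The embedded CSV is a constructed stand-in for `steampipe query ts-query.sql --output csv` output with made-up device ids, so `demo` mode runs offline; `run` mode, which invokes steampipe and curl, is assumed to be used against a real tailnet.

```shell
#!/usr/bin/env bash
# Added example, not the original post's script. Safer removal loop:
#  - stricter compliance query: no AV, no disk encryption, no screen lock,
#    or no Vanta record at all (the left join yields NULL for those devices)
#  - machine ids are checked to be numeric before they go into a URL
#  - the API key comes from $TAILSCALE_API_KEY (assumed name), not the script
#  - dry run by default: set DRY_RUN=0 to actually send the DELETE
set -eu

# Write the compliance query to the file given as $1 (same tables and
# columns as the post's query, plus a reason column for the report).
write_query() {
  cat > "$1" <<'SQL'
select
  t.id as machine_id,
  t.hostname,
  case
    when v.hostname is null then 'not enrolled in Vanta'
    when v.installed_av_programs is null then 'no antivirus'
    when not v.is_encrypted then 'disk not encrypted'
    when not v.has_screen_lock then 'no screen lock'
  end as reason
from
  tailscale_device as t
  left join vanta_computer as v on v.hostname = t.hostname
where
  v.hostname is null
  or v.installed_av_programs is null
  or not v.is_encrypted
  or not v.has_screen_lock
order by t.hostname
SQL
}

# Constructed stand-in for `steampipe query ts-query.sql --output csv`;
# the device ids are made up.
sample_csv() {
  cat <<'CSV'
machine_id,hostname,reason
100000000000001,GL-Macmini,no antivirus
100000000000002,LinuxPop,no antivirus
100000000000003,rogue-laptop,not enrolled in Vanta
CSV
}

# Tailscale device ids are numeric; anything else (an error line from
# steampipe, a hostname, shell metacharacters) is refused.
valid_machine_id() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Remove one device, or print the command when DRY_RUN is 1 (the default).
remove_device() {
  id="$1"
  valid_machine_id "$id" || { echo "skipping invalid machine id: $id" >&2; return 1; }
  if [ "${DRY_RUN:-1}" = "1" ]; then
    echo "DRY RUN: curl -X DELETE https://api.tailscale.com/api/v2/device/$id"
  else
    : "${TAILSCALE_API_KEY:?set TAILSCALE_API_KEY to a tskey-api-... key}"
    curl -fsS -X DELETE "https://api.tailscale.com/api/v2/device/$id" \
      -u "${TAILSCALE_API_KEY}:"
  fi
}

# Read the query's CSV on stdin, skip the header, act on each row.
# Rows whose id fails validation are logged and skipped, not fatal.
process_results() {
  tail -n +2 | while IFS=, read -r id hostname reason; do
    echo "removing $hostname ($id): $reason" >&2
    remove_device "$id" || true
  done
}

case "${1:-}" in
  demo) sample_csv | process_results ;;
  run)  write_query ts-query.sql
        steampipe query ts-query.sql --output csv | process_results ;;
esac
```

Run it with `demo` to see the dry-run output offline; `run` writes ts-query.sql, queries Steampipe, and only with DRY_RUN=0 and TAILSCALE_API_KEY set does it issue real DELETE requests. One caveat that applies to the post's query as well: the join is on hostname, which a device's owner controls, so a machine named to match a compliant Vanta record would pass the check; treat the report as a compliance signal rather than a strong identity check.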

Conclusion

The techniques we've shown here are just examples of how you can enhance your network security. There are countless opportunities for you to build your own queries and controls for your organization. We welcome you to share your use cases with our community!