Most security professionals find that remote access clients represent one of the weakest parts of any enterprise network. Despite the modern convenience of remote connectivity across a seemingly endless supply of fast broadband connections, enforcing minimum corporate standards that include technologies such as antivirus software and personal firewalls isn't easy. Even in well-managed networks with centralized administration, remote users who use their personal PCs to connect to the office often aren't subject to the corporate security standards designed to protect crucial corporate assets. Hence, the remote Access Points (APs) tend to be the culprit when new viruses hit the network.
Companies often address these problems by issuing a company policy that requires antivirus software and personal firewalls for any machine used to connect to the network. But a policy without a basic means of enforcement and subsequent consequences for violations is rarely successful.
To solve this problem, remote access vendors such as Check Point Software Technologies and Cisco Systems have begun to offer products that make sure remote clients meet minimal requirements before letting the clients connect to the corporate network. Microsoft now offers similar functionality in Windows Server 2003. Using Windows 2003's Network Access Quarantine Control feature, you can quarantine remote access clients while a customized script runs on the remote client. This script can include a variety of queries. For example, the script might check the client for the existence of a certain file, antivirus software, or an Internet Connection Firewall (ICF).
You can use the Network Access Quarantine Control feature with Windows 2003, Windows XP, Windows 2000, Windows Me, and Windows 98 Second Edition (Win98SE). To take advantage of the Network Access Quarantine Control feature, you must use Windows 2003's Connection Manager Administration Kit (CMAK) to create a special connection profile that contains the script you want to run on the remote clients.
Before I show you how to set up a quarantine, let's look at the RRAS quarantine environment. Figure 1 shows a sample network diagram. Both the IAS1 and VPN1 servers are running Windows 2003. IAS1 is a domain controller (DC) that's already running the Internet Authentication Service (IAS). VPN1 is a VPN server. You must configure the VPN server to use Remote Authentication Dial-In User Service (RADIUS) and not domain credentials to authenticate users.
In Figure 1, notice the existence of two networks. The 172.16.0.x network is the intranet, and the 10.0.0.x network connects to the Internet. The test client is running XP and is a remote client that connects through the Internet. To expedite the testing process of the quarantine feature, you should set up your test network similar to this diagram. For detailed instructions about how to set up such a test network, see the Microsoft article "Step-by-Step Guide for Setting Up VPN-Based Remote Access in a Test
Lab" (http://www.microsoft.com/technet/prodtechnol/windowsserver2003/deploy/confeat/rmotevpn.asp).
Note that in the network numbering used in this test setup, test networks are set aside as part of Internet Engineering Task Force (IETF) Request for Comments (RFC) 1918, which calls for allocating certain IPv4 address space for private networks. These networks might or might not already be a part of your existing network, so be sure to perform your tests in a lab that's isolated from your production resources. If you decide to move your test setup into production, you'll have to renumber one or both networks in your quarantine test setup to support the address space already assigned by your ISP and your existing intranet.
How the Quarantine Works
The new quarantine feature depends on CMAK, which has the ability to run scripts before or after dialing or connecting. After creating a Connection Manager profile, you'll have a single distributable .exe file that allows the distribution of the necessary script, optional phone books for dialing, and other associated files you need to enforce the quarantine function. The quarantine script uses the Remote Access Quarantine Client utility (rqc.exe), which is a Microsoft Windows Server 2003 Resource Kit tool.
When a new client attempts to connect to a VPN server that's running RRAS and has the Network Access Quarantine Control feature enabled, the VPN server (VPN1 in Figure 1) passes the user-provided credentials received from the remote client to the IAS server (IAS1 in Figure 1) for authentication. The credentials take the form of RADIUS Access-Request messages. The IAS server validates the credentials against the associated remote access policy. The remote access policy specifies which users can log on, when they can log on, and the connection types to allow. In addition, a remote access policy can require a client to be quarantined until a quarantine script successfully executes on the client.
When a remote access policy requires the quarantine of clients, the IAS server uses two RADIUS attributes to create the quarantine: MS-Quarantine-IPFilter, which defines the IP restrictions to be applied to the clients in quarantine, and MS-Quarantine-Session-Timeout, which limits the time that a client spends in quarantine.
After the quarantine script runs successfully, rqc.exe returns a message to the VPN server, which executes a listener component called Remote Access Quarantine Agent (rqs.exe). After rqs.exe verifies that the message is from rqc.exe, rqs.exe makes sure that the quarantine script executed successfully and that the client met all the requirements. If the script ran successfully and the client met the requirements, the RAS server lifts the quarantine and the user has access to the resources that the remote access policy defines. If the client fails to meet the requirements, the client remains in quarantine until either the user disconnects the client or the time specified by the MS-Quarantine-Session-Timeout attribute elapses, in which case the VPN server drops the client.
You need to make special resources available to clients that fail to meet your requirements. When deciding which resources to make available, consider whether you want to give these clients a simple Web page that explains why they're in quarantine and what corrective actions users can take to remedy the problems. If you require remote clients to have antivirus software and clients are in quarantine because they don't have it, consider making the antivirus installation software (or its updates) available to them. Your corporate security policy and licensing will guide you through making such decisions.
Setting Up the Quarantine
Setting up a quarantine for the first time is a four-stage process. First, you need to install rqs.exe on the VPN server. Second, you need to obtain the quarantine script for the clients to execute. Third, you need to use CMAK to create a Connection Manager (CM) profile. Finally, you need to set a remote access policy on your IAS server.
Previous
Register
