You need to create resources that a remote client can actually reach while the quarantine packet filters are in place. Examples of such resources include DNS and DHCP servers, so that an IP address and other connection information such as DNS suffixes, DNS server addresses, and the like can be retrieved; file servers, so that the software needed to bring out-of-compliance machines up to date can be downloaded; and Web servers that describe the quarantining process or let a remote user contact IT support by e-mail if any problems occur.
You can specify and use quarantined resources in two ways. The first is to designate certain servers, which can be spread across your network, as the quarantine resources. This lets you use existing machines to host the quarantined resources, but you also have to create an individual packet filter for quarantined sessions for each such machine. For performance and overhead reasons, it's best to limit the number of individual packet filters per session.
If you decide to go this route, you'll need to enable the packet filters shown in the following table:
| Traffic Type | Source Port | Destination Port | Alternatives (instead of specifying port information) |
|---|---|---|---|
| Quarantine Notifier | None | TCP 7250 | None |
| DHCP | UDP 68 | UDP 67 | None |
| DNS | None | UDP 53 | You also can specify the IP address of any DNS server. |
| WINS | None | UDP 137 | You also can specify the IP address of any WINS server. |
| HTTP | None | TCP 80 | You also can specify the IP address of any web server. |
| NetBIOS | None | TCP 139 | You also can specify the IP address of any file server. |
| Direct Hosting | None | TCP 445 | You also can specify the IP address of any file server. |
You also can configure any other packet filters that are particular to your organization.
The other approach is to limit your quarantined resources to a particular IP subnet. This way, you need just one packet filter to quarantine traffic to a remote user, but you might need to readdress machines and, in most cases, take them out of their existing service or buy new ones.
Using this method, the packet filter requirements are much simpler. You need just one filter for notifier traffic to destination TCP port 7250, one for DHCP traffic from source UDP port 68 to destination UDP port 67, and, for all other traffic, one covering the address range of the dedicated quarantine resource subnet. And again, you can configure any other packet filters that are particular to your organization.
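To make the difference between the two layouts concrete, here is an added example (not code from the article, and not a Microsoft tool) that models the quarantine filters as an allow-list and checks which packets a quarantined session could send under each approach. Quarantine filters are allow-only, so anything matching no filter is dropped. All server and client addresses are constructed sample values from the RFC 5737 TEST-NET ranges, and the per-server set applies both the port and a server address for each filter, which is the tighter of the two options the table offers.

```python
"""Model of the two NAQC quarantine filter layouts described above.

Added example, not code from the article or from Microsoft: an allow-list
evaluator showing which packets a quarantined remote-access session could send
under (1) per-server filters and (2) a dedicated quarantine subnet.
Quarantine filters are allow-only; a packet matching no filter is dropped.
All addresses are constructed sample values from the RFC 5737 TEST-NET ranges.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional


@dataclass(frozen=True)
class Filter:
    """One quarantine packet filter. None in a field means 'any'."""
    name: str
    proto: Optional[str]      # "tcp", "udp", or None for any protocol
    src_port: Optional[int]
    dst_port: Optional[int]
    dst_net: Optional[str]    # CIDR string, e.g. "192.0.2.0/24"


@dataclass(frozen=True)
class Packet:
    """Outbound packet from the quarantined client."""
    proto: str
    src_port: int
    dst_ip: str
    dst_port: int


def matches(f: Filter, p: Packet) -> bool:
    """True when every constraint the filter sets is satisfied by the packet."""
    if f.proto is not None and f.proto != p.proto:
        return False
    if f.src_port is not None and f.src_port != p.src_port:
        return False
    if f.dst_port is not None and f.dst_port != p.dst_port:
        return False
    if f.dst_net is not None and ip_address(p.dst_ip) not in ip_network(f.dst_net):
        return False
    return True


def evaluate(filters: Iterable[Filter], p: Packet) -> Optional[str]:
    """Return the name of the first filter that admits the packet, or None (dropped)."""
    for f in filters:
        if matches(f, p):
            return f.name
    return None


# Approach 1: individual servers (constructed addresses). One filter per
# service per machine, so the list grows with every host you designate.
PER_SERVER_FILTERS = [
    Filter("Quarantine Notifier", "tcp", None, 7250, None),
    Filter("DHCP", "udp", 68, 67, None),
    Filter("DNS", "udp", None, 53, "192.0.2.10/32"),
    Filter("WINS", "udp", None, 137, "192.0.2.11/32"),
    Filter("HTTP", "tcp", None, 80, "192.0.2.20/32"),
    Filter("NetBIOS", "tcp", None, 139, "192.0.2.30/32"),
    Filter("Direct Hosting", "tcp", None, 445, "192.0.2.30/32"),
]

# Approach 2: one dedicated quarantine subnet (constructed range). Only the
# notifier and DHCP keep port filters; everything else is admitted by range.
SUBNET_FILTERS = [
    Filter("Quarantine Notifier", "tcp", None, 7250, None),
    Filter("DHCP", "udp", 68, 67, None),
    Filter("Quarantine subnet", None, None, None, "198.51.100.0/24"),
]

# Constructed sample traffic a quarantined client might attempt.
SAMPLE_TRAFFIC = {
    "notifier to RRAS": Packet("tcp", 49152, "203.0.113.1", 7250),
    "dhcp request": Packet("udp", 68, "255.255.255.255", 67),
    "dhcp from wrong source port": Packet("udp", 1234, "255.255.255.255", 67),
    "dns to quarantine dns server": Packet("udp", 49153, "192.0.2.10", 53),
    "dns to other server": Packet("udp", 49153, "203.0.113.53", 53),
    "smb to quarantine file server": Packet("tcp", 49154, "192.0.2.30", 445),
    "smb to domain controller": Packet("tcp", 49155, "203.0.113.10", 445),
    "http inside quarantine subnet": Packet("tcp", 49156, "198.51.100.20", 80),
    "rdp inside quarantine subnet": Packet("tcp", 49157, "198.51.100.20", 3389),
}


def audit(filters: Iterable[Filter]) -> dict:
    """Map each sample packet description to the admitting filter name, or None."""
    fl = list(filters)
    return {desc: evaluate(fl, p) for desc, p in SAMPLE_TRAFFIC.items()}


if __name__ == "__main__":
    for label, fs in (("per-server", PER_SERVER_FILTERS), ("subnet", SUBNET_FILTERS)):
        print(f"== {label}: {len(fs)} filters ==")
        for desc, result in audit(fs).items():
            print(f"{desc:32s} -> {result or 'DROPPED'}")
```

Running the audit shows the trade-off the text describes: the per-server set needs seven filters and admits only the listed services on the listed hosts, while the subnet set needs three but admits any port on any host in the quarantine range (the RDP sample passes). If you choose the subnet layout, treat every host in that range as exposed to unremediated clients and harden it accordingly.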
Step-by-Step Guide to Network Access Quarantine Control
Step 1: Learn how it works
Step 2: Create quarantined resources
Step 3: Write the baselining script
Step 4: Install the listening components
Step 5: Create a quarantined connection profile
Step 6: Distribute the profile to remote users
Step 7: Configure the quarantine policy
ABOUT THE AUTHOR:
Jonathan Hassell is author of Hardening Windows (Apress LP) and is a SearchWindowsSecurity.com site expert. Hassell is a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security.
Copyright 2006 TechTarget