Step-by-Step Guide

Step 2: Create quarantined resources

You need to set up resources that a remote client can still reach while the quarantine packet filters are in place. Examples of such resources include DNS and DHCP servers, so that an IP address and other connection information (suffix addresses, DNS server addresses and the like) can be retrieved; file servers from which out-of-compliance machines can download the software needed to bring them up to date; and Web servers that describe the quarantining process or let a remote user contact IT support by e-mail if problems occur.

You can specify and use quarantined resources in two ways. The first is to designate certain servers, which can be spread across your network, as the quarantine resources. This lets you host the quarantined resources on existing machines, but you also have to create an individual packet filter for quarantined sessions for each such machine. For performance and overhead reasons, it's best to limit the number of individual packet filters applied to a session.

If you decide to go this route, you'll need to enable the packet filters shown in the following table:

Table 1. Packet filters for distributed quarantine resources

Traffic Type        | Source Port | Destination Port | Alternatives (instead of specifying port information)
Quarantine Notifier | None        | TCP 7250         | None
DHCP                | UDP 68      | UDP 67           | None
DNS                 | None        | UDP 53           | You also can specify the IP address of any DNS server.
WINS                | None        | UDP 137          | You also can specify the IP address of any WINS server.
HTTP                | None        | TCP 80           | You also can specify the IP address of any Web server.
NetBIOS             | None        | TCP 139          | You also can specify the IP address of any file server.
Direct Hosting      | None        | TCP 445          | You also can specify the IP address of any file server.

You also can configure any other packet filters that are particular to your organization.

The other approach is to limit your quarantined resources to a particular IP subnet. This way, you need just one packet filter to quarantine traffic to a remote user, but you might need to readdress machines and, in most cases, take them out of their existing service or buy new ones.

Using this method, the packet filter requirements are much simpler. You just need to open one filter for notifier traffic on destination TCP port 7250, one for DHCP traffic on source UDP port 68 and destination UDP port 67, and, for all other traffic, one for the address range of the dedicated quarantine resource subnet. And again, you can configure any other packet filters that are particular to your organization.
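To make the difference between the two layouts concrete, here is an added example (not code from the article or from Windows RRAS) that models both filter sets as permit rules and evaluates sample packets from a quarantined client against them with default-deny semantics. The server addresses and the quarantine subnet are constructed for illustration, and the model ignores RRAS specifics such as how the filters are attached to a remote access policy; it only shows which traffic each layout lets through and why the subnet layout needs fewer rules.

```python
"""Model of the quarantine packet-filter layouts from Table 1 and the
dedicated-subnet alternative. Everything here is an illustrative model;
the IP addresses and subnet below are constructed sample values."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    dst_ip: str     # destination the quarantined client is trying to reach
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Filter:
    """One 'permit' rule. A field left as None matches anything."""
    name: str
    proto: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    dst_net: Optional[IPv4Network] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or pkt.proto == self.proto)
                and (self.src_port is None or pkt.src_port == self.src_port)
                and (self.dst_port is None or pkt.dst_port == self.dst_port)
                and (self.dst_net is None
                     or ip_address(pkt.dst_ip) in self.dst_net))


# The two filters both layouts need: the quarantine notifier listener on
# TCP 7250 and DHCP (client source UDP 68 to server destination UDP 67).
NOTIFIER = Filter("Quarantine Notifier", proto="tcp", dst_port=7250)
DHCP = Filter("DHCP", proto="udp", src_port=68, dst_port=67)


def _host(ip: Optional[str]) -> Optional[IPv4Network]:
    """Turn an optional server address into a /32 so a row can be pinned
    to one server, as Table 1's 'Alternatives' column allows."""
    return ip_network(f"{ip}/32") if ip else None


def distributed_filters(dns_ip: Optional[str] = None, wins_ip: Optional[str] = None,
                        web_ip: Optional[str] = None, file_ip: Optional[str] = None
                        ) -> List[Filter]:
    """Table 1 layout: one port filter per service. Leaving an IP argument
    as None keeps the row purely port-based, so any host on that port is
    reachable; supplying one restricts the row to that server."""
    return [
        NOTIFIER, DHCP,
        Filter("DNS", proto="udp", dst_port=53, dst_net=_host(dns_ip)),
        Filter("WINS", proto="udp", dst_port=137, dst_net=_host(wins_ip)),
        Filter("HTTP", proto="tcp", dst_port=80, dst_net=_host(web_ip)),
        Filter("NetBIOS", proto="tcp", dst_port=139, dst_net=_host(file_ip)),
        Filter("Direct Hosting", proto="tcp", dst_port=445, dst_net=_host(file_ip)),
    ]


def subnet_filters(quarantine_subnet: str) -> List[Filter]:
    """Dedicated-subnet layout: notifier, DHCP and one catch-all permitting
    any protocol and port, but only to the quarantine resource subnet."""
    return [NOTIFIER, DHCP,
            Filter("Quarantine subnet", dst_net=ip_network(quarantine_subnet))]


def permitted(filters: List[Filter], pkt: Packet) -> Optional[str]:
    """Default deny: return the name of the first filter that permits the
    packet, or None when nothing does."""
    for f in filters:
        if f.matches(pkt):
            return f.name
    return None


if __name__ == "__main__":
    # Constructed sample addresses: a pinned DNS server and file server.
    dist = distributed_filters(dns_ip="10.0.0.10", file_ip="10.0.0.50")
    sub = subnet_filters("192.168.250.0/24")
    samples = [
        Packet("udp", "10.0.0.10", 51000, 53),    # DNS to the listed server
        Packet("udp", "10.0.0.11", 51000, 53),    # DNS to some other host
        Packet("tcp", "10.0.0.50", 51001, 445),   # SMB to the listed file server
        Packet("tcp", "10.0.0.200", 51002, 3389), # RDP: not a quarantine resource
        Packet("tcp", "192.168.250.7", 51003, 445),  # SMB inside quarantine subnet
    ]
    for p in samples:
        print(f"{p.proto}/{p.dst_port} -> {p.dst_ip}: "
              f"distributed={permitted(dist, p)} subnet={permitted(sub, p)}")
    print(f"rule count: distributed={len(dist)} subnet={len(sub)}")
```

Note that in the distributed layout a row left port-based (HTTP above) admits TCP 80 to any host, which is why the article recommends pinning rows to specific servers or moving the resources onto one subnet: the subnet layout reaches the same result with three rules and no per-server filter to maintain.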

ABOUT THE AUTHOR:
Jonathan Hassell is author of Hardening Windows (Apress LP) and is a SearchWindowsSecurity.com site expert. Hassell is a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security.
Copyright 2006 TechTarget

This was first published in January 2006
