ETH Windows Meeting, 3 October 2006
VPN with Network Access Quarantine Control
Dr. P. Fritz, Institute for Geotechnical Engineering (IGT), Swiss Federal Institute of Technology (ETH-Z)

Motivation
Existing security landscape: Nessus, GPO, NTLMv2, MOM, MSBSA, HFNetChk, WSUS, AntiSpam, AntiVirus, PestPatrol, Kerberos, password policy, CAs, IPSec, SSL/TLS, Domain Isolation
(three further Motivation slides: diagrams only)

Motivation: Security Policies for VPN
A conventional remote access (RA) policy covers
• Authentication (MS-CHAPv2, Kerberos, …)
• Authorization (RA policies)
• Tunnel protocol (L2TP, …)
• Data encryption (IPSec, …)
What it does not cover: Client Health. A fully authenticated, encrypted tunnel still admits whatever state the remote machine is in.

Motivation: VPN Client Health
• OS patches installed
• Virus definitions current
• …
• Routing not enabled (a client that routes, e.g. via Internet Connection Sharing, bridges its home network into the LAN through the tunnel)
• …
→ Client health is checked and assured by Network Access Quarantine Control (NAQC). The quarantine control itself runs on the client.

Agenda: Network Access Quarantine Control (NAQC)
1. Motivation for NAQC
2. Components
3. How NAQC works
4. Deployment
5. Configuration (dialer, RA policy)
6. Requirement scripts
7. Conclusion

Components
• Conventional remote access via VPN (diagram)
• NAQC remote access (diagram); NAQC = Network Access Quarantine Control

How NAQC works
(diagram) The sequence behind the diagram: the client authenticates as usual, but the RA server then applies the quarantine packet filter and starts the quarantine timer. The dialer runs the requirement script on the client; if the checks pass, RQC.EXE reports the script signature to the listener on the RA server, which removes the quarantine filter. If no valid report arrives before the timer expires, the connection is dropped.

Deploying NAQC
1. Define quarantine resources (DHCP, …)
2. Create the network policy requirements client script
3. Create a dialer (CM Quarantine Profile) with CMAK
4. Configure the quarantine RA policy on the server
5. Run the listener on the RA server
6. Distribute and run the dialer

Creating a VPN Dialer = Connection Manager Quarantine Profile
• Download and install Microsoft's Connection Manager Administration Kit (CMAK)
• Run CMAK to create the dialer → trivial, so skip it
(slides 14-18: CMAK screenshots)
Configuring an RA Policy
Done in the Routing and Remote Access (RRAS) management console → trivial, so skip it. Three policies are created:
1st policy: connection to RA server without quarantine check
2nd policy: connection to RA server with quarantine check; edit
  • NAS-Port-Type
  • MS-Quarantine-IPFilter (the packet filter applied while the client is in quarantine, i.e. which quarantine resources it may reach)
  • MS-Quarantine-Session-Timeout (how long a client may stay in quarantine before RRAS drops the connection)
3rd policy: deny connection to RA server
(screenshots of the policy dialogs)

Network Policy Requirements Script
• The script is called by the dialer on the client PC
• The script has two duties:
  1. check client health, and
  2. inform the server of the result
Shortest script possible (a 1-line batch file):

    %1\RQC.EXE /conn %2 /domain %3 /user %4 /sig ValidationOK

The client is configured to call the script with the parameters %ServiceDir% %ServiceName% %Domain% %UserName%, so %1 is the folder the CM profile was installed to, %2 the connection name, %3 the domain and %4 the user name. Note that this one-liner checks nothing: it reports success for every client and only proves that the dialer ran the script. The /sig value is the script version string that the listener on the RA server must be configured to accept.

General Script Structure

    REM Network policy compliance tests
    REM Set CHECKED to 1 if the tests pass.
    Set CHECKED=1

    REM insert code here for checking health
    Call check1.cmd
    IF ERRORLEVEL 1 Set CHECKED=0
    REM add code for additional checks

    REM Based on the test results, run RQC.EXE
    REM (7250 is the default TCP port of the RQS.EXE listener on the RA server)
    IF "%CHECKED%" == "0" GOTO TESTFAIL
    %1\RQC.EXE /conn %2 /port 7250 /domain %3 /user %4 /sig CheckOK
    ECHO Successfully passed network compliance tests.
    GOTO EXIT_SCRIPT

    :TESTFAIL
    ECHO Error: network compliance tests failed.

    :EXIT_SCRIPT

Excerpt: VBScript for the OS version

    ' Reads caption, version and service pack level of the local OS via WMI
    Option Explicit
    Dim strComputer, objWMI, colItems, objItem
    Dim strOsCaption, strOsVersion, nSpMajor, nSpMinor
    strComputer = "."
    Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    Set colItems = objWMI.ExecQuery("Select * from Win32_OperatingSystem")
    For Each objItem In colItems
        strOsCaption = objItem.Caption
        strOsVersion = objItem.Version          ' e.g. 5.1.2600
        nSpMajor = Int(objItem.ServicePackMajorVersion)
        nSpMinor = Int(objItem.ServicePackMinorVersion)
    Next
    WScript.Echo strOsCaption & " " & strOsVersion & " SP" & nSpMajor & "." & nSpMinor
    ' The comparison against the required level, and the WScript.Quit exit code
    ' that the batch wrapper tests with IF ERRORLEVEL, follow in the full script.

Compliance Tests
• OS version?
• Latest patches installed?
• Virus scanner with latest signature files?
• Firewall enabled on all interfaces?
• Internet Connection Sharing disabled?
• Sufficient password strength enforced?
• Screen saver enabled and password protected?
• …

Special Problems
• Virus scanner with latest signature files?
• Firewall enabled on all interfaces?
→ How to check all antivirus programs and their signature files? Use the XP Security Center WMI namespace \root\SecurityCenter, where products that integrate with Security Center register their state.

Scripts to Download
• From Microsoft TechNet: http://www.microsoft.com/technet/security/prodtech/windowsserver2003/quarantineservices/vppgappa.mspx
  Disadvantage: they don't work
• From the IGT website: http://www.igt.ethz.ch/?event=130

Conclusions: VPN with Network Access Quarantine Control, the Client Side
(slides 34-36: screenshots of the client-side dialer)

Conclusions: VPN with Network Access Quarantine Control (NAQC)
• Delays normal remote access to a LAN until client health has been examined.
• For RA connections only (VPN and dial-up).
• Target: remote computers, e.g. at home.
Advantage: simplicity
Disadvantage: limitations. The check runs on the client and the server only sees the signature string RQC.EXE sends, so a user who controls the client can skip the tests and send it anyway. NAQC keeps careless but cooperative clients out of the LAN until they are healthy; it is not a defence against a deliberately hostile client.

VPN with NAQC, Dr. P. Fritz
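Worked example for the compliance tests and the Security Center namespace from the "Compliance Tests" and "Special Problems" slides. This is an added example written for this page; it is neither one of the slides' scripts nor one of the IGT or TechNet downloads. It checks three of the listed items (OS version, antivirus state, firewall state) and ends with an exit code the batch wrapper can test with IF ERRORLEVEL. The file name check_health.vbs and the requirement "Windows XP with at least service pack MIN_SP" are assumed example values; the class and property names are those of the XP SP2 root\SecurityCenter namespace (Vista and later use root\SecurityCenter2 with a different schema).

```vbscript
' check_health.vbs  (added example, not from the slides)
' Exit code 0 = all compliance tests passed, 1 = at least one failed.
' Call from the requirements script as:
'     cscript //nologo check_health.vbs
'     IF ERRORLEVEL 1 Set CHECKED=0
Option Explicit

' Assumed requirement (example value): Windows XP with at least this service pack
Const MIN_SP = 2

Dim objWMI, objSC, objFwMgr, colItems, objItem
Dim nFailures : nFailures = 0
Dim bAvOk, bFwOk

' --- 1. OS version and service pack (root\cimv2) -------------------------
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Set colItems = objWMI.ExecQuery("Select Version, ServicePackMajorVersion From Win32_OperatingSystem")
For Each objItem In colItems
    ' Version is e.g. "5.1.2600" for Windows XP
    If Left(objItem.Version, 4) <> "5.1." Or Int(objItem.ServicePackMajorVersion) < MIN_SP Then
        WScript.Echo "FAIL: OS " & objItem.Version & " SP" & objItem.ServicePackMajorVersion & " is below the required level"
        nFailures = nFailures + 1
    End If
Next

' --- 2. Security Center namespace (root\SecurityCenter, XP SP2 only) -----
' A missing namespace means this is not XP SP2, so the check fails closed
' instead of being skipped.
On Error Resume Next
Set objSC = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter")
If Err.Number <> 0 Then
    WScript.Echo "FAIL: root\SecurityCenter not available (not Windows XP SP2?)"
    WScript.Quit 1
End If
On Error GoTo 0

' Antivirus: at least one registered product must be up to date AND scanning
' on access. An installed but stale product does not count.
bAvOk = False
Set colItems = objSC.ExecQuery("Select * From AntiVirusProduct")
For Each objItem In colItems
    If objItem.productUptoDate And objItem.onAccessScanningEnabled Then bAvOk = True
Next
If Not bAvOk Then
    WScript.Echo "FAIL: no antivirus product that is up to date with on-access scanning enabled"
    nFailures = nFailures + 1
End If

' --- 3. Firewall ----------------------------------------------------------
' The built-in Windows Firewall is read through the HNetCfg.FwMgr COM object
' (profile-level switch); third-party firewalls register as FirewallProduct
' instances in Security Center. Either one being enabled passes the test.
bFwOk = False
Set objFwMgr = CreateObject("HNetCfg.FwMgr")
If objFwMgr.LocalPolicy.CurrentProfile.FirewallEnabled Then bFwOk = True
Set colItems = objSC.ExecQuery("Select * From FirewallProduct")
For Each objItem In colItems
    If objItem.enabled Then bFwOk = True
Next
If Not bFwOk Then
    WScript.Echo "FAIL: neither Windows Firewall nor a registered third-party firewall is enabled"
    nFailures = nFailures + 1
End If

' --- Result ---------------------------------------------------------------
If nFailures > 0 Then
    WScript.Echo nFailures & " compliance test(s) failed"
    WScript.Quit 1
End If
WScript.Echo "All compliance tests passed"
WScript.Quit 0
```

Each failed test is echoed before the script exits, so a user stuck in quarantine can see from the dialer's script window which item to fix. The script exits with 1 on the first structural problem (no Security Center namespace) but otherwise runs all tests before deciding, which keeps the output useful when several items are wrong at once.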