
VPN with Network Access Quarantine Control

ETH Windows Meeting, 3 October 2006

Dr. P. Fritz, Institute for Geotechnical Engineering IGT

Swiss Federal Institute of Technology ETH-Z

Motivation

High security standard in the LAN, with: Nessus, HFNetChk, WSUS, AntiVirus, AntiSpam, PestPatrol, NTLMv2, Kerberos, IPSec, GPO, SSL/TLS, CAs, Domain Isolation, Password Policy, MOM, MS BSA!

High security at the perimeter!

Neglected security for VPN!

Security Policies for VPN

Authentication (MS-CHAPv2, Kerberos, …)

Authorization (RA policies)

Tunnel Protocol (L2TP, …)

Data Encryption (IPSec, …)

Client Health (the item usually missing from the list)

Motivation: VPN Client Health

OS patches? Virus definitions? … Routing enabled? …

Health checked and assured by Network Access Quarantine Control (NAQC): quarantine control on the client.

Agenda: Network Access Quarantine Control (NAQC)

1. Motivation for NAQC
2. Components
3. How NAQC works
4. Deployment
5. Configuration (dialer, RA policy)
6. Requirement Scripts
7. Conclusion

Components: Conventional Remote Access via VPN (diagram)

Components: NAQC Remote Access (diagram)

NAQC = Network Access Quarantine Control

How NAQC works (diagram)

Deploying NAQC

1.Define Quarantine Resources (DHCP, …)

2.Create Network Policy Requirements Client Script

3.Create a dialer (CM Quarantine Profile) with CMAK

4.Configure Quarantine RA Policy on Server

5.Run Listener on RA Server

6.Distribute and run the Dialer

Creating a VPN Dialer (= Connection Manager Quarantine Profile)

→ trivial, so skip it

• Download and install MS’s Connection Manager Administration Kit (CMAK)

• Run CMAK to create the Dialer

Creating a VPN Dialer: CMAK wizard screenshots (slides 15–19, not reproduced)

Configuring an RA Policy

using the RRAS Management Console

→ trivial, so skip it

1st Policy: Connection to RA server without Quarantine Check

2nd Policy: Connection to RA server with Quarantine Check

• Edit NAS-Port-Type

• Edit MS-Quarantine-IPFilter (the packet filters that apply to the connection while the client is in quarantine)

• Edit MS-Quarantine-Session-Timeout (how long the client may stay in quarantine before it is disconnected)

3rd Policy: Deny Connection to RA server

RRAS evaluates remote access policies from the top and applies the first one whose conditions match, so the order of the three policies matters.

Network Policy Requirements Script

• Script is called by the Dialer on the Client PC

• Script has two duties:

1. check Client Health, and
2. inform the Server of the result

Client configured to be called with the parameters %ServiceDir% %ServiceName% %Domain% %UserName%

Shortest script possible (a 1-line batch file; it checks nothing and always reports success):

    %1\RQC.EXE /conn %2 /domain %3 /user %4 /sig ValidationOK

Network Policy Requirements Script: General Script Structure

    REM Network policy compliance tests
    REM Set CHECKED to 1 if the tests pass.
    Set CHECKED=1
    REM insert code here for checking health
    Call check1.cmd
    IF ERRORLEVEL 1 Set CHECKED=0
    REM add code for additional checks
    REM Based on the test results, run RQC.EXE
    IF "%CHECKED%" == "0" GOTO TESTFAIL
    %1\RQC.EXE /conn %2 /port 7250 /domain %3 /user %4 /sig CheckOK
    ECHO Successfully passed network compliance tests.
    GOTO EXIT_SCRIPT
    :TESTFAIL
    ECHO Error: network compliance tests failed.
    :EXIT_SCRIPT

Network Policy Requirements Script: Excerpt of a VBS script for the OS version

    strComputer = "."
    Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    Set colItems = objWMI.ExecQuery("Select * from Win32_OperatingSystem")
    For Each objItem In colItems
        strOsCaption = objItem.Caption
        strOsVersion = objItem.Version             ' e.g. 5.1.2600
        nSpMajor = Int(objItem.ServicePackMajorVersion)
        nSpMinor = Int(objItem.ServicePackMinorVersion)
    Next

Network Policy Requirements Script: Compliance Tests

• OS version?

• latest Patches installed?

• Virus Scanner with latest signature files?

• Firewall enabled on all interfaces?

• Internet Connection Sharing disabled?

• sufficient Password Strength enabled?

• Screen Saver enabled and Password protected?

• ………

Network Policy Requirements Script: Special Problems with Compliance Tests

• Virus Scanner with latest signature files?

• Firewall enabled on all interfaces?

How to check every anti-virus program and its signature files? → XP Security Center, WMI namespace \root\SecurityCenter
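The checks asked for on the last few slides (OS version and service pack, anti-virus with current signatures via \root\SecurityCenter, firewall, routing) written as one check script that the batch wrapper above can call in place of check1.cmd. This is an added example, not code from the original slides, from Microsoft's TechNet scripts or from the IGT site. It assumes a Windows XP SP2 client: the root\SecurityCenter namespace with its AntiVirusProduct class and the HNetCfg.FwMgr COM object exist from XP SP2 on (Vista and later moved Security Center data to root\SecurityCenter2 with a different schema). The file name check_health.vbs and the required OS version and service pack are placeholders.

```vbscript
' check_health.vbs -- added example, not from the original slides.
' Compliance checks for an NAQC requirements script. The batch wrapper runs
'   cscript //nologo check_health.vbs
'   IF ERRORLEVEL 1 Set CHECKED=0
' and the exit code is the number of failed checks.
' Assumed, not stated on the slides: Windows XP SP2 client (root\SecurityCenter
' and HNetCfg.FwMgr exist from XP SP2; Vista+ use root\SecurityCenter2 instead);
' the required OS version and service pack below are placeholder policy values.
Option Explicit

Const REQUIRED_OS_VERSION = "5.1.2600"   ' Windows XP (placeholder policy value)
Const REQUIRED_SP_MAJOR   = 2            ' at least SP2 (placeholder policy value)
Const ROUTING_KEY = "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter"

Dim nFailed
nFailed = 0

Sub Fail(strMsg)
    WScript.Echo "FAIL: " & strMsg
    nFailed = nFailed + 1
End Sub

Sub Pass(strMsg)
    WScript.Echo "ok:   " & strMsg
End Sub

' 1. OS version and service pack (the same WMI query as the slide's excerpt).
Sub CheckOs()
    Dim objWMI, colItems, objItem, strOs
    Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
    Set colItems = objWMI.ExecQuery("Select * from Win32_OperatingSystem")
    For Each objItem In colItems
        strOs = objItem.Caption & " " & objItem.Version & " SP" & objItem.ServicePackMajorVersion
        If objItem.Version = REQUIRED_OS_VERSION And _
           Int(objItem.ServicePackMajorVersion) >= REQUIRED_SP_MAJOR Then
            Pass strOs
        Else
            Fail strOs & "; policy requires " & REQUIRED_OS_VERSION & " SP" & REQUIRED_SP_MAJOR & " or later"
        End If
    Next
End Sub

' 2. Anti-virus: at least one product registered with Security Center must have
'    on-access scanning enabled and report current signatures; a product that
'    does not register with Security Center counts as absent.
Sub CheckAntiVirus()
    Dim objSC, colAV, objAV, bOk
    On Error Resume Next
    Set objSC = GetObject("winmgmts:\\.\root\SecurityCenter")
    If Err.Number <> 0 Then
        Fail "root\SecurityCenter not available (needs XP SP2)"
        Exit Sub
    End If
    On Error GoTo 0
    Set colAV = objSC.ExecQuery("Select * from AntiVirusProduct")
    bOk = False
    For Each objAV In colAV
        If objAV.onAccessScanningEnabled And objAV.productUptoDate Then
            Pass "AV " & objAV.displayName & " " & objAV.versionNumber & " active, signatures current"
            bOk = True
        End If
    Next
    If Not bOk Then Fail "no anti-virus product with on-access scanning and current signatures"
End Sub

' 3. Windows Firewall enabled for the current profile. HNetCfg.FwMgr reports the
'    profile setting, not per-interface state, so "on all interfaces" is approximated.
Sub CheckFirewall()
    Dim objFwMgr
    On Error Resume Next
    Set objFwMgr = CreateObject("HNetCfg.FwMgr")
    If Err.Number <> 0 Then
        Fail "Windows Firewall API (HNetCfg.FwMgr) not available"
        Exit Sub
    End If
    On Error GoTo 0
    If objFwMgr.LocalPolicy.CurrentProfile.FirewallEnabled Then
        Pass "Windows Firewall enabled"
    Else
        Fail "Windows Firewall is disabled"
    End If
End Sub

' 4. IP forwarding must be off: a VPN client that routes bridges the LAN to
'    whatever else it is attached to (the slide's "Routing enabled").
Sub CheckRoutingDisabled()
    Dim objShell, nEnabled
    Set objShell = CreateObject("WScript.Shell")
    On Error Resume Next
    nEnabled = objShell.RegRead(ROUTING_KEY)
    If Err.Number <> 0 Then nEnabled = 0   ' value absent means routing is off
    On Error GoTo 0
    If nEnabled = 0 Then
        Pass "IP routing disabled"
    Else
        Fail "IPEnableRouter=" & nEnabled & " (IP forwarding is on)"
    End If
End Sub

CheckOs
CheckAntiVirus
CheckFirewall
CheckRoutingDisabled
WScript.Echo nFailed & " check(s) failed"
WScript.Quit nFailed
```

In the batch wrapper, replace Call check1.cmd with cscript //nologo check_health.vbs; the following IF ERRORLEVEL 1 Set CHECKED=0 then works unchanged, because any failed check gives a non-zero exit code. Two points to keep in mind when deploying: the /sig string that RQC.EXE sends (CheckOK in the wrapper) must be one of the strings the listener on the RA server is configured to accept, and it sits in clear text in the dialer's script, so NAQC verifies the health of a cooperating client; a user who controls the client can report success without passing the checks, and the quarantine IP filter and session timeout in the RA policy are what limit exposure in the meantime.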

Network Policy Requirements Script: Scripts to download

• From Microsoft TechNet: http://www.microsoft.com/technet/security/prodtech/windowsserver2003/quarantineservices/vppgappa.mspx

  Disadvantage: they don't work

• From the IGT website: http://www.igt.ethz.ch/?event=130

Conclusions: VPN with Network Access Quarantine Control, The Client Side (slides 35–37: screenshots, not reproduced)

Conclusions

• delays normal remote access to a LAN until client health has been examined.

• for RA connections only (VPN and dial-up).

• target: remote computers, e.g. at home.

Advantage: simplicity. Disadvantage: limitations.

VPN with Network Access Quarantine Control (NAQC)

Dr. P. Fritz, VPN with NAQC

http://www.igt.ethz.ch/?event=130 or search for VPN