1
VPN with Network Access Quarantine Control
ETH Windows Meeting, 3 October 2006
Dr. P. Fritz, Institute for Geotechnical Engineering IGT
Swiss Federal Institute of Technology ETH-Z
2
Motivation
Nessus, HFNetChk, WSUS, AntiVirus, AntiSpam, PestPatrol, NTLMv2, Kerberos, IPSec, GPO, SSL/TLS, CAs, Domain Isolation, Pw Policy, MOM, MSBSA
→ high security standard within LAN!
3
Motivation
high security at perimeter!
4
Motivation
neglected security for VPN!
5
Motivation
Security Policies for VPN
Authentication (MS-CHAPv2, Kerberos, …)
Authorization (RA policies)
Tunnel Protocol (L2TP, …)
Data Encryption (IPSec, …)
6
Motivation
Security Policies for VPN
Authentication (MS-CHAPv2, Kerberos, …)
Authorization (RA policies)
Tunnel Protocol (L2TP, …)
Data Encryption (IPSec, …)
Client Health
7
Motivation VPN Client Health
OS Patches, Virus Definitions, ……, Routing enabled, ……
health checked and assured by
Network Access Quarantine Control (NAQC)
→
8
Motivation VPN Client Health
health checked and assured by
Network Access Quarantine Control (NAQC)
→
Quarantine Control on Client
9
Motivation
Agenda Network Access Quarantine Control (NAQC)
1. Motivation for NAQC
2. Components
3. How NAQC works
4. Deployment
5. Configuration (dialer, RA policy)
6. Requirement Scripts
7. Conclusion
10
Components: Conventional Remote Access via VPN
11
Components: NAQC Remote Access
NAQC = Network Access Quarantine Control
12
How NAQC works
NAQC = Network Access Quarantine Control
13
Deploying NAQC
NAQC = Network Access Quarantine Control
1. Define Quarantine Resources (DHCP, …)
2. Create Network Policy Requirements Client Script
3. Create a dialer (CM Quarantine Profile) with CMAK
4. Configure Quarantine RA Policy on Server
5. Run Listener on RA Server
6. Distribute and run the Dialer
14
Creating a VPN Dialer
NAQC = Network Access Quarantine Control
= Connection Manager Quarantine Profile
→ trivial, so skip it
• Download and install MS’s Connection Manager Administration Kit (CMAK)
• Run CMAK to create the Dialer
15
Creating a VPN Dialer
16
Creating a VPN Dialer
17
Creating a VPN Dialer
18
Creating a VPN Dialer
19
Creating a VPN Dialer
20
Configuring an RA Policy
using the RRA Management Console
→ trivial, so skip it
21
Configuring an RA Policy: 1st Policy: Connection to RA server without Quarantine Check
22
Configuring an RA Policy: 2nd Policy: Connection to RA server with Quarantine Check
23
Configuring an RA Policy: 2nd Policy: Connection to RA server with Quarantine Check
Edit NAS-Port Type
24
Configuring an RA Policy: 2nd Policy: Connection to RA server with Quarantine Check
Edit MS-Quarantine-IP Filter
25
Configuring an RA Policy: 2nd Policy: Connection to RA server with Quarantine Check
Edit MS-Quarantine-IP Filter
26
Configuring an RA Policy: 2nd Policy: Connection to RA server with Quarantine Check
Edit Quarantine Session Timeout
27
Configuring an RA Policy
using the RRA Management Console
28
Configuring an RA Policy: 3rd Policy: Deny Connection to RA server
29
Network Policy Requirements Script
• Script is called by Dialer on Client PC
• Script has two duties:
  1. check Client Health, and
  2. inform Server of Result
Client configured to be called with parameters %ServiceDir% %ServiceName% %Domain% %UserName%
Shortest Script possible (a 1-line batch file):
%1\RQC.EXE /conn %2 /domain %3 /user %4 /sig ValidationOK
30
Network Policy Requirements Script: General Script Structure
REM Network policy compliance tests
REM Set CHECKED to 1 if the tests pass.
Set CHECKED=1
REM insert code here for checking health
Call check1.cmd
IF ERRORLEVEL 1 Set CHECKED=0
REM add code for additional checks
REM Based on the test results, run RQC.EXE
IF "%CHECKED%" == "0" GOTO TESTFAIL
%1\RQC.EXE /conn %2 /port 7250 /domain %3 /user %4 /sig CheckOK
ECHO Successfully passed network compliance tests.
GOTO EXIT_SCRIPT
:TESTFAIL
ECHO Error: network compliance tests failed.
:EXIT_SCRIPT
31
Network Policy Requirements Script: Excerpt VBS-Script for OS-Version
strComputer = "."
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colItems = objWMI.ExecQuery("Select * from Win32_OperatingSystem")
For Each objItem In colItems
    strOsCaption = objItem.Caption
    strOsVersion = objItem.Version ' e.g. 5.1.2600
    nSpMajor = Int(objItem.ServicePackMajorVersion)
    nSpMinor = Int(objItem.ServicePackMinorVersion)
Next
32
Network Policy Requirements Script Compliance Tests
• OS version ?
• latest Patches installed ?
• Virus Scanner with latest signature files ?
• Firewall enabled on all interfaces ?
• Internet Connection Sharing disabled ?
• sufficient Password Strength enabled ?
• Screen Saver enabled and Password protected ?
………
33
Network Policy Requirements Script: Special Problems with Compliance Tests
• Virus Scanner with latest signature files ?
• Firewall enabled on all interfaces ?
Problem: how to check all antivirus programs and their signature files?
→ XP Security Center: WMI Namespace \root\SecurityCenter
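A fuller check1 script for the compliance tests on slides 31 and 33, added here as an example that is not part of the original presentation: it combines the OS-version test with antivirus and firewall status read from the XP Security Center, and returns an exit code the batch skeleton can test. The namespace \root\SecurityCenter with its classes AntiVirusProduct and FirewallProduct, and the HNetCfg.FwMgr COM object for the built-in Windows Firewall, are assumed to be present (Windows XP SP2).

```vbscript
' check1.vbs: client health check called by the NAQC requirements script.
' Exit code 0 = compliant, 1 = not compliant (tested with IF ERRORLEVEL 1).
' Assumptions: Windows XP SP2 client with the WMI namespace root\SecurityCenter
' (classes AntiVirusProduct, FirewallProduct) and the HNetCfg.FwMgr COM object.
Option Explicit
Dim strComputer, objWMI, objSC, objFw, colItems, objItem
Dim blnOsOk, blnAvOk, blnFwOk, strMsg
strComputer = "."
blnOsOk = False : blnAvOk = False : blnFwOk = False
' Test 1 (slide 31): OS must be Windows XP (5.1) with at least SP2
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
    & strComputer & "\root\cimv2")
Set colItems = objWMI.ExecQuery("Select * from Win32_OperatingSystem")
For Each objItem In colItems
    If Left(objItem.Version, 4) = "5.1." _
        And Int(objItem.ServicePackMajorVersion) >= 2 Then blnOsOk = True
Next
' Test 2 (slide 33): an antivirus product registered with the XP Security
' Center must have current signatures and on-access scanning enabled
On Error Resume Next   ' namespace / COM object are absent on older systems
Set objSC = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
    & strComputer & "\root\SecurityCenter")
If Err.Number = 0 Then
    Set colItems = objSC.ExecQuery("Select * from AntiVirusProduct")
    For Each objItem In colItems
        If objItem.productUptoDate And objItem.onAccessScanningEnabled _
            Then blnAvOk = True
    Next
    ' Test 3: either a third-party firewall registered as enabled ...
    Set colItems = objSC.ExecQuery("Select * from FirewallProduct")
    For Each objItem In colItems
        If objItem.enabled Then blnFwOk = True
    Next
End If
Err.Clear
' ... or the built-in Windows Firewall enabled for the current profile
Set objFw = CreateObject("HNetCfg.FwMgr")
If Err.Number = 0 Then
    If objFw.LocalPolicy.CurrentProfile.FirewallEnabled Then blnFwOk = True
End If
On Error GoTo 0
' Report every failed test so the user knows what to fix, then exit
strMsg = ""
If Not blnOsOk Then strMsg = strMsg & "OS is not XP SP2 or later. "
If Not blnAvOk Then strMsg = strMsg & "No current antivirus with on-access scanning. "
If Not blnFwOk Then strMsg = strMsg & "No enabled firewall. "
If strMsg <> "" Then WScript.Echo "Compliance check failed: " & strMsg
If strMsg <> "" Then WScript.Quit 1
WScript.Quit 0
```

In the general script structure, replace the line Call check1.cmd with cscript //nologo %1\check1.vbs; the following IF ERRORLEVEL 1 then sets CHECKED=0 and RQC.EXE is not run.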
34
Network Policy Requirements Script: Scripts to download
• From Microsoft Technet: http://www.microsoft.com/technet/security/prodtech/windowsserver2003/quarantineservices/vppgappa.mspx
  Disadvantage: they don't work
• From IGT Website: http://www.igt.ethz.ch/?event=130
35
Conclusions: VPN with Network Access Quarantine Control, The Client Side
38
Conclusions: VPN with Network Access Quarantine Control (NAQC)
• delays normal remote access to a LAN until client health has been examined.
• for RA connections only (VPN and dial-up).
• target: remote computers, e.g. at home.
Advantage: simplicity
Disadvantage: limitations
39
Dr. P. Fritz VPN with NAQC
http://www.igt.ethz.ch/?event=130
or search for VPN