Slide 1: VPN with Network Access Quarantine Control. ETH Windows Meeting of 3 October 2006. Dr. P. Fritz, Institute for Geotechnical Engineering (IGT), Swiss Federal Institute of Technology ETH-Z.

Slide 2: Motivation: High Security Standard within the LAN. Mechanisms already in use: Nessus, HFNetChk, WSUS, AntiVirus, AntiSpam, PestPatrol, NTLMv2, Kerberos, IPSec, GPO, SSL/TLS, CAs, Domain Isolation, Password Policy, MOM, MBSA. High security standard within the LAN!

Slide 3: Motivation: High Security at the Perimeter. High security at the perimeter!

Slide 4: Motivation: Neglected Security for VPN. Neglected security for VPN!

Slide 5: Motivation: Security Policies for VPN. Authentication (MS-CHAPv2, Kerberos, …); Authorization (RA policies); Tunnel Protocol (L2TP, …); Data Encryption (IPSec, …).

Slide 6: Motivation: Security Policies for VPN. Authentication (MS-CHAPv2, Kerberos, …); Authorization (RA policies); Tunnel Protocol (L2TP, …); Data Encryption (IPSec, …); Client Health.

Slide 7: Motivation: Client Health. VPN client health: OS patches, virus definitions, …, routing enabled, …; health checked and assured by Network Access Quarantine Control (NAQC) →

Slide 8: Motivation: Client Health. VPN client health checked and assured by Network Access Quarantine Control (NAQC) → Quarantine Control on the Client.

Slide 9: Agenda: Network Access Quarantine Control (NAQC). 1. Motivation for NAQC; 2. Components; 3. How NAQC works; 4. Deployment; 5. Configuration (dialer, RA policy); 6. Requirement Scripts; 7. Conclusion.

Slide 10: Components: Conventional Remote Access via VPN.

Slide 11: Components: NAQC Remote Access (NAQC = Network Access Quarantine Control).

Slide 12: How NAQC works: 7 steps (NAQC = Network Access Quarantine Control).

Slide 13: Deploying NAQC (NAQC = Network Access Quarantine Control). 1. Define quarantine resources (DHCP, …); 2. Create the Network Policy Requirements client script; 3. Create a dialer (CM Quarantine Profile) with CMAK; 4. Configure the Quarantine RA Policy on the server; 5. Run the listener on the RA server; 6. Distribute and run the dialer.

Slide 14: Creating a VPN Dialer with CMAK (= Connection Manager Quarantine Profile) → trivial, so skipped. Download and install Microsoft's Connection Manager Administration Kit (CMAK), then run CMAK to create the dialer.

Slide 15: Creating a VPN Dialer: Dialer Name.

Slide 16: Creating a VPN Dialer: Dialer Name.

Slide 17: Creating a VPN Dialer: VPN Server.

Slide 18: Creating a VPN Dialer: Post-Connect Action.

Slide 19: Creating a VPN Dialer: Additional File RQC.EXE.

Slide 20: Configuring a Quarantine RA Policy with the RRA MMC (Routing and Remote Access management console) → trivial, so skipped.

Slide 21: Configuring a Quarantine RA Policy. 1st policy: connection to the RA server without quarantine check.

Slide 22: Configuring a Quarantine RA Policy. 2nd policy: connection to the RA server with quarantine check.

Slide 23: Configuring a Quarantine RA Policy. 2nd policy: connection to the RA server with quarantine check: edit NAS-Port-Type.

Slide 24: Configuring a Quarantine RA Policy: IP Filter. 2nd policy: connection to the RA server with quarantine check: edit the MS-Quarantine-IPFilter attribute (the filter that limits a quarantined client to the quarantine resources).

Slide 25: Configuring a Quarantine RA Policy: IP Filter. 2nd policy: connection to the RA server with quarantine check: edit the MS-Quarantine-IPFilter attribute.

Slide 26: Configuring a Quarantine RA Policy: Session Timeout. 2nd policy: connection to the RA server with quarantine check: edit the quarantine session timeout (MS-Quarantine-Session-Timeout, after which a client that has not reported compliance is disconnected).

Slide 27: Configuring a Quarantine RA Policy with the RRA MMC (Routing and Remote Access management console).

Slide 28: Configuring a Quarantine RA Policy. 3rd policy: deny connection to the RA server.

Slide 29: Network Policy Requirements Script: Shortest Script. The script is called by the dialer on the client PC, with the parameters %ServiceDir% %ServiceName% %Domain% %UserName%. It has two duties: 1. check client health, and 2. inform the server of the result. The shortest possible script (a one-line batch file) skips the first duty entirely and only reports success:

    %1\RQC.EXE /conn %2 /domain %3 /user %4 /sig ValidationOK

Slide 30: Network Policy Requirements Script: General Script Structure.

    REM Network policy compliance tests
    REM Set CHECKED to 1 if the tests pass.
    Set CHECKED=1
    REM insert code here for checking health
    Call check1.cmd
    IF ERRORLEVEL 1 Set CHECKED=0
    REM add code for additional checks
    REM Based on the test results, run RQC.EXE
    IF "%CHECKED%" == "0" GOTO TESTFAIL
    %1\RQC.EXE /conn %2 /port 7250 /domain %3 /user %4 /sig CheckOK
    ECHO Successfully passed network compliance tests.
    GOTO EXIT_SCRIPT
    :TESTFAIL
    ECHO Error: network compliance tests failed.
    :EXIT_SCRIPT

Slide 31: Network Policy Requirements Script: Sample Check Script. Excerpt of a VBScript that reads the OS version and service pack level via WMI:

    strComputer = "."
    Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    Set colItems = objWMI.ExecQuery("Select * from Win32_OperatingSystem")
    For Each objItem In colItems
        strOsCaption = objItem.Caption
        strOsVersion = objItem.Version          ' e.g. "5.1.2600" on Windows XP
        nSpMajor = Int(objItem.ServicePackMajorVersion)
        nSpMinor = Int(objItem.ServicePackMinorVersion)
    Next

Slide 32: Network Policy Requirements Script: Compliance Tests. OS version? Latest patches installed? Virus scanner with latest signature files? Firewall enabled on all interfaces? Internet Connection Sharing disabled? Sufficient password strength enforced? Screen saver enabled and password protected? …

Slide 33: Network Policy Requirements Script: Special Problems. Two of the compliance tests are hard to script generically: "virus scanner with latest signature files?" and "firewall enabled on all interfaces?". How can every antivirus product and its signature state be checked without product-specific code? Answer: query the XP Security Center through its WMI namespace \root\SecurityCenter, where registered antivirus and firewall products report their state.
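The following is an added example, not a script from the original slides or from the IGT website: a client-side network policy requirements script in PowerShell that keeps the structure of the batch file on slide 30, performs the OS-version check of slide 31, the firewall and Internet Connection Sharing tests of slide 32 and the Security Center antivirus query of slide 33, and only then calls rqc.exe with the arguments of slide 29. It assumes that PowerShell is installed on the client, that the Connection Manager post-connect action invokes it as `powershell.exe -ExecutionPolicy Bypass -File Check-Health.ps1 %ServiceDir% %ServiceName% %Domain% %UserName%`, and that the required OS level (Windows XP SP2 or later) and the signature string CheckOK on port 7250 (taken from slide 30) match what the rqs.exe listener on the RA server is configured to accept. The Security Center class and property names are those of the Windows XP SP2 provider; Windows Vista and later moved them to root\SecurityCenter2 with a different schema.

```powershell
# Added example (not from the original slides): PowerShell network policy
# requirements script for NAQC. Assumed invocation from the CM post-connect action:
#   powershell.exe -ExecutionPolicy Bypass -File Check-Health.ps1 %ServiceDir% %ServiceName% %Domain% %UserName%
param(
    [Parameter(Mandatory = $true)] [string] $ServiceDir,   # %ServiceDir%  (folder holding rqc.exe)
    [Parameter(Mandatory = $true)] [string] $ServiceName,  # %ServiceName% (the CM connection name)
    [Parameter(Mandatory = $true)] [string] $Domain,       # %Domain%
    [Parameter(Mandatory = $true)] [string] $UserName,     # %UserName%
    [string] $Signature = 'CheckOK',   # assumed; must be a string accepted by rqs.exe on the RA server
    [int]    $RqsPort   = 7250         # rqs.exe default listener port (slide 30)
)

$failures = @()

# 1. OS version and service pack (slide 31). Compare as [version], not as strings,
#    so that "5.10" is not judged older than "5.2".
$os  = Get-WmiObject -Class Win32_OperatingSystem
$ver = [version] $os.Version                  # e.g. 5.1.2600 on Windows XP
$sp  = [int] $os.ServicePackMajorVersion
# Assumed policy: Windows XP (5.1) with SP2 or later, or anything newer.
if ($ver -lt [version] '5.1' -or ($ver.Major -eq 5 -and $ver.Minor -eq 1 -and $sp -lt 2)) {
    $failures += "OS $($os.Caption) $($os.Version) SP$sp is below the required level"
}

# 2. Antivirus state via the XP Security Center WMI provider (slide 33).
#    Every registered product reports onAccessScanningEnabled and productUptoDate;
#    at least one product must satisfy both.
$avProducts = @(Get-WmiObject -Namespace 'root\SecurityCenter' -Class AntiVirusProduct -ErrorAction SilentlyContinue)
$avOk = $false
foreach ($av in $avProducts) {
    if ($av.onAccessScanningEnabled -and $av.productUptoDate) { $avOk = $true }
}
if (-not $avOk) { $failures += 'no antivirus product with on-access scanning and current signatures' }

# 3. Firewall enabled (slide 32), same provider.
$fwProducts = @(Get-WmiObject -Namespace 'root\SecurityCenter' -Class FirewallProduct -ErrorAction SilentlyContinue)
$fwOk = $false
foreach ($fw in $fwProducts) { if ($fw.enabled) { $fwOk = $true } }
if (-not $fwOk) { $failures += 'no enabled firewall product reported by Security Center' }

# 4. Internet Connection Sharing must be off (slide 32): ask the HNetCfg COM object
#    whether any connection is shared. A query failure counts as a failed test.
try {
    $share = New-Object -ComObject HNetCfg.HNetShare
    foreach ($conn in $share.EnumEveryConnection) {
        $cfg = $share.INetSharingConfigurationForINetConnection($conn)
        if ($cfg.SharingEnabled) {
            $failures += "Internet Connection Sharing is enabled on $($share.NetConnectionProps($conn).Name)"
        }
    }
} catch {
    $failures += "could not query Internet Connection Sharing state: $_"
}

# Report. rqc.exe runs only on a clean result; otherwise the session stays in
# quarantine until the RA policy's quarantine session timeout disconnects it.
if ($failures.Count -gt 0) {
    Write-Host 'Error: network compliance tests failed:'
    $failures | ForEach-Object { Write-Host "  - $_" }
    exit 1
}

$rqc = Join-Path $ServiceDir 'rqc.exe'
& $rqc /conn $ServiceName /port $RqsPort /domain $Domain /user $UserName /sig $Signature
if ($LASTEXITCODE -ne 0) {
    Write-Host "rqc.exe returned $LASTEXITCODE; the server did not release the quarantine"
    exit 1
}
Write-Host 'Successfully passed network compliance tests.'
exit 0
```

Two design points. First, every test collects a reason into $failures instead of aborting on the first one, so the user sees the whole list of what to fix before reconnecting. Second, note what the script does not protect against: both the checks and the rqc.exe call run on the client, so a user with control of the client can run rqc.exe with the accepted signature string without performing any check. NAQC enforces the policy for cooperative clients only.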

Slide 34: Network Policy Requirements Script: Scripts to download. From Microsoft TechNet: windowsserver2003/quarantineservices/vppgappa.mspx; from the IGT website. Disadvantage: they don't work.

Slide 35: Conclusions: The Client Side. VPN with Network Access Quarantine Control.

Slide 36: Conclusions: The Client Side. VPN with Network Access Quarantine Control.

Slide 37: Conclusions: The Client Side. VPN with Network Access Quarantine Control.

Slide 38: Conclusions: Summary. VPN with Network Access Quarantine Control (NAQC) delays normal remote access to a LAN until client health has been examined. It applies to RA connections only (VPN and dial-up); its target is remote computers, e.g. at home. Advantage: simplicity. Disadvantage: limitations, above all that the health check and the rqc.exe notification both run on the client, so the mechanism keeps cooperative but misconfigured clients out of the LAN and is not a defence against a user who controls the client and simply calls rqc.exe with the accepted signature string.

Slide 39: Internet Address. Dr. P. Fritz, VPN with NAQC: ?event=130 (or search for "VPN").